Introduction to Linux Security

1. What is computer security?

 
"The principal objective of computer security is to protect and assure the confidentiality, integrity, and availability of automated information systems and the data they contain." - http://csrc.nist.gov/publications/secpubs/cslaw.txt

Security = policy + service + process

2. Where Is Linux Security Today?

Linux can be secured as well as any other OS (with proper patching, configuration and hygiene).
Linux has achieved CAPP (Controlled Access Protection Profile) certification and EAL3+ certification (http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=13).
LSM hooks and SELinux (http://www.nsa.gov/selinux/) in the 2.6 kernel.
Lots of good free security software: Snort (http://www.snort.org), Netfilter (http://www.netfilter.org), OpenSSH, OpenSSL, SELinux, Tripwire, and more.


3. Linux Security Modules (LSM)

LSM provides a general kernel framework to support security modules. In particular, the LSM framework is primarily focused on supporting access control modules. By itself, the framework does not provide any additional security; it merely provides the infrastructure to support security modules. The LSM framework also moves most of the capabilities logic into an optional capabilities security module, with the system defaulting to a dummy security module that implements the traditional superuser logic.
The LSM framework adds security fields to kernel data structures (simply void* pointers) and inserts calls to hook functions (function pointers in a global table, security_ops) at critical points in the kernel code to manage the security fields and to perform access control. It also adds functions for registering and unregistering security modules (stacking additional security modules with the primary security module).
Location in kernel source tree:
/security/
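To make the hook-table design concrete, here is an added example, written for this page in ordinary userspace C; it is not code from the page and not the kernel's real LSM API. It models the framework's parts one by one: a global table of function pointers standing in for security_ops, a void* security field on a stand-in inode, a dummy module with the traditional superuser logic installed by default, and register/unregister functions that stack a secondary module behind the primary. All struct, function and label names are hypothetical stand-ins, and only two hooks are modelled.

```c
#include <stdio.h>
#include <string.h>

#define EACCES 13
#define EEXIST 17
#define MAY_WRITE 2

/* Stand-in for a kernel object (an inode) carrying the opaque security field LSM adds. */
struct inode {
    const char *name;
    unsigned owner_uid;
    void *i_security;   /* opaque to the core; only the active module interprets it */
};

/* Credentials of the task performing the access (simplified stand-in). */
struct task {
    unsigned uid;
    int capable_override;   /* 1 if the task holds a DAC-override-style capability */
};

/* The global table of hook function pointers (the role security_ops plays in 2.6). */
struct security_operations {
    int (*inode_alloc_security)(struct inode *ino);
    int (*inode_permission)(struct task *t, struct inode *ino, int mask);
    struct security_operations *next;   /* stacked secondary module, called by the primary */
};

/* dummy module: traditional superuser/owner logic, active by default */
static int dummy_inode_alloc(struct inode *ino) { ino->i_security = NULL; return 0; }
static int dummy_inode_permission(struct task *t, struct inode *ino, int mask)
{
    (void)mask;
    if (t->uid == 0 || t->capable_override) return 0;   /* superuser bypasses everything */
    return t->uid == ino->owner_uid ? 0 : -EACCES;       /* simplified owner-only DAC */
}
static struct security_operations dummy_ops = { dummy_inode_alloc, dummy_inode_permission, NULL };

/* The core's pointer to the currently registered primary module. */
static struct security_operations *security_ops = &dummy_ops;

/* hypothetical "label" module: keeps a label in i_security and makes anything
 * labelled immutable read-only, even for root */
static struct security_operations label_ops;
static int label_inode_alloc(struct inode *ino)
{
    ino->i_security = (void *)(strstr(ino->name, ".conf") ? "immutable" : "normal");
    return 0;
}
static int label_inode_permission(struct task *t, struct inode *ino, int mask)
{
    const char *label = ino->i_security;
    if ((mask & MAY_WRITE) && label && strcmp(label, "immutable") == 0)
        return -EACCES;                                  /* decided from the security field */
    /* stacking: the primary module is responsible for consulting the secondary one */
    return label_ops.next ? label_ops.next->inode_permission(t, ino, mask) : 0;
}
static struct security_operations label_ops = { label_inode_alloc, label_inode_permission, NULL };

/* registration, in the spirit of register_security()/mod_reg_security() */
int register_security(struct security_operations *ops)
{
    if (security_ops != &dummy_ops) return -EEXIST;      /* only one primary module at a time */
    security_ops = ops;
    return 0;
}
int mod_reg_security(struct security_operations *ops)
{
    if (security_ops == &dummy_ops) return register_security(ops);
    ops->next = security_ops->next;                      /* stack behind the primary */
    security_ops->next = ops;
    return 0;
}
void unregister_security(void) { security_ops->next = NULL; security_ops = &dummy_ops; }

/* the hook call sites the framework inserts at critical points in the core */
int security_inode_alloc(struct inode *ino) { return security_ops->inode_alloc_security(ino); }
int security_inode_permission(struct task *t, struct inode *ino, int mask)
{
    return security_ops->inode_permission(t, ino, mask);
}

/* Scenario: root may write a config file under the dummy module but not once the label
 * module is primary; stacking dummy behind it keeps owner-based DAC for ordinary users
 * on unlabelled files. Returns 1 if all three checks behave as described. */
int demo(void)
{
    struct task root = { 0, 0 }, alice = { 1000, 0 };
    struct inode cfg = { "sshd.conf", 0, NULL }, note = { "notes.txt", 0, NULL };
    int r1, r2, r3;
    security_inode_alloc(&cfg);
    r1 = security_inode_permission(&root, &cfg, MAY_WRITE);    /* dummy: 0 for root */
    register_security(&label_ops);
    mod_reg_security(&dummy_ops);                               /* dummy now stacked behind label */
    security_inode_alloc(&cfg);
    security_inode_alloc(&note);
    r2 = security_inode_permission(&root, &cfg, MAY_WRITE);    /* label: -EACCES even for root */
    r3 = security_inode_permission(&alice, &note, MAY_WRITE);  /* label passes, stacked dummy: not owner */
    printf("root/cfg dummy=%d  root/cfg label=%d  alice/note=%d\n", r1, r2, r3);
    unregister_security();
    return r1 == 0 && r2 == -EACCES && r3 == -EACCES;
}
```

The point to notice is that the core never looks inside i_security and never decides anything itself: it only calls through the table, so swapping the table entry changes the policy without touching the call sites.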
 
 

4. Security-Enhanced Linux (SELinux)

SELinux is based on the Flask security architecture for flexible nondiscretionary access controls. SELinux is currently implemented as a module on top of LSM.
The Flask security architecture provides a clean separation between the policy enforcement code and the policy decision-making code. The policy decision-making code is encapsulated in a separate component of the operating system called the security server. The Flask security architecture includes an access vector cache (AVC) component that caches access decision computations obtained from the security server, to minimize the performance overhead of the SELinux access controls. The policy enforcement code is integrated into the subsystems of the operating system (e.g. the process management code, the filesystem code, the socket and networking code, and the IPC code). The policy enforcement code obtains security policy decisions from the security server and AVC, and applies those decisions to assign security labels to processes and objects and to control operations based on those security labels.
The security server provided with current SELinux implements a combination of Role-Based Access Control (RBAC), a generalization of Type Enforcement (TE), and optionally Multi-Level Security (MLS).

'''SELinux Types'''
A type is a security attribute given to objects such as files and network ports. The type of a process is commonly referred to as its domain. The SELinux policy is primarily composed of type enforcement rules, which describe how domains are allowed to interact with objects, and how domains are allowed to interact with other domains. A type is generally suffixed with '_t', such as sysadm_t. This is the most important attribute of a process or object, as most policy decisions are based on the source and target types.
'''SELinux Roles'''
SELinux is type enforcement, so a SELinux role is not the same as a role in a role-based access control system: permissions are not given to roles. A role describes the set of types a user can use. For example, a system administrator using the system for regular user tasks should be in the staff_r role; to administer the system, a role change to sysadm_r is required. In SELinux terms, the domains a user can be in are determined by their role. If a role is not allowed to have a certain domain, a transition to that domain will be denied, even if the type enforcement rules allow the domain transition. A role is generally suffixed with '_r', such as portage_r.
'''SELinux Identities'''
The SELinux identity is similar to a Linux username. Changes of identity should be limited to very specific cases, since the role-based access control relies on the SELinux identity; therefore, in general, a user's SELinux identity will not change during a session. The Linux user ID can be changed by setuid()/seteuid(), which makes it inappropriate as a SELinux identity. If a user is given a SELinux identity, it must match the Linux username. Each SELinux identity is allowed a set of roles.
'''SELinux Contexts'''
The combination of the three attributes above (identity, role and type) is called a SELinux context. A context takes the form identity:role:type.
'''SELinux Policy Files'''
The SELinux policy source usually resides in /etc/security/selinux/src/policy. It consists of several files and directories from which the policy is generated. To ease the creation of the policy, macros from the m4 text processor are used to reuse common rules. The policy files are processed by m4, and then the policy compiler checkpolicy verifies that there are no syntactic errors and creates a binary policy file. The binary policy can then be loaded into a running SELinux kernel.
Location in kernel source tree:
/security/selinux/*
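The Flask pieces described above (security server, AVC, enforcement code and the identity:role:type context) as an added example in userspace C. This is not SELinux's own code: the tiny TE and role policy in it is constructed for illustration, and names such as avc_has_perm and security_compute_av echo SELinux's but the implementations are this example's own. It shows the AVC answering a repeat query without going back to the security server, and a domain transition that the TE rules allow but the role gate denies, exactly the case the SELinux Roles paragraph describes.

```c
#include <stdio.h>
#include <string.h>

#define EACCES 13
#define EINVAL 22

/* Permission bits of an access vector; the object class says which bits are meaningful. */
#define FILE_READ   (1u << 0)
#define FILE_WRITE  (1u << 1)
#define PROC_TRANS  (1u << 2)
enum sec_class { CLS_FILE = 1, CLS_PROCESS = 2 };

/* A security context is identity:role:type. */
struct context { char user[32], role[32], type[32]; };

int parse_context(const char *s, struct context *c)
{
    return sscanf(s, "%31[^:]:%31[^:]:%31[^:\n]", c->user, c->role, c->type) == 3;
}

/* security server: a constructed TE + role policy (not a real SELinux policy) */
struct te_rule { const char *stype, *ttype; enum sec_class cls; unsigned av; };
static const struct te_rule te_rules[] = {
    { "staff_t",  "user_home_t", CLS_FILE,    FILE_READ | FILE_WRITE },
    { "sysadm_t", "shadow_t",    CLS_FILE,    FILE_READ | FILE_WRITE },
    { "staff_t",  "sysadm_t",    CLS_PROCESS, PROC_TRANS },   /* TE permits staff_t -> sysadm_t */
};
struct role_rule { const char *role, *type; };
static const struct role_rule role_rules[] = {
    { "staff_r",  "staff_t"  },
    { "sysadm_r", "sysadm_t" },   /* only sysadm_r may hold the sysadm_t domain */
};
static int ss_queries;            /* how often the security server actually computed a decision */

/* Policy decision: union of the matching allow rules; nothing matching means deny. */
unsigned security_compute_av(const char *stype, const char *ttype, enum sec_class cls)
{
    unsigned av = 0;
    size_t i;
    ss_queries++;
    for (i = 0; i < sizeof te_rules / sizeof te_rules[0]; i++)
        if (te_rules[i].cls == cls && !strcmp(te_rules[i].stype, stype) &&
            !strcmp(te_rules[i].ttype, ttype))
            av |= te_rules[i].av;
    return av;
}

int role_allows_type(const char *role, const char *type)
{
    size_t i;
    for (i = 0; i < sizeof role_rules / sizeof role_rules[0]; i++)
        if (!strcmp(role_rules[i].role, role) && !strcmp(role_rules[i].type, type))
            return 1;
    return 0;
}

/* AVC: a direct-mapped cache of (stype, ttype, class) -> access vector */
#define AVC_SLOTS 32
struct avc_entry { char stype[32], ttype[32]; enum sec_class cls; unsigned av; int valid; };
static struct avc_entry avc[AVC_SLOTS];

static unsigned avc_slot(const char *s, const char *t, enum sec_class cls)
{
    unsigned h = 5381u + (unsigned)cls;
    for (; *s; s++) h = h * 33u + (unsigned char)*s;
    for (; *t; t++) h = h * 33u + (unsigned char)*t;
    return h % AVC_SLOTS;
}

unsigned avc_lookup(const char *stype, const char *ttype, enum sec_class cls)
{
    struct avc_entry *e = &avc[avc_slot(stype, ttype, cls)];
    if (!(e->valid && e->cls == cls && !strcmp(e->stype, stype) && !strcmp(e->ttype, ttype))) {
        /* miss (or slot collision): consult the security server once, cache the whole vector */
        e->av = security_compute_av(stype, ttype, cls);
        snprintf(e->stype, sizeof e->stype, "%s", stype);
        snprintf(e->ttype, sizeof e->ttype, "%s", ttype);
        e->cls = cls;
        e->valid = 1;
    }
    return e->av;
}

/* enforcement code, as a kernel subsystem would call it: 0 = allowed */
int avc_has_perm(const char *scontext, const char *ttype, enum sec_class cls, unsigned perm)
{
    struct context s;
    if (!parse_context(scontext, &s)) return -EINVAL;
    return (avc_lookup(s.type, ttype, cls) & perm) == perm ? 0 : -EACCES;
}

/* A domain transition needs the TE rule AND a role allowed to hold the new domain. */
int check_transition(const char *scontext, const char *new_type)
{
    struct context s;
    if (!parse_context(scontext, &s)) return -EINVAL;
    if (avc_has_perm(scontext, new_type, CLS_PROCESS, PROC_TRANS) != 0) return -EACCES;
    return role_allows_type(s.role, new_type) ? 0 : -EACCES;
}

int main(void)
{
    printf("staff_t reads user_home_t: %d\n", avc_has_perm("alice:staff_r:staff_t", "user_home_t", CLS_FILE, FILE_READ));
    printf("staff_r -> sysadm_t: %d (TE allows, role does not)\n", check_transition("alice:staff_r:staff_t", "sysadm_t"));
    return 0;
}
```

Two things are worth checking when you run it: ss_queries does not grow on the second lookup of the same (source, target, class) triple, and check_transition returns -EACCES for staff_r even though security_compute_av returns PROC_TRANS for the staff_t -> sysadm_t pair.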
 
 

5. IPtables (Netfilter)

 

'''Netfilter'''
Netfilter is a general packet processing framework: it makes packet filtering, network address translation (NAT) and connection tracking possible through various hooks in the kernel's network code. These hooks are places where kernel code, either statically built or in the form of a loadable module, can register functions to be called for specific network events.

'''''Hooks                When called'''''
NF_IP_PRE_ROUTING    After sanity checks, before routing decisions.
NF_IP_LOCAL_IN       After routing decisions, if the packet is for this host.
NF_IP_FORWARD        If the packet is destined for another interface.
NF_IP_LOCAL_OUT      For packets coming from local processes on their way out.
NF_IP_POST_ROUTING   Just before outbound packets "hit the wire".

'''''Return code        Meaning'''''
NF_DROP              Discard the packet.
NF_ACCEPT            Keep the packet (continue down the hook chain).
NF_STOLEN            Forget about the packet (the hook function has taken ownership of it).
NF_QUEUE             Queue the packet for userspace.
NF_REPEAT            Call this hook function again.

Location in kernel source tree:
/net/netfilter

'''IPtables'''
iptables is the userspace tool that installs filtering rules into the kernel's Netfilter tables.
e.g.
iptables -A INPUT -p all -s 9.181.0.0/16 -j ACCEPT
Saved rule set (loaded at boot on Red Hat-style systems):
/etc/sysconfig/iptables
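An added example, not from the page, the kernel or the iptables project, that simulates in userspace C the hook chain from the table above together with an INPUT chain populated the way the iptables command populates it. Hook and verdict names carry the kernel's names and numeric values; everything else (nf_register_hook, nf_hook, ipt_append_input, deliver_local and the packet struct) is this example's stand-in for the real API. The rule it installs is the page's own (-p all -s 9.181.0.0/16 -j ACCEPT) plus a constructed second rule that hands other UDP to userspace; it also shows NF_REPEAT re-running a hook function and NF_QUEUE/NF_DROP ending the traversal.

```c
#include <stdio.h>
#include <stdint.h>

/* Hook points and verdicts: the kernel's names and values. */
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
enum { NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT };

/* The few packet fields this model looks at (address in host byte order). */
struct packet { uint32_t saddr; uint8_t proto; int repeats; };

typedef unsigned (*nf_hookfn)(unsigned hooknum, struct packet *pkt);
struct nf_hook_ops { nf_hookfn hook; unsigned hooknum; int priority; };

#define MAX_HOOKS 8
static struct nf_hook_ops chain[NF_IP_NUMHOOKS][MAX_HOOKS];
static int chain_len[NF_IP_NUMHOOKS];

/* Register a function at a hook point; lower priority runs first, as in the kernel. */
int nf_register_hook(struct nf_hook_ops ops)
{
    int i, n;
    if (ops.hooknum >= NF_IP_NUMHOOKS || chain_len[ops.hooknum] == MAX_HOOKS) return -1;
    n = chain_len[ops.hooknum];
    for (i = n; i > 0 && chain[ops.hooknum][i - 1].priority > ops.priority; i--)
        chain[ops.hooknum][i] = chain[ops.hooknum][i - 1];
    chain[ops.hooknum][i] = ops;
    chain_len[ops.hooknum] = n + 1;
    return 0;
}

/* What the stack does at each hook point: walk the registered functions and act on the verdicts. */
unsigned nf_hook(unsigned hooknum, struct packet *pkt)
{
    int i;
    for (i = 0; i < chain_len[hooknum]; i++) {
        unsigned v = chain[hooknum][i].hook(hooknum, pkt);
        if (v == NF_ACCEPT) continue;          /* keep the packet, continue down the chain */
        if (v == NF_REPEAT) { i--; continue; } /* call this hook function again */
        return v;                               /* DROP, STOLEN or QUEUE end the traversal here */
    }
    return NF_ACCEPT;
}

/* a filter-table INPUT chain of the kind the iptables tool populates */
struct ipt_rule { uint8_t proto; uint32_t src, smask; unsigned target; };   /* proto 0 = all */
static struct ipt_rule input_rules[8];
static int input_len;
static unsigned input_policy = NF_DROP;         /* chain policy when no rule matches */

/* Parse "a.b.c.d" or "a.b.c.d/bits" into a host-order address and netmask. */
int parse_cidr(const char *s, uint32_t *addr, uint32_t *mask)
{
    unsigned a, b, c, d, bits = 32;
    if (sscanf(s, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &bits) < 4 ||
        a > 255 || b > 255 || c > 255 || d > 255 || bits > 32) return 0;
    *addr = (a << 24) | (b << 16) | (c << 8) | d;
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return 1;
}

/* Equivalent of: iptables -A INPUT -p <proto> -s <cidr> -j <target> */
int ipt_append_input(uint8_t proto, const char *cidr, unsigned target)
{
    struct ipt_rule r = { proto, 0, 0, target };
    if (input_len == 8 || !parse_cidr(cidr, &r.src, &r.smask)) return -1;
    r.src &= r.smask;
    input_rules[input_len++] = r;
    return 0;
}

/* The hook function the filter table registers at NF_IP_LOCAL_IN: first match wins. */
static unsigned filter_input_hook(unsigned hooknum, struct packet *pkt)
{
    int i;
    (void)hooknum;
    for (i = 0; i < input_len; i++)
        if ((input_rules[i].proto == 0 || input_rules[i].proto == pkt->proto) &&
            (pkt->saddr & input_rules[i].smask) == input_rules[i].src)
            return input_rules[i].target;
    return input_policy;
}

/* A hook that asks to be re-run once (NF_REPEAT), then accepts. */
static unsigned repeat_once_hook(unsigned hooknum, struct packet *pkt)
{
    (void)hooknum;
    return pkt->repeats++ ? NF_ACCEPT : NF_REPEAT;
}

/* One-time setup: the two hooks, the page's rule, and a constructed rule that
 * queues all other UDP to userspace; everything else falls to the DROP policy. */
int setup_firewall(void)
{
    static int done;
    if (done) return 0;
    done = 1;
    nf_register_hook((struct nf_hook_ops){ repeat_once_hook, NF_IP_PRE_ROUTING, -100 });
    nf_register_hook((struct nf_hook_ops){ filter_input_hook, NF_IP_LOCAL_IN, 0 });
    ipt_append_input(0, "9.181.0.0/16", NF_ACCEPT);
    ipt_append_input(17, "0.0.0.0/0", NF_QUEUE);
    return 0;
}

/* A packet for this host passes PRE_ROUTING, then (after the routing decision) LOCAL_IN. */
unsigned deliver_local(const char *src, uint8_t proto)
{
    struct packet pkt = { 0, proto, 0 };
    uint32_t mask;
    unsigned v;
    setup_firewall();
    if (!parse_cidr(src, &pkt.saddr, &mask)) return NF_DROP;
    v = nf_hook(NF_IP_PRE_ROUTING, &pkt);
    return v == NF_ACCEPT ? nf_hook(NF_IP_LOCAL_IN, &pkt) : v;
}

int main(void)
{
    printf("tcp from 9.181.12.7 -> %u, tcp from 10.0.0.5 -> %u, udp from 10.0.0.5 -> %u\n",
           deliver_local("9.181.12.7", 6), deliver_local("10.0.0.5", 6), deliver_local("10.0.0.5", 17));
    return 0;
}
```

Verdict values 1, 0 and 3 in that output are NF_ACCEPT, NF_DROP and NF_QUEUE. The ordering matters as it does in a real chain: UDP from 9.181.0.0/16 is accepted by the first rule before the queue rule is ever consulted.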


6. IPS/IDS

'''Snort''' --- a lightweight IDS

e.g. a simple rule:
alert udp any any -> any 32770:34000 (content: "|00 01 86 B8|"; content: "|00 00 00 01|"; distance: 4; within: 4; byte_jump: 4, 12, relative, align; byte_test: 4, >, 900, 20, relative; msg: "statd format string buffer overflow";)
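Reading the rule option by option, and assuming the standard ONC RPC call layout: the first content finds the RPC program number of statd (100024 = 0x000186B8) anywhere in the UDP payload; the second content, 4 bytes after that match and only within the next 4 bytes, requires procedure 1; byte_jump reads the 4-byte length 12 bytes past that point (the AUTH_UNIX machine-name length), rounds it up to a multiple of 4 and skips over the name; byte_test then reads the 4-byte value 20 bytes further on (the length prefix of the first string argument) and alerts if it exceeds 900. The added example below, not from the page or from Snort, implements those option semantics in C over a constructed RPC CALL header and shows the rule firing on an oversized length and staying quiet on a normal one. opt_content, opt_byte_jump, opt_byte_test_gt, build_rpc_call and statd_alert are this example's own names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Detection state: the payload plus the "end of last match" offset that relative
 * options (distance, within, byte_jump and byte_test with relative) build on. */
struct match_ctx { const uint8_t *data; size_t len; size_t doe; };

/* Read n big-endian bytes at pos (the default byte order for byte_jump/byte_test). */
static int read_be(const struct match_ctx *c, size_t pos, size_t n, uint32_t *out)
{
    uint32_t v = 0;
    size_t i;
    if (n > 4 || pos > c->len || n > c->len - pos) return 0;
    for (i = 0; i < n; i++) v = (v << 8) | c->data[pos + i];
    *out = v;
    return 1;
}

/* content: an absolute match scans the whole payload; a relative one must start at
 * doe+distance and end within `within` bytes of that point. Updates doe on success. */
int opt_content(struct match_ctx *c, const uint8_t *pat, size_t plen,
                int relative, size_t distance, size_t within)
{
    size_t start = relative ? c->doe + distance : 0;
    size_t end = relative ? start + within : c->len;
    size_t s;
    if (start > c->len) return 0;
    if (end > c->len) end = c->len;
    for (s = start; s + plen <= end; s++)
        if (memcmp(c->data + s, pat, plen) == 0) { c->doe = s + plen; return 1; }
    return 0;
}

/* byte_jump: read a length at doe+offset, optionally round it up to 4, and move doe
 * past the length field and that many more bytes. Fails if the jump leaves the payload. */
int opt_byte_jump(struct match_ctx *c, size_t bytes, size_t offset, int align)
{
    uint32_t v;
    size_t pos = c->doe + offset;
    if (!read_be(c, pos, bytes, &v)) return 0;
    if (align) v = (v + 3) & ~3u;
    if (v > c->len - pos - bytes) return 0;
    c->doe = pos + bytes + v;
    return 1;
}

/* byte_test with the ">" operator, relative to doe. */
int opt_byte_test_gt(const struct match_ctx *c, size_t bytes, uint32_t value, size_t offset)
{
    uint32_t v;
    return read_be(c, c->doe + offset, bytes, &v) && v > value;
}

/* The rule's options in order over one UDP payload; 1 means the rule would alert.
 * (Real Snort also retries later occurrences of the first content if a later option
 * fails; this model stops at the first occurrence.) */
int statd_rule_matches(const uint8_t *payload, size_t len)
{
    static const uint8_t prog[] = { 0x00, 0x01, 0x86, 0xB8 };   /* RPC program 100024, statd */
    static const uint8_t proc[] = { 0x00, 0x00, 0x00, 0x01 };
    struct match_ctx c = { payload, len, 0 };
    return opt_content(&c, prog, 4, 0, 0, 0)
        && opt_content(&c, proc, 4, 1, 4, 4)      /* distance: 4; within: 4 */
        && opt_byte_jump(&c, 4, 12, 1)            /* 4, 12, relative, align */
        && opt_byte_test_gt(&c, 4, 900, 20);      /* 4, >, 900, 20, relative */
}

/* constructed test traffic: an ONC RPC CALL header with AUTH_UNIX credentials */
static size_t put32(uint8_t *b, size_t at, uint32_t v)
{
    b[at] = (uint8_t)(v >> 24); b[at + 1] = (uint8_t)(v >> 16);
    b[at + 2] = (uint8_t)(v >> 8); b[at + 3] = (uint8_t)v;
    return at + 4;
}

size_t build_rpc_call(uint8_t *buf, uint32_t prog, uint32_t first_arg_len)
{
    size_t p = 0;
    p = put32(buf, p, 0x1234);      /* xid */
    p = put32(buf, p, 0);           /* message type CALL */
    p = put32(buf, p, 2);           /* RPC version */
    p = put32(buf, p, prog);        /* program number */
    p = put32(buf, p, 1);           /* program version */
    p = put32(buf, p, 1);           /* procedure 1 */
    p = put32(buf, p, 1);           /* credential flavor AUTH_UNIX */
    p = put32(buf, p, 24);          /* credential body length */
    p = put32(buf, p, 0);           /* stamp */
    p = put32(buf, p, 4); memcpy(buf + p, "host", 4); p += 4;           /* machine name (byte_jump skips it) */
    p = put32(buf, p, 0); p = put32(buf, p, 0); p = put32(buf, p, 0);   /* uid, gid, gid count */
    p = put32(buf, p, 0); p = put32(buf, p, 0);                         /* verifier AUTH_NULL, length 0 */
    return put32(buf, p, first_arg_len);   /* length prefix of the first string argument */
}

/* Build a call to `prog` whose first string argument claims arg_len bytes and run the rule on it. */
int statd_alert(uint32_t prog, uint32_t arg_len)
{
    uint8_t buf[80];
    size_t n = build_rpc_call(buf, prog, arg_len);
    return statd_rule_matches(buf, n);
}
```

The strict ">" in byte_test means a claimed length of exactly 900 does not alert, and a call to a different RPC program (for example the portmapper, 100000) never gets past the first content, whatever its length field says.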
 

7. Authentication

 
Pluggable Authentication Modules (PAM)...

to be continued


8. Audit

syslog...

to be continued