1. What is computer security?
"The principal objective of computer security is to protect and assure the confidentiality, integrity, and availability of automated information systems and the data they contain." -
http://csrc.nist.gov/publications/secpubs/cslaw.txt
Security = police + service + process
2. Where Is Linux Security Today?
Linux can be secured as well as any other OS (with proper patching, configuration and hygiene)
Linux has achieved CAPP certification and EAL3+ certification (http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=13)
LSM hooks and SELinux (http://www.nsa.gov/selinux/) in the 2.6 kernel
Lots of good free security software:
Snort (http://www.snort.org), Netfilter (http://www.netfilter.org), OpenSSH, OpenSSL, SELinux, Tripwire, ...
3. Linux Security Modules (LSM)
LSM provides a general kernel framework to support security modules. In particular, the LSM framework is primarily focused on supporting access control modules. By itself, the framework does not provide any additional security; it merely provides the infrastructure to support security modules. The LSM framework also moves most of the capabilities logic into an optional capabilities security module, with the system defaulting to a dummy security module that implements the traditional superuser logic.
The LSM framework adds security fields to kernel data structures (simply void* pointers) and inserts calls to hook functions (function pointers in a global table, security_ops) at critical points in the kernel code to manage the security fields and to perform access control. It also adds functions for registering and unregistering security modules, so that additional security modules can be stacked with the primary security module.
Location in kernel source tree:
/security/
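An added illustration of the design just described (a toy written for this page, not kernel code): a hook table of function pointers, a void* security field on a task structure, a default module with the traditional superuser logic, and registration that swaps in a confining module. The task structure, paths and module names are made up for the example, and stacking of secondary modules is left out.

```c
#include <stddef.h>
#include <string.h>

struct task { unsigned uid; void *security; };   /* security field: an opaque void* */

/* The global hook table: function pointers the kernel calls at critical points.
 * Each hook returns 0 to permit the operation and -1 to deny it. */
struct security_ops {
    const char *name;
    int (*task_alloc)(struct task *t);            /* manages the security field */
    int (*inode_permission)(struct task *t, const char *path, int write);
};

/* Default "dummy" module: traditional superuser logic, no labels at all. */
static int dummy_task_alloc(struct task *t) { t->security = NULL; return 0; }
static int dummy_inode_permission(struct task *t, const char *path, int write)
{
    (void)path;
    return (t->uid == 0 || !write) ? 0 : -1;     /* root may write, others read only */
}
static struct security_ops dummy_ops = { "dummy", dummy_task_alloc, dummy_inode_permission };

/* Hypothetical confining module: labels every task and ignores uid entirely,
 * allowing access only below /srv/ even for root. */
struct label { const char *domain; };
static struct label daemon_label = { "daemon_t" };
static int strict_task_alloc(struct task *t) { t->security = &daemon_label; return 0; }
static int strict_inode_permission(struct task *t, const char *path, int write)
{
    (void)write;
    return (t->security && strncmp(path, "/srv/", 5) == 0) ? 0 : -1;
}
static struct security_ops strict_ops = { "strict", strict_task_alloc, strict_inode_permission };
static struct security_ops *security_ops = &dummy_ops;   /* the active table */

/* Registration swaps the table in and out; this toy allows one primary module. */
int register_security(struct security_ops *ops)
{
    if (security_ops != &dummy_ops) return -1;   /* a module is already registered */
    security_ops = ops; return 0;
}
int unregister_security(struct security_ops *ops)
{
    if (security_ops != ops) return -1;
    security_ops = &dummy_ops; return 0;
}

/* Hook call sites, as the kernel places them in the task and VFS code. */
int security_task_alloc(struct task *t) { return security_ops->task_alloc(t); }
int security_inode_permission(struct task *t, const char *path, int write)
{ return security_ops->inode_permission(t, path, write); }
```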
4. Security-Enhanced Linux (SELinux)
SELinux is based on the Flask security architecture for flexible nondiscretionary access controls. Currently SELinux is implemented as an LSM module.
The Flask security architecture provides a clean separation between the policy enforcement code and the policy decision-making code. The policy decision-making code is encapsulated in a separate component of the operating system called the security server. The Flask security architecture includes an access vector cache (AVC) component that provides caching of access decision computations obtained from the security server to minimize the performance overhead of the SELinux access controls. The policy enforcement code is integrated into the subsystems (e.g. the process management code, the filesystem code, the socket and networking code, and the IPC code) of the operating system. The policy enforcement code obtains security policy decisions from the security server and AVC, and applies those decisions to assign security labels to processes and objects and to control operations based on those security labels.
The security server provided with the current SELinux implements a combination of Role-Based Access Control (RBAC), a generalization of Type Enforcement (TE), and optionally Multi-Level Security (MLS).
SELinux Types
A type is a security attribute given to objects such as files, network ports, etc. The type of a process is commonly referred to as its domain. The SELinux policy is primarily composed of type enforcement rules, which describe how domains are allowed to interact with objects, and how domains are allowed to interact with other domains. A type is generally suffixed with '_t', such as sysadm_t. This is the most important attribute of a process or object, as most policy decisions are based on the source and target types.
SELinux Roles
SELinux is based on type enforcement, so an SELinux role is not the same as a role in a role-based access control system. Permissions are not given to roles. A role describes the set of types a user can use. For example, a system administrator who is using the system for regular user tasks should be in the staff_r role. If they need to administer the system, a role change to sysadm_r is required. In SELinux terms, the domains that a user can be in are determined by their role. If a role is not allowed to have a certain domain, a transition to that domain will be denied, even if the type enforcement rules allow the domain transition. A role is generally suffixed with '_r', such as portage_r.
SELinux Identities
The SELinux identity is similar to a Linux username. Changes of identity should be limited to very specific cases, since the role-based access control relies on the SELinux identity. Therefore, in general, a user's SELinux identity will not change during a session. The user ID in Linux can be changed by set(e)uid, making it inappropriate as an SELinux identity. If a user is given an SELinux identity, it must match the Linux username. Each SELinux identity is allowed a set of roles.
SELinux Contexts
The combination of the above three attributes (identity, role and type) is called an SELinux context. A context takes the form identity:role:type.
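An added example, constructed for this page and not the SELinux policy or code, that puts the four pieces above together: it parses identity:role:type contexts, decides object access on the source and target types, and checks a domain transition through identity-to-role, role-to-domain and TE rules. The policy entries and the names alice, bob and shadow_t are assumptions.

```c
#include <stdio.h>
#include <string.h>
struct ctx { char user[32], role[32], type[32]; };
/* Parse "identity:role:type"; 0 on success, -1 if the string is malformed. */
int parse_ctx(const char *s, struct ctx *c)
{
    return sscanf(s, "%31[^:]:%31[^:]:%31s", c->user, c->role, c->type) == 3 ? 0 : -1;
}

/* Toy policy constructed for this example (not the real SELinux policy). */
static const char *user_roles[][2] = { {"alice", "staff_r"}, {"alice", "sysadm_r"}, {"bob", "staff_r"} };
static const char *role_types[][2] = { {"staff_r", "staff_t"}, {"sysadm_r", "sysadm_t"} };
struct allow { const char *src, *tgt, *cls, *perm; };
static const struct allow te_rules[] = {        /* allow src tgt:class { perm }; */
    {"staff_t",  "sysadm_t", "process", "transition"},
    {"staff_t",  "shadow_t", "file",    "read"},
    {"sysadm_t", "shadow_t", "file",    "write"},
};
#define N(a) (sizeof(a) / sizeof((a)[0]))
static int pair_allowed(const char *p[][2], size_t n, const char *a, const char *b)
{
    for (size_t i = 0; i < n; i++)
        if (!strcmp(p[i][0], a) && !strcmp(p[i][1], b)) return 1;
    return 0;
}
/* Type enforcement: 1 if an allow rule covers (source type, target type, class, perm). */
int te_allowed(const char *src, const char *tgt, const char *cls, const char *perm)
{
    for (size_t i = 0; i < N(te_rules); i++)
        if (!strcmp(te_rules[i].src, src) && !strcmp(te_rules[i].tgt, tgt) &&
            !strcmp(te_rules[i].cls, cls) && !strcmp(te_rules[i].perm, perm)) return 1;
    return 0;
}

/* Object access is decided on the two types alone: 1 allowed, 0 denied, -1 bad context. */
int check_access(const char *src, const char *tgt, const char *cls, const char *perm)
{
    struct ctx s, t;
    if (parse_ctx(src, &s) || parse_ctx(tgt, &t)) return -1;
    return te_allowed(s.type, t.type, cls, perm);
}

/* Domain transition: the identity must hold the role and the role must allow the new
 * domain before TE is consulted, so a role lacking the domain denies the transition. */
int check_transition(const char *src, const char *new_role, const char *new_domain)
{
    struct ctx s;
    if (parse_ctx(src, &s)) return -1;
    if (!pair_allowed(user_roles, N(user_roles), s.user, new_role)) return 0;
    if (!pair_allowed(role_types, N(role_types), new_role, new_domain)) return 0;
    return te_allowed(s.type, new_domain, "process", "transition");
}
```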
SELinux Policy Files
The SELinux policy usually resides in /etc/security/selinux/src/policy. It consists of several files and directories from which the policy is generated. To ease writing the policy, macros for the m4 text processor are used to reuse common rules. The policy files are processed by m4, and then the policy compiler checkpolicy verifies that there are no syntactic errors and creates a binary policy file. The binary policy can then be loaded into a running SELinux kernel.
Location in kernel source tree:
/security/selinux/*
5. IPtables (Netfilter)
'''Netfilter'''
Netfilter is a general packet processing framework. It makes network tricks such as packet filtering, network address translation (NAT) and connection tracking possible through various hooks in the kernel's network code. These hooks are places where kernel code, either statically built in or in the form of a loadable module, can register functions to be called for specific network events.
'''''Hook                  When it is called'''''
NF_IP_PRE_ROUTING     After sanity checks, before routing decisions.
NF_IP_LOCAL_IN        After routing decisions, if the packet is for this host.
NF_IP_FORWARD         If the packet is destined for another interface.
NF_IP_LOCAL_OUT       For packets coming from local processes on their way out.
NF_IP_POST_ROUTING    Just before outbound packets "hit the wire".
'''''Return Code           Meaning'''''
NF_DROP               Discard the packet.
NF_ACCEPT             Keep the packet.
NF_STOLEN             Forget about the packet.
NF_QUEUE              Queue the packet for userspace.
NF_REPEAT             Call this hook function again.
Location in kernel code tree:
/net/netfilter
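An added example (a toy re-implementation, not the kernel's Netfilter code) of how the functions registered at one hook point are run and how the return codes steer the packet: NF_ACCEPT only passes it to the next registered function, NF_REPEAT re-runs the current one, and the other verdicts end the traversal. The packet structure, the audit hook and the 9.181.0.0/16 filter (mirroring the iptables rule below) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hook points and verdicts as listed on the page; the numeric values are illustrative. */
enum nf_hook { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT,
               NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
enum nf_verdict { NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT };

struct pkt { uint32_t src; uint8_t proto; int seen; };  /* constructed minimal packet */
typedef enum nf_verdict (*nf_hookfn)(struct pkt *);
struct nf_hook_ops { nf_hookfn fn; int priority; };
static struct nf_hook_ops hooks[NF_IP_NUMHOOKS][8];     /* per hook point, by priority */
static int nhooks[NF_IP_NUMHOOKS];

/* Register a function at one hook point, keeping that point's list sorted by priority. */
int nf_register_hook(enum nf_hook h, nf_hookfn fn, int priority)
{
    if (nhooks[h] == 8) return -1;
    int i = nhooks[h]++;
    for (; i > 0 && hooks[h][i - 1].priority > priority; i--) hooks[h][i] = hooks[h][i - 1];
    hooks[h][i] = (struct nf_hook_ops){ fn, priority };
    return 0;
}

/* Run a hook point. NF_ACCEPT only passes the packet on to the next registered function,
 * so a later one may still drop it; NF_REPEAT calls the same function again; NF_DROP,
 * NF_STOLEN and NF_QUEUE end the traversal and the caller acts on the verdict. */
enum nf_verdict nf_hook_run(enum nf_hook h, struct pkt *p)
{
    for (int i = 0; i < nhooks[h]; i++) {
        enum nf_verdict v = hooks[h][i].fn(p);
        if (v == NF_REPEAT) { i--; continue; }
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Two functions for NF_IP_LOCAL_IN: an audit hook that counts and accepts everything,
 * and a filter that admits only 9.181.0.0/16 (the page's iptables rule) and drops the rest. */
static int audited;
static enum nf_verdict audit_hook(struct pkt *p) { (void)p; audited++; return NF_ACCEPT; }
static enum nf_verdict filter_hook(struct pkt *p)
{
    if (p->seen++ == 0) return NF_REPEAT;          /* contrived: ask to be called once more */
    return (p->src >> 16) == 0x09B5 ? NF_ACCEPT : NF_DROP;   /* 9.181.x.x */
}
int setup_local_in(void)
{   /* registered second but with lower priority, so the audit hook runs first */
    return nf_register_hook(NF_IP_LOCAL_IN, filter_hook, 0) |
           nf_register_hook(NF_IP_LOCAL_IN, audit_hook, -100);
}
```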
'''IPtables'''
Userspace application that loads the filtering rules into the kernel's Netfilter framework, e.g.
iptables -A INPUT -p all -s 9.181.0.0/16 -j ACCEPT
usage:
/etc/sysconfig/iptable
6. IPS/IDS
'''Snort''' --- a lightweight IDS
e.g. a simple rule:
alert udp any any -> any 32770:34000 (content: "|00 01 86 B8|"; content: "|00 00 00 01|"; distance: 4; within: 4; byte_jump: 4, 12, relative, align; byte_test: 4, >, 900, 20, relative; msg: "statd format string buffer overflow";)
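An added example, not Snort's own code, that walks this rule's payload options over a constructed packet: the two content matches, the cursor movement implied by distance, within and relative, the aligned byte_jump and the byte_test. The cursor semantics are a simplified model of the rule language and an assumption of this example; build_sample fabricates a payload with the tested length field at the offset the rule reaches.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static const uint8_t c1[4] = {0x00, 0x01, 0x86, 0xB8};   /* content: "|00 01 86 B8|" */
static const uint8_t c2[4] = {0x00, 0x00, 0x00, 0x01};   /* content: "|00 00 00 01|" */
/* Find needle lying wholly inside hay[from, to); returns its offset or -1. */
static long find(const uint8_t *hay, size_t len, size_t from, size_t to,
                 const uint8_t *needle, size_t nlen)
{
    if (to > len) to = len;
    for (size_t i = from; i + nlen <= to; i++)
        if (!memcmp(hay + i, needle, nlen)) return (long)i;
    return -1;
}

/* Walk the rule's payload options with a cursor, the way the "relative" modifiers
 * chain matches (simplified model). Returns 1 if the rule would alert, else 0. */
int statd_rule_matches(const uint8_t *p, size_t len)
{
    long m = find(p, len, 0, len, c1, 4);
    if (m < 0) return 0;
    size_t cur = (size_t)m + 4;                          /* cursor = end of c1 */
    /* distance: 4; within: 4  ->  c2 must lie wholly in [cur+4, cur+8) */
    m = find(p, len, cur + 4, cur + 8, c2, 4);
    if (m < 0) return 0;
    cur = (size_t)m + 4;                                 /* cursor = end of c2 */
    /* byte_jump: 4, 12, relative, align  ->  read 4 big-endian bytes at cur+12, round
     * the value up to a multiple of 4, skip the field and that many bytes */
    if (cur + 16 > len) return 0;
    uint32_t jump = (be32(p + cur + 12) + 3) & ~3u;
    if (jump > len) return 0;                            /* would run past the payload */
    cur += 16 + jump;
    /* byte_test: 4, >, 900, 20, relative  ->  the 4-byte value at cur+20 exceeds 900 */
    if (cur + 24 > len) return 0;
    return be32(p + cur + 20) > 900;
}

/* Constructed 72-byte payload (not a real capture): 12 filler bytes, c1, 4 filler
 * bytes, c2, then at cur+12 a field of 5 (aligned to 8) and 20 bytes after the
 * jump the length field that byte_test inspects. Returns the payload size. */
size_t build_sample(uint8_t *buf, uint32_t tested_len)
{
    memset(buf, 0, 72);
    memcpy(buf + 12, c1, 4);
    memcpy(buf + 20, c2, 4);
    put32(buf + 36, 5);            /* byte_jump reads 5 here; aligned to 8 -> cursor 48 */
    put32(buf + 68, tested_len);   /* 48 + 20 = 68: the value compared against 900 */
    return 72;
}
```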
7. Authentication
Pluggable Authentication Module (PAM)...
to be continued
8. Audit
syslog...
to be continued