Marco Pizzoli, ...e SELinux fosse più sicuro?
Transcript
Slide 1: ...e SELinux fosse più sicuro? (...and if Linux was more secure? A play on words in Italian)
Marco Pizzoli
Faenza, 2011-10-29
IMOLUG: Imola e Faenza Linux Users Group – www.imolug.org

Slide 2: About the speaker...
– System and network administrator
– IT Security enthusiast
– Computer Science degree – Thesis: Digital Identities and PKI
– Computer Networks and Systems Security degree – Thesis: Centralization of information with LDAP
– Computer Networks and Systems Security degree (II level) – (Future) Thesis: Identity, Policy and Auditing ...

Slide 3: New terms

Slide 4: What's the need for a security framework inside the kernel?
– To enforce Mandatory Access Control (MAC)
– To better protect against malicious software
– To limit the vulnerability surface exposed by buggy / not-so-secure software:
  – Buffer overflow
  – Heap overflow
  – The next thing...
– To better maintain a complex system, by delegating all security decisions to a single component

Slide 5: What could be an example of malicious software running on my machine?
Buggy software could be exploited to do something unwanted, e.g. a webserver:
– could open a connection to another host inside the same network
– could read every file on the file system on which it has read permission
– could truncate its own access logs

Slide 6: What could be an example of malicious software running on my machine?
Buggy software could be exploited to do something unwanted, e.g. a webserver. Possible solutions:
– could open a connection to another host inside the same network → webserver running with a dedicated user, and that user prohibited from opening network connections with iptables
– could read every file on the file system on which it has read permission → webserver running chroot-ed
– could truncate its own access logs → ?????

Slide 7: The need for fine-grained control
Let's have a look at our open() syscall flags:
O_APPEND, O_ASYNC, O_CREAT, O_DIRECT, O_EXCL, O_LARGEFILE, O_NOATIME, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK or O_NDELAY, O_SYNC, O_TRUNC
And now, let's have a look at our httpd_access.log file permissions:
-rw-r--r-- 1 root root 0 Oct 1 23:59 httpd_access.log
Uh? It seems that, having given “w” permission on the log file, we are not able to limit what can be done with it... and indeed we aren't!!!
This is where Mandatory Access Control (MAC) comes to help.

Slide 8: DAC versus MAC - DAC
Discretionary Access Control is the more familiar to most people:
– Access to resources is based on the user's identity
– A user is granted permissions to a resource by being placed on an access control list (ACL) associated with the resource
– The DAC model is based on resource ownership
– It's “discretionary” in the sense that when a user (or group) is the owner of an object in the DAC model, the user can grant permission to other users and groups.
– Example: Unix user-group-other (ugo) permission bits
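Slide 7 above shows why a single DAC “w” bit cannot tell appending to a log from truncating it, and the DAC/MAC slides describe how SELinux layers a second, mandatory check on top so that both have to agree. The following Python model is an added example, not the deck's code and not the kernel's or libselinux's real API: it maps open() flags to the file permissions SELinux checks (simplified from the kernel's file_to_av()/may_open() logic), runs the DAC check and a type-enforcement check side by side, and also models the domain transition that the deck's later password-change example (passwd_t writing /etc/shadow) relies on. All contexts, types, allow rules, uids and file modes below are constructed.

```python
"""Toy model of SELinux type enforcement (TE) layered on top of Unix DAC.
Added example, not the deck's own code and not the kernel's or libselinux's API;
the contexts, types and rules below are constructed to mirror the slides."""
import os
from dataclasses import dataclass, field

def context_type(ctx):
    """Type field of 'user:role:type[:level]'; a bare type is accepted too."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else parts[0]

def perms_for_open(flags):
    """open(2) flags -> SELinux 'file' permissions, simplified from the kernel's
    file_to_av/may_open: O_APPEND turns 'write' into 'append', O_TRUNC needs 'write'."""
    acc, perms = flags & os.O_ACCMODE, set()
    if acc in (os.O_RDONLY, os.O_RDWR):
        perms.add("read")
    if acc in (os.O_WRONLY, os.O_RDWR):
        perms.add("append" if flags & os.O_APPEND else "write")
    if flags & os.O_TRUNC:
        perms.add("write")
    return perms

@dataclass
class Entity:
    uid: int
    gid: int
    context: str
    mode: int = 0  # permission bits for files (e.g. 0o644); unused for processes

def dac_allows(proc, f, perms):
    """Classic ugo bits: one 'w' covers write and append alike; root bypasses them."""
    if proc.uid == 0:
        return True
    shift = 6 if proc.uid == f.uid else 3 if proc.gid == f.gid else 0
    bits = (f.mode >> shift) & 7
    if "read" in perms and not bits & 4:
        return False
    return not (perms & {"write", "append"}) or bool(bits & 2)

@dataclass
class Policy:
    allow: dict = field(default_factory=dict)        # (src, tgt, class) -> perms
    transitions: dict = field(default_factory=dict)  # (src, exec type) -> domain

    def add_allow(self, src, tgt, cls, perms):
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

    def denied(self, sctx, tctx, cls, perms):
        """Permissions no allow rule grants (empty set means access is allowed)."""
        key = (context_type(sctx), context_type(tctx), cls)
        return set(perms) - self.allow.get(key, set())

    def exec_domain(self, proc, exe):
        """Domain reached by exec, or None if refused. A transition needs 'execute'
        on the file, a type_transition, 'process transition' and 'file entrypoint'."""
        src, exe_t = context_type(proc.context), context_type(exe.context)
        new = self.transitions.get((src, exe_t), src)  # default: stay in src
        if self.denied(src, exe_t, "file", {"execute"}):
            return None
        if new != src and (self.denied(src, new, "process", {"transition"})
                           or self.denied(new, exe_t, "file", {"entrypoint"})):
            return None
        return new

def open_file(policy, proc, f, flags):
    """DAC coupled to MAC: both must agree and MAC has the last word.
    Returns (allowed, set of permissions SELinux refused)."""
    perms = perms_for_open(flags)
    refused = policy.denied(proc.context, f.context, "file", perms)
    return dac_allows(proc, f, perms) and not refused, refused

def demo_policy():
    p = Policy()
    # httpd may add to its log but has no 'write', so an O_TRUNC open is refused.
    p.add_allow("httpd_t", "httpd_log_t", "file", {"append"})
    # passwd: user_t executes passwd_exec_t and lands in passwd_t, the only domain
    # allowed to touch shadow_t (the deck's later password-change example).
    p.add_allow("user_t", "passwd_exec_t", "file", {"execute"})
    p.transitions[("user_t", "passwd_exec_t")] = "passwd_t"
    p.add_allow("user_t", "passwd_t", "process", {"transition"})
    p.add_allow("passwd_t", "passwd_exec_t", "file", {"entrypoint"})
    p.add_allow("passwd_t", "shadow_t", "file", {"read", "write"})
    return p

# Constructed subjects, objects and open modes used by the demo.
HTTPD = Entity(0, 0, "system_u:system_r:httpd_t")
LOG = Entity(0, 0, "system_u:object_r:httpd_log_t", 0o644)
JOE = Entity(1000, 1000, "user_u:user_r:user_t")
PASSWD = Entity(0, 0, "system_u:object_r:passwd_exec_t", 0o4755)
SHADOW = Entity(0, 0, "system_u:object_r:shadow_t", 0o000)
APPEND_OPEN, TRUNC_OPEN, RDWR_OPEN = os.O_WRONLY | os.O_APPEND, os.O_WRONLY | os.O_TRUNC, os.O_RDWR

if __name__ == "__main__":
    pol = demo_policy()
    print(open_file(pol, HTTPD, LOG, APPEND_OPEN), open_file(pol, HTTPD, LOG, TRUNC_OPEN))
    dom = pol.exec_domain(JOE, PASSWD)  # passwd_t; the SUID bit then gives uid 0
    print(open_file(pol, Entity(0, JOE.gid, "user_u:user_r:" + dom), SHADOW, RDWR_OPEN))
```

With only `append` granted, httpd may open its log with O_APPEND but the O_TRUNC open is refused even though the process runs as root and DAC would wave it through. The reverse holds for joe: after the SUID exec the process is root, but reading shadow_t still depends on having landed in passwd_t, and a root process that stayed in user_t is refused. That asymmetry is the "MAC has the last word" rule of slide 10.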
Slide 9: DAC versus MAC - MAC
Mandatory Access Control is not so common in everyday computers:
– Users are given permissions to resources by an administrator
– Only an administrator can grant permissions or rights to objects and resources
– Access to resources is based on an object's security level, while users are granted a security clearance.
– Only administrators can modify an object's security label or a user's security clearance.
To make the concepts easier, I like to think of it in a fashion similar to a network firewall, e.g.:
– SystemA is entitled to connect to SystemB on TCP port x
– On my firewall, I will add a permit rule to let it do so
– ...and a deny rule for every other traffic having source SystemA
All of this applied to the whole system (over-simplification)

Slide 10: DAC coupled to MAC
It works! :-)
– Access is granted as long as both models agree
– MAC will always have the last word
– This is the default in SELinux

Slide 11: What's the origin of SELinux?
Flux Advanced Security Kernel (FLASK)
http://www.nsa.gov/research/selinux/index.shtml

Slide 12: What's the story of NSA and Linux?
– NSA developed SELinux as patches to the Linux 2.4.x kernel
– 2001: NSA proposal to integrate SELinux into the official kernel
– Linus Torvalds refuses:
  – Other security frameworks under active development inside the community
  – Each security framework model was different from the others
  – No formal consensus on the right one to be adopted
– Need for the development of Linux Security Modules (LSM):
  – Creation of a large number of hooks throughout the kernel
  – Re-development of SELinux and all other possible security frameworks as modules

Slide 13: Linux Security Modules

Slide 14: What's the story of LSM?
– In the official 2.6 kernel since December 2003
– For a long time there has been only one implementation: SELinux
– It has been subject to several criticisms:
  – It imposes a small computational cost (overhead) even when no module is actually loaded
  – It was developed to provide access control, but nothing actually prevents it from being (ab)used for other purposes
  – The LSM API is a moving target, so it is difficult to keep in sync

Slide 15: What about other security models?
AppArmor:
– Same purpose, different approach (path-based)
– PRO: simpler configuration
– CONS: not as secure as SELinux
– Initially created by Immunix, Inc.
– Novell acquired Immunix (2005) and continued to develop and sponsor the project until September 2007, when they laid off the whole AppArmor team
– Since 2009 active development by Canonical
– In the official kernel only since the 2.6.36 release (October 2010)
GRSecurity:
– Set of security patches for the Linux kernel
– Path-based security model (same as AppArmor)
– Not an LSM → not in the official kernel
– Some components could be used on a SELinux system
– Poor documentation
RSBAC:
– Dedicated hooking mechanism → not an LSM → not in the official kernel
– Similar design to SELinux
– More functionality than SELinux

Slide 16: SELinux: how does it work?
– Based on the concept of security context
– First distinction:
  – Objects: files, IPC channels, sockets, network hosts, etc...
  – Subjects: processes
– All objects and subjects have a single security context associated
– A security context consists of 3 elements:
  – user:role:type
– We will say that each file has a type and each process has a domain

Slide 17: Everything has a security context
Files and directories:
– Saved as extended attributes
– As a consequence of a mount option: mount -t iso9660 -o context=%s
– As a consequence of a mount option (network fs): mount -t [nfs|cifs] -o context=%s
Network packets:

Slide 18: Everything has a security context - continued
Processes:

Slide 19: Caveats
Working with SELinux entails paying particular attention to each activity. E.g.
Slide 20: A practical example: password change
Remember that SELinux adds type enforcement to standard Linux:
– Both have to be granted to access the resource
Let's look at the standard Linux behaviour:
– User joe invokes /usr/bin/passwd, which is SUID
– Types the new password
– /usr/bin/passwd, acting with root EUID, changes joe's password in /etc/shadow

Slide 21: A practical example: password change
A graph could be of help:

Slide 22: Privileges – the old way vs. the new
We were used to thinking about user privileges. But now we have to think about Type Enforcement.

Slide 23: A practical example: password change
– We have seen how the passwd_t type can change the password of a user
– We have not yet seen how a user can acquire the passwd_t type!!

Slide 24: A practical example: password change
We have to make some other rules explicit...

Slide 25: And finally, if something not allowed happens...

Slide 26: SELinux operative modes
We have the flexibility to enable/test/disable SELinux enforcing.
Let's see our current mode:
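Slide 25 above ("if something not allowed happens") is where the policy's decisions become visible to the administrator: the kernel records every refused access as an AVC message in the audit log, and in permissive mode (slide 26) the access goes through but is still logged with permissive=1. The following parser is an added example, not the deck's code and not a tool from the SELinux project: it extracts the denied permissions, the source and target types and the object class from audit records, groups them into the (source, target, class) triples that audit2allow turns into candidate allow rules, and keeps track of which records were written in permissive mode. The log lines, PIDs, inode numbers and timestamps are constructed.

```python
"""Parse SELinux AVC records from the audit log and summarise what the policy
refused. Added example, not from the deck; the log lines below are constructed
in the format of /var/log/audit/audit.log."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of a 'user:role:type[:level]' context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return the fields of an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "source": context_type(kv.get("scontext", "")),
        "target": context_type(kv.get("tcontext", "")),
        "tclass": kv.get("tclass", ""),
        "comm": kv.get("comm", ""),
        "pid": int(kv["pid"]) if kv.get("pid", "").isdigit() else None,
        # permissive=1: the access went through (permissive mode) but would
        # have been blocked in enforcing mode.
        "permissive": kv.get("permissive") == "1",
    }


def summarise(lines):
    """Group denials by (source type, target type, class) -> denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            summary[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def permissive_records(lines):
    """Denials that were only logged because the system was in permissive mode."""
    return [r for r in map(parse_avc, lines) if r and r["permissive"]]


def as_allow_rules(summary):
    """Render each triple as the allow rule audit2allow would propose. Each one is
    a candidate for review: the first below is exactly the log truncation that
    the policy was meant to block, so it should stay refused."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in summary.items())


# Constructed records: a log truncation attempt, a database connection, the
# matching SYSCALL record (not an AVC line), and a read logged in permissive mode.
SAMPLE_LOG = [
    'type=AVC msg=audit(1319890000.101:201): avc:  denied  { write } for  pid=2101 comm="httpd" name="httpd_access.log" dev=sda1 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1319890000.102:202): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1319890000.102:202): arch=40000003 syscall=102 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1319890000.103:203): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    for rule in as_allow_rules(summarise(SAMPLE_LOG)):
        print(rule)
    print(len(permissive_records(SAMPLE_LOG)), "record(s) logged in permissive mode")
```

The three rules printed correspond one-to-one to the three unwanted behaviours of slide 5: truncating the log, connecting to another host, and reading a file the DAC bits would have let it read. Seeing them grouped by type rather than by path is the habit the deck's "think about Type Enforcement" slide asks for.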
Slide 27: Obtaining initial context: pam_selinux.so

Slide 28: A question of policy
– The policy is responsible for the majority of what is allowed and what is not
– It is comprised of a set of rules to be checked against
– It leads all access control decisions
– It could implement any kind of MAC
– Each time you encounter an access denial... it's due to the policy!* :-)
– Each system could load a completely different policy: keep it in mind!
* over-simplification

Slide 29: The Strict Policy
Definition:
– A system where everything is denied by default
– You must specify allow rules to grant privileges
SELinux was designed to be a strict policy:
– The policy rules have only allows, no denies
– Minimal privileges for every daemon
– Separate user domains for programs like GPG, X, ssh, etc...
– Default policy provided by NSA
Difficult to enforce in general purpose operating systems
Fedora Core 2 Experience:
– Bogged down handling incredible permutations of Linux
– Analysis of Strict policy becoming impossible
– Strict Policy becoming less strict
– Fixing userspace problems while ignoring server space
– Caused hundreds of bugs to be reported
– #1 Question: “How do I turn off SELinux?”
– Don't want to become Trusted Solaris
http://selinuxsymposium.org/2005/presentations/session4/4-1-walsh.pdf

Slide 30: The Targeted Policy
Slide 31: The MLS Policy
http://fedoraproject.org/wiki/Docs/Drafts/SELinux/WhatIsIt#What_is_the_mls_policy.3F_Who_is_it_for.3F

Slide 32: The Reference Policy
http://fedoraproject.org/wiki/Docs/Drafts/SELinux/WhatIsIt#What_is_the_Reference_Policy.3F

Slide 33: The Minimum Policy
http://fedoraproject.org/wiki/SELinux/Policies

Slide 34: Extending the target: virtualization
sVirt:

Slide 35: Let's write a policy!
It might not be so simple... let's call for help! :-)

Slide 36: Let's write a policy! - continued

Slide 37: SELinux: How much does it cost?
Those guys at Phoronix asked themselves:
– They actually tested 2 different distributions
– They compared the performance in different use cases
– To obtain measurable differences they deliberately chose a low-profile platform

Slide 38: How much does it cost? - Hardware platform
[...] To look for the greatest impact, a low-power netbook was used for testing. This netbook was the Samsung NC10 with an Intel Atom N270 CPU, i945 graphics, 2GB of system memory, and a 32GB OCZ Core Series SSD.
A clean install of Fedora 15 (i686) with the Linux 2.6.38 kernel, GNOME Shell 3.0.1, X Server 1.10.1, xf86-video-intel 2.14.0, Mesa 7.11-devel, GCC 4.6.0, and an EXT4 file-system were used. [...]
http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=1

Slide 39: How much does it cost? - Apache test

Slide 40: How much does it cost? - 7-zip test

Slide 41: How much does it cost? - RHEL 5 (2007 version)
http://blog.larsstrand.org/2007_11_01_archive.html

Slide 42: SELinux and PostgreSQL
– Attempt to make PostgreSQL SELinux-aware
– An efficient way to centralize security decisions and take them out of the DBMS engine.
– Part of a more challenging target (see later)
I want to publicly thank Kohei Kaigai @ NEC for permitting me to leverage his images and slides

Slide 43: SELinux and PostgreSQL - Concepts – 1/2

Slide 44: SELinux and PostgreSQL - Concepts – 2/2

Slide 45: SE-PostgreSQL - How does it work?

Slide 46: SE-PostgreSQL - What could we expect in the future?
Slide 47: A more challenging target: A SELinux-aware LAPP stack

Slide 48: Apache/SELinux Plus

Slide 49: mod_selinux.conf

Slide 50: Future developments: SELinux and Android

Slide 51: To learn SELinux, how can I start?
– Buy a good book on the topic:
  – Currently there's only one that I'm aware of:
    ● Many pictures in these slides have been taken from this book
– Subscribe to the Fedora/SELinux and ReferencePolicy mailing lists:
  – http://www.redhat.com/mailman/listinfo/fedoraselinux-list
  – http://oss.tresys.com/mailman/listinfo/refpolicy
– Read every article you find on the web by Dan Walsh @ RedHat:
  – http://danwalsh.livejournal.com/

Slide 52: Questions?

Slide 53: Thanks for your attention
[email protected]