Red Hat Enterprise Linux 6 Security - Red Hat People

Red Hat Enterprise Linux 6 Security

Thomas Cameron, RHCA, RHCX, RHCVA
Managing Solutions Architect, Red Hat
October 14th, 2010
[email protected]
thomasdcameron on Twitter

Agenda

Today we'll talk about...

● New security features
● Essentials of securing your system
● SELinux for Mere Mortals
● sVirt
● Sandboxing
● Kiosk

ISSA | THOMAS CAMERON

New Security Features

● System Security Services Daemon (SSSD)

The System Security Services Daemon (SSSD) is a new feature in Red Hat Enterprise Linux 6 Beta that implements a set of services for central management of identity and authentication. Centralizing identity and authentication services enables local caching of identities, allowing users to still identify in cases where the connection to the server is interrupted. SSSD supports many types of identity and authentication services, including: Red Hat Directory Server, Active Directory, OpenLDAP, 389, Kerberos and LDAP.

New Security Features

● Security-Enhanced Linux (SELinux)

Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Red Hat Enterprise Linux 6 Beta. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information.

New Security Features

● Security-Enhanced Linux (SELinux)
  – Confined Users

Traditionally, SELinux is used to define and control how an application interacts with the system. SELinux in Red Hat Enterprise Linux 6 Beta introduces a set of policies that allows system administrators to control what particular users can access on a system.

New Security Features

● Security-Enhanced Linux (SELinux)
  – Sandbox

SELinux in Red Hat Enterprise Linux 6 Beta features the new security sandbox feature. The security sandbox adds a set of SELinux policies that enables a system administrator to run any application within a tightly confined SELinux domain. Using the sandbox, system administrators can test the processing of untrusted content without damaging the system.

New Security Features

● Security-Enhanced Linux (SELinux)
  – X Access Control Extension (XACE)

The X Window System (commonly referred to as "X") provides the base framework for displaying the graphical user interface (GUI) on Red Hat Enterprise Linux 6 Beta. This release features the new X Access Control Extension (XACE), which permits SELinux to access decisions made within X, specifically, controlling information flow between window objects.

New Security Features

● Backup Passphrases for Encrypted Storage Devices

Red Hat Enterprise Linux provides the ability to encrypt the

Sample kickstart file from the deck:

    clearpart --all
    part /boot --fstype ext3 --size=100
    part swap --size=1024
    part / --fstype ext3 --size=1000 --grow

    %packages
    @base
    @Web Server
    -tux

    %post
    /sbin/chkconfig foo off
    /bin/rpm -Uvh http://ml110.redhat.com/pub/packages/mypackage-1.0-1.i386.rpm
    /bin/echo install ipv6 /bin/true > /etc/modprobe.conf
    /usr/sbin/groupadd admins
    /usr/sbin/useradd -G admins -p '$1$uWyP9$RRM.DRsYpNcAUF6/KD/WV/' -c "Thomas Cameron" tcameron

Pre-production

● Before your system goes into production:
  – port scan
  – process scan
  – harden your server

Pre-production

● Port scan your server
  – nmap, nmapfe
  – Scan the host from another machine or machines

Pre-production

● nmap, nmapfe
  – Command line or GUI driven tools to do portscans
● Don't portscan servers unless you know it is OK to do so!
  – Your systems
  – You have documented permission to scan them

Pre-production

● Determine which services are supposed to be listening and make sure that those ports are open. If anything else is open, determine the service which is running and remove it.
  – lsof -i :[port] can help you determine which service is listening on what port
  – Record what is listening - capture a baseline reading

Pre-production

● Process Scanning
  – Do a process scan to see what is running and who is running it.
    ● ps -aux
    ● ps -ef
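As an added example (not part of the original deck), a small Python script that carries out the "record what is listening" step: it parses `lsof -i -P -n` output into a baseline of listening sockets and reports anything that appears or disappears in a later capture. The column layout assumed is lsof's documented COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; the two captures embedded in the script are constructed samples, and `capture_live()` assumes lsof is installed on the host you run it on.

```python
"""Record which services are listening and flag anything that changes.

Added example, not from the original deck.  Parses ``lsof -i -P -n`` output
(column layout COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME assumed)
so the "capture a baseline reading" step can be repeated and compared later.
"""
import json
import subprocess
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int]                          # (protocol, port)
Listeners = Dict[Listener, Set[Tuple[str, str]]]    # -> {(command, user)}

# Constructed sample: what a freshly built web server might show.
BASELINE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234 root    3u  IPv4  10456      0t0  TCP *:22 (LISTEN)
httpd    1400 root    4u  IPv6  10900      0t0  TCP *:80 (LISTEN)
sendmail 1501 root    4u  IPv4  11002      0t0  TCP 127.0.0.1:25 (LISTEN)
rpcbind   980 rpc     6u  IPv4   9800      0t0  UDP *:111
sshd     1234 root    5u  IPv4  10460      0t0  TCP 192.0.2.10:22->192.0.2.20:51234 (ESTABLISHED)
"""

# Constructed sample of a later capture: someone left a test web server running.
CURRENT_LSOF = BASELINE_LSOF + """\
python   2222 tcameron 3u  IPv4  12000      0t0  TCP *:8000 (LISTEN)
"""


def parse_listeners(lsof_output: str) -> Listeners:
    """Return listening sockets keyed by (proto, port).

    TCP sockets count only in LISTEN state; UDP sockets count when bound but
    not connected to a peer (no "->" in the NAME column).
    """
    listeners: Listeners = {}
    for line in lsof_output.splitlines():
        parts = line.split(None, 8)        # NAME may contain a space before "(LISTEN)"
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        cmd, _pid, user, _fd, _type, _dev, _off, node, name = parts
        if node not in ("TCP", "UDP"):
            continue
        if node == "TCP" and "(LISTEN)" not in name:
            continue
        if node == "UDP" and "->" in name:
            continue
        local = name.split("->", 1)[0].split(" ", 1)[0]   # e.g. "*:22" or "[::1]:25"
        _addr, port = local.rsplit(":", 1)
        listeners.setdefault((node, int(port)), set()).add((cmd, user))
    return listeners


def diff_listeners(baseline: Listeners, current: Listeners):
    """Ports that appeared since the baseline, and ports that disappeared."""
    new = {k: v for k, v in current.items() if k not in baseline}
    gone = {k: v for k, v in baseline.items() if k not in current}
    return new, gone


def report(new: Listeners, gone: Listeners) -> List[str]:
    """Human-readable lines, one per changed port, sorted for stable diffs."""
    lines = []
    for (proto, port), owners in sorted(new.items()):
        who = ", ".join("%s as %s" % o for o in sorted(owners))
        lines.append("NEW  %s/%d  (%s)" % (proto, port, who))
    for (proto, port), owners in sorted(gone.items()):
        who = ", ".join("%s as %s" % o for o in sorted(owners))
        lines.append("GONE %s/%d  (%s)" % (proto, port, who))
    return lines


def to_json(listeners: Listeners) -> str:
    """Serialise a baseline so it can be kept with the server's build records."""
    return json.dumps({"%s/%d" % k: sorted(v) for k, v in listeners.items()},
                      indent=2, sort_keys=True)


def capture_live() -> Listeners:
    """Run lsof on this host (needs lsof installed; not used by the sample run)."""
    out = subprocess.run(["lsof", "-i", "-P", "-n"], capture_output=True,
                         text=True, check=False).stdout
    return parse_listeners(out)


if __name__ == "__main__":
    base = parse_listeners(BASELINE_LSOF)
    now = parse_listeners(CURRENT_LSOF)
    print(to_json(base))
    for line in report(*diff_listeners(base, now)):
        print(line)
```

Run it once at build time, store the JSON next to the build documentation, and run the comparison again before go-live and after any change window; an unexpected `NEW` line is the cue to identify the service and remove it, as the slide says.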

    [ps aux output from the presenter's system: the column headers USER, PID, %CPU, %MEM, VSZ, RSS, TTY and STAT survive the extraction; the rows are not recoverable]

trusted.txt

Standard SELinux Sandbox

➔ Uses MCS Labels for separation
  ➔ Based on same technology as svirt/libvirt
  ➔ Apps have same types/access but can not interact.
➔ Excellent for scripting
  ➔ Pipe apps read stdin/write stdout
➔ Confinement of grid jobs
  ➔ Wrap grid jobs in sandbox wrapper

Confinement of Grid Jobs

➔ Allow administrator to wrap grid jobs in sandbox wrapper.
  ➔ Grid job can run on machines
  ➔ Can not attack machine
  ➔ Can not launch attacks on other machines.

    import os, sys

    # Tell sandbox where the job's Condor scratch directory is, then pass the
    # job's own command line through.  argv[0] must be the program name, or
    # sandbox would discard the -f option as its own name.
    SANDBOX_ARGS = ['/usr/bin/sandbox', '-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
    SANDBOX_ARGS.extend(sys.argv[1:])

    # Replace this wrapper process with sandbox, which runs the job confined.
    os.execv('/usr/bin/sandbox', SANDBOX_ARGS)

What about the desktop?

➔ How do I confine acroread?
➔ Large communications paths
  ➔ X Server
  ➔ File System
    ➔ Home Directory
    ➔ /tmp
  ➔ gconf
  ➔ Dbus

/usr/bin/sandbox

➔ Setup File System
  ➔ Creates new directories in $HOME and /tmp
  ➔ Select random MCS label (MCS1)
  ➔ Label directories sandbox_file_t:MCS1
  ➔ Copy executable/input files to homedir & /tmp.
  ➔ Create .sandboxrc in homedir with command
➔ Execute new utility seunshare
  ➔ seunshare [ -t tmpdir ] [ -h homedir ] -- CONTEXT sandboxX.sh [args]
➔ Delete temporary $HOME & /tmp
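As an added example (not the sandbox utility's own code), the MCS label step above modelled in Python: it picks a random two-category level, builds the file and process contexts that carry it, checks the MCS dominance rule that keeps two sandboxes from reaching each other's files even though both run as the same type, and assembles the seunshare command line shown above. The category range c0..c1023, the lower-category-first ordering, and the unconfined_u/unconfined_r parts of the contexts are assumptions made for the example.

```python
"""MCS label allocation and separation as used by the SELinux sandbox.

Added example, modelled on the steps the slides list for /usr/bin/sandbox;
not code from the sandbox utility itself.  Assumptions: categories run
c0..c1023, a level is written with the lower category first, and the user
and role parts of the contexts are unconfined_u / unconfined_r.
"""
import random
import re
from typing import List, Optional, Set

NUM_CATEGORIES = 1024                       # assumption: c0..c1023
MCS_RE = re.compile(r"^s0:c(\d+),c(\d+)$")  # only the two-category sandbox form


def gen_mcs(seed: Optional[int] = None) -> str:
    """Pick two distinct random categories, e.g. "s0:c17,c912" (the MCS1 step)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    c1 = rng.randrange(NUM_CATEGORIES)
    c2 = rng.randrange(NUM_CATEGORIES)
    while c2 == c1:                  # a level needs two different categories
        c2 = rng.randrange(NUM_CATEGORIES)
    if c1 > c2:
        c1, c2 = c2, c1
    return "s0:c%d,c%d" % (c1, c2)


def parse_mcs(level: str) -> Set[int]:
    """Category set of a sandbox level; rejects anything but s0:cN,cM."""
    m = MCS_RE.match(level)
    if not m:
        raise ValueError("not a sandbox MCS level: %r" % level)
    return {int(m.group(1)), int(m.group(2))}


def mcs_dominates(subject: str, obj: str) -> bool:
    """MCS rule: access is allowed only if the subject holds every category of the object."""
    return parse_mcs(obj) <= parse_mcs(subject)


def sandboxes_isolated(level_a: str, level_b: str) -> bool:
    """Two sandboxes are separated when neither label dominates the other.

    With two-category levels this reduces to "the labels differ", which is why
    a random label per sandbox is enough to keep instances apart.
    """
    return not mcs_dominates(level_a, level_b) and not mcs_dominates(level_b, level_a)


def file_context(level: str) -> str:
    """Label put on the private $HOME and /tmp copies (sandbox_file_t:MCS1 on the slide)."""
    return "unconfined_u:object_r:sandbox_file_t:" + level


def process_context(level: str, type_name: str = "sandbox_t") -> str:
    """Context the command runs in; sandbox -X uses sandbox_x_t and friends instead."""
    return "unconfined_u:unconfined_r:%s:%s" % (type_name, level)


def seunshare_cmdline(tmpdir: str, homedir: str, context: str, args: List[str]) -> List[str]:
    """seunshare [ -t tmpdir ] [ -h homedir ] -- CONTEXT sandboxX.sh [args]"""
    return (["/usr/sbin/seunshare", "-t", tmpdir, "-h", homedir, "--", context,
             "/usr/share/sandbox/sandboxX.sh"] + list(args))


if __name__ == "__main__":
    a, b = gen_mcs(), gen_mcs()
    print("sandbox A:", process_context(a), "files:", file_context(a))
    print("sandbox B:", process_context(b), "files:", file_context(b))
    print("A and B isolated:", sandboxes_isolated(a, b))
    print(" ".join(seunshare_cmdline("/tmp/.sandbox_tmp", "/home/tcameron/.sandbox",
                                     process_context(a, "sandbox_x_t"), ["firefox"])))
```

The dominance check is the whole point of the random label: both sandboxes run as `sandbox_t` with identical type-enforcement rights, but a process at `s0:c17,c912` cannot read a file labelled `sandbox_file_t:s0:c3,c640` because it lacks that file's categories, while the administrator's full range still dominates both and can clean up afterwards.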

/usr/sbin/seunshare

➔ C Setuid Program
➔ unshare
  ➔ Disassociate the mount namespace
➔ mount
  ➔ bind mount new $HOME and /tmp
➔ setexeccon
  ➔ Set the SELinux context to run the command
➔ Drop all capabilities
➔ exec /usr/share/sandbox/sandboxX.sh

Sandbox X Components

➔ Xephyr
  ➔ XACE does not work
    ➔ XACE good for MLS but not for Type Enforcement
    ➔ X Applications expect full access to X server and die when denied any access
  ➔ Every sandbox app gets its own X Server
➔ Window Manager
  ➔ Need window manager to run app with full screen
  ➔ Matchbox-window-manager
  ➔ Optional flag -W metacity

    sandbox -X -t sandbox_web_t -W metacity firefox

➔ Application
  ➔ Gnome/GTK apps create content on the fly
  ➔ Firefox creates a new .mozilla dir etc.

SELinux Policy

➔ sandbox_xserver_t
➔ Default type sandbox_x
  ➔ sandbox_x_t
  ➔ sandbox_x_client_t
    ➔ Only Print Networking, No Setuid, very little privileges
  ➔ sandbox_x_file_t
➔ sandbox_web - Connect to apache ports
➔ sandbox_net - Connect to all ports
➔ sandbox_x_domain_template(sandbox_x)

sandbox -X

➔ Problems
  ➔ Window can not resize
    ➔ Xephyr does not support re-size yet, hopefully soon
  ➔ Rootless X Server
  ➔ No Cut and Paste
  ➔ User confusion
    ➔ Don't want to write a document while in a sandbox

sandbox -X

➔ Future
  ➔ MLS?
  ➔ Save sandbox dir?

Sandboxing

● Demo - GNOME
● Demo - Evince

Kiosk

● Demo of xguest

Questions? http://people.redhat.com/tcameron