Protect your server with SELinux on SUSE Linux Enterprise Server 11 SP Sander van Vugt

Similar documents
Best practices with SUSE Linux Enterprise Server Starter System and extentions Ihno Krumreich

Using Linux Containers as a Virtualization Option

How To Make Databases on SUSE Linux Enterprise Server Highly Available Mike Friesenegger

SUSE Linux Enterprise Kernel Back to the Future

Managing Linux Servers Comparing SUSE Manager and ZENworks Configuration Management

SUSE OpenStack Cloud. Enabling your SoftwareDefined Data Center. SUSE Expert Days. Nyers Gábor Trainer &

Linux and z Systems in the Datacenter Berthold Gunreben

Essentials. Johannes Meixner. about Disaster Recovery (abbreviated DR) with Relax-and-Recover (abbreviated ReaR)

Provisioning with SUSE Enterprise Storage. Nyers Gábor Trainer &

Open Enterprise & Open Community

Novell SLES 10/Xen. Roadmap Presentation. Clyde R. Griffin Manager, Xen Virtualization Novell, Inc. cgriffin at novell.com.

SaltStack and SUSE Systems and Configuration Management that Scales and is Easy to Extend

Build with SUSE Studio, Deploy with SUSE Linux Enterprise Point of Service and Manage with SUSE Manager Case Study

SUSE Manager Roadmap OS Lifecycle Management from the Datacenter to the Cloud

Linux High Availability on IBM z Systems

SUSE Linux Enterprise High Availability Extension

Docker Networking In OpenStack What you need to know now. Fawad Khaliq

SICOOB. The Second Largest Linux on IBM System z Implementation in the World. Thiago Sobral. Claudio Kitayama

SUSE Manager in Large Scale 17220

Introduction to Software Defined Infrastructure SUSE Linux Enterprise 15

SUSE An introduction...

Cloud in a box. Fully automated installation of SUSE Openstack Cloud 5 on Dell VRTX. Lars Everbrand. Software Developer

From GIT to a custom OS image in a few click OS image made easy

SUSE Manager and Salt

Define Your Future with SUSE

Welcome to SUSE Expert Days 2017 Service Delivery with DevOps

Saving Real Storage with xip2fs and DCSS. Ihno Krumreich Project Manager for SLES on System z

BOV89296 SUSE Best Practices Sharing Expertise, Experience and Knowledge. Christoph Wickert Technical Writer SUSE /

Exploring History with Hawk

A Carrier-Grade Cloud Phone System

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

Expert Days SUSE Enterprise Storage

Exploring the High Availability Storage Infrastructure. Tutorial 323 Brainshare Jo De Baer Technology Specialist Novell -

Secure Authentication

Novell Infiniband and XEN

SELinux Updates. Thorsten Scherf Senior Consultant. Red Hat Global Professional Services Berlin / Germany

SDS Heterogeneous OS Access. Technical Strategist

Saving Your Bacon Recovering From Common Linux Startup Failures

Samba HA Cluster on SLES 9

Using Crowbar to Deploy Your OpenStack Cloud. Adam Spiers Vincent Untz John H Terpstra

The opensuse project. Motivation, Goals, and Opportunities. Sonja Krause-Harder Michael Löffler. March 6, 2006

DevOps with SUSE: How SUSE Manager, SUSE Studio and SUSE Cloud APIs Facilitate Continuous Software Delivery. Wolfgang Engel.

SELinux. Thorsten Scherf. Red Hat EMEA. October 2015

Unleash the Power of Ceph Across the Data Center

Before We Start... 1

Too Many Metas A high level look at building a metadata desktop. Joe Shaw

SELinux For Mere Mortals

Gaps and Overlaps in Identity Management Solutions OASIS Pre-conference Workshop, EIC 2009

openqa making QA interesting since 2013 Ondrej Holecek /aaannz/

SELINUX SUPPORT IN HFI1 AND PSM2

SELinux Introduction. Jason Zaman FOSSASIA 2017 March 17th - 19th blog.perfinion.com

SUSE Linux Enterprise 11

Scaling a Highly Available Global SUSE Manager Deployment at Rackspace to Manage Multiple Linux Platforms

Demystifying SELinux:

Hands-on with Native Linux Containers (LXC) Workbook

96Boards Enablement for opensuse

VSP16. Venafi Security Professional 16 Course 04 April 2016

Software Defined. All The Way with OpenStack. T. R. Bosworth Senior Product Manager SUSE OpenStack Cloud

SELinux Policy Development. Jason Zaman FOSSASIA 2018 March 24 blog.perfinion.com

10/23/12. Fundamentals of Linux Platform Security. Linux Platform Security. Roadmap. Security Training Course. Module 4 Introduction to SELinux

Know your competition A review of qemu and KVM for System z

Access Control. SELinux. Mestrado Integrado em Engenharia Informática e Computação. Computer Systems Security

SUSE. High Performance Computing. Kai Dupke. Meike Chabowski. Senior Product Manager SUSE Linux Enterprise

openqa features capabilities bugs Ondrej Holecek /aaannz/

Fun with SELinux. Writing SELinux Policy Permissive Domains Real bugs. Miroslav Grepl Presented by

IO110: Open Enterprise Server 2. Hardware you can hit with a hammer, software you can only curse at...

openqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager

Packaging made easy. How the opensuse build service makes building packages easy for developers who don't care about packaging

SELinux Workshop Redux. Jamie Duncan, Senior Technical Account Manager RVaLUG - 18 April 2014

Security Enhanced Linux. Thanks to David Quigley

Virtualization at Scale in SUSE Linux Enterprise Server

Troubleshooting Your SUSE TUT6113. Cloud. Paul Thompson SUSE Technical Consultant. Dirk Müller SUSE OpenStack Engineer

openqa Avoiding Disasters of Biblical Proportions Marita Werner QA Project Manager

Collecting data from IoT devices using Sigfox network

Zdeněk Kubala Senior QA

SELi He nux a dlin in F e edora 8 Dan N W am als e h Red D H a at te

Novell Data Synchronizer Mobility Pack Overview. Novell. Readme. January 28, 2013

SELinux. Daniel J Walsh SELinux Lead Engineer

SELINUX FOR MERE MORTALS

High Availability for Highly Reliable Systems

Using Manage Alarm Tool

Avaya Aura Call Center Elite Multichannel Documentation Roadmap

Advanced patching of SUSE Linux Enterprise Server 10 with ZENworks Linux Management 7.2

3 Mobility Pack Installation Instructions

SELinux Workshop Redux Jamie Duncan, Red Hat RVaLUG 19 April 2014

2/26/13. Hands-on SELinux: A Practical Introduction. Roadmap. SELinux Tools. Security Training Course. Day 1: Day 2: GUI

Version is the follow-on release after version 8.1, featuring:

April Understanding Federated Single Sign-On (SSO) Process

What's New with SUSE Linux Enterprise Server for z Systems

User Guide for Avaya Equinox Add-in for IBM Lotus Notes

amdgpu Graphics Stack Documentation

October Oracle Application Express Statement of Direction

SELinux Basics. Clint Savage Fedora Ambassador. Fedora Classroom November 9, 2008

Samba and Ceph. Release the Kraken! David Disseldorp

IP Office 9.0 IP Office Server Edition Reference Configuration

Veritas NetBackup and Oracle Cloud Infrastructure Object Storage ORACLE HOW TO GUIDE FEBRUARY 2018

The Journey of an I/O request through the Block Layer

The issues included in this document were identified in Novell ZENworks 7.3 Linux Management with Interim Release 3 (IR3).

BC403 Advanced ABAP Debugging

9/18/14. Hands-on SELinux: A Practical Introduction. Roadmap. SELinux Tools. Security Training Course. Day 1: Day 2: GUI

Transcription:

Protect your server with SELinux on SUSE Linux Enterprise Server 11 SP Sander van Vugt Instructor, Consultant and Author Sandervanvugt.nl

About Sander van Vugt Trainer, consultant and author Doing much work on SUSE Linux Enterprise as well as the other distribution (and started to appreciate SELinux on that distribution) www.sandervanvugt.{com org nl} mail@sander.fr 2

Why would you need kernel level security anyway? Some things cannot be handled with permissions and firewalls alone... Just updating your server doesn't protect against badly written scripts or zero-day exploits Restricting on permissions isn't always feasible (you don't want to take away other permissions on /tmp for instance) Firewall protection is also limited 3

What are your options for kernel level security? SELinux or AppArmor AppArmor is the current default in SLES 11 Large market demand for SELinux More vivid community for SELinux SELinux is more thorough, but more complex as well Solutions building their own lists of syscalls to be blocked 4

SELinux Status in SUSE Linux Enterprise Server 11 SP 3 Complete Support for the stack Consult your SUSE support engineer to find out about policy support Binary support still developing What it comes down to: install the refpolicy, find out that it doesn't do what you need it to do and walk the long road of having it do what you need it to do This session helps you taking the first steps 5

SELinux in SLES12 AppArmor will still be the default solution Many customers are using AppArmor and want to keep using it SELinux will be fully supported as well and a small MLS policy will be provided to protect specific parts of a system Developing an all-including policy is on the roadmap 6

Overview

What is SELinux All syscalls are are denied by default, unless specifically enabled All objects (files, ports, processes etc.) are provided with a security label (the context) User, role and type part in the context Type part is the most important The SELinux policy contains rules where you can see which source context has access to which target context 8

SELinux Components The Policy is the key component It defines the security contexts for type enforcements That means: if you use ls -Z on a directory, you'll find a context user, role and type and the policy knows how to handle that. It all comes down to a line like the following that is defined in the policy: allow user_t bin_t : file {read execute getattr}; This states that user_t (the source) has allow to bin_t (the target) on the object class file with the permissions read execute and getattr The SELinux Policy has tens of thousands of rules Which makes it extremely complex 9

Refpolicy: mother of all policies The refpolicy is a generic fully functional policy managed as a free software project Application developers provide code for the Refpolicy, where after peer review it can be included Refpolicy is a common base for distributions that only need to make modifications to it Because of differences that in some cases are huge, making these changes can be hard 10

Using Policy Features MLS is multi level security, every object gets a security clearance label MCS (Multi Category Security) is MLS but less detailed Targeted is the normal policy without MLS Support of features is indicted by policy version, current is 28. Compile policy to support different options How to handle unknown permissions? Do or don't support unconfined domains? 11

Compiling the Policy Monolithic: One huge policy Don't use it anymore! Modular: Different rules are groups in modules, which makes it more readable and less complicated to manage 12

Managing SELinux

Managing SELinux means applying context You can find the context you need on default objects From the _selinux man page (if available) Using semanage fcontext -l From the policy itself (may be hard) 14

Managing SELinux Setting the Appropriate Contexts Use semanage fcontext -l to find available contexts Use semanage fcontext -a -t your_content_t /web(/.*)? Use restorecon -R -v / to relabel Setting Booleans Use semanage boolean -l to get an overview of available Booleans Use getsebool -a for an overview Use setsebool -P your_boolean on to switch on a boolean 15

Understanding SELinux Modes Set mode while booting Enforcing: Active and Armored Permissive: Active, but only logging Use this while setting up your system! Log messages are in /var/log/audit/audit.log Disabled Are there good reasons to switch to disabled? 16

Applications and SELinux Most applications are not SELinux aware Some applications are and they make active SELinux calls These applications behave differently than expected on a system where SELinux code is active Check your application with ldd Most applications on SUSE are not native SELinux 17

Configuring SELinux on SLES

Installing SELinux on SUSE Linux Enterprise Server Install all SELinux Packages Use YaST for easy selection Install a Policy Install the refpolicy source file from OpenSUSE.org Enable GRUB Boot Options and reboot security=selinux selinux=1 enforcing=0 Compile the policy and reboot 19

Compiling the Policy Extract the tarball to /etc/selinux/refpolicy Edit /etc/selinux/refpolicy/build.conf DISTRO = suse UNK_PERMS = allow DIRECT_INITRC = y MONOLITHIC = n Leave other params to their default Run make load from /etc/selinux/refpolicy Reboot Fix a small bug and run make relabel for file system labelling semanage fcontext -a -e /dev /lib/udev/devices restorecon -Rv / 20

At This Point: Verify the Installation Use sestatus -v Shows current mode and process / file contexts Use semanage boolean -l Lists all boolean switches to change policy settings and at the same time verifies access to the policy Use semanage fcontext -l Lists all file contexts and verifies policy access 21

Tuning Policy Modules

About Policy Modules Policy modules provide the base chunks of SELinux functionality semodule -l Shut off all rules for a part of the system by unloading the corresponding policy (not very useful) semodule -d Or compile a new module that allows all you need to accomplish: use audit2allow 23

Modifying Policies manually Input files are in /etc/selinux/refpolicy/policy/modules/services *.te files contain everything a module needs to have *.if files define how other policy modules get access to this policy *.fc files contain the labeling instructions After modifying the input files, run make && make install && make load to activate them 24

Using Audit2allow Audit2allow helps analyzing the log messages in /var/log/audit/audit.log audit2allow -w -a presents the audit information in a more readable way audit2allow -a shows the type enforcement rule that allows the denied access audit2allow -a -M blah creates a te file and a compiled pp file that will allow the denied access After creating the new module, use semodule -i modulename.pp to execute it Be careful when using audit2allow 25

Disabling SELinux for a single service semanage permissive -a somelabel_t Get an overview of current permissive domains using semanage permissive -l Not supported on all environments 26

More information Refpolicy project: http://oss.resys.com/projects/refpolicy Dan Walsh blog: http://danwalsh.liveblog.com Sven Vermeulen, SELinux System Administration (ISBN 978-1-78328-317-0) 27

Questions? Thank you. 28

Corporate Headquarters Maxfeldstrasse 5 90409 Nuremberg Germany +49 911 740 53 0 (Worldwide) www.suse.com Join us on: www.opensuse.org 29

Unpublished Work of SUSE. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback