Operating system hardening

Operating system hardening. Comp Sci 3600 Security

Outline 1 2 3 4 5 6

What is OS hardening? A process that includes planning, installation, configuration, update, and maintenance of the operating system and the key applications in use. Today, we will provide a general overview, and next week, we will go over the process, from start to finish, of installing and securing a personal computing setup, along with software choices for secure data storage and transmission.

OS architecture. The layers, top to bottom: user applications and utilities; operating system kernel; physical hardware; BIOS / SMM (Figure 12.1, Operating System Security Layers). Each of these layers of code needs appropriate hardening measures in place to provide appropriate security services. And each layer is vulnerable to attack from below, should the lower layers not also be secured appropriately: code running in the BIOS or in SMM sits beneath the kernel's view, so kernel and application controls can neither detect nor stop it.

Things to consider during enterprise system planning:
- The purpose of the system, the type of information stored, the applications and services provided, and their security requirements.
- The categories of users of the system, the privileges they have, and the types of information they can access.
- How the users are authenticated.
- How access to the information stored on the system is managed.
- What access the system has to information stored on other hosts, such as file or database servers, and how this is managed.
- Who will administer the system, and how they will manage the system (via local or remote access).
- Any additional security measures required on the system, including the use of host firewalls, anti-virus or other malware protection mechanisms, and logging.

Operating system installation and hardening steps:
- Install and patch the operating system.
- Harden and configure the operating system to adequately address the identified security needs of the system by removing unnecessary services, applications, and protocols; configuring users, groups, and permissions; and configuring resource controls.
- Install and configure additional security controls, such as host-based firewalls or intrusion detection systems (IDS), if needed.
- Test the security of the basic operating system to ensure that the steps taken adequately address its security needs.

Secure installation. Installation procedures begin with the installation of the operating system.
- Check the hash of the installation media to ensure validity (and verify the publisher's signature on the hash file; on its own, a hash downloaded from the same place as the image only proves the download was not corrupted).
- Encrypt the full hard disk during installation.
- Install only the minimum needed software.
- Install in an isolated environment (the OS is vulnerable until patched).
- Set a BIOS boot and configuration password.
- Avoid installing non-open binary drivers, especially ones with kernel access.
- Patch the operating system to the most current level, and enable security updates.

Minimizing attack surface. Ideally, install only the minimum software needed. However, if a standard install image is required, then remove the extras. Further, disable any unneeded protocols and services: anything listening on the network is reachable by an attacker before any authentication takes place.

Users, groups, authentication
- Determine the needed permissions for each user of the system.
- Map user permissions to groups of users.
- Minimize the time that administrators work under elevated privilege.
- Remove any default or guest accounts, and change any default passwords.

Configure resource controls. Once the users and their associated groups are defined, appropriate permissions can be set on data and resources to match the specified policy. Some users get access to a limited set of software; some users get access to a limited set of directories or files.

Install or configure extra security-related software. Host-based firewall (e.g., iptables/netfilter). Application whitelisting, allowing only a specific list of programs to run.

Test your security. Check assumptions about system behavior. Try to run non-whitelisted applications. Use nmap and wireshark, from another host, to probe network behavior (what is actually listening, and what the firewall actually passes), etc.

Applications. Once the base operating system is installed and appropriately secured, the required services and applications must next be installed and configured.

Which software to install? Applications may come from additional packages provided with the operating system distribution, or from a separate third-party package. As with the base operating system, using an isolated, secure build network is preferred. OS repositories employ signatures and hashes on files to ensure integrity; use them. For third-party applications, always check the signature reported by the developer, against a key obtained through some channel other than the download itself. Do not install untrusted applications; at minimum, exclude anything closed-source or for which you do not have access to the source code, the ideal being highly scrutinized open projects.
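As an added example (not part of the lecture), here is a small POSIX shell routine for the integrity check recommended on both the installation slide and the slide above: it compares the SHA-256 of a downloaded image or package against a published checksum file, and separately verifies the checksum file's detached OpenPGP signature with a keyring you obtained out of band. The file names (os.iso, SHA256SUMS, SHA256SUMS.gpg, vendor-keyring.gpg) are placeholders, not any particular distribution's. The order matters: check the signature over the checksum file first, then the hash, because a hash served next to the image proves nothing against whoever served the image.

```shell
#!/bin/sh
# Added example: verify a downloaded installer or package against a published
# checksum file, then verify the checksum file's detached signature.
# File names used here are placeholders, not a specific distribution's.

# verify_media FILE SUMSFILE
# SUMSFILE holds lines in the sha256sum format: "<64 hex chars>  <name>"
# (some publishers write "<hex> *<name>" for binary mode; both are accepted).
# Returns 0 only if FILE has an entry and its SHA-256 matches it.
verify_media() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_media: no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_media: SHA-256 mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "verify_media: $name ok"
}

# verify_sums_signature SUMSFILE SIGFILE KEYRING
# Checks the detached signature over SUMSFILE using only the keys in KEYRING,
# so a key that merely happens to be in your default keyring is not trusted.
# KEYRING must have been obtained through a channel independent of the download
# (a fingerprint printed in documentation, a key shipped with a previous
# trusted install, a signed package from a repository you already trust, ...).
verify_sums_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Typical use (placeholder names): signature first, then the hash.
#   verify_sums_signature SHA256SUMS SHA256SUMS.gpg ./vendor-keyring.gpg \
#       && verify_media os.iso SHA256SUMS
```

gpg treats a bare keyring name as relative to its home directory, hence the ./ prefix on the keyring path in the usage comment. The same verify_media routine works for a third-party tarball whose author publishes a SHA256SUMS file beside it.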

Configure applications. Check default configurations. For example, the permissions granted to the web serving software on your server may allow software that is merely serving a static site to write files; a server that only reads content should not be able to modify its own document root.

File-level encryption and keys. In addition to the whole disk, you can encrypt particular folders, or an entire home directory. Set up key exchange and signing, for example for your website's certificate, by having a CA sign your public key (the CA issues a certificate over the public key; the private key never leaves your server). Set up and choose secure options for your SSH configuration, and create and exchange keys with clients.

Security maintenance
- Monitoring and analyzing logging information.
- Performing regular backups.
- Recovering from compromises.
- Regularly testing system security.
- Using appropriate software maintenance processes to patch and update all critical software, and to monitor and revise configuration as needed.

Logging. Logging is a reactive control that can only inform you about bad things that have already happened. But effective logging helps ensure that, in the event of a system breach or failure, system administrators can more quickly and accurately identify what happened and thus most effectively focus their remediation and recovery efforts. Logs kept only on the host can be erased by an attacker who gains root, so forward them to a separate log host as well.
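Added example (not from the lecture) of the "analyzing logging information" step: a shell function that summarizes sshd password-guessing per source address from syslog-style auth log lines, and flags the case that matters most, a source that guessed and then succeeded. The log lines are constructed for this example, using documentation address ranges; the message formats are the ones sshd actually writes. The log file path depends on the distribution (/var/log/auth.log on Debian-family systems, /var/log/secure on Red Hat-family, or the journal).

```shell
#!/bin/sh
# Added example: summarize sshd authentication failures per source address
# from syslog-style auth log lines (Debian: /var/log/auth.log,
# Red Hat: /var/log/secure, or `journalctl -u ssh` / `-u sshd` output).

# sshd_brute_report [THRESHOLD]
# Reads log lines on stdin. Prints "<failures> <ip> accepted=<n>" for every
# source with at least THRESHOLD (default 5) failed password attempts, most
# active first. accepted>0 on such a line means a login eventually succeeded
# from an address that was guessing: treat it as a likely compromise, not as
# noise. Returns 1 if any source crossed the threshold, else 0.
sshd_brute_report() {
    threshold=${1:-5}
    report=$(awk -v t="$threshold" '
        # sshd writes "... for [invalid user] NAME from IP port N ssh2";
        # the token after "from" is the source address whatever the prefix.
        function src(    i) {
            for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for/               { fails[src()]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ { ok[src()]++ }
        END {
            for (ip in fails)
                if (fails[ip] >= t)
                    printf "%d %s accepted=%d\n", fails[ip], ip, ok[ip] + 0
        }
    ' | sort -rn)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample lines (not from a real host); addresses are from the
# documentation ranges. 203.0.113.7 guesses four times, then gets in.
SAMPLE_LOG='Mar  3 10:12:01 host sshd[1203]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:12:03 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:12:05 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Mar  3 10:12:08 host sshd[1209]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar  3 10:12:11 host sshd[1211]: Accepted password for alice from 203.0.113.7 port 51026 ssh2
Mar  3 10:13:00 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:14:02 host sshd[1220]: Failed password for bob from 198.51.100.4 port 40021 ssh2
Mar  3 10:14:09 host sshd[1222]: Accepted publickey for bob from 198.51.100.4 port 40022 ssh2'

# Demo: `sh this_file.sh demo` runs the report over the sample with threshold 3.
# On a live host: journalctl -u ssh --since today | sshd_brute_report 5
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | sshd_brute_report 3
fi
```

With threshold 3 the sample yields one line, 4 203.0.113.7 accepted=1, and bob's single typo from 198.51.100.4 is not reported. Once password logins are disabled in sshd, the Failed password lines stop appearing, which is the point of the SSH hardening later in these slides.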

Backup and archive. Are backups on-site or off-site? Are backups encrypted? Does the procedure transfer data across the network, and if so, how (and is that channel authenticated and encrypted)?

Unix/Linux hardening. Most servers will be Unix or Linux. There is an extensive documentation base for hardening them.

Security updates. Modern Unix and Linux distributions typically include tools for automatically downloading and installing software updates, including security updates, which can minimize the time a system is vulnerable to known vulnerabilities for which patches exist. Packages are cryptographically signed by the packager, and signatures are checked before installation. Red Hat / Fedora use dnf, openSUSE uses zypper (or the YaST front end), Debian uses apt-get, etc.

Application and service configuration. Configuration of applications and services on Unix and Linux systems is most commonly implemented using separate text files for each application and service. System-wide configuration details are generally located either in the /etc directory or in the installation tree for a specific application. Where appropriate, individual user configurations that can override the system defaults are located in hidden dot files in each user's home directory. The name, format, and usage of these files are very much dependent on the particular system version and applications in use.

Set permissions on files.
- Unix and Linux systems implement discretionary access control on all file system resources. These include not only files and directories but also devices, processes, memory, and indeed most system resources.
- Use chmod, chown, getfacl, setfacl, and other user and group management commands to configure permissions and access.
- Information on user accounts and group membership is traditionally stored in the /etc/passwd and /etc/group files (password hashes in /etc/shadow, readable only by root).
- Remove default or guest users; change default passwords, if any.
- Minimize the number of programs that need to run as root, including setuid-root executables.
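As an added example (not the lecture's own material), the shell function below audits a directory tree for the three permission problems a hardening pass most often finds, and the demo shows the chmod fixes. Run it against / as root on a real host; the demo builds a throwaway tree under a temporary directory so it can be tried without privileges. The find predicates are standard; the message wording is this example's own.

```shell
#!/bin/sh
# Added example: audit a tree for the permission problems that matter most on
# a hardened host. Run against / as root on a real system so nothing is hidden
# by unreadable directories.

# audit_perms ROOT
# Prints one line per finding and returns 1 if anything was found, 0 if clean:
#   - world-writable regular files (any user can plant content or code)
#   - world-writable directories without the sticky bit (any user can delete
#     or rename other users' files; /tmp is 1777 for exactly this reason)
#   - setuid/setgid executables (each one is a privilege boundary to review;
#     every one you can drop shrinks the set of programs that run as root)
# -xdev keeps find on ROOT's filesystem so /proc, /sys and mounts are skipped.
audit_perms() {
    root=$1
    report=$({
        find "$root" -xdev -type f -perm -0002 2>/dev/null \
            | sed 's|^|world-writable file: |'
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null \
            | sed 's|^|world-writable dir without sticky bit: |'
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
            | sed 's|^|setuid/setgid: |'
    })
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Fixes, for reference:
#   chmod u-s,g-s FILE          drop a setuid/setgid bit you cannot justify
#   chmod 0644 FILE             world-readable, owner-writable data file
#   chmod 1777 DIR  (or 2775)   shared directory: sticky bit, or group-owned
#   chmod 0640 FILE && chown root:adm FILE
#                               tighten first, then hand over ownership
#   setfacl -m u:www-data:r FILE
#                               per-user read access without opening the
#                               file to everyone (getfacl FILE to inspect)

# Demo (`sh this_file.sh demo`): one of each problem, audit, fix, audit again.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    mkdir "$d/bin" "$d/shared" "$d/tmp"
    printf 'stub\n' > "$d/bin/tool"; chmod 4755 "$d/bin/tool"   # setuid
    printf 'stub\n' > "$d/notes";    chmod 0666 "$d/notes"      # world-writable
    chmod 0777 "$d/shared"                                       # no sticky bit
    chmod 1777 "$d/tmp"                                          # fine: sticky
    audit_perms "$d"
    chmod u-s "$d/bin/tool"; chmod 0644 "$d/notes"; chmod 1777 "$d/shared"
    audit_perms "$d" && echo "fixed: $d is clean"
    rm -rf "$d"
fi
```

The sticky-bit test is what keeps a correctly configured /tmp out of the report while still catching an ad hoc 0777 share. Setuid findings are a review list, not automatically a defect: su, sudo and passwd need the bit, but a stray setuid copy of a shell or of an interpreter is a ready-made root escalation.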

Set up remote access. Minimize the ability to access your system remotely, if at all. Close unnecessary incoming ports. Use iptables/netfilter (or its successor nftables) on Linux, or pf on BSD-based systems, with a default-deny policy for inbound traffic.
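Added example (not part of the lecture) for the remote-access slide above and the earlier "choose secure options for your SSH configuration" point: an audit function that reads an sshd configuration and reports the settings that most often leave a host exposed, plus a function that writes a hardening drop-in. The keywords are real sshd_config keywords; the drop-in file name 50-hardening.conf and the admin group name are this example's choices. Feed the audit the effective configuration from sshd -T rather than the raw file, because sshd keeps the first value it sees for each keyword and drop-ins included near the top of sshd_config silently win over later lines.

```shell
#!/bin/sh
# Added example: check an sshd configuration for weak settings and write a
# hardening drop-in. Keyword names are real sshd_config keywords; the file
# name and the group name are this example's own choices.

# audit_sshd_config   (reads "Keyword value" lines on stdin)
# Prefer the effective configuration, `sshd -T | audit_sshd_config`, over the
# raw file: sshd uses the first value it sees for a keyword, so an Include'd
# drop-in overrides later lines in sshd_config, and Match blocks add per-user
# overrides that a flat read of one file would misattribute to everyone.
# Prints one line per weak setting; returns 1 if any were found, else 0.
audit_sshd_config() {
    findings=$(awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        { k = tolower($1); v = tolower($2); seen[k] = 1 }
        k == "permitrootlogin"        && v != "no"  { print "PermitRootLogin " $2 " (set no; log in as a user, then sudo)" }
        k == "passwordauthentication" && v == "yes" { print "PasswordAuthentication yes (use keys only)" }
        k == "permitemptypasswords"   && v == "yes" { print "PermitEmptyPasswords yes" }
        k == "x11forwarding"          && v == "yes" { print "X11Forwarding yes (disable unless needed)" }
        END {
            # an absent keyword means the compiled-in default applies, and for
            # PasswordAuthentication that default is yes
            if (!("passwordauthentication" in seen))
                print "PasswordAuthentication unset (sshd default is yes)"
        }
    ')
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# write_sshd_hardening DIR ADMIN_GROUP
# Writes DIR/50-hardening.conf for /etc/ssh/sshd_config.d/ (the Include
# directive exists from OpenSSH 8.2; on older servers put the same lines at
# the top of sshd_config). ADMIN_GROUP must already exist and contain every
# account that needs SSH, or you lock yourself out. Older releases spell
# KbdInteractiveAuthentication as ChallengeResponseAuthentication.
write_sshd_hardening() {
    dir=$1
    group=$2
    cat > "$dir/50-hardening.conf" <<EOF
# Written by write_sshd_hardening (added example); review before deploying.
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups $group
EOF
}

# Typical use on the host (as root), keeping the current session open until a
# fresh key-based login has been confirmed from another terminal:
#   sshd -T | audit_sshd_config
#   write_sshd_hardening /etc/ssh/sshd_config.d sshadmins
#   sshd -t && systemctl reload ssh      # unit is sshd on Red Hat-family systems
```

Client keys for the "create and exchange keys with clients" step come from ssh-keygen -t ed25519 on each client, with the public half appended to ~/.ssh/authorized_keys on the server before password logins are switched off.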

chroot jail. Restricts a running process to a subset of the file system by mapping the process's view of root to a sub-directory of the real root. Not all processes tolerate this well, and it can require including more directories (libraries, devices, configuration) in the jail. If a process can run as root, it is possible to break out of the jail; chroot was never designed as a security boundary against root, so for stronger isolation use namespaces/containers, seccomp, or a virtual machine.

Virtualization. Software simulates hardware, so that an operating system can run inside software. Full virtualization: almost complete simulation of the actual hardware to allow software, which typically consists of a guest operating system, to run unmodified. Paravirtualization: the hardware environment is not fully simulated; instead, the guest programs are executed in their own isolated domains, as if they were running on a separate system. Guest programs need to be specifically modified to run in this environment.

Hypervisors. A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.

Hypervisor types
- Type-1, native or bare-metal hypervisors run directly on the host's hardware to control the hardware and to manage guest operating systems. For this reason, they are sometimes called bare-metal hypervisors. Xen, for example. These are generally considered more secure than type 2, since there is no general-purpose host operating system underneath the guests to be attacked.
- Type-2 or hosted hypervisors run on a conventional operating system (OS) just as other computer programs do. A guest operating system runs as a process on the host. Type-2 hypervisors abstract guest operating systems from the host operating system. VirtualBox, for example.

Type 1: bare metal / native hypervisor. Figure 12.2 (Native Virtualization Security Layers): each guest (Guest O/S 1 ... Guest O/S n) has its own user apps and kernel; the hypervisor/VMM sits directly on the physical hardware and BIOS / SMM.

Type 2: hosted hypervisor. Figure 12.3 (Hosted Virtualization Security Layers): the hypervisor/VMM runs on the host operating system kernel beside other user apps; each guest (Guest O/S 1 ... Guest O/S n), with its own user apps and kernel, runs inside it; beneath the host kernel are the physical hardware and BIOS / SMM.

Virtualbox: Type 2

Third type: Containers (OS-level virtualization). The kernel allows the existence of multiple isolated user-space instances. Such instances, called containers, partitions, virtualization engines (VEs) or jails (FreeBSD jail or chroot jail), may look like real computers from the point of view of programs running in them. A typical program can see all resources (connected devices, files and folders, network shares, CPU power, quantifiable hardware capabilities) of the computer, but programs running inside a container can only see the container's contents and the devices assigned to the container. This can be seen as an advanced implementation of the standard chroot mechanism, which changes the apparent root directory for the current running process and its children; on Linux it is built from kernel namespaces. The kernel provides resource-management features (cgroups on Linux) to limit the impact of one container's activities on other containers. Unlike a VM, all containers share the host kernel, so a kernel vulnerability reachable from inside one container compromises the host and every other container.

Example container: Docker

Container options

Subgraph OS: container-style application sandboxes (Linux namespaces and seccomp) for isolation

Qubes OS: bare-metal hypervisor (Xen) with a full VM per security domain for isolation

Qubes OS: detailed

Security and virtualization
- Guest OS isolation: ensuring that programs executing within a guest OS may only access and use the resources allocated to it, and not covertly interact with programs or data either in other guest OSs or in the hypervisor.
- Guest OS monitoring by the hypervisor, which has privileged access to the programs and data in each guest OS, and must be trusted as secure from subversion and compromised use of this access.
- Virtualized environment security, particularly image and snapshot management, which attackers may attempt to view or modify (a stored image contains the guest's disk, including credentials and keys, and a snapshot contains its memory).
- Minimize access to the hypervisor.