SECURITY MANAGEMENT FOR SE LINUX

Similar documents
COMPOSABILITY, PROVABILITY, REUSABILITY (CPR) FOR SURVIVABILITY

DETECTOR AND EXTRACTOR OF FILEPRINTS (DEF) PROTOTYPE

MODULAR AVIONICS TEST EQUIPMENT (MATE 390) TEST PROGRAM SET (TPS) DEMONSTRATION

AIR FORCE ENTERPRISE DEFENSE (AFED)

DoD Common Access Card Information Brief. Smart Card Project Managers Group

Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme

NAVAL POSTGRADUATE SCHOOL

AFRL-ML-WP-TM

A PROOF OF CONCEPT FOR 10x+ EFFICIENCY GAINS FOR MULTI-SENSOR DATA FUSION UTILIZING A HOWARD CASCADE PARALLEL PROCESSING SYSTEM

Center for Infrastructure Assurance and Security (CIAS) Joe Sanchez AIA Liaison to CIAS

Approaches to Improving Transmon Qubits

NAVAL POSTGRADUATE SCHOOL

INTELLIGENT SECURITY CONSOLE ARCHITECTURE

Basing a Modeling Environment on a General Purpose Theorem Prover

SIMULATION OF A SWARM OF UNMANNED COMBAT AIR VEHICLES (UCAVS)

Introducing I 3 CON. The Information Interpretation and Integration Conference

FUDSChem. Brian Jordan With the assistance of Deb Walker. Formerly Used Defense Site Chemistry Database. USACE-Albuquerque District.

COMPUTATIONAL FLUID DYNAMICS (CFD) ANALYSIS AND DEVELOPMENT OF HALON- REPLACEMENT FIRE EXTINGUISHING SYSTEMS (PHASE II)

Dana Sinno MIT Lincoln Laboratory 244 Wood Street Lexington, MA phone:

Guide to Windows 2000 Kerberos Settings

Multi-Modal Communication

ARINC653 AADL Annex Update

Software Change-Merging in Dynamic Evolution

A Distributed Parallel Processing System for Command and Control Imagery

MODELING AND SIMULATION OF LIQUID MOLDING PROCESSES. Pavel Simacek Center for Composite Materials University of Delaware

Empirically Based Analysis: The DDoS Case

NAVAL POSTGRADUATE SCHOOL

Using Templates to Support Crisis Action Mission Planning

Kathleen Fisher Program Manager, Information Innovation Office

CENTER FOR ADVANCED ENERGY SYSTEM Rutgers University. Field Management for Industrial Assessment Centers Appointed By USDOE

TEMPLATE ENHANCEMENT THROUGH KNOWLEDGE ACQUISITION (TEMPLE)

Running CyberCIEGE on Linux without Windows

Monte Carlo Techniques for Estimating Power in Aircraft T&E Tests. Todd Remund Dr. William Kitto EDWARDS AFB, CA. July 2011

Network Security Improvement Program

HIGH ASSURANCE SECURE X.500

MONTEREY, CALIFORNIA

Computer Aided Munitions Storage Planning

ATM Quality of Service Parameters at 45 Mbps Using a Satellite Emulator: Laboratory Measurements

STATIC SECURITY ANALYSIS FOR OPEN SOURCE SOFTWARE

Concept of Operations Discussion Summary

Service Level Agreements: An Approach to Software Lifecycle Management. CDR Leonard Gaines Naval Supply Systems Command 29 January 2003

Using Model-Theoretic Invariants for Semantic Integration. Michael Gruninger NIST / Institute for Systems Research University of Maryland

Vision Protection Army Technology Objective (ATO) Overview for GVSET VIP Day. Sensors from Laser Weapons Date: 17 Jul 09 UNCLASSIFIED

4. Lessons Learned in Introducing MBSE: 2009 to 2012

Towards a Formal Pedigree Ontology for Level-One Sensor Fusion

High-Assurance Security/Safety on HPEC Systems: an Oxymoron?

Dynamic Information Management and Exchange for Command and Control Applications

Information, Decision, & Complex Networks AFOSR/RTC Overview

Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024

Cyber Threat Prioritization

Technological Advances In Emergency Management

Accuracy of Computed Water Surface Profiles

Parallelization of a Electromagnetic Analysis Tool

Triangular Mesh Generation of Elevation Versus Distance Course Profiles for use with Road Property Files

Topology Control from Bottom to Top

Corrosion Prevention and Control Database. Bob Barbin 07 February 2011 ASETSDefense 2011

Energy Security: A Global Challenge

DoD M&S Project: Standardized Documentation for Verification, Validation, and Accreditation

Architecture Reconstruction to Support a Product Line Effort: Case Study

2013 US State of Cybercrime Survey

Space and Missile Systems Center

SURVIVABILITY ENHANCED RUN-FLAT

Office of Global Maritime Situational Awareness

Nationwide Automatic Identification System (NAIS) Overview. CG 939 Mr. E. G. Lockhart TEXAS II Conference 3 Sep 2008

Architecting for Resiliency Army s Common Operating Environment (COE) SERC

CASE STUDY: Using Field Programmable Gate Arrays in a Beowulf Cluster

Data Warehousing. HCAT Program Review Park City, UT July Keith Legg,

Smart Data Selection (SDS) Brief

David W. Hyde US Army Engineer Waterways Experiment Station Vicksburg, Mississippi ABSTRACT

..,* TITLE: Reliability, Security, and Authenticity of Meta Medical Image Archive for the Integrated Healthcare Enterprise

ANOMALY DETECTION IN DISPARATE COMPUTER NETWORKS

Headquarters U.S. Air Force. EMS Play-by-Play: Using Air Force Playbooks to Standardize EMS

Exploring the Query Expansion Methods for Concept Based Representation

Components and Considerations in Building an Insider Threat Program

The C2 Workstation and Data Replication over Disadvantaged Tactical Communication Links

Apparel Research Network Upgrade Special Measurement Electronic Order File Final Technical Report September 27, 2004

U.S. Army Research, Development and Engineering Command (IDAS) Briefer: Jason Morse ARMED Team Leader Ground System Survivability, TARDEC

MODFLOW Data Extractor Program

Army Research Laboratory

LARGE AREA, REAL TIME INSPECTION OF ROCKET MOTORS USING A NOVEL HANDHELD ULTRASOUND CAMERA

Current Threat Environment

WAITING ON MORE THAN 64 HANDLES

VICTORY VALIDATION AN INTRODUCTION AND TECHNICAL OVERVIEW

Setting the Standard for Real-Time Digital Signal Processing Pentek Seminar Series. Digital IF Standardization

A VISUAL DATA HASH METHOD

Accelerating MCAE with GPUs

An Update on CORBA Performance for HPEC Algorithms. Bill Beckwith Objective Interface Systems, Inc.

Windows NT Operating System Primitives

Requirements for Scalable Application Specific Processing in Commercial HPEC

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

Web Site update. 21st HCAT Program Review Toronto, September 26, Keith Legg

C2-Simulation Interoperability in NATO

ARL Eye Safer Fiber Laser Testbed LabView Automation and Control

ASSESSMENT OF A BAYESIAN MODEL AND TEST VALIDATION METHOD

Analysis of the Pan-Tilt-Zoom Consistency of a Sony SNC-RZ30N Camera

ATCCIS Replication Mechanism (ARM)

Application of Hydrodynamics and Dynamics Models for Efficient Operation of Modular Mini-AUVs in Shallow and Very-Shallow Waters

ENVIRONMENTAL MANAGEMENT SYSTEM WEB SITE (EMSWeb)

75 TH MORSS CD Cover Page. If you would like your presentation included in the 75 th MORSS Final Report CD it must :

REPORT DOCUMENTATION PAGE

Transcription:

AFRL-IF-RS-TR-2003-22 Final Technical Report February 2003 SECURITY MANAGEMENT FOR SE LINUX George Washington University Sponsored by Defense Advanced Research Projects Agency DARPA Order No. N624/00 APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the U.S. Government. AIR FORCE RESEARCH LABORATORY INFORMATION DIRECTORATE ROME RESEARCH SITE ROME, NEW YORK

This report has been reviewed by the Air Force Research Laboratory, Information Directorate, Public Affairs Office (IFOIPA) and is releasable to the National Technical Information Service (NTIS). At NTIS it will be releasable to the general public, including foreign nations. AFRL-IF-RS-TR-2003-22 has been reviewed and is approved for publication. APPROVED: JERRY F. LIPA Project Engineer FOR THE DIRECTOR: JAMES W. CUSACK, Chief Information Systems Division Information Directorate

REPORT DOCUMENTATION PAGE Form Approved OMB No. 074-0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503 1. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED 4. TITLE AND SUBTITLE SECURITY MANAGEMENT FOR SE LINUX 6. AUTHOR(S) Sead Muftic FEBRUARY 2003 Final May 02 Dec 02 5. FUNDING NUMBERS C - F30602-02-1-0113 PE - 62301E PR - N624 TA - 00 WU - 01 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) George Washington University 2121 I Street NW Washington DC 20052 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES) Defense Advanced Research Projects Agency AFRL/IFSA 3701 North Fairfax Drive 525 Brooks Road Arlington Virginia Rome New York 13441-4505 10. SPONSORING / MONITORING AGENCY REPORT NUMBER AFRL-IF-RS-TR-2003-22 11. SUPPLEMENTARY NOTES AFRL Project Engineer: Jerry F. Lipa/IFSA/(315) 330-4494/ Jerry.Lipa@rl.af.mil 12a. DISTRIBUTION / AVAILABILITY STATEMENT APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. 12b. DISTRIBUTION CODE 13. ABSTRACT (Maximum 200 Words) This effort designed, specified, and implemented a security management system for SE Linux that included an automatic, user-friendly installation, customization of default installation parameters, and adjustment of default access control parameters. 14. SUBJECT TERMS Linux, Security Management 15. NUMBER OF PAGES 7 16. PRICE CODE 17. SECURITY CLASSIFICATION OF REPORT 18. SECURITY CLASSIFICATION OF THIS PAGE 19. SECURITY CLASSIFICATION OF ABSTRACT 20. LIMITATION OF ABSTRACT UNCLASSIFIED UNCLASSIFIED UNCLASSIFIED UL NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. Z39-18 298-102

TABLE OF CONTENTS 1 Project Schedule...1 2 Tasks and Deliverables...1 3 Final Project Report...1 4 Conclusions, Results and Benefits...3 5 Project Team...3 i

1 Project Schedule Security Management for SE Linux (Final Project Report) Project Security Management for SE Linux was scheduled to start on May 1 st, 2002 and finish on August 31 st, 2002. The project was completed fully within its schedule, i.e. it started on May 1 st, 2002, technical R&D activities were completed by July 31 st, 2002 and documentation and the final project report were delivered before August 31 st, 2002. In addition, since the budget was not completely exhausted, the project received a no cost extension until Dec 31 st, 2002 This document represents the final project report and was created on November 7 th, 2002. 2 Tasks and Deliverables Detail plan of activities, tasks, and deliverables in the project included the following: Task 1: Compilation of SE Linux and its integration with the current Linux kernel; Task 2: Analysis, design and creation of kernel options and modules for different target platforms; Task 3: Design and implementation of SE Linux Installer; Task 4: Design and implementation of policy administration tool using GUI; Task 5: Testing of the overall system on several target platforms; Task 6: SE Linux security administration manual; Task 7: Cooperation with other developers and potential users. 3 Final Project Report All activities and deliverables in the project have been completed. The results are as follows: 3.1 Task 1: Compilation of SE Linux and its integration with the current Linux kernel After downloading the SE Linux package, the team encountered minor inconsistencies and compilation problems. They were all corrected and SE Linux has been successfully compiled. Deliverable from this task is ZIP ed version of SE Linux source files which loads and executes without any errors. 3.2 Task 2: Analysis, design and creation of kernel options and modules for different target platforms Within this task the project team analyzed criteria for classification of target platforms significant for inclusion or exclusion of different modules in the Linux kernel. The type of processor architecture and support for SCSI devices were selected. Based on these, eight kernel options have been created by alternative compilation steps with the following characteristics: 1

Options Type of Processor SCSI Support Option 1 i386 No Option 2 i486 No Option 3 Pentium 3 No Option 4 Pentium 4 No Option 5 i386 Yes Option 6 i486 Yes Option 7 Pentium 3 Yes Option 8 Pentium 4 Yes All options are created for Linux kernel version 2.4.18, and are named SILK.2.4.18.1, SILK.2.4.18.2, etc. ( SILK is the code name for the SELinux created by the CSPRI Security Integrated with Linux Kernel). Eight kernel options are included in the distribution CD. 3.3 Task 3: Design and implementation of SELinux Installer Once the eight kernel options were created and SELinux was compiled, the next step was to create the automated SILK Installer. This program: loads from the distribution CD, examines the target machine for characteristics of the installation options given above, copies SELinux and the corresponding kernel option from the CD, and installs the kernel and SELinux on the target machine. During installation the original Linux modules, which are replaced the security extended modules of SELinux, are archived so that they can be later un installed by SILK Uninstaller, which was also implemented as part of this effort. 3.4 Task 4: Design and implementation of policy administration tool using GUI This task designed and implemented a simple GUI based policy administration tool. After installation, SELinux must be configured, referred to in the original (www.nsa.gov/selinux) version as command line editing of several policy configuration files. In addition, the administrator must also edit the Linux configuration files. This is not a simple task, especially for a large number of users, resources, and processes and, if not performed correctly, may introduce inconsistencies in the SELinux operations. The goal of this task was to design and implement a simple, fully functional, integrated and easy to use policy administration tool, which will assist security administrators to specify individual users, resources and their permissions by a simple click of a button. This task has been completed, all modules have been tested and are fully functional. The use of the policy GUI is described in detail in the SILK Manual. Through this interface it is also possible to create new security policy, to examine the policy creation log and SELinux system operation log. 3.5 Task 5: Testing of the overall system on several target platforms When Task 4 was completed and the policy administration tool was created, the project team tested the overall SELinux system. Various default features of the security policy were examined, especially those denying access to certain resources. Some results are included in the SILK Administration Manual, but this area requires further investigation, which is beyond the scope of this project. 2

3.6 Task 6: SE Linux security administration manual This task has produced the complete and fully professional SILK Administration manual which explains in detail the installation, customization, and administration of SELinux. The manual also includes various examples of policies and SELinux actions. 3.7 Task 7: Cooperation with other developers and potential users Throughout the lifetime of the project, in addition to R&D activities, the project team has established many contacts and cooperative activities with other developers and potential users of SELinux. In the area of development, the team had contacts with NAI Labs, Mark Westerman and the Finish company SOT. In the area of potential developers, the team met with several local companies interested in using SE Linux: Adaptech Systems (Rama Kant and David Niemi), Free Standards Group (Scott McNeil), Secure Software Solutions (John Viega), Intel, etc. The team had several meeting and made presentations to many potential users (DOD/DISA, Office of the CIO/Navy, The World Bank, etc.). 4 Conclusions, Results and Benefits In conclusion, all planned activities and deliveries have been completed. The project has created and delivered all planned results. The team has also created an initiative for further R&D cooperation with Universities, industry and Government. The final result is a simple, easy to install and easy to use version of SELinux, with its full functionality and benefits, and with the full documentation for its installation, administration and use. The research team has already created a proposal for the next short term follow up project and a strategic, three year plan for design and implementation of a comprehensive network security system based on SE Linux. 5 Project Team 5.1 Dr. Sead Muftic, CPI/GWU, PI 5.2 Tony Stanco, CPI/GWU, Senior Policy Analyst 5.3 Martin Dean, SAIC, GWU doctoral student 5.4 Emre Saglam, The World Bank, network administration 5.5 Michael Ngumba, CPI/GWU, research assistant 5.6 Frankiln Hum, CPI/GWU, research scientist 5.7 Donald Tomczak, CS/GWU, doctoral student 5.8 Juan Bocanegra, CPI/GWU, research assistant 3

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback