NSM 10
Cristian-Mihai AMARANDEI
Email: cristian-mihai.amarandei@academic.tuiasi.ro
"Network Service Management" – Course Notes
SELinux
● NSA definition [1]:
  – NSA Security-Enhanced Linux is a set of patches to the Linux kernel and utilities to provide a strong, flexible, mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering, and bypassing of application security mechanisms, to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.
● Red Hat [3]:
  – Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).
SELinux
● Ways that you can configure SELinux to protect your system:
  – targeted policy:
    ● the default option; it covers a range of processes, tasks, and services
  – multi-level security (MLS):
    ● MLS can be very complicated and is typically only used by government organizations.
● SELinux targeted policy:
  – consists of sets of policies, defined by the application developers, that declare exactly what actions and accesses are proper and allowed for each binary executable, configuration file, and data file used by an application.
  – Policies declare predefined labels that are placed on individual programs, files, and network ports.
SELinux
● SELinux has three modes:
  – Enforcing: SELinux is enforcing access control rules. Computers generally run in this mode.
  – Permissive: SELinux is active but instead of enforcing access control rules, it records warnings of rules that have been violated. This mode is used primarily for testing and troubleshooting.
  – Disabled: SELinux is turned off entirely: no SELinux violations are denied, nor even recorded. Discouraged!
SELinux
● Many of the usual commands accept the -Z option to display or set SELinux contexts
  – ps, ls, cp, and mkdir all accept -Z: ps -Z shows the context of processes, ls -Z the context of files, and cp -Z / mkdir -Z set the context of what they create
SELinux booleans
● SELinux booleans are switches that change the behavior of the SELinux policy.
● SELinux booleans are rules that can be enabled or disabled.
  – They can be used by security administrators to tune the policy to make selective adjustments.
SELinux booleans
● Commands for managing SELinux booleans:
  – getsebool:
    ● lists booleans and their state; unprivileged users can run it
  – setsebool:
    ● modifies booleans; requires superuser privileges
    ● setsebool -P modifies the SELinux policy to make the modification persistent.
  – semanage boolean -l reports on whether or not a boolean is persistent, along with a short description of the boolean.
    ● requires superuser privileges
SELinux logs
● audit messages - /var/log/audit/audit.log
● SELinux messages - /var/log/messages
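The audit log is where a defender looks first when a confined service stops working. The following Python snippet is an added example, not part of the original notes: it parses AVC records from a constructed audit.log excerpt and separates denials that were actually blocked (permissive=0, enforcing mode) from those that were only recorded (permissive=1, permissive mode). The log lines, PIDs and contexts are constructed sample data; the field names (scontext, tcontext, tclass, permissive) are the real AVC record fields.

```python
import re
from collections import Counter

# Constructed /var/log/audit/audit.log excerpt (sample data, not a real capture):
# one denial enforced (permissive=0) and one only logged (permissive=1).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000001.500:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(log_text):
    """Return one dict per AVC record; other record types (SYSCALL, ...) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        events.append({
            "result": f["result"],
            "perms": f["perms"].split(),
            "comm": f["comm"],
            # a context is user:role:type:level, so the type is the third field
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            # permissive=1 means the access went through and was only logged
            "permissive": f["permissive"] == "1",
        })
    return events

def summarize_denials(events):
    """Count denials per (source type, target type, object class) so that a
    repeating denial for one domain stands out from one-off noise."""
    return Counter(
        (e["source_type"], e["target_type"], e["tclass"])
        for e in events if e["result"] == "denied"
    )

if __name__ == "__main__":
    for key, n in summarize_denials(parse_avc(SAMPLE_AUDIT_LOG)).items():
        print(n, "x", key)
```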
PAM
● PAM is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API).
● It allows programs that rely on authentication to be written independently of the underlying authentication scheme.
  – first proposed by Sun Microsystems in RFC 86.0 dated October 1995
  – adopted as the authentication framework of the CDE (Common Desktop Environment)
● As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in 1996
● currently supported in: AIX, BSD, HP-UX, Linux, Mac OS X, Solaris.
● Applications communicate with the PAM library through the PAM application programming interface (API)
● PAM modules communicate with the PAM library through the PAM service provider interface (SPI)
Source: http://ldapwiki.willeke.com/attach/Pluggable%20Authentication%20Modules/pam.overview.1.png
NSM Lecture 10 - Linux system security 31/42
● <module interface>
  – Four types of PAM module interface are available
  – Each of these corresponds to a different aspect of the authorization process
  – account: This module interface verifies that access is allowed. For example, it checks if a user account has expired or if a user is allowed to log in at a particular time of day.
  – auth: it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification.
  – password: used for updating the authentication token associated with the user (i.e. the password)
  – session: doing things that need to be done for the user before/after they can be given service, like mounting a user's home directory and making the user's mailbox available
● <control flag>
  – All PAM modules generate a success or failure result when called. Control flags tell PAM what to do with the result
  – some valid control flag values are:
    ● required: The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all module tests that reference that interface are complete.
    ● requisite: The module result must be successful for authentication to continue. However, if a test fails at this point, the user is notified immediately with a message reflecting the first failed required or requisite module test.
    ● sufficient: success of such a module is enough to satisfy the authentication requirements of the stack of modules. A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds, the PAM framework returns success to the application immediately without trying any other modules.
    ● optional: only becomes necessary for successful authentication when no other modules reference the interface.
● Control flags used by login:
  – required - pam_unix.so (main authentication module)
  – requisite - pam_securetty.so (ensures that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists.)
  – optional - pam_lastlog.so
● <module_name>
  – The module path tells PAM which module to use and (optionally) where to find it
  – Most configurations only contain the module's name
  – PAM looks for the modules in the default PAM module directory, normally /usr/lib/security.
  – if your Linux distribution conforms to the Filesystem Hierarchy Standard (FHS), PAM modules can be found in /lib/security
● <module arguments>
  – arguments to be passed to the module
  – Each module has its own arguments
    ● e.g. the "nullok" ("null ok") argument passed to the pam_unix.so module, indicating that a blank ("null") password is acceptable
Source: http://tldp.org/HOWTO/User-Authentication-HOWTO/x263.html
Source: https://www.centos.org/docs//2/rhl-cg-en-7.2/s1-access-console-all.html
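The control-flag semantics and the login stack above are easier to reason about when run through a small simulator. The following Python is an added example, not part of the notes or of Linux-PAM itself: it parses a constructed /etc/pam.d/login-style file (interface, control flag, module name, arguments), then combines simulated per-module results using the required/requisite/sufficient/optional rules exactly as the notes describe them. The module outcomes are invented inputs; the simplification that "optional" only decides the result when it is the only module in the stack is an assumption of this model.

```python
# Constructed /etc/pam.d/login-style stack for the auth interface, using the
# three modules and control flags listed in the notes (sample, not a real file).
LOGIN_CONF = """\
# <interface> <control> <module> [arguments]
auth     requisite  pam_securetty.so
auth     required   pam_unix.so nullok
auth     optional   pam_lastlog.so
"""

def parse_stack(conf, interface):
    """Return [(control_flag, module_name, [arguments])] for one interface."""
    stack = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == interface:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def evaluate_stack(stack, outcomes):
    """Combine simulated module results (outcomes: module -> True/False) into
    one verdict, following the notes:
    required   - a failure is remembered, but the rest of the stack still runs;
    requisite  - a failure ends the stack immediately;
    sufficient - success ends the stack with success unless a required module
                 already failed; its own failure is ignored;
    optional   - only decides the result when it is the only module listed.
    Returns (verdict, modules_consulted) so the required/requisite difference
    in what the user gets to see is visible."""
    required_failed = False
    consulted = []
    for control, module, _args in stack:
        consulted.append(module)
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, consulted
        if control == "optional" and len(stack) == 1:
            return ok, consulted
    return not required_failed, consulted

if __name__ == "__main__":
    stack = parse_stack(LOGIN_CONF, "auth")
    # root on a tty missing from /etc/securetty: requisite fails, pam_unix is never asked
    print(evaluate_stack(stack, {"pam_securetty.so": False, "pam_unix.so": True}))
    # good password but pam_lastlog fails: the optional failure is ignored
    print(evaluate_stack(stack, {"pam_securetty.so": True, "pam_unix.so": True}))
```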
● Core files (core 0) – prohibit the creation of core files
● Number of processes (nproc 35) – limited to 35
● Memory usage (rss 5000) – 5 MB for everyone except root
● * - covers all users - !!!! can pose a problem with daemon user accounts like httpd
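Added example, not part of the notes: assuming the three limits above are pam_limits entries in /etc/security/limits.conf (an assumption; the notes do not name the file), the Python below resolves the hard limits that would apply to a given account. It models two pam_limits behaviours: an explicit username entry takes precedence over a `*` entry wherever it appears in the file, and `*` is not applied to root. The file content and the httpd line are constructed; they show the daemon-account problem flagged above (httpd inherits nproc 35 from `*` unless it gets its own line).

```python
# Constructed /etc/security/limits.conf content (sample, not a real file):
# <domain> <type> <item> <value>; the three hard limits from the notes plus an
# explicit line giving the httpd daemon account more processes than `*` allows.
LIMITS_CONF = """\
*        hard    core    0
*        hard    nproc   35
*        hard    rss     5000
httpd    hard    nproc   200
"""

# Lower number = higher precedence, modelled on pam_limits: an explicit user
# entry beats a group entry, which beats the `*` wildcard, regardless of order.
PRECEDENCE = {"user": 0, "group": 1, "wildcard": 2}

def parse_limits(conf):
    """Return [(domain, type, item, value)]; comments and blank lines are dropped."""
    entries = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domain, ltype, item, value = line.split()
            entries.append((domain, ltype, item, int(value) if value.isdigit() else value))
    return entries

def effective_limits(conf, user, groups=(), ltype="hard"):
    """Resolve the limits of one type for `user` (a member of `groups`).
    Wildcard entries are skipped for root, as limits.conf documents."""
    chosen = {}   # item -> (precedence rank, value)
    for domain, t, item, value in parse_limits(conf):
        if t != ltype:
            continue
        if domain == user:
            src = "user"
        elif domain.startswith("@") and domain[1:] in groups:
            src = "group"
        elif domain == "*" and user != "root":
            src = "wildcard"
        else:
            continue
        rank = PRECEDENCE[src]
        if item not in chosen or rank <= chosen[item][0]:
            chosen[item] = (rank, value)
    return {item: value for item, (_, value) in chosen.items()}

if __name__ == "__main__":
    for account in ("alice", "httpd", "root"):
        print(account, effective_limits(LIMITS_CONF, account))
```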
Reading assignment
● Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/selinux_users_and_administrators_guide/Red_Hat_Enterprise_Linux-7-SELinux_Users_and_Administrators_Guide-en-US.pdf
● Securing & Optimizing Linux: The Ultimate Solution (v.2.0) - ftp://ftp.monash.edu.au/pub/linux/docs/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf
  – Chapter 4 (p. 90)
● Securing & Optimizing Linux: Red Hat Edition (v.1.3) - http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3.pdf
  – Chapter 3
● Red Hat Enterprise Linux 7 System-Level Authentication Guide - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/system-level_authentication_guide/Red_Hat_Enterprise_Linux-7-System-Level_Authentication_Guide-en-US.pdf
  – Chapter 10 (PAM)
References
This presentation is intended for lecturing purposes only and it is based on the references listed below. Therefore, the students are encouraged to (and they should) read thoroughly the original documents listed below in order to improve their skills.
1. https://en.wikipedia.org/wiki/Security-Enhanced_Linux
2. Dan Walsh, SELinux Coloring Book - http://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
3. What is SELinux? https://www.redhat.com/en/topics/linux/what-is-selinux
4. http://www.opengroup.org/rfc/rfc86.0.html
5. What is PAM? https://medium.com/information-and-technology/wtf-is-pam-99a16c80ac57
6. How PAM works - http://www.tuxradar.com/content/how-pam-works
7. Understanding and configuring PAM - https://developer.ibm.com/tutorials/l-pam/
8. XSSO Sign-on Services - https://pubs.opengroup.org/onlinepubs/8329799/chap4.htm
9. Charlie Lai and Vipin Samar, Making Login Services Independent of Authentication Technologies, 1996 - http://tulip.bu.ac.th/~nattakorn.c/ldap_radius/pam.pdf
10. The Linux-PAM System Administrators' Guide - http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html
11. The Linux-PAM Module Writers' Guide - http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html
12. The Linux-PAM Application Developers' Guide - http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html
13. http://www.linux-pam.org/documentation/Linux-PAM-1.2.0-docs.tar.gz
14. Securing and Hardening Red Hat Linux Production Systems - http://www.puschitz.com/SecuringLinux.shtml
15. Peter Hernberg, User Authentication HOWTO - https://tldp.org/HOWTO/pdf/User-Authentication-HOWTO.pdf
16. Oracle Solaris Security for Developers Guide - https://docs.oracle.com/cd/E19963-01/pdf/819-2145.pdf