
Computer Security & SELinux

Date post: 03-Jun-2018
Upload: mayurpayghan

Transcript
  • 8/11/2019 Computer Security & SELinux

    1/37

    _______________________________________________Computer Security & SELinux

    Chapter 1

    Introduction

    1.1 Overview:

    The collection of tools designed to protect data, files & information stored on a computer from hackers, intruders & unauthorized parties is called computer security.

    1.2 Hackers Vs Crackers:

    A hacker is someone who enjoys the challenge of figuring out how complex systems work. Hackers take great satisfaction in mastering the esoteric details of a computer system and using that information to analyze its performance or predict how other parts of the system will work.

    Crackers are hackers who use their skills to bypass system security and manipulate computers and information illicitly. Once the cracker has entered the system, he may use its resources, modify information stored in it, prevent others from accessing it, or use it to launch an attack on another system.

    What Do Crackers Do?

    If a cracker breaks into your system, he may do the following:

    - Use system resources (disk space, CPU cycles, network bandwidth) you want for yourself or other users
    - Deny services to you or other users--either maliciously or because he's using the resources himself
    - Steal valuable information
    - Destroy files--either maliciously or to cover his tracks
    - Use your computers to break into other sites
    - Cause you to lose staff time (read: money) in tracking him down and putting compromised systems back in order

    All attacks depend on gaining initial access to the computer. You should put yourself in the cracker's shoes and think about how you could attack your own system. Is it used by you alone or by many people? Is it accessible via a phone line or connected to a private or public network? If it's connected to a network, is the network physically secure? Are your computers locked up or in a public site? Where are your backup tapes stored? Can a cracker get access to them, thereby gaining access to your files without ever breaking into your computer? If you're responsible for administering a multiuser system, how wise are your users? What will they do if they receive a phone call from the "system administrator" asking for their passwords for "special maintenance"?

    These questions cover many--but certainly not all--of the approaches a cracker might use to gain access to your computer or data. The attacks fall into the following four basic categories:

    - Physical security attacks
    - Social engineering attacks
    - Dumpster-diving attacks
    - Network- and phone-based attacks

    The point of any attack is to gain access to a legitimate user's account, or to exploit bugs in system programs to get a command shell without actually compromising an account.

    1.3 People Issues:

    Social engineering on the part of crackers is a subtle and difficult threat to address. As you may guess, the best defense against social engineering is user and staff education. Your users should know, for instance, that because you have superuser privileges you never have any reason to ask for their passwords, and that any such request should be reported to you immediately. Part of the goal of a security policy is to educate your users on such matters.

    A second way to counter the social engineering threat is to limit system use on the part of temporary workers, employees of other companies, new hires, and others who have not yet been trained or whose commitment to maintaining system security is not obvious. This will require management guidance and support, but can be a surprisingly effective measure to take. Often new hires are not yet ready to make productive use of the system, for instance. If your company includes security and application training as part of the orientation process before system access is granted, such users are less likely to be vulnerable to the wiles of friendly crackers.

    User education is important because security is often inconvenient and users are devious--they will thwart your best-laid plans unless they understand the reasons for the inconvenience. Many users may feel that their account security is a personal matter, similar to the choice of whether to wear seat belts while driving. However, a multiuser computer system is a community of sorts, and one weak account is all a cracker needs to compromise an entire system.


    Chapter 2

    Authentication

    2.1 User Authentication:

    Authentication is a fancy name for identifying yourself as a valid user of a computer system, and it's your first defense against a break-in. Until recently, UNIX user authentication meant typing a valid login name and password. This is known as reusable password authentication, meaning that you enter the same password each time you log in. Reusable password authentication is too weak for some systems and will eventually be replaced by one-time password systems in which you enter a different password each login.

    Reusable passwords are strong enough for some sites as long as users choose good passwords. Unfortunately, many don't. Research has shown that as many as 3

    dictionary, uses a fairly rich vocabulary (the digit "1" and capitalization), and it's easy to remember (but not to type).

    2.3 Password Screening:

    Retroactive password vetting puts you in the role of the cracker. You make your best effort to break your users' passwords, and if you succeed you notify the user and require her to change her password to something safer. The public domain program crack, written by Alec Muffett and available for anonymous ftp from ftp.cert.org and other sites, is one of the best. crack uses various tricks to permute login names and finger information into likely passwords and whatever word lists you specify. If you've got the disk space and CPU cycles, you can feed crack the huge English and foreign-language word lists available for ftp from the host black.ox.ac.uk.

    The problem with crack and similar programs is that users hate being told that you've cracked their passwords. It's kind of like having a neighbor say, "By the way, I was rattling doorknobs last night and noticed that yours wasn't locked." However, crack is useful for gathering information you can use to make a case to management for stronger password security. For instance, if you can show that 3


    thousands of guesses per second, which is a huge advantage for the cracker. Without access to the encrypted passwords, the cracker must try each of her guesses through the normal login procedure, which at best may take five to 10 seconds per guess.

    Shadow passwords hide the encrypted passwords in a file that is readable only by the superuser, thereby preventing crackers from cracking them offline. You should use them.

    2.7 One Time Passwords:

    Reusable passwords may be a serious problem if your users use your site to connect to remote sites on the Internet or if your local network is not physically secure. On February 3, 1994, the CERT/CC issued advisory CA-94:


    Chapter 3

    Security

    This chapter covers the basics of keeping your system secure. It takes a quick look at the primary defenses you need to protect yourself from unauthorized access through telephone lines (modems), as well as some aspects of network connections. In addition, it explains how to protect your user files and ensure password integrity.

    This chapter doesn't bother with complex solutions that are difficult to implement because they require a considerable amount of knowledge and apply only to a specific configuration. Instead, it looks at basic security methods, most of which are downright simple and effective.

    3.1 Improving Passwords:

    The most commonly used method for breaking into a system either through a network, over a modem connection, or sitting in front of a terminal is through weak passwords. Weak (which means easily guessable) passwords are very common. When system users have such passwords, even the best security systems cannot protect against intrusion.

    If you are managing a system that has several users, implement a policy requiring users to set their passwords at regular intervals (usually six to eight weeks is a good idea) and to use non-English words. The best passwords are combinations of letters and numbers that are not in the dictionary. Sometimes, though, having a policy against weak passwords isn't enough. You may want to consider forcing stronger password usage by using public domain or commercial software that checks potential passwords for susceptibility. These packages are often available in source code, so you can compile them for Linux without a problem.

    What makes a strong password (one that is difficult to break)? Here are a few general guidelines that many system administrators adhere to:

    - Avoid using any part of a user's real name and any name from the user's family or pets (these passwords are the easiest to guess).
    - Avoid using important dates (birthdates, wedding day, and so on) in any variation.
    - Avoid numbers or combinations of numbers and letters with special meaning (license plate number, telephone number, special dates, and so on).
    - Avoid any place names or items that may be readily identified with a user (television characters, hobby, and so on).
    - Avoid any word that could be in the dictionary (don't use real words).

    Producing a strong password isn't that difficult. Get your users into the habit of mixing letters, numbers, and characters at random. Suppose a user wants to use lionking as a password. Encourage modification to lion!king!, l_ionk_ing, lion5king, or some similar variation. Even a slight variation in a password's normal pattern can make life very difficult for someone trying to guess the password.

    Change the root password often and make it very difficult to guess. Once someone has the root password, your system is totally compromised.

    Check the /etc/passwd file at regular intervals to see whether there are entries you don't recognize that may have been added as a route in to your system. Also make sure each account has a password. Remove any accounts that you don't need anymore.
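
One way to script the periodic /etc/passwd review described above (an added example, not part of the original document). The baseline file of expected logins, the finding codes and the sample entries are assumptions constructed for illustration:

```sh
#!/bin/sh
# audit_passwd PASSWD_FILE BASELINE_FILE
#   BASELINE_FILE lists, one per line, the login names you expect to exist.
# Prints one finding per line as "<CODE> <login>":
#   MALFORMED        entry does not have 7 colon-separated fields
#   UNKNOWN_ACCOUNT  login is not in the baseline (an entry you don't recognize)
#   EMPTY_PASSWORD   password field is empty, so no password is required
#   EXTRA_UID0       account other than root with UID 0 (full superuser rights)
#   DUPLICATE_UID    UID already used by an earlier entry
# On shadow-password systems field 2 normally holds "x"; an empty field 2
# still means the account needs no password.
audit_passwd() {
    awk -F: -v baseline="$2" '
        BEGIN {
            # Load the expected login names.
            while ((getline name < baseline) > 0) known[name] = 1
        }
        /^[ \t]*$/ || /^#/       { next }
        NF != 7                  { print "MALFORMED", "line-" NR; next }
        !($1 in known)           { print "UNKNOWN_ACCOUNT", $1 }
        $2 == ""                 { print "EMPTY_PASSWORD", $1 }
        $3 == 0 && $1 != "root"  { print "EXTRA_UID0", $1 }
        $3 != 0 && ($3 in seen)  { print "DUPLICATE_UID", $1 }
                                 { seen[$3] = 1 }
    ' "$1"
}

# Demonstration on constructed sample data (not from any real system).
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:unexpected:/root:/bin/sh
bob:x:1000:1002:Bob:/home/bob:/bin/sh
EOF
    printf '%s\n' root daemon alice guest bob > "$dir/baseline"
    audit_passwd "$dir/passwd" "$dir/baseline"
    rm -rf "$dir"
}

demo_audit
```

On a live system the same function can be run from cron as `audit_passwd /etc/passwd` followed by the path of your own baseline list, with any output treated as something to investigate.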

    3.2 Securing Your Files:

    Security begins at the file permission level. Whether you want to protect a file from the prying eyes of an unauthorized invader or another user, carefully set your umask (file creation mask) to set your files for maximum security. You should have to make a conscious effort to share files.

    Of course, this precaution is really only important if you have more than one user on the system or have to consider hiding information from others. If you are on a system with several users, consider forcing umask settings for everyone that set read-and-write permissions for the user only and give no permissions to anyone else. This procedure is as good as you can get with file security.

    Consider encrypting really sensitive files (such as accounting or employee information) with a simple utility. Many such programs are available. Most require only a password to trigger the encryption or decryption process.

    3.3 Controlling Modem Access:

    For most Linux users, protecting the system from access through an Internet gateway isn't important because few users have an Internet access machine directly connected to their Linux box. Instead, the main concern should be to protect yourself from break-in through the most accessible method open to system invaders: modems.

    Modems are the most commonly used interface into every Linux system (unless you are running completely stand-alone or on a closed network). Modems are used for remote user access, as well as for network and Internet access. Securing your system's modem lines from intrusion is simple and effective enough to stop casual browsers.

    3.4 Callback Modem Controlling:

    The safest technique to prevent unauthorized access through modems is to employ a callback modem. A callback modem lets users connect to the system as usual, and then hangs up and consults a list of valid users and their telephone numbers and calls back the user to establish the call. Callback modems are quite expensive, so this solution is not practical for many systems. Callback modems have some problems, too, especially if users change locations frequently. Also, callback modems are vulnerable to abuse because of call-forwarding features of modern telephone switches.

    The typical telephone modem can be a source of problems if it doesn't hang up the line properly after a user session has finished. Most often, this problem stems from the wiring of the modem or the configuration setup.

    Wiring problems may sound trivial, but many systems with hand-wired modem cables don't properly control all the pins; the system can be left with a modem session not properly closed and a log-off not completed. Anyone calling that modem continues where the last user ended. To prevent this kind of problem, make sure the cables connecting the modem to the Linux machine are complete. Replace hand-wired cables that you are unsure of with properly constructed commercial ones. Also, watch the modem when a few sessions are completed to make sure the line hangs up properly.

    Configuration problems can also prevent line hangups. Check the modem documentation to make sure your Linux script can hang up the telephone line when the connection is broken. This problem seldom occurs with the most commonly used modems, but off-brand modems that do not have true compatibility with a supported modem can cause problems. Again, watch the modem after a call to make sure that it is hanging up properly.

    One way to prevent break-ins is to remove the modem from the circuit when it's not needed. Because unwanted intruders usually attempt to access systems through modems after normal business hours, you can control the serial ports the modems are connected to by using cron to change the status of the ports or disable the port completely after hours. If late-night access is required, one or two modem lines out of a pool can be kept active. Some larger systems keep a dedicated number for the after-hours modem line, usually different than the normal modem line numbers.

    For a user to gain access to Linux through a modem line, the system must use the getty process. The getty process itself is spawned by the init process for each serial line. The getty program is responsible for getting usernames, setting communications parameters (baud rate and terminal mode, for example), and controlling time-outs. In Linux, the /etc/ttys file controls the serial and multiport board ports.

    Some Linux systems allow a dialup password system to be implemented. This kind of system forces a user calling on a modem to enter a second password that validates access through the modem. If this feature is supported on your system, it is usually with a file called /etc/dialups. The Linux system uses the file /etc/dialups to supply a list of ports that offer dialup passwords; a second file (such as /etc/d_passwd) has the passwords for the modem lines. Access is determined by the type of shell used by the user. You can apply the same procedure to UUCP access.

    3.5 UUCP:

    The UUCP (Unix to Unix CoPy) program allows two Linux systems to send files and e-mail back and forth. Although this program was designed with good security in mind, it was designed many years ago and security requirements have changed a lot since then. A number of security problems have been found over the years with UUCP, many of which have been addressed with changes and patches to the system. Still, UUCP requires some system administration attention to ensure that it is working properly and securely.

    UUCP has its own password entry in the system password file /etc/passwd. Remote systems dialing in using UUCP log in to the local system by supplying the uucp login name and password. If you don't put a password on the system for the UUCP login, anyone can access the system. One of the first things you should do is log in as root and issue the command

    passwd uucp

    to set a UUCP password. If you want remote systems to connect through UUCP, you have to supply them with your password, so make sure it is different than other passwords (as well as difficult to guess). The slight hassle of having to supply passwords to a remote system administrator is much better than having a wide-open system.

    Alternatively, if you don't plan to use UUCP, remove the uucp user entirely from the /etc/passwd file or provide a strong password that can't be guessed (putting an asterisk as the first character of the password field in /etc/passwd effectively disables the login). Removing uucp from the /etc/passwd file doesn't affect anything else on the Linux system.

    Set permissions to be as restrictive as possible in all UUCP directories (usually /usr/lib/uucp, /usr/spool/uucp, and /usr/spool/uucppublic). Permissions for these directories tend to be lax with most systems, so use chown, chmod, and chgrp to restrict access only to the uucp login. Set the group and username for all files to uucp as well. Check the file permissions regularly.

    UUCP uses several files to control who is allowed in. These files (/usr/lib/uucp/Systems and /usr/lib/uucp/Permissions, for example) should be owned and accessible only by the uucp login. This setup prevents modification by an intruder with another login name.

    The /usr/spool/uucppublic directory can be a common target for break-ins because it requires read and write access by all systems accessing it. To safeguard this directory, create two subdirectories: one for receiving files and another for sending. You can create more subdirectories for each system that is on the valid user list, if you want to go that far.

    A neat trick to protect UUCP is to change the UUCP program login name so that random accessing to the uucp login doesn't work at all. The new name can be anything, and because valid remote systems must have a configuration file at both ends of the connection, you can easily let the remote system's administrator know the new name of the login. Then no one can use the uucp login for access.

    3.6 LAN Access:

    Most LANs are not thought of as a security problem, but they tend to be one of the easiest methods into a system. If any of the machines on the network has a weak access point, all the machines on the network can be accessed through that machine's network services. PCs and Macintoshes usually have little security, especially over call-in modems, so they can be used in a similar manner to access the network services. A basic rule about LANs is that it is impossible to have a secure machine on the same network as non-secure machines. Therefore, any solution for one machine must be implemented for all machines on the network.

    The ideal LAN security system forces proper authentication of any connection, including the machine name and the username. A few software problems can contribute to authentication difficulties. The concept of a trusted host, which is implemented in Linux, allows a machine to connect without hassle assuming its name is in a file on the host (Linux machine). A password isn't even required in most cases! All an intruder has to do is determine the name of a trusted host and then connect with that name. Carefully check the /etc/hosts.equiv, /etc/hosts, and .rhosts files for entries that may cause problems.

    One network authentication solution that is now widely used is Kerberos, a method originally developed at MIT. Kerberos uses a very secure host that acts as an authentication server. Using encryption in the messages between machines to prevent intruders from examining headers, Kerberos authenticates all messages over the network.

    Because of the nature of most networks, most Linux systems are vulnerable to a knowledgeable intruder. There are literally hundreds of known problems with utilities in the TCP/IP family. A good first step to securing a system is to disable the TCP/IP services you don't use at all, as others can use them to access your system.
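
A sketch of the trusted-host file check recommended in this section, added here as an example and not part of the original document. It assumes the usual hosts.equiv/.rhosts line layout of "host [user]" with "+" as a wildcard and "#" starting a comment; the finding codes, host names and sample files are constructed:

```sh
#!/bin/sh
# audit_trust_file FILE
# Prints "<line-number> <CODE> [detail]" for risky entries:
#   WILDCARD_HOST_AND_USER  "+ +"      any user on any host is trusted
#   WILDCARD_HOST           "+"        every host is trusted
#   WILDCARD_USER           "host +"   every user on that host is trusted
#   NETGROUP                "+@group"  trust delegated to a netgroup; review it
# and "0 WRITABLE_BY_OTHERS" when group or others may modify the file.
audit_trust_file() {
    if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "0 WRITABLE_BY_OTHERS"
    fi
    awk '
        /^[ \t]*(#|$)/             { next }
        $1 == "+" && $2 == "+"     { print NR, "WILDCARD_HOST_AND_USER"; next }
        $1 == "+"                  { print NR, "WILDCARD_HOST"; next }
        $2 == "+"                  { print NR, "WILDCARD_USER", $1; next }
        $1 ~ /^\+@/ || $2 ~ /^\+@/ { print NR, "NETGROUP", $0 }
    ' "$1"
}

# audit_home_rhosts HOME_ROOT
# Runs the same check on every .rhosts directly inside a home directory.
audit_home_rhosts() {
    find "$1" -maxdepth 2 -name .rhosts -type f 2>/dev/null | sort |
    while IFS= read -r f; do
        audit_trust_file "$f" | while IFS= read -r finding; do
            printf '%s: %s\n' "$f" "$finding"
        done
    done
}

# Demonstration on constructed sample files.
demo_trust() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/home/alice"
    cat > "$dir/hosts.equiv" <<'EOF'
# constructed sample hosts.equiv
trusted1.example.com
+
backup.example.com +
+ +
-badhost.example.com
+@admins
EOF
    chmod 644 "$dir/hosts.equiv"
    echo "+ +" > "$dir/home/alice/.rhosts"
    chmod 666 "$dir/home/alice/.rhosts"
    ( cd "$dir" && audit_trust_file hosts.equiv && audit_home_rhosts home )
    rm -rf "$dir"
}

demo_trust
```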

    3.7 Tracking Intruders:

    Many intruders are curious about your system but don't want to do any damage. They may get on your system with some regularity, snoop around, play a few games, and then leave without changing anything. This activity makes it hard to know you are being broken into and leaves you at the intruder's mercy should he decide he wants to cause damage or use your system to springboard to another.

    You can track users of your system quite easily by invoking auditing, a process that logs every time a user connects and disconnects from your system. Auditing can also tell you what the user does while on your system, although this type of audit slows the system down a little and creates large log files. Not all Linux versions support auditing, so consult your man pages and system documentation for more information.

    If you do rely on auditing, scan the logs often. It may be worthwhile writing a quick summary script program that totals the amount of time each user is on the system so that you can watch for anomalies and numbers that don't mesh with your personal knowledge of the user's connect times. You can write a simple shell script to analyze the log in gawk. You can also use one of the audit reporting systems available in the public domain.
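
The summary script suggested above could look like the following, an added example rather than code from the original document. It assumes login records in the default text layout printed by the `last` command; the 07:00 to 19:00 business-hours window, the function names and the sample records are constructed assumptions:

```sh
#!/bin/sh
# connect_time_report [OPEN_HOUR] [CLOSE_HOUR]   (reads `last`-style text on stdin)
# Prints, sorted by login:
#   <login> <total-minutes> <finished-sessions> <logins-outside-business-hours>
connect_time_report() {
    awk -v open_hr="${1:-7}" -v close_hr="${2:-19}" '
        NF == 0 || $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
        # Only finished sessions end in "(HH:MM)" or "(D+HH:MM)".
        $NF !~ /^\(([0-9]+\+)?[0-9]+:[0-9]+\)$/ { next }
        {
            d = $NF
            gsub(/[()]/, "", d)
            days = 0
            if (index(d, "+") > 0) { split(d, part, "+"); days = part[1]; d = part[2] }
            split(d, hm, ":")
            total[$1] += days * 1440 + hm[1] * 60 + hm[2]
            sessions[$1]++
            # The login time is the fourth field from the end of the record.
            split($(NF - 3), login, ":")
            if (login[1] + 0 < open_hr + 0 || login[1] + 0 >= close_hr + 0) off[$1]++
        }
        END {
            for (u in total)
                printf "%s %d %d %d\n", u, total[u], sessions[u], off[u] + 0
        }
    ' | sort
}

# Constructed sample records in the layout assumed above.
sample_last_output() {
    cat <<'EOF'
alice    pts/0        192.0.2.10       Mon Mar  4 09:02 - 17:31  (08:29)
bob      pts/1        192.0.2.22       Mon Mar  4 23:50 - 03:10  (03:20)
alice    pts/2        192.0.2.10       Tue Mar  5 08:55 - 12:00  (03:05)
carol    tty1                          Tue Mar  5 10:00 - down   (1+02:15)
reboot   system boot  5.10.0           Tue Mar  5 12:20   still running
bob      pts/0        192.0.2.22       Wed Mar  6 09:00   still logged in

wtmp begins Mon Mar  4 08:00:00 2024
EOF
}

sample_last_output | connect_time_report
```

On a live system, `last | connect_time_report` gives the same table; a total or an off-hours count that does not match what you know of a user's habits is the anomaly to follow up.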

    Chapter 4

    Automated Security Tools

    Programmers have developed automated security tools (ASTs) to assess your system security. ASTs are sharp on both sides--if you don't use them to find insecurities, crackers may.

    Many crackers work from checklists of known bugs, methodically trying each in turn until they find a way in or give up and move on to an easier target. ASTs automate this boring job and generate summary reports. If you close those holes, a checklist cracker may move on to less secure hosts, preferably ones you don't administer.

    There are two problems with ASTs. First, you may gain a false sense of security when they cheerfully report "all's well." ASTs only report known insecurities, and new ones are discovered constantly. A second, related problem is that if crackers break in to your system, they may alter your AST to always report good news.

    Despite these problems, you should run ASTs. They are good tools if you understand their limitations and especially if you can install them on and run them from read-only media. You can also use tools such as Tripwire to verify the integrity of your ASTs.

    4.1 COPS:

    COPS (Computer Oracle and Password System) was written by Dan Farmer of Sun Microsystems. COPS has been ported to many different versions of UNIX. Most of it is written in Bourne shell scripts and perl, so it's easy to understand and to modify if it doesn't do exactly what you want. COPS performs comprehensive checks for user- and system-level insecurities, checks whether you've patched programs with known insecurities, and includes an expert system that tries to determine whether your computer can be cracked. If you don't run any other AST, you should run COPS.

    4.2 Kerberos:

    Kerberos is a secure system for providing network authentication services. Authentication means:

    - The identities of entities on the network are verified.
    - Traffic on the network is from the source who claims to have sent it.

    Kerberos uses passwords to verify the identity of users, and these passwords are always sent over the network in encrypted form.

    Why Use Kerberos?

    Most conventional network systems use password-based authentication schemes. When a user needs to authenticate to a service running on a network server, they type in their password for each service that requires authentication. Their password is sent over the network, and the server verifies their identity using the password.

    Transmission of passwords in plaintext using this method, while commonly done, is a tremendous security risk. Any system cracker with access to the network and a packet analyzer (also known as a packet sniffer) can intercept any passwords sent this way.

    The primary design goal of Kerberos is to ensure that passwords are never sent across a network unencrypted and are preferably never sent over the network at all. The proper use of Kerberos will eradicate the threat of packet sniffers intercepting passwords on your network.

    The problem of maintaining security on hundreds of workstations installed in insecure, public sites led the Massachusetts Institute of Technology's (MIT's) Project Athena programmers to develop Kerberos.

    Kerberos solves some (but not all) of the problems inherent in physically insecure networks and computers. Kerberos network servers verify both their own identity and that of their clients without sending unencrypted passwords over the LAN where they may be snooped, and can provide privacy via data encryption. Persons using Kerberos services can be fairly sure that they're talking to the real service, and Kerberos services can be equally sure that when Joe asks the mail server for his electronic mail, it's really Joe. Kerberos is free, and source code is available from the host athena-dist.mit.edu. The USENET newsgroup comp.protocols.kerberos is devoted to discussion of the Kerberos system.

    A disadvantage of Kerberos is that each network client and server program must be Kerberized, that is, modified to call the Kerberos subroutines. Kerberized versions of standard applications such as telnet are supplied with Kerberos, and if you have source code for your applications, you can add calls to the Kerberos subroutines yourself. However, many third-party software vendors provide neither source code nor Kerberized versions of their software.

    Kerberos has additional problems. Many Internet servers don't use it, and it does you no good to install a Kerberized telnet client if your users connect to remote hosts that run unKerberized telnet servers. Kerberos doesn't work with dumb (ASCII) terminals or most X-terminals, and on multiuser computers is only as strong as the superuser account because the superuser can find the secret keys. Kerberos also requires an otherwise-unused, secure host to maintain its database of principals and their secret keys.

    Despite its limitations, Kerberos is useful in certain environments. For more information, ftp to the host rtfm.mit.edu and download the Kerberos FAQ (Frequently Asked Questions) document.

    4.3 Firewalls:

    Just as your car's firewall is designed to protect you from engine fires, a network firewall protects an internal, hidden network from the rest of the Internet. Firewalls are popular with sites that need heightened security, but are unpopular with users.

    The basic idea of a firewall is to establish a single, heavily guarded point of entry to your local area network (LAN). The system administrator maintains a high level of security on the firewall (or bastion host), which may also be surrounded by filtering routers that automatically limit access to the firewall.

    Firewalls (and the interior LANs they protect) can be made very secure, but they limit access to Internet services. In many firewall implementations, users who want access to the Internet must first log in to the firewall host. Firewall technology is changing rapidly and many commercial products are now available.

    4.4 PAM:

    +rograms that give privileges to users must properly authenticate *verify

    the identity of each user! 3hen you log in to a system, you provide your username and

    pass#ord, and the login process uses the username and pass#ord to authenticate the login

    O to verify that you are #ho you say you are! @orms of authentication other than

    pass#ords are possible, and the pass#ords can be stored in different #ays!

    +luggable "uthentication 8odules *+"8 is a #ay of allo#ing the system

    administrator to set an authentication policy #ithout having to recompile authentication

    programs! 3ith +"8, you control ho# particular authentication modules are plugged into

    a program by editing that program/s +"8 configuration file in /etc/pam.d!

    8ost ;ed %at Linux users #ill never need to alter +"8 configuration files

    for any of their programs! 3hen you use 6P0 to install programs that re5uire

    authentication, they automatically make the changes necessary to do normal pass#ord

    authentication using +"8! %o#ever, if you need to customie your configuration, you

    must understand the structure of a +"8 configuration file!
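The structure of a PAM configuration file, shown as an added example that is not part of the original report: each entry in a service file under /etc/pam.d has the form "type control module [arguments]". The Python sketch below parses such a file, simulates how the auth stack combines module results, and flags entries that weaken authentication. Both sample files are constructed, and bracketed controls and include lines are deliberately not modelled.

```python
"""Parse a PAM service file, simulate its auth stack, and flag weak entries.
Added illustration: the sample files are constructed, not taken from a real host."""
from dataclasses import dataclass

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}


@dataclass(frozen=True)
class Rule:
    kind: str        # auth | account | password | session
    control: str     # how this module's result affects the stack
    module: str      # module file name, e.g. pam_unix.so
    args: tuple      # module arguments, e.g. ("nullok",)


def parse_service_file(text):
    """Turn 'type control module [args...]' lines into Rule objects."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need type, control and module")
        kind, control, module, *args = fields
        if kind not in TYPES or control not in CONTROLS:
            raise ValueError(f"line {lineno}: unsupported entry {line!r}")
        rules.append(Rule(kind, control, module.rsplit("/", 1)[-1], tuple(args)))
    return rules


def evaluate(rules, kind, results):
    """Simulate one stack; results maps module name -> True if it succeeds."""
    stack = [r for r in rules if r.kind == kind]
    failed = succeeded = False
    for rule in stack:
        ok = results.get(rule.module, False)         # unknown module: failure
        if rule.control == "requisite":
            if not ok:
                return False                         # fail at once
            succeeded = True
        elif rule.control == "required":
            failed = failed or not ok                # fail, but keep going
            succeeded = succeeded or ok
        elif rule.control == "sufficient":
            if ok and not failed:
                return True                          # rest of the stack is skipped
        elif len(stack) == 1:                        # optional, alone in its stack
            return ok
    return succeeded and not failed


def audit(rules):
    """Return findings for auth entries that weaken authentication."""
    findings = []
    auth = [r for r in rules if r.kind == "auth"]
    for i, rule in enumerate(auth):
        if rule.module == "pam_permit.so" and rule.control != "optional":
            findings.append("pam_permit.so accepts every user without a credential")
        if "nullok" in rule.args:
            findings.append(f"{rule.module} nullok admits accounts with empty passwords")
        later = auth[i + 1:]
        if rule.control == "sufficient" and any(
                r.control in ("required", "requisite") for r in later):
            findings.append(f"sufficient {rule.module} can bypass later required modules")
    return findings


WEAK = """\
# constructed sample: a service file that authenticates anyone
auth     sufficient  pam_permit.so
auth     required    pam_unix.so nullok
account  required    pam_unix.so
"""

HARDENED = """\
# constructed sample: every auth module must succeed
auth     required    pam_securetty.so
auth     required    pam_nologin.so
auth     required    pam_unix.so
account  required    pam_unix.so
"""

if __name__ == "__main__":
    wrong_password = {"pam_permit.so": True, "pam_securetty.so": True,
                      "pam_nologin.so": True, "pam_unix.so": False}
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        rules = parse_service_file(text)
        print(name, "accepts a wrong password:", evaluate(rules, "auth", wrong_password))
        for finding in audit(rules):
            print("  finding:", finding)
```

In the weak file the sufficient pam_permit.so entry ends the stack with success before the password module is consulted, which is why ordering matters as much as the choice of modules.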

    Advantages of PAM:-

    When used correctly, PAM provides many advantages for a system administrator, such as the following:

    A common authentication scheme that can be used with a wide variety of applications.

    PAM can be implemented with various applications without having to recompile the applications to specifically support PAM.

    Great flexibility and control over authentication for the administrator and application developer.

    Application developers do not need to develop their program to use a particular authentication scheme. Instead, they can focus purely on the details of their program.

    4.5 Security Related Packages:

    To install the secure server, you will need to install three packages at minimum:

    Apache

    The apache package contains the httpd daemon and related utilities, configuration files, icons, Apache modules, man pages and other files used by the Apache Web server.

    mod_ssl

    The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

    Openssl

    The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols and also includes a general purpose cryptography library.

    Additionally, other software packages included with Red Hat Linux can provide certain security functionalities (but are not required by the secure server to function):

    Apache-devel

    The apache-devel package contains the Apache include files, header files and the APXS utility. You will need all of these if you intend to load any extra modules, other than the modules provided with this product. for more information on loading modules into your secure Web server using Apache's DSO functionality.

    If you do not intend to load other modules into your secure Web server, you do not need to install this package.

    Apache-manual

    The apache-manual package contains the Apache Project's Apache 1.3 User's Guide in HTML format.

    OpenSSH packages

    The OpenSSH packages provide the OpenSSH set of network connectivity tools for logging in to and executing commands on a remote machine. OpenSSH tools encrypt all traffic (including passwords), so you can avoid eavesdropping, connection hijacking, and other attacks on the communications between your machine and the remote machine.

    The openssh package includes core files needed by both the OpenSSH client programs and the OpenSSH server. The openssh package also contains scp, a secure replacement for rcp (for copying files between machines) and ftp (for transferring files between machines).


    The openssh-askpass package supports the display of a dialog window which prompts for a password during use of the OpenSSH agent with RSA authentication.

    The openssh-askpass-gnome package contains a GNOME GUI desktop environment dialog window which is displayed when OpenSSH programs prompt for a password. If you are running GNOME and using OpenSSH utilities, you should install this package.

    The openssh-server package contains the sshd secure shell daemon and related files. The secure shell daemon is the server side of the OpenSSH suite, and must be installed on your host if you want to allow SSH clients to connect to your host.

    The openssh-clients package contains the client programs needed to make encrypted connections to SSH servers, including the following: ssh, a secure replacement for rsh; and slogin, a secure replacement for rlogin (for remote login) and telnet (for communicating with another host via the TELNET protocol).

    Openssl-devel

    The openssl-devel package contains the static libraries and the include file needed to compile applications with support for various cryptographic algorithms and protocols. You need to install this package only if you are developing applications which include SSL support; you do not need this package to use SSL.

    Stunnel

    The stunnel package provides the Stunnel SSL wrapper. Stunnel supports the SSL encryption of TCP connections, so it can provide encryption for non-SSL aware daemons and protocols (such as POP, IMAP and LDAP) without requiring any changes to the daemon's code.

    Table 4-1 displays the location of the secure server packages and additional security-related packages within the package groups provided by Red Hat Linux. This table also tells you whether each package is optional or not for the installation of a secure Web server.

    Table 4-1. Security Packages

    Package Name            Located in Group              Optional?
    apache                  System Environment/Daemons    no
    mod_ssl                 System Environment/Daemons    no
    openssl                 System Environment/Libraries  no
    apache-devel            Development/Libraries         yes
    apache-manual           Documentation                 yes
    openssh                 Applications/Internet         yes
    openssh-askpass         Applications/Internet         yes
    openssh-askpass-gnome   Applications/Internet         yes
    openssh-clients         Applications/Internet         yes
    openssh-server          System Environment/Daemons    yes
    openssl-devel           Development/Libraries         yes
    stunnel                 Applications/Internet         yes


    Chapter 5

    Security Policies

    The single most useful security technology is also the simplest. The right policies and procedures can significantly increase the security of even the most vanilla UNIX system. Security begins with analysis. Before you can protect your system in a cost-effective way, you need to know what resources must be protected, their relative value to you and your organization, and the areas in which they are most at risk. You also need to evaluate what security protection is already in place.

    For instance, if you administer a database server for a large corporation and it is only connected to a corporate WAN over leased lines, protecting the integrity of the data on the server will be a high priority. You will probably decide that the risk of intrusion from outsiders is less of a threat, because there are no easy public gateways into your network. However, there is a potential for inadvertent or malicious damage on the part of otherwise authorized users throughout the company.

    On the other hand, if you administer an Internet server, you are vulnerable to network-oriented attacks from every cracker out there. Your own information and resources are at risk, and so are the e-mail, Web files, and other resources for each of your customers. Inadvertent damage will be easy to manage, because you are able to keep a tight rein on the activities of legitimate users.

    Policies and procedures must be well thought out and must be easily enforceable if they are to improve your system's security. In most cases, you will need the active support of management in implementing security measures. Unfortunately, many managers don't have the hands-on experience to balance rigorous procedures against users' needs. Management will need your best professional advice to craft policies and procedures that are effective without being unreasonable, arbitrary, or awkward for users to work within. You will also need management's help in publicizing the policies, enforcing the procedures, and establishing an atmosphere of acceptance on the part of users.

    If you gain the support of management and users for your policies, your life will be much easier and your system is far more likely to become and remain secure. One way to gain support is to describe your approach in terms of cost versus benefit tradeoffs. For instance, your policy should begin by identifying the degree to which this system's resources and information are deemed critical to the company, difficult to replace, proprietary or otherwise in need of strong security measures. The more valuable the system, the more firm and comprehensive the security approach should be. Management will commit money and time to protect assets that are clearly valuable to the company and users will accept more stringent controls on such a system.

    Security policies and procedures must also match the culture of your organization or user community. For instance, if your system serves a classified military site, a public agency, or the finance department of a buttoned-down corporation, you may choose an approach that leaves the user no choice as to how he will accomplish various computing tasks. On the other hand, if your system serves an academic or research community, your users will demand a fair degree of autonomy and flexibility in their use of the system. In this case, your security policy must ensure that an adequate degree of protection is in place, but without otherwise constraining how people use the system.

    5.1 Goals:

    Your system exists to provide services and collect information on behalf of some set of authorized users. The purpose of your security policy is to protect those resources against deliberate or inadvertent misuse. There are at least six aspects of the system to consider:

    Availability. The system and at least the most important information it holds must be available for use when the users need them.

    Utility. The system and the information it holds are intended to serve a purpose. They must not only be available, but be available in such a way that that purpose is met.

    Integrity. The system and the information it holds must remain intact and accessible.

    Authenticity. There must be a way for the system to ensure that potential users are allowed access to various resources. Similarly, users should be able to verify that they are connected to the right system.

    Confidentiality. Some information may be deemed private or semi-private; security mechanisms must allow such designations and control access to that information appropriately.

    Possession. The owners of the system must be able to control its use and daily operations. Because UNIX is a multi-user operating system, if the administrator loses control of the system to a cracker, all users are affected.

    Each security measure, and the overall security approach, should be evaluated against these criteria. Not every security measure will address all six objectives, but taken together, they must provide a comprehensive response to the security threat.

    5.2 Physical Access to People:

    Prevent potential crackers from watching the screen as receptionists enter data, from gaining access to telephone lists and office layout diagrams, and from walking through work areas. It's just too easy and natural for users to respond to pleasant queries by showing an outsider how they log in, access information, or do their jobs.

    5.3 Physical Security:

    A second element of good system security is to control physical access to your system and any networks attached to it. Begin by auditing your site. What prevents unauthorized users from doing any of the following?

    Enter your facility

    Read manuals, logon instructions, configuration notes, or system dumps

    Copy or take away tapes, PCMCIA cards, removable disks, or diskettes

    Connect their own laptop to a network backbone

    Sit down at a workstation

    Approach the system console

    Read or take away printer output

    See or modify your telephone panels

    Tap into network transmissions over copper, fiber, infrared, or cellular media

    Make sure your policy and procedures clearly address how these forms of system access will be prevented. Then ensure that the policies and procedures are actually


    Chapter 6

    Case Study of SELinux

    6.1 Overview:

    SELinux is an operating system based on Linux which includes Mandatory Access Control. In short, with SELinux you can define explicit rules about what subjects (users, programs) can access which objects (files, devices). You could think of it as an internal firewall, which gives you the ability to separate programs and thereby ensure a high level of security within the operating system.

    SELinux is designed to meet the NSA's stringent needs for a secure operating system and is available as a module for all major Linux distributions. SELinux is basically a patch to the Linux kernel to add security features and offers patches to applications to allow them to determine the security domain in which to run processes.

    The National Security Agency (NSA) and computing go way back. The agency was founded in 1952 with the dual mission of protecting U.S. information systems and producing foreign intelligence information. Since its inception, the NSA has had the unenviable job of producing security standards that will keep all communications of the federal government and military secure.

    Given that the NSA has been one of the largest consumers of information technology on the planet, their interest in and use of Linux did not come as a surprise to anyone. However, when the development of an NSA-flavored version of Linux, known as "Security Enhanced" (SE) Linux, was announced, it was something of a surprise. Some were nervous, as the NSA and hackers have come to blows over encryption in the past. However, after public examination of SE Linux, it became clear that the NSA had done some pretty terrific work with the Linux kernel.


    What Is SE Linux?

    Security Enhanced Linux has the simple goal of managing access to system resources through strong typing and domain control. In English, that means SE Linux (as currently architected) runs a security server inside the kernel that determines what system resources a process has access to. Using a flexible policy definition system, SE Linux acts as an arbiter for all objects the kernel makes available to processes, including files, other processes (for process control security), and memory.

    SE Linux, which is available as a tarball from the SE Linux Web site, is designed to be installed on top of an existing distribution. It is not a distribution in and of itself. Originally designed for use with the 2.2.12 kernel, SE Linux as downloaded is configured to work with Red Hat 6.1. Using it with other distributions will lead to some policy errors. While we did not attempt to test SE Linux under Red Hat 7.0 or 7.1, according to Pete Loscocco of the NSA (the project's leader), it works, but he doesn't recommend using it with those distros.

    Correctly configured, a system based upon an SE Linux kernel shouldn't experience issues with users overstepping their bounds. Those familiar with computer security can tell you that gaining control of a user account is the first step towards gaining control of the entire system. With an SE Linux kernel, your system can restrict users into domains with very specific access rights and permissions.

    SE Linux's security policy is very configurable, allowing the system administrator, or more properly, the security policy administrator, to create domains with very specific abilities. For example, SE Linux can be configured so that it is impossible for users coming in over the network to switch domains (thus, they can be restricted from entering the system administrator domain).

    Features of the SELinux:

    SELinux prevents processes running on the system from doing the following:

    Reading unprivileged data and programs.

    Tampering with data and programs.

    Bypassing application security mechanisms.

    Executing untrustworthy programs.

    Interfering with other processes in violation of the system's security policy.

    1. What is Security-enhanced Linux?

    Security-enhanced Linux is a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed simply to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.

    2. What does Security-enhanced Linux give me that standard Linux can't?

    The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

    The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.

    3. What is it good for?

    The Security-enhanced Linux's new features are designed to enforce the separation of information based on confidentiality and integrity requirements. They are designed for preventing processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrustworthy programs, or interfering with other processes in violation of the system security policy. They also help to confine the potential damage that can be caused by malicious or flawed programs. They should also be useful for enabling a single system to be used by users with differing security authorizations to access multiple kinds of information with differing security requirements without compromising those security requirements.

    4. How compatible is Security-enhanced Linux with unmodified Linux?

    Security-enhanced Linux provides binary compatibility with existing Linux applications. It provides source compatibility with existing Linux kernel modules. These two categories of compatibility are discussed in detail below:

    A. Application compatibility

    We provide binary compatibility with existing applications. We have extended kernel data structures to include new security attributes, and we have added new API calls for security-aware applications. However, we have not changed any data structures visible to applications and we have not changed the interface of any existing system call, so existing applications can run unchanged if the security policy authorizes their operation.


    B. Kernel module compatibility

    We provide source compatibility with existing kernel modules. We have not changed existing exported kernel function interfaces. However, the changes to kernel data structures require recompilation of kernel modules in order for them to be used with our kernel.

    Security-enhanced Linux also provides a development support kernel configuration option (CONFIG_SECURITY_SELINUX_DEVELOP) that allows the system to be run in a permissive mode that audits but does not enforce the mandatory access controls. We are using this mode while developing the mandatory access controls and security policies in order to determine the permissions required for the system to operate. When compiled with this option, the kernel is initially permissive, and it can be toggled between being permissive and enforcing permissions at any time. New users of Security-enhanced Linux will likely want to use this mode initially because their systems may require some permissions that are not included in the example security policy configuration, especially since the example configuration is not yet complete. For "operational" use, the kernel should be built without this option.

    Security-enhanced Linux should not introduce any interoperability problems with ordinary Linux systems as long as all desired operations are authorized by the security policy configuration.

    5. What are the goals of the example security policy configuration?

    At a high level the goals are to demonstrate the flexibility and security of the mandatory access controls and to provide a simple working system with minimal modifications to applications. At a lower level, the policy has a number of goals described in the policy documentation. These goals include controlling raw access to data, protecting the integrity of the kernel, system software, system configuration information and system logs, confining the potential damage that can be caused through the exploitation of a flaw in a process that requires privileges, protecting privileged processes from executing malicious code, protecting the administrator role and domain from being entered without user authentication, preventing ordinary user processes from interfering with system processes or administrator processes, and protecting users and administrators from the exploitation of flaws in their browser by malicious mobile code.

    6. Why was Linux chosen as the base platform?

    Linux was chosen as the platform for the work because of its growing success and open development environment. Linux provides an excellent opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time, contribute to the security of a widely used system. A Linux platform also offers an excellent opportunity for this work to receive the widest possible review and perhaps provide the foundation for additional security research by others.

    7. Is it secure?

    The notion of a secure system includes many attributes (e.g., physical security, personnel security, etc.) and Security-enhanced Linux addresses only a very narrow set of these attributes (i.e., mandatory access controls in the operating system). Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. Security-enhanced Linux is only a research prototype that is intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely to meet any interesting definition of secure system. We do believe that the technology demonstrated in Security-enhanced Linux will be valuable to people that are building secure systems.

    8. How is it different from other efforts?

    Security-enhanced Linux has a well-defined architecture for flexible mandatory access controls that has been experimentally validated through several prototype systems (DTMach, DTOS, and Flask). Detailed studies have been performed of the ability of the architecture to support a wide variety of security policies and are available under http://www.cs.utah.edu/flux/dtos/ and http://www.cs.utah.edu/flux/flask/.


    The architecture provides fine-grained controls over many kernel abstractions and services that are not controlled by other systems. Some of the distinctive characteristics of the Security-enhanced Linux system are:

    Clean Separation of Policy from Enforcement

    Well-Defined Policy Interfaces

    Independent of Specific Policies and Policy Languages

    Independent of Specific Security Label Formats and Contents

    Individual Labels and Controls for Kernel Objects and Services

    Caching of Access Decisions for Efficiency

    Support for Policy Changes

    Controls over Process Initialization and Inheritance and Program Execution

    Controls over File Systems, Directories, Files, and Open File Descriptions

    Controls over Sockets, Messages, and Network Interfaces

    Controls over Use of "Capabilities"

    6.2 Advantages of SELinux over Standard Linux:

    What is SELinux good for?

    "The Security-enhanced Linux's new features are designed to enforce the separation of information based on confidentiality and integrity requirements. They are designed for preventing processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrustworthy programs, or interfering with other processes in violation of the system security policy. They also help to confine the potential damage that can be caused by malicious or flawed programs. They should also be useful for enabling a single system to be used by users with differing security authorizations to access multiple kinds of information with differing security requirements without compromising those security requirements."


    Personally, I think SELinux is best suited to small servers which are exposed to the Internet, are under threat of being attacked, and therefore require a high level of security. You wouldn't use SELinux to run a large application server on your internal network - the work involved would exceed the benefits. But you would use SELinux to secure a web, Email, or DNS server which is on the Internet - particularly if the server was running a number of services. If the server is running only one service then there may be little benefit from using SELinux. In an extreme case, a BIND based DNS server running on a read-only CD-Rom (and a little RAM disk) would benefit very little from running SELinux. On the other hand, if the system is running a number of services which need to be isolated from each other then SELinux is ideal.

    One of the issues here is that writing SELinux policies can be difficult for large, complex servers. Most system administrators won't know the details of how their server works and therefore will have difficulty in making changes to the security policy.

    Why should I run SELinux and not normal Linux?

    Because SELinux gives you the ability to secure processes from each other within the system. For example, if you have a web server on the Internet which is also serving Email and DNS then you would not want a vulnerability in the web server process allowing the attacker access to corrupt your DNS server. SELinux is one of the very few practical operating systems available which can provide such a level of protection.
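As an added illustration (not code from the report or from the SELinux project), the following Python model ties together two passages of this chapter: the security server with its permissive mode that audits without enforcing, and the web server and DNS scenario just described. It shows default deny between domains, cached access decisions, and the difference between enforcing and permissive operation. The domain and type names, the policy text and the simplified audit record format are constructed for the example.

```python
"""Toy model of type enforcement: default deny, decision cache, permissive mode.
Added illustration; the domain and type names (web_t, dns_t, ...) are constructed."""
import re

# Constructed policy, written in the style of type-enforcement 'allow' rules,
# for one host that runs both a web server and a DNS server.
POLICY = """
allow web_t web_content_t:file { read getattr };
allow web_t web_log_t:file { append };
allow dns_t dns_zone_t:file { read write getattr };
"""
ALLOW = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;")


class SecurityServer:
    """Holds the policy and decides which permissions a domain has on a type."""

    def __init__(self, policy_text):
        self.rules = {}
        for source, target, tclass, perms in ALLOW.findall(policy_text):
            key = (source, target, tclass)
            self.rules.setdefault(key, set()).update(perms.split())

    def compute(self, source, target, tclass):
        # Anything not explicitly allowed is denied. The user id is never
        # consulted, so a process running as root gets no special treatment.
        return frozenset(self.rules.get((source, target, tclass), ()))


class Enforcer:
    """Enforcement point: caches decisions, audits denials, enforces if asked."""

    def __init__(self, server, enforcing=True):
        self.server = server
        self.enforcing = enforcing      # may be toggled at any time
        self.cache = {}                 # (source, target, class) -> permissions
        self.lookups = 0                # how often the security server was asked
        self.audit_log = []

    def check(self, source, target, tclass, perm):
        key = (source, target, tclass)
        if key not in self.cache:
            self.lookups += 1
            self.cache[key] = self.server.compute(*key)
        if perm in self.cache[key]:
            return True
        self.audit_log.append(
            f"denied {{ {perm} }} scontext={source} tcontext={target} "
            f"tclass={tclass} permissive={int(not self.enforcing)}")
        return not self.enforcing       # permissive: audited but still allowed


def hijacked_web_server(enforcer):
    """Outcome of the operations a compromised web server process attempts."""
    attempts = [("web_content_t", "read"), ("dns_zone_t", "write"),
                ("web_content_t", "write")]
    return {f"{perm} {target}": enforcer.check("web_t", target, "file", perm)
            for target, perm in attempts}


if __name__ == "__main__":
    server = SecurityServer(POLICY)
    for enforcing in (True, False):
        enforcer = Enforcer(server, enforcing)
        print("enforcing" if enforcing else "permissive", hijacked_web_server(enforcer))
        for record in enforcer.audit_log:
            print("  audit:", record)
```

The audit records collected in permissive mode list exactly the permissions a policy author would have to grant or deliberately withhold before switching to enforcing.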


    BIBLIOGRAPHY

    Reference Books

    Magazine: Linux Journal

    Feature : Linux Kernel Internals

    Issue : June/July 2

    http://www.cs.utah.edu/flux/flask

    http://www.nsa.gov/selinux

    ftp://tsx-11.mit.edu/pub/linux/sources/

    ftp://sunsite.unc.edu/pub/linux/kernel
