26,39 €
Mehr erfahren.
- Herausgeber: Packt Publishing
- Kategorie: Fachliteratur
- Sprache: Englisch
NSA Security-Enhanced Linux (SELinux) is a set of patches and added utilities to the Linux kernel to incorporate a strong, flexible, mandatory access control architecture into the major subsystems of the kernel. With its fine-grained yet flexible approach, it is no wonder Linux distributions are firing up SELinux as a default security measure.
SELinux System Administration covers the majority of SELinux features through a mix of real-life scenarios, descriptions, and examples. Everything an administrator needs to further tune SELinux to suit their needs are present in this book.
This book touches on various SELinux topics, guiding you through the configuration of SELinux contexts, definitions, and the assignment of SELinux roles, and finishes up with policy enhancements. All of SELinux's configuration handles, be they conditional policies, constraints, policy types, or audit capabilities, are covered in this book with genuine examples that administrators might come across.
By the end, SELinux System Administration will have taught you how to configure your Linux system to be more secure, powered by a formidable mandatory access control.
Das E-Book können Sie in Legimi-Apps oder einer beliebigen App lesen, die das folgende Format unterstützen:
Seitenzahl: 164
Veröffentlichungsjahr: 2013
Ähnliche
Table of Contents
SELinux System Administration
SELinux System Administration
Copyright © 2013 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: September 2013
Production Reference: 1170913
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78328-317-0
www.packtpub.com
Cover Image by Jarek Blaminsky (<[email protected]>)
Credits
Author
Sven Vermeulen
Reviewers
Thomas Fischer
Dominick Grift
Acquisition Editor
Kartikey Pandey
Commissioning Editor
Neha Nagwekar
Technical Editor
Krishnaveni Haridas
Project Coordinator
Suraj Bist
Proofreaders
Ameesha Green
Maria Gould
Simran Bhogal
Indexer
Priya Subramani
Graphics
Abhinash Sahu
Production Coordinator
Nitesh Thakur
Cover Work
Nitesh Thakur
About the Author
Sven Vermeulen is a long term contributor to various free software projects and the author of various online guides and resources. He got his first taste of free software in 1997 and never looked back since then. In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has crossed several roles after that, including Gentoo Foundation’s trustee, council member, project leads for documentation, and (his current role) project lead for Gentoo Hardened’s SELinux integration.
In this time frame, he has gained expertise in several technologies, ranging from operating system level knowledge to application servers as he used his interest in security to guide his projects further: security guides using SCAP languages, mandatory access controls through SELinux, authentication with PAM, (application) firewalling, and more.
On SELinux, he has contributed several policies to the reference policy project and participates actively in policy development and user space development projects.
Sven is an IT infrastructure architect working at a European financial institution. Secured implementation of infrastructure (and the surrounding architectural integration) is of course an important part of this. Prior to this, he graduated with an MSc in Computer Engineering at the University of Ghent and then worked as a web application infrastructure engineer with IBM WebSphere AS.
Sven is the main author of Gentoo’s Handbook which covers the installation and configuration of Gentoo Linux on several architectures. He also authored the Linux Sea online publication, which is a gentle introduction to Linux for novice system administrators.
I would like to thank the SELinux community for their never-ending support in the field, especially the guys frequenting the #selinux chat channel (you know who am I referring to, especially you Dominick.) Without their assistance, I probably wouldn’t have probably been able to be where I am today with SELinux. The same goes to the team members of the Gentoo Hardened project, who despite their geographically distributed nature, are always working together to get Gentoo Linux to a more secure state. Finally, I would like a to give special mention to my colleague “wokwok” for making security a fun field. His approach to security always makes me smile and ensures that this (very) broad and multi-disciplinary field is always alive and kicking.
About the Reviewers
Thomas Fischer is a Computer and IT security specialist since the last 15 years. He is experienced in most fields of IT security and is a master in different programming languages. He was the CEO of a German web and IT company over eight years, and also was also the system architect and administrator for various companies in the professional bike sport scene, Germany. He studied computer networking and security and safety engineering in Furtwangen in the Black Forest. A specialist had made talks at different conferences on the topics of web security and the Linux workstation. Thomas Fischer took part in different international IT security war games and the ICTF 2012. When he is not busy with his machine, he enjoys long distance cycling or extreme mountain bike races.
Dominick Grift has been an SELinux contributor and enthusiast. He has almost 10 years of experience in providing SELinux support to the community. He has been a reference policy contributor and co-maintainer, and Fedora SELinux policy co-maintainer.
I would like to thank the SELinux community for bringing me to the position where I am today.
www.PacktPub.com
Support files, eBooks, discount offers and more
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt’s online digital book library. Here, you can access, read and search across Packt’s entire library of books.
Why Subscribe?
Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
Preface
Be it for personal use or for larger enterprises, system administrators have often an ungrateful job of protecting the system from malicious attacks and undefined application behavior. Providing security to systems is a major part of their job description, and to accomplish this there are a large set of security technologies are at the administrator's disposal, such as firewalls, file integrity validation tools, configuration enforcement technologies, and many more. Major parts of system security is the authentication of users, authorization of these users, and auditing of all changes and operations made on the system. Users, however, are becoming more experienced with working around regular access controls that are designed to keep the system safe, and application vulnerabilities are often exposing much more of the system than what the application should have access to.
Fine-grained access controls and enforcement by the system are needed so that users do not need to look for workarounds, and application vulnerabilities remain within the scope of the application. Linux has replied to this demand with a flexible security architecture in which mandatory access control systems can be defined. One of these is SELinux, the security-enhanced Linux subsystem.
More and more distributions are bundling SELinux support with their offerings, making SELinux available to the mass population of Linux administrators. Yet SELinux is often found to be a daunting technology to work with. Be it due to misunderstandings or lack of information, too many times SELinux is being disabled in favor of rapid fixing of permission issues. This, however, is not fixing an issue but it is ignoring an issue and removing the safe barriers that were put in place to protect the system from them.
In this book, we will describe the SELinux concepts and show how to leverage SELinux to improve the secure state of a Linux system. Together with examples and command references, this book will offer a complete view on SELinux and how it integrates with various other components on a Linux system.
What this book covers
Chapter 1, Fundamental SELinux Concepts, describes SELinux covering the basic concepts of this mandatory access control system needed to understand how and why SELinux-enabled systems behave as they do.
Chapter 2, Understanding SELinux Decisions and Logging, focuses on the enforcement of rules within an SELinux system and how are they related to a Linux system. It explains how and what SELinux logs on the system and how SELinux can be enabled or disabled.
Chapter 3, Managing User Logins, teaches how to manage users and logins on a SELinux system and how to assign roles based on the user's needs. It describes the integration of SELinux with other technologies such as PAM or sudo, and gives us a first taste of what unconfined domains mean to an SELinux system.
Chapter 4, Process Domains and File-level Access Controls, describes the SELinux access control rules based on file accesses. We see how SELinux uses file contexts and process contexts and how we can interrogate the SELinux policy.
Chapter 5, Controlling Network Communications, introduces us to access controls on the network level. We see how the standard SELinux socket-based access controls work, and how we can leverage the Linux netfilter system to label network packets. The chapter also gives a brief introduction to the labeled IPSec and NetLabel/CIPSO support, two technologies that can transport SELinux labels across systems.
Chapter 6, Working with SELinux Policies, discusses how to tune SELinux policies, either through SELinux Booleans or by adding additional rules on top of the existing policy. This chapter covers how to use distribution provided tools, as well as manually maintaining additional SELinux policy modules and finish off with a set of use case-driven examples for enhancing SELinux policies.
Who this book is for
This book targets Linux system administrators who have a good understanding of how does Linux work and want to understand and work with the SELinux technology. It might also be interesting for IT architects to understand how SELinux can be positioned to enhance the security of Linux systems within their organization.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "The context can be seen using the regular file listing tools such as ls -Z or stat."
A block of code is set as follows:
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "This usually is "denied", although some actions are explicitly marked for auditing and would result in "granted"".
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title through the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the example code
You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the erratasubmissionform link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website, or added to any list of existing errata, under the Errata section of that title.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
Questions
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
Chapter 1. Fundamental SELinux Concepts
SELinux (Security Enhanced Linux) brings additional security measures for your Linux system to further protect the resources on the system.
In this chapter, we will cover:
At the end, we will provide an overview of the differences between SELinux implementations across distributions.
Providing more security to Linux
Seasoned Linux administrators and security engineers already know that they need to have some trust in the users and processes on their system in order for the system to remain secure. Part of that is because users can attempt to exploit vulnerabilities found on the software running on the system, but a large part of it is because the secure state of the system depends on the behavior of the users. A Linux user with access to sensitive information can easily leak that out to the public, manipulate the behavior of the applications he launches, and can do many more things. The default access controls in place in a regular Linux system are discretionary, meaning it is up to the user's discretion how the access controls should behave.
The Linux DAC (Discretionary Access Control) mechanism is based on the user and/or group information of the process versus the user and/or group information of the file, directory, or other resource that is being manipulated. Consider the /etc/shadow file, which contains the password and account information of the local Linux accounts:
Without additional access control mechanisms in place, this file is readable and writable by any process that is owned by the root user, regardless of the purpose of the process on the system. The shadow file is a typical example of a sensitive file that we don't want to see leaked or abused in any other fashion. Yet, the moment someone has access to the file he can copy it elsewhere, for example, to their home directory or even mail it to his own computer and attempt to attack the password hashes stored within.
Another example of how Linux DAC requires trust from its users is when a database is hosted on the system. Database files themselves are (hopefully) only manageable by the runtime user of the database management system (DBMS) and the Linux root user. Properly secured systems will grant the additional users access to these files (for instance through sudo) by allowing these users to change their effective user ID from their personal user to the database runtime user, or even root. Those users too can analyze the database files and gain access to potentially very confidential information in the database without going through the DBMS.
