Secure Operating Systems Lesson C Linux Security Features

Secure Operating Systems Lesson C: Linux Security Features

Where are we?
  • Multics is beautiful, Multics is beautiful…
  • And also, we’ve looked at some of the ways operating systems get broken
  • Let’s look at a well known OS today: Linux

Linux: Overview
  • Accounts, authentication
  • File permissions
  • Secure Access
  • Encrypted storage
  • Logging
  • Resource usage controls…
  • It’s a long list. Let’s take a look.

User Accounts
  • The Unix model is pretty straightforward
  • An entity has a user account; this account can be associated with groups
  • Usually, there is one superuser, root – this account has complete control of the system

PAM: Authentication
  • User accounts don’t help if you can’t authenticate, so Linux provides PAM
      - Pluggable Authentication Module
  • PAM allows us fine grained support on logins and authentication
      - Account modules: auth is valid under current conditions (time of day, phase of moon…)
      - Authentication modules: authenticates the user
      - Password modules: Updating passwords, and measuring password strength
      - Session modules: things to do at the start and end of every session

Protection: Files
  • Files can be protected at the user, group, and world level
  • Valid permissions are read, write, execute
  • umask provides default permissions for a user on files and directories
  • Setuid bit – is this a vuln or a feature? Let’s discuss…

Secure Access
  • None of the above matters if we can’t log in to the box securely
  • Linux has a few features. Most notably, we can restrict the places root can log in from – perhaps to a local physical console
  • All remote connections come in through sshd – compare to telnet

Encrypted storage
  • First, let’s be clear… what are we protecting from?
  • With that said, we can create an encrypted bootload and encrypted storage in Linux
  • Protecting the boot sequence is pretty important – we’ll revisit that when we look at Windows 8

Logging
  • Or even audit…there’s syslog and auditing
  • In more up to date Linii, there’s auditd
      - Very flexible auditing system, that provides very granular logging of events
      - Configured by audit rules
      - Tampering?
  • At the less granular level, there’s syslog etc.
  • In essence: you have the ability to see, if you choose to look

Resource control
  • Linux can control how much of a resource a particular uses, too
  • Quota can also provide hard limits

Non-Executable Memory
  • Linux has supported the NX bit for almost TEN years (!!!)
  • You do need to check your distribution and kernel configuration though
  • Remind me: what does this achieve?

ASLR
  • Yes, Linux has address space layout randomization as a kernel option

GCC assistance
  • Pointer encryption
  • -Wformat -Wformat-security
      - Not much use if you don’t pay attention
  • -D_FORTIFY_SOURCE=2 -O2 – put in runtime and compile time checks on buffers
  • Built in stack canaries
  • Position Independent Executables (PIE)
  • ELF hardening (mark segments r/o before execution)
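To see whether a given binary actually got the NX, PIE and read-only-segment hardening listed on the last three slides, the markers can be read straight from its ELF program headers. This is an added example, not part of the lecture: the names elf_hardening and build_sample are this example's own, it handles only 64-bit little-endian ELF, and the sample images in it are constructed.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552  # values from <elf.h>
PF_X, ET_DYN = 0x1, 3

def elf_hardening(data: bytes) -> dict:
    """Read NX-stack, PIE and RELRO markers from a 64-bit little-endian ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    result = {"pie": e_type == ET_DYN,  # shared objects are ET_DYN as well
              "nx_stack": False,        # no PT_GNU_STACK: kernel default applies
              "relro": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True      # segment remapped r/o after relocation
    return result

def build_sample(e_type: int, phdrs: list) -> bytes:
    """Constructed test image: ELF64 header plus bare program headers."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0,
                                 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<II", t, f) + bytes(48) for t, f in phdrs)
    return header + body

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:           # e.g. python3 check.py /bin/ls
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

A relro value of True means only that a PT_GNU_RELRO segment exists; telling full from partial RELRO would also need the dynamic section's BIND_NOW flag, which this example does not read.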

Things to Do
  • Take a look at the little Linux machine you installed earlier in the semester. What security features are available? In what areas can you harden the configuration? Tell me what you did to try and harden the OS…

Questions & Comments
  • What do you want to know?