The NSA have published a 170-page security configuration guide for RHEL5. It’s a kind of best practices document for security, with step-by-step explanations for locking down pretty much every feature of the OS.
I’d say this is essential reading for anyone deploying RHEL or similar (Fedora, CentOS etc.) distributions, and likely also quite useful in the general case.
Seems like ideal reading during travel to FOSS.IN :-)
FOSS.IN/2007 looks to be shaping up well — here’s the shortlisted schedule.
The live registration stats are interesting — 57% of delegates have indicated interest in the Fedora session of the project days.
I’m honoured and very happy to be returning this year to give talks on general kernel development and the state of SELinux. While preparing the slides, I was surprised at how much has happened in SELinux since my last talk at the conference in 2005. Things really move fast in FOSS.
It’s lucky the talks this year have been extended to 90 minutes, as I have approximately several million slides to get through. Well, perhaps not so lucky for those attending my talks. I’ll post the slides after the conference. In the meantime, catch this interview with Dan Walsh on some cool SELinux features in Fedora 8.
Something that may be of interest to others visiting India for the conference is the excellent Foreign Speaker HOWTO by Harald Welte.
I’d echo his advice to always have small change on you (in denominations of 20/10/5 Rs and some coins), as 500 Rs notes are not very useful for local transport and similar, unless you like the idea of giving 10000% tips. It’s probably best to obtain the currency before getting to India, which typically needs to be ordered ahead of time.
Ulrich Drepper features in a video in the latest Red Hat Magazine, explaining how to play nicely with SELinux.
One of the common issues we see is breakage of third party applications, where they ship with dangerous bugs in the code, which SELinux will often find. These can be coding errors, such as not closing files on exec, where child processes will inherit the parent’s, or also commonly, linking issues, where the application has not been built correctly. In the latter case, you will typically see some probably unexpected memory-related security checks failing: Dan Walsh has written about this in detail recently.
Ulrich mentions another common issue, where the application simply has no policy written for it. One approach for this is to run the application as an unconfined domain, which of course doesn’t help secure the application itself, but ensures that the rest of the system retains its SELinux protection.
Ideally, the application should have a policy, and Ulrich mentions efforts in education and training to help people better understand this area, as well as improvements in SELinux tools (setroubleshoot) and the development environment (e.g. modular policy).
Another approach that I would suggest, which should be highly effective, is to post details of your application to an SELinux mailing list (fedora-selinux, the main list etc.) and ask for help. In the meantime, you can run the system in permissive mode, which will ensure that labeling is still enforced, and that you can observe the logs for further analysis if required.
Ulrich also mentions more policy being developed internally for packages, with increasing support for user-oriented (as opposed to server-) applications.
***
Some will know that I’ve recently moved back to Sydney, where I’ll be working in the same role with Red Hat. Linux in the Asia-Pacific region certainly seems to have grown since I left four years ago, as evidenced by the size of the current Sydney RH office compared to the fairly small one I visited then.
They have one of the most amazing views I’ve ever seen in Sydney, stretching from the harbour around to the Blue Mountains. Of course, my tiny camera & lack of skills cannot do it justice.
On a clear day you can see New Zealand
It’s really exciting to be back.
The FOSS.IN/2007 Call for Participation closes on October 8th, in a few days. If you want to give a talk at the main conference, or during a Project Days session, now would be a good time to send something in.
I’ve just submitted a couple of talks.
If you’re after special treatment as a speaker, Atul has written up some useful advice, in his classic style.
Dan Walsh has published an article on his SELinux policy generation wizard at Red Hat Magazine.
The article is a great introduction to the modern SELinux policy development environment, while the tool itself demonstrates how high-level abstractions are the key to SELinux usability.
In this case, the sysadmin is provided with a set of questions about the application to be confined, and makes selections based upon patterns which are commonly encountered in similar applications. Some further questions are asked, such as which ports the application might use, and then a loadable policy module is generated.
If you want to try the tool for yourself, you’ll find it in current RHEL 5 and Fedora 7, runnable via system-config-selinux .
Linux Journal have published an interesting article, Mambo Exploit Blocked by SELinux, by Richard Bullington-McGuire.
Mambo is a CMS written in PHP. At some point, the code was vulnerable to a worm, which breached Richard’s system. His article details how this breach was both detected and contained with SELinux, as configured with the default targeted policy under RHEL4.
It demonstrates one of the core goals of SELinux, which is to prevent flawed software from being exploited by malware. In this case, the payload was delivered into the system via a third party PHP application, but was then prevented from doing any damage.
The article is also useful generally as an example of computer forensics procedures.
Even though it is fairly well known that system call wrappers are dangerous, many security schemes continue to use them, including several well-known commercial security products from major vendors.
Briefly, the technique involves intercepting user requests at the system call level, then performing some security function and perhaps failing the call. A common example is re-vectoring the system call table so that a virus scanner is invoked when a file is opened. The Linux system call table was unexported long ago to discourage such use, although there’s no way to actually prevent it.
There are many problems with such techniques. One significant class arises from the combination of concurrency, and gaps in time between when an object is checked and when it is used. For example, an application may subvert the security mechanism by passing clean data to be checked, then replacing it with malicious data before it is used. This is called a Time of Check to Time of Use race, or TOCTTOU.
Robert Watson, of FreeBSD and TrustedBSD fame, recently presented a good paper on the topic, which he discusses here: USENIX WOOT07, Exploiting Concurrency Vulnerabilities in System Call Wrappers, and the Evil Genius.
In the paper, problems with system call wrapping are comprehensively detailed, while the slides also include several examples of exploit code.
One interesting case, which I think would surprise many, is the ease with which their sudo could be subverted.
With Sudo on MP systems, the window for execve() arguments was over 430K cycles. We were able to successfully exploit this vulnerability, replacing command lines so that they were incorrectly logged, masking all further attacker activity in the audit trail.
The paper also discusses ways to mitigate the problem, including not using system call wrapping at all, and instead directly integrating mediation into the kernel; which is what SELinux does.
The 2007 FOSS.IN conference has been announced, and will take place in Bengalaru from December 4-8.
It looks like they’re tightening their focus on community development and depth of talks, as discussed by Andrew Cowie.
There’ll be a HackCenter — an area set up specifically for people to work together — this is something I’d have found useful at many other conferences in the past.
I really hope to return to the conference this year, after not being able to make it for 2006.
I just posted about this on SELinux News: HP have now completed a common criteria certification of RHEL 5, covering LSPP, RBACPP and CAPP at EAL4 augmented. This is basically the same as the IBM certification. Indeed, both certifications stem from the same cooperative effort.
For the first time, we are seeing security certifications from different vendors which are fully compatible, thanks to a community-based approach. From a customer point of view, there is now true choice in certified solutions, as it’s possible to choose different hardware vendors. While technically not certified, pure RHEL clones effectively extend that choice to selection of OS vendor.
So, Linux now offers the highest evaluation level possible for an off-the-shelf operating system, with a flexible, modern MAC scheme, without vendor lock-in for either hardware or software. It’s all upstream, and the source is out there for anyone to review, use, experiment with or develop further.
More importantly, the underlying technology aims for general usability, and is already protecting millions of systems from modern security threats.
Seth Vidal writes about configuring polyinstantiated tmp directories under Fedora. This allows different users to have their own view of /tmp through the use of shared-subtrees and pam_namespace.
Also see Russell Coker’s paper on the topic.