A Secure Linux Platform by xiaohuicaicai


A Secure Linux Platform

Nigel Edwards, Joubert Berger, Tse Huong Choo

2001 USENIX Annual Linux Showcase & Conference
- Introduction

- HP-LX security features
  - Containment
  - Auditing of system calls
  - Secure administration model

- Conclusion
HP Secure OS Software for Linux (HP-LX)

- Characteristics
  - Restricting the communication channels available to a process and its children.
  - Controlling write access permission to files for any user (including
  - Auditing of system calls to audit administration actions and to detect

Containment (1/2)

- A compartment attribute for every process
  - The kernel checks the compartment attribute against a table of rules to see if the access is allowed.

- Containing communication access
  - Communication Control Table (CCT), for example:
      HOST * -> COMPARTMENT web PORT 80 METHOD tcp NETDEV lan_eth0
  - Similar to Linux ipchains and netfilter.
  - The major difference is that different rules can be defined for different compartments.
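The following is an added example, not code from the paper or from HP-LX: a small model of how a CCT of the shape shown above could be matched. The page gives a single rule, so the grammar is an assumption: each endpoint is written `HOST <address|CIDR|*>` or `COMPARTMENT <name>`, `PORT`, `METHOD` and `NETDEV` are optional attributes that match anything when absent, rules are allow-rules over a default-deny policy, and the extra rules in the table (a `db` and an `admin` compartment) are constructed for the illustration. The point it shows is the one the slide makes against ipchains: two compartments on the same host can have different rules, so a compromised `web` process can reach `db` on its one permitted port but cannot reach `admin` or call back out to the Internet.

```python
"""Toy model of an HP-LX style Communication Control Table (CCT).

Added example, not code from the paper or HP-LX. Assumptions: rules are
allow-rules over a default-deny policy, an endpoint is written either as
"HOST <address|CIDR|*>" or "COMPARTMENT <name>", and PORT/METHOD/NETDEV are
optional attributes that default to "match anything". The page shows only
one rule, so this grammar is a guess at its shape.
"""
import ipaddress
import re
from dataclasses import dataclass

_RULE = re.compile(
    r"^(HOST|COMPARTMENT) (\S+) -> (HOST|COMPARTMENT) (\S+)"
    r"((?: (?:PORT|METHOD|NETDEV) \S+)*)$"
)


@dataclass(frozen=True)
class Rule:
    src_type: str
    src: str
    dst_type: str
    dst: str
    port: str = "*"
    method: str = "*"
    netdev: str = "*"


def parse_rule(text):
    """Parse one CCT rule; whitespace (including line breaks) is normalised."""
    m = _RULE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"malformed CCT rule: {text!r}")
    words = m.group(5).split()
    attrs = dict(zip(words[0::2], words[1::2]))
    return Rule(m.group(1), m.group(2), m.group(3), m.group(4),
                attrs.get("PORT", "*"), attrs.get("METHOD", "*"),
                attrs.get("NETDEV", "*"))


def _endpoint_ok(rule_type, pattern, kind, value):
    if rule_type != kind:
        return False
    if pattern == "*":
        return True
    if kind == "HOST":
        # pattern may be a single address or a CIDR block (assumption)
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return pattern == value


def allowed(cct, src, dst, port, method, netdev):
    """Default deny: permitted only if some rule matches every field.

    src and dst are (kind, value) pairs, e.g. ("HOST", "203.0.113.9")
    or ("COMPARTMENT", "web").
    """
    return any(
        _endpoint_ok(r.src_type, r.src, *src)
        and _endpoint_ok(r.dst_type, r.dst, *dst)
        and r.port in ("*", str(port))
        and r.method in ("*", method)
        and r.netdev in ("*", netdev)
        for r in cct
    )


# Constructed table: the first rule is the one on the slide, the other two
# are made up to show rules that differ per compartment on the same host.
CCT = [parse_rule(r) for r in (
    "HOST * -> COMPARTMENT web PORT 80\n METHOD tcp NETDEV lan_eth0",
    "COMPARTMENT web -> COMPARTMENT db PORT 3306 METHOD tcp",
    "HOST 10.0.0.0/8 -> COMPARTMENT admin PORT 22 METHOD tcp NETDEV lan_eth0",
)]

WEB, DB, ADMIN = ("COMPARTMENT", "web"), ("COMPARTMENT", "db"), ("COMPARTMENT", "admin")
INTERNET, LAN = ("HOST", "203.0.113.9"), ("HOST", "10.1.2.3")


def decisions():
    """A few connection attempts and what the table says about them."""
    return {
        "internet -> web:80 on lan_eth0": allowed(CCT, INTERNET, WEB, 80, "tcp", "lan_eth0"),
        "internet -> web:80 on lan_eth1": allowed(CCT, INTERNET, WEB, 80, "tcp", "lan_eth1"),
        "internet -> admin:22": allowed(CCT, INTERNET, ADMIN, 22, "tcp", "lan_eth0"),
        "lan -> admin:22": allowed(CCT, LAN, ADMIN, 22, "tcp", "lan_eth0"),
        "web -> db:3306": allowed(CCT, WEB, DB, 3306, "tcp", "lan_eth0"),
        "db -> web:80": allowed(CCT, DB, WEB, 80, "tcp", "lan_eth0"),
        "web -> internet:80 (compromised web server calling out)":
            allowed(CCT, WEB, INTERNET, 80, "tcp", "lan_eth0"),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{'ALLOW' if verdict else 'DENY ':5} {name}")
```

Note that the last two decisions are the ones a single global ipchains ruleset cannot express: both compartments run on the same host with the same addresses, and only the compartment attribute of the process distinguishes them.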

Containment (2/2)

- Containing file access
  - File Control Table (FCT)
    - defines the possible access modes of a given path for a given

      compartment  path                      modes
      web          /compt/web/apache/logs    read,write,append
      web          /compt/web/dev            read,write
      web          /compt/web/tmp            read,write
      web          /compt/web                read
      web          /bin                      read

  - Each time a process opens a file, its compartment attribute is checked against the set of rules in the FCT.
    - If a process running in compartment "web" attempted to access the following file: /compt/web/apache/htdocs/index.html,
  - It does not matter if the process is running as root or is the owner of the file.
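An added example, not HP-LX code, of how the table above could be evaluated at open() time. The page states that the compartment attribute is checked against the FCT on every open and that uid and file ownership play no part; everything else in this model is an assumption: that the most specific (longest) matching path prefix decides, that a path matched by no rule is denied, and that every mode the caller asks for must be listed in the rule. The sample paths and the `db` compartment in the checks are constructed.

```python
"""Toy model of the File Control Table (FCT) on the HP-LX slides.

Added example, not HP-LX code. The page gives the table and says the
compartment attribute is checked on every open(); this model additionally
assumes that the most specific (longest) matching path prefix decides, that
a path matched by no rule is denied, and that every requested mode must be
listed. Those three points are assumptions, not statements from the page.
"""
import posixpath

# The table from the slide: compartment / path / allowed modes.
FCT_TEXT = """
web   /compt/web/apache/logs   read,write,append
web   /compt/web/dev           read,write
web   /compt/web/tmp           read,write
web   /compt/web               read
web   /bin                     read
"""


def parse_fct(text):
    rules = []
    for line in text.strip().splitlines():
        compartment, path, modes = line.split()
        rules.append((compartment, posixpath.normpath(path), frozenset(modes.split(","))))
    return rules


def _under(path, prefix):
    """True if path is prefix itself or lies below it (directory boundary respected)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def lookup(fct, compartment, path):
    """Mode set of the most specific rule for this compartment and path."""
    path = posixpath.normpath(path)  # resolve ".." before matching
    best = None
    for rule_compartment, prefix, modes in fct:
        if rule_compartment == compartment and _under(path, prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, modes)
    return best[1] if best else frozenset()


def may_open(fct, compartment, path, modes, uid=0):
    """uid is accepted only to make the point: it is never consulted."""
    return frozenset(modes) <= lookup(fct, compartment, path)


FCT = parse_fct(FCT_TEXT)


def checks():
    """Constructed open() attempts from compartment 'web' (and one from 'db')."""
    return {
        "index.html read": may_open(FCT, "web", "/compt/web/apache/htdocs/index.html", {"read"}),
        "index.html write as root": may_open(FCT, "web", "/compt/web/apache/htdocs/index.html", {"write"}, uid=0),
        "access_log append": may_open(FCT, "web", "/compt/web/apache/logs/access_log", {"write", "append"}),
        "tmp write": may_open(FCT, "web", "/compt/web/tmp/sess_1", {"write"}),
        "/bin/sh read": may_open(FCT, "web", "/bin/sh", {"read"}),
        "/bin/sh write": may_open(FCT, "web", "/bin/sh", {"write"}),
        "/etc/shadow read": may_open(FCT, "web", "/etc/shadow", {"read"}),
        "dot-dot escape": may_open(FCT, "web", "/compt/web/../../etc/passwd", {"read"}),
        "sibling prefix /compt/webmail": may_open(FCT, "web", "/compt/webmail/x", {"read"}),
        "other compartment, same path": may_open(FCT, "db", "/compt/web/tmp/sess_1", {"write"}),
    }


if __name__ == "__main__":
    for name, verdict in checks().items():
        print(f"{'ALLOW' if verdict else 'DENY ':5} {name}")
```

Two details matter in a real kernel and are only sketched here: the check must be made on the resolved path (the dentry the open actually reaches, after symlinks and ".." are followed), not on the string the process passed, and a prefix rule must stop at a directory boundary so that `/compt/webmail` is not covered by the `/compt/web` rule.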

- Audit subsystem
  - Collects audit data by hooking the system call entry points.
  - Collected data is pooled in a kernel buffer and later spooled to disk by a user-space daemon (the audit daemon).
  - Templates specify the format of the data: XML, plain text, ...
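The pipeline described above, as an added example that is not HP-LX code: a hook that appends a record to a buffer, a daemon loop that drains it, and two templates (plain text and XML). The record fields, the template syntax and the sample records are assumptions made for the illustration. The caveat it demonstrates is one any syscall auditor has to handle: file names and other arguments come from the audited process, so a template must escape them, otherwise a process can embed a line break in a file name and forge what looks like a second, privileged audit record.

```python
"""Toy model of the HP-LX audit path on the slide: a hook at the system call
entry point appends a record to a kernel buffer, a user-space audit daemon
drains the buffer and writes each record through a template (plain text or
XML). Added example, not HP-LX code; the record fields, template syntax and
sample records are assumptions made for the illustration.
"""
import collections
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from string import Template
from xml.sax.saxutils import escape, quoteattr


@dataclass(frozen=True)
class AuditRecord:
    ts: str
    pid: int
    uid: int
    compartment: str
    syscall: str
    args: tuple
    result: int


def syscall_hook(buffer, ts, pid, uid, compartment, syscall, args, result):
    """What the kernel-side hook does: record the call and its outcome."""
    buffer.append(AuditRecord(ts, pid, uid, compartment, syscall, tuple(args), result))


TEMPLATES = {
    "text": Template("$ts pid=$pid uid=$uid compt=$compartment $syscall($args) = $result"),
    "xml": Template("<event ts=$ts pid=$pid uid=$uid compt=$compartment "
                    "syscall=$syscall result=$result>$args</event>"),
}


def render(rec, fmt):
    fields = {"ts": rec.ts, "pid": rec.pid, "uid": rec.uid,
              "compartment": rec.compartment, "syscall": rec.syscall,
              "result": rec.result, "args": ", ".join(str(a) for a in rec.args)}
    if fmt == "xml":
        # quoteattr() adds the quotes and encodes quotes/newlines in attributes
        fields = {k: (escape(str(v)) if k == "args" else quoteattr(str(v)))
                  for k, v in fields.items()}
    else:
        # One record per line: an attacker-chosen file name must not be able to
        # inject a line break and forge a second record.
        fields = {k: str(v).encode("unicode_escape").decode("ascii")
                  for k, v in fields.items()}
    return TEMPLATES[fmt].substitute(fields)


def spool(buffer, fmt):
    """The audit daemon's loop: drain the kernel buffer to formatted records."""
    out = []
    while buffer:
        out.append(render(buffer.popleft(), fmt))
    return out


def parse_event(xml_record):
    """What a consumer of the XML format does; attributes and args come back intact."""
    el = ET.fromstring(xml_record)
    return dict(el.attrib, args=el.text)


# Constructed file name that, unescaped, would look like an admin action record.
FORGED_NAME = ("index.html\n2001-11-07T10:00:01 pid=1 uid=0 compt=admin "
               "cct_reload() = 0 <!-- -->")


def demo(fmt="text"):
    """Three constructed records: a permitted open, a denied open (-EACCES), and
    an open of a file whose name is crafted to forge an extra audit line."""
    buf = collections.deque()
    syscall_hook(buf, "2001-11-07T10:00:00", 1234, 48, "web", "open",
                 ("/compt/web/apache/htdocs/index.html", "O_RDONLY"), 3)
    syscall_hook(buf, "2001-11-07T10:00:00", 1234, 48, "web", "open",
                 ("/etc/shadow", "O_RDONLY"), -13)
    syscall_hook(buf, "2001-11-07T10:00:01", 1234, 48, "web", "open",
                 ("/compt/web/tmp/" + FORGED_NAME, "O_WRONLY|O_CREAT"), 4)
    return spool(buf, fmt)


if __name__ == "__main__":
    for fmt in ("text", "xml"):
        print("\n".join(demo(fmt)))
```

In the text format the record boundary is the line, so the escaping step is what keeps the forged name inside its own record; in the XML format the boundary is the element, and the parser, not line splitting, recovers the original file name.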
Audit subsystem configuration
Secure administration model

- tlx_admin bit
  - Allows processes with this bit set to create new compartments, reconfigure existing compartments and change the rules in the CCT and FCT.
  - Code inside the kernel checks for this bit before executing administration
  - Two processes have this bit set:
    - getty for terminal 1 (console login)
    - an instance of SSH: PAM (Pluggable Authentication Modules) checks whether or not the logged-in user is an authorized administrator.

- Communication patterns are configured explicitly.

- Minimal kernel changes.

- Prevents worms from propagating and sensitive files from being overwritten.
