A Secure Linux Platform
Nigel Edwards, Joubert Berger, Tse Huong Choo
2001 USENIX Annual Linux Showcase & Conference

Outline
- Introduction
- HP-LX security features
  - Containment
  - Auditing of system calls
  - Secure administration model
- Conclusion

Introduction
HP Secure OS Software for Linux (HP-LX). Characteristics:
- Restricting the communication channels available to a process and its children.
- Controlling write access permission to files for any user (including root).
- Auditing of system calls, both to audit administration actions and to detect intrusion.

Containment (1/2)
Every process carries a compartment attribute. The kernel checks the compartment attribute against a table of rules to see if the access is allowed.

Containing communication access: Communication Control Table (CCT)
  HOST * -> COMPARTMENT web PORT 80 METHOD tcp NETDEV lan_eth0
This is similar to Linux ipchains and netfilter. The major difference is that defining different rules for different compartments is possible.

Containment (2/2)
Containing file access: File Control Table (FCT), defining the possible access modes of a given path for a given compartment.
  web  /compt/web/apache/logs  read,write,append
  web  /compt/web/dev          read,write
  web  /compt/web/tmp          read,write
  web  /compt/web              read
  web  /bin                    read
Each time a process opens a file, its compartment attribute is checked against the set of rules in the FCT. If a process running in compartment "web" attempts to access /compt/web/apache/htdocs/index.html, these rules decide the outcome: it does not matter whether the process is running as root or is the owner of the file.

Audit
Audit subsystem:
- Audit data is collected by hooking the system call entry points.
- Collected data is pooled in a kernel buffer and later spooled to disk via a user-space daemon (the audit daemon).
- Templates specify the format of the data: XML, plain text, ...

Audit subsystem configuration

Secure administration model
tlx_admin bit:
- Processes with this bit set may create new compartments, reconfigure existing compartments and change the rules in the CCT and FCT.
- Code inside the kernel checks for this bit before executing administration functions.
- Two processes have this bit set:
  - getty for terminal 1 (console login)
  - an instance of SSH; PAM (Pluggable Authentication Modules) checks whether the login user is an authorized administrator.

Conclusion
- Communication patterns are configured explicitly.
- Minimal kernel changes.
- Prevents propagating worms and the overwriting of sensitive files.
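As an added example (not code from the paper or from HP-LX), the following models the FCT lookup described on the Containment (2/2) slide, using that slide's five rules. The matching policy, that the most specific matching path wins and an unmatched path is denied, is an assumption; the caller's uid is deliberately not an input, since the slide states that root and file ownership do not matter.

```python
"""Model of the HP-LX File Control Table (FCT) check (added example, not
HP-LX code). Rule syntax is from the slides; the matching policy (most
specific path prefix wins, anything unmatched is denied) is an assumption."""
from posixpath import normpath

# FCT rules copied from the slides: compartment, path, allowed access modes.
FCT_TEXT = """\
web /compt/web/apache/logs read,write,append
web /compt/web/dev read,write
web /compt/web/tmp read,write
web /compt/web read
web /bin read
"""


def parse_fct(text):
    """Parse 'compartment path modes' lines into (compartment, path, modes)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        compartment, path, modes = line.split()
        rules.append((compartment, normpath(path), set(modes.split(","))))
    return rules


def _covers(rule_path, path):
    """True if rule_path is the path itself or an ancestor directory of it."""
    return path == rule_path or path.startswith(rule_path.rstrip("/") + "/")


def fct_allows(rules, compartment, path, mode):
    """Decide whether a process in `compartment` may open `path` with `mode`.

    There is no uid parameter on purpose: only the compartment and the table
    matter, exactly as the slide says for root and file owners.
    Assumption: the most specific matching rule path wins; no match => deny.
    """
    path = normpath(path)  # collapses '..' so it cannot escape a rule's subtree
    best = None
    for comp, rule_path, modes in rules:
        if comp != compartment or not _covers(rule_path, path):
            continue
        if best is None or len(rule_path) > len(best[0]):
            best = (rule_path, modes)
    return best is not None and mode in best[1]


RULES = parse_fct(FCT_TEXT)
```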