SELinux, czyli zero-zero-day exploits - DWO 2013


SELinux Mandatory Access Control part II

Transcript of SELinux, czyli zero-zero-day exploits - DWO 2013

1. SELinux, or zero-zero-day exploits
   Practical use of SELinux, part II
   Bielsko 2013
   Adam Przybyła (Creative Commons cc-by-nd)

2. SELinux
   - Security-Enhanced Linux
   - Mandatory Access Control
   - A project commissioned by the U.S. Department of Defense
   - Developed in cooperation with the NSA (National Security Agency)
   - SELinux for Android: KNOX

3. Traditional security measures
   - DAC: file access permissions
   - Firewall: iptables
   - SSL encryption
   - IDS/IPS
   - mod_security: application firewall

4. Is this SELinux?

   [root@synergia ~]# setenforce 0
   [root@synergia ~]# sestatus
   SELinux status:                 enabled
   SELinuxfs mount:                /selinux
   Current mode:                   permissive
   Mode from config file:          enforcing
   Policy version:                 24
   Policy from config file:        targeted
   [root@synergia ~]# setenforce 1
   [root@synergia ~]#

5. Querying SELinux from Python

   [adam@synergia ~]$ python
   Python 2.6.6 (r266:84292, Sep 11 2012, 08:34:23)
   [GCC 4.4.6 20120305 (Red Hat 4.4.6-4)] on linux2
   Type "help", "copyright", "credits" or "license" for more information.
   >>> import selinux
   >>> selinux.getcon()
   [0, 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023']
   >>> selinux.getpidcon(1)
   [0, 'system_u:system_r:init_t:s0']

6. Housekeeping first

   [root@synergia ~]# cat /etc/selinux/config
   # This file controls the state of SELinux on the system.
   # SELINUX= can take one of these three values:
   #     enforcing - SELinux security policy is enforced.
   #     permissive - SELinux prints warnings instead of enforcing.
   #     disabled - No SELinux policy is loaded.
   SELINUX=permissive
   # SELINUXTYPE= can take one of these two values:
   #     targeted - Targeted processes are protected,
   #     mls - Multi Level Security protection.
   SELINUXTYPE=targeted
   [root@synergia ~]# touch /.autorelabel
   [root@synergia ~]# reboot

7. Access through the library (the same Python session as on slide 5: import selinux, selinux.getcon(), selinux.getpidcon(1))

8. Individual fixes

   [root@synergia ~]# ll -Z .bashrc
   -rw-r--r--. root root system_u:object_r:admin_home_t:s0 .bashrc
   [root@synergia ~]#
   [root@synergia ~]# restorecon -v .bashrc
   [root@synergia ~]#
   [root@synergia ~]# restorecon -R -v /var/lib/
   restorecon reset /var/lib/rsyslog context system_u:object_r:var_lib_t:s0->system_u:object_r:syslogd_var_lib_t:s0
   [root@synergia ~]#

9. Components of an SELinux policy
   - the fc file defines the security contexts of files
   - the if file is the interface file
   - the te file holds the access rules for the SELinux domain

10. Managing SELinux
   - semanage: changing file contexts, changing user contexts, assigning contexts to ports
   - setenforce: disabling SELinux
   - getsebool/setsebool: changing policy parameters
   - sestatus
   - /etc/selinux/config: SELinux configuration

11. An HTTP server with SELinux
   - setting parameters by means of variables
   - checking the daemon's domain
   - checking file attributes
   - your own rules

12. httpd booleans

   [root@malenstwo ~]# getsebool -a | grep http
   allow_httpd_anon_write --> off
   allow_httpd_mod_auth_ntlm_winbind --> off
   allow_httpd_mod_auth_pam --> off
   allow_httpd_sys_script_anon_write --> off
   httpd_builtin_scripting --> on
   httpd_can_network_connect --> on
   httpd_can_network_connect_db --> on
   httpd_can_network_relay --> off
   httpd_can_sendmail --> off
   httpd_dbus_avahi --> on
   httpd_enable_cgi --> on
   httpd_enable_ftp_server --> off
   httpd_enable_homedirs --> on
   httpd_execmem --> off
   httpd_read_user_content --> off
   httpd_ssi_exec --> off
   httpd_tmp_exec --> off
   httpd_tty_comm --> on
   httpd_unified --> on
   httpd_use_cifs --> off
   [root@malenstwo ~]#

13. Start-up contexts

   [root@synergia ~]# ll -Z /etc/init.d/httpd
   -rwxr-xr-x. root root system_u:object_r:httpd_initrc_exec_t:s0 /etc/init.d/httpd
   [root@synergia ~]# ll -Z /usr/sbin/httpd
   -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
   [root@synergia ~]#

14. Context of the running httpd

   [root@synergia ~]# ps -ZC httpd
   LABEL                             PID TTY          TIME CMD
   unconfined_u:system_r:httpd_t:s0 7429 ?        00:00:00 httpd
   unconfined_u:system_r:httpd_t:s0 7432 ?        00:00:00 httpd
   unconfined_u:system_r:httpd_t:s0 7433 ?        00:00:00 httpd
   unconfined_u:system_r:httpd_t:s0 7434 ?        00:00:00 httpd
   unconfined_u:system_r:httpd_t:s0 7435 ?        00:00:00 httpd
   unconfined_u:system_r:httpd_t:s0 7436 ?        00:00:00 httpd
   unconfined_u:system_r:httpd_t:s0 7437 ?        00:00:00 httpd
   unconfined_u:system_r:httpd_t:s0 7438 ?        00:00:00 httpd
   unconfined_u:system_r:httpd_t:s0 7439 ?        00:00:00 httpd
   [root@synergia ~]# ll /etc/httpd/conf.d/welcome.conf -Z
   -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/welcome.conf
   [root@synergia ~]#

15. semanage

   [root@synergia ~]# semanage port -l | grep http_port_t
   http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
   pegasus_http_port_t            tcp      5988
   [root@synergia ~]#
   [root@synergia ~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

16. Questions?
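The checks from slides 12, 14 and 15 (daemon domain, httpd booleans, port labels) can be scripted against the command output rather than read by eye. The example below is added here and is not part of the original deck; the sample output is constructed from the slides (one extra httpd process running outside httpd_t is invented to show a finding), and the set of booleans flagged as "widening httpd's reach" is the author's own choice, not an official list.

```python
import re

# Constructed samples, shaped like the output on slides 14, 12 and 15.
# PID 7440 is invented: an httpd that was started from an unconfined shell.
PS_Z = """\
unconfined_u:system_r:httpd_t:s0 7429 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 7432 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7440 ? 00:00:00 httpd
"""
GETSEBOOL = """\
httpd_can_network_connect --> on
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_unified --> on
"""
SEMANAGE_PORT = "http_port_t tcp 80, 443, 488, 8008, 8009, 8443\n"

# Booleans that widen what httpd_t may do; any of these "on" deserves a look.
RISKY_HTTPD_BOOLS = {"allow_httpd_anon_write", "httpd_can_network_connect",
                     "httpd_enable_homedirs", "httpd_execmem", "httpd_unified"}


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level itself may contain ':'."""
    user, role, typ, *rest = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "level": ":".join(rest)}


def unconfined_httpd(ps_output):
    """PIDs of httpd processes whose domain is not httpd_t (from `ps -ZC httpd`)."""
    bad = []
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[-1] != "httpd":
            continue  # header line or something else
        if parse_context(parts[0])["type"] != "httpd_t":
            bad.append(int(parts[1]))
    return bad


def risky_bools_on(getsebool_output):
    """Risky httpd booleans currently on (from `getsebool -a | grep http`)."""
    on = set()
    for line in getsebool_output.splitlines():
        m = re.match(r"(\S+)\s+-->\s+(on|off)$", line.strip())
        if m and m.group(2) == "on" and m.group(1) in RISKY_HTTPD_BOOLS:
            on.add(m.group(1))
    return sorted(on)


def ports_for_type(semanage_output, port_type, proto="tcp"):
    """Ports labelled port_type (from `semanage port -l`); use to spot an unlabelled listener."""
    ports = set()
    for line in semanage_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == port_type and parts[1] == proto:
            ports.update(int(p) for p in parts[2].split(","))
    return ports
```

On a live host, feed the functions the real output of `ps -ZC httpd`, `getsebool -a` and `semanage port -l`; a listener on a port missing from `ports_for_type` is the case `semanage port -a` exists for.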