Sure. All right, hey everybody. So we had a good lunch. This is Introduction to SELinux. I'm Jason. The slides will be on my blog later; I'll put them up.

So first, a few questions: who knows that they use SELinux, like, anyone? Okay. Who uses Red Hat, CentOS, Fedora, any of those? All right, so you all actually use it too. Who's turned it off on the machine? I know he tries not to turn it off. Anyone else? All right, that's good.

So, a quick overview about me, a quick intro to SELinux, what it is, and then I'll go through a few examples of why it breaks things and how to fix them, and a little bit of an intro to what a policy looks like. It's far from a complete one, but it's enough to maybe make you not scared of it.

So I am a Gentoo developer. I maintain SELinux and I'm on the hardened project. My email, my PGP key, my blog. I'll put the slides up later, as I said.

All right, SELinux. The S and the E mean security enhanced. If you didn't know that, I'm not sure why you're here. Security, obviously: it gives security stuff to the kernel and to everything on the computer. Enhanced is kind of the important part, because it doesn't actually replace anything else, it extends it. So all your regular things continue to work; it's just one more layer on top.

So, yeah, it controls access. It's an access control method, what we call a mandatory access control method, and I'll get into that next. It has a whole bunch of things; it's very, very flexible. SELinux itself doesn't actually mandate very much. Everything in it is in the policy, so Android also uses SELinux, but their policy is very, very different from, like, Fedora and Gentoo and stuff. So I still think it's very flexible in how it works.

A bit of history: originally made by the NSA, they based it off Bell-LaPadula, if I pronounce that right, the security thing. Released open source, added to the kernel; it was one of the first MACs in the kernel. It's used quite a lot: Gentoo, Red Hat, Fedora.
It's optional in Debian, and Android: every single Android phone for the last many years uses it, and it's on and enforcing in all of them. So that's pretty cool.

So, to explain a bit about mandatory access control, I first need to explain DAC, which is discretionary access control. These are the regular Unix permissions: users, groups, regular Unix permissions and ACLs and all those. The discretion basically means that the user can choose to do what they want with their own stuff. So if I have a bunch of data that is important and I am either malicious, I can make it readable so other people can get it, or if I'm just an idiot, I can make it readable by accident and then other people can get it. Both of which are bad. And root in a regular system can do basically anything it wants. There's nothing stopping root at all, and this has some obvious problems where, like, if you try to do things... but it's as well known for letting you do things like rm -rf your entire partition. So yeah, root can usually do a lot.

In a mandatory access control there is a system-wide policy that is, well, it's usually made by the distro, but as I'm going to show you, you can modify it, extend it or whatever you want, and it is fixed. So even if your DAC permissions allow things, SELinux will not. So Linux will actually check the Unix permissions first: if the permission on the file does not allow world readable, it won't let it at all. If you do make it world readable, it'll try that. Okay, that's fine. Then it'll go on to SELinux and say, oh no, that one's not okay, then it'll block it. So it's one more step.

There are hooks all throughout the kernel, and it's called the LSM, Linux security modules. So there are many other kinds of MACs as well that use these hooks throughout the kernel and decide what to do with them. So there are fairly specialized ones like Yama. It only does a couple of things, but they're sort of very important. It doesn't really have a policy.
SELinux, AppArmor, Smack are big and have policies. AppArmor is the one that Ubuntu makes, and I think that one comes on Ubuntu machines by default, at least the servers. Smack is used by Samsung's Tizen, I think. SELinux is used by Red Hat, CentOS and that family of things, used in Android as well, and it's fairly, I think, the biggest of all of them. I'm not really sure.

So this is the part where all you sinners change it: if you change this line to permissive. There's basically three states. Off, which is useless; don't do that. Permissive, which will tell you all the problems that it would have stopped, but it won't actually do anything about it, which is also pretty useless. And then enforcing is the actual one you want. So try not to turn that off.

And there are different kinds of policies. Targeted is what Fedora runs by default, I believe. It means that the servers, like Apache and those kinds of things, are locked down pretty hard, but your main user account is fairly unconfined; it can do quite a lot. Which is a pretty good trade-off, because they do run it by default, so you have users that don't really opt into it, so it has to work for them. Strict doesn't have unconfined, so even a regular user has restrictions, but it's still pretty okay. MLS is the serious business one. If you are a three-letter government agency... It doesn't work very well; it's like a real pain to use. If you want to do graphical stuff with it, it kind of sucks. MCS is great; that's what I use. It's basically strict plus categories, which allow extra confinement for things. Like if you have many VMs, it can separate the individual VMs from each other so they cannot touch each other, and stuff like that. But I'm not gonna get into anything except strict in this talk.

So these are from the SELinux coloring book by Dan and Máirín. It's awesome. You should download it and color it.
I'll give the link later. Basically, this is what SELinux rules look like. Everything is denied by default, and then you have a source, a target, a class and a bunch of permissions you can do to it. So you allow the cat to eat food, that is, like, the cat food, and you allow the dog to eat food, that's the dog food, and that makes sense, and everything else is denied by default. So if the dog tries to eat the cat food, the kernel says no and pulls the leash, and similarly, if the cat tries to eat the dog food, you don't get anything either, and the penguin gets really angry. Yeah, the coloring book is awesome. You should totally do it.

So SELinux doesn't really, sort of, understand things. It only understands labels, and everything has a label, and if you have problems in SELinux it's almost always a labeling problem. Sometimes, like, you need to add more rules, but if you try and customize things, it's almost always a labeling problem. So this is sort of the most important part to get.

Labels have this format. Well, there's a user part, a role part and a type, and then this sensitivity at the end is for MLS and MCS, which I'm not going to get into. So here are some kinds of labels. The first one is what the web server runs under. So by convention we put _u, _r and _t at the end. It's not actually required, but we just do anyway. So that's httpd_t, the type, and it's a system role and user, so it's a daemon. The next one is what a regular normal user runs under, and you'll notice that the user part is different. So there are extra constraints and things, which you can look up later, which basically use the other parts of it to stop what they can do.
So, like, a user role is not allowed to run the httpd daemon, so even if a user tried, it wouldn't actually work. The next one is staff, which is regular stuff like staff_u, staff_r, staff_t. It's basically the same thing as user, but they are made for the administrators, and it allows you to also switch to the system administrator role, which has a lot of permissions. So apart from sysadm, staff and user are pretty similar.

Then files also have labels, just like processes, just like everything else. Files have an object_r role because they're not like a user. And bin_t is everything inside bin; everything inside /usr, like, /usr is usr_t. And once you get used to it, it's kind of obvious where things go based on their name. And then the last one is httpd_sys_content_t, which is content for the web server that's system-wide, like in /var/www. Then there's also httpd_user_content_t, which is the stuff in, like, your home directory public_html.

Yeah, so SELinux is pretty early, so somehow they slapped -Z on everything, which is awesome. So ls -Z will list the types on files, and it looks like that. They're pretty obvious: bin is bin_t, that is nice; /etc is etc_t, you see, it's kind of obvious. ps -Z will list what type things are running as. id -Z will list what you are running as. So that's how you find out what things are in. So if, for example, you got a new version of a program and it didn't work, and you looked at it and you said, oh, Apache is running as something that's not httpd_t, then something's probably wrong. You might need to change the labels on something to make it use the new one you have, or something like that. So if you go ps and see what it is, that's how you find things.

So sometimes SELinux sprays things, and that's supposed to happen. If you see something like this, where you have the audit logs and you see that someone's trying to access shadow_t,
that's probably bad. Things don't usually read that. That might mean you've been hacked. It might be something really bad, but it's, like, not good.

The audit logs are actually not really part of SELinux. They are part of the auditing subsystem within the Linux kernel, which is completely separate, and you can audit a lot of accesses to different things all around the machine, and SELinux will also report its issues to audit. So yeah, that's where they go. If you don't have audit running, which you should because it's much better, then they go into dmesg, where they get this line but you don't get the other, like, path information. So run audit.

Yeah, so usually as a regular user you don't have to write policy. The aim of all distros is to make things work, and if you have something in a weird place you want it to have reasonable defaults. But sometimes users want to do other things. So you can have web sites in users' home directories, and maybe people don't always want that and maybe they sometimes do, but you don't want to write rules for it. So there's a boolean, which means that there are extra rules which you can turn on and off in the policy just by, like, turning it on and off.

So let's see: you go and you turn on userdirs in Apache. You make your website and it doesn't work. Awesome. Why? Oh, okay, I screwed up the permissions on the directory so Apache couldn't access it. Okay, so you chmod it and now Apache should be able to read it, but oh, okay, it still can't do it. Now, if you check the audit logs, you'll see that httpd is trying to access, like, the user directories, and audit2allow, it's a tool
I'll show you later, which will take all the audit entries and show you what the rules would be, and it will also let you know, oh, this thing can be changed by a tunable. So if you turn on httpd_enable_homedirs, it allows httpd to access home dirs, which does what it sounds like, and it's awesome and it works. So fixing problems is not that hard. Usually you just have to poke around a little bit and you'll get it working.

All right, any questions at this point before I go more? Okay, cool.

All right, so the labels on disk. We have a big file with all the file contexts, and it uses these regexes to match what the label should be, and then labels it onto your system. So you can have a straight up simple one, like /usr/sbin/apache, and it will label it as httpd_exec_t, which is the type for the executable. The -- means it's only allowed for regular file types. So if you somehow, like, changed Apache from being the Apache binary to a symlink to something else, like something really bad, because of this -- it wouldn't allow a symlink to be labeled like that. So that works. And they are full regexes, like full, full ones. So the second one, like this, will match httpd the directory and will also match everything under it because of the .*, and then also, like, apache and then apache2, and they're labeled in different directories. So the 2 is sometimes optional depending on what distro you're on, so the 2 has a question mark so it can match both with or without it.

So usually we have a lot of types, but they kind of follow the same pattern. So these are the ones, like, these are the most obvious ones for httpd. If you were running ftpd or something else, there'd be a bunch of similar types. There'll be a type for the executable, there'll be something for the config,
there'll be something for the log, and maybe its data, depending on what the thing is. And the last one is a really big regex allowing people to put things in their home directory under public_html, which is the standard, or web, or www, and they'll all get the same label. And the HOME_DIR at the beginning is special. When it goes through this, genhomedircon gets run automatically, which will take all these kinds of entries and make new versions for every single user on your system. So, like, HOME_DIR is not a directory, so this gets replaced with all your users, like /home/jason, /home/bob, whatever, and then you get one for all your users, and it changes the type. So maybe if some of them are user_u it'll replace the system with user, and stuff like that. There are a bunch more I added a while ago, so you can do all kinds of cool matching now.

And this is kind of what a policy looks like. You don't really need to know it, you just need to understand why or how things can be done. Like the earlier cat and dog, there's an allow: the httpd daemon can search and read and open things inside the config directories and the files. That kind of makes sense, but that's really long-winded to write, so that sucks. So we have a bunch of macros inside it. So you'll see things like list_dir_perms, which actually expands to basically getattr search read open, because typically if you want to list the directory you need all of them, so the macro will expand all of that. And read_file_perms, read_lnk_file_perms. So there's a bunch of macros we use to simplify things. And then that still kind of sucks, so we have even more macros. manage_files_pattern, this line, basically expands to this block. So you don't have to do all the writing; you can write just one and it handles it for you.

And then it also does network stuff.
So you can allow sockets, TCP sockets in this case, so if you wanted to bind to a UDP socket it wouldn't work; it'd give an access denied. And it can bind to http_port_t, which if you look somewhere else inside it you'll see is port 80 or 8080. If you want to bind your web server to port 123 that won't work. You would either have to add 123 to the http_port_t type, or you could find whatever type is on port 123 and add, like, allow Apache to bind to that type instead. So either one works, whatever is easier for you, or just keep on port 80 because that's what you use.

More troubleshooting. Yeah, so as earlier, we try to make the defaults reasonable and cover all the weird cases. That's why the regexes are really useful, because if you put things in different directories the regexes will usually handle it. But sometimes people really want to put things in really strange places. So if you really want to put your website in /website instead of, like, /var/www, you can do that, and it's probably not gonna work at first. And then if you ls it with -Z you'll see the types are wrong. And okay, well, that's pretty obvious, because default_t shouldn't really have access to anything because it's not really a thing. So you can add your own file type regexes to the system using semanage. So in this case, very similar to this part where you have the file context for the main system content, you can add your own one here, and you add the type with that regex, and then it'll know everything under there should be matched like that. Then you can restorecon, which is the tool which will go through everything and check the contexts; if they're wrong it'll change them to match what they should be. There's also a force flag which will force the change on things.
You shouldn't need to use it. If things really don't work then you can try it. And after you do that it'll work again, and that's awesome.

I didn't actually cover this: setenforce 1, for those of you that have used Fedora and stuff. That's the command to turn it on, from permissive into enforcing, and setenforce 0 is what you should never do. setenforce 0 turns it from enforcing into permissive, so that is good. And these shirts also came from Dan Walsh: make SELinux enforcing again. So yeah, do that, because that's awesome.

If you want to learn some more, there's a bunch of places. I'll put the slides up. The coloring book's awesome. There's a lot of stuff on the wikis about them. This is really long and has a lot of detail about all of it. There's a lot more rules for different things, different kinds of rules, there's other kinds of classes, you can do all kinds of networking stuff, which can get pretty in-depth, but this is just an intro.

So I have a demo of some stuff too, but any questions first about anything?

So the demo is, I have a VM running in enforcing mode. So getenforce... well, is that on the screen? Okay, good, y'all can see it. All right, so getenforce says enforcing. Awesome, we're in the right mode. There's also sestatus, which will tell you a lot more about it. Status: enabled, good. This is the point, you can kind of ignore that. The policy type was the earlier things I mentioned, so this is running in strict mode. It's all running; MLS is not enabled. This is the file I mentioned earlier; that's what you want. And then if we go ps, you can kind of see the Apache daemon is here and it's running under httpd_t, the type. So that's what we want. Then audit2allow: this will read the audit logs and see what was in them and what the problems were, and these are the rules that would allow things.
You need to be really, really careful with this tool. It will just allow everything in the logs, which is not what you want. This rule: really bad. Like, things should not have access to shadow. It actually won't compile if you try that one; there's extra protections around that type to stop people doing things wrong. This is the actual audit log.

So then if we go to the little web server that's running here, I put a backdoor in earlier. So it's a very simple PHP shell. If you get hacked by somebody they will upload something like this so they can run more commands on your system, and from here you can do a lot more things: read files, write files, whatever. So assuming we've been hacked already in this VM, we'll try some things first with enforcing mode and they won't work, and then we'll turn enforcing mode off and then we'll try them again and then it's a lot worse.

So you can ls the files, because the web server is allowed to. Do you see that? So you can ls something. If you cat this file in /proc you see your own current type. So the backdoor script is running as the httpd daemon, so that's mostly fine, not so bad. Now if you start ls /root, you're not gonna get anything: not allowed. Okay. And for extra fun, I made my shadow file world readable, so anybody on the system, even if you're not root, can read it. Don't ever do that. But so if SELinux was not around, that would be really bad and let you read all your passwords, and then you're owned. So if we cat this, we again get nothing, which is what you want. So, like, if this had happened, somebody would have broken into your machines and they would have had the ability to do a little bit of stuff, but not very much. And if you lock things down, the web server can connect to the database and read its HTML files, and that's kind of bad because your database sucks, but it's still just the database, not everything else.
So that's a good start. If we had turned this off... I'm gonna run this sinful command, and then if we check the current mode: now permissive. Now we can try a lot more things. We can cat this file, you get the passwords, asdf, so you don't have to crack it. But if this was an actual machine, you don't want, like, you don't feel good getting that. What other fun things are there in the machine? So you can read all this. You can... I don't know if this will work. Oh yeah, httpd can't do it. Oh wait, it's under a user, I assume. The web server doesn't have that much power. No, I ran it from here, I ran it here. So the actual state now is enforcing, but because the web server does not have access to even read what state SELinux is in, it thinks it's disabled. That's kind of cool, actually, I didn't...

So any other fun things you want to find out? Oh, well, here, we'll go through semanage. So these are all the booleans. There's a lot of them for a lot of things. So if you don't use NFS, for example, you could have that turned off and then it wouldn't allow any NFS access, which, if you do use it, then it's very easy to enable these extra permissions which you want. And again, SELinux is deny everything by default and only allow the things that you... Like, by default nothing's allowed and then you have to allow certain things. There is no deny rule. So by default the idea is to keep things very slim and only the bare minimum is required, so you can extend it if needed.

Oh, also, I did this: so even without the shell, I put a symlink to /etc/shadow. So if you try that, that also won't work. So that is both, like, somehow if you couldn't put an entire shell in but you could somehow set a symlink to /etc/shadow or read that, like, it won't follow the symlink and it won't read the file, so you're kind of out of luck that way too.

Oh yeah, so this is the bad one that you don't want. These are the home directory accessing ones. This is the boolean; it'll tell you, if you want to allow this thing, set the boolean. So if we set
this thing, set it on, now we can do things in here. Pretty small.

So how many people are gonna enable it now? Did that convince anyone? As long as people are a bit less scared of it now than before, maybe you'll think twice about running setenforce 0.

Yeah, usually what happens is you just want your thing to work. And yes, most of the guys from, like, Oracle database, their guide is... Yeah, yeah. So, like, it's a really, really, really bad sign if you're like a big company, Oracle, we're supposed to keep all your data safe, and the first thing they tell you to do is turn it off. If you saw a product and this product said, oh, to use this one you've got to totally disable all your firewalls on your network, would you run that thing? Like, that's really bad. If someone really doesn't want to run a firewall on your network, you wouldn't let them. SELinux is pretty much a firewall between things on your computer. If people are telling you to turn it off, that's a really bad sign. Any projects out there that do that, you should hassle them for it, even if you don't really use it yourself. Like, that's just really bad design choices and everything on their part; it's probably not something you want.

So yeah, people usually disable it because it breaks things. But if it's something in the distro already, it'll almost always work out of the box, and if it doesn't, because you moved things around, it's hopefully just a matter of enabling some booleans or changing some paths. If it's really something brand new, you could write the policy yourself or just file a bug with your distro and they'll help. Red Hat has a whole ton. Yeah.

Is it available in containers, like Docker? Does it have a series...? So SELinux, there's only one in the kernel. There is a lot of work going on to allow, like, it to run inside another one, but that doesn't work right now. It may work in a few months or something.
Hopefully. But right now what happens is you put everything in, like, one Docker container running under, like, a docker type, and then it's using multi-category security, which I covered earlier very briefly, to give each container a separate category. Yes, but when it... so Docker is, like, well, Dan, the guy who runs it at Red Hat, now works on Docker a lot, so he obviously put a lot of really good SELinux stuff into Docker. So if you run a container it will run it on its own. And also this VM that I'm running here in libvirt: libvirt is also hooked into SELinux. So I have three different VMs; it's the same thing as Docker, it'll run each VM separately. So if somehow I managed to escape out of one of the Docker containers, I wouldn't be able to access anything outside the container, I wouldn't be able to access anything in any of the other containers either. But within the container there is no SELinux. Like, it looks like there is none, and everything runs as the same types. And hopefully in a while you'll be able to have a nested policy, but that doesn't work for now.

Go ahead. grsecurity? grsecurity is not related. grsecurity is a kernel patch set which enables a lot of other security hardening features, some extra permissions on read, write and execute memory, so, like, stack overflows and stuff don't work very well on it, and it has a lot of great stuff in it. But it's nothing to do with SELinux. I run both on my laptop and all my machines, but you can run SELinux without grsecurity, you can run grsecurity without SELinux, and you can also... grsecurity also has its own MAC in it, like, there's RBAC, which does a lot of the same things. It's the same idea, it's a MAC as well, like SELinux, but it's a different policy language, you set it up differently. I haven't actually used it, but, yeah.

You had more? Yeah. You said that everything is a label.
Yeah, so I think... those, when in terms of some service... those labels, are they stored in the inode? Okay, well, so if we look in... this is my strict, the policy type, right now. So then there's policy, and this policy.30 file is the whole actual policy. So when you boot the machine, very, very, very early on, init will load that file into the kernel, and that sets up everything in the kernel. So before that's loaded you don't really have anything, but it's set super early. If you look in contexts and then files you get these file contexts, file_contexts.homedirs. These are the files which... So let's do... If you look at this, these are all the labels on your entire machine. Like, there's a lot of them. You might not have all these things, but there's a lot of extra ones just to cover every base, and they don't really hurt, like, they're pretty...

Oh, okay. Yeah, so because everybody complains about the grace... So generally you kind of... well, okay, honestly, a lot of people that write web servers and things don't really care; they're not gonna write them. So it's up to us to write them, and sometimes they do ship them, and sometimes they ship them as kind of an example. But generally what's best is... The httpd daemon doesn't have permission to do anything with the policy. Like, it's a very low privileged thing which cannot touch any security stuff. So it can't load things at once like that; that's not allowed at all, otherwise it could subvert all of it. So when you install, like, Apache on my machine, it'll also load the... Gentoo has them quite modular, so it'll have the httpd policy separate, and it'll install that first, then it'll install Apache, and the package manager, when it actually installs, it'll get things ready and then it will label all the files in the package properly as it merges them in. RPM does the same; they handle it kind of for you.

Like Red Hat and Gentoo's policy, Ubuntu's policy,
they're all derived from the same reference policy project. So if you want to add support for whatever your software is, the best is to add support to the reference policy, and then from there, like, if you make something, you add it to reference policy, I can pull it down to Gentoo really easily and Fedora can pull it down to Fedora really easily. It's much better to do it that way than... it's in the system, it will get loaded. When it gets loaded, Fedora, I think, loads all the policies no matter what, so when you update there's a huge SELinux policy package which loads all of it, and it would pull in your policies too as needed. I have seen some packages once in a while, they'll try and load their own policy and it doesn't work because they write them for Fedora, and there are slight differences, not huge, but it's enough that the one they wrote on Fedora won't work on any other distro. So generally you don't want to do that. The best is to do it upstream in the reference and then it'll get put everywhere else.

Because that's where most people fail, because they think it's just the standard Apache configuration, but obviously that Apache cannot connect to your database. Yeah, that's a really good...
Yeah, so if you are shipping a package, you might want a lot of documentation saying, oh, you need to enable these booleans or you might need to set these things, to remind the users, but you don't want to actually ship the actual policy file, because that's probably not too good. But documentation like that is always very helpful, as long as your documentation does not say turn it off. That's not cool, but yeah.

And also, so if you have a rule like don't ever turn it off, things will always work on it. Otherwise you have a problem where, like, oh, it doesn't work, you turn it off now, and then it works, kind of, and then you forget and go home, and then later you reboot the server and when it reboots again it turns it on and then all your stuff's broken and you have no idea why. So if you just don't turn it off, it works a lot. And don't start playing with them Friday night, kind of thing. Yeah.

There's, let me go back to this, there's a lot more documentation on everything else. I didn't cover network types, but there's a lot; every part of the system has an SELinux thing with it. Also Apache, as a user space thing, can query the... if you install, like, mod_selinux into Apache, it can query SELinux for some other things, and then you can set things up where, if for example you were a hosting provider that provided hosting to many customers on the same machine, you can have each customer's web app running under its own types, and Apache will do that for you. So you can do a lot more with it, much, much more than I explained today. The wikis are really good. The project wiki has documentation of every single rule. There are quite a lot. Most of them you don't really need very often; the main ones, allow, obviously.

Yeah. Is there something along the lines of, like, a vimtutor to make it interactive, or will it be in the coloring... Yeah, I would... Well, the coloring was pretty simple.
It's like four pages. And then really it's more a pattern, like: try and turn it on, or at least turn it to permissive mode first, and then look at the audit logs and see what's really broken. And audit2allow, it's a separate package; it's part of policycoreutils. So if you have it, it'll be there.

And then, so there is a thing called permissive types. So if for some reason you really, really, like, your web server really needs this access to something and you can't do the policy, you can turn just one type into permissive, which is much better than setting the whole system. Which means that type will be exempt from everything, which is pretty bad if it's the web server, but if you need it for something like, oh, my backups really aren't working and I really need my backups to work now, like, you can do that a bit. So that is all handled with semanage as well.

Okay, well, let's show. So if you look through the semanage ports, this is the Apache port: 8443, 8080. So those are the ones you're allowed to bind on. If you would need to bind Apache on something else, semanage is where to go. Almost everything you need to configure you can do with semanage. You shouldn't really need to start diving into the policies.

And I'll upload the slides on my blog, like, after this. Cool. Nothing else? Then that is it. Awesome, you should all do this.
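The talk describes audit2allow turning AVC denials from the audit log into allow rules, warns that it will happily emit an allow for shadow_t that nothing should ever get, and shows the httpd_enable_homedirs case where a boolean is the right fix. The following is an added example, not from the talk or its slides, that parses constructed AVC lines the same way, merges them into rules, and separates the ones a boolean already covers from the ones touching a sensitive type; the SENSITIVE_TYPES and BOOLEAN_HINTS tables are this editor's assumptions, not audit2allow's real policy lookup.

```python
"""Merge SELinux AVC denials into allow rules, then triage them before anyone loads them."""
import re
from collections import defaultdict

# Constructed audit.log sample in the real AVC line format (pids, inodes and devices made up).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1500000000.101:201): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev="vda1" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.102:202): avc:  denied  { search } for  pid=2001 comm="httpd" name="public_html" dev="vda1" ino=4100 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1500000000.103:203): avc:  denied  { open } for  pid=2001 comm="httpd" name="index.html" dev="vda1" ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.104:204): avc:  denied  { read } for  pid=2001 comm="httpd" name="shadow" dev="vda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1500000000.104:204): arch=c000003e syscall=2 success=no exit=-13 ...
"""

# Pull the permission set, both contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Editor's assumptions: targets that should never appear in a generated allow rule, and
# (source, target) pairs the distro policy already handles with a boolean.
SENSITIVE_TYPES = {'shadow_t'}
BOOLEAN_HINTS = {
    ('httpd_t', 'user_home_t'): 'httpd_enable_homedirs',
    ('httpd_t', 'user_home_dir_t'): 'httpd_enable_homedirs',
}


def type_of(context):
    """user:role:type[:range] -> type (the part the allow rule is written against)."""
    return context.split(':')[2]


def parse_denials(log_text):
    """Return (source_type, target_type, tclass, perms) for every AVC denial line."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # SYSCALL and other record types carry no denial
            continue
        denials.append((type_of(m.group('scontext')), type_of(m.group('tcontext')),
                        m.group('tclass'), set(m.group('perms').split())))
    return denials


def aggregate_rules(denials):
    """Merge denials keyed on (source, target, class) into one rule each, like audit2allow."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    return {key: sorted(perms) for key, perms in merged.items()}


def format_rule(key, perms):
    """Render an allow rule in policy syntax; multiple permissions go in braces."""
    src, tgt, cls = key
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return f'allow {src} {tgt}:{cls} {perm_str};'


def review(log_text):
    """Triage merged rules: 'boolean' (set the tunable instead), 'sensitive' (do not
    allow, investigate), and 'allow' (candidate for a local policy module)."""
    result = {'allow': [], 'boolean': [], 'sensitive': []}
    for key, perms in sorted(aggregate_rules(parse_denials(log_text)).items()):
        src, tgt, _cls = key
        rule = format_rule(key, perms)
        if tgt in SENSITIVE_TYPES:
            result['sensitive'].append(rule)
        elif (src, tgt) in BOOLEAN_HINTS:
            result['boolean'].append((BOOLEAN_HINTS[(src, tgt)], rule))
        else:
            result['allow'].append(rule)
    return result


if __name__ == '__main__':
    triage = review(SAMPLE_AUDIT_LOG)
    for boolean, rule in triage['boolean']:
        print(f'# covered by boolean {boolean}, do not add: {rule}')
    for rule in triage['sensitive']:
        print(f'# SENSITIVE, investigate instead of allowing: {rule}')
    for rule in triage['allow']:
        print(rule)
```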