[The opening remarks are unintelligible in the recording; the speakers mention SELinux and Red Hat.] ... some private data on our devices. So these are issues affecting all of us. OK, where do the security issues come from? They come from us, from the developers. Thank you. OK, and how are they fixed? The answer to this question is that we have some kind of reactive security model. [Garbled passage: software is shipped, a vulnerability is found and fixed, and further vulnerabilities keep appearing.] And that is why we need an additional security mechanism which brings proactive security to your system. It's an implementation of mandatory access control and we will talk about it right now. OK, what are the latest known exploits? Nowadays exploits have, you know, logos and names, so do you know any? OK, OK, cool. So I'll start with something different.
I will talk about VENOM; it's an old one, but it's related to virtualization. Then Daniel Walsh wrote a nice blog post about the latest Docker CVE from 2016. It's a nice post on the RHEL blog. And the last one is Shellshock. We will look at Shellshock in more depth. But as you said, Dirty COW. So every security mechanism has something which we call the root of trust. And from the SELinux point of view, the root of trust is the kernel. So we cannot mitigate any damage that comes from the kernel. So please don't ask me any question about whether we can deny some consequences of Dirty COW. OK, some hacking time, so we will talk about Shellshock. The point of Shellshock is pretty easy. We have here an environment variable, and in older versions of Bash you can add a semicolon and add any arbitrary code. And this arbitrary code will be executed before the real command. So the concept of our hack will be that we have two machines, one is the victim. On the victim we have a web server, and on the web server we have a CGI script. I try to send an HTTP request to the victim. And in the HTTP request there will be an exploit, and I try to connect to the attacker machine. And on the attacker machine I will be listening on one TCP port. OK, so demo time, let's do it. OK, guys, can you see it? OK, cool. So here I will start listening on TCP port 9999. OK, and here is the HTTP request. And, you know, here is our redirection to the attacker machine. So let's try it. And I send the HTTP request and you see here that I have a terminal. I can type any commands, for example cat /etc/... no, [inaudible]. OK, so I'm here. I forgot to say that on the victim's side we run SELinux in permissive mode. So the policy is not enforced. We can check it: getenforce. OK, permissive. Let's switch it to enforcing mode. OK, and repeat the attack. Oops, sorry. OK, so once again, and you see that I don't have any terminal here. I cannot write. OK, so as you can see, that is enforcing mode. OK, and what's the conclusion of this?
The conclusion is that if you run your Linux system with SELinux disabled or in permissive mode, you're going to have a bad time. OK, let's talk more about SELinux and about the SELinux security policy. So basically, the SELinux security policy defines rules for process confinement. For example, which processes have access to which resources, by assigning something which we call labels to processes and resources. A resource can be a file, directory, link file, socket, basically everything on the system. And we are describing the interaction between these labels. So let's look at it on an example. So here we have an Apache script, which is our CGI script. And you see the blue frame, you know. And here we have our resources or objects. And the objects are the web pages and the user secrets. User secrets we can imagine as, for example, the user's home. And here you can see the interaction that the CGI script can read the web pages. And there is no interaction that the CGI script can read the user secrets. Yeah. The interaction which I described, we call it an SELinux policy rule. For example, the Apache script can read web pages. If there is no SELinux rule, which means there's no interaction, SELinux will deny it. OK, another example: the Apache script cannot read user secrets. And some technical background. So we can compare SELinux and traditional UNIX security. In traditional UNIX security we have three categories: the user, the group and all the others. As you can see on the example on /var/www/html, the user can read, write and execute, the group can read and execute, and others can also read and execute. What about labels in SELinux? So we have four categories. We also have the user; just a small note that an SELinux user is something different than a Linux user on your system. Then we have a role and a type; the type is the most important part of the SELinux context or label. And the last one is the category.
So as you can see on the example, again, here we have an SELinux user, an SELinux role and an SELinux type. And the last one is an SELinux category. In 99% of cases you will care about the types; this mode in SELinux we call type enforcement. And with types we are creating SELinux rules. OK, let's merge it together. Here you can see the file permissions and here is the SELinux label. OK, what about processes? Here you can see the effective user and effective group. What about the Apache label on the system? It's similar, as you can see. Here is the SELinux user, role and type. So as I said, SELinux is just something additional to your system. It's an additional security mechanism. So at first, during processing of the syscall, the DAC check comes first and then we have the SELinux policy. OK, you need to keep in mind that if you are doing something with SELinux, everything is about labels. So please keep it in mind. SELinux has three modes. As I said during the demo, the most important is enforcing, when the SELinux policy is enforced. The second one is permissive mode, which means that the policy is not enforced, but the actions are just logged. Where you can find these logs: you can find them in /var/log/audit/audit.log, or a pretty solution is to just type ausearch -m avc and you will see the AVCs. OK, the last one is disabled. I have nothing to say about this mode, so just don't use it, please. OK, if you want to permanently change the mode on your system, you find it in /etc/selinux/config, and here is the argument SELINUX; you just set it to enforcing. OK, so that's everything and it's yours.

Right. Thank you, Lukáš. In the following part of the presentation, I'm going to show you what you yourselves can do to improve your security by improving the SELinux policy. I'm going to show two short demos of our new tool, and I'm going to explain how you can use it, how you can apply those two cases to your case.
Since we don't have any fancy name, we're just calling it the SELinux policy analysis tool. The main purpose of the tool is to search through the whole policy and find combinations of permissions that in real life would translate to potentially harmful actions. So, for example, we can search for pathways to privilege escalation. Yeah, that's the one, sorry. Yeah, so we can search for such pathways. The use case I'm going to show now is when you make a change to a policy. It can have unwanted consequences, and you don't really have to be aware of them. So the tool is going to help you with that. So, since I need to compare two states, before and after a change, I'm going to make two snapshots of the policy. OK, so, there we go. So, the first snapshot. I'm only selecting the classes file and process, since I want to save some time and I'm not going to change any others, so there is really no need to. This is the resulting file, and I've selected filter bools, which means that it will disregard any rules that are not enabled at the moment due to boolean settings on the system. So now let's say that I have an Apache server running and I have my super custom config, but it's not working due to SELinux and I'm too lazy to actually search for what was denied. So I'm going to allow it to read and write all non-security-related files. So I have this module with one allow rule. As I said, it allows read and write and, of course, getattr and open for the HTTP daemon on all non-security-related files. I'm going to load it into the system and then create the other snapshot. So let's call it graph2, whatever. I didn't provide any policy file. That means that the tool uses the policy loaded in the system, but of course you can get a policy file from your server or whatever machine you are using which doesn't have the tool on it and create the snapshot from there.
Now we have the two snapshots, and I'm going to run a query on the two graphs, comparing them. I'm only running one comparison function, transition write. That's going to search for escalation attacks, privilege escalation attacks. So we got a lot of results. Let's see what they mean. So let's focus, for example, on this line. This is a label for the executable of some daemon, which will run in this domain. The fact that the line is here means that the tool is saying that the HTTP daemon can write to the executable of the daemon and then execute it, which means that if someone were to successfully attack your Apache daemon, they would then be able to gain all the privileges of all the daemons in this column. The reason there are so many results at this point is that I've used an attribute. I've allowed read and write to all non-security file types. So I'm going to explain real quick what an attribute is. Don't mind the labels at this point. This is an actual policy, or part of an actual policy, for the PCP service. The three bullets at the top are the three daemons that are part of the service, and the bullets at the bottom are resources that need to be accessible to those daemons. So instead of typing rules that would allow each of those daemons to access the individual resources, we create an attribute, pcp_domain, and assign the attribute to all three types. And then we type rules that go from pcp_domain to all the resources. So an attribute is an alternate means to describe several types at once. This mechanism is really useful for us because it not only simplifies writing the policy but also reading it, which we will see in a moment, because the other use case of the tool I'm going to show now is that it can take part of the policy; let's say we want to know what policy we have for a certain service.
So we extract it from the whole policy and then visualize it in some graph visualization tool. So I've used Gephi. The command to extract the actual policy is described on GitHub, so I'm not going to show it; it's just a simple command. But what I have here is a policy for a keyboard daemon. Yeah, it looks really messy, because if we disregard attributes, there are actually a lot of rules that touch the two tiny parts. We have here the two green bullets, which are the keyboard service. But Gephi here is going to help us somehow sort it out, make it look reasonable. So now we can actually see that there is one really crazy attribute, file_type. We need a lot of system services to access all of the files in the system, so that's why we use this attribute. But since I want to know what the keyboard daemon can do, I don't really need to know this, so I'm going to delete this and filter out all the nodes that don't have any connection. Other than file_type we have domain, which is an attribute that's given to all processes, or to labels that need to be assigned to processes. So I'm going to delete that one as well; that's obviously assigned to keyboardd_t, that's the label for the daemon itself. This, by the way, is the label for the daemon executable. I haven't really explained it in the first slide, but the blue dots are normal types. The orange dots are attributes, and the orange lines mean assignment of the attribute to a type. So keyboardd_exec_t now has those four attributes assigned, which means that all the lines that go from them apply to the executable itself. OK, let's continue. non_security_file_type, that's the attribute I used just a second ago. The same as file_type, it just excludes the security-related files, like in the kernel and stuff. So I don't really need that. exec_type, that allows, or that sets up, everything necessary for a file to be executable, or for SELinux to allow execution of the file. And then daemon, obviously.
So let's have Gephi sort it out even more. Now we can pretty much go through the policy and have a look at what's actually going on. I'm going to show the actual access that's out there. And you can see that you can easily go through it. So if you're a maintainer of a service, or you know some service very well, you can do this by yourself; or if you're writing your policy, you can inspire yourself by policies for other services; or maybe just if you make any change, you can compare the two graphs and, you know, see if there's some huge change that you really didn't want to have. Right. So that's enough for the demo. By now I hope that I've shown, or me and Lukáš have shown, that SELinux is a valuable technology to have running on your system. Even if you have some super special config for your system, it's pretty easy to set up SELinux to accommodate your changes. We have cool tools to help you do that. If those tools won't help, we're here to help as well. I have a shameless plug: Lukáš will have a workshop tomorrow, where he will show how to write your own policy and some more ways you can use our tools. So definitely go check it out. Do you have any questions? No? Really? OK. Hold on a second. Lukáš, turn on the microphone. There's a red button. Lukáš? Yes, I am. Yeah. OK.

So, the initial command that you ran when you created a snapshot, it creates a... you call that graph and graph2. Right, yeah, I call it graph because I actually use a NetworkX graph representation to store that. Yeah, but could I open those graphs with the same program that you used in the last part? Or are those just somehow binary files? Well, yeah, those would actually be... You could visualize them with Gephi, but you wouldn't have those fancy colors and you wouldn't have the actual access permissions, like the text I have there. For that there is a different command. Let me check. Yeah, visual query. So let me check if I have some... Yeah.
Right, so this is how you could create the graph for Gephi. Here I select the type of the daemon I want to see, or I can actually specify the name of a service, like without the _t. For example, for the keyboard daemon I just typed in keyboardd. And then I select which classes I want to see in the graph. And then that's it. I get the file, I get the... Sorry, I killed it, but you can see it... because it would take some time, but... Yeah, it's okay, thank you. That's it. Thank you for the question. Another question? Yeah, here.

My question is how we can create new policies, based on which languages, OpenSCAP or something like that? Well, we have a special high-level language for policies. There is also the CIL language, which is lower level. But if you're interested in that, go check out the workshop tomorrow. So, yes, as we said, tomorrow we will write our own policy for one daemon. So you can see it, okay? Any other questions? Okay. Lots of running today. Thank you.

About the tool you have just presented here, is there any plan to package it or to include it in [inaudible]? And what is the timing for it? Right, so... We are waiting for setools, since I'm using them in the tool. And as you probably know, Fedora doesn't have the new setools yet. So as soon as that comes out, I'm planning on releasing a package with the tool for Fedora 26. That's it. Any other questions? Thanks.

What is the relationship between SELinux and the standard Unix file permissions? When I run SELinux, can I forget about the Unix file permissions, and it magically does it for me? So the standard permissions are still applied, and they're actually evaluated before the SELinux permissions. So if something is denied due to the system permissions, SELinux won't even get a chance to look at that. But if it's allowed by the system permissions, then SELinux evaluates it, so it's an additional layer of protection.
SELinux brings a kind of granularity, you know, to the system. OK, so... OK, thanks.

What would be the best way to harden a system that has SELinux disabled, to set it from disabled to enforcing? What would be the best steps? So if I understand it correctly, you have a system with SELinux disabled and you want to enable it, yeah? So at first you need to enable it, as I showed, in that config file /etc/selinux/config, and then run restorecon, which restores the context of your files on the system. OK? Sorry? OK, that's another possibility. Well, it should do it automatically, actually. When you're switching from disabled to permissive or enabled, the autorelabel will happen by itself. Yeah. Well, he's starting at disabled at this point, so... Yeah. Indeed, yeah.

If you have SELinux in enforcing mode, is there a possibility to exclude certain processes from having any... like, you have a very complex application and you don't even know what file systems it will touch in the production system, because the customer can modify it. So can you just say, OK, I want to have SELinux, but I don't want to have it for, like, this application running? Yes. There's a concept of permissive domains. So you can just switch the domain in which the service runs to permissive, and then SELinux will still log the denials that would be there normally, but it won't enforce them. So like this you can finish developing the service, then look at the log and allow everything that you actually need, and then remove the permissive domain attribute. Yes, and if you don't have an SELinux policy for your service, then SELinux is not in the game, no, for that service. Just for that service, yeah. OK, cool.

Is there any plan for the future that, as you told now, if there is no policy... that in the future it will change, that if there is no policy, then the service wouldn't be allowed? So... We don't support it.
You can run any service on an SELinux-enabled system and, as I said, SELinux is not in the game. You need to write the policy. For services that are widely used, we would write the policy at some point. So, like... Yeah, we have around 500, more than 500 modules on Fedora systems. So you don't plan to enforce that every service has to have a policy? That's actually a nice idea, but it's too strict, you know? We could potentially do that in some special scenario where you would need extra tight security. You can, but SELinux is enabled by default on Fedora, so we don't want to break everyone's system. Just... So the question... Sorry, I don't... OK, I don't hear it, sorry. Yes. Yes, we have a... It's not a special mode, it's a kind of SELinux mode called MLS, and it's going to be possible. Right, so here you have SELINUXTYPE=targeted. That's the default configuration, but there is MLS. That's a different type of policy that has a way stricter definition. So I'd say check it out. OK, any other questions? OK, so... OK, Paul, OK.

So I kind of know there's no real answer to this, but I'm just kind of teasing this as something so that maybe you can talk about it, and I think perhaps one of the earlier questions was asking about this. So the graph that you showed us was really cool, and that was nice. It allows us to see how policy works and how policy interacts, but have you done any work, or have you thought about, basically going the opposite way: starting with a graph, using some sort of tool and saying, OK, I've got this type and I want it to be able to interact with this domain, I want this domain to have this attribute assigned to it, and then taking that visual representation and generating an SELinux policy from that? Well, yeah, I've thought about it, but, well, it is definitely possible.
At this point, the biggest hurdle on the way is that the policy uses a lot of macros, M4 macros, and it would be quite difficult to use them when recreating the policy from the graph. So if we decided to write all the policies this way, then, yeah, that would be pretty cool, but editing them afterwards in the code would probably be a pretty bad experience, I guess, yeah. So in CIL it would be hard to write even now; that's why we have a higher-level language to describe the policy. So yeah, I've been thinking about it, and maybe at some point we'll get to it. OK, so if you don't have any questions, thank you very much.
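The talk mentions two places where reading the audit log matters: checking the mode set in /etc/selinux/config, and collecting the AVC denials that permissive mode (or a permissive domain) logs before turning them into the rules a service actually needs. The following Python is an added example, not the speakers' tool or any Fedora component; the config text and the audit.log lines are constructed samples in the standard formats, and the type names in them (httpd_t, user_home_t, postgresql_port_t) are only sample values.

```python
# Added example: read the configured SELinux mode and group AVC denials into
# allow-rule shaped summaries. Sample config and log lines are constructed.
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Optional

# Fields of an AVC record: "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=... permissive=N"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def configured_mode(config_text: str) -> Optional[str]:
    """Return the SELINUX= value from /etc/selinux/config text (comments ignored)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip()
    return None


def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type (the part type enforcement cares about)."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit record; returns None for non-AVC lines (SYSCALL, CWD, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m["perms"].split()),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
        # permissive=1 means the access was logged but not blocked
        "permissive": m["permissive"] == "1",
    }


def summarize(lines: Iterable[str]) -> List[str]:
    """Merge denials into one allow-rule shaped line per (source, target, class)."""
    needed: Dict[tuple, set] = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            needed[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(needed.items())
    ]


# Constructed sample input, shaped like the real files.
SAMPLE_CONFIG = """# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""

SAMPLE_AVC = [
    'type=AVC msg=audit(1486465290.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" '
    'name="custom.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1486465290.123:456): arch=c000003e syscall=2 success=yes exit=3',
    'type=AVC msg=audit(1486465290.124:457): avc:  denied  { getattr open } for  pid=1234 comm="httpd" '
    'path="/home/user/custom.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1486465291.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" '
    'dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 '
    'tclass=tcp_socket permissive=0',
]

if __name__ == "__main__":
    print("configured mode:", configured_mode(SAMPLE_CONFIG))
    for rule in summarize(SAMPLE_AVC):
        print(rule)
```

The summary is the raw material, not the finished policy: a denial on user_home_t, as here, usually means the files carry the wrong label and want restorecon or a file context rule rather than a broad allow, which is the same trade-off the Apache demo above illustrates.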
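The second half of the talk describes snapshotting the policy before and after a change, expanding attributes such as non_security_file_type to their member types, and running a "transition write" query that flags domains whose executable the source domain may write. This Python is an added toy model of that comparison; it is not the speakers' tool, and the types, attributes, entrypoints and allow rules below are a constructed fragment, not real Fedora policy.

```python
# Added example: attribute expansion and a before/after "transition write"
# comparison over a constructed policy fragment (not the speakers' tool).
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class AllowRule:
    """One rule of the form: allow <source> <target>:<cls> { perms };"""
    source: str           # a type or an attribute
    target: str           # a type or an attribute
    cls: str              # object class, e.g. "file"
    perms: FrozenSet[str]


@dataclass
class PolicySnapshot:
    """Minimal stand-in for one of the policy snapshots from the demo."""
    attributes: Dict[str, Set[str]]   # attribute name -> member types
    entrypoints: Dict[str, str]       # domain type -> type of the executable that launches it
    rules: Set[AllowRule] = field(default_factory=set)

    def expand(self, name: str) -> Set[str]:
        """Resolve an attribute to its member types; a plain type is itself."""
        return set(self.attributes.get(name, {name}))

    def allowed(self, src: str, tgt: str, cls: str, perm: str) -> bool:
        """True if some rule grants src the permission on tgt after attribute expansion."""
        return any(
            r.cls == cls and perm in r.perms
            and src in self.expand(r.source) and tgt in self.expand(r.target)
            for r in self.rules
        )


def transition_write(policy: PolicySnapshot, src: str) -> Set[str]:
    """Domains src could escalate into: src may write the executable that
    launches them, so whoever next starts that daemon runs src's code."""
    return {
        dom for dom, exe in policy.entrypoints.items()
        if dom != src and policy.allowed(src, exe, "file", "write")
    }


def new_escalations(before: PolicySnapshot, after: PolicySnapshot, src: str) -> Set[str]:
    """Escalation paths present in `after` but absent from `before`."""
    return transition_write(after, src) - transition_write(before, src)


# Constructed sample fragment.
ATTRIBUTES = {
    "domain": {"httpd_t", "sshd_t", "crond_t"},
    "exec_type": {"httpd_exec_t", "sshd_exec_t", "crond_exec_t"},
    "file_type": {"httpd_exec_t", "sshd_exec_t", "crond_exec_t",
                  "httpd_sys_content_t", "shadow_t"},
    # everything except security-sensitive files such as shadow_t
    "non_security_file_type": {"httpd_exec_t", "sshd_exec_t", "crond_exec_t",
                               "httpd_sys_content_t"},
}
ENTRYPOINTS = {"httpd_t": "httpd_exec_t", "sshd_t": "sshd_exec_t", "crond_t": "crond_exec_t"}

BEFORE = PolicySnapshot(ATTRIBUTES, ENTRYPOINTS, {
    AllowRule("httpd_t", "httpd_sys_content_t", "file", frozenset({"read", "getattr", "open"})),
    AllowRule("domain", "exec_type", "file", frozenset({"getattr", "execute"})),
})

# The "lazy" fix from the demo: one allow rule on a broad attribute.
AFTER = PolicySnapshot(ATTRIBUTES, ENTRYPOINTS, set(BEFORE.rules) | {
    AllowRule("httpd_t", "non_security_file_type", "file",
              frozenset({"read", "write", "getattr", "open"})),
})

if __name__ == "__main__":
    print("before:", sorted(transition_write(BEFORE, "httpd_t")))
    print("after: ", sorted(transition_write(AFTER, "httpd_t")))
    print("new:   ", sorted(new_escalations(BEFORE, AFTER, "httpd_t")))
```

The single added rule never names sshd_exec_t or crond_exec_t, yet the comparison reports both daemons, which is exactly why the demo produced so many rows: the attribute quietly expands to every daemon's executable. A rule scoped to the one content type the custom config really needs would leave the diff empty.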