Hello, can you hear me? Okay, my voice is doing strange things. So you'll be having a hearing test, and now I'm giving you a reading test. Can anybody read that on the screen? It's better, but still too small. Hopefully this will work better.

Yesterday there was a tutorial about SELinux; mine is a presentation going through the basic stuff. Normally, if you read the early scriptures, everybody would have told you that life is too short to learn SELinux. I'm going to try to explain it to you in the 35 minutes I think I have. Hopefully you'll still be alive in 30 minutes.

So, I'm Toshaan Bharvani. I'm from Antwerp, Belgium, a little country in Europe. I'm self-employed. I'm involved in enterprise Linux, which basically translates to CentOS and Red Hat. I do some of the proprietary stuff, AIX. I do a little bit of FreeBSD and OpenBSD. That's how I got involved in SELinux. I like virtualization. I run Config Management Camp, if anybody is interested in that. I like Ansible, Foreman and Puppet. And yeah, I'm sometimes on social media; you won't find me there too often.

So: an introduction to what SELinux is, some ways to use it, and how to live with it on your system in enforcing mode.

Who of you actually already uses SELinux, and I'm talking in enforcing mode? Nobody actually... well, two hands I see from here, okay. Anybody in permissive mode? Okay, also two people. So the rest of you all have it disabled.

So yeah, one basic misconception is that SELinux is a horrible beast: it will eat you alive, you will be dead, all your production systems will die horribly and you won't be able to live anymore. That isn't true anymore. If you were running versions like CentOS 4 or even CentOS 5, maybe that might have been true. In CentOS 4 you definitely really needed to know what you were doing; in CentOS 5 that improved.
When I say CentOS 5, I'm talking about CentOS, Red Hat, Scientific Linux and all the other variants based on that distribution. If you are a fancy geek running Gentoo, then you always have the latest one, so that doesn't apply to you. Only in SLES 12, I think, has SELinux been enabled; previous versions had AppArmor, which Ubuntu uses today, and it doesn't do much.

Another very common thing: it's a pain in the ass. Yes, I know that. But it's very easy to work with nowadays. And then there are vendors who will tell you to actually disable it. The lovely people from the "O" company love to tell you: please disable this, because otherwise we won't support you. Unfortunately, if you need to work with them, then yes, you must do that. However, if you run your systems with SELinux, you get Chuck Norris in there, so you'll be happy to know that he will kill all the bad guys for you.

Now, SELinux was developed by the NSA, and most people will be thinking there's some backdoor in there. But the NSA built it and open-sourced it directly. Multiple people from multiple companies have looked at this code, checked it, and verified that there are no backdoors in there. It's a kernel module, so it has also gone through all the scrutiny of being accepted into the kernel itself. If you really have a lot of time on your hands, you can manually read all the code and double-check that there are really no backdoors in there. But presuming you have other things to do, you can just accept what other people have told you.

So what is SELinux? First we need to understand what traditional Unix permissions are. In Unix, everything is a file.
So we're going to secure a file. And a file can be secured by a 3x3 matrix, which is basically your user, your group and the others, and you can give them read, write or execute permissions. That's how you get these binary statements, which you use like chmod 777, whereby everybody can do everything with it. Which is not the most convenient thing to do, but it's the easiest example to give.

Now, SELinux is Security-Enhanced Linux. It's mandatory access control, so it basically denies everything unless you allow it to do something. It has policies which are loaded into the kernel. Well, there's a kernel module which loads policies, and these policies basically tell what is allowed by which type, by which daemon, which file can be used, because everything gets a label. So a specific label will be allowed to do certain things with other labels.

Now you need to have a kernel that is compiled with SELinux. So if you compile your own kernel, you go to the security features, there's SELinux, you enable it and you compile your kernel. Again, if you're running most of the enterprise Linuxes, they already have that enabled.

Everything is a label, or a context, and that is basically defined in three types: type enforcement, role-based access control and multi-level security.
I'm not going to talk that much about multi-level, because it's a higher level of control which allows you to do multiple things at the same time. Type enforcement is the most commonly used one. The role-based enforcement is basically that when you log in as root you get into the unconfined mode, which allows you to basically do anything on your machine. Which could be one of the reasons why you execute something as root and it works, and when you execute it as a different user it doesn't work.

So access control is based on type enforcement, which basically tells you that a specific context can do certain things to another context. So the object, let's say an Apache daemon, can read all files with the label httpd_sys_rw_content_t. You'll see that most of these things end in _t, stating that they are basically a type. The role-based one would be that you as the user root are unconfined, or you could actually have root confined, which means that you as the root user would not be able to do everything on your machine.
This is sometimes relevant for people who work in larger corporations where you're not allowed to see the data, but you still need to manage the whole machine. Then you could actually put the data in a different type, whereby you as the root user would not be able to access the data but would still be able to do all your operations on the machine.

Multi-level is mostly about being able to have multiple objects talk to multiple subjects. It's mostly used if you use sVirt, which is basically containerizing your VMs in specific groups, and then you can tell that these VMs can only talk to each other, they can see underlying file systems, or they can connect to specific network cards and so on.

So if you want to look at it visually: normally, if a process asks for access, it will talk to the kernel and the kernel will basically tell you yes, you get access to that file, or no, you don't get access to that file. In the SELinux version you have the kernel, which loads the SELinux module; the module will actually load the policy database, and that policy database will then tell you that okay, you as Apache can only see anything with the Apache labels. So you get restricted to your one confined area, and if you get attacked you are less likely to have your complete system compromised; only that section of your system would be compromised.

So these are the features. The most important is that you actually have a base policy, but you can quite easily generate policies yourself. These policies are generated based on the audit log.
So you need to have your audit logs running. Today there are tools like audit2allow and audit2why which will actually explain to you what is happening, so you don't need to understand all the cryptic messages. If you are really daring, you can actually change the base policies. Just remember that if you are running a distribution and you change anything in the base policy, the next time you do an update of the base policy all your changes will be wiped out.

It controls file systems, directory trees, sockets, ports, network interfaces, daemons. So it basically controls everything that runs on your machine. If you're running a simple web server, it will not allow you to run your web files from just anywhere; you will need to tell SELinux, oh, they are located there. Of course, the base policy has the default locations in there, but if you need to run it off NFS, then you will need to tell the database basically that please allow me to run my website from an NFS server.

So in a way it disallows misbehaviour. It's a good annoyance if you have juniors in your company; you want to know about them, because it will actually not tell anything in the other logs of the application itself. It will just tell you Apache wasn't able to start up. Okay, that doesn't tell you much.

And it can even restrict you to use it as I explained. If you look about five years ago, it was only the kernel which was enabled. Then you had an initiative from Postgres to have SE-PostgreSQL, which basically means that you can even confine databases, and today even tables and columns, to specific SELinux users, be it users of the system or users on the database level. Apache has a module which you can install which can also do that; PHP today also has an extension for that.
So while we don't have the full stack available yet, most of the standardized applications are available. If you're running your own application, you can easily write a policy by just running it in permissive mode in development, running audit2allow, and it will actually generate a basic policy. You will still have to filter out some stuff; I'm not saying that you don't need to make any effort, but you don't need to write everything from scratch anymore.

So where do we find SELinux? It was merged into the mainline kernel in 2.6.0, somewhere around 2002. So it's been around for the last 15 years, so it's quite stable by now. Red Hat, CentOS and Scientific Linux from version 4; Novell; Gentoo; Debian also has some versions of it. If you have an Android phone and it's a newer version, you also have SELinux running on your phone. Ubuntu still chooses to have AppArmor as a default, but if you really want to, you can run SELinux there as well.

So again, why would we want to use it? It confines processes, services and users in compartments, so if you have a problem, it will only be in that particular compartment. You can use that for virtual machines; there's an extension called sVirt, and if you're running version 7 that's enabled by default. If you want to do more advanced stuff, then you'll have to go to a lower level. If you run kiosks for a living, then you can use xguest, which also runs SELinux, which basically allows the user to do anything within the confined kiosk console that you set up. If you have a German-built car, then you most likely also have SELinux running in your car. USB redirects: so if I plug in a USB device here, and I want it to be used on a virtual machine somewhere around the world, nine out of ten chances
it's also running some version of SELinux to make sure that that specific USB device is being redirected to that one specific machine only. It does that by subdividing categories within the labels.

So that's the theoretical part. Are there any questions already?

So, yeah, I asked already how many people use enforcing, permissive and disabled. If you're running it in enforcing, then it's on, which means that your system is secured: anything that would not be allowed gets denied and goes into your audit log. If you are running in permissive mode, it will actually allow those things, but it will still allow you to see the denied messages, so that you can actually generate a policy. Once you have generated the policy, you can then load it into the system, keep the system still in permissive mode, and see if any other error messages or denied messages are being created, and then you can filter out from there what is being done. Of course, if you run it in disabled mode then it's off; it's basically not loading the kernel module and you have no advantage of the system.

Now, given that you just get a machine like that and you don't know what
the status of SELinux is, you can run a command called sestatus, and it will actually tell you what the machine is running. Let's see. So it will tell you, for instance, enabled; it will also tell you which policy version it's running and if MLS is enabled or not. The policy version is the base policy that gets loaded into the machine; that comes mostly from your distribution. If it were in permissive mode, it would just tell you the same thing but with permissive; if it's disabled, it just gives you one line with disabled.

Now, most of the commands that we already know today, if you add a capital Z, you actually get the SELinux labels or contexts. So ls -Z will actually give you the context of all the files, netstat -Z will give you all the contexts of the ports, and ps -Z will give you all the contexts of the daemons.

Sorry, that's the largest I can go; it doesn't go any larger. Is this better now? Yeah, so you see here the files. These are just files in my home directory, but you see there that you have the traditional Unix permissions, then you have the owners, and then you have the SELinux context, in this case admin_home_t. This part is the most important, because that's the type. admin_home is basically your root user's home directory.

If I do the same on /var/www, which is already defined in the base policy as the default web directory, you see that you get the httpd_sys_content_t type. That means that any daemon that is flagged with the httpd_t type can actually read these files. So if you're running Apache, or if you're running nginx, that's the same thing. So again, if you're running most of the common web servers, they are already known, and once you install them, the daemon will actually get the correct type enforcement rules by default. If you've written your own web server, then you'll have to actually write a policy for that.
So mostly, if you read up in the documentation, you'll find objects, which basically can be labeled. Files normally get labeled in the file system, so it's supported in most file systems, not all. Again, if you're using fancy file systems that doesn't work; most of the common Unix file systems are supported and can handle the extended attributes.

Now, labels can be set manually using a command called chcon, which basically changes the context of a file. So if you wanted to have your website in the folder /usr/srv/www, then this would be the command, the first one. The capital R is to do it recursively, and the -t stands for the type you want to set. And of course this is very nice, because it will start working. Now the next time you reboot your machine, you'll see that nothing works again, because every time the restore daemon runs or the machine gets rebooted, it will actually set the files back to the default labels.

To prevent that, you can actually inject that into the database itself, and for that you use semanage. So in that case you would use semanage fcontext: we want to add a specific file context with the specific type, and then you need to use a regular expression to actually get that into the database, which means that all files,
folders and any other things under /usr/srv/www would actually be labeled with that specific context. So the next time you reboot, the next time restorecon runs in the background, your files will still have the correct label and your web server will still be able to read them.

Now, if you have for instance SCP'd files from your laptop to your home directory, and you copy them from your home directory to your web server, you'll see that actually nothing works, because the minute you SCP to the host they get a label at that point, and given that you SCP into your home directory, you'll actually get a label with home in it. Now when you copy the files, it copies the label that they originally had; it doesn't copy what the destination would be. If you want to restore all of those back to the defaults, then you can use restorecon. Again, the capital R is to do it recursively, and it would do it for all these files and set them back to the default.

Now let's say you have, like most people here, your machine in disabled mode. Then if you enable SELinux, you would actually get into trouble in the sense that none of your files would be labeled correctly. To fix that you need to relabel your home directory, and then you need to put a file in the root called .autorelabel and then reboot your machine.
What will happen at that moment is the machine will reboot, it will load up in run level one and will actually start relabeling your whole file system. So if you have a few petabytes of data, this can take a long time, and while it's relabeling your machine is offline. So it's advisable to keep SELinux in permissive mode; it makes life easier afterwards. If you have it disabled during your installation, then your installer will actually not label the files correctly, because it doesn't see the use of doing that. You can also use fixfiles, which will actually tell you what the specs were for this specific location and how they were being applied there.

Now, in the beginning policies were made and you had to follow the policies. Many people actually found this quite restrictive, so there are now booleans that you can flip which will allow you to do certain things which a normal system does not always require.

So for instance, a web server will automatically be allowed to connect on port 80, because without port 80 you wouldn't be able to serve your website. Now port 8181 is not a very common port, but if you want to use it, then you need to add it to the specific context that you need. To get a list of the default ones, it's semanage port -l, which will give you the whole list. If you want to add a specific one, you do -a, then -t for the type and -p for the protocol that it's going to use. So even if you want to run SSH on a different port than 22, you need to actually tell SELinux that I'm going to run it on port 5022 and add that to the database, because otherwise it won't allow you to do that.

So the files example I gave already, but again, here, if you're not sure what file context is being used or what is there by default, you can always use -l, and it will actually give you the list of all the file contexts and the directories that are being tagged automatically for that specific context.

Now the booleans: you can
run getsebool, which will give you all the booleans that are available, and then you can grep on Samba. So for instance, if you run a Samba server and you want to allow home directories to be shared: by default this isn't allowed, so you would actually have to set the boolean to on. By default it's off. The capital -P here sets it persistent; that means that even the next time the base policy gets updated, it will keep your value and not the default value.

Now, the main thing about SELinux is that if you have a web server like Apache or nginx, a Samba server, or even your SSH server, and you try to start it up on a different port than 22, it will just tell you: failed. It doesn't tell you much more than that, which isn't very descriptive. However, if you look in the audit log, it will actually tell you that a certain process called sshd tried to attach to a specific port, 5022, and it got denied. The same for a web server: if it tries to connect to port 8181 and you didn't enable it, it will tell you denied.

Now you can basically grep those denied messages and pipe them to audit2why, and it will give you a nice explanation of what you did, what went wrong and how it went wrong. You could also use audit2allow, which will generate a policy for you. However, if the booleans already exist, it will actually warn you: please do not compile this policy, but use the booleans that already exist for that. If you want a better description of the booleans, because if you use getsebool -a it will just give you the names and not a description, the -l here gives you a small description of what the boolean is supposed to do.

So once you have such a policy, you can actually compile that into a binary form and load it into the policy database in the kernel, and at that point it becomes enforced in your kernel. Depending on time,
I'll see if I can show some more. So your subject, your daemon or your process, asks the kernel whether it can actually get access to a specific object, and the database will answer according to the policy whether it can or cannot do that. And here you see that the denied message goes into your audit logs if it gets denied.

So yeah, you can also use sesearch if you want to search on booleans, on types. So if you're quite new, they have a lot of tools to figure out stuff, and it will actually explain to you in more human-readable language what these booleans, what these switches do, what specific file contexts are being used, where and how.

So this is the shortest way to generate a policy. You basically look at your audit log, you grep on, in this case, a daemon called Zarafa. Well, no, sorry, I forgot to change that: it's Galera. So the default Galera setup requires you to use rsync, which is allowed. I use Percona XtraBackup, so you need to allow certain things on the SELinux level. So it should actually read grep Galera from the audit log, you pipe it through to audit2allow and you give it a module name, Galera, and it will actually output the full policy that you could compile already. You can at that point read what the policy is, and if you agree or don't agree with it, you can make some modifications. You run checkmodule, which basically checks that it doesn't conflict with any existing modules that are already in your database. Then you package it into the binary form and then you install it into the policy database. Once you run the last command, it becomes active.

So this is how a policy actually looks. You have on top the module name; it will always give you a version. So this is actually a modification
I made, because it will always start with 1.0. It will then first state what types and what classes it will be using, and then below it will tell you what is actually being done. So MySQL needs to be able to read the hostname to know which of the cluster nodes it's talking to, it needs to be able to use rsync to do the state transfer, and then it needs to do a set to be able to know where it actually ended and started. So you see it's not that complicated, given that it's these five commands and you get a policy which actually allows you to run.

Yeah, that's all I have for the moment, unless there are questions or other examples.

Question: Hi. To be true, this seems like quite a lot of hoops to run through to even get a normal web server running. So taking into account that any startup keeps on growing, at what stage in its growth path would you suggest that they move from disabled to enabled? When is the right time to invest?

Answer: I would start differently. First of all, start with permissive; do not start with disabled. With permissive it won't stop your daemons, it won't do anything, but you will be able to generate policies from there already. And then it depends on what the maturity of your startup is and how much security is relevant to you. So there were some incidents with Docker where people who were running SELinux actually didn't get affected. There have been cases in the past where there were bugs in certain databases which didn't affect people running SELinux. So yeah, running in disabled mode today,
I feel, is stupid, given that permissive allows you to do everything but gives you at least the audit logs. Which means that if you have the time, whenever you have the time, you can at least start looking at those; you can at least see if anything relevant is going wrong there. And if it is a small thing, then you can enable it quite quickly; if it is a big work, then yeah, you might want to postpone that to a later period.

Question: Okay, thank you. Hi, yeah. So you talked about compartmentalization and isolation to enhance the security. You also mentioned the example of Apache getting compromised, but then it's only limited to a small compartment, so that the whole system isn't compromised. But if there's a vulnerability that is exploited that gives some attacker root on my box, then it's basically game over, right? Because he's root. Or does SELinux protect me even in this case?

Answer: So SELinux by default will not protect you in that case, unless you have confined the root user. That's also possible. So on my production boxes I confine the root user. The box I was on to do the few tests is not a production box; it's just an extra repository we have, so I don't run root confined there. But on the real production machines we run it confined, and root can do basically nearly nothing. Yeah, you update.

Question: Okay, thank you. Excuse me, so how well does SELinux play with Docker, and if so, how fine-grained can you restrict the different containers running different services?

Answer: So, I don't remember which version by heart, but in February there were a few updates for Docker, and from then on it plays well with Docker. So if you're running the latest versions of Docker, no problems. It has namespace abilities; it has full support for SELinux if you're running it on CentOS or on Fedora. I have no idea about other distributions, but I presume that most other distributions will be doing as well.
Maybe some even better.

We had one question on this side? Okay, then I guess that's about it. Thanks, Toshaan.
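Editor's added example, not part of the talk and not the speaker's or the SELinux project's code: the policy-generation step the speaker walks through (grep the audit log, pipe to audit2allow, read the resulting module, compile and load it) boiled down to a small Python script. It parses `avc: denied { ... } for ...` records, merges them into `allow` rules and prints a .te module with the module header, `require` block and rules shown in the talk. It is deliberately not the real audit2allow; the audit records below are constructed, and the domain-to-port-type table is this example's own assumption. Port-binding denials are turned into a `semanage port` command instead of an allow rule, which is the caveat the speaker gives for booleans applied to ports: fix the label, don't widen the policy.

```python
"""Mini audit2allow: turn SELinux AVC denials into a type-enforcement module.

Added example, not the speaker's code and not the real audit2allow. It parses
`avc: denied { perms } for ...` records as found in /var/log/audit/audit.log,
merges them into allow rules, and renders a .te module (module header,
require block, allow rules). Port-binding denials are reported as
`semanage port` commands rather than allow rules.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed domain -> port type table. Both names exist in the reference
# policy, but the mapping itself is this example's shortcut, not SELinux's.
PORT_TYPE_FOR_DOMAIN = {"sshd_t": "ssh_port_t", "httpd_t": "http_port_t"}

# Constructed sample records: the field layout follows audit.log, the
# values (pids, inodes, timestamps) are made up for this example.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1425390712.123:456): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=5022 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1425390713.456:457): avc:  denied  { read } for  pid=2345 comm="mysqld" name="hostname" dev="dm-0" ino=1311 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1425390713.457:458): avc:  denied  { open } for  pid=2345 comm="mysqld" path="/etc/hostname" dev="dm-0" ino=1311 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1425390714.001:459): avc:  denied  { execute } for  pid=2345 comm="mysqld" name="rsync" dev="dm-0" ino=2001 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1425390714.001:459): arch=c000003e syscall=59 success=yes exit=0',
]


def parse_avc(line):
    """Return {perms, stype, ttype, tclass, fields} for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL, PATH, CWD and other record types are ignored
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],  # user:role:type[:level]
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def build_module(name, lines):
    """Collapse denials into (source, target, class) -> perms and render the .te.

    Returns (te_text, port_fixes): port_fixes is a list of semanage commands
    to run instead of loading an allow rule for a port binding.
    """
    rules = defaultdict(set)
    port_fixes = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        is_bind = rec["tclass"] in ("tcp_socket", "udp_socket") and "name_bind" in rec["perms"]
        port_type = PORT_TYPE_FOR_DOMAIN.get(rec["stype"])
        port = rec["fields"].get("src")
        if is_bind and rec["ttype"].endswith("_port_t") and port_type and port:
            proto = rec["tclass"].split("_")[0]
            port_fixes.append(f"semanage port -a -t {port_type} -p {proto} {port}")
            continue  # a relabelled port is the right fix, not a wider policy
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return render_te(name, rules), port_fixes


def render_te(name, rules, version="1.0"):
    """Render rules in the .te layout: header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    out.append("}")
    for stype in sorted({k[0] for k in rules}):
        out += ["", f"#============= {stype} =============="]
        for (s, ttype, tclass), perms in sorted(rules.items()):
            if s == stype:
                p = sorted(perms)
                perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
                out.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    te, fixes = build_module("galera", SAMPLE_AUDIT_LOG)
    print(te)
    for cmd in fixes:
        print("# run this instead of loading an allow rule:", cmd)
```

Running the script prints a module `galera 1.0` with the mysqld_t rules for reading /etc/hostname and executing rsync, and a separate `semanage port -a -t ssh_port_t -p tcp 5022` line for the sshd denial. The generated text can be saved as galera.te and loaded with the same three commands the talk shows: `checkmodule -M -m -o galera.mod galera.te`, `semodule_package -o galera.pp -m galera.mod`, `semodule -i galera.pp`. Read the rules before loading them: a denial produced by a misconfiguration or a compromised process should be fixed at the source, not allowed.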