SELINUX IN PRODUCTION Deploying SELinux successfully in production environments Jerone, Lukas, Daniel Tuesday, May 8 10:30 AM - 11:15 AM

SELINUX IN PRODUCTION - Microsoft · 2018-05-10 · SELINUX IN PRODUCTION Deploying SELinux successfully in production environments Jerone, Lukas, ... These initiatives are being


Agenda

● Enabling customers
● SELinux FAQ
● Containers way
● Panel discussion


ENABLING CUSTOMERS

In production, downtime is costly and change can come slowly. Uptime and functionality are the main driving forces.

Isn't SELinux old? Who is asking for it now?

● Seeking to add additional protection through application containment.
○ Financial sector customers
● Seeking to increase the overall security profile of their environment.
○ Energy and utility sector customers
○ Financial sector customers
○ Public sector customers and contractors
■ The Defense Information Systems Agency (DISA) has mandated in the Security Technical Implementation Guide (STIG) that SELinux must be in enforcing mode if you are running RHEL 6 or RHEL 7.
● These initiatives are being done at scale for the entire environment.

Enabling SELinux at scale is difficult and time-consuming

● Must ensure applications remain functional.
● Building internal experts:
○ Administrators
■ Focused on application deployment and system administration.
○ Developers
■ Development of SELinux policies for custom applications.
● Building internal resolution strategies for SELinux application functionality issues.
● Ensuring all administrative staff are trained in handling an SELinux-enabled environment.
● A facility to analyse and monitor audit logs for a large number of systems once deployed.
● Deploying SELinux slowly is a key factor in its success in a production environment.

Summary of enablement steps for Admins

1. Turn on SELinux in Permissive mode
○ Permissive is a debug mode. It does not enforce policies, only reports.
○ Ensure auditd is enabled, and that at least 2 - 3 GB of space is available in /var/log/audit/
○ Requires a reboot if SELinux is disabled
i. THIS CAN BE VERY TIME-CONSUMING IN PRODUCTION
ii. Make sure to turn on filesystem relabel on reboot
2. Observation
○ Observe audit logs for SELinux AVC denial messages that could be preventing functionality.
3. Remediation
○ This is a critical thinking exercise: how to properly remediate SELinux denials.
4. Apply remediation
5. Repeat steps 2 - 4 for a given amount of time
○ While doing so, create a runbook or guide for SELinux enablement of the operating system or application.
6. Set SELinux in Enforcing mode
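Step 1 of the procedure above as a set of shell helpers, added here as an example and not taken from the deck; the config file, audit log directory and root path are parameters so the logic can be tried against a scratch copy of /etc/selinux/config before it is run as root on a real host.

```shell
#!/bin/sh
# Added example, not part of the original deck: helpers for step 1 of the
# admin enablement procedure (permissive mode, auditd running, audit log
# space, reboot plus filesystem relabel when coming from "disabled").
# Paths are parameters so the logic can be tested on a scratch config file.

# Print the mode configured in an /etc/selinux/config-style file.
configured_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line in place (append one if the file has none).
set_configured_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    if grep -q '^SELINUX=' "$1"; then
        sed -i "s/^SELINUX=.*/SELINUX=$2/" "$1"
    else
        printf 'SELINUX=%s\n' "$2" >> "$1"
    fi
}

# disabled -> permissive needs a reboot and a full relabel: files created
# while SELinux was off carry no (or stale) security contexts.
reboot_required() {
    [ "$(configured_mode "$1")" = "disabled" ]
}

# Ask for the relabel on next boot by creating <root>/.autorelabel.
schedule_relabel() {
    : > "${1%/}/.autorelabel"
}

# True when the directory has at least $2 GiB free (df -Pk reports 1K blocks).
audit_space_ok() {
    avail_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "${avail_kb:-0}" -ge $(( $2 * 1024 * 1024 )) ]
}

# Step 1 on a real host (run as root). Non-zero exit: stop and fix first.
enable_permissive() {
    cfg=${1:-/etc/selinux/config}; logdir=${2:-/var/log/audit}; root=${3:-/}
    was_disabled=0
    reboot_required "$cfg" && was_disabled=1
    set_configured_mode "$cfg" permissive || return $?
    if [ "$was_disabled" -eq 1 ]; then
        schedule_relabel "$root"
        echo "SELinux was disabled: reboot with filesystem relabel required" >&2
        return 3
    fi
    setenforce 0                                   # takes effect immediately
    systemctl is-active --quiet auditd || systemctl enable --now auditd
    audit_space_ok "$logdir" 2 || { echo "need at least 2 GB free in $logdir" >&2; return 4; }
}
```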

Application Deployment Workflow for Admins

● A DEV / Test environment to vet SELinux issues before Production deployment is critical.
○ Simulate how the application is functionally used in Production.
○ If possible, running test suites to exercise application functionality can also greatly help.
● Do this process per application.
● As you remediate SELinux issues, make the remediations part of the individual application's deployment package or instructions.
● On initial rollout into Production, leave the system in Permissive mode for a given period of time to ensure there are no functional issues.
● Enable Enforcing mode for the application in Production.

Remediation of SELinux denials

● Remediation is a critical thinking problem.
○ May require knowledge of how the application is supposed to work.
● Red Hat provides great tools like audit2allow and audit2why that are extremely helpful with resolving SELinux issues, though you can't always take what they say as the proper solution.
● Example SELinux audit log denial:

type=AVC msg=audit(1511797905.636:50): avc: denied { open } for pid=2708 comm="rsyslogd" path="/etc/rsyslog.d/test2.conf" dev="dm-1" ino=1308304 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Remediation of SELinux denials

● Output from audit2allow:

#============= syslogd_t ==============
allow syslogd_t user_tmp_t:file open;

● In this example the tool will not give the correct solution.
○ The tool is saying to create a custom SELinux policy module to grant open access from domain syslogd_t to any file of type user_tmp_t.
■ Meaning any process running as syslogd_t can open any file of type user_tmp_t.
● The better solution is that the file /etc/rsyslog.d/test2.conf should be of type syslog_conf_t and not user_tmp_t.
○ With this we only relabel the file to type syslog_conf_t.
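A first-pass triage of an AVC record along the lines the two slides above recommend, added here as an example and not from the deck: it pulls the source type, target type, class, permission and path out of the denial and prefers "relabel the file" over the allow rule audit2allow would emit whenever the path has a known expected type. The expected-type table is a small constructed stand-in for matchpathcon(1); the sample record is the deck's rsyslogd denial.

```shell
#!/bin/sh
# Added example, not from the deck: triage an AVC denial line. audit2allow
# would turn the sample below into "allow syslogd_t user_tmp_t:file open;";
# the better fix is to give the file the type the policy expects for its
# location. expected_type is a constructed table; on a real host use
# matchpathcon(1) or `semanage fcontext -l`.

# Constructed sample: the deck's rsyslogd denial on one line.
SAMPLE_AVC='type=AVC msg=audit(1511797905.636:50): avc: denied { open } for pid=2708 comm="rsyslogd" path="/etc/rsyslog.d/test2.conf" dev="dm-1" ino=1308304 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> permission(s) inside the braces, e.g. "open".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/[[:space:]]*$//'
}

# Third field of a context is the type: system_u:system_r:syslogd_t:s0 -> syslogd_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH -> type the policy expects at that location (constructed table).
expected_type() {
    case "$1" in
        /etc/rsyslog.d/*|/etc/rsyslog.conf) echo syslog_conf_t ;;
        /var/log/*)                         echo var_log_t ;;
        *)                                  echo unknown ;;
    esac
}

# triage_avc LINE -> "relabel <path> <type>" when the file is simply mislabelled,
# otherwise the rule audit2allow would generate, flagged for human review.
triage_avc() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    path=$(avc_field "$1" path)
    want=$(expected_type "$path")
    if [ "$want" != unknown ] && [ "$want" != "$tgt" ]; then
        echo "relabel $path $want"
    else
        echo "review: allow $src $tgt:$cls $perm;"
    fi
}

triage_avc "$SAMPLE_AVC"
```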

Administrative tools

● Remote log gathering, analysis, and monitoring tools
○ Help monitor the environment and catch SELinux activity.
○ Example tools:
■ Splunk
● Linux Auditd app
■ Nagios
● Configuration management tools
○ Help with SELinux remediation deployment and application deployment.
○ Example tools:
■ Ansible / Ansible Tower
■ Puppet

Custom & Vendor applications

● SELinux policies may need to be created for in-house custom applications.
○ In-house developers may need training, though by creating SELinux policies for custom applications:
■ Administrators save time, with less SELinux remediation since applications will have their own policies.
■ Developers will also take on SELinux testing of the custom application before it goes out for deployment, as it will become part of their development testing and workflow.
○ Red Hat can help with mentoring and policy development with in-house developers.
● If a vendor application does not provide an SELinux policy:
○ First contact the vendor and see if they have an SELinux policy for their application.
○ Contact Red Hat and find out if that vendor is a partner. Red Hat may be able to help.
○ If you decide to create an SELinux policy for the application, try to get a blessing from the vendor to avoid any support issues from the vendor in the future.
● The majority of Red Hat supplied applications come with a supplied SELinux policy.


If you need help contact Red Hat


SELINUX FAQ


What kind of security does SELinux provide for my production environment?


Proactive security


Could SELinux mitigate damage caused by Meltdown and Spectre?

Meltdown & Spectre vs. SELinux

Unfortunately SELinux cannot mitigate the damage caused by the recently disclosed vulnerabilities Meltdown and Spectre.

Is there an exploit example where SELinux helps to protect your system?


http://y2u.be/Ysshrh4aGOs

Is it possible to deploy SELinux configuration to a production environment?


Yes, it’s possible using Ansible!

[Figure: three systems, each labelled "SELinux - Disabled"]

Permissive mode = Debugging mode

Accesses are logged

Not enforced

[Figure: three systems, each labelled "SELinux - Permissive"]

Enforcing

SELinux security policy is enforced by the kernel

[Figure: three systems, each labelled "SELinux - Enforcing"]

Ansible Galaxy provides linux-system-roles. SELinux role

Essentially provides mechanisms to manage local customizations:

● Set enforcing/permissive
● restorecon portions of the filesystem tree
● Set/Get Booleans
● Set/Get file contexts
● Manage logins
● Manage ports


https://galaxy.ansible.com/linux-system-roles/selinux

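A playbook using the linux-system-roles.selinux role for the customizations listed above, added as an example (not from the deck or the role's own documentation); the variable names are the role's documented ones, the inventory group, the /opt/myapp/conf path and the port are illustrative values, and the restorecon of /etc/rsyslog.d relies on the targeted policy already mapping that directory to syslog_conf_t, which is what fixes the user_tmp_t label from the AVC example.

```yaml
# Added example, not the role's own code. Keeps hosts in permissive mode
# (the deck's slow rollout) while pushing the same customizations that would
# otherwise be hand-applied with setenforce/semanage/restorecon.
- name: Roll out SELinux customizations
  hosts: rsyslog_servers            # constructed inventory group
  become: true
  vars:
    selinux_policy: targeted
    selinux_state: permissive       # stay in debug mode until denials are worked through
    # Give an application's own config tree a proper type instead of an allow rule
    # (hypothetical path, used only for illustration).
    selinux_fcontexts:
      - { target: '/opt/myapp/conf(/.*)?', setype: 'etc_t', ftype: 'a', state: 'present' }
    # restorecon these trees: /etc/rsyslog.d already defaults to syslog_conf_t in the
    # targeted policy, so this alone corrects the mislabelled test2.conf from the AVC.
    selinux_restore_dirs:
      - /etc/rsyslog.d
      - /opt/myapp/conf
    selinux_booleans:
      - { name: 'httpd_can_network_connect', state: 'on', persistent: 'yes' }
    selinux_ports:
      - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }
  roles:
    - linux-system-roles.selinux
```

Flipping selinux_state to enforcing is then a one-line change applied through the same playbook once observation (steps 2 - 4) is complete.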

What is the key to understanding SELinux?


SELinux policy rules

Describe an interaction between processes and system resources


SELinux Allow rule syntax with Types


allow type1 type2:object_class permission;


allow apache_t apache_log_t:file read;

apache_process and apache_log are labels

Labels are assigned to processes and to system resources by the SELinux security policy; they map real system entities into the SELinux world.


SELinux keeps your container in its own space


container:MCS1 container:MCS2 container:MCS3

SELinux user : SELinux role : SELinux type : SELinux category

system_u:object_r:container_t:c306,c536

system_u:object_r:container_t:c206,c636

system_u:object_r:container_t:c406,c736


CONTAINERS WAY

Containers redesign the way Linux works
Time to rethink the OS, and SELinux

● SELinux is about controlling what a group of processes can do on a system.
○ OpenShift V2.0
○ ps command or ls -l /dev
● Containers are about controlling what a group of processes can do on a system
○ Only allow the writable content into the container
○ Remove all content that you don't want the container processes to reach out of the container.
○ What happens in Vegas stays in Vegas.
● SE-Android
● Docker exploits


DISCUSSION PANEL


SELINUX COLORING BOOK

https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

Don't miss these labs & sessions coming up this week

MAY 8, 1:00 - 3:00 PM: Defend yourself using built-in Red Hat Enterprise Linux security technologies (Session code: L1036)

MAY 9, 4:00 - 6:00 PM: A practical introduction to container security (Session code: L1007)

MAY 10, 1:00 - 1:45 PM: Security-Enhanced Linux for mere mortals (Session code: S1931)

MAY 10, 1:45 - 3:45 PM: A practical introduction to container security (Session code: L1007R)

THANK YOU

plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews