Secure Foundations: An SELinux Primer Shawn Wells Director, Innovation Programs & Lead Developer, SCAP
Slide 1
Slide 2
20 MINUTES, 2 QUESTIONS
- How do we label data? 2. How do we verify security compliance?
Slide 3
FIRST: An SELinux History Lesson • Originated from NSA R&D • First release in December 2010 • Integrated into mainline Linux in 2003
Slide 4
FIRST: An SELinux History Lesson Exploit Exploit
Slide 5
What An Attacker Can’t Do • Read/manipulate user data • Read/manipulate system files • Attack data/processes owned by other compartments (via polyinstantiation) • Attack other machines on the network, unless authorized to pass traffic on specific port • Evade audit subsystem
Slide 6
Role Based Access Control
Slide 7
Slide 8
Slide 9
SCAP Security Guide
Slide 10
SCAP OpenSCAP HTML Firefox
Slide 11
Red Hat Enterprise Linux 6 with KVM Red Hat Enterprise Linux 5.6 with KVM CAPP: Users control who access’ their data RBAC: Users classified into roles (“BackupAdm,” “AuditAdm”…) LSPP: Compartmentalizes users and applications from each other. Enables MLS. Certification Date IBM z/VM Version 5 Release 3 (for IBM System z VMWare Mainframes) vSphere 5.0 VMWare ESXi 4.1 Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050 2012-10-08 2012-04-20 2008-08-06 2012-05-18 2010-12-1 5 2009-07-24 EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ CAPP YES YES YES NO NO NO RBAC YES YES NO NO NO NO LSPP YES YES YES NO NO NO EAL Level
Slide 12
