Security Strategies in Linux Platforms and Applications Lesson 10
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.
Security Strategies in Linux Platforms and Applications
Lesson 10: Kernel Security Risk Mitigation
Learning Objective and Key Concepts
Learning Objective
• Assess the architecture of the Linux kernel and techniques used to enact a more secure kernel.
Key Concepts
• Linux kernel architecture
• Tuning, installing, and upgrading the Linux kernel
• Options to consider in a stock versus custom kernel scenario
• Steps to compile a custom kernel
DISCOVER: CONCEPTS
Linux Kernel Architecture
• Monolithic
• Loadable kernel module (LKM)
Linux Kernel Architecture (Continued)
Subsystems
• Process scheduler
• Memory management
• Virtual filesystem (VFS)
• Network interface
• Inter-process communication (IPC)
Linux Kernel Architecture (Continued)
Process Scheduler
• Controls access to the central processing unit (CPU)
• Interacts with the CPU
• Determines which process will have access to the CPU
• Interacts with the memory manager
Linux Kernel Architecture (Continued)
Memory Management
• Consists of a virtual memory interface to the hardware memory
• Controls access to random access memory (RAM)
• Restricts access to user processes
• Allows user processes to consume and release storage as well as memory maps for input and output
Linux Kernel Architecture (Continued)
VFS
• Loads programs or an executable
• Mounts a filesystem on the hardware
• Manages all filesystems that are mounted
• Provides a common interface for all processes
Linux Kernel Architecture (Continued)
Network Interface
• Allows Linux to access other networks
• Supports many network cards and protocols
• Provides a common interface from the hardware to other subsystems
• Allows a network card to interface with software and hardware
• Interacts with the VFS and process scheduler subsystems
Kernel Networking Options
Linux Kernel Architecture (Continued)
IPC
• Sends signals to processes
• Sends signals in the following ways:
  • Message queues
  • Semaphores
  • Shared memory
DISCOVER: PROCESS
Patching the Linux Kernel (Version 2.6.35.4)
Step 1
From the source tree (/usr/src/linux), download the patch from the Internet using the following command:
[root@is418 linux]# wget http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.35.4.bz2
Step 2
Extract the file in the source tree using the following command:
[root@is418 linux]# bunzip2 patch-2.6.35.4.bz2
Patching the Linux Kernel (Version 2.6.35.4) (Continued)
Step 3
Apply the patch using the following command:
[root@is418 linux]# patch -p1 < patch-2.6.35.4
Step 4
Proceed to build the kernel as described in the textbook.
Persisting a Kernel Parameter Change
Step 1
Open the /etc/sysctl.conf file in a text editor.
Step 2
Find the net.ipv4.tcp_syncookies directive, which reads:
net.ipv4.tcp_syncookies = 0
Persisting a Kernel Parameter Change (Continued)
Step 3
Change the directive's value so that it reads:
net.ipv4.tcp_syncookies = 1
Step 4
Save and exit.
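The same edit as a script, given here as an added example that is not part of the original slides: it rewrites the active line for a key in place, collapses duplicate entries, and appends the key when it is absent. The function names persist_sysctl and configured_value and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original slides): set KEY to VALUE in a
# sysctl configuration file without leaving duplicate or stale entries.

# persist_sysctl KEY VALUE [FILE]   (FILE defaults to /etc/sysctl.conf)
persist_sysctl() {
    key=$1; value=$2; conf=${3:-/etc/sysctl.conf}
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            n = split($0, kv, "=")
            name = kv[1]; gsub(/[ \t]/, "", name)
            if (n >= 2 && name == key) {
                # Active line for KEY: emit one canonical line, drop repeats.
                if (!seen) { print key " = " value; seen = 1 }
                next
            }
            print                       # comments and other keys pass through
        }
        END { if (!seen) print key " = " value }   # KEY was absent: append it
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# configured_value KEY FILE: print the value FILE assigns to KEY (last wins).
configured_value() {
    awk -F= -v key="$1" '
        { name = $1; gsub(/[ \t]/, "", name) }
        NF >= 2 && name == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }
    ' "$2"
}

# Constructed sample standing in for /etc/sysctl.conf.
demo_conf=$(mktemp)
printf '%s\n' '# constructed sample' 'kernel.sysrq = 0' \
    'net.ipv4.tcp_syncookies = 0' 'net.ipv4.tcp_syncookies=0' > "$demo_conf"
persist_sysctl net.ipv4.tcp_syncookies 1 "$demo_conf"
cat "$demo_conf"
```

On a real system, sysctl -p loads the edited file into the running kernel, and sysctl net.ipv4.tcp_syncookies shows the live value.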
Process to Compile a Kernel
1. Log in as root and change directory to /usr/src.
2. Download the latest stable kernel from www.kernel.org.
3. Extract the compressed source tree into the /usr/src directory and create a symbolic link from the extracted directory to /usr/src/linux.
4. Configure what needs to be compiled into the kernel and then change into the /usr/src/linux directory by typing cd /usr/src/linux.
5. Type make menuconfig.
Process to Compile a Kernel (Continued)
6. Save the options selected when exiting out of the menu interface.
7. Type make.
8. Type make modules.
9. Type make modules_install.
10. Type make install.
Customizing a Kernel with make menuconfig
DISCOVER: ROLES
Linux System Administrator
• Configures kernel parameters for optimal security
• Ensures all LKMs are necessary and tested
• Manages kernel updates
• Monitors the operating system for any kernel changes
DISCOVER: CONTEXTS
Use of LKM in Securing Linux System
Advantages
• Allows Linux to be a monolithic kernel
• Loads modules as needed
• Removes or unloads unneeded modules
• Performs changes in hardware or any new module without recompiling the kernel
Use of LKM in Securing Linux System (Continued)
Disadvantages
• Has access to kernel space and a poorly written LKM can impact the performance of the operating system
• Is a source of rootkits and other malicious software that could gain access to kernel space
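One way to act on the administrator's duty to ensure all LKMs are necessary, and on the rootkit risk listed above, is to compare the loaded modules against a reviewed allowlist. The script below is an added example, not part of the original slides; the function names, the allowlist format, and the sample module list (including the module name examplemod) are constructed for the illustration. On a live system the first argument would be /proc/modules.

```shell
#!/bin/sh
# Added example (not from the original slides): compare loaded kernel
# modules against a reviewed allowlist.

# unexpected_modules MODULES_FILE ALLOWLIST_FILE
# MODULES_FILE is in /proc/modules format; prints names absent from the list.
unexpected_modules() {
    awk '
        FILENAME == ARGV[1] {            # allowlist (may be empty)
            sub(/#.*/, "")               # strip comments
            # The kernel reports names with underscores; accept hyphens too.
            if (NF) { name = $1; gsub(/-/, "_", name); allowed[name] = 1 }
            next
        }
        !($1 in allowed) { print $1 }    # loaded module not on the list
    ' "$2" "$1" | sort
}

# tainting_modules MODULES_FILE
# Prints modules carrying taint flags, e.g. (OE): O = out-of-tree, E = unsigned.
tainting_modules() {
    awk '$NF ~ /^\(.*\)$/ { print $1, $NF }' "$1"
}

# Constructed sample input in /proc/modules format.
demo_modules=$(mktemp); demo_allow=$(mktemp)
cat > "$demo_modules" <<'EOF'
ext4 737280 1 - Live 0x0000000000000000
jbd2 131072 1 ext4, Live 0x0000000000000000
e1000 151552 0 - Live 0x0000000000000000
nf_conntrack 172032 0 - Live 0x0000000000000000
usb_storage 77824 0 - Live 0x0000000000000000
examplemod 16384 0 - Live 0x0000000000000000 (OE)
EOF

# Constructed allowlist: one module name per line, '#' starts a comment.
cat > "$demo_allow" <<'EOF'
# reviewed modules for this host (constructed)
ext4
jbd2
e1000          # NIC driver
nf-conntrack
EOF

unexpected_modules "$demo_modules" "$demo_allow"
tainting_modules "$demo_modules"
```

A module that appears in the first list is a candidate for unloading or blacklisting; one that also appears in the second was built outside the kernel tree or is unsigned and deserves review first.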
DISCOVER: RATIONALE
Linux Kernel Architecture
Assessing the Linux kernel architecture helps to:
• Examine how memory and swap space are managed
• Examine how modules interact with the kernel
• Analyze the risks involved when adding new modules
• Explore how networks interact with the kernel and the drivers and protocols that are available for use
• Understand how filesystems are mounted and managed
Vendor-Supplied and Custom Kernel
Vendor-Supplied Kernel
Pros
• Easier to apply patches and updates, easier to maintain, and has a system to address security issues
Cons
• Has generic builds that are not optimized for the specific hardware that will run the kernel
• Often contains more features and modules than are needed
Vendor-Supplied and Custom Kernel (Continued)
Custom Kernel
Pros
• Optimized for specific hardware
• More secure because only the needed features and modules are compiled into the kernel
Cons
• Need to recompile when patches are available
• Requires a Linux system administrator to manage kernel updates
Benefits of Installing a New Kernel
• Installing is less risky than upgrading because a computer system can become unstable or even unbootable after an upgrade.
• If the new kernel causes the computer system to become unbootable or unstable, the older kernel will still be available to run the system until the issue is resolved.
Summary
• Vendor-supplied and custom Linux kernel
• Process to patch and compile a Linux kernel
• Role of a Linux system administrator in securing the Linux kernel
• Use of LKM to secure the Linux kernel
• Benefits of installing a new kernel
OPTIONAL SLIDES
Ubuntu Kernel Package Options
Customizing a Kernel with make config