
SECURITY IN THE LINUX OPERATING SYSTEM

SECURITY IN THE LINUX OPERATING SYSTEM. Andy Saxena Somudra Chakraborty CSE 258, Fall 1999. Introduction. Linux is a multi-user operating system. Security mechanisms must allow users to service their legitimate needs without compromising the server system security.


Presentation Transcript


  1. SECURITY IN THE LINUX OPERATING SYSTEM Andy Saxena Somudra Chakraborty CSE 258, Fall 1999

  2. Introduction • Linux is a multi-user operating system. • Security mechanisms must allow users to service their legitimate needs without compromising the server system security. • Private data must still remain private, • Resource and file management must maintain integrity; • User privileges must still be granted. • Overall system stability and correctness cannot suffer.

  3. External Security • User login • Uses passwords for authentication • Passwords encrypted using DES • “Shadow Technique” to hide encrypted password - /etc/shadow

  4. External Security • Password Shadowing • /etc/passwd: user:passwd:UID:GID:full_name:home_directory:shell • /etc/shadow: user:x:UID:GID:full_name:home_directory:shell • Shadowing does not change the structure of /etc/passwd. It simply moves the passwords.

  5. External Security • Password Attacks • Brute Force: cycle through all 2^56 possible keys until one works. On July 17, 1998, Deep Crack cracked the 56-bit key in 56 hours. • Dictionary Attack: search the key space that comprises weak passwords. • Crack - www.users.dircon.co.uk/~crypto/index.html

  6. External Security • Remote Access Precautions • Secure Shell - http://www.ssh.org • Replaces telnet, rlogin, ftp • Provides secure means of data transmission • Insecure networks are no longer a problem

  7. External Security • SSH - 3 major components • Transport Layer [SSH-TRANS] - provides server authentication, confidentiality, and integrity • User authentication protocol [SSH-USERAUTH] - runs over the transport layer protocol, authenticates the client-side user to the server • Connection protocol [SSH-CONN] - runs over the user authentication protocol, multiplexes the encrypted tunnel into several logical channels

  8. External Security • Administering Trusted Users and Hosts • The .rhosts file exists in a user's home directory • Specifies trusted hosts based on the user’s choice • More headaches for administrator - loss of control • Solution - disable or monitor contents. • Limiting User Access to System Resources • In /etc/pam.d/limits.conf • Limit processes per user. • Limit memory usage.

  9. Internal Security 5 functional mechanisms implemented • audit trail mechanisms, • discretionary access control, • information labels, • mandatory access control and • privilege.

  10. Internal Security • Audit Trail Functionality • System generated records - Include system and kernel messages • syslogd & klogd ---> /var/log/messages • syslogd -> program name, facility type, priority, etc. • klogd -> intercepts and logs kernel messages • Application generated records - Store in user-managed space. • Limit User Access to System Resources • In /etc/pam.d/limits.conf • Limit processes per user. • Limit memory usage.

  11. Internal Security • Discretionary Access Control (DAC) • Limit a user’s access to a file. • Let owner determine file access permissions. • Information Labels • Contain file information about origin of file, a release marking, DAC advisories, project related information, etc. • Purpose - tracking

  12. Internal Security • Privilege (Dynamic implementation) • Elevating subject permissions temporarily. • Lets subject override access control information for an object. • Set SUID bit • Mandatory Access Control • Protection decisions must not be decided by the object owner. • The system must enforce the protection decisions.

  13. Internal Security • File Access • Permission Bit Mechanism (Part of DAC) is implemented. • Read, write, execute permissions for owner, group and other. • 10 bits used. • ACL object. • Groups • Grant privileges to a group of users. • Information stored in the groups vector in the task_struct (defined in sched.h).

  14. Internal Security Memory Access • Each process has its own page table. • All memory access via page table. • Easy for OS to terminate process which references an invalid memory address. • Access control information for page held in the page table entry (PTE). • Prevents executable code from being overwritten • Separates kernel code and user code.

  15. Internal Security • Memory Access • KRE - Code running in kernel mode can read this page • URE - Code running in user mode can read this page • KWE - Code running in kernel mode can write to this page • UWE - Code running in user mode can write to this page

  16. Internal Security Process Execution Control • Kernel generates signals to executing processes. • Processes may choose to ignore most signals. • Cannot ignore SIGSTOP and SIGKILL • SIGSTOP - Halt execution. • SIGKILL - Terminate process. • This is a mandatory access control implementation.

  17. Conclusion • Linux is a versatile OS. • Security implementation in the OS is spread throughout the system - memory management, file management, process management, etc. • Therefore every aspect of security needs to be configured from scratch since default is not maximum security.
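
Slides 3 to 5 describe moving password hashes out of the world-readable /etc/passwd. The following is an added example (not part of the presentation) that audits passwd-format text for entries whose password field was not replaced by `x`; the sample lines, account names and hash value are constructed, and the function names are hypothetical.

```python
import re

# Traditional DES crypt(3) output: 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample in the 7-field passwd layout shown on slide 4.
SAMPLE = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "alice:abCONSTRUCTED:1000:1000:Alice:/home/alice:/bin/bash",
    "bob::1001:1001:Bob:/home/bob:/bin/sh",
    "daemon:*:2:2:daemon:/sbin:/sbin/nologin",
    "carol:x:1002",
])

def classify_password_field(field: str) -> str:
    """Describe what the second passwd field holds."""
    if field == "x":
        return "shadowed"              # hash lives in /etc/shadow
    if field == "":
        return "empty"                 # account has no password at all
    if field[0] in "*!":
        return "locked"                # no valid hash can match
    if DES_CRYPT.match(field):
        return "des-hash-exposed"      # readable by every local user
    if field.startswith("$"):
        return "modular-hash-exposed"  # $id$salt$hash format, still exposed
    return "unknown"

def audit_passwd(text: str):
    """Return (line number, user, finding) for entries that need attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "?", "malformed"))
            continue
        status = classify_password_field(fields[1])
        if status not in ("shadowed", "locked"):
            findings.append((lineno, fields[0], status))
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
```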
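
Slide 16 states that a process may ignore most signals but not SIGSTOP or SIGKILL. The following is an added example (not part of the presentation) in which a child process tries to ignore all three kinds and the parent observes the result; the function name and the 0.2 second wait are assumptions.

```python
import os
import signal
import time

def signal_demo():
    """Fork a child that tries to ignore SIGKILL, SIGSTOP and SIGTERM."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                         # child process
        try:
            os.close(r)
            refused = 0
            for sig in (signal.SIGKILL, signal.SIGSTOP):
                try:
                    signal.signal(sig, signal.SIG_IGN)
                except OSError:          # kernel rejects the request
                    refused += 1
            signal.signal(signal.SIGTERM, signal.SIG_IGN)  # this one is allowed
            os.write(w, bytes([refused]))  # tell the parent setup is done
            while True:
                time.sleep(1)
        finally:
            os._exit(1)                  # never return into the caller's code

    os.close(w)
    refused = os.read(r, 1)[0]           # blocks until the child is ready
    os.close(r)

    os.kill(pid, signal.SIGTERM)         # ignored by the child
    time.sleep(0.2)
    survived = os.waitpid(pid, os.WNOHANG) == (0, 0)

    os.kill(pid, signal.SIGKILL)         # cannot be ignored
    _, status = os.waitpid(pid, 0)
    killed_by = os.WTERMSIG(status) if os.WIFSIGNALED(status) else None
    return {"refused": refused, "survived_sigterm": survived, "killed_by": killed_by}

if __name__ == "__main__":
    print(signal_demo())
```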
