Linux security system

One of the reasons for the great success of the Linux OS on embedded and mobile devices and on servers is the fairly high degree of security of the kernel, its related services and applications. But if you look closely at the architecture of the Linux kernel, you will not find a box in it that is responsible for security as such. So where is the Linux security subsystem hiding, and what does it consist of?

Background on Linux Security Modules and SELinux

Security-Enhanced Linux is a set of rules and access mechanisms based on the mandatory and role-based access models, designed to protect Linux systems from potential threats and to correct the shortcomings of Discretionary Access Control (DAC), the traditional Unix security model. The project originated in the bowels of the US National Security Agency, and it was developed directly by the contractors Secure Computing Corporation and MITRE, as well as several research laboratories.

Figure: Linux Security Modules

Linus Torvalds made a number of comments on the NSA's new developments so that they could be included in the Linux kernel mainline. He described a general environment with a set of interceptors (hooks) for controlling operations on objects and a set of protective fields in kernel data structures for storing the corresponding attributes. This environment can then be used by loadable kernel modules to implement any desired security model. LSM was merged into Linux kernel v2.6 in 2003.

The LSM framework includes guard fields in data structures and calls to hook functions at critical points in the kernel code to manipulate them and enforce access control. It also adds functionality for registering security modules. The /sys/kernel/security/lsm interface contains the list of modules active on the system. LSM hooks are stored in lists that are called in the order specified in CONFIG_LSM. Detailed documentation on the hooks is included in the header file include/linux/lsm_hooks.h.

The LSM subsystem made it possible to complete the full integration of SELinux with that same version of the stable Linux kernel, v2.6. Almost immediately, SELinux became the de facto standard for a secure Linux environment and was included in the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

SELinux glossary

  • Identity - A SELinux user is not the same as the usual Unix/Linux user ID; they can coexist on the same system, but they are quite different. Each standard Linux account can correspond to one or more SELinux users. The SELinux identity is part of the overall security context, which determines which domains you can and cannot enter.
  • Domains - In SELinux, a domain is the execution context of a subject, i.e. a process. The domain directly determines the access a process has. Essentially, a domain is a list of what processes can do, or what a process can do with different types. Some examples of domains are sysadm_t for system administration and user_t, the normal unprivileged user domain. The init process runs in the init_t domain, and the named process runs in the named_t domain.
  • Roles - Serve as an intermediary between domains and SELinux users. A role determines which domains a user can be in and which object types can be accessed. This access control mechanism prevents privilege escalation threats. Roles are written into the Role Based Access Control (RBAC) security model used in SELinux.
  • Types - A Type Enforcement attribute. A type is assigned to an object and determines who can access it. It is similar to the definition of a domain, except that a domain applies to a process and a type applies to objects such as directories, files, sockets, and so on.
  • Subjects and objects - Processes are subjects and run in a specific context, or security domain. Operating system resources (files, directories, sockets, and so on) are objects that are assigned a certain type, in other words a secrecy level.
  • SELinux policies - SELinux uses a variety of policies to protect the system. A SELinux policy defines user access to roles, role access to domains, and domain access to types. First, the user is authorized to obtain a role, then the role is authorized to access a domain. Finally, a domain can only access certain types of objects.

LSM and SELinux architecture

Despite the name, LSMs are generally not loadable Linux modules. Instead, like SELinux, they are integrated directly into the kernel. Any change to the LSM source code requires a new kernel build. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in that case, it can be activated by an OS bootloader option.

Figure: LSM hooks

LSM is equipped with hooks in the kernel functions that may be relevant for checks. One of the main features of LSMs is that they are stacked. Thus the standard checks are still performed, and each LSM layer only adds further controls and checks. This means that a denial cannot be reversed: an LSM can only tighten access, never grant what DAC has already refused. This is shown in the figure; if the result of the usual DAC checks is a failure, the matter will not even reach the LSM hooks.

SELinux adopts the Flask security architecture from the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as its name suggests, is to grant a user or process only those rights that are necessary to perform the intended actions. This principle is implemented using type enforcement, so access control in SELinux is based on the domain => type model.

Thanks to type enforcement, SELinux has far greater access control capabilities than the traditional DAC used in Unix/Linux operating systems. For example, you can restrict the network port number that an ftp server will connect to, or allow writing and modifying files in a particular folder but not deleting them.

The main components of SELinux are:

  • Policy Enforcement Server - The main mechanism for organizing access control.
  • The system security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs - A pseudo-FS, similar to /proc and mounted at /sys/fs/selinux. It is populated dynamically by the Linux kernel at runtime and contains files holding SELinux status information.
  • Access Vector Cache - An auxiliary mechanism for increasing performance.

Figure: How SELinux works

It all works as follows.

  1. A subject, in SELinux terms, performs a permitted action on an object after the DAC check, as shown in the upper figure. This request to perform an action goes to the LSM event interceptor.
  2. From there the request, together with the security context of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interaction with LSM.
  3. The decision-making authority on a subject's access to an object is the Policy Enforcement Server, and it receives its data from SELinux AnHL.
  4. To decide whether to allow or deny access, the Policy Enforcement Server turns to the Access Vector Cache (AVC) caching subsystem for the most frequently used rules.
  5. If a decision for the corresponding rule is not found in the cache, the request is sent to the security policy database.
  6. The search result from the database and the AVC is returned to the Policy Enforcement Server.
  7. If the policy found matches the requested action, the action is permitted. Otherwise the action is forbidden.

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing - Strict adherence to the security policy.
  • Permissive - Violations of the restrictions are allowed; a corresponding entry is written to the log.
  • Disabled - The security policy is not in effect.

You can see which mode SELinux is in with the following command.

[admin@server ~]$ getenforce
Permissive

To change the mode until the next reboot, for example to set it to enforcing, or 1. The permissive parameter corresponds to the numeric code 0.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing

You can also change the mode by editing the configuration file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that when the operating system boots, the SELinux mode will be set according to the value of SELINUX in the config file. Moreover, a change enforcing <=> disabled only takes effect by editing the /etc/selinux/config file and after a reboot.
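The following is an added example, not code from the article: a few POSIX shell functions that read the SELINUX= value out of a file in /etc/selinux/config format, flag the drift between the running mode and the configured one that sestatus exposes (a setenforce that was never written to the config file), and apply the rule just stated about which changes need a reboot. The config text and the sestatus output are constructed samples, so this runs on a machine without SELinux; the function names are this example's own.

```shell
# Added example: SELinux mode bookkeeping without touching a real system.

# Print the effective SELINUX= value from config-file text given as $1
# (comments and blank lines are ignored; the last assignment wins).
config_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# Succeed only for the three values the config file accepts.
valid_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare "Current mode" with "Mode from config file" in sestatus output ($1).
# Prints "ok" when they agree and "drift" when a live setenforce change was
# never persisted (or the file was edited without a reboot).
mode_drift() {
    _cur=$(printf '%s\n' "$1" | sed -n 's/^Current mode:[[:space:]]*//p')
    _cfg=$(printf '%s\n' "$1" | sed -n 's/^Mode from config file:[[:space:]]*//p')
    if [ "$_cur" = "$_cfg" ]; then echo ok; else echo drift; fi
}

# The article's rule: enforcing <-> permissive can be switched live with
# setenforce, but anything to or from "disabled" needs the config file and a reboot.
# $1 = current mode, $2 = wanted mode.
switch_method() {
    if [ "$1" = disabled ] || [ "$2" = disabled ]; then
        echo "edit /etc/selinux/config and reboot"
    else
        echo "setenforce $2"
    fi
}

# Constructed sample config, laid out like the real file.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted'

# Constructed sestatus excerpt with the same mismatch the article shows.
SAMPLE_STATUS='SELinux status: enabled
Current mode: permissive
Mode from config file: enforcing'

config_mode "$SAMPLE_CONFIG"               # enforcing
mode_drift "$SAMPLE_STATUS"                # drift
switch_method permissive enforcing         # setenforce enforcing
switch_method enforcing disabled           # edit /etc/selinux/config and reboot
```

On a real host you would feed it `cat /etc/selinux/config` and `sestatus` output; "drift" after a reboot means the file, not the last setenforce, decided the mode.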

View a brief status report:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

To view SELinux attributes, some of the standard tools accept the -Z parameter.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared to the normal output of ls -l, there is an additional field with several parts in the following format:

<user>:<role>:<type>:<level>

The last field denotes something like a security classification and consists of a combination of two elements:

  • s0 - sensitivity, also written as a low-high level range
  • c0, c1 … c1023 - categories.
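The following is an added example and not part of the article: shell functions that split a security context into the four fields just described (the level itself may contain a colon, as in s0-s0:c0.c1023, so only the first three colons separate fields), split the level into sensitivity and categories, and scan ps -Z output for processes that are not in the domain they should be in. The ps -Z text is a constructed sample; the third httpd in it was started from an administrator's shell and so inherited unconfined_t instead of httpd_t, which is the kind of thing this check is meant to surface. The function names are this example's own.

```shell
# Added example: work with <user>:<role>:<type>:<level> contexts.

# One field each of <user>:<role>:<type>:<level>; the level keeps any
# further ':' (MCS categories), so it is taken as "field 4 to the end".
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Split a level such as "s0-s0:c0.c1023" into its sensitivity range and its
# categories; "cut -s" prints nothing when there are no categories at all.
level_sensitivity() { printf '%s\n' "$1" | cut -d: -f1; }
level_categories()  { printf '%s\n' "$1" | cut -s -d: -f2; }

# $1 = "ps -Z"-style text (LABEL PID TTY TIME CMD), $2 = command name,
# $3 = domain it is expected to run in. Prints the PIDs of matching
# processes whose type differs; returns 1 if any were found.
find_wrong_domain() {
    printf '%s\n' "$1" | awk -v cmd="$2" -v want="$3" '
        NR > 1 && $5 == cmd {
            split($1, f, ":")
            if (f[3] != want) { print $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: two confined workers and one started by hand.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4711 pts/0 00:00:00 httpd'

ctx_type  'system_u:object_r:httpd_log_t:s0'                        # httpd_log_t
ctx_level 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'   # s0-s0:c0.c1023
level_categories 's0-s0:c0.c1023'                                   # c0.c1023
find_wrong_domain "$SAMPLE_PS" httpd httpd_t || echo "httpd outside httpd_t found"
```

A service that shows up in unconfined_t is not protected by the targeted policy at all, so the check is worth running against `ps -eZ` after any manual restart.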

Changing access settings

Use semodule to load, add and remove SELinux modules.

[admin@server ~]$ semodule -l | wc -l # list all modules
408
[admin@server ~]$ semodule -e abrt # enable - activate a module
[admin@server ~]$ semodule -d accountsd # disable - deactivate a module
[admin@server ~]$ semodule -r avahi # remove - delete a module

The first semanage login command links a SELinux user to an operating system user, the second shows the list. Finally, the last command, with the -d switch, removes the mapping of the SELinux user to the OS account. The MLS/MCS Range values are explained in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The semanage user command is used to manage the mapping between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command parameters:

  • -a add a custom role mapping entry;
  • -l list the users and their matching roles;
  • -d delete a user role mapping entry;
  • -R the list of roles attached to a user;

Files, ports and Boolean values

Each SELinux module provides a set of file labelling rules, but you can also add your own rules if necessary. For example, we want the web server to have access rights to the /srv/www folder.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers the new labelling rules, and the second resets, or rather sets, the file types according to the current rules.

Likewise, TCP/UDP ports are labelled so that only the corresponding service can listen on them. For example, for the web server to listen on port 8080, you need to run the command:

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

A significant number of SELinux modules have parameters that can take Boolean values. The full list of such parameters can be seen using getsebool -a. You can change a boolean value using setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Workshop: getting access to the pgadmin-web interface

Let's look at a practical example: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We went through a small quest with the pg_hba.conf, postgresql.conf and config_local.py settings, set the folder permissions, and installed the missing Python modules from pip. Everything is ready, we launch it and get Internal Server Error 500.


We start with the usual suspects and check /var/log/httpd/error_log. There are some interesting entries there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point, most Linux administrators will have a strong urge to run setenforce 0, and that's the end of it. Honestly, that is what I did the first time. This is of course also a way out, but far from the best one.

Despite its sophisticated design, SELinux can be user-friendly. Just install the setroubleshoot package and check the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the audit service must be restarted this way, and not with systemctl, despite the presence of systemd in the OS. The system log will then show not only the fact of the blocking, but also the reason and the way to overcome the ban.
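The following is an added example, not code from the article and not a setroubleshoot rule: a small shell parser for AVC denial records in the form the audit daemon writes them, which reduces each record to source type, permission, object class and target type, counts repeats, and attaches a triage hint for the two denial shapes this workshop deals with (a web server writing to a directory with an unexpected label, and a web server connecting out to a database port). The audit records are constructed samples that follow the real field layout; the function names and the hint texts are this example's own.

```shell
# Added example: summarise AVC denials before deciding between a boolean,
# a relabel or a policy module.

# Print the value of one key=value field in an audit record ($1 = record,
# $2 = key); surrounding quotes are stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
    }'
}

# Print the permission(s) inside "denied { ... }", trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# Reduce every AVC denial in $1 to "count stype perm tclass ttype",
# most frequent first; non-AVC records (SYSCALL, CWD, ...) are skipped.
avc_summary() {
    printf '%s\n' "$1" | while IFS= read -r rec; do
        case "$rec" in *denied*) ;; *) continue ;; esac
        _s=$(avc_field "$rec" scontext | cut -d: -f3)
        _t=$(avc_field "$rec" tcontext | cut -d: -f3)
        printf '%s %s %s %s\n' "$_s" "$(avc_perms "$rec")" "$(avc_field "$rec" tclass)" "$_t"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Illustrative triage hint ($1 = source type, $2 = permission, $3 = class),
# limited to the two shapes the workshop resolves; everything else is
# left to the setroubleshoot entry in the journal.
avc_hint() {
    case "$1/$3/$2" in
        httpd_t/tcp_socket/name_connect)
            echo "check the httpd_can_network_connect / httpd_can_network_connect_db booleans with getsebool" ;;
        httpd_t/dir/*|httpd_t/file/*)
            echo "check the target label with ls -Z; fix with semanage fcontext and restorecon" ;;
        *)  echo "no built-in hint; read the setroubleshoot entry in journalctl" ;;
    esac
}

# Constructed audit.log excerpt: two identical directory denials, one
# outbound-connect denial, and a SYSCALL record that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1601234567.101:301): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1601234567.102:302): avc:  denied  { write } for  pid=23691 comm="httpd" name="pgadmin" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1601234567.103:303): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1601234567.103:303): arch=c000003e syscall=42 success=no exit=-13'

avc_summary "$SAMPLE_AUDIT"
# 2 httpd_t write dir var_lib_t
# 1 httpd_t name_connect tcp_socket postgresql_port_t
avc_hint httpd_t name_connect tcp_socket
avc_hint httpd_t write dir
```

Records with permissive=1 are worth separating out when reading a real log: they are denials that were logged but not blocked, and they would become real failures on the next switch to enforcing.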


We execute the following commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web page; everything works.


source: www.habr.com
