Linux Security Systems

One of the reasons for the great success of the Linux OS on embedded and mobile devices and on servers is the fairly high degree of security of the kernel, its related services and applications. But if you look closely at the architecture of the Linux kernel, you cannot find a box in it that is responsible for security as such. So where is the Linux security subsystem hiding, and what does it consist of?

History of Linux Security Modules and SELinux

Security Enhanced Linux is a set of rules and an access mechanism based on mandatory and role-based access models, designed to protect Linux systems from potential threats and to fix the shortcomings of Discretionary Access Control (DAC), the traditional Unix security model. The project originated in the depths of the US National Security Agency; the contractors Secure Computing Corporation and MITRE, as well as several research laboratories, were directly involved in the development.

(Figure: Linux Security Modules)

Linus Torvalds made a number of comments on the NSA's novelty so that it could be included in the main branch of the Linux kernel. He described a general framework containing interceptors for controlling operations on objects, together with a set of protective fields in kernel data structures for storing the corresponding attributes. That framework could then be used by loadable kernel modules to implement any desired security model. LSM was fully merged into Linux kernel v2.6 in 2003.

The LSM framework consists of guard fields in data structures and calls to hook functions at critical points in the kernel code, which manipulate those fields and perform access control. It also adds the functionality for registering security modules. The /sys/kernel/security/lsm interface contains the list of modules active on the system. LSM hooks are stored in lists that are called in the order specified in CONFIG_LSM. Detailed documentation on the hooks is included in the header file include/linux/lsm_hooks.h.

The LSM subsystem made it possible to complete the full integration of SELinux into the same Linux kernel v2.6 release. At the same time, SELinux became the de facto standard for a secure Linux environment and part of the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

Glossary

  • Identity - A SELinux user is not the same as the familiar Unix/Linux user id; they can coexist on the same system but are essentially different. Each standard Linux account can correspond to one or more SELinux users. The SELinux identity is part of the overall security context, which determines which domains you can and cannot enter.
  • Domains - In SELinux, a domain is the execution context of a subject, i.e. a process. The domain directly determines what access a process has. A domain is essentially a list of what a process may do, or what actions the process may perform on different types. Some examples of domains are sysadm_t for system administration and user_t, which is the ordinary unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the named_t domain.
  • Roles - Something that serves as an intermediary between domains and SELinux users. Roles define which domains a user may enter and which object types the user may access. This access control mechanism prevents the threat of privilege escalation attacks. Roles are part of the Role Based Access Control (RBAC) security model used in SELinux.
  • Types - A Type Enforcement attribute that is assigned to an object and determines who may access it. Similar to a domain definition, except that a domain is applied to a process, while a type is applied to objects such as directories, files, sockets, and so on.
  • Subjects and objects - Processes are subjects and run in a particular context, or security domain. Operating system resources (files, directories, sockets, etc.) are objects that are assigned a particular type, in other words a sensitivity level.
  • SELinux policies - SELinux uses a variety of policies to protect the system. A SELinux policy defines the access of users to roles, of roles to domains, and of domains to types. First, a user is authorized to enter a role, then the role is authorized to enter domains. Finally, a domain may have access only to certain types of objects.

LSM and SELinux architecture

Despite the name, LSMs are not loadable Linux modules. Like SELinux, they are built directly into the kernel. Any change to the LSM source code requires recompiling the kernel. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in that case, it can be enabled through an OS bootloader parameter.

(Figure: LSM checks)

LSM has hooks in the core kernel functions that may be relevant for checks. One of the main properties of LSM is that it is stacked on top of the existing checks. Therefore the usual checks are still performed, and each LSM layer only adds further control and management elements. This means that a denial cannot be reversed. This is shown in the figure: if the result of the usual DAC check is a failure, the request does not even reach the LSM hooks.

SELinux adopted the Flask security architecture of the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as its name suggests, is to grant a user or a process only the rights that are necessary to perform the intended actions. The principle is implemented through type enforcement, so SELinux access control is based on the domain => type model.

Thanks to type enforcement, SELinux has far greater access control capabilities than the DAC used in Unix/Linux systems. For example, you can restrict the network port number on which an ftp server may listen, or allow writing and modifying files in a particular folder but not deleting them.

The main components of SELinux are:

  • Policy Enforcement Server - The main mechanism for organizing access control.
  • System security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs - A pseudo-FS, similar to /proc, mounted at /sys/fs/selinux. It is populated by the Linux kernel at runtime and contains files with SELinux status information.
  • Access Vector Cache - An auxiliary mechanism for improving performance.

(Figure: How SELinux works)

It all works as follows.

  1. A subject, in SELinux terms, performs a permitted action on an object after the DAC check, as shown in the figure above. The request to perform the operation goes to the LSM event interceptor.
  2. From there the request, together with the security contexts of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for the interaction with LSM.
  3. The Policy Enforcement Server is the one that makes the decision on the subject's access to the object, and it receives the data from SELinux AnHL.
  4. To make the decision on access or denial, the Policy Enforcement Server turns to the caching subsystem for the most frequently used rules, the Access Vector Cache (AVC).
  5. If the answer for the corresponding rule is not found in the cache, the request is passed on to the security policy database.
  6. The lookup result from the database and the AVC is returned to the Policy Enforcement Server.
  7. If the policy found matches the requested action, the operation is allowed. Otherwise, the operation is denied.
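The decision flow in steps 1 to 7, modelled in Python as an added example (not kernel code; the allow rules are constructed for illustration and the real AVC and Policy Enforcement Server live inside the kernel). It shows that DAC runs first, that the AVC is consulted before the policy database, and that anything without a matching allow rule is denied.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessQuery:
    source_domain: str   # domain of the subject (process), e.g. httpd_t
    target_type: str     # type of the object, e.g. httpd_sys_content_t
    obj_class: str       # object class, e.g. "file"
    perm: str            # requested permission, e.g. "read"


@dataclass
class PolicyEnforcementServer:
    # Policy database: (domain, type, class) -> allowed permissions (constructed).
    policy_db: dict
    avc: dict = field(default_factory=dict)   # Access Vector Cache, step 4
    stats: dict = field(default_factory=lambda: {"hits": 0, "misses": 0})

    def _lookup_db(self, q: AccessQuery) -> bool:
        # Step 5: deny by default when no allow rule covers the request.
        key = (q.source_domain, q.target_type, q.obj_class)
        return q.perm in self.policy_db.get(key, frozenset())

    def decide(self, q: AccessQuery) -> bool:
        """Steps 4-7: check the AVC, fall back to the policy DB, cache the verdict."""
        if q in self.avc:
            self.stats["hits"] += 1
            return self.avc[q]
        self.stats["misses"] += 1
        verdict = self._lookup_db(q)
        self.avc[q] = verdict          # step 6: result flows back through the AVC
        return verdict


def check_access(dac_allows: bool, pes: PolicyEnforcementServer, q: AccessQuery) -> str:
    """Step 1: the LSM hook (and SELinux) is reached only if the DAC check passed."""
    if not dac_allows:
        return "denied by DAC"
    return "allowed" if pes.decide(q) else "denied by SELinux"


# Constructed sample rules using the httpd types shown later in the article.
SAMPLE_POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): frozenset({"read", "getattr", "open"}),
    ("httpd_t", "httpd_log_t", "file"): frozenset({"append", "create", "getattr"}),
}
```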

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing - Security policies are strictly enforced.
  • Permissive - Violations of the restrictions are allowed, but a corresponding record is written to the log.
  • Disabled - Security policies are not in effect.

You can see the current SELinux mode with the following command.

[admin@server ~]$ getenforce
Permissive

To change the mode until the next reboot, set, for example, enforcing, or 1. The permissive mode corresponds to the numeric value 0.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing

You can also change the mode by editing the file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that when the operating system boots, the SELinux mode is set according to the value of the SELINUX parameter in the configuration file. In addition, the enforcing <=> disabled switch takes effect only by editing the /etc/selinux/config file and only after a reboot.

View a brief status report:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

To view SELinux attributes, some utilities use the -Z parameter.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared to the output of ls -l, there are several additional fields, in the following format:

<user>:<role>:<type>:<level>

The last field denotes something like a security classification and consists of two elements:

  • s0 - sensitivity, which can also be written as a low-high range
  • c0, c1… c1023 - category.
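A parser for the four-field context shown by ls -Z and ps -Z, added here as an illustration (not code from the original article). It splits a label into user, role, type and level, expands the MLS/MCS range (sensitivity low-high plus category ranges such as c0.c1023), and pulls every context out of ls -Z / ps -Z output; the sample output is constructed from two lines of the article plus one made-up line for an unconfined shell.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityContext:
    user: str          # SELinux identity, e.g. system_u
    role: str          # object_r for objects, *_r for subjects
    type_: str         # type of an object, or domain of a process
    level_low: str     # sensitivity, e.g. s0
    level_high: str    # equals level_low when no range is given
    categories: Tuple[Tuple[int, int], ...]  # c0.c1023 -> ((0, 1023),)

# <user>:<role>:<type>:<sens>[-<sens>[:<categories>]]
_CTX_RE = re.compile(
    r"^([^:\s]+):([^:\s]+):([^:\s]+):(s\d+)(?:-(s\d+))?(?::(c[\w.,]+))?$")
# Same shape, used to find context tokens inside ls -Z / ps -Z lines.
_CTX_TOKEN = re.compile(r"\b\w+_u:\w+_r:\w+_t:s\d+(?:-s\d+)?(?::c[\w.,]+)?")


def _parse_categories(cats: Optional[str]) -> Tuple[Tuple[int, int], ...]:
    """'c0.c1023' -> ((0, 1023),); 'c0,c5' -> ((0, 0), (5, 5)); None -> ()."""
    if not cats:
        return ()
    ranges = []
    for item in cats.split(","):        # "," separates items, "." marks a range
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])               # strip the leading "c"
        ranges.append((lo_n, int(hi[1:]) if hi else lo_n))
    return tuple(ranges)


def parse_context(label: str) -> SecurityContext:
    """Split one context string into its fields; reject anything else."""
    m = _CTX_RE.match(label.strip())
    if not m:
        raise ValueError(f"not a SELinux context: {label!r}")
    user, role, type_, low, high, cats = m.groups()
    return SecurityContext(user, role, type_, low, high or low, _parse_categories(cats))


def contexts_in_output(text: str) -> List[SecurityContext]:
    """Parse every context found in ls -Z / ps -Z style output."""
    return [parse_context(tok) for tok in _CTX_TOKEN.findall(text)]


# Constructed sample: first two lines as in the article, third line made up.
SAMPLE_OUTPUT = """\
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3001 pts/0 00:00:00 bash
"""
```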

Configuring access

Use semodule to manage SELinux modules: list them, enable and disable them, and remove them.

[admin@server ~]$ semodule -l |wc -l # list of all modules
408
[admin@server ~]$ semodule -e abrt # enable - activate the module
[admin@server ~]$ semodule -d accountsd # disable - deactivate the module
[admin@server ~]$ semodule -r avahi # remove - delete the module

The first semanage login command maps a SELinux user to an operating system user, the second lists the mappings. Finally, the last command with the -d switch removes the mapping of a SELinux user to an OS account. The syntax of the MLS/MCS Range values is described in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The semanage user command is used to manage the mapping between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command options:

  • -a add a mapping entry;
  • -l list users with their mapped roles;
  • -d delete a mapping entry;
  • -R list of roles assigned to the user;

Files, ports and booleans

Each SELinux module provides a set of file labeling rules, but you can also add your own rules if needed. For example, we want the web server to have access to the /srv/www folder.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers the new labeling rule, and the second resets, or rather applies, the file types according to the current rules.

Similarly, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, for the web server to listen on port 8080, you need to run the following command.

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

Many SELinux modules have parameters that take boolean values. The full list of such parameters can be viewed with getsebool -a. Boolean values can be changed with setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Practicum: getting access to pgadmin-web

Consider an example from practice: we installed pgadmin4-web on RHEL 7.6 to administer a PostgreSQL database. We went through a small quest with configuring pg_hba.conf, postgresql.conf and config_local.py, set permissions on the folders, and installed the missing Python modules from pip. Everything is ready, we launch it and get a 500 Internal Server Error.


We start with the usual suspects and check /var/log/httpd/error_log. There are some interesting entries there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point, most Linux administrators will be strongly tempted to run setenforce 0 and be done with it. Honestly, the first time around, that is exactly what I did. It is, of course, a way out, but far from the best one.

Despite its cumbersome design, SELinux can be quite user-friendly. Just install the setroubleshoot package and look at the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the audit service must be restarted in exactly this way, not with systemctl, even though the OS runs systemd. The system log will then show not only the fact of the block, but also the reason and a way to lift the restriction.


We run these commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web page: everything works.


Source: www.habr.com
