21c-AppArmorSELinux
Previous: 21b-Virtualization.html
Screencasts
Included as part of lecture: 21d-PracticalPersonal.html
Un-trusted applications?
Skype uploadded shadow files, MS got hand caught in cookie jar by
apparmor, and recently does it again:https://www.osnews.com/story/137828/new-outlook-sends-passwords-mails-and-other-data-to-microsoft/ https://mailbox.org/en/post/warning-new-outlook-sends-passwords-mails-and-other-data-to-microsoft
Linux Security Modules
(LSM)
https://en.wikipedia.org/wiki/Linux_Security_Modules
Linux Security Modules (LSM) is a framework that allows the Linux
kernel to support a variety of computer security models while avoiding
favoritism toward any single security implementation.
The framework is licensed under the terms of the GNU General Public
License and is standard part of the Linux kernel since Linux 2.6.
AppArmor, SELinux, Smack, TOMOYO Linux, and Yama are the currently
accepted modules in the official kernel.
AppArmor
https://en.wikipedia.org/wiki/AppArmor
AppArmor supplements the traditional Unix discretionary access
control (DAC) model by providing mandatory access control (MAC).
Defined by central configuration files, without modifying files or
processes
Restricts only user-specified processes (defined by path) access
over entities (files, network, etc.)
Guides (in recommended
order)
https://help.ubuntu.com/community/AppArmor https://debian-handbook.info/browse/stable/sect.apparmor.html https://doc.opensuse.org/documentation/leap/security/html/book.security/part.apparmor.html
SELinux
https://en.wikipedia.org/wiki/Security-Enhanced_Linux
SELinux also supplements the traditional Unix discretionary access
control (DAC) model by providing mandatory access control (MAC).
Denies all requests by default.
Defined by labels on files and processes as part of file-system,
rather than merely a central configuration.
Everything gets labeled, processes, users, files, ports, etc., and
permissions map these groups to each other.
Typical policy is distributed by the operating system (e.g., Fedora,
CentOs), but these are designed to be permissive, and tend to be
server-focused.
Guides (in recommended
order)
https://opensource.com/business/13/11/selinux-policy-guide https://doc.opensuse.org/documentation/leap/security/html/book.security/part.selinux.html https://wiki.centos.org/HowTos/SELinux https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/ http://selinuxgame.org/ https://serversforhackers.com/c/battling-selinux-cast
+++++++++++++++++++++ Cahoot-21d.1
Next: 21d-PracticalPersonal.html