SlideShare une entreprise Scribd logo

Remote security with Red Hat Enterprise Linux

Giuseppe Paterno'
Giuseppe Paterno'
Technologie
1  sur  23
Télécharger pour lire hors ligne
Remote security with Red Hat Enterprise Linux Giuseppe “Gippa” Paternò Red Hat - Solution Architect & EMEA Security Prod. Expert Visiting Researcher – Trinity College Dublin gpaterno@redhat.com paternog@cs.tcd.ie
Who am I  Currently Solution Architect and EMEA Security Expert in Red Hat  Visiting Researcher at Trinity College Dublin  Previously Security Solution Architect in Sun and also in IBM  Red Hat Certified Security Specialist (RHCSS), RH Architect (RHCA) and Cisco Certified Network Professinal (CCNP)  Part of the italian security community sikurezza.org  Forensic analisys for local govs  More on: ● http://www.gpaterno.com/ ● http://www.scss.tcd.ie/Giuseppe.Paterno/ ● http://www.linkedin.com/in/gpaterno
Agenda  The “Defense in Depth” philosophy  Advantages of OSS on Security  Statistics about Linux vulnerabilities  Security of the Operating System ● ● Kernel security and other features ● The importance of patching ●  Hardening, minimization and how Linux is positioned MAC systems: SeLinux Authentication and authorization ● ● Intergration with Linux and with applications ●  Smart Cards and Biometric authentication Authorization and profiling, i.e. assigning roles Application protection ● Be aware of the “default” installation ● Use of the application-layer firewalls
“ The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. ” Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security.
The “Defense in Depth” philosophy  Any system, configuration, application and even software development have to be thought in a secure way  It uses several security layers to secure systems and data. ● Use of multiple computer security techniques to help mitigate the risk of a one defence being compromised or circumvented ● Ex: using antivirus on both workstations and file/mail servers  This concept should be applied in every systems, expecially on those that hold sensible data or whenever security is highly required
The “Defense in Depth” philosophy  This translate in: ● Secure the OS ● Secure access to the network ● Use a common/central authentication and authorization ● Secure the applications ● Think and develop applications in a secure way  Red Hat Enterprise Linux is the only OS that respect the “Defense in Depth” philosophy
Advantages of OSS on Security  Open Source means that the code is publically available  A great number of people (the community) can evaluate the code of the project and: ● Find memory leaks in the code (programming error) ● Find a poorly secure algorithm/protocol (design error) ● Have a peer review (from expert people)  As a result we will (and a given vendor will): ● Have the best code and algorithm ● Have a quick fix for the problem (even in day 0) ● Most of the “white-hats” produces both an exploit and a patch for the program  Most of the projects reuses standard algorithm/code (libraries), thus eliminating common problems.
Linux (RHEL) default install vulnerabilities: Low 23% 82 117 Moderate 32% 160 Important 44% 3 Critical 1% 0 20 40 60 80 100 120 140 160 180 Number of vulnerabilities
Security of the OS: hardening/minimization  Out of the box, nearly all operating systems are configured insecurely. Hardening is minimizing a computer's exposure to current and future threats.  How it works: ● ● ● ● ● Remove unecessary users/groups Disable unused services Configure securely all used applications Configure the strongest authentication possible Use and configure firewalls/IDS/IPS/MAC Systems...  Fewer software components on a server means fewer security holes to detect and fill  Minimizing the number of OS modules installed on a server can greatly improve overall system security by reducing the number of vulnerabilities.
Security of the OS: how is Linux  Mostly Linux distribution are hardened and secured by default (at least RHEL and Fedora are ;) ● ● ● ● ● Only SSH opened and other services in loopback only No unsecure/unencrypted services (telnet/ftp/r*) Firewall and Mandatory Access Control (MAC) systems enabled by default All unnecessary users/groups set to nologin Default packages set to minimum (minimization) ● The admin installs only what is strictly necessary to run the server ● Minimal systems are usually supported!!
Security of the OS: kernel  Buffer overflow: ● It injects an arbitrary code (usually a shell) in the program's data area and execute it ● Attackers gain access and privileges of the exploited program  How to prevent: ● No-Execute and Exec-shield technology ● Software emulation of the no execute of the data area ● Flag data memory as non-executable and program memory as non-writeable ● PIE (Position Independent Executable) ● Randomization of the application address in the stack
Security of the OS: other features  Restricted Memory Access ●  Restricts how the kernel memory (/dev/mem) can be overwritten. This prevents several rootkits from functioning resulting in a safer and more secure system. Kernel signature (ksign) ● ●  Signature of kernel modules, to allow only certains gpg signed kernel modules to be loadeed Avoid rootkits than hide themselves Secure application compile (FORTIFY_SOURCE and StackSmashing protector) ● "FORTIFY_SOURCE" is a gcc option that detect and prevent a subset of the buffer overflows before they can do damage (unchecked buffer size)  ELF (Executable and Linkable Format) Data Hardening  RPM Signing ● Each package/application is signed from the vendor so that any change is tracked (same effect as tripwire)
Security in the OS: MAC and SELinux  Mandatory Access Control (MAC) is a kind of access control defined by the Trusted Computer System Evaluation Criteria ● “[...] restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity". (from Wikipedia)  The most used MAC system in Linux is Security Enhanced Linux (SE Linux) ● Developed initially by NSA (National Security Agency) ● Several contributors, such as Red Hat, Tresys, IBM, .... ● Certified Common Criteria (EaL4+) and used by military ● When used in “stricted” mode is even more secure ● Based on policies that confine user programs and system services to the minimum amount of privilege they require to do their jobs
SE-Linux: overview  By default, anything not explicitly permitted is denied  Rules are called “policies”  Two pre-defined policies in RHEL/Fedora, i.e.: ● targeted: only common daemons are confined (typically only the one started from init.d/*), leaving “unconfined” the others ● strict: any process within the system is confined  RHEL is in “targeted” mode by default, while fedora in “strict”: daemons with remote access (apache, mysql, ...) are protected by the SE-Linux “shield”
SE-Linux Security Context  All files and processes have a security context  The context has several elements, example:    user:role:type:sensitivity:category User: root OR user_u (Processes: system_u) Role: Files -> object_r ; Processes -> system_r Type: Used by Type Enforcement to specify the nature of the data $ ps -ZC bash,sshd LABEL CMD PID TTY TIME system_u:system_r:sshd_t:s0-s0:c0.c1023 1709 ? 00:00:00 sshd unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32019 pts/0 00:00:00 bash
SE Linux: an italian success We are protecting the italian government employees' payslips and tax declaration (around 4M users)
Security in the OS: patching PATCHING IS IMPORTANT!!!  Always keep up-to-date the system's security patches  It is important a management system that is able to apply all the patch seamless and avoid human errors ● After buffer overflows and “zero day”, the major security concerns are about human error on configuration files  That is: ● Applying automatically patch and rollback if necessary ● Compare software between machines (ex: cluster) ● Use a standard, proven, configuration file for common services (ssh, authentication, ....) and distribute it ● An example is Red Hat Network Satellite
Authentication and authorization  Just to be clear on terms: ● Authentication is proving who you claim to be (who you are) Deals with identifying the users ● Can be: ● Username/Password (and variants such as kerberos) ● One Time Passwords (OTP) ● Two Factor (key based: Smart Cards/Biometric) ● ● Authorization is giving permission to users (what you can do). Sometimes referred as “profiling”. After the authentication phase, the user is profiled ● The application (ex: login shell, web application, ...) will give appropriate rights based upon certain parameters ● Parameters usually stored in LDAP, but also in databases ●
Strong authentication: Smart Cards/Biometric/OTP  Autentication usually based on username and password ● ● ●  Passwords can easily eavesdropped Kerberos and cryptography helps on protecting passwords but ... ... don't prevent users to give away they're passwords or copying it (keyloggers, post-it, social engineering, ...) The best way is the famous “something you have” and “something you know” ● ● ● ● ● Smart Cards and biometric autentications cover “something you have” PINs or pass-phrases are usually “something you know” The only way is stealing the smart card (and is not possible for biometric apart kidnapping ;) Smart Cards hold private keys of a PKI infrastructure (and PIN or fingerprints unlock the keyring) It can be revoked at any time
Authorization and Profiling (roles)  Every user should be granted the least privileges to do the job  Profiles and roles should be stored on a central repository ● ●  Each application should be designed to use profiling ● ●  Advantage is that authorization is cross to all systems/applications Usually are stored in LDAP ● OpenLDAP and Fedora Directory Server (RHDS) are the most famous in the OSS world Java applications should use the JAAS APIs PHP/C/C++/Python should perform look-ups in LDAP directly Examples (in infrastructure software) ● Apache with mod_authz_ldap ● AllowUsers in SSH ● Sudo with LDAP
Application Security  Each application should be configured securely!!! ● ● ● ● This statement can't be stressed enough Most of the “default installations” are opened Hardening should involve the whole platform, not only the OS Configuration depends on the application itself ● Well-known for “infrastructure” software such as Jboss ● Contact your vendor or the OSS mailing lists for more information
Application Security  Use application-layer firewalls ● ● ● ● In the “Defense in Depth” philosophy give the edge protection layer Everything incapsulated on port 80/443 (and 25) !!! The most valuable example in OSS is ModSecurity ● Web Application Firewall ● Real-Time Monitoring and Attack Detection ● Attack Prevention and Just-in-time Patching Other examples: spamassassin, clamav, squid + dansguard, SIP Express Router (SER), .....
Questions? Thank you! Giuseppe “Gippa” Paternò Red Hat - Solution Architect & EMEA Security Prod. Expert Visiting Researcher – Trinity College Dublin gpaterno@redhat.com paternog@cs.tcd.ie

Recommandé

Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Don't dump thread dumps
Don't dump thread dumpsDon't dump thread dumps
Don't dump thread dumpsTier1 App
 
Asynchronous Python with Twisted
Asynchronous Python with TwistedAsynchronous Python with Twisted
Asynchronous Python with TwistedAdam Englander
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Biblioteca Nacional de España
 
Twisted: a quick introduction
Twisted: a quick introductionTwisted: a quick introduction
Twisted: a quick introductionRobert Coup
 
Distributed system coordination by zookeeper and introduction to kazoo python...
Distributed system coordination by zookeeper and introduction to kazoo python...Distributed system coordination by zookeeper and introduction to kazoo python...
Distributed system coordination by zookeeper and introduction to kazoo python...Jimmy Lai
 

Recommandé

Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Don't dump thread dumps
Don't dump thread dumpsDon't dump thread dumps
Don't dump thread dumpsTier1 App
 
Asynchronous Python with Twisted
Asynchronous Python with TwistedAsynchronous Python with Twisted
Asynchronous Python with TwistedAdam Englander
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
 
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...
Integrating web archiving in preservation workflows. Louise Fauduet, Clément ...Biblioteca Nacional de España
 
Twisted: a quick introduction
Twisted: a quick introductionTwisted: a quick introduction
Twisted: a quick introductionRobert Coup
 
Distributed system coordination by zookeeper and introduction to kazoo python...
Distributed system coordination by zookeeper and introduction to kazoo python...Distributed system coordination by zookeeper and introduction to kazoo python...
Distributed system coordination by zookeeper and introduction to kazoo python...Jimmy Lai
 
Apache ZooKeeper
Apache ZooKeeperApache ZooKeeper
Apache ZooKeeperScott Leberknight
 
Hs java open_party
Hs java open_partyHs java open_party
Hs java open_partyOpen Party
 
WTF is Twisted?
WTF is Twisted?WTF is Twisted?
WTF is Twisted?hawkowl
 
Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Peter Lawrey
 
An Introduction to Twisted
An Introduction to TwistedAn Introduction to Twisted
An Introduction to Twistedsdsern
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
Java Performance Monitoring & Tuning
Java Performance Monitoring & TuningJava Performance Monitoring & Tuning
Java Performance Monitoring & TuningMuhammed Shakir
 
Profiler Guided Java Performance Tuning
Profiler Guided Java Performance TuningProfiler Guided Java Performance Tuning
Profiler Guided Java Performance Tuningosa_ora
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersSadique Puthen
 
Winter is coming? Not if ZooKeeper is there!
Winter is coming? Not if ZooKeeper is there!Winter is coming? Not if ZooKeeper is there!
Winter is coming? Not if ZooKeeper is there!Joydeep Banik Roy
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStackSean Chang
 
Lock free programming- pro tips
Lock free programming- pro tipsLock free programming- pro tips
Lock free programming- pro tipsJean-Philippe BEMPEL
 
Virtualizing Java in Java (jug.ru)
Virtualizing Java in Java (jug.ru)Virtualizing Java in Java (jug.ru)
Virtualizing Java in Java (jug.ru)aragozin
 
Apache Zookeeper
Apache ZookeeperApache Zookeeper
Apache ZookeeperNguyen Quang
 
Apache ZooKeeper TechTuesday
Apache ZooKeeper TechTuesdayApache ZooKeeper TechTuesday
Apache ZooKeeper TechTuesdayAndrei Savu
 
Can you trust Neutron?
Can you trust Neutron?Can you trust Neutron?
Can you trust Neutron?salv_orlando
 
Java performance tuning
Java performance tuningJava performance tuning
Java performance tuningMohammed Fazuluddin
 
Java Performance and Using Java Flight Recorder
Java Performance and Using Java Flight RecorderJava Performance and Using Java Flight Recorder
Java Performance and Using Java Flight RecorderIsuru Perera
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Using Java Mission Control & Java Flight Recorder
Using Java Mission Control & Java Flight RecorderUsing Java Mission Control & Java Flight Recorder
Using Java Mission Control & Java Flight RecorderIsuru Perera
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz
 

Contenu connexe

Tendances

Hs java open_party
Hs java open_partyHs java open_party
Hs java open_partyOpen Party
 
WTF is Twisted?
WTF is Twisted?WTF is Twisted?
WTF is Twisted?hawkowl
 
Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Peter Lawrey
 
An Introduction to Twisted
An Introduction to TwistedAn Introduction to Twisted
An Introduction to Twistedsdsern
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
Java Performance Monitoring & Tuning
Java Performance Monitoring & TuningJava Performance Monitoring & Tuning
Java Performance Monitoring & TuningMuhammed Shakir
 
Profiler Guided Java Performance Tuning
Profiler Guided Java Performance TuningProfiler Guided Java Performance Tuning
Profiler Guided Java Performance Tuningosa_ora
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersSadique Puthen
 
Winter is coming? Not if ZooKeeper is there!
Winter is coming? Not if ZooKeeper is there!Winter is coming? Not if ZooKeeper is there!
Winter is coming? Not if ZooKeeper is there!Joydeep Banik Roy
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStackSean Chang
 
Virtualizing Java in Java (jug.ru)
Virtualizing Java in Java (jug.ru)Virtualizing Java in Java (jug.ru)
Virtualizing Java in Java (jug.ru)aragozin
 
Apache ZooKeeper TechTuesday
Apache ZooKeeper TechTuesdayApache ZooKeeper TechTuesday
Apache ZooKeeper TechTuesdayAndrei Savu
 
Can you trust Neutron?
Can you trust Neutron?Can you trust Neutron?
Can you trust Neutron?salv_orlando
 
Java Performance and Using Java Flight Recorder
Java Performance and Using Java Flight RecorderJava Performance and Using Java Flight Recorder
Java Performance and Using Java Flight RecorderIsuru Perera
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Using Java Mission Control & Java Flight Recorder
Using Java Mission Control & Java Flight RecorderUsing Java Mission Control & Java Flight Recorder
Using Java Mission Control & Java Flight RecorderIsuru Perera
 

Tendances (20)

Apache ZooKeeper
Apache ZooKeeperApache ZooKeeper
Apache ZooKeeper
 
Hs java open_party
Hs java open_partyHs java open_party
Hs java open_party
 
WTF is Twisted?
WTF is Twisted?WTF is Twisted?
WTF is Twisted?
 
Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016
 
An Introduction to Twisted
An Introduction to TwistedAn Introduction to Twisted
An Introduction to Twisted
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
Java Performance Monitoring & Tuning
Java Performance Monitoring & TuningJava Performance Monitoring & Tuning
Java Performance Monitoring & Tuning
 
Profiler Guided Java Performance Tuning
Profiler Guided Java Performance TuningProfiler Guided Java Performance Tuning
Profiler Guided Java Performance Tuning
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
 
Winter is coming? Not if ZooKeeper is there!
Winter is coming? Not if ZooKeeper is there!Winter is coming? Not if ZooKeeper is there!
Winter is coming? Not if ZooKeeper is there!
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStack
 
Lock free programming- pro tips
Lock free programming- pro tipsLock free programming- pro tips
Lock free programming- pro tips
 
Virtualizing Java in Java (jug.ru)
Virtualizing Java in Java (jug.ru)Virtualizing Java in Java (jug.ru)
Virtualizing Java in Java (jug.ru)
 
Apache Zookeeper
Apache ZookeeperApache Zookeeper
Apache Zookeeper
 
Apache ZooKeeper TechTuesday
Apache ZooKeeper TechTuesdayApache ZooKeeper TechTuesday
Apache ZooKeeper TechTuesday
 
Can you trust Neutron?
Can you trust Neutron?Can you trust Neutron?
Can you trust Neutron?
 
Java performance tuning
Java performance tuningJava performance tuning
Java performance tuning
 
Java Performance and Using Java Flight Recorder
Java Performance and Using Java Flight RecorderJava Performance and Using Java Flight Recorder
Java Performance and Using Java Flight Recorder
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
Using Java Mission Control & Java Flight Recorder
Using Java Mission Control & Java Flight RecorderUsing Java Mission Control & Java Flight Recorder
Using Java Mission Control & Java Flight Recorder
 

Similaire à Remote security with Red Hat Enterprise Linux

CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005James Morris
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22jemtallon
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14mjos
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1bora.gungoren
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure InfrastructuresShawn Wells
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
 
Hqs abatis hdf general overview
Hqs abatis hdf general overviewHqs abatis hdf general overview
Hqs abatis hdf general overviewNine23Ltd
 
lamacchia-palladium
lamacchia-palladiumlamacchia-palladium
lamacchia-palladiumNed Hayes
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Processphanleson
 
Confidential compute with hyperledger fabric .v17
Confidential compute with hyperledger fabric .v17Confidential compute with hyperledger fabric .v17
Confidential compute with hyperledger fabric .v17LennartF
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Henry Stamerjohann
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 

Similaire à Remote security with Red Hat Enterprise Linux (20)

CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
 
Ch11
Ch11Ch11
Ch11
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 
2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux2008-10-15 Red Hat Deep Dive Sessions: SELinux
2008-10-15 Red Hat Deep Dive Sessions: SELinux
 
Hqs abatis hdf general overview
Hqs abatis hdf general overviewHqs abatis hdf general overview
Hqs abatis hdf general overview
 
lamacchia-palladium
lamacchia-palladiumlamacchia-palladium
lamacchia-palladium
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
Confidential compute with hyperledger fabric .v17
Confidential compute with hyperledger fabric .v17Confidential compute with hyperledger fabric .v17
Confidential compute with hyperledger fabric .v17
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 

Plus de Giuseppe Paterno'

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITGiuseppe Paterno'
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...Giuseppe Paterno'
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudGiuseppe Paterno'
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsGiuseppe Paterno'
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediGiuseppe Paterno'
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersGiuseppe Paterno'
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Giuseppe Paterno'
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free softwareGiuseppe Paterno'
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiGiuseppe Paterno'
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieGiuseppe Paterno'
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadGiuseppe Paterno'
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remediesGiuseppe Paterno'
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediGiuseppe Paterno'
 

Plus de Giuseppe Paterno' (15)

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture IT
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
 
SecurePass at OpenBrighton
SecurePass at OpenBrightonSecurePass at OpenBrighton
SecurePass at OpenBrighton
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond Firewalls
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacenters
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarie
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and Etherpad
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
 

Dernier

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Remote security with Red Hat Enterprise Linux

  • 1. Remote security with Red Hat Enterprise Linux Giuseppe “Gippa” Paternò Red Hat - Solution Architect & EMEA Security Prod. Expert Visiting Researcher – Trinity College Dublin gpaterno@redhat.com paternog@cs.tcd.ie
  • 2. Who am I  Currently Solution Architect and EMEA Security Expert in Red Hat  Visiting Researcher at Trinity College Dublin  Previously Security Solution Architect in Sun and also in IBM  Red Hat Certified Security Specialist (RHCSS), RH Architect (RHCA) and Cisco Certified Network Professinal (CCNP)  Part of the italian security community sikurezza.org  Forensic analisys for local govs  More on: ● http://www.gpaterno.com/ ● http://www.scss.tcd.ie/Giuseppe.Paterno/ ● http://www.linkedin.com/in/gpaterno
  • 3. Agenda  The “Defense in Depth” philosophy  Advantages of OSS on Security  Statistics about Linux vulnerabilities  Security of the Operating System ● ● Kernel security and other features ● The importance of patching ●  Hardening, minimization and how Linux is positioned MAC systems: SeLinux Authentication and authorization ● ● Intergration with Linux and with applications ●  Smart Cards and Biometric authentication Authorization and profiling, i.e. assigning roles Application protection ● Be aware of the “default” installation ● Use of the application-layer firewalls
  • 4. “ The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. ” Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security.
  • 5. The “Defense in Depth” philosophy  Any system, configuration, application and even software development have to be thought in a secure way  It uses several security layers to secure systems and data. ● Use of multiple computer security techniques to help mitigate the risk of a one defence being compromised or circumvented ● Ex: using antivirus on both workstations and file/mail servers  This concept should be applied in every systems, expecially on those that hold sensible data or whenever security is highly required
  • 6. The “Defense in Depth” philosophy  This translate in: ● Secure the OS ● Secure access to the network ● Use a common/central authentication and authorization ● Secure the applications ● Think and develop applications in a secure way  Red Hat Enterprise Linux is the only OS that respect the “Defense in Depth” philosophy
  • 7. Advantages of OSS on Security  Open Source means that the code is publically available  A great number of people (the community) can evaluate the code of the project and: ● Find memory leaks in the code (programming error) ● Find a poorly secure algorithm/protocol (design error) ● Have a peer review (from expert people)  As a result we will (and a given vendor will): ● Have the best code and algorithm ● Have a quick fix for the problem (even in day 0) ● Most of the “white-hats” produces both an exploit and a patch for the program  Most of the projects reuses standard algorithm/code (libraries), thus eliminating common problems.
  • 8. Linux (RHEL) default install vulnerabilities: Low 23% 82 117 Moderate 32% 160 Important 44% 3 Critical 1% 0 20 40 60 80 100 120 140 160 180 Number of vulnerabilities
  • 9. Security of the OS: hardening/minimization  Out of the box, nearly all operating systems are configured insecurely. Hardening is minimizing a computer's exposure to current and future threats.  How it works: ● ● ● ● ● Remove unecessary users/groups Disable unused services Configure securely all used applications Configure the strongest authentication possible Use and configure firewalls/IDS/IPS/MAC Systems...  Fewer software components on a server means fewer security holes to detect and fill  Minimizing the number of OS modules installed on a server can greatly improve overall system security by reducing the number of vulnerabilities.
  • 10. Security of the OS: how is Linux  Mostly Linux distribution are hardened and secured by default (at least RHEL and Fedora are ;) ● ● ● ● ● Only SSH opened and other services in loopback only No unsecure/unencrypted services (telnet/ftp/r*) Firewall and Mandatory Access Control (MAC) systems enabled by default All unnecessary users/groups set to nologin Default packages set to minimum (minimization) ● The admin installs only what is strictly necessary to run the server ● Minimal systems are usually supported!!
  • 11. Security of the OS: kernel  Buffer overflow: ● It injects an arbitrary code (usually a shell) in the program's data area and execute it ● Attackers gain access and privileges of the exploited program  How to prevent: ● No-Execute and Exec-shield technology ● Software emulation of the no execute of the data area ● Flag data memory as non-executable and program memory as non-writeable ● PIE (Position Independent Executable) ● Randomization of the application address in the stack
  • 12. Security of the OS: other features  Restricted Memory Access ●  Restricts how the kernel memory (/dev/mem) can be overwritten. This prevents several rootkits from functioning resulting in a safer and more secure system. Kernel signature (ksign) ● ●  Signature of kernel modules, to allow only certains gpg signed kernel modules to be loadeed Avoid rootkits than hide themselves Secure application compile (FORTIFY_SOURCE and StackSmashing protector) ● "FORTIFY_SOURCE" is a gcc option that detect and prevent a subset of the buffer overflows before they can do damage (unchecked buffer size)  ELF (Executable and Linkable Format) Data Hardening  RPM Signing ● Each package/application is signed from the vendor so that any change is tracked (same effect as tripwire)
  • 13. Security in the OS: MAC and SELinux  Mandatory Access Control (MAC) is a kind of access control defined by the Trusted Computer System Evaluation Criteria ● “[...] restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity". (from Wikipedia)  The most used MAC system in Linux is Security Enhanced Linux (SE Linux) ● Developed initially by NSA (National Security Agency) ● Several contributors, such as Red Hat, Tresys, IBM, .... ● Certified Common Criteria (EaL4+) and used by military ● When used in “stricted” mode is even more secure ● Based on policies that confine user programs and system services to the minimum amount of privilege they require to do their jobs
  • 14. SE-Linux: overview  By default, anything not explicitly permitted is denied  Rules are called “policies”  Two pre-defined policies in RHEL/Fedora, i.e.: ● targeted: only common daemons are confined (typically only the one started from init.d/*), leaving “unconfined” the others ● strict: any process within the system is confined  RHEL is in “targeted” mode by default, while fedora in “strict”: daemons with remote access (apache, mysql, ...) are protected by the SE-Linux “shield”
  • 15. SE-Linux Security Context  All files and processes have a security context  The context has several elements, example:    user:role:type:sensitivity:category User: root OR user_u (Processes: system_u) Role: Files -> object_r ; Processes -> system_r Type: Used by Type Enforcement to specify the nature of the data $ ps -ZC bash,sshd LABEL CMD PID TTY TIME system_u:system_r:sshd_t:s0-s0:c0.c1023 1709 ? 00:00:00 sshd unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32019 pts/0 00:00:00 bash
  • 16. SE Linux: an italian success We are protecting the italian government employees' payslips and tax declaration (around 4M users)
  • 17. Security in the OS: patching PATCHING IS IMPORTANT!!!  Always keep up-to-date the system's security patches  It is important a management system that is able to apply all the patch seamless and avoid human errors ● After buffer overflows and “zero day”, the major security concerns are about human error on configuration files  That is: ● Applying automatically patch and rollback if necessary ● Compare software between machines (ex: cluster) ● Use a standard, proven, configuration file for common services (ssh, authentication, ....) and distribute it ● An example is Red Hat Network Satellite
  • 18. Authentication and authorization  Just to be clear on terms: ● Authentication is proving who you claim to be (who you are) Deals with identifying the users ● Can be: ● Username/Password (and variants such as kerberos) ● One Time Passwords (OTP) ● Two Factor (key based: Smart Cards/Biometric) ● ● Authorization is giving permission to users (what you can do). Sometimes referred as “profiling”. After the authentication phase, the user is profiled ● The application (ex: login shell, web application, ...) will give appropriate rights based upon certain parameters ● Parameters usually stored in LDAP, but also in databases ●
  • 19. Strong authentication: Smart Cards/Biometric/OTP  Autentication usually based on username and password ● ● ●  Passwords can easily eavesdropped Kerberos and cryptography helps on protecting passwords but ... ... don't prevent users to give away they're passwords or copying it (keyloggers, post-it, social engineering, ...) The best way is the famous “something you have” and “something you know” ● ● ● ● ● Smart Cards and biometric autentications cover “something you have” PINs or pass-phrases are usually “something you know” The only way is stealing the smart card (and is not possible for biometric apart kidnapping ;) Smart Cards hold private keys of a PKI infrastructure (and PIN or fingerprints unlock the keyring) It can be revoked at any time
  • 20. Authorization and Profiling (roles)  Every user should be granted the least privileges to do the job  Profiles and roles should be stored on a central repository ● ●  Each application should be designed to use profiling ● ●  Advantage is that authorization is cross to all systems/applications Usually are stored in LDAP ● OpenLDAP and Fedora Directory Server (RHDS) are the most famous in the OSS world Java applications should use the JAAS APIs PHP/C/C++/Python should perform look-ups in LDAP directly Examples (in infrastructure software) ● Apache with mod_authz_ldap ● AllowUsers in SSH ● Sudo with LDAP
  • 21. Application Security  Each application should be configured securely!!! ● ● ● ● This statement can't be stressed enough Most of the “default installations” are opened Hardening should involve the whole platform, not only the OS Configuration depends on the application itself ● Well-known for “infrastructure” software such as Jboss ● Contact your vendor or the OSS mailing lists for more information
  • 22. Application Security  Use application-layer firewalls ● ● ● ● In the “Defense in Depth” philosophy give the edge protection layer Everything incapsulated on port 80/443 (and 25) !!! The most valuable example in OSS is ModSecurity ● Web Application Firewall ● Real-Time Monitoring and Attack Detection ● Attack Prevention and Just-in-time Patching Other examples: spamassassin, clamav, squid + dansguard, SIP Express Router (SER), .....
  • 23. Questions? Thank you! Giuseppe “Gippa” Paternò Red Hat - Solution Architect & EMEA Security Prod. Expert Visiting Researcher – Trinity College Dublin gpaterno@redhat.com paternog@cs.tcd.ie