CIS 290 Linux Security - PowerPoint PPT Presentation

Provided by: RRDonn7
Learn more at: https://www.oakton.edu
Transcript and Presenter's Notes

1
CIS 290 Linux Security
  • Pluggable Authentication Modules (PAM) and
    Security-Enhanced Linux (SELinux)

2
PAM
  • Pluggable Authentication Modules: a suite of
    shared libraries (compiled program interfaces)
    that let the local system administrator choose
    how applications authenticate users. Running ldd
    on a service binary shows whether it links
    libpam.so; the modules it actually loads are
    named in its /etc/pam.d file, not in ldd output.
  • PAM deals with four types of management tasks:
    authentication management, account management,
    session management and password management.

3
PAM Configuration
  • /etc/pam.d/ (one file per service), /etc/pam.conf
    (ignored if /etc/pam.d exists), /etc/security/
    (module configuration such as limits.conf and
    access.conf), /etc/login.defs
  • The format of each rule is a space-separated
    collection of tokens, the first three being
    case-insensitive:
    service type control module-path module-arguments
  • Each rule is stacked on top of the previous one
    and the modules are executed in sequence, hence
    the term "authentication stack". Rule order
    matters.
  • Service is the application calling PAM. Under
    pam.d the service token is omitted: the filename
    represents the service. The default service is
    "other", consulted when no file matches.
  • Type is the management group the rule belongs
    to: auth, account, session or password (see the
    next slide).
  • Control determines how the PAM API behaves should
    the module fail in its task. There are two forms
    of syntax for the control field: a single simple
    keyword, or a square-bracketed list of
    value=action pairs.
  • module-path is the filename of the PAM module
    used by the application; a bare name such as
    pam_unix.so is looked up in the module directory.
  • module-arguments are a space-separated list of
    tokens that modify the specific behaviour of the
    given module.

4
PAM Type values
  • account: performs non-authentication based
    account management. It is typically used to
    restrict/permit access to a service based on the
    time of day, currently available system resources
    (maximum number of users) or perhaps the location
    of the applicant user, e.g. root login only on
    the console.
  • auth: provides two aspects of authenticating the
    user. It establishes that the user is who they
    claim to be, e.g. by prompting for a password,
    and it can grant group membership or other
    privileges through its credential-granting
    properties.
  • password: required for updating the
    authentication token associated with the user.
    Typically there is one module for each
    challenge/response based authentication (auth)
    type.
  • session: associated with things that need to be
    done for the user before/after they are given
    service: logging of information, mounting
    directories, etc.

5
PAM Control values
  • required: failure of such a module will
    ultimately lead to the PAM API returning failure,
    but only after the remaining stacked modules (for
    this service and type) have been invoked.
  • requisite: like required, however, in the case
    that such a module returns a failure, control is
    directly returned to the application or to the
    superior PAM stack. The return value is that
    associated with the first required or requisite
    module to fail.
  • sufficient: if such a module succeeds and no
    prior required module has failed, the PAM
    framework returns success to the application or
    to the superior PAM stack immediately, without
    calling any further modules in the stack. A
    failure of a sufficient module is ignored and
    processing of the module stack continues
    unaffected.
  • optional: the success or failure of this module
    is only important if it is the only module in the
    stack associated with this service and type.
  • include: include all lines of the given type from
    the configuration file specified as an argument
    to this control.
  • substack: include all lines of the given type
    from the configuration file specified as an
    argument to this control. This differs from
    include in that evaluation of the done and die
    actions in a substack does not cause skipping the
    rest of the complete module stack, but only of
    the substack.

6
PAM Control Value results
Control flag  Success result                              Failure result
requisite     Stack continues to execute                  Stack immediately terminates in failure
required      Stack continues to execute                  Stack continues to execute, but terminates in failure
sufficient    Stack immediately terminates in success,    Stack continues to execute
              unless a prior required module has failed
optional      Stack continues to execute                  Stack continues to execute, and fails only if other
                                                          modules are missing or give inconclusive results
7
PAM Control values
  • More complicated syntax: a square-bracketed list
    of value=action pairs
  • [value1=action1 value2=action2 ...]
  • Each value is a PAM return code; the full list
    is in /usr/include/security/_pam_types.h. The
    special value "default" covers all return codes
    not mentioned explicitly.
  • The actions are:
  • ignore: when used with a stack of modules, the
    module's return status will not contribute to the
    return code the application obtains.
  • bad: this action indicates that the return code
    should be thought of as indicative of the module
    failing. If this module is the first in the stack
    to fail, its status value will be used for that
    of the whole stack.
  • die: equivalent to bad with the side effect of
    terminating the module stack and PAM immediately
    returning to the application.
  • ok: this tells PAM that the administrator thinks
    this return code should contribute directly to
    the return code of the full stack of modules. In
    other words, if the former state of the stack
    would lead to a return of PAM_SUCCESS, the
    module's return code will override this value.
  • done: equivalent to ok with the side effect of
    terminating the module stack and PAM immediately
    returning to the application.
  • N (an unsigned integer): equivalent to ok with
    the side effect of jumping over the next N
    modules in the stack. N equal to 0 is not allowed
    (it would be identical to ok in that case).
  • reset: clear all memory of the state of the
    module stack and start again with the next
    stacked module.

8
PAM Control value equivalents
  • required
  • [success=ok new_authtok_reqd=ok ignore=ignore
    default=bad]
  • requisite
  • [success=ok new_authtok_reqd=ok ignore=ignore
    default=die]
  • sufficient
  • [success=done new_authtok_reqd=done
    default=ignore]
  • optional
  • [success=ok new_authtok_reqd=ok default=ignore]
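
The control-flag semantics on slides 5 to 8 are easiest to check by replaying a stack. The following is an added example, not part of the course slides: it parses constructed pam.d-style rules (the "type control module-path" format of slide 3), expands the simple keywords into the value=action tables of slide 8, and walks the stack the way libpam does, with each module's return value chosen by hand. Module names and return values are constructed for the demonstration; include and substack, which pull in another file, are deliberately not modelled.

```python
"""Replay a pam.d stack under the value=action rules of pam.conf(5).

Added example, not from the slides: the rules are parsed from constructed
pam.d text and each module's return value is chosen by hand, so the effect of
required/requisite/sufficient/optional and of rule order can be observed."""

from typing import Dict, List, Tuple

# Return codes, named as in /usr/include/security/_pam_types.h.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_PERM_DENIED = "success", "auth_err", "perm_denied"

# What each simple keyword expands to (the "PAM Control value equivalents" slide).
SIMPLE_CONTROLS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

Rule = Tuple[str, str, str]   # (type, control, module-path); arguments are not needed here


def parse_pamd(text: str) -> List[Rule]:
    """Parse 'type control module-path [arguments]' lines; a bracketed control
    spans several tokens. include/substack (another file) are not modelled."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, module = " ".join(tokens[1:end + 1]), tokens[end + 1]
        else:
            control, module = tokens[1].lower(), tokens[2]
        if control in ("include", "substack"):
            raise NotImplementedError("include/substack not modelled")
        rules.append((tokens[0].lower(), control, module))
    return rules


def actions_for(control: str) -> Dict[str, str]:
    """Map a control field to its value->action table."""
    if control in SIMPLE_CONTROLS:
        return SIMPLE_CONTROLS[control]
    table = dict(pair.split("=", 1) for pair in control[1:-1].split())
    table.setdefault("default", "bad")   # libpam treats unlisted values as bad
    return table


def run_stack(rules: List[Rule], mtype: str, returns: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack for one management type. `returns` gives what each module
    would return if invoked. Result: (status seen by the application, modules
    actually invoked, in order)."""
    stack = [r for r in rules if r[0] == mtype]
    impression, status, called = None, PAM_PERM_DENIED, []   # None: nothing has counted yet
    i = 0
    while i < len(stack):
        _, control, module = stack[i]
        i += 1
        retval = returns[module]
        called.append(module)
        table = actions_for(control)
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression != "negative":        # the first failure's code is kept
                impression, status = "negative", retval
            if action == "die":                 # requisite: return right now
                break
            continue
        if action == "reset":
            impression, status = None, PAM_PERM_DENIED
            continue
        # ok, done and a jump count N are positive contributions, but only if no
        # earlier module has already pushed the stack into failure.
        if impression is None or (impression == "positive" and status == PAM_SUCCESS):
            impression, status = "positive", retval
        if action == "done" and impression == "positive":   # sufficient: stop early
            break
        if action not in ("ok", "done"):
            i += int(action)                    # N: jump over the next N modules
    return (status if impression is not None else PAM_PERM_DENIED), called


# Constructed stand-in for the auth section of /etc/pam.d/login.
LOGIN_PAMD = """
auth  requisite   pam_securetty.so
auth  sufficient  pam_unix.so  try_first_pass
auth  required    pam_deny.so
"""

# Constructed: system accounts (uid < 1000) jump over the network module.
SKIP_PAMD = """
auth  [success=1 default=ignore]  pam_succeed_if.so  uid < 1000 quiet
auth  sufficient                  pam_sss.so
auth  sufficient                  pam_unix.so
auth  required                    pam_deny.so
"""

if __name__ == "__main__":
    rules = parse_pamd(LOGIN_PAMD)
    good = {"pam_securetty.so": PAM_SUCCESS, "pam_unix.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}
    print(run_stack(rules, "auth", good))   # ('success', ['pam_securetty.so', 'pam_unix.so'])
    print(run_stack(rules, "auth", dict(good, **{"pam_unix.so": PAM_AUTH_ERR})))
    # ('auth_err', ['pam_securetty.so', 'pam_unix.so', 'pam_deny.so'])
```

Two things worth trying with it: put the required pam_deny.so line before the sufficient pam_unix.so line and a correct password can no longer succeed (a sufficient module never overrides an earlier failure), and leave a single optional module alone in the stack, where its failure makes the whole stack fail because nothing else contributes.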

9
PAM Modules
  • There are over 70 PAM modules, each with their
    own options and return codes.
  • The most common: pam_access (login),
    pam_cracklib (password), pam_deny, pam_exec,
    pam_env, pam_limits, pam_unix
  • Installed in the module directory, e.g.
    /lib/security, /lib64/security or
    /lib/x86_64-linux-gnu/security depending on the
    distribution.

10
Security Enhanced LINUX
  • Kernel-level mandatory access control, included
    in the mainline kernel since 2.6
  • Not an application interface, but the kernel's
    access decisions reach applications as ordinary
    error codes on the denied system call.
  • Can be combined with DAC permissions and ACLs:
    both the DAC check and the SELinux check must
    allow an access.
  • Configuration directory: /etc/selinux
  • Old GUI: system-config-selinux; new GUI:
    policycoreutils-gui
  • BE CAREFUL with changes, especially deleting
    files.
  • To boot with SELinux permissive or off, add
    enforcing=0 or selinux=0 to the kernel command
    line in the GRUB edit menu.
  • Protects files, processes, applications
  • Based on security context
  • An SELinux security context is comprised of three
    parts, an "identity" (SELinux user), a "role" and
    a "type" (called a "domain" for processes), plus
    an optional MLS/MCS level. In the strict policy
    root's default role is sysadm_r and domain
    sysadm_t; in the targeted policy root runs as
    unconfined_u:unconfined_r:unconfined_t.

11
SELINUX Modes/Types
  • Enforcing: SELinux is enabled and enforces the
    security policy, denying access and logging
    denials in /var/log/audit/audit.log
  • Permissive: enabled but does not enforce the
    policy; it only warns and logs actions that would
    have been denied. Used for troubleshooting
    SELinux issues
  • Disabled: SELinux is turned off
  • Policy types (SELINUXTYPE in /etc/selinux/config):
  • targeted: only specific processes are confined
  • mls: Multi-Level Security, systemwide; very
    secure but demanding to administer

12
SELINUX Policy
  • Policy: the set of rules for the SELinux security
    engine that defines types for file objects and
    domains for processes, and SELinux users
    (identities) and roles that limit the domains a
    user can enter.
  • strict: minimum access; every process is confined
  • targeted: only specific processes are confined
  • unconfined: not under SELinux control beyond an
    unconfined context (e.g. the unconfined_t domain)

13
SELINUX Access Control
  • Type Enforcement (TE): the primary mechanism of
    access control used in the targeted policy
  • Role-Based Access Control (RBAC): based around
    SELinux users (not necessarily the same as the
    Linux user); not used in the default targeted
    policy
  • Multi-Level Security (MLS): not commonly used;
    the level field (e.g. s0) is present but mostly
    unused in the default targeted policy
  • Contexts are shown with the -Z option (ls -Z,
    ps -Z, id -Z, etc.)

14
SELINUX Commands
  • sestatus: show SELinux status, policy type and
    mode
  • getenforce: show the current mode
  • setenforce: set the mode (0 = permissive,
    1 = enforcing) until the next boot; the
    persistent setting lives in /etc/selinux/config
  • semanage: command-line policy management
    (booleans, ports, file-context rules, users)
  • chcon: change the SELinux context of a file (lost
    on the next relabel)
  • restorecon: restore the default SELinux context
    from the policy's file-context rules
  • audit2allow: generate SELinux policy rules from
    denials in /var/log/audit/audit.log
  • sealert: troubleshooting tool
  • ls -Z, ps -Z: show the SELinux context of files
    and processes
  • id -Z: show the current user's context
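
To see what the context fields on slide 10 and the audit.log denials on slide 11 look like in practice, here is an added example (not from the slides) that does, offline, the first step of what audit2allow does: it parses AVC records from audit.log, splits the user:role:type:level contexts, and aggregates denials into Type Enforcement allow rules. The audit records are constructed for the demonstration, not captured from a real system.

```python
"""Parse SELinux AVC denials from audit.log records and aggregate them the way
audit2allow does: source domain -> target type:class { permissions }.

Added example; not from the slides. The audit records below are constructed."""

import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Context(NamedTuple):
    """One security context: user:role:type[:level]."""
    user: str
    role: str
    type: str
    level: str   # "" when the policy carries no MLS/MCS field


def parse_context(ctx: str) -> Context:
    """Split 'system_u:system_r:httpd_t:s0' into its fields; level is optional."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


# Shape of an AVC record as the kernel writes it to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for "
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)


class Denial(NamedTuple):
    comm: str
    perms: Tuple[str, ...]
    source: Context
    target: Context
    tclass: str
    permissive: bool   # True: logged but not blocked (permissive mode or domain)


def parse_avc_denials(lines: Iterable[str]) -> List[Denial]:
    """Keep only AVC 'denied' records; SYSCALL and other record types are skipped."""
    found = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        found.append(Denial(
            comm=comm.group(1) if comm else "",
            perms=tuple(m.group("perms").split()),
            source=parse_context(m.group("scontext")),
            target=parse_context(m.group("tcontext")),
            tclass=m.group("tclass"),
            permissive=m.group("permissive") == "1",
        ))
    return found


def summarize(denials: Iterable[Denial]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Aggregate by (source type, target type, object class), as audit2allow does."""
    agg: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for d in denials:
        agg[(d.source.type, d.target.type, d.tclass)].update(d.perms)
    return dict(agg)


def to_allow_rules(summary: Dict[Tuple[str, str, str], Set[str]]) -> List[str]:
    """Render the aggregate as Type Enforcement allow rules (audit2allow style).
    Loading these blindly widens the policy: check first whether a relabel
    (restorecon) or a boolean (setsebool) is the right fix."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


# Constructed sample records, not captured from a real system: httpd_t is denied
# read/write on a file still labelled user_home_t (a relabel problem), and a
# name_connect to the MySQL port that was logged but allowed (permissive=1).
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=4321 '
    'comm="httpd" name="index.html" dev="dm-0" ino=5551 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no '
    'exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=4321 '
    'comm="httpd" name="index.html" dev="dm-0" ino=5551 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.250:203): avc:  denied  { name_connect } for  pid=4321 '
    'comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1',
]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(parse_avc_denials(SAMPLE_AUDIT_LOG))):
        print(rule)
```

The two rules it produces are exactly the kind audit2allow would suggest, and the sample illustrates why they should not be loaded as-is: the file denial is caused by a wrong label (user_home_t under a web root), which restorecon fixes without any policy change, and the port denial is what the httpd_can_network_connect_db boolean exists for.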