Computer Science Innovations, LLC Cybersecurity
Overview • Define Security • Discretionary Access Control • Trusted Computer System Evaluation Criteria (TCSEC) - Orange Book • 1984 by MITRE Corporation • Basis for all we do in Security • Define Security, and how we measure it.
Long-term goal • Given a System, X, tell me the security level. C2, B1, PL3, PL3+ • What does the security level imply? • It implies, what you can do with the system. • Says Who? • Commercial world – Underwriter? • What's an Underwriter? Quantify? • Insurance Companies.
The Present Situation • If I am Responsible for System, X, how do I bring it into Production? • Someone must Approve. • Somebody must assume risk. • Who is that? Insurance company • DOD Adjudicator. • Someone who assumes the risk.
Development up to present • If your system, and you, are well defined. • If your security model is simple and based on standards. • If you speak the same language as the decision maker. • Then it is easier to get someone to put their neck on the line. • Einstein said, If I saw further than others it is because I was standing on the shoulders of Giants.
Goals • Einstein said, As simple as possible, but no simpler. • If you cannot explain it simply, you do not understand it well enough. • Any fool can make things more complex it takes genius to find the simplicity. • Great science is simple.
Science Being Simple • Computer Science – Simple seems to win. • P-V Semaphore – seven lines of code. • Google – Processing Paradigms. Simplicity in processing. Map/Reduce. Solr. Open Source.
Definitions • Levels of Security • Lowest D... Not even discuss it. • Next Level up is C... C1 and C2 • C1 and C2 rely on Discretionary Access Control. • Next level up is B1, B2, B3 which are largely related. • B level uses Mandatory Access Control
Use of Definitions • The same definitions are used for Commercial as Government • In other words, there is just one Security. • There is Computer Security Used in Different Areas. • What is Discretionary Access Control?
Subjects and Objects • Access Control... Can the subject read or write the Object? That is one thing we are concerned with. • Auditing... What did the subject do on June 30th? Who are the subjects that accessed my mail? • Assurance – How can I be guaranteed that all access to the data has access control and auditing? And... does my model work?
Access Control • Access Control has some pieces. • What are the pieces? The first two are • Identity Assertion • Role Gathering • Systems do this. • We knew this in 1984. This is not new and pre-dates the Internet.
Identity Assertion • Eminem – I am who you say I am. • How do you find out your identity? • Google... Username and Password • Google.. Additional Security through a Token • Show Something About yourself • Biometric Devices. • Prove who you are.
How Do We Do Identity Assertion (diagram: Browser ↔ Web Server at www.bankofamerica.com; the server asks "Do I have a session?")
How Do We Assert an Identity • Username and Password • Sitekey • Identity Asserter is username and password. • Google – username and password. • Challenge – send a key to a cell phone. • Biometrics... cheap.
Identity Assertion • Identity Asserters must be pluggable. • What does that mean? • It means if I change the Identity Asserter, I do not need to change the software. • Best Practice … Run the software with two different Identity Asserters without changing, compiling or writing Software.
Role Gathering (diagram: Browser → Web server; the web server asserts identity, then gathers roles)
Role Gathering • Having proven who I am.... What can I do? • The Roles Dictate what you can do. • So if my role is Administrator.. I can do a lot. • If my role is Guest... I can do a little. • Show me what you mean. Ok. Let's do a practical Example.
Where do We See Roles • Web applications – web.xml • Directory – roles can work in the directory. • Page – useradmin: the roles that can see it are Administrator. • Browser – look up the roles in web.xml, then see the page.
Practical Example - Roles • id
uid=1000(scott) gid=1000(scott) groups=1000(scott),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),129(vboxusers)
• Groups are synonymous with Roles... the spec says so. • They say what I can do: use plug-in devices, Line Printer Administrator, share files, etc.
What Happened? • Logged into my machine. • Asserted my identity by username password. • Gathered my roles. • Determined what I can do. • Why? It's the standard.
Impromptu Lab • Go to your Linux instance. Any Linux instance. • Run the id command • then do a sudo su - • then do adduser pedro • then su - pedro • then id
Unix File Permissions • For a file or a directory we have modes xxx yyy zzz • For xxx we have read, write and execute for the user (you). • For yyy we have read, write and execute for the group (all group membership). • For zzz we have read, write and execute for the world (everyone on the computer). • So the question is, what permissions does a file get at creation? It is determined by umask, or user mask. • So where do you set it?
Umask – where is it • The Unix umask is set somewhere, most commonly in .bashrc • It also has a default for the system. • It is common to set it in your .bashrc • umask determines the permissions given to newly created files: its bits are the ones masked off the default mode.
Unix Convention – More than a user • When you create a user, say sherman, then the user is sherman and sherman is also the name of the private group. • So the home directory is owned by sherman as the user and sherman as the private group. • Private groups are used for ownership of things only the user is allowed to write. • So your private group has your files for write.
Create a User and Private Group
Command – useradd -U sherman
root@ip-10-138-35-253:~# su - sherman
No directory, logging in with HOME=/
$ id
uid=1001(sherman) gid=1001(sherman) groups=1001(sherman)
Command – useradd -U wilson
root@ip-10-138-35-253:~# su - wilson
No directory, logging in with HOME=/
$ id
uid=1002(wilson) gid=1002(wilson) groups=1002(wilson)
Create a Group to Share
We wish to create a group called seahawks and make wilson and sherman members of that group. We do not wish to change their primary membership; we wish to add them as members of the group.
Command – groupadd seahawks
root@ip-10-138-35-253:~# groupadd seahawks
root@ip-10-138-35-253:~# usermod wilson -G seahawks
root@ip-10-138-35-253:~# su - wilson
No directory, logging in with HOME=/
$ id
uid=1002(wilson) gid=1002(wilson) groups=1002(wilson),1003(seahawks)
$ exit
root@ip-10-138-35-253:~# usermod sherman -G seahawks
root@ip-10-138-35-253:~# su - sherman
No directory, logging in with HOME=/
$ id
uid=1001(sherman) gid=1001(sherman) groups=1001(sherman),1003(seahawks)
$
Let's Explore the Private Group
Your home directory is not shared. /home/sherman would have files owned by sherman. Ownership is user:group, so for these files the ownership is sherman:sherman. So we have the octets xxx yyy zzz and now ownership. If we look at a home directory we should see:
ubuntu@ip-10-138-35-253:~$ ls -al .bashrc
-rw-r--r-- 1 ubuntu ubuntu 3646 Feb 12 20:32 .bashrc
ubuntu@ip-10-138-35-253:~$
Let's Look at the Shared Group
Set up an area on disk to share. Let's use /opt/shared:
root@ip-10-138-35-253:/opt# chown -R sherman:seahawks shared/
root@ip-10-138-35-253:/opt# ls -al
total 12
drwxr-xr-x 3 root root 4096 Feb 12 20:50 .
drwxr-xr-x 22 root root 4096 Feb 12 20:17 ..
drwxr-xr-x 2 sherman seahawks 4096 Feb 12 20:50 shared
root@ip-10-138-35-253:/opt# su - sherman
No directory, logging in with HOME=/
$ cd /opt/shared
$ touch x
$ ls -al x
-rw-rw-r-- 1 sherman sherman 0 Feb 12 20:51 x
The Shared Group uses the Private Group
The user's private group is dominating the directory's group: when we touch x as sherman, the group owner of x is sherman, not seahawks. The problem is that sherman cannot share with wilson, so we do not really have a shared group. So chmod 2775 to the rescue.
root@ip-10-138-35-253:/opt# chmod 2775 shared/
root@ip-10-138-35-253:/opt# ls -al
total 12
drwxr-xr-x 3 root root 4096 Feb 12 20:50 .
drwxr-xr-x 22 root root 4096 Feb 12 20:17 ..
drwxrwsr-x 2 sherman seahawks 4096 Feb 12 20:51 shared
Some Limitations
If you have a directory tree, then all directories must be set to 2775. So how do you change just the directories?
Command: chmod -R 2775 * – DO NOT DO THIS. IT CHANGES EVERYTHING, INCLUDING FILES.
Proper command: find . -type d -exec chmod 2775 {} \;
Common Shortcomings? • Let's say you have a machine with a web server. • You have 5 people that are Web Server Administrators • What are your options? • You can have a Group Account • Or you can setup the machine to allow multiple people to update the Web Server.
What is Wrong with a Group Account? • It Violates Discretionary Access Control. • Why? Named Subject, Named Object. • NOT • Named Group containing many Subjects and Named Object. • Must be one to one – Person to Subject. • Now Three More Topics for C2.
Bringing Up A Web Server • Web Server – runs on port 80 • Web Server – runs on port 8080 • Ports < 1024 require Admin privilege to start the process. • Ports >= 1024 do not require Admin. • Why do we care? Least Privilege.
Have "Normal" Users as Web Admins • So let's say Morris (Mo) is a web admin and Cheri is a web admin. • They are going to run as normal users, but they need to share the web server, and we do not want to violate DAC. • So we need to separate them and keep Least Privilege.
Separate Users • Step 1: create a group per user and create a shared group. • Mo • Al • webguys – the shared group.
How To
root@companion:/opt# groupadd mo
root@companion:/opt# groupadd al
root@companion:/opt# groupadd webguys
root@companion:/opt# useradd mo -g mo -G webguys
root@companion:/opt# useradd al -g al -G webguys
How To
root@companion:/opt# mkdir /opt/share
root@companion:/opt# chown al:webguys /opt/share
root@companion:/opt# chmod 2775 /opt/share
The 2 is the set-group-id bit. It means that all files created in the directory inherit the group from the directory, not from the user.
Three More Topics • Confidentiality • No one can listen in and gain information. • Encryption • Least Privilege • Very, very important. • Am I doing the action with the least amount of authority? Don't work as Root or Admin. • Non-Repudiation • How can I be prevented from denying that I sent it?
Confidentiality • https • Hyper Text Transport Protocol Secure • When you read your email are you • http or https? • Log into your mail. • Is it http or https? https
Least Privilege • I must work as a normal user • Or • I must work as an admin. • Which is better? Why? Because as a normal user you don't mess up the system, on purpose or by accident. • Ports... https, which port is that? 443 • Who do you have to be to work on 443? • For ports less than 1024 you must be admin.
How Do We Do Least Privilege With https? • The browser (Source) wants to communicate on 443.... Default • The system wants to use a normal user. • So what happens? • So your Firewall or Router maps 443 to 8443 • So the Source requests 443 the System responds with 8443 the Router maps them. • Best Practice … Always map <1024 ports to > 1024 to preserve Least Privilege.
Outside World to Inside Https in a browser it says communicate on 443 But we want least privilege … So how do we do that. 8443 on the local system. We need our firewall/router administrator to set this up for us.
Let's Look At This (diagram: Browser → port 443 → Firewall → port 8443 → Web Server run by Al Admin; the firewall maps incoming 443 to internal 8443 on a specific server)
Apache and Least Privilege
ubuntu@ip-10-204-147-104:~$ ps -ef | grep apache
root 3725 1 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3727 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3729 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3730 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
ubuntu 3828 865 0 14:55 pts/0 00:00:00 grep --color=auto apache
ubuntu@ip-10-204-147-104:~$ sudo su -
root@ip-10-204-147-104:~# cd /etc/
root@ip-10-204-147-104:/etc# grep www-data passwd
www-data:x:33:33:www-data:/var/www:/bin/sh
• Apache is not adhering to Least Privilege.
Unix Cheat Sheet • The command ls is the same thing as dir in Windows • The command ps is process status and is commonly used as ps -ef | more • Do a ps -ef | more • The command pwd is print working directory • The command chmod is change mode • The command chown is change owner (user and group)
DAC in UNIX • In Unix we get DAC out of the box. • How do we do it? • Name the Subject... logging in. • How do we protect files? • This is access control.
Unix History • How did we get to Unix? • Who created it? Brian Kernighan, Dennis Ritchie, Ken Thompson. • They worked for AT&T in New Jersey in the 70's. They had an idea: what if an operating system was created that worked on any hardware? • So they needed a hardware-independent language – they called it C.
Unix History Continued • AT&T gave it away for free. • How many run Androids? Unix kernel. • How many run iPhones? Unix. • There are two flavors. System V – MIT – Linux • BSD – Berkeley – Cal Berkeley – Mac OS • AT&T – created this.
Commands - Unix • Permissions • wwwxxxyyy for a file or directory. • Now let's define www: it has 3 bits for RWE (read, write, execute). • So RWE is what... 7. Now www is for the user's permission, • xxx is for the group's permission and • yyy is for the world's permission. • So if a file is 400, like a .pem file, what is that? • 400 = 100 000 000, which is r-------- : read only, at the owner level.
More Permissions • So if I want a file to be Read and Write for the Owner (User) of the file, Read for the Group and Nothing for the world. • Let's do it together • www xxx yyy • U G O • The three bits RWE • 110 100 000 = 6 4 0
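The three mechanics covered above (umask deciding a new file's mode, setting 2775 on directories only with find -type d rather than chmod -R, and reading rwx triads as octal digits) can be tried without root in a scratch directory. This is an added example, not from the slides; it assumes GNU coreutils (stat -c) and uses a constructed temp tree.

```shell
#!/bin/sh
# Added example (not from the slides). Runs as an unprivileged user in a
# constructed temp directory; assumes GNU coreutils for "stat -c %a".
lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT

# umask: a new file starts from 666 and the umask bits are cleared from it.
# $1 = umask to apply (e.g. 022); prints the octal mode the new file got.
mode_of_new_file() {
    ( umask "$1"; : > "$lab/file_$1"; stat -c %a "$lab/file_$1" )
}

# Constructed tree for the setgid test: two directories and one plain file.
mkdir -p "$lab/shared/sub"
: > "$lab/shared/sub/notes.txt"
chmod 644 "$lab/shared/sub/notes.txt"

# The slides' proper command: setgid + group-writable on directories only.
# "chmod -R 2775" would also have made notes.txt setgid and executable.
setgid_dirs_only() {
    find "$1" -type d -exec chmod 2775 {} \;
}

# Octal mode of any path, e.g. 2775 for a setgid directory.
mode_of() { stat -c %a "$1"; }

# rwx notation -> octal, e.g. "rw-r-----" -> 640. Three characters per
# octet: r=4, w=2, x=1 (a lowercase s or t in the x slot still has x set).
sym_to_octal() {
    s=$1; out=""; i=1
    while [ "$i" -le 7 ]; do
        t=$(printf '%s' "$s" | cut -c"$i"-"$((i + 2))")
        n=0
        case $t in r??) n=$((n + 4)) ;; esac
        case $t in ?w?) n=$((n + 2)) ;; esac
        case $t in ??x|??s|??t) n=$((n + 1)) ;; esac
        out="$out$n"; i=$((i + 3))
    done
    printf '%s\n' "$out"
}

setgid_dirs_only "$lab/shared"
```

After the run, both directories report 2775 while notes.txt stays 644, which is exactly the difference between find -type d and a blanket chmod -R.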