Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008

This document discusses adding extended attribute support to NFS. It provides background on extended attributes, describes different implementations among operating systems, and outlines a proposal to implement name/value extended attribute support in Linux NFSv3 through a side protocol. Prototype code has been developed and is undergoing review. The work could serve as a model for adding extended attribute support to NFSv4 to enable proper support on Linux and BSD systems.

Linux Kernel Security Overview - KCA 2009

Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats

Unix was not designed with security primarily in mind. It was initially developed in the late 1960s -- before the Internet was invented. While relatively simple, the Unix security model is inadequate for protecting against common security threats. Its designers identified fundamental design flaws over thirty years ago. As Linux is modeled on Unix, it inherits this traditional Unix security model. Meeting modern security requirements has required significant enhancements to Linux, which are ongoing, but well-advanced. While many new security ideas have emerged, Linux developers have necessarily been constrained by decades of operating system standards and conventions. Aimed at admins, developers and technical managers, the talk will cover: * The historical context of Linux security * Modern security OS requirements * How these requirements are being addressed (or not) by various enhancements made to Linux security * Areas of ongoing and future work. We'll also consider how FOSS culture contributes to security.

Secure and Simple Sandboxing in SELinux

Kernel Recipes 2013 - Linux Security Modules: different formal concepts

Anne Nicolas

How Many Linux Security Layers Are Enough?

Talk about Linux security and the related possibilities to secure your systems. Several areas are discussed, like what is possible, how to select the right security measures and tips to implement them. Some subjects passing by in the presentation are file integrity (IMA/EVM), containers like Docker, virtualization. The referenced tool Lynis can be downloaded freely from https://cisofy.com/downloads/

Mandatory Access Control Networking Update - Netonf 2006 Tokyo

The document summarizes a presentation on network security and Linux security. The presentation covered introduction to security, computer security, and network security. It discussed why security is needed, who is vulnerable, common security attacks like dictionary attacks, denial of service attacks, TCP attacks, and packet sniffing. It also covered Linux security topics like securing the Linux kernel, file and filesystem permissions, password security, and network security using firewalls, IPSEC, and intrusion detection systems. The presentation concluded with a reference to an ID-CERT cybercrime report and a call for questions.

Linux Security

nayakslideshare

This document provides an overview of Linux security and auditing. It discusses the history and architecture of Linux, important security concepts like physical security, operating system security, network security, file system security and user/group security. It also describes various Linux security tools that can be used for tasks like vulnerability scanning, auditing, intrusion detection and password cracking.

Linux Operating System Vulnerabilities

Information Technology

The document discusses vulnerabilities in the Linux operating system and countermeasures to protect Linux systems from remote attacks. It describes how attackers can use tools like Nessus to discover vulnerabilities, deploy trojan programs, and create buffer overflows. It also provides recommendations for system administrators, including keeping systems updated with the latest patches, using rootkit detectors, and training users to avoid social engineering attacks.

Basic Linux Security

pankaj009

This document discusses basic Linux system security. It recommends securing physical access to machines, using the principle of least privilege by limiting accounts, ports, and applications. It also recommends strong passwords, closing unnecessary ports, encrypting network connections, keeping software updated, using intrusion detection, and advanced techniques like auditing OSes and using virtual machines.

Security, Hack1ng and Hardening on Linux - an Overview

Kaiwan Billimoria

Futex Scaling for Multi-core Systems

Davidlohr Bueso

The document discusses improvements to the implementation of futexes (fast userspace mutexes) in the Linux kernel to improve scaling on multicore systems. Some key issues with the original futex implementation are a global hash table that does not scale well with NUMA, hash collisions, and contention on hash bucket locks. Improvements discussed include using per-process or per-thread hash tables to address NUMA issues, improving hashing to reduce collisions, releasing hash bucket locks before waking tasks to allow concurrent wakeups, and replacing spinlocks with queued/MCS locks to reduce cacheline bouncing under contention. These changes aim to improve futex performance and scalability as the number of cores in systems increases.

Linux Security, from Concept to Tooling

Linux is considered to be a secure operating system by default. Still there is a lot to learn about system hardening and technical auditing. This 1-hour presentation explains the need for hardening and auditing of your systems. We discussed some additional documents and tools, to further help this endeavor. This presentation is suitable for both beginners and those with experience in system hardening.

File System Implementation & Linux Security

Geo Marian

This document discusses file system implementation and Linux security. It begins by describing how file systems are typically stored on disks with partitions and sectors. It then explains how files are created, opened, read, written to, and deleted in a file system. Two common allocation methods are also summarized - contiguous allocation and linked allocation. Finally, it outlines some common security threats like intruders, malicious programs, and generic attacks and how TCP wrappers can be used to filter network access on Linux servers.

Introduction To Linux Security

Michael Boman

This document provides an introduction to Linux security. It covers turning off unnecessary servers and services, limiting access to needed servers using IPTables, updating the system regularly, and reading Linux log files. The document recommends keeping daemons and services disabled or bound to localhost when possible, using tools like netstat, IPTables, and log checking utilities to monitor open ports and system activity. It concludes with a question and answer section and recommends additional security resources.

SELinux basics

Lubomir Rintel

The document introduces SELinux, which uses mandatory access control (MAC) in addition to traditional UNIX discretionary access control (DAC). SELinux labels processes and files with security contexts that define access permissions in the security policy. The policy controls access between labeled processes and files through type enforcement rules. System administrators can manage labels and policy using tools like semanage and restorecon.

Linux Network Security

Amr Ali

This document discusses Linux network security and the xFirewall program. It provides an overview of Linux and its networking capabilities. It then describes iptables, the built-in Linux firewall, and xFirewall, a user-friendly frontend for iptables. xFirewall detects network attacks and logs unauthorized access based on allowed ports in its configuration file. The document shows nmap scan results for a system running xFirewall, demonstrating that it only allows connections to specified open ports and blocks other ports from being discovered.

XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...

The Linux Foundation

This document summarizes Xen security framework (XSM) which enables fine-grained control over interactions between domains, hypervisor, and resources. XSM uses mandatory access control based on security labels rather than discretionary access control. Permissions for subjects (processes or VMs) to interact with objects (files, ports, devices, etc.) are defined in security policies. The architecture includes security policies, a policy controlling entity, security server, access vector cache, and policy database. The decision making process involves checking the access vector cache, consulting the security server and policy database if needed, and returning the access decision. Challenges include ensuring atomic policy changes and consistency between security policy and runtime policy database.

Unix Security

replay21

Introduction To SELinux

Rene Cunningham

This document provides an overview of SELinux, including its introduction, access control mechanisms, policy, administration, and benefits. SELinux is a Linux security module that implements mandatory access controls to confine processes and restrict their access. It defines types for objects like files and directories, domains for processes, and roles to determine what access users and processes have. SELinux policy enforces these controls and can be configured through booleans and modified policy modules. It helps strengthen security by auditing access and confining services like web servers even if they are compromised by an attack.

SELinux Basic Usage

Dmytro Minochkin

Linux Security Scanning with Lynis

Are you really sure the security of your Linux systems is done properly? Since 2002, Michael Boelen performs research in this field. The answer is short: there is too much to possible and to do. For this reason, he created several open source security tools, to help others saving time. We will look into how Lynis can help with technical security scans. In this talk, we had a look on how Lynis helps with system hardening. We discussed the background of the tool, lessons learned after 13 years of open source software development, and what the future plans are.

SELinux Project Overview - Linux Foundation Japan Symposium 2008

The State of Security Enhanced Linux - FOSS.IN/2007

The document provides an overview and update on the State of Security Enhanced (SE) Linux project. It discusses that SE Linux is a security framework that uses type enforcement and mandatory access control to enforce confidentiality and integrity. It then summarizes that the project has expanded its policy tools, added dynamic policy loading, improved certification and protection, and continued extending its support beyond the Linux kernel. It closes by discussing ongoing work and how to get involved in helping the project.

What's hot

Threats, Vulnerabilities & Security measures in Linux

Amitesh Bharti

Linux security

trilokchandra prakash

2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview

Linux Security Overview

Kernel TLV

Security and Linux Security

Rizky Ariestiyansyah

Linux Security

nayakslideshare

Linux Operating System Vulnerabilities

Information Technology

Basic Linux Security

pankaj009

Security, Hack1ng and Hardening on Linux - an Overview

Kaiwan Billimoria

Futex Scaling for Multi-core Systems

Davidlohr Bueso

Linux Security, from Concept to Tooling

File System Implementation & Linux Security

Geo Marian

Introduction To Linux Security

Michael Boman

SELinux basics

Lubomir Rintel

Linux Network Security

Amr Ali

XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...

The Linux Foundation

Unix Security

replay21

Introduction To SELinux

Rene Cunningham

SELinux Basic Usage

Dmytro Minochkin

Linux Security Scanning with Lynis

What's hot (20)

Threats, Vulnerabilities & Security measures in Linux

Linux security

2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview

Linux Security Overview

Security and Linux Security

Linux Security

Linux Operating System Vulnerabilities

Basic Linux Security

Security, Hack1ng and Hardening on Linux - an Overview

Futex Scaling for Multi-core Systems

Linux Security, from Concept to Tooling

File System Implementation & Linux Security

Introduction To Linux Security

SELinux basics

Linux Network Security

XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...

Unix Security

Introduction To SELinux

SELinux Basic Usage

Linux Security Scanning with Lynis

Similar to Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008

SELinux Project Overview - Linux Foundation Japan Symposium 2008

The State of Security Enhanced Linux - FOSS.IN/2007

Zephyr Introduction - Nordic Webinar - Sept. 24.pdf

AswathRangaraj1

West is a command line tool that manages Zephyr projects. It initializes workspaces, updates repositories, and provides commands for common development tasks like building, flashing, and debugging. West separates the core tool functionality from Zephyr-specific extensions, allowing it to manage multiple projects. When initializing a workspace, West clones the main Zephyr repository and any dependencies, creating a reproducible development environment.

Best Practices for Deploying Enterprise Applications on UNIX

Noel McKeown

The document provides best practices for preparing a UNIX server for deploying enterprise applications. It discusses tasks such as OS installation, hardening the server, configuring shared storage, setting up system accounts, enabling sudo privileges, and disabling security features like iptables and SELinux that could interfere with applications. The goal is to baseline the server, lock down access, and set it up securely according to industry standards before deploying enterprise software.

2008-10-15 Red Hat Deep Dive Sessions: SELinux

This document discusses SELinux and provides details about: 1) The three SELinux policy types - targeted, strict, and multi-level security (MLS). It explains the differences between these policy types. 2) How SELinux works using type enforcement to define security contexts for subjects and objects to enforce access controls. 3) Tools that system administrators can use to manage SELinux policies and troubleshoot issues like semanage, sealert, and audit2allow. It provides examples of using these tools. 4) A scenario where a corporate VPN update broke a user's configuration and how SELinux logs and tools could help fix the issue.

Selinux

Ankit Raj

This document provides an introduction to SELinux, including a brief history of how it was created by the NSA and adopted in major Linux distributions. It explains the differences between Discretionary Access Control (DAC) and Mandatory Access Control (MAC) models. It also describes how SELinux works by enforcing security policies at the kernel level to confine processes and provide fine-grained access controls, and outlines some of the key benefits it provides like auditing and strengthening server security.

2008-01-22 Red Hat (Security) Roadmap Presentation

LinuxCon ContainerCon CloudOpen China

This document provides an agenda and overview for a Red Hat security seminar. The seminar will cover Red Hat emerging technologies like virtualization and security, Red Hat security features and certifications, SELinux enhancements in Red Hat Enterprise Linux 5, and high availability and clustering solutions. It will also discuss the Red Hat development model, JBoss enterprise services, and Red Hat identity management products.

stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...

NETWAYS

Kurt Garloff discusses the importance of open source software and digital sovereignty. He describes how open source is now ubiquitous but proprietary platforms still dominate IT. The Sovereign Cloud Stack (SCS) aims to address this by providing an open source reference implementation and standards for a modular, cloud infrastructure platform that can be operated by many entities. SCS will deliver certifiable standards, open source code, and knowledge sharing to enable more distributed control and choice in cloud infrastructure.

stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...

NETWAYS

Linux is everywhere. Open Source has won! It has not. While Open Source components are all over the place, the big IT players use them to build platforms that are not fully open but designed to lock their users in. The question to ask these days is not: “Are you building on top of open source?”, because everyone is. The question should be: “Do you allow others to rebuild your whole platform?” and “Do you allow others to contribute to it and shape its future?” Sounds utopian? Sovereign Cloud Stack (SCS) tries to do exactly this: Build a network of operators to define common standards together, implement them in a complete, openly developed and fully open source manner and then even collaborate on operating it well — which can be harder than building it. The speaker will discuss the vision behind the the SCS project, how it has build the community and the technology stack, what it has achieved so far and where it will go next.

Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT

Presentation delivered at LinuxCon China 2017. Zephyr is an upstream open source project for places where Linux is too big to fit. This talk will overview the progress we've made in the first year towards the projects goals around incorporating best of breed technologies into the code base, and building up the community to support multiple architectures and development environments. We will share our roadmap, plans and the challenges ahead of the us and give an overview of the major technical challenges we want to tackle in 2017.

GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future

GWAVA

The document outlines the roadmap for Novell Open Enterprise Server (OES). Key points include: - OES 11 SP1 was released in December 2012 with over 50 new features including single DVD install, virtualization improvements, and Linux user management enhancements. - OES 11 SP2 will include integration with SLES 11 SP3, eDirectory 8.8 SP8, improved deployment tools, and management/monitoring enhancements. - Future releases will focus on larger than 8TB storage support, improved file access protocols, Active Directory integration, and moving to a single update channel. The roadmap aims to address deployment issues and add support for new client platforms.

2008 08-12 SELinux: A Key Component in Secure Infrastructures

OSMC 2010 | Insides SUSE Linux by Joachim Werner

NETWAYS

Engage 2019 - SUSE Linux and Container update

Christian Holsing

A Summary about Hykes' Keynote on Dockercon 2015

Henry Huang

The keynote discussed Docker's goals of reinventing the programmer's toolbox through tools like Docker runtime, distribution, composition, machine management, clustering, networking, and extensibility plugins. It also discussed building better infrastructure plumbing through projects like Notary for secure content distribution and runC as a portable container runtime. Finally, it covered promoting open standards through the Open Container Project to define a vendor-neutral container format and ensure support from a broad industry coalition.

Overview of NSA Security Enhanced Linux - FOSS.IN/2005

NASA Open Government Initiative

This document provides an overview of NSA Security Enhanced Linux (SELinux). SELinux implements mandatory access control (MAC) to provide fine-grained access control and confinement of processes. It uses type enforcement (TE) and role-based access control (RBAC) models to define types for objects and domains for processes. TE rules in the SELinux policy specify which domains can access which object types. SELinux has been merged into the Linux kernel and adopted by several distributions to enhance security for network-facing services. Current development focuses on multi-level security and a reference policy, with future work on tools, policies, and additional applications.

Learn OpenStack from trystack.cn

OpenCity Community

TryStack.cn is a non-profit OpenStack testbed and community project in China that aims to promote OpenStack adoption. It operates the largest OpenStack testbed in China with hardware from various vendors. TryStack.cn provides reference architectures, best practices, and contributes code back to the community. It also organizes OpenStack meetups and training to help grow the OpenStack ecosystem in China.

Linux Environment- Linux Basics

Trinity Dwarka

2011 NASA Open Source Summit - Brian Stevens

The document summarizes Brian Stevens' presentation at the 2011 NASA Open Source Summit. The presentation discussed the history and evolution of open source, from UNIX in the 1980s to widespread Linux adoption today. Stevens emphasized the benefits of open source such as sharing, efficiency, agility, and collaboration over proprietary "islands." He highlighted SELinux as an example of an open source project that through community collaboration has become integrated into Linux and other operating systems. Stevens concluded by discussing Red Hat's Fedora distribution and emphasizing the importance of treating customers as partners in open source business models.

linux.pptx

AudieMarAgpawa

Kali Linux is an open-source, Debian-based Linux distribution designed for digital forensics and penetration testing. It contains hundreds of tools for security tasks like penetration testing, forensics, and vulnerability management. While offering advantages like customizability and security, Kali Linux is intended for security professionals and includes many hacking tools not needed for regular use.

Similar to Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008 (20)

SELinux Project Overview - Linux Foundation Japan Symposium 2008

The State of Security Enhanced Linux - FOSS.IN/2007

Zephyr Introduction - Nordic Webinar - Sept. 24.pdf

Best Practices for Deploying Enterprise Applications on UNIX

2008-10-15 Red Hat Deep Dive Sessions: SELinux

Selinux

2008-01-22 Red Hat (Security) Roadmap Presentation

stackconf 2023 | SCS: Buildig Open Source Cloud and Container Infrastructure ...

Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT

GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future

2008 08-12 SELinux: A Key Component in Secure Infrastructures

OSMC 2010 | Insides SUSE Linux by Joachim Werner

Engage 2019 - SUSE Linux and Container update

A Summary about Hykes' Keynote on Dockercon 2015

Overview of NSA Security Enhanced Linux - FOSS.IN/2005

Learn OpenStack from trystack.cn

Linux Environment- Linux Basics

2011 NASA Open Source Summit - Brian Stevens

linux.pptx

More from James Morris

sVirt: Hardening Linux Virtualization with Mandatory Access Control

OLPC Networking Overview

The document provides an overview of the networking aspects of the One Laptop Per Child (OLPC) project. It describes the OLPC hardware as a $100 rugged laptop with limited specs. The software is a minimal Linux-based system with a Sugar GUI. Networking requirements include adapting to various scenarios from small village networks to large school networks. Key networking technologies utilized are 802.11s wireless mesh networking with AODV and OLSR routing, IPv6 autoconfiguration, and potential IPSec encryption. The envisioned topology has schools connected to "mesh portals" that link to other schools and the internet.

Cryptographic Hardware Support for the Linux Kernel - Netconf 2004

Kernel Security for 2.8 - Kernel Summit 2004

Better IPSec Security Association Resolution - Netconf 2006 Tokyo

This document discusses improving IPsec security association resolution. It outlines problems with the current approach, where applications often get errors when no SA exists. The proposed solution is to have connect(), sendmsg(), and other calls return status to indicate resolution is in progress, and queue or retry packets as needed. Ongoing work includes handling all use cases and determining the full scope of the problem to address. Key challenges include different needs for opportunistic encryption versus large scale deployments.

How and Why You Should Become a Kernel Hacker - FOSS.IN/2007

SELinux Kernel Internals and Architecture - FOSS.IN/2005

SELinux is a Linux security module that provides mandatory access controls. It labels important system objects like processes, files, and network packets. These labels contain security context information used by SELinux policies to enforce access rules between subjects and objects. The SELinux policy is compiled and loaded into the kernel, where Linux Security Modules hooks mediate critical operations according to the policy.

Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)