Linux Security Status on 2017
Transcript of Linux Security Status on 2017
Linux Security 2017 status and AppArmor info.
Kazuki Omo( 面 和毅 ): [email protected]
Secure OSS Sig. : http://www.secureoss.jp
2
Who am I ?
- Security Researcher/Engineer (17 years)
- SELinux/MAC Evangelist (12 years)
- Antivirus Engineer (3 years)
- SIEM Engineer (3 years)
- Linux Engineer (17 years)
3
Agenda
- Current Linux Security Trend
- Update for AppArmor
Current Linux Security Status
5
Current Linux Security Status
No one is talking about these Anymore!!
In Japan OSS env...
- How to force users to enable SELinux/AppArmor.
- Why SELinux is better than AppArmor.
- Why you need to enable SELinux/AppArmor….
6
Current Typical Linux Security Projects.
- Kernel hardening
- Working with ChipSet
- MAC, Capability, SecComp.
- Userland (Container)
Chipset
8
ARM
Protect against illicit modification of pointers
9
ARM
10
AMD
Encryption to truly separate each VM.
11
AMD
Performance degradation is negligible.
12
AMD
Separate HostOS and GuestOS
13
TPM2 Support
Trusted Boot / Integrity Mgmt / Log for analysis
Kernel (Hardening)
16
Kernel Hardening
17
Kernel Self Protection
18
Kernel Self Protection
19
Kernel Self Protection
Discussion of Stack Clash
[Figure labels: jump, Stack, Stack guard]
Android (Environment)
22
ARM
Use Secure boot for integrity check.
23
Android: default (hash for integrity check)
24
SELinux in Android Oreo
25
SE-Android
SELinux is “already working” on Android.
Mitigating
26
SE-Android
Now they are focusing on making it easy to maintain.
27
SE-Android
Now they are focusing on making it easy to maintain.
MAC, Attack Surface Reducing, etc.
30
Access Control
Pre:
Docker(CentOS) → SELinux Enabled
Docker(AppArmor) → AppArmor Enabled
Disable SELinux?
Disable AppArmor?
31
Access Control (Stackable LSM)
[Figure labels: Container A, Container B, Container C, Host OS]
How to mix them → Stackable
Container/Cloud: Host Env is given by Host-Admin.
32
Attack Surface Reducing
seccomp
System call filtering
AppArmor Updates
34
AppArmor Updates
Stacking LSM / containers
35
AppArmor Updates
Policy Namespaces & Stacking
Conclusion
37
Conclusion
- Linux Security is still growing.
- Not so much information in Japan.
- We will keep watching/spreading/contributing.
38
Any Questions?
39
Thank You!!!