Meeting Critical Security Objectives with Security-Enhanced Linux
Presentation Outline
The Need for Secure OS
Why is DAC inadequate?
What can MAC offer?
MAC Implementation Issues
Customize according to need
Security Solutions with Flexible MAC
Toward a New Form of MAC
The Flask Security Architecture
The Flask Security Architecture (2)
Policy Decisions
Policy Changes
Controlled Services
Security Server Interface
Security Server Interface (2)
Security Server Interface (3)
Permission Checking Examples
Permission Checking Examples (2)
API Enhancements
Example Security Server
Example Policy Configuration: TE Concepts
Type Enforcement: Domains
Type Enforcement: Types
Sample TE Rules
Example Policy Configuration: RBAC concepts
Role-Based Access Control: Roles
Example Policy Configuration: Security Objectives
Limiting raw access to data
Limiting raw access to data (2)
Kernel integrity protection
Kernel integrity protection (2)
System file integrity protection
Confining privileged processes
Confining privileged processes (2)
Separating Processes
Administrator domain protection
Malicious software protection
Performance
Ongoing and future work
Linux Security Module Project
Questions?
Author: Peter A. Loscocco
E-mail: loscocco@tycho.nsa.gov