All,
I'm about to embark on a SELinux related final year project for BSc (Hons) in IT this semester. My goal is to learn SELinux well, compare to other (Linux) security projects, demystify it / demonstrate its pros and cons... I would like to do a thorough research on exploit / attack mitigation with SELinux as per Tresys website (http://www.tresys.com/innovation.php) and write a few (new) policies for software of my choice. I intend to use honeypots running Fedora 11 as my base system. However, I'm not sure if college class B network will produce conclusive results.
Thus, I would appreciate support, guidance and comments from (seasoned) SELinux gurus, developers and practitioners on this list in order to point me in the right direction when it comes to sourcing literature, white papers, research work other people might already have conducted and overcoming pitfalls related to such testing environments.
Kind regards,
Zbynek
On Sun, Sep 27, 2009 at 07:25:05PM +0100, Zbynek Houska wrote:
> All,
> I'm about to embark on a SELinux related final year project for BSc (Hons) in IT this semester. My goal is to learn SELinux well, compare to other (Linux) security projects, demystify it / demonstrate its pros and cons... I would like to do a thorough research on exploit / attack mitigation with SELinux as per Tresys website (http://www.tresys.com/innovation.php) and write a few (new) policies for software of my choice. I intend to use honeypots running Fedora 11 as my base system. However, I'm not sure if college class B network will produce conclusive results.
> Thus, I would appreciate support, guidance and comments from (seasoned) SELinux gurus, developers and practitioners on this list in order to point me in the right direction when it comes to sourcing literature, white papers, research work other people might already have conducted and overcoming pitfalls related to such testing environments.
Hello,
Here is a list with links to SELinux resources. http://selinuxproject.org/page/User_Resources
You have already found the right mailing lists (except the Tresys refpolicy list). I recommend that you also bookmark and study the list archives:
https://www.redhat.com/archives/fedora-selinux-list/ http://oss.tresys.com/pipermail/refpolicy/ http://marc.info/?l=selinux&r=1&w=2
Also have a look at this presentation: http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
This book: http://www.selinuxbyexample.com/
These: http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/ http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US...
And this: http://www.nsa.gov/research/selinux/
hth
> Kind regards,
> Zbynek
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Sun, Sep 27, 2009 at 9:53 PM, Dominick Grift domg472@gmail.com wrote:
> On Sun, Sep 27, 2009 at 07:25:05PM +0100, Zbynek Houska wrote:
> > All,
> > I'm about to embark on a SELinux related final year project for BSc (Hons) in IT this semester. My goal is to learn SELinux well, compare to other (Linux) security projects, demystify it / demonstrate its pros and cons... I would like to do a thorough research on exploit / attack mitigation with SELinux as per Tresys website (http://www.tresys.com/innovation.php) and write a few (new) policies for software of my choice. I intend to use honeypots running Fedora 11 as my base system. However, I'm not sure if college class B network will produce conclusive results.
> > Thus, I would appreciate support, guidance and comments from (seasoned) SELinux gurus, developers and practitioners on this list in order to point me in the right direction when it comes to sourcing literature, white papers, research work other people might already have conducted and overcoming pitfalls related to such testing environments.
> Hello,
Hi Dominick,
> Here is a list with links to SELinux resources. http://selinuxproject.org/page/User_Resources
> You have already found the right mailing lists (except the Tresys refpolicy list). I recommend that you also bookmark and study the list archives:
> https://www.redhat.com/archives/fedora-selinux-list/ http://oss.tresys.com/pipermail/refpolicy/ http://marc.info/?l=selinux&r=1&w=2
Oh, sure I always try to go through archives.
> Also have a look at this presentation: http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
> This book: http://www.selinuxbyexample.com/
> These: http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/
> http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US...
> And this: http://www.nsa.gov/research/selinux/
Thanks a lot for all the links you have put together for me. I believe I already have some of them, if not all of them. I was wondering if there is some academic research into SELinux (other than Flux / Flask) as other resources / references might be deemed as unsubstantiated.
> hth
Thanks,
Zbynek
> > Kind regards,
> > Zbynek
On Mon, 28 Sep 2009, Zbynek Houska zbynek.houska@gmail.com wrote:
> write a few (new) policies for software of my choice. I intend to use honeypots running Fedora 11 as my base system. However, I'm not sure if college class B network will produce conclusive results.
> Thus, I would appreciate support, guidance and comments from (seasoned) SELinux gurus, developers and practitioners on this list in order to point me in the right direction when it comes to sourcing literature, white papers, research work other people might already have conducted and overcoming pitfalls related to such testing environments.
Firstly firewall all traffic from the system in question - other than that which is required for it to be vulnerable to the attacks you desire. If you allow ICMP echo access then someone will try and ping-flood other systems. If you allow outbound TCP connections then your system may be used to compromise others.
Probably the best way to run honeypots is to use Xen or KVM to run virtual machines. This means that you have lots of good options for monitoring the machines while they are attacked. But don't assume that Xen or KVM is flawless - i.e. don't have any sensitive data on the same physical machine.
The purpose of a honeypot is to attract attack, running the latest versions of software is going to make it more difficult for attackers and partially defeats this goal. Maybe running Fedora 10 (or earlier) with no updates would be a better option. Of course you will probably want to back-port the latest SE Linux policy before you do this (which shouldn't be difficult).
It's been a while since anyone ran a SE Linux Play Machine on Fedora, I would be happy to offer detailed advice and some testing if you want to run one.
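Russell's first point (firewall everything the honeypot originates, except what the lure services need) as an added example; this is not his script nor anything from the list, and the interface name, gateway address and lure ports are constructed placeholders. The generator prints the iptables commands for review and only executes them when asked, so the ruleset can be checked before it touches the box. Outbound traffic is limited to replies on the exposed services and DNS to the gateway; everything else, including outbound echo requests and any new TCP connection, is logged and then dropped, which is what turns a ping flood or a spam attempt from the compromised guest into a log entry instead of an incident elsewhere.

```shell
#!/bin/sh
# Egress containment for a honeypot guest. Added example, not the list's or
# Russell's own script. The values below are constructed placeholders.
HONEYPOT_IF="${HONEYPOT_IF:-eth0}"   # interface facing the college network
GATEWAY="${GATEWAY:-192.0.2.1}"      # only host the box may contact on its own (TEST-NET placeholder)
LURE_PORTS="${LURE_PORTS:-22 80}"    # services deliberately left reachable to attract attacks

# Print the iptables commands making up the ruleset: default-deny in every
# direction, inbound only to the lure services, outbound only replies to those
# connections plus DNS to the gateway. Anything else the box originates is
# logged, then dropped, so outbound scans, ping floods or spam show up in syslog.
honeypot_egress_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
EOF
    for port in $LURE_PORTS; do
        echo "iptables -A INPUT -i $HONEYPOT_IF -p tcp --dport $port -j ACCEPT"
        # Replies only: no rule ever matches a NEW outbound TCP connection.
        echo "iptables -A OUTPUT -o $HONEYPOT_IF -p tcp --sport $port -m state --state ESTABLISHED -j ACCEPT"
    done
    echo "iptables -A OUTPUT -o $HONEYPOT_IF -d $GATEWAY -p udp --dport 53 -j ACCEPT"
    # Log outbound echo requests under their own prefix so a ping flood is easy to spot.
    echo "iptables -A OUTPUT -o $HONEYPOT_IF -p icmp --icmp-type echo-request -j LOG --log-prefix 'honeypot-ping: '"
    echo "iptables -A OUTPUT -o $HONEYPOT_IF -j LOG --log-prefix 'honeypot-egress: '"
    echo "iptables -A OUTPUT -o $HONEYPOT_IF -j DROP"
}

# Number of generated rules matching a pattern (0 if none); handy when reviewing.
rule_count() {
    honeypot_egress_rules | grep -c -- "$1" || true
}

# Review mode prints the commands; APPLY=1 executes them (needs root on the guest).
apply_honeypot_egress_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        # eval is safe here: every line comes from our own generator above.
        honeypot_egress_rules | while IFS= read -r cmd; do eval "$cmd"; done
    else
        honeypot_egress_rules
    fi
}

apply_honeypot_egress_rules
```

Run it once without `APPLY` to read the rules, then with `APPLY=1` on the guest. Whoever gains root on the honeypot can flush these rules, so the same policy (no unsolicited outbound traffic from the guest) should be enforced a second time on the KVM/Xen host or the gateway, where the attacker cannot reach it.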
On Mon, Sep 28, 2009 at 2:23 AM, Russell Coker russell@coker.com.au wrote:
> On Mon, 28 Sep 2009, Zbynek Houska zbynek.houska@gmail.com wrote:
> > write a few (new) policies for software of my choice. I intend to use honeypots running Fedora 11 as my base system. However, I'm not sure if college class B network will produce conclusive results.
> > Thus, I would appreciate support, guidance and comments from (seasoned) SELinux gurus, developers and practitioners on this list in order to point me in the right direction when it comes to sourcing literature, white papers, research work other people might already have conducted and overcoming pitfalls related to such testing environments.
> Firstly firewall all traffic from the system in question - other than that which is required for it to be vulnerable to the attacks you desire. If you allow ICMP echo access then someone will try and ping-flood other systems. If you allow outbound TCP connections then your system may be used to compromise others.
I think I will be using private VLANs on the switch (aka switchport protected / port protected on Cisco switches) which will limit that box to be able to talk to the gateway only, hence making it impossible to compromise other systems on same subnet. Firewall of some kind will have to be used too as for example outgoing SMTP traffic from that box isn't something I would like to see.
> Probably the best way to run honeypots is to use Xen or KVM to run virtual machines. This means that you have lots of good options for monitoring the machines while they are attacked. But don't assume that Xen or KVM is flawless - i.e. don't have any sensitive data on the same physical machine.
Yes, I was thinking of exactly the same - using either KVM or UML - will have to decide what way is the most feasible one.
> The purpose of a honeypot is to attract attack, running the latest versions of software is going to make it more difficult for attackers and partially defeats this goal. Maybe running Fedora 10 (or earlier) with no updates would be a better option. Of course you will probably want to back-port the latest SE Linux policy before you do this (which shouldn't be difficult).
Good point here, I didn't think it through.
> It's been a while since anyone ran a SE Linux Play Machine on Fedora, I would be happy to offer detailed advice and some testing if you want to run one.
I wasn't even thinking about making 'play machine(s)' as I hoped to bring some randomness into it by making it unannounced and hoping for the best - i.e. somebody trying to attack the box by scanning for running services. But I have to admit, the way you proposed is more controllable and will possibly yield more predictable results (rather than waiting for a random attack). Do you have much experience in setting up and running such boxes? If so, would you mind shedding some light on the entire process, please? However, I reckon I will need to announce a kind of 'hackathon' (on this list?) in order to achieve some results as I can't imagine being impartial if I do the attacks myself...
Regards,
Z.
> -- russell@coker.com.au http://etbe.coker.com.au/ My Main Blog http://doc.coker.com.au/ My Documents Blog