2014 04-03 xyratex event
TRANSCRIPT
Secure Foundations: An SELinux Primer
Shawn Wells Director, Innovation Programs & Lead Developer, SCAP
20 MINUTES, 2 QUESTIONS
1. How do we label data?
2. How do we verify security compliance?
FIRST: An SELinux History Lesson
• Originated from NSA R&D
• First release in December 2010
• Integrated into mainline Linux in 2003
FIRST: An SELinux History Lesson
What An Attacker Can’t Do
• Read/manipulate user data
• Read/manipulate system files
• Attack data/processes owned by other compartments (via polyinstantiation)
• Attack other machines on the network, unless authorized to pass traffic on a specific port
• Evade audit subsystem
Role Based Access Control
SCAP Security Guide
[Screenshot labels: SCAP HTML; OpenSCAP Firefox]
• CAPP: Users control who accesses their data.
• RBAC: Users are classified into roles (“BackupAdm,” “AuditAdm”...).
• LSPP: Compartmentalizes users and applications from each other. Enables MLS.

| Product | Certification Date | EAL Level | CAPP | RBAC | LSPP |
|---|---|---|---|---|---|
| Red Hat Enterprise Linux 6 with KVM | 2012-10-08 | EAL4+ | YES | YES | YES |
| Red Hat Enterprise Linux 5.6 with KVM | 2012-04-20 | EAL4+ | YES | YES | YES |
| IBM z/VM Version 5 Release 3 (for IBM System z Mainframes) | 2008-08-06 | EAL4+ | YES | NO | YES |
| VMWare vSphere 5.0 | 2012-05-18 | EAL4+ | NO | NO | NO |
| VMWare ESXi 4.1 | 2010-12-15 | EAL4+ | NO | NO | NO |
| Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050 | 2009-07-24 | EAL4+ | NO | NO | NO |