Home
/
IBM
/
Novell 10 SP1 EAL4
/
Design Manual

IBM Novell 10 SP1 EAL4, Design Manual

Share

Page: 34 / 246

IBM Novell 10 SP1 EAL4 Design Manual Download Page 34

4.1.2.3 Programs with software privilege

Examples of programs running with software privilege are:

•

Programs that are run by the system, such as the

cron

and

init

daemons.

•

Programs that are run by trusted administrators to perform system administration.

•

Programs that run with privileged identity by executing setuid programs.

All software that runs with hardware privileges or software privileges, and that implements security enforcing
functions, is part of the TOE Security Functions (TSF).  All other programs are either unprivileged programs
that run with the identity of the user that invoked the program, or software that executes with privileges but
does not implement any security functions.
In a properly administered system, unprivileged software is subject to the security policies of the system and
does not have any means of bypassing the enforcement mechanisms.  This unprivileged software need not be
trusted in any way, and is thus referred to as untrusted software.  Trusted processes that do not implement any
security function need to be protected from unauthorized tampering using the security functions of the SLES.
They need to be trusted to not perform any function that violates the security policy of the SLES.

4.2 TOE Security Functions software structure

This section describes the structure of the SLES software that constitutes the TOE Security Functions (TSF).
The SLES system is a multi-user operating system, with the kernel running in a privileged hardware mode,
and the user processes running in user mode. The TSF includes both the kernel software and certain trusted
non-kernel processes.
Figure 4-2 depicts the TSF and non-TSF portions of software. Subsequent sections provide more detailed
descriptions of the kernel and non-kernel TSF architectural subsystems.

22

Figure 4-2: TSF and non-TSF software

«
...
32
33
34
35
36
...
»

Summary of Contents for Novell 10 SP1 EAL4

Page 1: ...SUSE Linux Enterprise Server 10 SP1 EAL4 High Level Design Version 1 2 1...

Page 2: ...in the United States other countries or both Linux is a registered trademark of Linus Torvalds UNIX is a registered trademark of The Open Group in the United States and other countries Intel and Pent...

Page 3: ...stration 10 2 2 6 TSF interfaces 10 2 3 Approach to TSF identification 11 3 Hardware architecture 14 3 1 System x 14 3 1 1 System x hardware overview 14 3 1 2 System x hardware architecture 14 3 2 Sys...

Page 4: ...tems 35 4 4 4 Trusted process subsystems 35 4 4 5 User level audit subsystem 36 5 Functional descriptions 38 5 1 File and I O management 38 5 1 1 Virtual File System 39 5 1 1 1 Pathname translation 41...

Page 5: ...1 8 5 Work queue 64 5 1 9 Processor interrupts 64 5 1 10 Machine check 64 5 2 Process control and management 65 5 2 1 Data structures 66 5 2 2 Process creation and destruction 67 5 2 2 1 Control of c...

Page 6: ...ion 4 IPv4 86 5 4 3 2 Internet Protocol Version 6 IPv6 86 5 4 3 3 Transition between IPv4 and IPv6 88 5 4 3 4 IP Security IPsec 88 5 4 4 Internet Control Message Protocol ICMP 93 5 4 4 1 Link layer pr...

Page 7: ...s 151 5 6 Audit subsystem 151 5 6 1 Audit components 152 5 6 1 1 Audit kernel components 153 5 6 1 2 File system audit components 156 5 6 1 3 User space audit components 157 5 6 2 Audit operation and...

Page 8: ...stem p 185 5 10 3 1 Boot methods 185 5 10 3 2 Boot loader 185 5 10 3 3 Boot process 185 5 10 4 System p in LPAR 187 5 10 4 1 Boot process 188 5 10 5 System z 191 5 10 5 1 Boot methods 191 5 10 5 2 Con...

Page 9: ...Symmetric ciphers 217 5 12 2 Secure Shell 218 5 12 2 1 SSH client 220 5 12 2 2 SSH server daemon 220 5 12 3 Very Secure File Transfer Protocol daemon 220 5 12 4 CUPS 221 5 12 4 1 cupsd 222 5 12 4 2 p...

Page 10: ...ns 242 5 14 2 1 cron 242 5 14 2 2 atd 243 5 15 User level audit subsystem 243 5 15 1 Audit daemon 243 5 15 2 Audit utilities 244 5 15 2 1 aureport 244 5 15 2 2 ausearch 245 5 15 2 3 autrace 245 5 15 3...

Page 11: ...objects DA 4 252 6 4 Object reuse 253 6 4 1 Object reuse file system objects OR 1 253 6 4 2 Object reuse IPC objects OR 2 253 6 4 3 Object reuse memory objects OR 3 253 6 5 Security management 253 6...

Page 12: ...process control and management 259 6 8 1 3 Kernel subsystem inter process communication 260 6 8 1 4 Kernel subsystem networking 263 6 8 1 5 Kernel subsystem memory management 264 6 8 1 6 Kernel subsys...

Page 13: ...a source of information about the architecture of the system for any evaluation team 1 2 Document overview This HLD contains the following chapters Chapter 2 presents an overview of the IBM eServer sy...

Page 14: ...as networked workstations and servers Figure 2 1 shows a series of interconnected TOE systems Each TOE system is running the SLES operating system on an eServer computer Each computer provides the sa...

Page 15: ...needs by providing unlimited scalability support for open standards and mission critical qualities of service Following are systems in the IBM eServer product line that are included in the TOE System...

Page 16: ...ent a structural overview of the hardware and software that make up an individual eServer host computer This single computer architecture is one of the configurations permitted under this evaluation 2...

Page 17: ...t run with the administrative privilege such as the sshd cron atd and vsftpd daemons The TSF also includes the configuration files that define authorized users groups of users services provided by the...

Page 18: ...on travel across a LAN segment and they are routed by a host in that segment to a host on another LAN segment The packets are eventually routed by the host in the second LAN segment to a host on a thi...

Page 19: ...s 2 2 4 Security policy A user is an authorized individual with an account Users can use the system in one of three ways 1 By interacting directly with the system thorough a session at a computer cons...

Page 20: ...other directly attached terminals or through a network connection Authentication is based on a password entered by the user and authentication data stored in a protected file Users must log in to a h...

Page 21: ...structions are externally visible interfaces However the unprivileged processor instructions do not implement any security functionality and the processor restricts these instructions to the bounds de...

Page 22: ...oftware that must function correctly to support the system security mechanisms It is required for system administration It consists of TSF data or configuration files It consists of libraries linked t...

Page 23: ...11...

Page 24: ...efault asp The Intel Xeon processor is mainly based on EM64 technology which has the following three operating modes 32 bit legacy mode In this mode both AMD64 and EM64T processors will act just like...

Page 25: ...D configurations of SCSI and fiber channel disks and options for high speed networking The IBM System p servers are equipped with a real time hardware clock The clock is powered by a small battery and...

Page 26: ...essing units contain the z Architecture logic There are three modes in which Linux can be run on a System z server native hardware mode logical partition mode and z VM guest mode The following paragra...

Page 27: ...isk drives RAID 1 mirroring and options for high speed networking The IBM eServer 326 server is equipped with a real time hardware clock The clock is powered by a small battery and continues to tick e...

Page 28: ...with a compatibility thunk layer The thunk layer is a library provided by the operating system The library resides in a 32 bit process created by the 64 bit operating system to run 32 bit applications...

Page 29: ...17...

Page 30: ...ovide TSF self protection This section does not enumerate the privileged and unprivileged programs Rather the TSF Software Structure identifies the privileged software as part of the description of th...

Page 31: ...m z The System z systems also provide two execution modes identified by the Problem State bit bit 15 of the processor s Program Status Word PSW A value of 0 indicates a supervisor or kernel execution...

Page 32: ...d with user ID zero into a set of discrete privileges based on the operation being attempted For example if a process is trying to create a device special file by invoking the mknod system call instea...

Page 33: ...er what conditions DAC access control lists are described in detail in Section 5 1 5 4 1 2 1 4 Software privilege Software privilege for DAC policy is based on the user ID of the process At any time e...

Page 34: ...t have any means of bypassing the enforcement mechanisms This unprivileged software need not be trusted in any way and is thus referred to as untrusted software Trusted processes that do not implement...

Page 35: ...ance of processes to share portions of their address space under certain conditions but protection of the private address space of a process from outside tampering If the system runs low on free memor...

Page 36: ...those that allow the creation scheduling execution and deletion of process and thread subjects Memory subsystem This subsystem implements functions related to the management of memory resources of a s...

Page 37: ...specific C kernel functions Kernel threads reside in kernel space and only run in the kernel mode Following are some of the kernel threads keventd is a process context bottom half handler that execute...

Page 38: ...ed by the init program during system initialization The auditd daemon reads audit records from the kernel buffer through the audit device and writes them to disk in the form of audit logs The cron dae...

Page 39: ...update a user s password The passwd command turns off terminal echo while the user is typing the old as well as the new password in order to prevent displaying the password typed by the user Refer to...

Page 40: ...en two untrusted hosts over an insecure network star is a version of the tar command that preserves extended attributes Extended attributes are the means by which ACLs are associated with file system...

Page 41: ...rocess communication This subsystem includes the IPC kernel subsystem Networking This subsystem contains the kernel networking subsystem Memory management This subsystem contains the kernel memory man...

Page 42: ...tem contains the portion of the audit system that lies outside the kernel This subsystem contains the auditd trusted process which reads audit records from the kernel buffer and transfers them to on d...

Page 43: ...31...

Page 44: ...tems The file systems supported by TOE are ext3 proc tmpfs sysfs devpts CD ROM rootfs and binfmt_misc At the user interface level a file system is organized as a tree with a single root called a direc...

Page 45: ...ections describe data structures and algorithms that comprise each subsystem with special focus on access control and allocation mechanisms 5 1 1 Virtual File System The Virtual File System VFS provid...

Page 46: ...le model of VFS involve the use of a file pathname The file pathname is either an absolute pathname such as ext3mnt file1 or a relative pathname such as ext3mnt file1 The translation of a pathname to...

Page 47: ...s has write access to the directory being modified Directories cannot be directly written into Access checking in VFS is performed while an inode is derived from the corresponding pathname Each access...

Page 48: ...Figure 5 5 VFS pathname translation and access control checks 36 Figure 5 5 VFS pathname translation and access control checks...

Page 49: ...e the process is authorized to write in this directory Again if the operation vector of the inode is set then the call to permission is diverted to the disk based file system specific permission call...

Page 50: ...l buffers acquires the big kernel lock and invokes the do_mount function to perform the mount There are no object reuse issues to handle during file system mounting because the data structures created...

Page 51: ...SLES kernel s ext3 file system kernel is a robust and efficient file system that supports the following Automatic consistency checks Immutable files Preallocation of disk blocks to regular files Fast...

Page 52: ...ot be modified no link can be created to it and it cannot be renamed or removed Only an administrator can change this attribute Append only if this attribute is set the file may only be modified in ap...

Page 53: ...t3_lookup This routine is called when VFS real_lookup calls the disk based file system lookup routine of the disk based file system through the inode operation vector The ext3_find_entry is called by...

Page 54: ...42 Figure 5 8 New data blocks are allocated and initialized for an ext3 field...

Page 55: ...stems HOWTO html 5 1 2 2 1 Data structures and algorithms The following data structures and inode operations implement the file system on the SLES kernel vfs_permission Because the file system is a re...

Page 56: ...hich prevents access by normal users to data of other processes In addition to vfs_permission different files in the proc file system define their own access control service functions These service fu...

Page 57: ...device represent a pseudo terminal The slave device provides a terminal interface Instead of a hardware interface and associated hardware supporting the terminal functions a process that manipulates t...

Page 58: ...lacement of the dnotify tool which had the same purpose inotify is relevant because different sorts of applications might want or need to know when events such as file changes or creation happen An ex...

Page 59: ...1 Permission bits generic_permission implements standard UNIX permission bits to provide DAC for file system objects for the procfs devpts sysfs tmpfs securityfs binfmt_misc and ISO 9660 file systems...

Page 60: ...on A type of tag that specifies the type of the ACL entry A qualifier that specifies an instance a type of an ACL entry A permission set that specifies the discretionary access rights for processes id...

Page 61: ...is optional 5 1 5 2 6 Default ACLs and ACL inheritance A default ACL is an additional ACL which can be associated with a directory This default ACL has no effect on the access to this directory Inste...

Page 62: ...ranted else access is denied else if the file system group ID or any of the supplementary group IDs of the process match the qualifier of the entry of type ACL_GROUP_OBJ or the qualifier of any entry...

Page 63: ...Process destroys the asynchronous I O context using the io_destroy system call AIO uses the kernel bottom half mechanism of work queues to perform deferred work of AIO io_setup sets up a work queue na...

Page 64: ...ed delay component into the dispatching equation The delay is invoked on any new request to the device driver thereby allowing a thread that just finished its I O request to submit a new request Imple...

Page 65: ...kernel for processing Depending on the signal the kernel executes an appropriate interrupt handler to process the event Responsiveness of the system can be increased by promptly handling the interrupt...

Page 66: ...en CPUs must be provided Inter processor interrupts IPIs are used to exchange messages between CPUs in SMP system The following group of functions helps in issuing IPIs send_IPI_all Sends an IPI to al...

Page 67: ...ant structures that are used to implement processes and highlight security relevant credentials fields Process Creation and Destruction describes creation destruction and maintenance of a process with...

Page 68: ...suid and sgid which describe the saved user ID and saved group ID of a process groups which lists the groups to which the process belongs state which describes the run state of the process pid which i...

Page 69: ...security relevant credentials including uid euid gid and egid Because these credentials are used for access control decisions the child is given the same level of access to objects as the parent The c...

Page 70: ...do_exit Process termination is handled in the kernel by the do_exit function The do_exit function removes most references to the terminating process from the kernel data structures and releases resou...

Page 71: ...ssignment can cause the expired queue to become the active queue again making turnaround quite efficient For more information about O 1 scheduling refer to Linux Kernel Development A Practical guide t...

Page 72: ...ad entered into kernel mode via system calls until or unless the task voluntarily relinquished the CPU Because the kernel is preemptible a kernel task can be preempted so that some important user appl...

Page 73: ...mpt counter preempt_disable increments the preempt counter get_cpu calls preempt_disable followed by a call to smp_processor_id put_cpu re enables preemption Using these defines we could rewrite the a...

Page 74: ...a simple scenario a curbuf pointer indicates the first buffer that contains data in the array and nrbufs indicates the number of buffers that contain data The page structures are allocated and used as...

Page 75: ...very similar to the unnamed pipe described in Section 5 3 1 Unlike the unnamed pipe a FIFO has an entry in the disk based file system A large portion of the internal implementation of a FIFO pipe is i...

Page 76: ...he implementation of the enforcement of DAC and the handling of object reuse by the allocation algorithms The IPC mechanisms share the following common properties Each mechanism is represented by a ta...

Page 77: ...he kernel uses the memory for the kernel s internal purposes 5 3 3 2 2 ipcperms The ipcperms function is called when a process attempts to access an IPC resource ipcperms enforces the DAC policy Discr...

Page 78: ...med by invoking the ipcperms function 5 3 3 4 Semaphores Semaphores allow processes to synchronize execution by performing a set of operations atomically on themselves An important data structure impl...

Page 79: ...key A newly created shared memory segment s credentials are initialized from the creating process s credentials shmget invokes newseg to initialize the shared memory region newseg invokes shmem_file_...

Page 80: ...ther from the kernel or from another process is performed by invoking the routine send_sig_info The kill system call along with signal generation by the kernel ultimately invokes send_sig_info send_si...

Page 81: ...by them refer to Section 5 12 of this document 5 4 Network subsystem The network subsystem allows Linux systems to connect to other systems over a network It provides a general purpose framework with...

Page 82: ...ation see the TCP IP Tutorial and Technical Overview IBM Redbook by Adolfo John Roland It is at the http www redbooks ibm com abstracts gg243376 html website 5 4 1 Overview of the network protocol sta...

Page 83: ...them down to the link layer Transmission Control Protocol TCP and User Datagram Protocol UDP are the most commonly used transport layer protocols UDP simply provides a framework for addressing packet...

Page 84: ...nternet Protocol Version 4 IPv4 IPv4 aka simply IP is the standard that defines the manner in which the network layers of two hosts interact These hosts can be on the same network or reside on physica...

Page 85: ...as well as space for future growth A scope field has been added to multicast addresses to make for increased scalability The scope identifies whether the packet should be multicast only on the link si...

Page 86: ...tack both IPv4 and IPv6 are implemented in the operating system Linux implements both IPv4 and IPv6 The second mechanism uses tunnels The IPv4 network exists while the IPv6 infrastructure is in progre...

Page 87: ...is usually used for security between two hosts In tunnel mode AH and ESP provide security to the entire IP datagram The entire original IP datagram is encapsulated and an outer IP header attached Tunn...

Page 88: ...ESP header When authentication is also chosen within the ESP protocol the data is encrypted first and then authenticated The authenticated data is placed in the authentication data field If no authen...

Page 89: ...the creation and deletion of policy SAs and keys Automated SA and key management is done through the IKE protocol 5 4 3 4 1 6 Internet Key Exchange Protocol IKE The Internet Key Exchange IKE protocol...

Page 90: ...oss domain user mappings and other related security information to be cached in the kernel for the file systems to use other kernel services A special kind of key called a keyring which contains a lis...

Page 91: ...interfaces When sockets are used to establish a connection between two programs across a network there is always an asymmetry between the two ends One end on the server creates a communication endpoin...

Page 92: ...does not use these LSM hooks 5 4 5 2 bind bind associates a name address to a socket that was created with the socket system call It is necessary to assign an address to a socket before it can accept...

Page 93: ...y_socket_listen LSM hook but the SLES kernel does not use this hook listen does not create any data objects that are accessible to users so there are no object reuse issues to handle Only TCP sockets...

Page 94: ...hat provides a mapping between process memory references and the machine s physical memory The memory management subsystem maintains this mapping on a per process basis so two processes can access the...

Page 95: ...Kernel Memory Management describes how the kernel allocates dynamic memory for its own use and highlights how the kernel takes care of object reuse while allocating new page frames The fourth subsect...

Page 96: ...s so the kernel was able to recognize all architectures as if they possessed three level page tables The new page table structure actually implemented includes a new level called PUD immediately below...

Page 97: ...program a processor accesses memory to fetch instructions or to fetch and store data Addresses used by the program are virtual addresses The memory management subsystem provides translation from virt...

Page 98: ...s A logical address is included in the machine language instructions to specify the address of an operand or an instruction It consists of a segment and an offset or displacement that denotes the dist...

Page 99: ...Segment Descriptors are stored in either the Global Descriptor Table GDT or the Local Descriptor Table LDT The system has one GDT but may create an LDT for a process if it needs to create additional...

Page 100: ...of data that can be stored in a page frame in memory or on disk Data structures that map linear addresses to physical addresses are called page tables Page tables are stored in memory and are initiali...

Page 101: ...s fields that describe the page table or page entry such as accessed flag dirty flag and page size flag The two important flags for access control are the Read Write flag and the User Supervisor flag...

Page 102: ...levels They define entry points in more privileged code to which control can be transferred Intel processors use these call gates which control CPU transitions from one level of privilege to other Cal...

Page 103: ...ress extension PAE paging structures to potentially support mapping a 64 bit linear address to a 52 bit physical address In the first implementation of the Intel EM64T PAE paging structures are extend...

Page 104: ...n describes logical partitions and their impact on memory addressing and access control To learn more about System p systems see PowerPC 64 bit Kernel Internals by David Engebretson Mike Corrigan Pete...

Page 105: ...ird mode of operation for the processor This third mode called the hypervisor mode provides all the partition control and partition mediation in the system It also affects access to certain instructio...

Page 106: ...state The hypervisor takes the value of 1 for hypervisor mode and 0 for user and supervisor mode The following table describes the privilege state of the processor as determined by MSR HV and MSR PR a...

Page 107: ...or calls from the kernel space intended for the hypervisor Hypervisor calls can only be made from the supervisor state This access restriction to hypervisor calls is implemented with general purpose r...

Page 108: ...box Because the hypervisor is accessible only through the kernel mode no specific access control is performed when the kernel interacts with the hypervisor The kernel does provide an RTAS system call...

Page 109: ...called logical address regions which have been assigned in granular chunks to that partition These logical address regions provide the physical memory that backs up the virtual page address spaces fo...

Page 110: ...sing shared resources in a way that would deny or restrict access to those resources by other partitions A key example is the hypervisor itself which is implemented as a library of services shared by...

Page 111: ...effective address to a physical address It consists of a virtual segment ID bits 0 35 a page offset within the segment bits 36 51 and a byte offset within the page bits 52 63 All processes are given...

Page 112: ...ective address page or block and settings in the processor Machine State Register MSR Settings in the MSR and page segment and block descriptors are used in implementing access control The following d...

Page 113: ...egments are described by Segment Table Entries STEs The operating system generates and places STEs in segment tables in memory Each STE is a 128 bit entry that contains information for controlling seg...

Page 114: ...address translation mechanism based on the MSR settings for instruction IR or data DR access For performance measurement the processor concurrently starts both Block Address Translation BAT and Segmen...

Page 115: ...only for supervisor mode access only or for user and supervisor access In addition BAT allows the operating system to protect blocks of memory for read access only read write access or no access BAT t...

Page 116: ...e Register and the segment table Page level access control uses a key bit from Segment Table Entry STE along with the Page Protection PP bits from the Page Table Entry to determine whether supervisor...

Page 117: ...105 Figure 5 48 Page Address Translation and access control...

Page 118: ...n Native Hardware mode but still requires device driver support for devices dedicated to a partition 5 5 2 4 3 z VM Guest mode In z VM Guest mode SLES runs as a guest operating system on one or more z...

Page 119: ...ich allow each number to be associated with a byte location in memory The sequence starts at zero and proceeds left to right The z Architecture provides the means to access different address spaces In...

Page 120: ...which address space translation mode primary secondary access register or home is used for the translation The following diagram illustrates the logic used to determine the translation mode If the DAT...

Page 121: ...the CR7 For home address translation mode the Home Address Space Control Element HASCE is obtained from the CR13 In access register translation mode the Access List Entry Token ALET in the access reg...

Page 122: ...for each CPU thus permitting more than one CPU sharing main memory to operate concurrently with a minimum of interference Prefixing is performed with the help of a prefix register No access control i...

Page 123: ...ontrolled protection The protection mechanisms are applied independently at different stages of address translation Access to main memory is only permitted when none of the mechanisms prohibit access...

Page 124: ...ach page table entry and segment table entry Protection can be applied to a single page or an entire segment a collection of contiguous pages Once the ASCE is located the following dynamic address tra...

Page 125: ...113 Figure 5 54 31 bit Dynamic Address Translation with page table protection...

Page 126: ...114 Figure 5 55 64 bit Dynamic Address Translation with page table protection...

Page 127: ...ontrolled protection is based on using the access key and the storage key to evaluate whether access to a specific memory location is granted The 7 bit storage key consists of access control bits 0 1...

Page 128: ...briefly describes the eServer 326 memory addressing scheme For more detailed information about the eServer 326 memory management subsystem see AMD64 Architecture Programmer s Manual Volume 2 System Pr...

Page 129: ...resses are translated from virtual addresses using page translation mechanisms 5 5 2 5 5 Segmentation Segmentation is a method by which system software can isolate software processes or tasks and the...

Page 130: ...e value is lower than the DPL value higher privilege Otherwise a general protection exception occurs and the segment register is not loaded The following diagram from AMD64 illustrates data access pri...

Page 131: ...the code segment selector located in the call gate the processor performs the following three privilege checks 1 Compare the CPL with the call gate DPL from the call gate descriptor The CPL must be l...

Page 132: ...e page table setup supports up to 48 bits of address space The x86 64 architecture supports page sizes of 4 KB and 2 MB Figure 5 61 illustrates how paging is used to translate a 64 bit virtual address...

Page 133: ...and byte offset of the 4 KB page translation are combined to provide a byte offset into the 2 MB physical page Figure 5 62 illustrates how paging is used to translate a 64 bit linear address into a ph...

Page 134: ...ing paging These fields are the Read Write R W flag the User Supervisor U S flag and the No Execute NX flag The following diagram shows the bit positions in a page map level 4 entry The flags hold the...

Page 135: ...ded Feature Enable Register EFER In addition to the R W U S and NX flags of the page entry access control is also affected by the Write Protect WP bit of register CR0 If the write protection is not en...

Page 136: ...5 64 shows a sample NUMA design Each node in the system is simply a 4 processor SMP system Each CPU in the node contains a L1 and L2 cache The node contains an L3 cache which is shared by all process...

Page 137: ...ing information By using the TLB a translation can be performed without referencing the in memory page table entry that maps the virtual address However to keep translations as fast as possible the TL...

Page 138: ...ystem The name of the file is determined by an atomic counter called hugetlbfs_counter which is incremented every time a shared region is set up To create a file backed by huge pages the system admini...

Page 139: ...ts and thousands of concurrent users to be supported This section describes dynamic memory used by the kernel and describes the object reuse requirement This section also discusses the three sections...

Page 140: ...a gfp_mask flag that is always set to GFP_KERNEL __GFP_HIGHMEM __vmalloc in turn calls vmalloc_area_pages which will allocate the PTEs for the page requested 5 5 4 Process address space The address sp...

Page 141: ...ntil the process attempts to access that address for a write operation This technique is called demand paging When accessing the address for a read operation the kernel gives the address an existing p...

Page 142: ...eing interrupted in the middle and avoids accesses to the same memory location by other CPUs The SLES kernel provides a special atomic_t data type and special functions that act on atomic_t variables...

Page 143: ...fect the security of a computer system In particular an auditing facility records any action by any user that may represent a breach of system security For each action the auditing facility records en...

Page 144: ...x Audit consists of a standard sockets based interface for user processes and an internal kernel API for kernel modules 5 6 1 1 1 Kernel userspace interface On top of netlink there exists the generic...

Page 145: ...ject is done based on dev and or inode depending on whether dev inode is specified in the rule or whether a path is specified At kernel startup four lists are created to hold the filter rules One list...

Page 146: ...reate per task audit_context No syscall specific audit records will be generated for the task AUDIT_SETUP_CONTEXT Create the per task audit_context but don t necessarily fill it in a syscall entry tim...

Page 147: ...vector of inotify operations using the inotify_init function The operations vector contains the audit subsystem inotify event notification function audit_handle_ievent and the audit subsystem inotify...

Page 148: ...an initial setup file auditd rules There is also an init script that is used to start and stop auditd etc init d auditd When run this script sources another file etc sysconfig auditd to set the local...

Page 149: ...ILESYSTEM This enables file system auditing At boot time LAF provides the option audit which enables the system call and file system auditing support If audit is set to 1 system call and file system a...

Page 150: ...mum log space is reached ignore syslog suspend rotate space_left Low water mark space_left_action What action to take when low water mark is reached ignore syslog suspend single halt admin_space_left...

Page 151: ...e using auditctl e 1 5 The file system auditing is initialized by creating the watch lists and the hash table for the file system auditing auditd does the following on startup 1 Registers its pid with...

Page 152: ...al logging mechanism active This mechanism offers a set of APIs that can be used by other kernel subsystems such as SELinux SELinux is not used in SLES If the audit daemon is not listening or Netlink...

Page 153: ...ended with calls to audit framework functions Ordinarily system calls are performed in a three step process The first step changes from user to kernel mode copies system call arguments and sets up app...

Page 154: ...s chown chmod setxattr and removexattr are audited by audit_inode hooks inserted into the system calls The hooks directly update the inode information in the audit context When a watched object is acc...

Page 155: ...y audit information is placed on the netlink 5 6 3 1 5 Record generation by trusted programs Trusted programs create their own audit records in which their actions are described The following describe...

Page 156: ...ique for each syscall and lasts from syscall entry to syscall exit The tuple is composed of the timestamp and the serial number Each audit record for system calls contain the system call return code w...

Page 157: ...gments Syscalls shmget shmctl Rejection or acceptance by the TSF of any tested secret Audit record type USER_AUTH from PAM framework and audit record type USER_CHAUTHTOK from shadow utilities Use of i...

Page 158: ...has the ability to run this tool First ausearch checks the validity of the parameters passed whether they are supported or not Then it opens either the logs or the administrator specified files The lo...

Page 159: ...remove already tagged modules Modules stay tagged if they remain unused since the previous invocation of rmmod a This two step cleanup approach avoids transiently unused modules Only root administrato...

Page 160: ...k LSM also provides a simple mechanism for stacking additional security modules with the primary security module It defines register_security and unregister_security hooks in the security_operations s...

Page 161: ...omputing process capabilities on execve and set uid checking capabilities for a particular process saving and checking capabilities for netlink messages and handling the capget and capset system calls...

Page 162: ...boot time warn panic build or build panic whether the OWLSM extension should be loaded and whether event logging should occur For more information about AppArmor configuration please see the man page...

Page 163: ...do the opposite switch from complain to enforcing mode for a particular profile genprof can be used to generate a profile with all of the permission that were exercised during a test run of the target...

Page 164: ...orking traffic to a network adapter The physical layer of the networking stack invokes appropriate functions to send and receive networking packets through a network adapter The device driver correspo...

Page 165: ...am addressable guest registers the addresses of related control tables bits for controlling the operation of optional facilities areas for displaying information concerning and interception informatio...

Page 166: ...be prohibited such as I O Each access to such a virtualized resource causes the SIE instruction to terminate on the requesting processor and to return control back to the CP Based on CP s internal st...

Page 167: ...es Programs operate on block devices by opening their file system entries The file system entry contains a major and a minor number by which the kernel identifies the device The kernel maintains a has...

Page 168: ...ture This section describes the system initialization process of eServer systems Because part of the initialization is dependent on the hardware architecture the following subsections identify and des...

Page 169: ...init_main 11 Tells the kernel to send Ctrl Alt Delete to init for processing 12 Sets up signal handling 13 Initializes the console 14 Sets a default PATH environment variable 15 Initializes the var ru...

Page 170: ...port conflicts 3 The BIOS searches for the operating system to boot in an order predefined by the BIOS setting Once a valid device is found the BIOS copies the contents of its first sector containing...

Page 171: ...the etc sysconfig boot script 2 Mounts the proc special file system 3 Mounts the dev pts special file system 4 Executes etc init d boot local which was set by an administrator to perform site specific...

Page 172: ...160 Figure 5 79 System x SLES boot sequence...

Page 173: ...control to it with relocation disabled 3 Yaboot interacts with OpenFirmware and determines the system configuration including real memory layout and the device tree 4 Yaboot instantiates the Run Time...

Page 174: ...rcX d where X is the default run level The default run level for a SLES system in the evaluated configuration is 3 The following lists some of the initializations performed at run level 3 Saves and r...

Page 175: ...hich interacts with actual hardware and provides virtual versions of hardware to operating systems running in different logical partitions As part of an Initial Program Load the hypervisor performs ce...

Page 176: ...bed in Section 5 5 3 6 system date and system time 11 Uncompresses the system initrd initial RAM file mounts it and then executes linuxrc 12 Unmount initrd mounts the root file system and executes sbi...

Page 177: ...For more details about services started at run level 3 see the scripts in etc rc d rc3 d on a SLES system Figure 5 81 schematically describes the boot process of System p LPARs 165 Figure 5 81 System...

Page 178: ...suing an IPL instruction the CP reads the boot record written to the DASD virtual disk by the zipl utility 2 Based on the boot record CP loads the SLES kernel image into memory and jumps to the initia...

Page 179: ...onfiguration is 3 The following lists some of the initializations performed at run level 3 Saves and restores the system entropy tool for higher quality random number generation Configures network int...

Page 180: ...Volume 2 System Programming at http www amd com us en assets content_type white_papers_and_tech_docs 24593 pdf 5 10 6 1 Boot methods SLES supports booting from a hard disk a CD ROM or a floppy disk C...

Page 181: ...d video card disk controller and floating point unit 6 The boot loader reprograms the Programmable Interrupt Controller and maps the 16 hardware interrupts to the range of vectors from 32 to 47 The bo...

Page 182: ...pts special file system 4 Executes etc rc d rc local which was set by an administrator to perform site specific setup functions 5 Performs run level specific initialization by executing startup script...

Page 183: ...kernel are based on the process s user ID established at login time and all mandatory access control decisions made by the kernel are based on the process domain established through login which make t...

Page 184: ...rnel org pub linux libs pam 5 11 1 1 Overview PAM consists of a set of shared library modules which provide appropriate authentication and audit services to an application Applications are updated to...

Page 185: ...f the module stack before returning failures to the application optional which indicates that the module is not required and sufficient which indicates that if the module is successful there is no nee...

Page 186: ...system pam_wheel so Permits root access only to members of the wheel group By default pam_wheel so permits root access to the system if the applicant user is a member of the wheel group First the mod...

Page 187: ...swords are not used in the TOE var log lastlog The time and date of the last successful login for each user is stored here The file is owned by the root user and tty group and its mode is 644 var log...

Page 188: ...this ID Additionally the SLES kernel has a framework for providing software privilege for DAC policy through capabilities These capabilities which are based on the POSIX 1e draft allow breakup of the...

Page 189: ...nt to the pam_tally so module deny 5 Once the password is successfully verified various password aging restrictions which are set up in etc login defs are checked If the password has expired the login...

Page 190: ...to terminate the program if a user name is not entered within a specific amount of time 5 11 3 5 newgrp The newgrp command changes the group ID using the group password for authentication If run with...

Page 191: ...ping the old as well as the new password in order to prevent the password from being displayed as it is being typed by the user Refer to the passwd man page for more detailed information passwd genera...

Page 192: ...re performing actions on behalf of the user The audit subsystem tries to record security relevant actions performed by users Because the user identity attributes such as uid can be changed by an appro...

Page 193: ...o Rodriguez et al at http www redbooks ibm com redbooks pdfs gg243376 pdf The TLS Protocol version 1 1 by Tim Dierks and Eric Rescorla at http www ietf org rfc rfc2246 txt number 2246 Internet Securit...

Page 194: ...er encryption with asymmetric keys for exchanging symmetric keys and one way hash functions for data integrity The following sections briefly describe encryption and message digest concepts and how th...

Page 195: ...et messages have access to this symmetric key 5 12 1 1 1 2 Encryption with asymmetric keys Asymmetric key encryption and decryption also known as public key cryptography involve the use of a key pair...

Page 196: ...the intended receiver s public key Even if messages are intercepted by a third party the third party cannot decrypt them Only the intended receiver can decrypt messages with his or her private key Th...

Page 197: ...rcept messages between them replace their public keys with their own public keys and monitor their network traffic The solution for this vulnerability is the digital certificate A digital certificate...

Page 198: ...e key initialization vectors and sequence numbers 5 12 1 2 1 SSL handshake protocol The SSL handshake protocol is responsible for performing authentication of peers that are attempting secure communic...

Page 199: ...RTEZZA KEA key exchange This message is not used if the server certificate contains Diffie Hellman DH1 parameters 3 Client key exchange message RSA encrypted premaster secret message In the evaluated...

Page 200: ...y compresses them Then using all the negotiated security parameters applies a message authentication code MAC encrypts the data and transmits the result to the transport layer TCP The received data is...

Page 201: ...hic algorithm created by researchers Joan Daemen and Vincent Rijmen AES is an iterative symmetric key block cipher that can use keys of 128 192 and 256 bits and encrypts and decrypts data in blocks of...

Page 202: ...he SSH protocol requires that each host have a host specific key When the SSH client initiates a connection the keys are exchanged using the Diffe Hellman protocol A session key is generated and all t...

Page 203: ...nt The ssh client first parses arguments and reads the configuration readconf c then calls ssh_connect in sshconnect c to open a connection to the server and performs authentication ssh_login in sshco...

Page 204: ...ues The daemon generally follows these steps 1 Parses command line arguments 2 Parses the configuration file 3 Performs sanity checks such as ensuring that standard input is a socket 4 Initializes the...

Page 205: ...y if they pass both CUPS access checks The cupsd daemon typically follows these processing steps 1 Processes command line arguments 2 Sets up signal handlers 3 Forks a child 4 The parent waits for the...

Page 206: ...Stops the server 43 Frees all jobs 44 Frees file descriptor sets 45 Closes audit file descriptor 46 Exits 5 12 4 2 ping ping opens a raw socket and uses the ICMP protocol s mandatory ECHO_REQUEST data...

Page 207: ...ogram via the exec option There is also an option that allows a program to accept incoming connections and then launch stunnel Each SSL enabled daemon needs to present a valid X 509 certificate to the...

Page 208: ...mation chage generally follows these steps 1 Sets language 2 Sets up a variable indicating whether the application user is the root user 3 Parses command line arguments 4 Performs a sanity check on co...

Page 209: ...credentials 10 Prompts for new finger information if not supplied on the command line 11 Updates appropriate database files with new finger information 12 Exits 5 13 1 3 chsh The chsh program allows...

Page 210: ...uthentication database files 10 Invokes usr_update to update authentication database files with new account information 11 Generates audit records to log actions of the useradd command Actions such as...

Page 211: ...s 1 Sets language 2 Invokes getpwuid getuid to obtain the application user s passwd structure 3 Invokes pam_start to initialize PAM library and to identify the application with a particular service na...

Page 212: ...es pam_authenticate to authenticate the application user Generates an audit record to log the authentication attempt and its outcome 5 Invokes pam_acct_mgmt to perform module specific account manageme...

Page 213: ...ase files 11 Invokes pam_chauthok to rejuvenate the user s authentication tokens 12 Exits 5 13 3 3 groupdel The groupdel program allows an administrator to delete existing groups on the system Refer t...

Page 214: ...202...

Page 215: ...to set system time from the hardware clock time The hwclock man page gives more information hwclock follows these steps 1 Sets language 2 Parses command line arguments 3 Validates command line argumen...

Page 216: ...ee packet 7 when opening the socket AMTU performs the following 1 Using the PF_PACKET communication domain opens another connection to the listening server and 2 Ensures that the random data transmitt...

Page 217: ...90 BOOKS DZ9AR006 CCONTENTS The following privileged instructions are tested by this tool PTLB Purge TLB RRBE Reset reference bit extended PALB Purge ALB EPAR Extract Primary ASN HSCH Halt subchannel...

Page 218: ...d Global Descriptor Table Register LTR Load Task Register LLDT Load Local Descriptor Table Register To test CPU control registers use MOVL cs 28 esp This overwrites the value of the register that cont...

Page 219: ...ecks for a FIFO forks and runs operation if so 20 Checks for a copy flag copies the archive if so 21 Checks for TOC create or extract flags 22 If a list file arguments was passed opens that and uses i...

Page 220: ...ainst the shadow database 9 Zeros the password memory 10 Exits 5 14 Batch processing Batch processing on the SLES system means to submit a job that will be run when the system load permits Batch proce...

Page 221: ...an audit record to log the replacement of an existing crontab file crontab files are created in the var spool cron directory and are created with the login name of the respective user This establishes...

Page 222: ...s etc cron weekly hourly daily monthly 4 Calls the load_database routine to read crontab files in the var spool cron tabs directory 5 For every crontab file invokes getpwnam to get the user s identity...

Page 223: ...on parameters that define among other things what to do when errors are encountered or when the log files are full 5 Usually the etc init d auditd init script runs auditd which issues auditctl R etc a...

Page 224: ...ile records into a linked list before it checks whether the record matches the requested search criteria 5 15 2 3 autrace Only root can run this command autrace executes the program passed to it after...

Page 225: ...r the object in the calling process s shared library segment If the library is there the links are resolved and the program can call the shared library code If the library isn t there the loader pages...

Page 226: ...sed on the number of failed login attempts lib security pam_listfile so Modules that allow use of ACLs based on users ttys remote hosts groups and shells lib security pam_deny so Module that always re...

Page 227: ...overridden from shared libraries with environment variables LD_PRELOAD and LD_LIBRARY_PATH The LD_PRELOAD variable lists object files with functions that override the standard set The LD_LIBRARY_PATH...

Page 228: ...uperVisor Call assembly instruction SVC to make a system call The SVC instruction generates an exception The exception handler in the kernel redirects the call to the system call handler system_call s...

Page 229: ...range of interval addresses reserved for the kernel That is that the linear address is lower than PAGE_OFFSET 2 Because bad addresses lower than PAGE_OFFSET cause a page fault the kernel consults the...

Page 230: ...description of the interactive login process Section 5 12 2 describes the process of obtaining a shell from the remote system 6 1 4 User identity changing IA 4 Section 5 11 3 7 provides a description...

Page 231: ...ections 5 1 2 1 5 1 5 2 and 5 1 5 2 1 provide details on DAC based on ACLs on file system objects 6 3 4 DAC IPC objects DA 4 Section 5 3 provides details on DAC for IPC objects 6 4 Object reuse Sectio...

Page 232: ...audit subsystem 6 5 5 Reliable time stamps SM 5 Sections 3 1 1 3 2 1 3 3 1 and 3 4 1 describe the use of hardware clocks by eServer hardware to maintain reliable time stamps 6 6 Secure communications...

Page 233: ...e security enforcing in the sense that the subsystems work together to provide a defined security function Interfaces that are not security enforcing are interfaces between subsystems where the interf...

Page 234: ...subsystem maintains data structures that can be read directly by other kernel subsystems to obtain specific information They are considered to be data interfaces Data structures are defined in header...

Page 235: ...cument Sections 5 1 2 1 5 1 5 1 and 5 1 5 2 ext3_truncate This document Section 5 1 2 1 Specific isofs methods Interfaces defined in isofs_lookup This document Section 5 1 2 2 Basic inode operations T...

Page 236: ...ock include linux ext3_fs h isofs_sb_info include linux iso_fs_sb h inode include linux fs h ext3_inode include linux ext3_fs h iso_inode_info include linux iso_fs_i h ext3_xattr_entry include linux e...

Page 237: ...Alessandro Rubini free_irq Linux Device Drivers O Reilly Chapter 9 2nd Edition June 2001 Alessandro Rubini send_sig_info check_kill_permission Understanding the LINUX KERNEL Chapter 10 2nd Edition Dan...

Page 238: ...n 5 3 1 1 pipe_write Understanding the LINUX KERNEL Chapter 19 2nd Edition Daniel P Bovet Marco Cesati ISBN 0 596 00213 0 and this document Section 5 3 1 1 init_special_in ode This document Section 5...

Page 239: ...mmap ioctl sendpage The socket system call creates the inode The system calls such as bind connect poll listen setsockopt getsockopt ioctl and accept are directly implemented by the methods registered...

Page 240: ...sandro Rubini 6 8 1 5 3 Data Structures mm_struct and include linux sched h 6 8 1 6 Kernel subsystem audit This section lists external interfaces internal interfaces and data structures of the audit s...

Page 241: ...hlist A linked list that holds all the watches in the system auditfs_hash_table A hash table of hashed inode addresses to store and retrieve inode audit data 6 8 1 7 Kernel subsystem device drivers 6...

Page 242: ...rivers O Reilly Chapter 3 2nd Edition June 2001 Alessandro Rubini unregister_chrdev Linux Device Drivers O Reilly Chapter 3 2nd Edition June 2001 Alessandro Rubini 6 8 1 7 2 2 Block Devices Possible B...

Page 243: ...Trusted processes need to use system calls when they need the functions of a kernel subsystem The interfaces to the kernel subsystems therefore are only the system calls Trusted processes can communi...

Page 244: ...Stevens ISBN 0 13 474222 2 RODR TCP IP Tutorial and Technical Overview Adolfo Rodriguez et al EYNG Internet Security Protocols SSLeay TLS Eric Young DRKS The TLS Protocol version 1 Tim Dierks Eric Res...

Page 245: ...rd National Institute of Standards and Technology U S Department of Commerce 18 May 1994 SCHNEIR Applied Cryptography Second Edition protocols algorithms and source in code in C 1996 Schneier B FIPS 1...

Page 246: ...rection and intent are subject to change or withdrawal without notice and represent goals and objectives only This Information is provided AS IS without warranty of any kind This publication was produ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands