1 |
Current version: https://www.youtube.com/watch?v=MkBXGUb6RPo |
2 |
|
3 |
TOMOYO Linux demonstration: Kickstarting on openSUSE 12.1 |
4 |
|
5 |
TOMOYO Linux is a mandatory access control (MAC) mechanism for Linux that records and restricts what each application may access. It is implemented as a Linux Security Module and identifies a process by its execution history rather than by a label. |
6 |
|
7 |
In a standard Linux system, applications are not monitored, so it is difficult to determine what is actually happening on that system. |
8 |
|
9 |
In a TOMOYO-enabled Linux system, each application can be monitored to determine exactly what it does. |
10 |
|
11 |
Learning mode automatically records every access request an application makes as policy configuration. Browsing that policy gives a precise picture of what each application is doing. |
12 |
|
13 |
Enforcing mode restricts each application to exactly the operations the policy configuration allows; anything not listed is denied. |
14 |
|
15 |
This movie demonstrates how to set up TOMOYO Linux on openSUSE 12.1, and then how to analyze and restrict shell sessions. |
16 |
|
17 |
openSUSE 12.1 ships kernels built with TOMOYO Linux enabled. To use it, install the userspace tools package (tomoyo-tools) and add one option to the kernel boot command line; no kernel rebuild is needed. |
18 |
|
19 |
Initialize the policy configuration with the init_policy script shipped in tomoyo-tools (/usr/lib/tomoyo/init_policy). It creates the default profiles and an empty domain policy under /etc/tomoyo. |
20 |
|
21 |
Start TOMOYO Linux's policy editor, tomoyo-editpolicy, as root. |
22 |
|
23 |
Since you have just initialized the policy, only the <kernel> domain is defined, and its policy is empty. |
24 |
|
25 |
You change the access control level of a domain by assigning it a profile. Four profiles are defined by default. |
26 |
|
27 |
Profile 0 is disabled mode, profile 1 is learning mode, profile 2 is permissive mode, and profile 3 is enforcing mode. Learning appends each new request to the policy, permissive logs requests outside the policy without blocking them, and enforcing denies them. |
28 |
|
29 |
Assign profile 1 to the <kernel> domain so that TOMOYO Linux records the access requests that occur in the <kernel> domain. Every other domain descends from <kernel> and inherits its parent's profile when it is created, so this one assignment puts the whole system into learning mode. |
30 |
|
31 |
Quit the policy editor. |
32 |
|
33 |
All preparations are finished. Now reboot the system so that TOMOYO Linux can start analyzing. |
34 |
|
35 |
To enable TOMOYO Linux, add security=tomoyo to the kernel command line in the boot loader. |
36 |
|
37 |
The system boots like a normal Linux system, but in the background TOMOYO Linux is recording every access request that occurs. |
38 |
|
39 |
Every process is placed into a domain named by its execution history: the chain of programs executed from <kernel> down to the current one. The same binary started from different parents therefore lands in different domains. |
40 |
|
41 |
For each domain, TOMOYO Linux records which programs were executed and which files were read or written. |
42 |
|
43 |
Learning mode records the access requests that occur on the system; enforcing mode restricts them to what was recorded. |
44 |
|
45 |
Each domain has its own set of allowed access requests and its own profile, which allows fine-grained control: one domain can be enforcing while another is still learning. |
46 |
|
47 |
The system has finished rebooting. Let's browse what TOMOYO Linux has recorded. |
48 |
|
49 |
Start Konsole and then start the policy editor. |
50 |
|
51 |
All activity from boot until now has been recorded as policy configuration by TOMOYO Linux. |
52 |
|
53 |
Thus the policy for the <kernel> domain is no longer empty. |
54 |
|
55 |
You can see that the kernel executed /sbin/init, /lib/systemd/systemd-cgroups-agent and /sbin/modprobe. |
56 |
|
57 |
This screen shows the domain transition tree starting from /sbin/init. |
58 |
|
59 |
You can see what /sbin/init has requested. |
60 |
|
61 |
Go to the domain for the policy editor. |
62 |
|
63 |
You can see that the policy editor was executed by sudo, which was executed by bash, which was executed by kdeinit4; the domain name is exactly that chain of program paths. |
64 |
|
65 |
Do something in this terminal. |
66 |
|
67 |
For example, execute /bin/ls, /bin/ps and /usr/bin/id. |
68 |
|
69 |
Read /etc/fstab using /bin/cat. |
70 |
|
71 |
Refresh the policy editor screen. The commands you executed have been appended as execute entries in the bash domain, each with a child domain of its own. |
72 |
|
73 |
You can also see the files accessed by these commands, recorded in each command's own domain. |
74 |
|
75 |
You will notice that some recorded pathnames contain values that change from run to run, such as process IDs under /proc. Convert such pathnames into patterns using TOMOYO's wildcards (for example \$ matches a run of decimal digits), otherwise the policy will not match the next time the value differs. |
76 |
|
77 |
Assign profile 3 to the domain of bash executed by sudo and to its descendant domains, so that TOMOYO Linux restricts the access requests that occur in this terminal. All other domains stay in learning mode. |
78 |
|
79 |
Do something in this terminal. |
80 |
|
81 |
You can see that only the operations recorded while the domain was in profile 1 are permitted under profile 3; anything that was not learned is denied. |
82 |
|
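To make the learning and enforcing cycle shown in the editor concrete, here is an added Python model of it; this is not code from the video or from the TOMOYO project. It parses a constructed domain policy excerpt written in what I understand to be the TOMOYO 2.x syntax (use_profile lines, "file execute" and "file read" entries; the domain names, PIDs and the ancestry above kdeinit4 are invented to mirror the demo), prints the domain transition tree, rewrites the PIDs under /proc into \$ patterns, switches the bash-under-sudo domain and its descendants to profile 3, and then decides requests the way each profile would. The wildcard handling covers only \$, \+, \* and \?, and the evaluator is a simplification of what the kernel does.

```python
import re

# Constructed excerpt in TOMOYO 2.x domain policy syntax (blank separator lines
# omitted). Domain names, PIDs and the ancestry above kdeinit4 are invented.
LEARNED_POLICY = """\
<kernel>
use_profile 1
file execute /sbin/init
<kernel> /usr/bin/kdeinit4
use_profile 1
file execute /bin/bash
<kernel> /usr/bin/kdeinit4 /bin/bash
use_profile 1
file execute /usr/bin/sudo
<kernel> /usr/bin/kdeinit4 /bin/bash /usr/bin/sudo
use_profile 1
file execute /bin/bash
<kernel> /usr/bin/kdeinit4 /bin/bash /usr/bin/sudo /bin/bash
use_profile 1
file execute /usr/sbin/tomoyo-editpolicy
file execute /bin/ps
file execute /bin/cat
<kernel> /usr/bin/kdeinit4 /bin/bash /usr/bin/sudo /bin/bash /bin/ps
use_profile 1
file read /proc/2317/stat
file read /proc/2340/cmdline
<kernel> /usr/bin/kdeinit4 /bin/bash /usr/bin/sudo /bin/bash /bin/cat
use_profile 1
file read /etc/fstab
"""

def parse_domain_policy(text):
    """Return {domain: {"profile": n, "acl": [(operation, path), ...]}}."""
    domains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("<kernel>"):
            cur = domains.setdefault(line.strip(), {"profile": 0, "acl": []})
        elif line.startswith("use_profile "):
            cur["profile"] = int(line.split()[1])
        elif line.startswith("file "):
            _, op, path = line.split(None, 2)
            cur["acl"].append((op, path.strip()))
    return domains

def domain_tree(domains, root="<kernel>", depth=0):
    """The transition tree the editor shows: one indented line per domain."""
    lines = ["  " * depth + f"{root.split()[-1]} (profile {domains[root]['profile']})"]
    for name in sorted(domains):  # direct child = parent name plus exactly one program
        if name.startswith(root + " ") and " " not in name[len(root) + 1:]:
            lines += domain_tree(domains, name, depth + 1)
    return lines

def patternize(path):
    """Replace all-digit components (PIDs, fds) with TOMOYO's \\$ digits wildcard."""
    return "/".join(r"\$" if part.isdigit() else part for part in path.split("/"))

def set_profile(domains, target, profile):
    # assign a profile to a domain and all its descendants; return what changed
    changed = [n for n in domains if n == target or n.startswith(target + " ")]
    for name in changed:
        domains[name]["profile"] = profile
    return changed

WILDCARDS = {r"\$": "[0-9]+", r"\+": "[0-9]", r"\*": "[^/]*", r"\?": "[^/]"}

def pattern_to_regex(pattern):
    # only the four wildcards above; wildcard tokens become separate parts
    parts = re.split(r"(\\[$+*?])", pattern)
    return re.compile("".join(WILDCARDS.get(p) or re.escape(p) for p in parts))

def request(domains, domain, op, path):
    """Decide a request the way profile 1 (learning), 2 (permissive) or 3 (enforcing) would."""
    dom = domains[domain]
    if any(o == op and pattern_to_regex(p).fullmatch(path) for o, p in dom["acl"]):
        return "granted"
    if dom["profile"] == 3:
        return "denied"                    # enforcing: nothing outside the policy
    if dom["profile"] == 1:
        dom["acl"].append((op, path))      # learning: record it, then allow
        return "granted (recorded)"
    return "granted (logged)" if dom["profile"] == 2 else "granted"

def demo():
    domains = parse_domain_policy(LEARNED_POLICY)
    shell = "<kernel> /usr/bin/kdeinit4 /bin/bash /usr/bin/sudo /bin/bash"
    ps, cat = shell + " /bin/ps", shell + " /bin/cat"
    learned = request(domains, cat, "read", "/etc/hosts")  # still profile 1
    for name in set_profile(domains, shell, 3):             # as in the video
        # patternize the ACL; entries that become identical collapse into one
        domains[name]["acl"] = list(dict.fromkeys((o, patternize(p)) for o, p in domains[name]["acl"]))
    results = {
        "cat read /etc/hosts while learning": learned,
        "ps read /proc/9999/stat": request(domains, ps, "read", "/proc/9999/stat"),
        "cat read /etc/shadow": request(domains, cat, "read", "/etc/shadow"),
        "bash execute /usr/bin/vim": request(domains, shell, "execute", "/usr/bin/vim"),
    }
    return domains, results

if __name__ == "__main__":
    domains, results = demo()
    print("\n".join(domain_tree(domains)), *(f"{k}: {v}" for k, v in results.items()), sep="\n")
```

Running the script prints the seven-domain tree with the bash, ps and cat domains at profile 3 and the rest at profile 1, then the decisions: the read of /etc/hosts made while cat was still learning is recorded and allowed, ps may read /proc/9999/stat even though only PIDs 2317 and 2340 were seen because the path was patternized, and the unlearned read of /etc/shadow and execution of /usr/bin/vim are denied. Without the patternizing step the ps read would be denied too, which is why the video converts pathnames before switching to enforcing mode.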
83 |
By using TOMOYO Linux, you can restrict each application to its recorded behaviour and so improve security. |
84 |
|
85 |
For more information, visit TOMOYO Linux project's website at tomoyo.osdn.jp. |