[00:00.000 --> 00:17.760] We will start, so I guess we can start. [00:17.760 --> 00:23.360] Hello, my name is Radon Svaka, and I will be presenting how to harden a system with [00:23.360 --> 00:30.360] a file access policy statement. So, I'll start with the brief introduction of the framework. [00:30.360 --> 00:39.360] Can you hear me? [00:39.360 --> 01:00.360] Is it better? Is it better? So, FEPO-CD is an acronym for file access policy statement, [01:00.360 --> 01:10.360] and it's in a lightweight implementation of application-wide listing. It has many features. [01:10.360 --> 01:20.360] I will just highlight that it has integration with RPM, and it can load some data from RPM [01:20.360 --> 01:32.360] base, and it can log events to audit or syslog, and it heavily relies on FA Notify API from [01:32.360 --> 01:43.360] kernel. So, when we look at this framework architecture, we can see several components [01:43.360 --> 01:51.360] of the framework. The main component of the framework is the daemon. This daemon usually [01:51.360 --> 02:02.360] listens to this FA Notify events from kernel. When it loads up, it reads all the data from [02:02.360 --> 02:10.360] the backends, and it creates its own database, which is called trustdb. The first backend [02:10.360 --> 02:20.360] is RPMDB, which handles data from RPM database, or metadata, better term, and the second [02:20.360 --> 02:30.360] one is file backend, which loads all the trust information from user-defined trust lists. [02:30.360 --> 02:42.360] There is also CLI component, which can manage trust and also the daemon's properties. So, [02:42.360 --> 02:49.360] how does it work? When we look closer, we can see that it is on this image. There are [02:49.360 --> 02:57.360] two processes on the system. The first on the left side is bash, and the second on the [02:57.360 --> 03:05.360] right side is FA policy daemon. FA policy daemon is the situation listens for these events, [03:05.360 --> 03:18.360] and it's just waiting. Bash is trying to execute PS command, and it calls exactly system call, [03:18.360 --> 03:26.360] and this execution of the system call is on hold, so it's like post, and it's also waiting. [03:26.360 --> 03:34.360] Meanwhile, on the other side can also send an event to the daemon that something is happening [03:34.360 --> 03:41.360] on the system, and daemon can read from this event that there is some process called bash, [03:41.360 --> 03:55.360] and it wants to accept this PS command, and it has PID 500, so it does a rules evaluation, [03:55.360 --> 04:03.360] and when the decision is allowed, it sends affinity response to the kernel, and kernel [04:03.360 --> 04:13.360] will let this exact V eventually finish with success. If the decision was denied, then [04:13.360 --> 04:27.360] this exact V will return error code. So the daemon is the main part of the project, and [04:27.360 --> 04:39.360] it works with the rules, and there are rules and trust, and both have power over what to [04:39.360 --> 04:48.360] do with the files and their execution system. So these rules, they are pretty similar to [04:48.360 --> 04:57.360] SC Linux, they have also subject object notation, and they start with the decision part. Decision [04:57.360 --> 05:06.360] part is, it can be allow or deny, or it can be combined with syslog or audit attribute. [05:06.360 --> 05:14.360] The second part of the rule is permission, which can be open or exec, but that refers [05:14.360 --> 05:21.360] to the original system call from which that event comes from, and any is like place order [05:21.360 --> 05:29.360] and will match both of them. We also support just these two because this is, because FA [05:29.360 --> 05:45.360] notified us that. Our subject is what is executing, and object is what is being executed. So this [05:45.360 --> 05:58.360] trust is a very important concept here in FA policy, it can be defined by user, and it [05:58.360 --> 06:08.360] is usually done by CLI, and that there is also, or we don't have to add system binaries or [06:08.360 --> 06:18.360] files to the trust, because they are trusted by default, they are loaded by this backend, [06:18.360 --> 06:28.360] so this is done automatically, so when we run FA policy by default, it somehow works. So [06:28.360 --> 06:36.360] these are some rules example, I don't know if you see them, but the first one says, the [06:36.360 --> 06:43.360] first one allows loading of trusted shared libraries on the system, and the second one [06:43.360 --> 06:56.360] opposed to that, like denies untrusted libraries. Third one will allow execution of trusted [06:56.360 --> 07:08.360] files on the system, and fourth one allows using of scripts, which are trusted on the [07:08.360 --> 07:18.360] system, and fifth denies untrusted scripts. And there are two cage of rules, first one [07:18.360 --> 07:31.360] is for execution of all files, and the seventh is open for everything. So they are also [07:31.360 --> 07:40.360] described here. So when we want to install FA policy demand, it's very simple, we can [07:40.360 --> 07:48.360] just use normal Federa program for installation, which is called DNF, this is one liner, when [07:48.360 --> 07:56.360] we install it, the installation consists of, or it installs three packages to the system, [07:56.360 --> 08:03.360] the first one is FA policy, which is main package, which contains demon and CLI. The [08:03.360 --> 08:13.360] second one is RPM plugin for FA policy, which works, or which, during the RPM transactions, [08:13.360 --> 08:23.360] it sends the new metadata that are needed for correct behavior, so it sends it to the [08:23.360 --> 08:31.360] demon, and then demon can work with them, and they are up to date, and it also notifies [08:31.360 --> 08:39.360] the demon when the transaction ends, so it can behave, the demon can behave accordingly. [08:39.360 --> 08:48.360] And the third one is service package for FA policy, with the service policy. So when [08:48.360 --> 08:55.360] the installation is complete, we can start FA policy. There are several ways how to do [08:55.360 --> 09:02.360] that. In our examples, we will use debug deny, because we are interested in deny events, or [09:02.360 --> 09:10.360] debugging of the deny events, and we don't need anything more. If we would like to see [09:10.360 --> 09:19.360] also allowed events, or something else, some other debug information, it can be done via [09:19.360 --> 09:28.360] debug option, and when we want to run it on something more like production environment, [09:28.360 --> 09:38.360] we can use system CTL. So when we run it, FA policy will tell us that it's listening for [09:38.360 --> 09:46.360] these events, so it's okay, and we can start playing with this. So there are, I prepared [09:46.360 --> 09:53.360] a few scenarios to demonstrate how it works. So the first scenario is called execution [09:53.360 --> 10:03.360] of untrusted software. So I downloaded this file, this is Python script called exploit.py, [10:03.360 --> 10:14.360] and I want to try to run it. I make it executable, and when I run it, I can see that it's blocked, [10:14.360 --> 10:24.360] and we can see down there that there is deny event from FA policy that says that this exploit.py [10:24.360 --> 10:34.360] is not trusted, so it cannot be run. So it blocked this unknown program to be. [10:54.360 --> 11:04.360] Thank you. [11:24.360 --> 11:34.360] Thank you. [11:54.360 --> 12:04.360] Thank you. [12:24.360 --> 12:34.360] Thank you. [12:54.360 --> 13:04.360] Thank you. [13:24.360 --> 13:34.360] Thank you. [13:54.360 --> 14:04.360] Thank you. [14:24.360 --> 14:34.360] Thank you. [14:54.360 --> 15:04.360] Thank you. [15:24.360 --> 15:34.360] Thank you. [15:54.360 --> 16:04.360] Thank you. [16:24.360 --> 16:34.360] Thank you. [16:54.360 --> 17:04.360] Thank you. [17:24.360 --> 17:34.360] Thank you. [17:54.360 --> 18:04.360] Thank you. [18:24.360 --> 18:34.360] Thank you. [18:54.360 --> 19:04.360] Thank you. [19:24.360 --> 19:34.360] Thank you. [19:54.360 --> 20:04.360] Thank you. [20:24.360 --> 20:34.360] Thank you. [20:54.360 --> 21:04.360] Thank you. [21:24.360 --> 21:34.360] Thank you. [21:54.360 --> 22:04.360] Thank you. [22:24.360 --> 22:34.360] Thank you. [22:54.360 --> 23:04.360] Thank you. [23:24.360 --> 23:34.360] Thank you. [23:54.360 --> 24:04.360] Thank you. [24:24.360 --> 24:34.360] Thank you. [24:54.360 --> 25:04.360] Thank you.