Bpflock - eBPF Driven Security For Locking And Auditing Linux Machines


News category: IT Security News
Source: kitploit.com


bpflock - eBPF driven security for locking and auditing Linux machines.

Note: bpflock is currently in an experimental stage: it may break, options and security semantics may change, and some BPF programs will be updated to use the Cilium ebpf library.


1. Introduction

bpflock uses eBPF to strengthen Linux security. By restricting access to a range of Linux features, bpflock reduces the attack surface and blocks some well known attack techniques.

Only programs like container managers, systemd and other containers/programs that run in the host pid and network namespaces are allowed access to the full set of Linux features; containers and applications that run in their own namespaces are restricted. If bpflock's bpf programs run under the restricted profile, then all programs/containers, including privileged ones, have their access denied.

bpflock protects Linux machines by taking advantage of multiple security features including Linux Security Modules + BPF.

Architecture and Security design notes:

  • bpflock is not a mandatory access control labeling solution, and it does not intend to replace AppArmor, SELinux, and other MAC solutions. bpflock uses a simple declarative security profile.
  • bpflock offers multiple small bpf programs that can be reused in multiple contexts from Cloud Native deployments to Linux IoT devices.
  • bpflock is able to restrict root from accessing certain Linux features, however it does not protect against evil root.

2. Functionality Overview

2.1 Security features

bpflock offers multiple security protections that can be classified as:

2.2 Semantics

bpflock keeps the security semantics simple. It supports three global profiles to broadly cover the security spectrum, and restricts access to specific Linux features.

  • profile: this is the global profile that can be applied per bpf program; it takes one of the following:

    • allow|none|privileged : these are the same and define the least secure profile. In this profile access is logged and allowed for all processes. Useful to log security events.
    • baseline : restrictive profile where access is denied for all processes, except privileged applications and containers that run in the host namespaces, or per cgroup allowed profiles in the bpflock_cgroupmap bpf map.
    • restricted : heavily restricted profile where access is denied for all processes.
  • Allowed or blocked operations/commands:

    Under the allow|privileged or baseline profiles, a list of allowed or blocked commands can be specified and will be applied.

    • --protection-allow : comma-separated list of allowed operations. Valid under baseline profile, this is useful for applications that are too specific and perform privileged operations. It will reduce the use of the allow | privileged profile, so instead of using the privileged profile, we can specify the baseline one and add a set of allowed commands to offer a case-by-case definition for such applications.
    • --protection-block : comma-separated list of blocked operations. Valid under the allow|privileged and baseline profiles, it allows restricting access to some features without using the full restricted profile, which might break some specific applications. Using the baseline or privileged profiles opens the gate to most Linux features, but with the --protection-block option some of this access can be blocked.

For bpf security examples check the bpflock configuration examples.

3. Deployment

3.1 Prerequisites

bpflock needs the following:

  • Linux kernel version >= 5.13 with the following configuration:

    • A BTF enabled kernel.
    • BPF LSM support enabled.

    If your kernel was compiled with CONFIG_BPF_LSM=y (check /boot/config-* to confirm) but running bpflock still fails with:

        must have a kernel with 'CONFIG_BPF_LSM=y' 'CONFIG_LSM=\"...,bpf\"'"

    then the bpf LSM is compiled in but not in the active LSM list. To enable it, as an example on Ubuntu:

    1. Open the /etc/default/grub file as a privileged user.
    2. Append the following to the GRUB_CMDLINE_LINUX variable and save:
       "lsm=lockdown,capability,yama,apparmor,bpf"
       for example:
       GRUB_CMDLINE_LINUX="lsm=lockdown,capability,yama,apparmor,bpf"
    3. Update the grub config with:
       sudo update-grub2
    4. Reboot into your kernel.
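A pre-flight script for the prerequisites above, added here as an example and not part of bpflock: it checks the kernel release, the BTF file at /sys/kernel/btf/vmlinux, CONFIG_BPF_LSM=y and CONFIG_DEBUG_INFO_BTF=y in /boot/config-*, and whether bpf is in the active LSM list exposed at /sys/kernel/security/lsm. The two /sys paths and the CONFIG_DEBUG_INFO_BTF option are kernel facts not mentioned on this page; the helper functions take their input as arguments so they can be tried on constructed strings.

```shell
#!/bin/sh
# Pre-flight check for the bpflock prerequisites (section 3.1): kernel >= 5.13,
# BTF available, and the BPF LSM both compiled in and active at boot.
# The helpers take their input as arguments so they can be exercised against
# constructed strings as well as against the live host.

# 0 when a comma-separated LSM list (the lsm= boot parameter, or the active
# list in /sys/kernel/security/lsm) contains the "bpf" LSM.
lsm_list_has_bpf() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'bpf'
}

# 0 when kconfig text (contents of /boot/config-*) enables the BPF LSM and BTF
# generation (CONFIG_DEBUG_INFO_BTF is the kernel option behind BTF).
kconfig_supports_bpflock() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_LSM=y' &&
    printf '%s\n' "$1" | grep -qx 'CONFIG_DEBUG_INFO_BTF=y'
}

# 0 when a "MAJOR.MINOR[.PATCH-extra]" release string is at least 5.13.
kernel_version_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 13 ]; }
}

# Run every check against the live host; prints one line per check and
# returns non-zero if any prerequisite is missing.
precheck_host() {
    rc=0; rel=$(uname -r)
    kernel_version_ok "$rel" && echo "ok: kernel $rel" \
        || { echo "FAIL: kernel $rel is older than 5.13"; rc=1; }
    [ -r /sys/kernel/btf/vmlinux ] && echo "ok: BTF present" \
        || { echo "FAIL: /sys/kernel/btf/vmlinux missing"; rc=1; }
    if [ -r "/boot/config-$rel" ]; then
        kconfig_supports_bpflock "$(cat "/boot/config-$rel")" \
            && echo "ok: CONFIG_BPF_LSM=y and CONFIG_DEBUG_INFO_BTF=y" \
            || { echo "FAIL: CONFIG_BPF_LSM or CONFIG_DEBUG_INFO_BTF not set"; rc=1; }
    fi
    lsm_list_has_bpf "$(cat /sys/kernel/security/lsm 2>/dev/null)" \
        && echo "ok: bpf LSM active" \
        || { echo "FAIL: bpf not active; add lsm=...,bpf to GRUB_CMDLINE_LINUX"; rc=1; }
    return $rc
}

# Only touch the host when asked explicitly:  sh precheck.sh --run
if [ "${1:-}" = "--run" ]; then precheck_host; fi
```

Run it with `sh precheck.sh --run` on the host before starting the container; a non-zero exit means one of the FAIL lines applies.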

3.2 Docker deployment

To run using the default allow or privileged profile (the least secure profile):

    docker run --name bpflock -it --rm --cgroupns=host \
    --pid=host --privileged \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock

Fileless Binary Execution

To log and restrict fileless binary execution run with:

    docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -e "BPFLOCK_FILELESSLOCK_PROFILE=restricted" \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock

When running under the restricted profile, the container logs will display:

Running under the restricted profile may break things, which is why the default profile is allow.

Kernel Modules Protection

To apply Kernel Modules Protection run with the environment variable BPFLOCK_KMODLOCK_PROFILE=baseline or BPFLOCK_KMODLOCK_PROFILE=restricted:

    docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -e "BPFLOCK_KMODLOCK_PROFILE=restricted" \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock

Example:

    $ sudo unshare -p -n -f
    # modprobe xfs
    modprobe: ERROR: could not insert 'xfs': Operation not permitted

Kernel Image Lock-down

To apply Kernel Image Lock-down run with the environment variable BPFLOCK_KIMGLOCK_PROFILE=baseline:

    docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -e "BPFLOCK_KIMGLOCK_PROFILE=baseline" \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock

Example:

    $ sudo unshare -f -p -n bash
    # head -c 1 /dev/mem
    head: cannot open '/dev/mem' for reading: Operation not permitted
BPF Protection

To apply bpf restriction run with the environment variable BPFLOCK_BPFRESTRICT_PROFILE=baseline or BPFLOCK_BPFRESTRICT_PROFILE=restricted:

    docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -e "BPFLOCK_BPFRESTRICT_PROFILE=baseline" \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock

Example running in different pid and network namespaces, using bpftool:

    $ sudo unshare -f -p -n bash
    # bpftool prog
    Error: can't get next program: Operation not permitted

Running with the -e "BPFLOCK_BPFRESTRICT_PROFILE=restricted" profile will deny bpf for all:
3.3 Configuration and Environment file

Passing configuration as bind mounts can be achieved using the following command.

Assuming the bpflock.yaml file and the bpf.d profile configs are in a bpflock directory under the current directory, then we can just use:

    ls bpflock/
    bpf.d bpflock.d bpflock.yaml

    docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -v $(pwd)/bpflock/:/etc/bpflock \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock

Passing environment variables can also be done with files using --env-file. All parameters can be passed as environment variables using the BPFLOCK_$VARIABLE_NAME=VALUE format.

Example run with environment variables in a file:

    docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    --env-file bpflock.env.list \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
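A small linter for such an --env-file, added here as an example and not bpflock's own code: it checks that every variable uses the BPFLOCK_ prefix and that each *_PROFILE value is one of the profile names from section 2.2, and flags the allow/none/privileged profiles that only log without blocking. The sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Linter for a bpflock --env-file (section 3.3). Each non-comment line must be
# BPFLOCK_<NAME>=<VALUE>; when <NAME> ends in _PROFILE the value must be one of
# the global profiles from section 2.2.

# 0 when $1 is a valid global profile name.
profile_is_valid() {
    case "$1" in
        allow|none|privileged|baseline|restricted) return 0 ;;
        *) return 1 ;;
    esac
}

# Lint the env-file named by $1. Prints one diagnostic per finding and returns
# the number of invalid lines (0 means docker can use the file as-is).
lint_env_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank line or comment: docker skips it
            *=*) ;;
            *) echo "invalid: '$line' has no '=' (KEY=VALUE expected)"
               bad=$((bad + 1)); continue ;;
        esac
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            BPFLOCK_*_PROFILE)
                if ! profile_is_valid "$val"; then
                    echo "invalid: $key=$val (expected allow|none|privileged|baseline|restricted)"
                    bad=$((bad + 1))
                else
                    case "$val" in
                        allow|none|privileged) echo "warn: $key=$val only logs, nothing is blocked" ;;
                    esac
                fi ;;
            BPFLOCK_*) ;;                 # another bpflock setting, not checked here
            *) echo "invalid: '$key' does not use the BPFLOCK_ prefix"
               bad=$((bad + 1)) ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed sample file (not from the project) exercising all three outcomes.
sample=$(mktemp)
printf '%s\n' 'BPFLOCK_KMODLOCK_PROFILE=restricted' 'BPFLOCK_KIMGLOCK_PROFILE=baseline' \
              'BPFLOCK_BPFRESTRICT_PROFILE=allow' 'BPFLOCK_FILELESSLOCK_PROFILE=strict' > "$sample"
lint_env_file "$sample"; echo "invalid lines: $?"
rm -f "$sample"
```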

4. Documentation

Documentation files can be found here.

5. Build

bpflock uses docker BuildKit to build and Golang to run some checks and tests. bpflock is built inside an Ubuntu container that downloads the standard golang package.

Run the following to build the bpflock docker container:

    git submodule update --init --recursive
    make

Bpf programs are built using libbpf. The docker image used is Ubuntu.

To build only the bpf programs directly, without docker, install the following on Ubuntu:

    sudo apt install -y pkg-config bison binutils-dev build-essential \
    flex libc6-dev clang-12 libllvm12 llvm-12-dev libclang-12-dev \
    zlib1g-dev libelf-dev libfl-dev gcc-multilib zlib1g-dev \
    libcap-dev libiberty-dev libbfd-dev

Then run:

    make bpf-programs

In this case the generated programs will be inside the ./bpf/build/... directory.

Credits

bpflock uses a lot of resources, including source code, from the Cilium and bcc projects.

License

The bpflock user space components are licensed under the Apache License, Version 2.0. The BPF code, where it is noted, is licensed under the General Public License, Version 2.0.


