IBM 10 SP1 EAL4 Bedienungsanleitung

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246

Zur Seite of

Richtige Gebrauchsanleitung

Die Vorschriften verpflichten den Verkäufer zur Übertragung der Gebrauchsanleitung IBM 10 SP1 EAL4 an den Erwerber, zusammen mit der Ware. Eine fehlende Anleitung oder falsche Informationen, die dem Verbraucher übertragen werden, bilden eine Grundlage für eine Reklamation aufgrund Unstimmigkeit des Geräts mit dem Vertrag. Rechtsmäßig lässt man das Anfügen einer Gebrauchsanleitung in anderer Form als Papierform zu, was letztens sehr oft genutzt wird, indem man eine grafische oder elektronische Anleitung von IBM 10 SP1 EAL4, sowie Anleitungsvideos für Nutzer beifügt. Die Bedingung ist, dass ihre Form leserlich und verständlich ist.

Was ist eine Gebrauchsanleitung?

Das Wort kommt vom lateinischen „instructio”, d.h. ordnen. Demnach kann man in der Anleitung IBM 10 SP1 EAL4 die Beschreibung der Etappen der Vorgehensweisen finden. Das Ziel der Anleitung ist die Belehrung, Vereinfachung des Starts, der Nutzung des Geräts oder auch der Ausführung bestimmter Tätigkeiten. Die Anleitung ist eine Sammlung von Informationen über ein Gegenstand/eine Dienstleistung, ein Hinweis.

Leider widmen nicht viele Nutzer ihre Zeit der Gebrauchsanleitung IBM 10 SP1 EAL4. Eine gute Gebrauchsanleitung erlaubt nicht nur eine Reihe zusätzlicher Funktionen des gekauften Geräts kennenzulernen, sondern hilft dabei viele Fehler zu vermeiden.

Was sollte also eine ideale Gebrauchsanleitung beinhalten?

Die Gebrauchsanleitung IBM 10 SP1 EAL4 sollte vor allem folgendes enthalten:
- Informationen über technische Daten des Geräts IBM 10 SP1 EAL4
- Den Namen des Produzenten und das Produktionsjahr des Geräts IBM 10 SP1 EAL4
- Grundsätze der Bedienung, Regulierung und Wartung des Geräts IBM 10 SP1 EAL4
- Sicherheitszeichen und Zertifikate, die die Übereinstimmung mit entsprechenden Normen bestätigen

Warum lesen wir keine Gebrauchsanleitungen?

Der Grund dafür ist die fehlende Zeit und die Sicherheit, was die bestimmten Funktionen der gekauften Geräte angeht. Leider ist das Anschließen und Starten von IBM 10 SP1 EAL4 zu wenig. Eine Anleitung beinhaltet eine Reihe von Hinweisen bezüglich bestimmter Funktionen, Sicherheitsgrundsätze, Wartungsarten (sogar das, welche Mittel man benutzen sollte), eventueller Fehler von IBM 10 SP1 EAL4 und Lösungsarten für Probleme, die während der Nutzung auftreten könnten. Immerhin kann man in der Gebrauchsanleitung die Kontaktnummer zum Service IBM finden, wenn die vorgeschlagenen Lösungen nicht wirksam sind. Aktuell erfreuen sich Anleitungen in Form von interessanten Animationen oder Videoanleitungen an Popularität, die den Nutzer besser ansprechen als eine Broschüre. Diese Art von Anleitung gibt garantiert, dass der Nutzer sich das ganze Video anschaut, ohne die spezifizierten und komplizierten technischen Beschreibungen von IBM 10 SP1 EAL4 zu überspringen, wie es bei der Papierform passiert.

Warum sollte man Gebrauchsanleitungen lesen?

In der Gebrauchsanleitung finden wir vor allem die Antwort über den Bau sowie die Möglichkeiten des Geräts IBM 10 SP1 EAL4, über die Nutzung bestimmter Accessoires und eine Reihe von Informationen, die erlauben, jegliche Funktionen und Bequemlichkeiten zu nutzen.

Nach dem gelungenen Kauf des Geräts, sollte man einige Zeit für das Kennenlernen jedes Teils der Anleitung von IBM 10 SP1 EAL4 widmen. Aktuell sind sie genau vorbereitet oder übersetzt, damit sie nicht nur verständlich für die Nutzer sind, aber auch ihre grundliegende Hilfs-Informations-Funktion erfüllen.

Inhaltsverzeichnis der Gebrauchsanleitungen

  • Seite 1

    SUS E Li nu x Ent erp ris e Se rve r 10 S P1 EA L4 High - Le vel D esi gn Ver sio n 1.2. 1[...]

  • Seite 2

    Version Author Date Comments 1.0 EJR 3/15/07 First draft based on RHEL5 HLD 1.1 EJR 4/19/07 Updates based on comments from Stephan Mueller and Klaus Weidner 1.2 GCW 4/26/07 Incorporated Stephan's comment to remove racoon 1.2.1 GCW 10/27/08 Added legal matter missing from fina l draft. Novell, the Novell logo, the N logo, and SUS E are register[...]

  • Seite 3

    Ta ble o f Co nt en ts 1 Int rodu ction................................................................................................................................................. .. . 1 1 .1 Purpos e of t his do cument ...................................................................................................... ... ... .. ... .. ... [...]

  • Seite 4

    4.1 .2.1 D AC.......................................................................................................................... ... .. ... .. 25 4.1 .2.2 A p pArmor ................................................................................................................ .. ... ... .. .. 26 4.1 .2.3 P rogr ams with s oftware priv ileg[...]

  • Seite 5

    5.1 .5 Dis cretion ary Acce ss Con trol (DA C)................................................................................... ... ... . 55 5 .1.5.1 P ermissio n bits ..................................................................................................... ... .. ... ... .. ... 56 5 .1.5.2 A ccess C ontrol L ists ....................[...]

  • Seite 6

    5 .3.3.2 C ommon fu nctions ................................................................................................... ... .. ... .. .. 76 5 .3.3.3 Me ssage queue s .................................................................................................................. .. 77 5 .3.3.4 Se maphore s..................................[...]

  • Seite 7

    5.5 .3 Ke rnel me mory manage ment ........................................................................... ... .. ... .. ... .. ... ... .. ..1 4 2 5 .5.3.1 Su pport for NUMA ser vers................................................................................. ... ... .. ... .. ..1 4 2 5 .5.3.2 R evers e map Virt ual Memo ry.................[...]

  • Seite 8

    5.8.3 secu rityfs ....................................................................................................................... ... .. ... .. ... 174 5 .9 Dev ice driver s............................................................................................................... .. ... .. ... .. ... ... .. . 174 5.9.1 I/O virtual izati[...]

  • Seite 9

    5 .11.3.1 age tty ........................................................................................................................... ... .. 203 5 .11.3.2 g p asswd ...................................................................................................................... ... .. . 203 5 .11.3.3 l ogin ............................[...]

  • Seite 10

    5 .13.3.2 g roupmo d.......................................................................................................... ... .. ... .. ... .. 232 5 .13.3.3 g roupde l....................................................................................................... .. ... .. ... .. ... ... .. 232 5.1 3.4 Syste m Time manage ment..........[...]

  • Seite 11

    6.1 Ide ntificat ion and authe ntication ................................................................................... .. ... .. ... .. ... .. ...2 51 6.1.1 User identification and authentication da ta management (IA.1)..... .... ..... .... ..... ..... .... ..... .... .. .. . .. .251 6.1 .2 Common authe nticatio n mech anism (IA .2) .........[...]

  • Seite 12

    6.8 Secur ity en forcing interf aces bet ween su bsyste ms................................................................... .. ... .. ...25 5 6.8.1 Summary of kernel subsystem interfaces ... ..... ..... .... ..... .... ..... ..... .... ..... .... ..... ..... . .. . .. .. . .. .. . .. .. . .. ..256 6.8 .1.1 K erne l subsyst em file a nd I/O ......[...]

  • Seite 13

    1 Introduction This document describes the High Level Design ( HLD) for the SUSE® Linux® Enterprise Server 10 Service Pack 1 operating system. For ease of reading, this document uses the phrase SUSE Linux Enterprise Server and the abbreviation SLES as a synonym for S USE Linux Enterprise Server 10 SP1. This document summarizes the design and Ta r[...]

  • Seite 14

    2 System Overview The Target of Evaluation (TOE) is SUS E Linux Ente rprise Server (SLES) running on an IBM eServer host computer. The SLES product is ava ilable on a wide range of hardware platforms. This evaluation covers the SLES product on the IBM eServer System x™, System p ™, and System z™, and eServer 326 (Opteron). (Throughout this do[...]

  • Seite 15

    The TOE system provides user Identification a nd Authentication (I&A) mechanism by requiring each user to log in with proper password at the local workstation, a nd also at any remote computer where the user can enter commands to a shell program (for examp le, remote ssh sessions). Each computer enforces a coherent Discretionary Access Control [...]

  • Seite 16

    The Common Criteria for Information Technology Security Evaluation [CC] a nd the Common Methodology for Information Technology Security Evaluation [CEM] dema nd breaking the TOE into logical subsystems that can be either (a ) products, or (b) logical functions performed by the system. The approach in this section is to break the system into structu[...]

  • Seite 17

    The SLES kernel includes the base kernel and sepa rately-loadable kernel modules and device drivers. (Note that a device driver can a lso be a ker nel module.) The kernel consists of the bootable kernel image and its loadable modules. The kernel implements the system call interface, which provides system calls for file management, memory ma nagemen[...]

  • Seite 18

    2.2.2 eServer system structure The system is an eServer computer, which permits one user at a time to log in to the computer console. Several virtual consoles can be mapp ed to a single physical console. Different users can login through different virtual consoles simultaneously. The system can be connected to other computers via physically a nd lo[...]

  • Seite 19

    Network services, such as ssh or ftp , involve client-server architecture a nd a network service-layer protocol. The client-server model splits the softwa re that provides a service into a client portion that ma kes the request, and a server portion that ca rries out the reque st, usually on a different computer. The service protocol is the interfa[...]

  • Seite 20

    Objects are pa ssive re posi tories of data. The TOE defines three types of objects: named obj ects, storage objects, and public objects. Nam ed objects are resources, such as files and IPC objects, which can be manipulated by multiple users using a nami ng convention defined at the TSF interface. A storage object is an object that supports both re[...]

  • Seite 21

    The local TSF interfaces p rovided by an individual host computer include: • Files that are pa rt of the TSF database that define the configuration pa rameters used by the security functions. • System calls made by trusted a nd untrusted programs to the privileged kernel-mode software. As described separately in this document, system calls are [...]

  • Seite 22

    The SLES operating system is distributed a s a collection of packages. A package can include programs, configuration data, and documentation for the package. Analysis is performed at the file level, except where a particular package can be treated collectively. A file is included in the TSF for one or more of the following reasons: • It contains [...]

  • Seite 23

    11[...]

  • Seite 24

    3 Hardware architecture The TOE includes the IBM System x, System p, System z, and eServer 326. This section describes the hardware architecture of these eServer sys tems. For more detailed information about Linux support and resources for the entire eServer line, refer to http: //www.ibm.com/systems/browse/linux . 3.1 System x IBM System x systems[...]

  • Seite 25

    In this mode, applications may a ccess: • 64-bit flat linear addressing • 8 new general-purpose registers (GPRs) • 8 new registers for streaming Single Instruction/Multiple Data (SIMD) extensions (SSE, SSE2 and SSE3) • 64-bit-wide GPRs and instruction pointers • uniform byte-register addressing • fast interrupt-prioritization mechani sm[...]

  • Seite 26

    USB (except keyboard and mouse), PCMCIA, and IEEE 1394 (Firewire) devices are not supported in the evaluated configuration. 3.3 System z The IBM System z is designed a nd optimized for high-performance data and transaction serving requirements. On a System z system, Li nux can run on native hardware, in a logical partition, or as a guest of the z/V[...]

  • Seite 27

    For more details about z/Architecture, refer to the z/Architecture document z/Architecture Princip les of Operation at http://publibz.boulder.ibm.c om/epubs/pdf/dz9zr002.pdf . USB (except keyboard and mouse), PCMCIA, and IEEE 1394 (Firewire) devices are not supported in the evaluated configuration. 3.4 eServ er 326 The IBM eServer 326 systems are A[...]

  • Seite 28

    processor extensions are activated, a llowing the processor to operate in one of two sub-modes of LMA. These are the 64-bit mode and the compa tibility mode. • 64-bit mode: In 64-bit mode, the p rocessor supports 64-bit virtual addresses, a 64-bit instruction pointer, 64-bit general-purpose registers, a nd eight additional general-purpose registe[...]

  • Seite 29

    17[...]

  • Seite 30

    4 Software architecture This chapter summarizes the software structure a nd design of the SLES system and provides references to detailed design documentation. The following subsections describe the TOE S ecurity Functions (TSF) software and the TSF databases for the SLES system. The descriptions are organized according to the structure of the syst[...]

  • Seite 31

    System x: The System x servers are pow ered by Intel processors. Intel processors provide four execution modes, identified with processor privilege levels 0 through 3. The highest privilege level execution mode corresponds to processor privilege level 0; the lowest privi lege level execution mode corresponds to processor privilege level 3. The SLES[...]

  • Seite 32

    • When the processor is in kernel mode, the program has ha rdware privilege because it can execute certain privileged instructions that a re not available in user mode. Thus, any code that runs in kernel mode executes with ha rdware privileges. Software that runs with hardware privileges includes: • The base SLES kernel. This constitutes a larg[...]

  • Seite 33

    4.1.2.1 DAC The DAC model allows the owner of the object to decide who can access that object, and in what manner. Like any other access control model, DAC implementation can be explained by which subjects and objects are under the control of the model, security attributes used by the model, access control and attribute transition rules, and the ov[...]

  • Seite 34

    4.1.2.3 Program s with softwa re privilege Examples of programs running with software privi lege are: • Programs that are run by the system, such as the cron and init daemons. • Programs that are run by trusted a dministrators to perform system administration. • Programs that run with privileged identity by executing setuid programs. All soft[...]

  • Seite 35

    The concept of breaking the TOE product into logica l subsystems is described in the Common Criteria. These logical subsystems are the building blocks of the TOE, a nd are described in the Functional Descriptions chapter of this paper. They include logica l subsystems and trusted processes that implement security functions. A logical subsystem can [...]

  • Seite 36

    4.2.1.1 Logical components The kernel consists of logical subsystems that p rovide different functionalities. Even though the kernel is a single executable program, the various services i t provides can be broken into logical components. These components interact to p rovide specific functions. Figure 4-3 schematically describes logica l kernel sub[...]

  • Seite 37

    • Audit subsystem: This subsystem implements functions related to recording of security-critical events on the system. Implemented functions include those that trap each system call to record security critical events and those that imp lement the collection and recording of audit data. 4.2.1.2 Execution components The execution components of the [...]

  • Seite 38

    4.2 .1. 2.3 Ker nel m odul es a nd dev ice dri vers Kernel modules are pieces of code that can be loaded a nd unloaded into and out of the kernel upon demand. They extend the functionality of the kernel wi thout the need to reboot the system. Once loaded, the kernel module object code can access other kernel code and da ta in the same manner as sta[...]

  • Seite 39

    • The crontab program is the program used to install, deinstall, or list the tables used to drive the cron daemon. Users can have their own crontab files that set up the time and frequency of execution, as well as the command or script to execute. • The gpasswd command administers the /etc/group file and /etc/gshadow file if compiled with SHADO[...]

  • Seite 40

    • The chfn command allows users to change their finger i nformation. The finger command displays that information, which is stored in the /etc/passwd file. • The date command is used to print or set the system da te and time. Only an administrative user is allowed to set the system date a nd time. • The groupadd , groupmod , a nd groupdel com[...]

  • Seite 41

    This section briefly describes the functiona l subsystems that implement the required security functionaliti es and the logical subsystems that a re part of each of the functional subsystems. The subsystems are structured into those imp lemented within the SLES kernel, and those implemented a s trusted processes. 4.4.1 Hardware The hardware consist[...]

  • Seite 42

    • gpasswd • chage • useradd, usermod, userdel • groupadd, groupmode, groupdel • chsh • chfn • openssl 4.4.5 User-level audit subsyst em This subsystem contains the portion of the a udit system that lies outside the kernel. This subsystem contai ns the auditd trusted process, which reads audit records from the kernel buffer, and transf[...]

  • Seite 43

    31[...]

  • Seite 44

    5 Functional descr iptions The kernel structure, its trusted software, and its Target of Evaluation (TOE) Security Functions (TSF) databases provide the foundation for the descriptions in this chapter. 5.1 File and I/O management The file and I/O subsystem is a management system for defining objects on secondary storage devices. The file and I/O su[...]

  • Seite 45

    In order to shield user programs from the underlying details of different types of disk devices and disk-based file systems, the SLES kernel provides a softwa re layer that handles all system calls related to a standa rd UNIX file system. This common interface lay er, called the Virtual File System, interacts with disk-based file systems whose phys[...]

  • Seite 46

    The root directory is contained in the root file sys tem, which is ext3 in this TOE. All other file systems can be mounted on subdirectories of the root file system. The VFS allows programs to perform operations on files without having to know the implementation of the underlying disk-based file system. The VFS layer redirects file operation reques[...]

  • Seite 47

    inode : Stores general information a bout a specific file, such as file type and access rights, file owner, group owner, length in bytes, operations vector, time of last file access, time of last file w rite, and time of last inode change. An inode is associated to each file a nd is described in the kernel by a struct inode data structure. file : S[...]

  • Seite 48

    Figure 5-5 VFS pathname translation a nd access control checks 36 Fig ure 5-5: VF S pa thn ame tra nsla tion and ac cess co ntro l che cks[...]

  • Seite 49

    5.1.1. 2 open() The following describes the call sequence of a n open() call to create a file: 1. Call the open() system call with a relative pa thname and flags to create a file for read and write. 2. open () calls open_namei() , which ultimately derives the dentry for the directory in which the file is being created. If the pa thname contains mul[...]

  • Seite 50

    5.1.1.3 write() Another example of a file system operation is a write() system call to write to a file that wa s opened for writing. The write() system call in VFS is very straightforward, becaus e access checks have already been performed by open() . The following list shows the call sequence of a write() ca ll: 1. Call the write() system call wit[...]

  • Seite 51

    • Unbindable Mount: This mount does not forward or receive propa gation. This mount type can not be bind-mounted, and it is not valid to m ove it under a shared mount. • Slave Mount: A slave mount remains tied to its parent mount and receives new mount or unmount events from there. The mount or unmount events in a slave mount do not p ropagate [...]

  • Seite 52

    5.1.2 .1.1 .1 Acc ess Contr ol L ists ACLs provide a way of extending directory a nd file access restrictions beyond the traditional owner, group, and world permission settings. For more details about the ACL format, refer to Discretionary Access Control, Section 5.1.5, of this document, and section 6.2.4.3 of the SLES Security Target document. EAs[...]

  • Seite 53

    • ext3_group_desc : Disk blocks are pa rtitioned into groups. Each group has its own group descriptor. ext3_group_desc stores information such as the block number of the inode bitma p, and the block number of the block bitmap. • ext3_inode : The on-disk counterpart of the inode structure of VFS, ext3_inode stores information such as file owner,[...]

  • Seite 54

    42 Fig ure 5-8: N ew d ata bloc ks a re a lloc ated an d ini tial ized for an e xt3 field[...]

  • Seite 55

    Figure 5-9 shows how for a file on the ext3 file system, inode_operations ma p to ext3_file_inode_operations . Similarly, for directory, sym link, and special-file types of objects, inode operations map to ext3_dir_inode_operations , ext3_symlink_inode_operations , and ext3_special_inode_operations , respectively. ext3_truncate() is the entry point[...]

  • Seite 56

    from the superblock’s s_root field of the superblock, a nd then invokes isofs_find_entry() to retrieve the object from the CD-ROM. On a CD-ROM file system, inode_operations map to isofs_dir_inode_operations . 5.1.3 Pseudo file systems 5.1.3.1 procfs The proc file system is a specia l file system that allows system programs and administrators to m[...]

  • Seite 57

    Since VM is volatile in na ture, tmpfs data is not preserved between reboots. Hence this file system is used to store short-lived temporary files. An a dministrator is allowed to specify the memory placement policies (the policy itself and the preferred nodes to be alloca ted) for this file system. 5.1.3.3 sysfs sysfs is an in-memory file system, w[...]

  • Seite 58

    5.1.3.6 binfmt_m isc binfmt_misc provides the abi lity to register additional binary formats to the kernel without compiling an additional module or kernel. Therefore, binfmt_mi sc needs to know magic numbers at the beginning, or the filename extension of the bina ry. binfmt_misc works by maintaining a linked list of structs that contain a descript[...]

  • Seite 59

    chown() system call. The owner and the root user are allowed to define and change ac cess rights for an object. This following subsection looks at the kernel functions imp lementing the access checks. The function used depends on the file system; for example, vfs_permission() invokes permission() which then calls specific *_permission() routines ba[...]

  • Seite 60

    • If the process is neither the owner nor a member of a n appropriate group, and the permission bits for world allow the type of access requested, then the subject is permitted access. • If none of the conditions above are satisfied, and the effective UID of the process is not zero, then the access attempt is denied. 5.1.5.2 Access Control List[...]

  • Seite 61

    5.1 .5. 2.3 AC L per mis si ons An ACL entry can define separa te permissions for read, write, and execute or search. 5.1 .5. 2.4 Rel ati ons hip to file per mi ssio n b its An ACL contains exactly one entry for each of the ACL_USER_OBJ , ACL_GROUP_OBJ , and ACL_OTHER types of tags, called the required ACL entries. An ACL ca n have between zero and[...]

  • Seite 62

    5.1 .5. 2.8 AC L enf orc eme nt The ext3_permission() function uses ACLs to enforce DAC. The algorithm goes through the following steps: 1. Performs checks such as “no write access if read-only file sys tem” and “no write access if the file is immutable.” 2. For ext3 file systems, the kernel calls the ext3_get_acl() to get the ACL correspon[...]

  • Seite 63

    file by adding ACLs with the setfacl command. For examp le, the following command allows a user named john read access to this file, even if john does not belong to the root group. #setfacl –m user:john:4,mask::4 /aclfile The ACL on file will look like: # owner: root # group: root user:: rw- user:john:r— group::r-- mask::r-- other::--- The mask[...]

  • Seite 64

    application, the I/O scheduler is considered a n important kernel component in the I/O path. SLES includes four I/O scheduler options to optimize system performa nce. 5.1.7.1 Deadline I/O scheduler The deadline I/O scheduler available in the Linux 2.6 kernel incorporates a per-request expiration-based approach, and operates on five I/O queues. The [...]

  • Seite 65

    requests. This capability makes it behaves simi larly to the Anticipa tory I/O scheduler . I/O priorities are also considered for the processes, which are derived from their CPU p riority. 5.1.7.4 Noop I/O scheduler The noop I/O scheduler can be considered as a rather minima l I/O scheduler that performs, as well as provides, basic merging a nd sor[...]

  • Seite 66

    5.1.8.4 Tasklets Tasklets are dynamically linked and built on top of softirq mechanisms. Tasklets differ from softirqs in that a tasklet is always serialized with respect to itself. In other words, a tasklet cannot be executed by two CPUs at the same time. However, different tasklets can be executed concurrently on several CPUs. 5.1.8.5 Work queue [...]

  • Seite 67

    5.2 Proces s control and mana gement A process is an instance of a program in execution. Process management consists of creating, manip ulating, and terminating a p rocess. Process management is handled by the process management subsystems of the kernel. The kernel interacts with the memory subsystem, the network subsystem, the file and I/O subsyst[...]

  • Seite 68

    The SLES kernel maintains information about each process in a task_struct process type of descriptor. Each process descriptor contains information such as run-state of process, address space, list of open files, process priority, which files the process is allowed to a ccess, and security relevant credentials fields including the following: • uid[...]

  • Seite 69

    Fig ure 5-1 2: T he t ask stru ctur e The kernel maintains a circular doubly-linked list of all existing process descriptors. The head of the list is the init_task descriptor referenced by the first element of the task array. The init_task descriptor belongs to process 0 or the swapper, the ancestor of all p rocesses. 5.2.2 Proce ss crea tion and d[...]

  • Seite 70

    5.2 .2. 2.4 set resu id() and se tres gid( ) These set the real user and group ID, the effective user a nd group ID, and the saved set-user and group ID of the current process. Normal user processes (that is, p rocesses with real, effective, and saved user IDs that are nonzero) may change the real, effective, a nd saved user and group IDs to either[...]

  • Seite 71

    5.2.5 Scheduling Scheduling is one of the features that is highly imp roved in the SLES 2.6 kernel over the 2.4 kernel. It uses a new scheduler algorithm, called the O (1) algorithm, that provides greatly increased scheduling scalability. The O (1) algorithm achieves this by taking ca re that the time taken to choose a process for placing into exec[...]

  • Seite 72

    For more information about hyperthreading, refer to http://www.intel.com/technology/hyp erthread/ . 5.2.6 Kerne l preem pti on The kernel preemption feature has been imp lemented in the Linux 2.6 kernel. This should significantly lower latency times for user-interactive app lications, multimedia a pplications, and the like. This feature is especial[...]

  • Seite 73

    The following code snippet demonstrates the p er-CPU data structure problem, in an SMP system: int arr[NR_CPUS]; arr[smp_processor_id()] = i; /* kernel preemption could happen here */ j = arr[smp_processor_id()]; /* i and j are not equal as smp_processor_id() may not be the same */ In this situation, if kernel preemption had ha ppened at the specif[...]

  • Seite 74

    5.3.1 Pipes Pipes allow the transfer of data in a FIFO manner. The pipe() sy stem call creates unnamed pipes. Unnamed pipes are only accessible to the creating process and its descendants through file descriptors. Once a pipe is created, a process ma y use the read() and write() VFS system calls to access it. In order to allow access from the VFS l[...]

  • Seite 75

    pipe_inode_info : Contains generic state informa tion about the pipe with fields such as base (which points to the kernel buffer), len (which represents the number of bytes written into the buffer and yet to be read), wait (which represents the wait queue), and start (which points to the read position in the kernel buffer). do_pipe() : Invoked thro[...]

  • Seite 76

    The inode allocation routine of the disk-bas ed file system does the allocation and initializa tion of the inode object; thus, object reuse is handled by the disk-based fi le system. 5.3.2.2 FIFO open A call to the open() VFS system call performs the sam e operation as it does for device special files. Regular DACs when the FIFO inode is read a re [...]

  • Seite 77

    • ipc_id : The ipc_id data structure describes the security credentials of an IPC resource with the p field, which is a pointer to the credential structure of the resource. • kern_ipc_perm : The kern_ipc_perm data structure is a credential structure for an IPC resource with fields such as key, uid, gid, cuid, cgid, mode, seq, and security. uid [...]

  • Seite 78

    5.3 .3. 3.3 ms gg et() This function is invoked to create a new message queue, or to get a descriptor of an existing queue based on a key. The newly created credentials of the message queue a re initialized from the credentials of the creating process. 5.3 .3. 3.4 ms gsn d() This function is invoked to send a message to a message queue. DAC is p er[...]

  • Seite 79

    5.3 .3. 4.4 sem ctl( ) A function that is invoked to set a ttributes, query status, or delete a semaphore. A semaphore is not deleted until the process waiting for a semaphore has received it. DAC is performed by invoking the ipcperms() function. 5.3.3.5 Shared memory regions Shared memory regions allow two or more p rocesses to access common data [...]

  • Seite 80

    5.3.4 Signals Signals offer a means of delivering as ynchronous event s to processes. Processes can send signals to each other with the kill() system call, or the kernel can internally deliver the signals. Events that cause a signal to be generated include keyboard interrupts via the interrupt, stop, or quit keys, exceptions from invali d instructi[...]

  • Seite 81

    specifying the target a ddress of the ser ver. For an Internet domain socket, the address of the server is i ts IP address and its port number. Sockets are created using the socket() system call. Depending on the type of socket, either UNIX domain or internet domain, the socket fami ly operations vector invokes either unix_create() or inet_create()[...]

  • Seite 82

    • The protocol-independent interface module p rovides an interface that is independent of hardware devices and network protocol. This is the interfac e module that is used by other kernel subsystems to access the network without having a dependency on particular p rotocols or hardware. Finally, the system call interface module restricts the expor[...]

  • Seite 83

    The transport layer consists of the TCP, UDP and simi lar protocols. The application layer consists of a ll the various application clients and servers, such as the Sa mba file and print server, the Apache web server, and others. Some of the app lication-level protocols include Telnet, for remote login; FTP, for file transfer; and, SMTP, for mail t[...]

  • Seite 84

    5.4.2 Transpo rt l ayer proto cols The transport layer protocols supported by the SLES kernel are TCP and UDP. 5.4.2.1 TCP TCP is a connection-oriented, end-to-end, reliable protocol designed to fit into a layered hierarchy of protocols that support multi-network app lications. TCP provides for reliable IPC between pa irs of processes in host compu[...]

  • Seite 85

    The following section introduces Internet Protocol Version 6 (IPv6). F or additional information about referenced socket options and advanced IPv6 applica tions, see RFC 3542. Internet Protocol Version 6 (IPv6) was designed to imp rove upon and succeed Internet Protocol Version 4 (IPv4). IPv4 addresses consist of 32 bits. This accounts for about 4 [...]

  • Seite 86

    5.4 .3. 2.3 Flo w L abel s The IPv6 header has a field to in which to enter a flow label. This p rovides the ability to identify packets for a connection or a traffic stream for sp ecial processing. 5.4 .3. 2.4 S ecuri ty The IPv6 specifications mandate IP security. IP security must be included as pa rt of an IPv6 implementation. IP security provid[...]

  • Seite 87

    The phrase data integrity implies that the data received is as it wa s when sent. It has not been tampered, altered, or impa ired in any way. Data authentication ensures that the sender of the data is really who you believe it to be. Without data a uthentication and integrity, someone can intercept a datagram and alter the contents to reflect somet[...]

  • Seite 88

    In tunnel mode, the entire IP datagram is encapsulated, protecting the entire IP datagram. An IP P acket with tunne l mo de AH 5.4 .3.4.1 .2 Enc apsu latin g Sec uri ty Pay load Prot oco l (E SP) The Encapsulating Security Payload (ESP) header is defined in RFC 2406. Besides data confidentiality, ESP also provides authentication and integrity as an[...]

  • Seite 89

    An IP P acket with tunne l mo de ESP 5.4 .3.4.1 .3 Sec urit y As soc iation s RFC2401 defines a Security Association (S A) as a simplex or one-way connection that affords security services to the traffic it carries. S eparate SAs must exist for each direction. IPSec stores the SAs in the Security Association Database (SAD), which resides in the Lin[...]

  • Seite 90

    5.4 .3.4.1 .8 Cry ptog raph ic sub sys tem IPSec uses the cryptographic subsystem described in thi s section. The cryptographic subsystem performs several cryptographic-related assignments, includi ng Digital Signature Algorithm (DSA) signature verification, in-kernel key management, arbitrary-precision integer arithmetic, and verification of kerne[...]

  • Seite 91

    5.4 .4. 1.1 Ad dres s R esol utio n P rotoc ol ( AR P) Address Resolution Protocol (ARP) is a protocol for map ping an IP address to a physical machine address that is recognized in the local network. For examp le, in IP Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, a dd[...]

  • Seite 92

    The following subsections describe access control and object reuse handling associated with establishing a communications channel. 5.4.5.1 socket() socket() creates an endpoint of communica tion using the desired protocol type. Object reuse handling during socket creation is described in Section 5.3.5. socket() may perform additional access control[...]

  • Seite 93

    Similarly, for UNIX domain sockets, bind() invokes unix_bind() . unix_bind() creates a n entry in the regular ext3 file system spa ce. This process of creating an entry for a socket in the regular file system space has to undergo all file system access control restrictions. The socket exists in the regular ext3 file system space, and honors DAC pol[...]

  • Seite 94

    5.4.5.6 Generic calls read(), write() and close() : read() , write() and close() are generic I/O system calls that operate on a file descriptor. Depending on the type of object, whether regular file, directory, or socket, appropriate object-specific functions are invoked. 5.4.5.7 Access control DAC mediation is performed a t bind () time. The socke[...]

  • Seite 95

    • A system call interface is provided to p rovide restricted access to user processes. This interface allows user processes to allocate and free storage, a nd also to perform memory-mapped file I/O. This section highlights the implementation of the System Architecture requirements of a) a llowing the kernel software to protect its own memory reso[...]

  • Seite 96

    5.5.1 Four-Level Page Tables Before the current implementation of four-level page tables, the kernel implemented a three-level p age table structure for all architectures. The three-level pa ge table structure that previously existed was constituted, from top to bottom, for the pa ge global directory (PGD), page middle directory (PMD), a nd PTE. In[...]

  • Seite 97

    The creation and insertion of a new level, the PUD level, immediately below the top-level PGD directory aims to maintain p ortability and transparency once all architectures have a n active PGD at the top of hierarchy and an active PTE at the bottom. The PMD and PUD levels are only used in architectures that need them. These levels are optimized on[...]

  • Seite 98

    The larger kernel virtual address space allows the system to manage more physical memory. Up to 64 GB of main memory is supported by S LES on x86-compatible systems. The larger user virtual address spac e allows applications to use approximately 30% more memory (3.7—3.8 GB), improving performance for a pplications that take advantage of the featu[...]

  • Seite 99

    5.5 .2. 1.1 S egme ntati on The segmentation unit translates a logical address into a linear address. A logical a ddress consists of two parts: a 16 bit segment identifier ca lled the segment selector, and a 32-bit offset. For quick retrieval of the segment selector, the processor provides six segmentation registers whose purpose is to hold segment[...]

  • Seite 100

    5.5 .2. 1.2 Pa gin g The paging unit translates linear a ddresses into physical addresses. It checks the requested access type a gainst the access rights of the linear address. Linear a ddresses are grouped in fixed-length intervals called pages. To allow the kernel to specify the physica l address and access rights of a page instead of addresses a[...]

  • Seite 101

    In extended paging, 32 bits of linear address are divided into two fields: • Directory: The most significant 10 bi ts represents directory. • Offset: The remaining 22 bits represents offset. Each entry of the page directory a nd of the page table is represented by the same data structure. This data structure includes fields that describe the pa[...]

  • Seite 102

    User-Supervisor flag: This flag contains the privilege level that is required for accessing the page or page table. The User-Supervisor flag is either 0, which indica tes that the page can be accessed only in kernel mode, or 1, which indicates that it ca n always be accessed. 5.5 .2.1.2 .1 Pagin g in th e S LES kerne l The SLES kernel is based on L[...]

  • Seite 103

    For more information about call ga tes, refer to the http://www.csee.umbc.edu/~plusquel/310/slides/micro_arch4.html Web site. 5.5 .2.1.2 .3 Tran slati on lookas ide buffe rs The System x processor includes other caches, in a ddition to the hardware caches. These caches are called Translation Lookaside Buffers (TLBs), a nd they speed up the linear-t[...]

  • Seite 104

    The PS flag in the page directory entry (PDE.PS) selects between 4 KB and 2 MB page sizes. 5.5.2.2 System p Linux on POWER5 System p systems runs only in Logical Partitioning (LPAR) mode. The System p offers the ability to pa rtition one system into several independent systems through LPAR. LPAR divi des the processors, memory, and storage into mul[...]

  • Seite 105

    Fig ure 5-3 4: L ogic al p artitio ns On System p systems without logical pa rtitions, the processor has two operating modes, user and supervisor. The user and supervisor modes are implemented using the PR bit of the Machine State Register (MSR). Logical partitions on System p systems necessitate a third mode of operation for the processor. This th[...]

  • Seite 106

    • 0 The processor is not in hypervisor state. • 1 If MSRPR= 0 the processor is in hypervisor state; otherwise, the processor is not in hypervisor state. The hypervisor takes the value of 1 for hypervisor mode a nd 0 for user and supervisor mode. The following table describes the privilege state of the processor as determined by MSR [HV] and MSR[...]

  • Seite 107

    Just as certain memory a reas are protected from access in user mode, some memory areas, such as hardwa re page tables, are accessible only in hyp ervisor mode. The PowerPC and POWER architecture provides only one system call instruction. This sys tem call instruction, sc, is used to perform system ca lls from the user space intended for the SLES k[...]

  • Seite 108

    hardware address of the memory. This translation is done by the hypervisor, which keeps a logical pa rtition unaware of the existence of other logical partitions. 5.5 .2. 2.1 Ad dres s T rans lati on on L PA Rs On System p systems running with logical pa rtitions, the effective address, the virtual address, a nd the physical address format and mean[...]

  • Seite 109

    5.5 .2. 2.4 Vi rtua l m ode addre ss ing Operating systems use another type of a ddressing, virtual addressing, to give user applications an effective address space that exceeds the amount of physical m emory installed in the system. The operating system does this by paging infrequently used programs and data f rom memory out to disk, and bringing [...]

  • Seite 110

    5.5 .2. 2.7 Ru n-Tim e Ab stra cti on S ervic es System p hardware platforms provide a set of firmware Run-Time Abstraction Services (RTAS) ca lls. In LPAR, these calls perform additiona l validation checking and resource virtualization for the partitioned environment. For example, although there is only one physical non-volatile RAM chip, and one [...]

  • Seite 111

    For further information about PowerPC 64 bit p rocessor, see PowerPC 64-bit Kernel Internals by David Engebretson, Mike Corrigan & Peter Bergner at http://lwn.net/2001/features/OLS/pdf/pdf/p pc64.pdf . You can find further in formation about System p ha rdware at http://www-1.ibm.com/servers/eserver/pseries/linux/ . The following describes the [...]

  • Seite 112

    • To access a particular memory loca tion, the CPU transforms an effective address into a physical address using one of the following address translation mechanism s. • Real mode address translation, where a ddress translation is disabled. The physical address is the same as the effective a ddress. • Block address translation, which translate[...]

  • Seite 113

    • DR: Data Address Translation. The value of 0 disables transla tion, and the value of 1 enables translation. 5.5 .2. 3.2 P age desc ript or Pages are described by Page Table Entries (PTEs). The operating system generates and places PTEs in a page table in memory. A PTE on SLES is 128 bi ts in length. Bits relevant to access control are Page p ro[...]

  • Seite 114

    • Vs: Supervisor mode valid bit. Used with MSR[PR] to restrict translation for some block addresses. • Vp: User mode valid bit. Used with MSR[PR] to restrict translation for some block addresses. • PP: Protection bits for block. 5.5 .2. 3.5 Ad dress tra nslat ion me cha nis ms The following simplified flowchart describes the process of select[...]

  • Seite 115

    Real Mode Address Translation: Real Mode Address Translation is not technically the translation of a ny addresses. Real Mode Address Translation signifies no tra nslation. That is, the physical address is the sam e as the effective address. The operating system us es this mode during initialization a nd some interrupt processing. Because there is n[...]

  • Seite 116

    Page address translation begins with a check to s ee if the effective segment ID, corresponding to the effective address, exists in the Segment Lookaside Buffer (SLB). The SLB provides a mapping between Effective Segment Ids (ESIDs) and Virtual Segment Ids (VSIDs). If the S LB search fails, a segment fault occurs. This is an Instruction Segment exc[...]

  • Seite 117

    105 Fig ure 5-4 8: P age Ad dres s T rans latio n and acc ess con trol[...]

  • Seite 118

    5.5.2.4 System z SLES on System z systems can run either in na tive mode or in LPAR. Additionally, it can run as z/VM guests, which is specific to this series. This section briefly describes these three modes and how they address and protect memory. F or more detailed information about System z architecture, refer to Z/A rchit ectur e Princ iple of[...]

  • Seite 119

    Absolute address: An absolute address is the a ddress assigned to a main memory location. An absolute address is used for a memory access without any transformations performed on it. Effective address: An effective address is the a ddress that exists before any transformation takes p lace by dynamic address translation or p refixing. An effective a[...]

  • Seite 120

    5.5 .2.4.7 .1 Dyn amic addr ess tran slat ion Bit 5 of the current PSW indicates whether a virtual a ddress is to be translated using pa ging tables. If it is, bits 16 and 17 control which address space translation mode (p rimary, secondary, access-register, or home) is used for the translation. The following diagram illustrates the logic used to d[...]

  • Seite 121

    Fig ure 5-5 1: A ddr ess tran sla tion mod es Each address-space translation mode tra nslates virtual addresses corresponding to that address spac e. For example, primary a ddress-space mode translates virtual addresses from the primary a ddress space, and home address space mode translates virtual addresses belonging to the home address space. Eac[...]

  • Seite 122

    5.5 .2.4.7 .2 Pref ixing Prefixing provides the ability to a ssign a range of real addresses to a different block in absolute memory for each CPU, thus permitting more than one CPU sharing main memory to operate concurrently wi th a minimum of interference. Prefixing is performed with the help of a prefix register. No access control is performed wh[...]

  • Seite 123

    For a detailed description of prefixing a s well as implementation details, see z/Archi tectu re Prin ciple s of Oper ation at http://publibz.boulder.ibm. com/epubs/pdf/dz9zr002.pdf . 5.5 .2. 4.8 Me mor y pr otec tion m echa nis ms In addition to separating the a ddress space of user and supervisor states, the z/Architecture provides mechanisms to [...]

  • Seite 124

    5.5 .2.4.8 .2 Page table pro tect ion The page table protection m echanism is applied to virtual addresses during their translation to real addresses. The page table protection m echanism controls access to virtual storage by using the pa ge protection bit in each page-table entry and segment-ta ble entry. Protection can be applied to a single p ag[...]

  • Seite 125

    113 Fig ure 5-5 4: 3 1-b it D ynam ic Add ress T ra nsla tion with pag e ta ble pr otec tion[...]

  • Seite 126

    114 Fig ure 5-5 5: 6 4-b it D ynam ic Add ress T ra nsla tion with pag e ta ble pr otec tion[...]

  • Seite 127

    5.5 .2.4.8 .3 Key -co ntro lled pro tect ion When an access attempt is ma de to an absolute address, which refers to a memory location, key-controlled protection is app lied. Each 4K page, real memory location, has a 7-bit storage key associa ted with it. These storage keys for pages can only be set when the processor is in the supervisor state. Th[...]

  • Seite 128

    5.5.2.5 eServer 326 eServer 326 systems use AMD Opteron processors. The Opteron processors ca n either operate in legacy mode to support 32-bit operating systems, or in long m ode to support 64-bit operating systems. Long mode has two possible sub modes, the 64-bit mode, which runs only 64-bit a pplications, and compatibility mode, which can run on[...]

  • Seite 129

    The segment selector specifies an entry in either the global or local descriptor table. The sp ecified descriptor- table entry describes the segment loca tion in virtual-address space, its size, and other characteristics. The effective address is used as an offset into the segment sp ecified by the selector. 5.5 .2. 5.2 E ffec tive add ress The off[...]

  • Seite 130

    • Requestor Privilege Level (RPL):RPL represents the privilege level of the program that created the segment selector. The RPL is stored in the s egment selector used to reference the segment descriptor. • Descriptor Privilege Level (DPL):DPL is the privilege level that is associated with an individua l segment. The system software a ssigns thi[...]

  • Seite 131

    calls. If the code segment is non-conforming (with conforming bi t C set to zero in the segment descriptor), then the processor first checks to ensure that CPL is equal to DPL. If CPL is equal to DPL, then the processor performs the next check to see if the RPL va lue is less than or equal to the CPL. A general protection exception occurs if either[...]

  • Seite 132

    The eServer 326 supports a four-level page table. The uppermost level is kept private to the architecture- specific code of SLES. The pa ge-t able setup supports up to 48 bits of address spac e. The x86-64 architecture supports page sizes of 4 KB and 2 MB. Figure 5-61 illustrates how paging is used to translate a 64-bit virtual address into a physi[...]

  • Seite 133

    When the page size is 2 MB, bits 0 to 20 represent the byte offs et into the physical page. That is, page table offset and byte offset of the 4 KB page trans lation are combined to provide a byte offset into the 2 MB physical page. Figure 5-62 illustrates how paging is used to transla te a 64-bit linear address into a physical address for the 2 MB [...]

  • Seite 134

    Each entry of the page map level-4 table, the page-directory pointer table, the pa ge-directory table, and the page table is represented by the sa me data structure. This data structure includes fields that interact in implementing a ccess control during paging. These fields are the Read/Write (R/W) flag, the User/Sup ervisor (U/S) flag, and the No[...]

  • Seite 135

    • Read/Write flag: This flag contai ns access rights of the physical pages mapped by the table entry. The R/W flag is either read/write or read. If set to 0, the corresponding page can only be read; otherwise, the corresponding page can be written to or read. The R/W flag affects all physical pa ges mapped by the table entry. That is, the R/W fla[...]

  • Seite 136

    5.5.3.1 Suppor t for NUMA servers NUMA is an architecture wherein the memory access time for different regions of memory from a given processor varies according to the nodal distance of the memory region from the processor. Each region of memory, to which access times are the sam e from any CPU, is called a node. The NUMA architecture surpasses the[...]

  • Seite 137

    systems, this operation is unaccepta bly slow. With Rmap VM, additional memory mana gement structures have been created that enable a p hysical address to be back-translated to its associated virtual a ddress quickly and easily. For more information about Rmap VM, see http://lwn.net/Articles/23732/ and http://www-106.ibm.com/developerworks/linux/li[...]

  • Seite 138

    Huge TLB File system ( hugetlbfs ) is a p seudo file system, implemented in fs/hugetlbfs/inode.c . The basic idea behind the imp lementation is that large pa ges are being used to back up any file that exists in the file system. During initialization, init_hugetlbfs_fs() registers the file system and mounts it as an internal file system with kern_m[...]

  • Seite 139

    5.5.3.4 Remap_file_pages Remap_file_pages is another memory management feature that is suitable f or large memory and database applications. It is p rimarily useful for x86 systems that use the shared memory file system ( shmemfs ). A shmemfs memory segment requires kernel structures for control a nd mapping functions, and these structures can grow[...]

  • Seite 140

    5.5.3.6 Memor y area management Memory areas are sequences of memory cells ha ving contiguous physical addresses with an arbitrary length. The SLES kernel uses the buddy algorithm for dealing with relatively large memory requests, but in order to satisfy kernel needs of small memory areas, a different scheme, called slab allocator, is used. The sla[...]

  • Seite 141

    address returned by arch_get_unmapped_area() to contain a linear a ddress that is part of another process’s address space. In addition to this process compartmentali zation, the do_mmap() routine also makes sure that when a new memory region is inserted it does not ca use the size of the process address space to exceed the threshold set by the sy[...]

  • Seite 142

    5.5.5 Symm etric multipro cessi ng and synchronization The SLES kernel allows multiple processes to execute in the kernel simultaneously (the kernel is reentrant). It also supports symmetric multiprocessing (SMP), in which two or more processors share the same memory and have equal access to I/O devices. Because of re-entrancy a nd SMP synchronizat[...]

  • Seite 143

    5.5.5.3 Spin locks Spin locks provide an additional synchroniza tion primitive for app lications running on SMP systems. A spin lock is just a simple flag. When a kernel control pa th tries to claim a spin lock, it first checks whether or not the flag is already set. If not, then the flag is s et, and the operation succeeds immediately. If i t is n[...]

  • Seite 144

    Fig ure 5-6 9: A udi t fra mew ork co mpo nents 5.6.1.1 Audit kernel components Linux Audit of the SLES kernel includes three kernel-side components relating to the audit functionality. The first component is a generic mechanism for creating audit records and communicating wi th user space. The communication is a chieved via netlink socket interfac[...]

  • Seite 145

    The kernel checks the effective capabi lities of the sender process. If the sender does not possess the right capability, the netlink message is discarded. 5.6 .1. 1.2 Sy sca ll au ditin g The second component is a mechanism that a ddresses system call auditing. It uses the generic logging mechanism for creating audit records a nd communicating wit[...]

  • Seite 146

    5.6 .1. 1.5 Au dit co ntex t fiel ds • Login ID: Login ID is the user ID of the logged-in user. It remains unchanged through the setuid() or seteuid() system calls. Login ID is required by the Controlled Access Protection Profile to irrefutably associate a user with that user’s actions, even across su() calls or use of setuid binaries. • stat[...]

  • Seite 147

    • serial : A unique number that helps identify a pa rticular audit record. Along with ctime , it can determine which pieces belong to the sam e audit record. The (timestamp, serial) tuple is unique for each syscall and it lives from syscall entry to syscall exit. • ctime : Time at system call entry. • major : System call number. • argv arra[...]

  • Seite 148

    When a filesystem object the audit subsystem is watching changes, the inotify subsystem calls the audit_handle_event() function. audit_handle_event() in turn updates the audit subsystem's watch data for the watched entity. This process is deta iled in Section 5.6.3.1.3. 5.6.1.3 User space audit components The main user level audit components c[...]

  • Seite 149

    5.6.2 Audit operation and configuration op tions 5.6.2.1 Configu ration There are many ways to control the operation of the audit subsystem. The controls are available a t compilation time, boot time, daemon startup time, a nd while the daemon is running. At compilation time, SLES kernel provides three kernel configuration options that control the [...]

  • Seite 150

    Option Description Possible values log_file n ame of the log file log_format How t o flush the data from auditd to the log. RAW . Only RAW is supported in this version. priority_boost The nice v alue for auditd . Used to run audi td at a certain priority. flush Me thod of writing data to disk. none , interval , data , sync freq Use d when flush is [...]

  • Seite 151

    Optio n descriptio n Possib le values -b Sets max number of outstanding buffer allowed. If all buffers are exhausted, the failure flag is checked. Default is 64 -e Sets enabled flag 0|1 -f Sets failure flag silent , printk , panic -r Sets the rate of messages/second. If 0 no rate is set. If > 0 and rate exceeded, the failure flag is checked. Tab[...]

  • Seite 152

    7. If audit is enabled, the kernel intercepts the system calls, and generates audit records a ccording to the filter rules. Or, the kernel generates audit records for watches set on particular file system files or directories. 8. Trusted programs can also write a udit records for security relevant operation via the audit netlink, not directly to th[...]

  • Seite 153

    5.6 .3. 1.2 Sy sca ll au dit re cor d g enera tion Once attached, every security-relevant sys tem call performed by the process is evaluated in the kernel. The process’s descendants maintain their attachm ent to the audit subsystem. 1. All security-relevant system calls ma de by the process are intercepted at the beginning or a t the exit of the [...]

  • Seite 154

    generates the audit record, and sends the record to netlink s ocket. Both audit_syscall_entry() and audit_syscall_exit() call audit_filter_syscall() to apply filter logic, to check whether to audit or not to audit the call. Filtering logic allows an administrative user to filter out events based on the rules set, a s described in the auditctl man p[...]

  • Seite 155

    5.6 .3. 1.4 Soc ket call and IP C au dit re cor d gen erati on Some system calls pass an argument to the kernel specifying which function the system call is requesting from the kernel. These system calls request multiple services from the kernel through a single entry point. For example, the first argument to the ipc() call sp ecifies whether the r[...]

  • Seite 156

    timestamp of the record and the serial number are used by the user-space daemon to determine which pieces belong to the same audit record. The tuple is unique for each sy scall and lasts from syscall entry to syscall exit. The tuple is composed of the timestamp and the serial number. Each audit record for system calls contain the system call return[...]

  • Seite 157

    Event Description LAF audit events Startup and shutdown of audit functions DA EMON_START , DAEMON_END are generated by auditd Modification of audit configuration fi les DAEMON_CONFIG , DAEMON_RECONFIG are generated by auditd . Sysca lls open , lin k , unlink , rename , truncate , write on configuration files Successful and unsuccessful file read/wr[...]

  • Seite 158

    Event Description LAF audit events Execution of the test of the underlying ma chine and the result of the test Audit message from amtu utility: a udit record type: USER . Changes to system time Syscall settimeofday , adjtimex Setting up a trusted channel Sycall exec (of stunnel program) Table 5-4: Audit Subsystem event codes 5.6.4 Audit tools In ad[...]

  • Seite 159

    Lower-layer functions, such as scheduling and interrupt management, cannot be modularized. Kernel modules can be used to add or replace system ca lls. The SLES kernel supports dynamically-loadable kernel modules that are loaded automa tically on demand. Loading and unloading occurs as follows: 1. The kernel notices that a requested feature is not r[...]

  • Seite 160

    STR UC TU RE OB JEC T task_struct T ask(Process) linux_binprm Pr ogram super_block File syste m inode Pi pe, Fi le, or Socket file Open File sk_buff Net work Buffer(Packet) net_device Net work Device kern_ipc_perm Se maphore, Shared M emory Segment, or Message Queue msg_msg I ndividual Message Table 5-5: Kernel data structures modified by the LSM k[...]

  • Seite 161

    LSM adds a general security system ca ll that simply invokes the sys_security hook. This system call and hook permits security modules to imp lement new system calls for security-aware a pplications. 5.7.2 LSM capabilities mo dule The LSM kernel patch moves most of the existing POSIX.1e ca pabilities logic into an optiona l security module stored i[...]

  • Seite 162

    ● Administrative utilities p rovide a mechanism for administrators to configure, query, a nd control AppArmor. For background information on AppArmor which was originally named SubDomain, SubDomain: Parsimonious Server Security by Crispin Cowan, Steve Beattie, Greg Kroah-Hartman, Calton Pu, Perry Wagle, and Virgil Gligor at https://forgesvn1.nove[...]

  • Seite 163

    ● px - discrete profile execute ● Px - discrete profile execute after scrubbing the environment ● ix - inherit execute ● m - allow PROT_EXEC with mmap(2) calls ● l – link For more information about complete AppArmor profile syntax, please see the apparmor.d man page. AppArmor profiles are loaded into the kernel by the apparmor_parser to[...]

  • Seite 164

    5.9 Devic e drivers A device driver is a software layer that makes a ha rdware device respond to a well-defined programming interface. The kernel interacts with the device only through these well-defined interfaces. For detailed information about device drivers, see Linux Dev ice Drive rs, 2nd Edition , by Alessandro Rubini and Jonathan Corbet. The[...]

  • Seite 165

    guest program or interpreted ma chine. The interpreted and host machines execute guest and host programs, respectively. The interpretive-execution fa cility is invoked by executing the Start Interpretive Execution (SIE) p rocessor instruction, which causes the CPU to enter the i nterpretive-execution mode and to begin execution of the guest program[...]

  • Seite 166

    • Conditional interceptions refer to functions that are executed for the guest unless a specified condition is encountered that causes control to be returned to the host by the process that called the interception. Following are some of the controls that can ca use interception when the related function is handled for the guest: • Supervisor Ca[...]

  • Seite 167

    This extra level of indirection is needed for cha racter devices, but not for block devices, because of the large variety of character devices a nd the operations they support. The following diagram illustrates how the kernel maps the file operations vector of the device file object to the correct set of operations routines for that device. 5.9.3 B[...]

  • Seite 168

    5.10 System initialization When a computer with SLES is turned on, the operating system is loaded into memory by a special program called a boot loader. A boot loader usually exists on the sys tem's primary hard drive, or other media device, and has the sole responsibility of loading the Linux kernel with its required files or, in some cases, [...]

  • Seite 169

    the system runlevel by controlling PID 1. F or more information on the /etc/inittab file, please see the inittab(5) man page. For more information on the init program, please see the init(8) manpa ge. The init program generally follows these startup steps: 1. Gets its own name. 2. Sets its umask. 3. Checks for root identity. 4. Checks to see if it [...]

  • Seite 170

    5.10.2.1 Boot methods SLES supports booting from a hard disk, a CD-ROM, or a floppy disk. CD- ROM and floppy disk boots are used for installation, and to perform diagnostics a nd maintenance. A typical boot is from a boot ima ge on the local hard disk. 5.10.2.2 Boot loader A boot loader is a program that resides in the starting sectors of a disk, t[...]

  • Seite 171

    14. The boot loader sets the IDT with null interrupt handlers. It puts the system parameters obtained from the BIOS and the pa rameters passed to the operating system into the first p age frame. 15. The boot loader identifies the model of the p rocessor. It loads the gdtr and idtr registers with the addresses of the Global Descriptor Table and Inte[...]

  • Seite 172

    160 Fig ure 5-7 9: S yste m x SL ES b oot sequ enc e[...]

  • Seite 173

    5.10.3 System p This section briefly describes the system initia lization process for System p servers. 5.10.3.1 Boot methods SLES supports booting from a hard disk or from a CD-ROM. CD-ROM boots are used for installation and to perform diagnostics and maintenance. A typical boot is from a boot image on the loca l hard disk. 5.10.3.2 Boot loader A [...]

  • Seite 174

    1. Yaboot allows an administrator to p erform interactive debugging of the startup process by executing the /etc/sysconfig/init script. 2. Mounts the /proc special file system. 3. Mounts the /dev/pts special file system. 4. Executes /etc/rc.d/rc.local , which was set by an administrator to p erform site-specific setup functions. Performs run-level [...]

  • Seite 175

    5.10.4 System p in LPAR SLES runs in a logical partition on an Sy stem p system. The hypervisor program creates logical partitions, which interacts with actual hardware a nd provides virtual versions of hardware to operating systems running in different logical partitions. As pa rt of an Initial Program Load, the hypervisor performs certai n initia[...]

  • Seite 176

    5.10.4.1 Boot process For an individual computer, the boot p rocess consists of the following steps when the CPU is powered on or reset: 1. The hypervisor assigns memory to the pa rtition as a 64 MB contiguous load area and the balance in 256 KB chunks. 2. The boot loader loads the SLES kernel into the load a rea. 3. Provides system configuration d[...]

  • Seite 177

    • Starts the agetty program. For more details about services s tarted at run level 3, see the scripts in /etc/rc.d/rc3.d on a SLES system. Figure 5-81 schematically describes the boot p rocess of System p LPARs. 165 Fig ure 5-8 1: Syste m p LP AR SLE S bo ot s eq uenc e[...]

  • Seite 178

    5.10.5 System z This section briefly describes the system initia lization process for System z servers. 5.10.5.1 Boot methods Linux on System z supports three installation methods: native, LPAR, and z/VM guest installations. SLES only supports z/VM guest installation. The p rocess described below corresponds to the z/VM guest mode. The boot method [...]

  • Seite 179

    4. Executes /etc/rc.d/rc.local , which was set by an administrator to p erform site-specific setup functions. 5. Performs run-level specific initializa tion by executing startup scripts defined in /etc/inittab . The scripts are named /etc/rc.d/rcX.d , where X is the default run level. The default run level for a SLES system i n the evaluated config[...]

  • Seite 180

    5.10.6 eServer 326 This section briefly describes the system initia lization process for eServer 326 servers. For detailed information on system initia lization, see AMD 64 Arc hitec ture, Progr amm er’s Manu al Volum e 2: Syste m Prog ram ming , at http://www.a md.com/us-en/assets/content_type/white_papers_and_tech_docs/24593.p df. 5.10.6.1 Boot[...]

  • Seite 181

    5.10.6.2 Boot loader After the system completes the ha rdware diagnostics setup in the firmware, the first p rogram that runs is the boot loader. The boot loader is responsible for copyi ng the boot image from hard disk and then transferring control to it. SLES supports GRUB, which lets you set p ointers in the boot sector to the kernel image and t[...]

  • Seite 182

    17. x86_ 64_start_kernel() completes the kernel initializa tion by initializing Page Tables, Memory Handling Data S tructure s IDT tables, slab allocator (described in Section 5.5.3.6), system date, and system time. 18. Uncompress the initrd initial RAM file system, mounts it, and then executes /linuxrc . 19. Unmounts initrd , mounts the root file [...]

  • Seite 183

    5.11 Identification and authentication Identification is when a user possesses an identity to a system in the form of a login ID. Identification establishes user accountability and acc ess restrictions for actions on the system. Authentication is verifica tion that the user’s claimed identity is valid, and is implemented through a user pa ssword [...]

  • Seite 184

    provides a way to develop programs that a re independent of the authentication scheme. These programs need authentication modules to be attached to them at run-time in order to work. Which authentication module is to be attached is dependent upon the local sy stem setup and is at the discretion of the local sys tem administrator. This section brief[...]

  • Seite 185

    6. Each authentication module performs its a ction and relays the result back to the applica tion. 7. The PAM library is modified to create a USER_AUTH type of audit record to note the success or failure from the authentication module. 8. The application takes app ropriate action based on the aggregate results from a ll authentication modules. 5.11[...]

  • Seite 186

    • pam_passwdqc.so : Performs additional pas sword stre ngth checks. For example, it rejects passwords such as “1qaz2wsx” that follow a pattern on the keyboa rd. In addition to checking regular passwords it offers support for passphrases and can provide randomly generated p asswords. • pam_env.so : Loads a configurable list of environment va[...]

  • Seite 187

    5.11.2 Protecte d data bases The following databases are consulted by the identifi cation and authentication subsystem during user session initiation: • /etc/passwd : For all system users, it stores the login nam e, user ID, primary group ID, real name, home directory, and shell. Each user’s entry occupies one line, a nd fields are separated by[...]

  • Seite 188

    • /etc/ftpusers : The ftpusers text file contains a list of users who cannot log in using the File Transfer Protocol (FTP) server daemon. The file is owned by the root user and root group, and its mode is 644. • /etc/apparmor/ * and /etc/apparmor.d/ *: The directories /etc/apparmor a nd /etc/apparmor.d contain several configuration files tha t [...]

  • Seite 189

    6. Execs the login program. The steps that are relevant to the identifica tion and authorization subsystem are step 5, which p rompts for the user’s login name, and step 6, which executes the login p rogram. The administrator can also use a command-line option to terminate the program if a user name is not entered within a sp ecific amount of tim[...]

  • Seite 190

    17. Sets effective, real, and saved user ID. 18. Changes directory to the user’s home directory. 19. Executes shell. 5.11.3.4 mingetty mingetty , the minimal Linux getty , is invoked f rom /sbin/init when the system transitions from single-user mode to multi-user mode. mingetty opens a pseudo tty port, prompts for a login name, and invokes /bin/l[...]

  • Seite 191

    16. Sets up signals. 17. Forks a child. 18. Parent waits on child's return; child continues: 19. Adds the new GID to the group list. 20. Sets the GID. 21. Logs an audit record. 22. Starts a shell if the -c flag was specified. 23. Looks for the SHELL environment variable or, if SHELL is not set defaults to /bin/sh . 24. Gets the basename of the[...]

  • Seite 192

    4. Processes command-line arguments. 5. Sets up the environment variable array. 6. Invokes pam_start() to initialize the PAM library, and to identify the application with a pa rticular service name. 7. Invokes pam_set_item() to record the tty and user name. 8. Validates the user that the app lication invoker is trying to become. 9. Invokes pam_auth[...]

  • Seite 193

    Cryptography can be used to neutralize some of these attacks and to ensure confidentiality a nd integrity of network traffic. Cryptography can also be used to implement authentication schemes using digital signa tures. The TOE supports a technology based on cryptography ca lled OpenSSL. OpenSSL is a cryptography toolkit imp lementing the Secure Soc[...]

  • Seite 194

    5.12.1.1 Concepts SSL is used to authenticate endpoints a nd to secure the contents of the application-level communica tion. An SSL-secured connection begins by establishing the identities of the peers, and establishing an encryption method and key in a secure way. Application-level communi cation can then begin. All incoming traffic is decrypted b[...]

  • Seite 195

    Data confidentiality ca n be maintained by keeping the a lgorithm, the key, or both, secret from unauthorized people. In most cases, including OpenSSL, the a lgorithm used is well-known, but the key is protected from unauthorized people. 5.12. 1.1. 1.1 Encry ptio n w ith sym met ric key s A symmetric key, also known as a secret key, is a si ngle ke[...]

  • Seite 196

    If encryption is done with a public key, only the corresponding p rivate key can be used for decryption. This allows a user to communicate confidentially with another user by encrypting messages with the intended receiver’s public key. Even if m essages are intercepted by a third party, the third pa rty cannot decrypt them. Only the intended rece[...]

  • Seite 197

    5.1 2.1 .1. 2 M essag e dig est A message digest is text in the form of a single string of digits created with a one-way hash function. One- way hash functions are algorithms that transform a m essage of arbitrary length into a fixed length tag ca lled a message digest. A good hash function can detect even a small change in the original message to [...]

  • Seite 198

    The SSL architecture differentiates between an SSL session and an SSL connection. A connection is a transient transport device between p eers. A session is an association between a client and a server. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive[...]

  • Seite 199

    1. Client hello message: The CipherSuite list, passed from the client to the server in the client hello message, contains the combinations of cryp tographic algorithms supported by the client in order of the client's preference (first choice fi rst) . Each CipherSuite defines both a key exchange a lgorithm and a CipherSpec. The server selects [...]

  • Seite 200

    For the list of Cipher suites supported, see FCS_COP.1(2) in the Security Target. 5. SSL Change cipher spec protocol: The SSL change cipher spec protocol signals transitions in the security parameters. The protocol consists of a single message, which is encrypted with the current security parameters. Using the change cipher sp ec message, security [...]

  • Seite 201

    • Blowfish: Blowfish is a block cipher that operates on 64-bit blocks of data. It supports variable key sizes, but generally uses 128-bit keys. • Data Encryption Standard ( DES): DES is a symmetric key cryptosystem derived from the Lucifer algorithm developed at IBM. DES describes the Da ta Encryption Algorithm (DEA). DEA operates on a 64-bit b[...]

  • Seite 202

    MD2, MD4, and MD5 are cryptographic m essage-digest algorithms that take a message of arbitrary length and generate a 128-bit message digest. In MD5, the m essage is processed in 512-bit blocks in four distinct rounds. MDC2 is a method to construct hash functions with 128-bit output from block ciphers. These functions are an implementation of MDC2 [...]

  • Seite 203

    mac = MAC (key, sequence_number || unencrypted_packet) where unencrypted_packet is the entire packet without MAC (the length fields, payload and pa dding), and sequence_number is an implicit p acket sequence number represented as uint32. The sequence number is initialized to zero for the first p acket, and is incremented after every pa cket, regard[...]

  • Seite 204

    5.12.3 Very Secure File Transfer Proto col daem on Very Secure File Transfer Protocol daemon (VSFTPD) provides a secure, fast, and stable file transfer service to and from a remote host. The behavior of VSFTPD can be controlled by its configuration file /etc/vsftpd/vsftpd.conf . The remainder of this section describes some of the security- relevant[...]

  • Seite 205

    For background on CUPS labeled printing, p lease see: http://free.linux.hp.com/~mra/docs/ . CUPS uses the Internet Printing Protocol (IPP) that wa s designed to replace the Line Printer Daemon (LPD) protocol, as a basis for mana ging print jobs. CUPS also supports LPD, Server Message Block (SMB), and AppSocket protocols with reduced functionality. [...]

  • Seite 206

    24. Check for input or output requests with select() . 25. If select() fails, logs error messages, notifies cli ents, and exits the main loop for shutdown processing. 26. Gets the current time. 27. Checks print status of print jobs. 28. Updates CGI data. 29. Updates notifier messages. 30. Expires subscriptions and removes completed jobs. 31. Update[...]

  • Seite 207

    cryptography standards that they require. The open ssl command can be used by an administrative user for the following: • Creation of RSA, DH, and DSA pa rameters. • Generation of 1024-bit RSA keys. • Creation of X.509 certificates, CSRs, and CRLs. • Calculation of message digests. • Encryption and Decryption with ciphers. • SSL and TLS[...]

  • Seite 208

    # Service-level configuration # --------------------------- [ssmtp] accept = 465 connect = 25 The above configuration secures localhost-SMTP when someone connects to it via port 465. The configuration tells stunnel to listen to the SSH port 465, and to send all info to the plain port 25 on localhost. For additional information a bout stun nel , ref[...]

  • Seite 209

    14. Invokes pam_chauthok() to rejuvenate user’s authentication tokens. 15. Exits. 5.13.1.2 chfn The chfn program allows users to change their finger informa tion. The finger command displays the information, stored in the /etc/passwd file. Refer to the chfn man page for detailed information. chfn generally follows these steps: 1. Sets language. 2[...]

  • Seite 210

    11. Invokes setpwnam() to update appropriate databa se files with the new shell. 12. Exits. 5.13.2 User managem ent 5.13.2.1 useradd The useradd program allows an authorized user to create new user a ccounts on the system. Refer to the useradd man page for more information. useradd generally follows these steps: 1. Sets language. 2. Invokes getpwui[...]

  • Seite 211

    6. Processes command-line arguments. 7. Ensures that the user account being modified exists. 8. Invokes open_files() to lock and open authentication databa se files. 9. Invokes usr_update() to update authentication database files with updated account information. 10. Generates audit record to log actions of the usermod command. The logged actions i[...]

  • Seite 212

    5.13.3 Group management 5.13.3.1 groupadd The groupadd program allows an administrator to c reate new groups on the system. Refer to the groupadd man page for more detailed informa tion on usage of the command. groupadd generally follows these steps: 1. Sets language. 2. Invokes getpwuid ( getuid() ) to obtain an applica tion user’s passwd struct[...]

  • Seite 213

    5.13.3.2 groupmod The groupmod program allows an administrator to modi fy existing groups on the system. Refer to the groupmod man page for more information. groupmod generally follows these steps: 1. Sets language. 2. Invokes getpwuid ( getuid() ) to obtain application user’s passwd structure. 3. Invokes pam_start() to initialize the PAM library[...]

  • Seite 214

    202[...]

  • Seite 215

    5.13.4 System Time manageme nt 5.13.4.1 date The date program, for a normal user, displays current da te and time. For an administrative user, date can also set the system date a nd time. Refer to the date man page for more information. date generally follows these steps: 1. Sets language. 2. Parses command-line arguments. 3. Validates command-line[...]

  • Seite 216

    This tool works from a premise that it is working on a n abstract machine that is providing functiona lity to the TSF. The test tool runs on all hardware architectures that a re targets of evaluation and reports problems with any underlying functionalities. For more detailed information on the Abstract Ma chine Test, refer to Emily Ratliff, “Abst[...]

  • Seite 217

    5.13 .5.1 .5.1 Syste m p The instruction set for the PowerPC processor is given in the book a t the following URL: http://www.ibm.com/chips/techlib/techlib.nsf/ techdocs/852569B20050FF778525699600682CC7/$file/booke _rm.pdf For each instruction, the description in the book li sts whether it is available only in supervisor mode or not. The following [...]

  • Seite 218

    To test CPU control registers, use MOVL %cs, 28(%esp) . This overwrites the va lue of the register that contains the code segment. The register that c ontains the address of the next instruction ( eip ) is not directly addressable. Note that in the Intel documentation of MOV it is explicitly stated that MOV cannot be used to set the CS register. At[...]

  • Seite 219

    2. Gets its euid and uid. 3. Transforms old-style command line a rgument syntax into new-style syntax. 4. Processes the command line a rguments. 5. Sets up signal handling. 6. Initializes the fifo. 7. Initializes any remote connection. 8. Sets back the real UID. 9. Opens the archive. 10. Initializes data structures. 11. Checks for multi-volume form[...]

  • Seite 220

    5.13.6 I&A support 5.13.6.1 pam_tally The pam_tally utility allows administrative users to reset the failed login counter kept in the /var/log/faillog . Please see the /usr/share/doc/packages/pam/modules/README.pam_tally file on a SLES system for more information. 5.13.6.2 unix_chkpwd The unix_chkpwd helper program works with the pam_unix PAM m[...]

  • Seite 221

    The crontab program is used to install, deinstall, or list the tables used to drive the cron daemon in Vixie Cron. The crontab program allows an administrator to perform specific tasks on a regularly-scheduled basis without logging in. Users can have their own crontabs that allow them to create jobs that will run at given times. A user can create a[...]

  • Seite 222

    commands that are to be executed. Informa tion stored in this job file, along with its attributes, is used by the atd daemon to recreate the invocation of the user’s identity while performing tasks a t the scheduled time. 5.14.2 Batch processing daem ons 5.14.2.1 cron The cron daemon executes commands scheduled through crontab or listed in /etc/c[...]

  • Seite 223

    5.15 User-level audit subsystem The main user-level audit components consist of the auditd daemon, the auditctl control program, the libaudit library, the auditd.conf configuration file, a nd the auditd.rules initial setup file. There is also the /etc/init.d/auditd init script that is used to start a nd stop auditd . When run, this script sources a[...]

  • Seite 224

    2. Processes the command line a rguments. 3. Attempts to raise its resource limits. 4. Sets its umask. 5. Resets its internal counters. 6. Emits a title. 7. Processes audit records from an audit log file or stdin , incrementing counters depending on audit record contents. 8. Prints a message and exits if there a re no useful events. 9. Prints a sum[...]

  • Seite 225

    5.16 Suppor ting functions Trusted programs and trusted processes in a n SLES system use libraries. Libraries do not form a subsystem in the notation of the Common Criteria, but they provide supporting functions to trusted commands and processes. A library is an archive of link-edited objects a nd their export files. A shared library is an archive [...]

  • Seite 226

    Lib rar y Des crip tion /lib/libc.so.6 C Run time library functions. /lib/libcrypt.so.1 Library that performs one-way encryption of user a nd group passwords. /lib/libcrypt.so.o.9.8b Replacement library for libcrypt.so.1 Supp orts bigcrypt and blowfish password encryption. /lib/security/pam_unix.so Modules that perform basic pa ssword-based authent[...]

  • Seite 227

    5.16.2 Library l inking mechanism On SLES, a binary executable automa tically causes the program loader /lib/ld-linux.so.2 to be loaded and run. This loader takes care of analyzing the library names in the executable file, locating the library in the system directory tree, and ma king requested code available to the executing process. The loader do[...]

  • Seite 228

    system initialization, a nd sets the IDT entry corresponding to vector 128 (Ox80) to invoke the system call exception handler. When compiling and linking a p rogram that makes a system call, the libc libra ry wrapper routine for that system call stores the app ropriate system call number in the eax register, and executes the int 0x80 assembly langu[...]

  • Seite 229

    passed as system-call parameters. For the sa ke of efficiency, and satisfying the access control requirement, the SLES kernel performs validation in a two-step process, as follows: 1. Verifies that the linear address (virtual address for Sy stem p and System z) passed as a param eter does not fall within the range of interval a ddresse s reserved f[...]

  • Seite 230

    6 Mapping the TOE summary specification to the High-Level Design This chapter provides a mapp ing of the security functions of the TOE summary specification to the functions described in this High-Level Design document. 6.1 Identification and authentication Section 5.11 provides details of the SLES Identifica tion and Authentication subsystem. 6.1.[...]

  • Seite 231

    6.2.3 Audit record fo rmat (AU.3) Section 5.6.3.2 describes information stored in each a udit record. 6.2.4 Audit post-processing (AU .4) Section 5.15.2 describes audit subsystem utilities provided for post-processing of audit data. 6.3 Disc retionary Access Contro l Sections 5.1 and 5.2 provide details on Discretionary Access Control (DAC) on the [...]

  • Seite 232

    6.5.1 Roles (SM.1) Section 5.13 provides details on va rious commands that support the notion of an administrator a nd a normal user. 6.5.2 Access control configuration and managem ent (SM.2) Sections 5.1.1 and 5.1.2.1 provide details on the system calls of the file system that are used to set attributes on objects to configure access control. 6.5.[...]

  • Seite 233

    6.7.4 Trusted processes (TP.4) Section 4.2.2 provides details on the non-kernel trusted p rocess on the SLES system. 6.7.5 TSF Databases (TP.5) Section 4.3 provides details on the TSF da tabases on the SUSE Linux Enterprise Server system. 6.7.6 Inte rnal TOE prot ecti on mecha nisms (TP.6) Section 4.1.1 describes hardware privilege implementa tion [...]

  • Seite 234

    • Kernel Modules • Device Drivers • Trusted process subsystems: • System Initialization • Identification and Authentication • Network Applications • System Management • Batch Processing • User-level audit subsystem 6.8.1 Summary of kernel subsy stem interfaces This section identifies the kernel subsystem interfaces and structures [...]

  • Seite 235

    6.8 .1. 1.2 Int ern al I nter fac es 6.8 .1. 1.3 Internal function Interfaces defined in permission This document, Section 5.1.1.1 vfs_permission This document, Sections 5.1 . 1.1 and 5.1.5.1 get_empty_filp This document, Section 5.1.1.1 fget This document, Section 5.1.1.1 do_mount This document, Section 5.1.2.1 Specific ext3 methods Interfaces def[...]

  • Seite 236

    read_inode w rite_super read_inode2 w rite_super_lockfs dirty_inode u nlockfs write_inode s tatfs put_inode r emount_fs delete_inode c lear_inode Dentry operations: Note that they a re not used by other subsystems, so there is no subsystem interface: • d_revalidate • d_hash • d_compare • d_delete • d_release • d_iput 6.8 .1. 1.4 Dat a S[...]

  • Seite 237

    System calls are listed in the F unctional Specification mapping table. 6.8 .1. 2.2 Int ern al I nter fac es Internal function Interfaces defined in current Un ders tand ing the LI NUX KERN EL , Chapter 3, 2nd Edition, Daniel P. Bovet, Marco Cesati, ISBN# 0-596-00213-0 request_irq Li nux Dev ice Driv ers , O’Reilly, Chap ter 9, 2nd Edition June 2[...]

  • Seite 238

    6.8 .1. 3.1 Ex tern al int erf ace s ( sys tem ca lls) • TSFI system calls • Non-TSFI system calls System calls are listed in the F unctional Specification mapping table. 6.8 .1. 3.2 Int ern al I nter fac es Internal function Interfaces defined in do_pipe U nde rstan ding the L INU X K ERNE L , Chapter 19, 2nd Edition, Dani el P. Bovet, Marco C[...]

  • Seite 239

    6.8.1.4 Kernel subsystem networking This section lists external interfaces, internal interfaces and data structures of the networking subsystem. 6.8 .1. 4.1 Ex tern al int erf ace s ( sys tem ca lls) • TSFI system calls • Non-TSFI system calls System calls are listed in the F unctional Specification mapping table. 6.8 .1. 4.2 Int ern al i nter [...]

  • Seite 240

    System calls are listed in the F unctional Specification mapping table 6.8 .1. 5.2 Int ern al i nter fac es Internal interfaces Interfaces defined in get_zeroed_page L inux Devic e D river s , O’Reilly, Chapter 7, 2nd Edition June 2001, Alessandro Rubini /this document, chapter 5.5.2.1 __vmalloc L inux Devic e D river s , O’Reilly, Chapter 7, 2[...]

  • Seite 241

    • audit_sockaddr • audit_ipc_perms 6.8 .1. 6.3 Dat a s tru ctu res • audit_sock : The netlink socket through which all user space communicati on is done. • audit_buffer : The audit buffer is used when formatting an audit record to send to user space. The audit subsystem pre-allocates a udit buffers to enhance performance. • audit_context [...]

  • Seite 242

    driver methods for character device drivers a nd block device drivers, see [RUBN]. Chapter 3 describes the methods for character devices a nd chapter 6 describes the methods for block devices. 6.8 .1.7.2 .1 Char acter Devic es Possible Character Device m ethods are: llseek fl ush read rele ase write fs ync readdir fa sync poll lock ioctl re adv mma[...]

  • Seite 243

    6.8 .1. 7.3 Dat a s tru ctu res device_struct f s/devices.c file_operations i nclude/linux/fs.h block_device_operati ons include/linux/fs.h 6.8.1.8 Kernel subsystems kernel modules This section lists external interfaces, internal interfaces, and data structures of the kernel modules subsystem. 6.8 .1. 8.1 Ex tern al in terf ace s ( syste m c all s)[...]

  • Seite 244

    7 References [CC] Com mon Criter ia fo r In form ation Techn olog y Secu rity Eva luati on, CCI MB- 99-031 , Ve rsion 2.1, Augu st 1 999 [CEM] Com mon Meth odo log y for In form atio n T echn olog y S ecur ity E valu ation , C EM- 99/045 , Pa rt 2 – Eva luati on Metho dolo gy, Versio n 1 .0, 1 999 [BOVT] Unde rsta ndin g the L INU X K ERN EL , 2n[...]

  • Seite 245

    [RSA] "A Method for Obtaining Digital S ignatures and Public-Key Cryptosystems," Comm unic ation s of the ACM , v. 21, n. 2, F eb 1978, pp. 120-126, R. Rivest, A. Shamir, and L. M. Adleman, [DH1] "New Directions in Cryptography," IEE E T rans actio ns on I nform ation Theo ry , V.IT-22, n. 6, Jun 1977, pp. 74-84, W. Diffie and M[...]

  • Seite 246

    Th e follo wing a re tr ade mar ks or reg ister ed t rad ema rks o f the Int erna tion al Bu siness Mac hine s C orpo ration in the Un ited S t ates and /or othe r cou ntries . Fo r a c om plete list o f IB M T rade mar ks, s ee www .ibm.c om/leg al/c opy trade .sh tml: B ladeC ente r, eS erv er, PO WER , Pow er A rchitec ture , Powe rPC , PR /SM ,[...]