Thursday, 25 April 2013

Part 7: Manage security

1) Configure firewall settings using system-config-firewall or iptables.
* yum install system-config-firewall

* run system-config-firewall and click through the GUI ;)

* or edit the rules file directly: vim /etc/sysconfig/iptables ;)

2) Set enforcing and permissive modes for SELinux.
* yum whatprovides /usr/sbin/semanage   (answer: policycoreutils-python)
  yum install policycoreutils-python

* check status of SELinux
  [root@redhat ~]# getenforce
  Enforcing

* checking status
  [root@redhat ~]# sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /selinux
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy version:                 24
  Policy from config file:        targeted

* change the current mode
  setenforce 0 (permissive) or echo 0 >/selinux/enforce

  setenforce 1 (enforcing) or echo 1 >/selinux/enforce

* set the default mode for SELinux in /etc/selinux/config
  SELINUX=enforcing (or whatever mode is needed)

3) List and identify SELinux file and process context.
* file contexts
  ls -lZ

* process context
  ps -lZ

TIP: add -Z option to ls or ps

4) Restore default file contexts.
* check the current context with ls -lZ, then

* restorecon -vv filename

5) Use boolean settings to modify system SELinux settings.
* get list of settings
  [root@redhat ~]# getsebool -a
  ......
  postgresql_can_rsync --> off
  pppd_can_insmod --> off
  pppd_for_user --> off
  privoxy_connect_any --> on
  puppet_manage_all_files --> off
  ......
 
  pick the one you need

* how to set a boolean

  [root@redhat ~]# setsebool -P allow_ftpd_full_access on
  (-P means the change is saved persistently in the policy files)

  this 'opens ftpd' for files under /var/ftp/pub that do not have the correct SELinux context ;)

* use togglesebool

  [root@redhat ~]# togglesebool allow_ftpd_full_access
  allow_ftpd_full_access: active
  [root@redhat ~]# togglesebool allow_ftpd_full_access
  allow_ftpd_full_access: inactive

6) Diagnose and address routine SELinux policy violations.
* yum install setroubleshoot-server for the sealert command, but it may not be needed???? (taken from Google)

* ls -Z and ps -Z (ps -AZ to see all processes) ;)
  when there is no access to files under www/ftp or whatever the exam requires

* it may be better to switch to permissive mode in a dev/testing environment ;) ?

* check audit.log; the denial lines there can be fed to audit2why, so put the lines into a file:

  audit2why < file.audit, then audit2allow can prepare a module which can be imported with 'semodule -i blabla.123'

* check what the system offers for SELinux
  man -k _selinux, choose what is needed, for example man ftpd_selinux
  read the man page and make the changes

  semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
  restorecon -F -R -v /var/ftp
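Before feeding audit.log into audit2why/audit2allow it helps to see which domain is being denied what, so you do not blindly allow everything. This is an added shell example, not part of the original notes: it uses a few constructed AVC lines (real logs live in /var/log/audit/audit.log), summarises denials per source domain / target type / class, and writes one process's denials to a file for audit2why. The function names and the sample log are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): triage AVC denials before
# running audit2why / audit2allow. The log lines below are CONSTRUCTED
# samples standing in for /var/log/audit/audit.log so this runs offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/avc_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1366900000.123:101): avc:  denied  { read } for  pid=2310 comm="vsftpd" name="file.txt" dev=dm-0 ino=131 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1366900000.123:101): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1366900005.456:102): avc:  denied  { getattr } for  pid=2310 comm="vsftpd" path="/var/ftp/pub/file.txt" dev=dm-0 ino=131 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1366900010.789:103): avc:  denied  { name_connect } for  pid=2401 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
EOF

# Keep only the AVC denial records (the lines audit2why understands);
# SYSCALL and other record types are dropped.
avc_lines() {
    grep 'type=AVC' "$1" | grep 'denied'
}

# Count denials per "source domain -> target type (class)", most frequent
# first. One wrong file context (e.g. user_home_t under /var/ftp) usually
# explains most of the entries, and restorecon fixes that without a module.
avc_summary() {
    avc_lines "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") s = kv[2]
            if (kv[1] == "tcontext") t = kv[2]
            if (kv[1] == "tclass")   c = kv[2]
        }
        split(s, sp, ":"); split(t, tp, ":")   # user:role:type:level -> type
        key = sp[3] " -> " tp[3] " (" c ")"
        n[key]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Write the denials of one process (matched on comm=) to a file, ready for
#   audit2why < out.audit      or      audit2allow -M mymodule < out.audit
# Prints how many lines were written.
avc_extract() {
    avc_lines "$1" | grep "comm=\"$2\"" > "$3"
    wc -l < "$3" | tr -d ' '
}
```

Run avc_summary first; only reach for audit2allow when the summary shows a denial that a boolean or a context fix cannot explain.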
