Changes


OPS235 Assignment 2 OLD

6,247 bytes removed, 13:02, 27 November 2019
no edit summary
'''Previous revision'''

[[Category:OPS235]]
{{Admon/note| Please take note! | Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended. This assignment will be marked partially through demonstration or through the submission of files.}}
= OPS235 Assignment #2 -- Summer 2010 =
Weight: 5% of the overall grade

Due Date: Week 13 - week of Aug 9-13 ('''Check with your Professor for exact date''')

{{Admon/important | Very Important | Before making any changes to your system configuration, backup the original into the <code>/backups</code> directory.}}<br>

== Introduction and Purpose ==
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a '''database server''' and a '''web server'''. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. Finally, you will configure the web server to serve files in the <code>public_html</code> subdirectory of each user's home directory, including a short web script. In this assignment, you will attempt to maintain a high level of security, by using SELinux and the iptables firewall to guard against unauthorized access. This lab may be performed using any combination of your virtual machines and/or host disk pack.

== About SELinux ==
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, regardless of settings that any user has configured.

SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:

 $ ls -lZ
 drwxr-xr-x. root  root  '''system_u:object_r:file_t:s0'''           arm
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2
 drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks
 -rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo
 -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures
 drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos
 -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x
 [chris@muskoka ~]$ ps -Z
 LABEL                                                 PID TTY   TIME     CMD
 '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash
 '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps

The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.

=== SELinux Context Commands ===
There are two main commands used to set the SELinux security context of files:
# chcon - sets the security context of a file to a particular value
#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code>
#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code>
# restorecon - resets the default security context of a file
#* Example: reset the context of one file: <code>restorecon /etc/services</code>
#* Example: recursively reset the contexts of all of the files in a directory: <code>restorecon -R ~</code>

You can reset the default security context of the entire system at the next boot with this command:
 touch /.autorelabel

=== SELinux Booleans ===
SELinux policy can be tuned (without writing an entirely new policy) through the use of '''booleans''' or option switches. Each boolean can have a value of on (1) or off (0).

The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool ''foo''</code>
|Displays the SELinux boolean ''foo''
|-
|<code>setsebool ''foo'' ''value''</code>
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on")
|}

=== SELinux Graphical Tools ===
The ''system-config-selinux'' tool, which is on the menu as System>Administration>SELinux Management, provides a GUI for managing SELinux booleans and more.

{{Admon/note|Take Notes!|Take detailed notes of the steps you perform from this point onward.}}

== Installing Packages ==
Install these packages using ''yum'':
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket.
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a local database such as MySQL.

== Configuring Services ==
=== Apache httpd ===
# Start the httpd service using the '''service''' command.
# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.
# Configure this software to start when the system is booted.
# Create a very simple HTML index page for your system, and place it at <code>/var/www/html/index.html</code>
# Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in <code>/var/log/httpd</code>

=== MySQL ===
# Start the MySQL service (mysqld).
# '''When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the MySQL server.''' Follow those instructions to set a password, recording the detail of what you do for later use.
# Configure this software to start when the system is booted.

=== MediaWiki ===
# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code>
#* Uncomment the first two <code>Alias</code> lines
#* Reload the httpd configuration using the <code>service</code> command
# Access <code>http://localhost/wiki</code> on the machine on which the web server is running (this will not work if done remotely, unless you use an ssh tunnel so that the access appears to be coming from the local host). You will see the MediaWiki welcome page; click on the setup link
# Enter the setup information for your wiki:
#* Enter a name for the wiki
#* Enter your learn e-mail address as the contact information
#* Disable all e-mail features
#* Leave the database host as "localhost"
#* Set up a database password
#* Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).
# Click the "Install MediaWiki!" button.
# Once the setup is complete, you will need to move a file within the MediaWiki directory (inside <code>/var/www</code>). Refer to the directions in the confirmation web page. When you are done, you should be able to go to <code>http://'''hostname'''/wiki</code> from any directly-connected machine.

=== Serving Personal Web Pages ===
# Configure httpd to serve the <code>~/public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
# Prove that this works by creating a page in your <code>~/public_html</code> directory. The URL will be <code>http://''hostname''/~''your-user-id''/</code>
# Create a short web script which displays the available disk space on the computer. At its most basic level, a web script is the same as a regular script, with this additional requirement:
#* It must output the line "Content-type: text/plain" or "Content-type: text/html" (depending on whether the script output is plain text or HTML), followed by a blank line.
# Name the script <code>~/public_html/diskfree.cgi</code> - The URL will be <code>http://''hostname''/~''your-user-id''/diskfree.cgi</code>
# Configure httpd and SELinux to allow your script to be run from the web. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration (possibly including both booleans and SELinux context). As with step 1, you should see the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
{{Admon/tip|Hint|Look for an "add-handler" line in your httpd.conf file.}}

== Write-up ==
Create a high-quality write-up of this assignment on your wiki. Include at least these pages:
# A main page, describing in general terms what you did and containing links to the other wiki pages, as well as a link to the page and script in your <code>~/public_html</code> directory.
# A page for your httpd configuration. Along with a description, include the exact text of your httpd.conf file.
# A page for your MySQL configuration. Along with a description, include the details of the steps you performed to set up MySQL.
# A page for your SELinux configuration. Along with a description, include a list of all of your booleans and their current settings. Show that the configuration is as tight as possible (e.g., don't change booleans unnecessarily).
# A page for your MediaWiki configuration. Along with a description, include your MediaWiki configuration file.
# A page for your iptables configuration. Show the exact iptables rules that are in effect. Demonstrate that the configuration is as tight as possible.
The easiest way to create a new page is to create a link to it from an existing page (such as the main page), and then follow that link.

Resources on wiki markup:
* [http://en.wikipedia.org/wiki/Help:Wiki_markup Wiki markup] - Wikipedia
* [[Sandbox|Sandbox page on this wiki]] - examples

{{Admon/tip|Bonus Opportunity!|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you or it is a picture you own).}}

== Submitting the Assignment ==
'''Due date:''' Your professor will require you to submit this assignment in at least one of two ways:
# Demonstrate that the wiki is working.
# Use wget to harvest the wiki pages:
#* Issue the command: <code>wget -prk http://''hostname''/wiki</code>
#* Create a compressed tar file containing the results. (name the file <learnid>-a2.tgz)
#* Submit it to your professor in the manner he specifies.
Check with your professor for the submission details for your section.
=== Sections A & B - Chris Tyler ===
* Submit online through this link: https://cs.senecac.on.ca/~ctyler/ops235/a2/ by 11:59 pm, Friday, August 13.

== Assessment ==
* 50% - completion of steps - quality of configuration, iptables and SELinux configuration as tight as possible
* 50% - documentation on the wiki - quality of writing, quality of presentation, and accuracy and completeness of information
* +5% - bonus for replacing the wiki logo

'''Revision as of 13:02, 27 November 2019'''

{{Admon/caution| THIS IS AN OLD VERSION OF THE ASSIGNMENT | '''This is an archived version. Do not use this material in the OPS235 course.'''}}
= OPS235 Assignment 2 =
'''Weight:''' 5% of the overall grade

'''Due Date:''' Week 13 <br/>Refer to your instructor for submission instructions

{{Admon/important | It is YOUR responsibility to Backup your centos3 VM for this Assignment! | You are required to frequently backup your VM prior to exiting a work session during this assignment. Your instructor will NOT accept the fact that your hard disk crashed and lost all of your work. If you properly backed up your VM images and xml configuration files to a USB, then you can purchase a new hard-disk or wipe and recreate your hard disk and restore your VMs.}}<br>

== Introduction and Purpose ==
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a '''database server''' and a '''web server'''. You will install and use a database-backed web application, '''Wordpress''', to show that these services have been installed properly. You will also configure the '''SELinux''' security system to further enhance the security of your computer system.

NOTE: Do this assignment inside the centos3 virtual machine.

== Installing Packages ==
<u>Install these packages using ''yum'':</u>
* '''httpd''' - this is the Apache web server software.
* '''php''' - this is the PHP server software, which allows Apache to run more complex websites.
* '''php-mysql''' - this is the PHP extension that allows PHP to use a MySQL server.

<u>Install the mysql-server (MySQL database server) package</u>

'''NOTE:''' This package may not be in the main repository. There are a couple of options:
* '''Preferred method:''' Use an alternative package (for example: '''mariadb''' and '''mariadb-server''')
* Download a "zipped tar-ball" from a website (google-search), decompress, and compile

== Configuring Apache ==
# Start the httpd service using '''systemctl'''.
# Ensure that the httpd service starts automatically during boot.
# Confirm that you can connect to your web server using a web browser -- both from centos3 (you can test using '''links''') as well as from the host. You should see the Apache Test Page.
# If you can't connect to it from outside the machine - perhaps your firewall is blocking access to the web server.

== Configuring MySQL ==
# Start the MySQL service (mysqld or mariadb) using '''systemctl'''.
# Ensure that the mysqld/mariadb service starts automatically during boot.
# You may get messages after starting the MySQL service for the first time. Do not ignore these messages; they will tell you how to set a password and take other basic steps to secure the MySQL server. Follow those instructions to set a password, recording the detail of what you do for later use.
#* If you do not see any messages, research how you can secure the MySQL installation and set the MySQL root password.
#* Read those messages carefully: you are setting up a production MySQL server and there shouldn't be any "test" databases, anonymous users, or users without a password.
# Set your MySQL root password to your learn ID (without the @senecac.on.ca part).
# This following part is challenging, so take your time and read the instructions to make sure you do it properly. We have to set up a dedicated user and database for wordpress:
## Start by looking at http://codex.wordpress.org/Installing_WordPress#Using_the_MySQL_Client where you will find instructions for the setup.
## You will need to run those commands in a centos3 terminal.
## Your adminusername is root
## Your databasename is myblog
## Your wordpressusername is your learn ID
## The password should also be your learn ID
## Your hostname is localhost

== Installing and Configuring Wordpress ==
Wordpress (like most web applications) is not available in the Fedora repositories; it must be downloaded and installed manually.
# Download the latest .tar.gz version from wordpress.org into your centos3 (use wget).
# Extract it into '''/var/www/html'''
# Now we need to allow Apache to modify the wordpress installation. To do this use chown -R to make the owner and group of every file and directory inside wordpress "apache".
# Check your work so far by pointing your web browser to http://centos3/wordpress/ where you will get an error starting with "There doesn't seem to be a wp-config.php file"
# Copy the wp-config-sample.php file to wp-config.php and edit the new file:
#* Change the DB_NAME, DB_USER, DB_PASSWORD to the appropriate values
# Now go back to http://centos3/wordpress/ and you should see a Wordpress Welcome/Setup page
#* Set the title to Your Name's Blog. For example for me it would be "Andrew Smith's Blog"
#* Set the password to your learn ID.
#* Set the email to your Seneca email address.
#* Click "Install Wordpress", you should see a "Success!" message.

== Write-up ==
Write a blog post on your new blog explaining:
* What is Apache, PHP, MySQL and Wordpress.
* What problems (minor and major) you ran into during the installation and how you solved them.

Write a second post on your blog explaining:
* Are you ready for the exam or not.
* List the material you are strong on.
* List the material you are worried about.
* List any questions or topics you would like me to address during exam review.

'''Make your posts look professional.''' That means use good English, headings, bullet or numbered lists, etc.

== Submitting Your Assignment ==
Your name will be called in the lab on the due date for the assignment. If you are not there when your name is called - you will lose 20% of your mark. In that case you may show me your submission in the second lab that week instead. Assignments submitted after that will receive a grade of 0, but must still be completed satisfactorily in order to pass the course.

=== Ready to show ===
Open one or more terminals in c7host, SSH to centos3 from those terminals, and have the following ready:
* The correct RPMs are installed
* Output showing firewall has been properly set up
* Output of chkconfig --list mysqld
* Output of chkconfig --list httpd
* MySQL output of: show databases; use mysql; select User,Password from user; use myblog; show tables;
* Output of ls -la /var/www/html/wordpress/
* Output of head -30 /var/www/html/wordpress/wp-config.php
* Open a firefox with http://centos3/wordpress/

=== Rubric ===
{| class="wikitable" border="1"
! Task !! Maximum mark !! Actual mark
|-
| Correct packages installed || 1 ||
|-
| Firewall setup properly || 2 ||
|-
| Apache set up and running || 2 ||
|-
| MySQL set up correctly || 3 ||
|-
| Wordpress extracted correctly || 1 ||
|-
| Wordpress set up correctly || 2 ||
|-
| Wordpress showing in Firefox || 1 ||
|-
| Everything ready to show || 2 ||
|-
| First blog post || 3 ||
|-
| Second blog post || 3 ||
|-
| '''Total''' || 20 ||
|}
[[Category:OPS235]]
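The SELinux booleans section of the previous revision, together with its write-up requirement that the configuration be "as tight as possible (e.g., don't change booleans unnecessarily)", calls for a way to check which httpd booleans are actually on. The script below is an added example, not part of the assignment page or the course's own material: it audits a <code>getsebool -a</code> dump against the two booleans the ~/public_html and diskfree.cgi steps need (httpd_enable_homedirs and httpd_enable_cgi), assuming MySQL is reached over the local Unix socket as the page states, so no network-connect boolean is required; the dump is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the assignment page): audit a `getsebool -a` dump
# and report httpd booleans that are on but not needed for this assignment.
# Booleans the assignment steps need (assumption: MySQL is reached over the
# local Unix socket, so no httpd_can_network_connect* boolean is listed):
#   httpd_enable_homedirs  - serve ~/public_html
#   httpd_enable_cgi       - run ~/public_html/diskfree.cgi
NEEDED="httpd_enable_homedirs httpd_enable_cgi"

# Constructed sample of `getsebool -a | grep ^httpd_` output for offline use.
SAMPLE='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_read_user_content --> on'

# is_needed NAME: succeeds if NAME is one of the booleans in $NEEDED.
is_needed() {
    for n in $NEEDED; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# audit_booleans: reads "name --> on|off" lines on stdin. Prints LOOSE for an
# httpd_* boolean that is on but not required (unnecessary loosening) and
# MISSING for a required boolean that is off (the step will fail under
# SELinux). Returns 1 if anything was reported, 0 if the set is tight.
audit_booleans() {
    rc=0
    while read -r name arrow state; do
        case "$name" in httpd_*) ;; *) continue ;; esac
        if [ "$state" = on ] && ! is_needed "$name"; then
            echo "LOOSE: $name is on but not required"; rc=1
        elif [ "$state" = off ] && is_needed "$name"; then
            echo "MISSING: $name is off but required"; rc=1
        fi
    done
    return $rc
}

# extra_on: run the audit over the constructed sample and list only the names
# of the unnecessarily enabled booleans, one per line.
extra_on() {
    printf '%s\n' "$SAMPLE" | audit_booleans | awk '/^LOOSE/ {print $2}'
}

# On the VM the real dump is piped in:  getsebool -a | audit_booleans
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE" | audit_booleans
fi
```

Each LOOSE line names a boolean to turn back off with <code>setsebool</code> (or to justify in the write-up); a MISSING line names one the assignment steps depend on.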
