Difference between revisions of "OPS235 Assignment 2 Tips"

From CDOT Wiki
Latest revision as of 12:02, 27 November 2019

THIS IS AN OLD VERSION OF THE ASSIGNMENT
This is an archived version. Do not use this in your OPS235 course.

Turning Firewall On/Off on CentOS 7

To turn it off

  • /usr/sbin/iptables -F
  • /usr/sbin/iptables -P INPUT ACCEPT
  • /usr/sbin/iptables -P OUTPUT ACCEPT

To turn it on

  • systemctl restart firewalld.service

Turning SELinux On/Off on CentOS 7

To switch SELinux temporarily into permissive mode

  • setenforce 0

To turn SELinux back on (enforcing) from permissive mode

  • setenforce 1

To check the current status of SELinux

  • sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

After setenforce 0, sestatus shows that only the running mode has changed; the mode from the config file is still enforcing, so the system returns to enforcing on the next reboot:

  • setenforce 0
  • sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Listing the RUN-TIME configurable parameters (booleans) for SELinux

  • getsebool -a

abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
...

List of SELinux run-time configurable parameters that control the Apache server (httpd)

  • getsebool -a | grep httpd

httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

How to turn on/off a SELinux run-time parameter

To turn on a run-time parameter

For the current session

  • setsebool httpd_can_network_connect_db on

For good (even after a reboot)

  • setsebool -P httpd_can_network_connect_db on

To turn off a run-time parameter

For the current session

  • setsebool httpd_can_network_connect_db off

For good (even after a reboot)

  • setsebool -P httpd_can_network_connect_db off
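As an added example (not part of the wiki page), a POSIX shell snippet that parses the two kinds of output shown above: sestatus, to flag when the running mode has drifted from the config-file mode as it does after setenforce 0, and getsebool, to list which httpd booleans are currently on. The sample outputs are constructed from the listings on this page; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `sestatus` output, matching the second listing above
# (after setenforce 0: running mode permissive, config file still enforcing).
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28'

# Constructed, abbreviated sample of `getsebool -a | grep httpd`, with
# httpd_can_network_connect_db switched on as in the setsebool example above.
SAMPLE_GETSEBOOL='httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# Print "running/config" modes from sestatus output, e.g. "permissive/enforcing".
selinux_modes() {
    printf '%s\n' "$1" | awk -F': *' '
        /^Current mode:/          { cur = $2 }
        /^Mode from config file:/ { cfg = $2 }
        END { print cur "/" cfg }'
}

# Exit 0 when the running mode matches the config file, 1 when it has drifted
# (someone ran setenforce 0 and never ran setenforce 1).
selinux_mode_drift() {
    modes=$(selinux_modes "$1")
    [ "${modes%/*}" = "${modes#*/}" ]
}

# List the booleans in getsebool output that are "on", one per line.
# Each of these widens what httpd may do, so they are the ones to review.
enabled_booleans() {
    printf '%s\n' "$1" | awk '$3 == "on" { print $1 }'
}

# Stand-alone usage: report on the constructed samples.
echo "modes: $(selinux_modes "$SAMPLE_SESTATUS")"
selinux_mode_drift "$SAMPLE_SESTATUS" || echo "warning: running mode differs from config file"
echo "httpd booleans on:"; enabled_booleans "$SAMPLE_GETSEBOOL"
```

On a real CentOS 7 host, feed the functions `"$(sestatus)"` and `"$(getsebool -a | grep httpd)"` instead of the samples.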