Difference between revisions of "OPS235 Assignment 2 OLD"

From CDOT Wiki

Older revision (edit summary: SELinux Graphical Tools). 169 intermediate revisions by 18 users not shown. The older revision's wiki source is given first, followed by the latest revision as rendered.

{{Draft}}
  
{{Admon/note | Please take note! | Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended. This assignment will be marked partially through demonstration and partially through the submission of files.}}
  
=OPS235 Assignment #1 -- Winter 2010=
  
Weight: 5% of the overall grade<br>
 
  
Due Date: Week 13 - week of April 15-19 ('''Check with your Professor for exact date''')
 
 
 
 
{{Admon/important | Very Important! | Before making any changes to your system configuration, backup the original configuration files into the <code>/backups</code> directory.}}
 
  
 
== Introduction and Purpose ==
 
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a database server and a web server. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. Finally, you will configure the SELinux security system to ensure that these new services are not used to gain unauthorized access to your system.
  
This lab may be performed using any combination of your virtual machines and/or host disk pack.
  
== About SELinux ==
  
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at the NSA and elsewhere. Where the normal Unix/Linux security system, based on file permissions, is a ''discretionary access control'' (DAC) system in which the owner of a resource decides who may use it, SELinux is a ''mandatory access control'' (MAC) system: one policy, enforced by the kernel, decides which processes may access which resources, and neither file owners nor root can override it from within the system. SELinux checks are applied after the normal permission checks, so an access must pass both.
  
SELinux is based upon the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:
  
 $ ls -lZ
 drwxr-xr-x. root  root  '''system_u:object_r:file_t:s0'''          arm
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2
 drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks
 -rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo
 -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures
 drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos
 -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x
 
 [chris@muskoka ~]$ ps -Z
 LABEL                                                  PID TTY      TIME CMD
 '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash
 '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps
 
  
The SELinux policy controls the interactions between security contexts. For example, it may be configured so that the Apache httpd web server cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this should not be permitted and will deny the access. Since this is done at the kernel level, httpd gets a "permission denied" error even though the file is present and its ordinary permissions would allow the read, and there is no way for httpd to work around that error. Every such denial is recorded as an AVC message in <code>/var/log/audit/audit.log</code> (and summarized in <code>/var/log/messages</code> when setroubleshoot is installed); that log is the first place to look when a service fails for no apparent reason on an SELinux system.
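The listing above shows a directory labelled <code>file_t</code>, which is the type a file carries when SELinux never labelled it at all (typically because it was created on a filesystem without label support), and the usual way to end up with wrong labels on a web tree is to unpack an archive in a home directory and <code>mv</code> it under <code>/var/www/html</code>, since <code>mv</code> keeps the source label. The script below is an added example and not part of the original assignment: it splits contexts into their four fields and audits a tree for files whose type does not match the location. The file list and contexts are constructed; the expected types for <code>/var/www/html</code> and <code>/var/lib/mysql</code> are the stock targeted-policy ones.

```shell
#!/usr/bin/env bash
# Added example, not part of the original assignment: split SELinux contexts
# into their fields and audit a directory tree for files whose type label
# does not match what the targeted policy expects for that location.
# The input format is "CONTEXT PATH", which is what
#     find /var/www/html -exec stat -c '%C %n' {} +
# prints; the SAMPLE below is constructed so the script runs offline.
# Expected types: /var/www/html is httpd_sys_content_t and /var/lib/mysql is
# mysqld_db_t in the stock policy (see httpd_selinux(8) and the
# file_contexts database); file_t means "never labelled at all".

# Field accessors for a context string user:role:type:level.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }   # MLS range keeps its own ':'

# Type label the policy assigns under a given path; empty = no opinion.
expected_type() {
    case "$1" in
        /var/www/html/*)  echo httpd_sys_content_t ;;
        /var/lib/mysql/*) echo mysqld_db_t ;;
        *)                echo "" ;;
    esac
}

# Read "CONTEXT PATH" lines on stdin, print "PATH ACTUAL EXPECTED" for each
# mismatch, and return 1 if any was found.
audit_labels() {
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        have=$(ctx_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$have" "$want"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: a WordPress tree where two files were moved in from a
# home directory (mv keeps the source label) and one was never labelled.
SAMPLE='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/wordpress/wp-config.php
unconfined_u:object_r:user_home_t:s0 /var/www/html/wordpress/index.php
system_u:object_r:file_t:s0 /var/www/html/wordpress/wp-content/x.php
system_u:object_r:mysqld_db_t:s0 /var/lib/mysql/myblog'

count_mislabeled() {
    printf '%s\n' "$SAMPLE" | audit_labels | wc -l | tr -d ' '
}

# Remediation on a real host: restorecon rewrites each file's label from the
# policy default for its path (chcon would work too, but does not survive a
# relabel).
fix_labels() { restorecon -Rv "$1"; }

# Print the sample report:  bash selinux_labels.sh report
if [ "${1:-}" = "report" ]; then
    printf '%s\n' "$SAMPLE" | audit_labels
fi
```

On a real host, replace the constructed sample with the <code>find ... -exec stat -c '%C %n'</code> output for <code>/var/www/html</code>; the three mismatches in the sample (two <code>user_home_t</code> files and one unlabelled <code>file_t</code>) are exactly what <code>restorecon -R</code> would fix.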
  
=== SELinux Context Commands ===
  
There are two main commands used to set the SELinux security context of files:
* chcon - sets the security context of a file (or a single component of it, e.g. <code>chcon -t ''type''</code>) to a particular value; such changes are overwritten by the next relabel
* restorecon - resets a file to the default security context that the policy's file-context rules define for its path
 
  
You can reset the default security context of the entire system at the next boot with this command:
  
touch /.autorelabel
  
=== SELinux Booleans ===
  
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).
  
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
  
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool ''foo''</code>
|Displays the SELinux boolean ''foo''
|-
|<code>setsebool ''foo'' ''value''</code>
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on") for the running system only
|-
|<code>setsebool -P ''foo'' ''value''</code>
|Same, but also writes the value to the persistent policy store so it survives a reboot
|}
 
  
=== SELinux Graphical Tools ===
  
The <code>system-config-selinux</code> tool, which is on the menu as System > Administration > SELinux Management, provides a GUI for managing SELinux booleans and more.
  
{{Admon/note|Take Notes!|Take detailed notes of the steps you perform from this point onward.}}
  
== Installing Packages ==
  
Install these packages using ''yum'':
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.
 
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which listens on a Unix domain socket (and, unless networking is disabled in its configuration, on TCP port 3306).
 
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a local database such as MySQL.
 
  
== Configuring Services ==
  
=== Apache httpd ===
  
# Start the httpd service using the '''service''' command.
# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.
# Configure this software to start when the system is booted.
# Create a very simple HTML index page for your system, and place it at <code>/var/www/html/index.html</code>
# Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in <code>/var/log/httpd</code>
  
=== MySQL ===
  
# Start the MySQL service (mysqld).
# '''When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the MySQL server.''' Follow those instructions to set a password.
# Configure this software to start when the system is booted.
  
=== MediaWiki ===
 
 
# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code>
#* Uncomment the first two <code>Alias</code> lines
#* Reload the httpd configuration using the <code>service</code> command
# Access <code>http://localhost</code> on the machine on which the web server is running (do not do this remotely). You will see the MediaWiki welcome page; click on the setup link.
# Enter the setup information for your wiki:
#* Enter a name for the wiki
#* Enter your learn e-mail address as the contact information
#* Disable all e-mail features
#* Leave the database host as "localhost"
#* Set up a database password
#* Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).
# Click the "Install MediaWiki!" button. The installation '''will fail''', because the SELinux policy forbids connections from web scripts to the local database server. The denial is recorded as an AVC message in <code>/var/log/audit/audit.log</code>.
# To fix this, you will need to change an SELinux boolean to enable httpd scripts to connect to a database. Find the SELinux boolean that permits this type of connection, and set the appropriate value. Make the change persistent, or it will revert at the next boot.
# Re-submit the MediaWiki setup page.
# Once the setup is complete, you will need to move a file within the MediaWiki directory (inside <code>/var/www</code>). Refer to the directions on the screen.

When you are done, you should be able to go to <code>http://'''hostname'''/wiki</code> from any directly-connected machine.
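As an added example that is not part of the original assignment, and serving both the boolean commands in the SELinux Booleans section above and the write-up requirement to show that the configuration is as tight as possible: the script below compares a before and after snapshot of <code>getsebool -a</code> and reports every boolean that changed without being on your list of intended changes. Both snapshots are constructed. The boolean name <code>httpd_can_network_connect_db</code> is the stock targeted-policy switch for web scripts connecting to a database, which is the one this step asks you to find; <code>semanage boolean -l</code> prints each boolean with its description if you want to confirm it.

```shell
#!/usr/bin/env bash
# Added example, not part of the assignment text.  Compares two snapshots
# of "getsebool -a" output (taken before and after the MediaWiki/WordPress
# setup) and reports every boolean that changed but is not on the list of
# changes you meant to make.  This backs the write-up's claim that the
# configuration is "as tight as possible".  Both snapshots are constructed;
# on a real host capture them with
#     getsebool -a | grep '^httpd_' > baseline.txt   (before)
#     getsebool -a | grep '^httpd_' > current.txt    (after)
# httpd_can_network_connect_db is the stock targeted-policy switch for web
# scripts connecting to a database; the assignment leaves finding it to you.

BASELINE='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# After setup: someone also flipped the broad httpd_can_network_connect,
# which lets httpd open any outbound TCP connection, not just the database.
CURRENT='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# Changes you intended, one name per line.
INTENDED='httpd_can_network_connect_db'

# "name --> value" lines -> "name value"
pairs() { printf '%s\n' "$1" | awk '{print $1, $3}'; }

# Names whose value differs between snapshot $1 and snapshot $2, sorted.
changed_booleans() {
    { pairs "$1" | sed 's/^/B /'; pairs "$2" | sed 's/^/C /'; } |
    awk '$1 == "B" { base[$2] = $3 }
         $1 == "C" && ($2 in base) && base[$2] != $3 { print $2 }' | sort
}

# Changed booleans that are not in the intended list $3.
unjustified_changes() {
    intended=" $(printf '%s' "$3" | tr '\n' ' ') "
    changed_booleans "$1" "$2" | while read -r name; do
        case "$intended" in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# On a real host: keep only the narrow boolean on.  -P writes the value to
# the persistent policy store; without it the change is gone after a reboot.
apply_intended() {
    setsebool -P httpd_can_network_connect_db on
    setsebool -P httpd_can_network_connect off
}

# Print the sample report:  bash selinux_booleans.sh report
if [ "${1:-}" = "report" ]; then
    echo "changed:";     changed_booleans "$BASELINE" "$CURRENT"
    echo "unjustified:"; unjustified_changes "$BASELINE" "$CURRENT" "$INTENDED"
fi
```

With the constructed snapshots the report names <code>httpd_can_network_connect</code> as the unjustified change: it is far broader than the database boolean and should go back off. The baseline/current/intended lists are the artefact to paste into the SELinux page of the write-up.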
 
 
 
=== Additional HTTPD Configuration ===
 
 
 
# Configure httpd to serve the <code>public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
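As an added example for this step (not part of the assignment), the script below prints a tight <code>mod_userdir</code> stanza for Apache 2.2 next to the loose form that is commonly pasted in, counts the directives that widen exposure, and applies the SELinux side that <code>httpd_selinux(8)</code> describes: the <code>httpd_enable_homedirs</code> boolean, an execute-only home directory so httpd can traverse but not list it, and the <code>httpd_user_content_t</code> label that the targeted policy's file contexts already define for <code>~/public_html</code>. The user name is a parameter; the paths are Fedora defaults.

```shell
#!/usr/bin/env bash
# Added example for the public_html step; not part of the assignment.
# Apache 2.2's mod_userdir ships with "UserDir disabled" in httpd.conf.
# userdir_conf prints a replacement stanza that exposes ~user/public_html
# read-only (no .htaccess overrides, no directory listings, no CGI) and keeps
# root's home out of it; enable_userdir applies the SELinux and permission
# changes from httpd_selinux(8).  restorecon is used rather than chcon
# because the policy's file_contexts already map HOME_DIR/public_html to
# httpd_user_content_t, and a chcon label would not survive a relabel.

userdir_conf() {
    cat <<'EOF'
<IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled root
</IfModule>

<Directory /home/*/public_html>
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Loose form for comparison: lets a user's .htaccess re-enable anything
# and serves directory listings.
userdir_conf_loose() {
    cat <<'EOF'
<Directory /home/*/public_html>
    AllowOverride All
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Count the directives in a stanza (stdin) that widen exposure; 0 = tight.
risky_directives() {
    grep -cE 'AllowOverride All|Options .*(Indexes|ExecCGI)'
}

# enable_userdir USER   (real host, as root; restart httpd afterwards)
enable_userdir() {
    u=$1
    setsebool -P httpd_enable_homedirs on
    mkdir -p "/home/$u/public_html"
    chmod 711 "/home/$u"              # traverse only, no listing of $HOME
    chmod 755 "/home/$u/public_html"
    restorecon -R "/home/$u/public_html"
}

# Show both stanzas:  bash userdir.sh show
if [ "${1:-}" = "show" ]; then
    echo '# tight'; userdir_conf
    echo '# loose'; userdir_conf_loose
fi
```

Put the tight stanza in place of the shipped <code>UserDir</code> block in <code>httpd.conf</code>; with <code>AllowOverride None</code> and <code>Options None</code>, nothing a user drops into <code>public_html</code> can turn on listings, CGI or symlink following.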
 
 
 
== Write-up ==
 
 
 
Create a write-up of this assignment on your wiki. Include at least these pages:
# A main page, describing in general terms what you did.
# A page for your httpd configuration. Include your httpd.conf file.
# A page for your MySQL configuration.
# A page for your SELinux configuration. Include a list of all of your booleans and their current settings. Demonstrate that the configuration is as tight as possible (e.g., don't change booleans unnecessarily).
# A page for your MediaWiki configuration. Include your MediaWiki configuration file, with the database password it contains redacted.
 
 
 
{{Admon/important|Bonus|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or its your picture).}}
 
 
 
== Submitting the Assignment ==

Your professor will require you to submit this assignment in at least one of two ways:
# Demonstrate that the wiki is working.
# Use wget to harvest the wiki pages:
#* Issue the command: <code>wget -prk http://''hostname''/wiki</code>
#* Create a compressed tar file containing the results.
#* Submit it to your professor in the manner he specifies.
 
  
Check with your professor for the submission details for your section.

Latest revision as of 12:02, 27 November 2019

THIS IS AN OLD VERSION OF THE ASSIGNMENT
This is an archived version. Do not use this in your OPS235 course.

OPS235 Assignment 2

Weight: 5% of the overall grade

Due Date: Week 13
Refer to your instructor for submission instructions


It is YOUR responsibility to Backup your centos3 VM for this Assignment!
You are required to frequently backup your VM prior to exiting a work session during this assignment. Your instructor will NOT accept the fact that your hard disk crashed and lost all of your work. If you properly backed up your VM images and xml configuration files to a USB, then you can purchase a new hard-disk or wipe and recreate your hard disk and restore your VMs.

Introduction and Purpose

In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a database server and a web server. You will install and use a database-backed web application, Wordpress, to show that these services have been installed properly. You will also configure the SELinux security system to further enhance the security of your computer system.

NOTE: Do this assignment inside the centos3 virtual machine.

Installing Packages

Install these packages using yum:

  • httpd - this is the Apache web server software.
  • php - this is the PHP server software, which allows Apache to run more complex websites.
  • php-mysql - this is a PHP extension that allows PHP to use a MySQL server.


Install the mysql-server (MySQL database server) package

NOTE: This package may not be in the main repository. There are a couple of options:

  • Preferred method: Use an alternative package (for example: mariadb and mariadb-server)
  • Download a "zipped tar-ball" (source archive) from the upstream project site, check it against the checksum the project publishes, then decompress and compile

Configuring Apache

  1. Start the httpd service using systemctl.
  2. Ensure that the httpd service starts automatically during boot.
  3. Confirm that you can connect to your web server using a web browser -- both from centos3 (you can test using links) as well as from the host. You should see the Apache Test Page.
  4. If you can't connect to it from outside the machine, the firewall on centos3 is probably blocking port 80; allow the http service (firewall-cmd on CentOS 7) and try again.

Configuring MySQL

  1. Start the MySQL service (mysqld or mariadb) using systemctl.
  2. Ensure that the mysqld/mariadb service starts automatically during boot.
  3. You may get messages after starting the MySQL service for the first time. Do not ignore these messages: they tell you how to set a password and take other basic steps to secure the MySQL server. Follow those instructions to set a password, recording the details of what you do for later use.
    • If you do not see any messages, research how you can secure the MySQL installation and set the MySQL-root password.
    • Read those messages carefully: you are setting up a production MySQL server, and there should be no "test" databases, anonymous users, or users without a password (mysql_secure_installation, shipped with the server package, removes exactly these).
  4. Set your MySQL root password to your learn ID (without the @senecac.on.ca part).
  5. This following part is challenging so take your time and read the instructions to make sure you do it properly, we have to set up a dedicated user and database for wordpress:
    1. Start by looking at http://codex.wordpress.org/Installing_WordPress#Using_the_MySQL_Client where you will find instructions for the setup.
    2. You will need to run those commands in a centos3 terminal.
    3. Your adminusername is root
    4. Your databasename is myblog
    5. Your wordpressusername is your learn ID
    6. The password should also be your learn ID
    7. Your hostname is localhost
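Added example, not from the assignment or the WordPress codex page, and covering the MySQL steps of both revisions: a shell helper that prints the SQL for the dedicated database and user with privileges limited to that one database, and a check over the output of <code>select User,Host,Password from mysql.user</code> (the query the "Ready to show" list asks for) that flags anonymous accounts and empty passwords. Names match the assignment (myblog, your learn ID); the sample rows and the hash-shaped strings in them are constructed. On MySQL 5.7 and later the column is <code>authentication_string</code> rather than <code>Password</code>.

```shell
#!/usr/bin/env bash
# Added example, not the assignment's own text.  Two helpers for the MySQL
# step:
#   wp_db_sql   prints the statements the WordPress codex page calls for,
#               granting the blog account rights on its own database only
#               (ON myblog.*, never ON *.*), so a compromised WordPress
#               cannot read mysql.user or any other database.
#   audit_users reads rows of  SELECT User,Host,Password FROM mysql.user
#               as "mysql -B" prints them (tab-separated, header first) and
#               flags anonymous accounts and empty password hashes, the two
#               things the first-start message tells you to remove.
# Names follow the assignment (database myblog, user = learn ID); the
# sample rows and the hash-shaped strings in them are constructed.

# wp_db_sql DB USER PASSWORD [HOST]   (the password must not contain a quote)
wp_db_sql() {
    db=$1; user=$2; pass=$3; host=${4:-localhost}
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'$host' IDENTIFIED BY '$pass';
FLUSH PRIVILEGES;
EOF
}

# Report problems in mysql.user rows read from stdin.
audit_users() {
    awk -F'\t' 'NR > 1 {
        who = ($1 == "") ? "(anonymous)" : $1
        if ($1 == "") printf "anonymous account on host %s\n", $2
        if ($3 == "") printf "empty password for %s@%s\n", who, $2
    }'
}

# Constructed output of:  mysql -B -e "SELECT User,Host,Password FROM mysql.user"
SAMPLE_USERS=$(printf 'User\tHost\tPassword\n'
               printf 'root\tlocalhost\t*0000CONSTRUCTEDHASH000000000000000000000\n'
               printf 'root\t127.0.0.1\t\n'
               printf '\tlocalhost\t\n'
               printf 'learnid\tlocalhost\t*0000CONSTRUCTEDHASH000000000000000000000\n')

count_user_issues() {
    printf '%s\n' "$SAMPLE_USERS" | audit_users | wc -l | tr -d ' '
}

# On a real host, as the MySQL root user:
#   wp_db_sql myblog learnid 'learnid' | mysql -u root -p
#   mysql -u root -p -B -e 'SELECT User,Host,Password FROM mysql.user' | audit_users
if [ "${1:-}" = "report" ]; then
    wp_db_sql myblog learnid learnid
    printf '%s\n' "$SAMPLE_USERS" | audit_users
fi
```

The constructed rows produce three findings: a passwordless root entry for 127.0.0.1, an anonymous account, and that account's empty password. A clean server gives no output, which is what you want to show in the lab.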

Installing and Configuring Wordpress

Wordpress (like most web applications) is not available in the Fedora repositories, it must be downloaded and installed manually.

  1. Download the latest .tar.gz version from wordpress.org into your centos3 (use wget).
  2. Extract it into /var/www/html
  3. Now we need to allow Apache to modify the wordpress installation. To do this use chown -R to make the owner and group of every file and directory inside wordpress "apache".
  4. Check your work so far by pointing your web browser to http://centos3/wordpress/ where you will get an error starting with "There doesn't seem to be a wp-config.php file"
  5. Copy the wp-config-sample.php file to wp-config.php and edit the new file:
    • Change the DB_NAME, DB_USER, DB_PASSWORD to the appropriate values.
  6. Now go back to http://centos3/wordpress/ - you should see a Wordpress Welcome/Setup page.
    • Set the title to Your Name's Blog. For example for me it would be "Andrew Smith's Blog"
    • Set the password to your learn ID.
    • Set the email to your Seneca email address.
    • Click "Install Wordpress", you should see a "Success!" message.
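Step 3 makes the web server the owner of every file, which is the simplest way to let WordPress update itself but also lets any bug in a PHP script rewrite wp-config.php and the PHP code. The script below is an added example and not part of the assignment: it verifies the download against the .sha1 file that wordpress.org publishes beside latest.tar.gz, then applies a tighter layout in which only wp-content is writable by apache, wp-config.php is readable only by root and the apache group, and SELinux labels are reset. Directory, owner and group are parameters so the function can be tried on a scratch tree as an ordinary user; the install flow at the end runs only when invoked with the install argument, as root.

```shell
#!/usr/bin/env bash
# Added example, not the assignment's own text.  Step 3 above hands the whole
# tree to the apache user, which lets any bug in a PHP script rewrite
# wp-config.php and the PHP code itself.  This is the tighter layout to use
# instead, with the assignment's paths:
#   - directories 755 / files 644, owned by root, group apache
#   - wp-config.php 640 (holds the database password; web server group only)
#   - only wp-content writable by apache (uploads, plugin and theme installs)
#   - SELinux labels reset, because a tarball unpacked in $HOME and moved
#     under /var/www/html keeps its user_home_t label
# It also checks the download against the .sha1 file that wordpress.org
# publishes next to latest.tar.gz.

# verify_sha1 TARBALL SHA1FILE  -> 0 if the digest matches, 1 otherwise.
# The .sha1 file holds a bare hex digest; "sha1sum" style lines work too.
verify_sha1() {
    want=$(awk '{print $1}' "$2")
    have=$(sha1sum "$1" | awk '{print $1}')
    [ "$want" = "$have" ]
}

# harden_wp_tree DIR ADMIN WEBUSER WEBGROUP
harden_wp_tree() {
    dir=$1; admin=$2; webuser=$3; webgroup=$4
    chown -R "$admin:$webgroup" "$dir"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    # Only the content area needs to be writable by httpd.
    chown -R "$webuser:$webgroup" "$dir/wp-content"
    # Database credentials: owner and web server group only.
    chmod 640 "$dir/wp-config.php"
    # Relabel for SELinux when it is enabled (skipped on a scratch tree
    # without SELinux).
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -R "$dir"
    fi
}

# Number of world-writable entries under DIR (should be 0 afterwards).
world_writable_count() { find "$1" -perm -002 | wc -l | tr -d ' '; }

# Real-host flow, run as root:  bash wp_install.sh install
if [ "${1:-}" = "install" ]; then
    cd /var/www/html
    wget -q https://wordpress.org/latest.tar.gz https://wordpress.org/latest.tar.gz.sha1
    verify_sha1 latest.tar.gz latest.tar.gz.sha1 || { echo 'digest mismatch, not installing' >&2; exit 1; }
    tar xzf latest.tar.gz && rm -f latest.tar.gz latest.tar.gz.sha1
    cp wordpress/wp-config-sample.php wordpress/wp-config.php   # then set DB_NAME/DB_USER/DB_PASSWORD
    harden_wp_tree /var/www/html/wordpress root apache apache
fi
```

The trade-off is that WordPress can no longer update its own core files over the web (only wp-content); do those updates from the shell as root, which is the right place for them on a server anyway. If the assignment's chown -R is what is marked, keep that for the demonstration and note the tighter layout in your write-up.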

Write-up

Write a blog post on your new blog explaining:

  • What is Apache, PHP, MySQL, and Wordpress.
  • What problems (minor and major) you ran into during the installation and how you solved them.

Write a second post on your blog explaining:

  • Are you ready for the exam or not.
  • List the material you are strong on.
  • List the material you are worried about.
  • List any questions or topics you would like me to address during exam review.

Make your posts look professional. That means good English, headings, bulleted or numbered lists, etc.

Submitting Your Assignment

Due date: Your name will be called in the lab on the due date for the assignment. If you are not there when your name is called - you will lose 20% of your mark. In that case you may show me your submission in the second lab that week instead. Assignments submitted after that will receive a grade of 0, but must still be completed satisfactorily in order to pass the course.

Ready to show

Open one or more terminals in c7host, SSH to centos3 from those terminals, and have the following ready:

  • The correct RPMs are installed
  • Output showing firewall has been properly set up
  • Output of chkconfig --list mysqld (on CentOS 7: systemctl is-enabled mariadb)
  • Output of chkconfig --list httpd (on CentOS 7: systemctl is-enabled httpd)
  • MySQL output of: show databases; use mysql; select User,Password from user; use myblog; show tables;
  • Output of ls -la /var/www/html/wordpress/
  • Output of head -30 /var/www/html/wordpress/wp-config.php
  • Open a firefox with http://centos3/wordpress/

Rubric

Task Maximum mark Actual mark
Correct packages installed 1
Firewall setup properly 2
Apache set up and running 2
MySQL set up correctly 3
Wordpress extracted correctly 1
Wordpress set up correctly 2
Wordpress showing in Firefox 1
Everything ready to show 2
First blog post 3
Second blog post 3
Total 20