Open main menu

CDOT Wiki β

OPS235 Assignment 2 OLD

Revision as of 17:12, 5 August 2010 by Echoer (talk | contribs) (Apache httpd)
Note.png
Please take note!
Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended. This assignment will be marked partially through demonstration or through the submission of files.

OPS235 Assignment #2 -- Summer 2010

Weight: 5% of the overall grade

Due Date: Week 13 - week of Aug 9-13 (Check with your Professor for exact date)


Very Important!
Before making any changes to your system configuration, backup the original configuration files into the /backups directory.

Introduction and Purpose

In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a database server and a web server. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. Finally, you will configure the SELinux security system and the web server to serve files in the public_html subdirectory of each user's home directory, including a short web script.'

In this assignment, you will attempt to maintain a high level of security, by using SELinux and the iptables firewall to guard against unauthorized access.

This lab may be performed using any combination of your virtual machines and/or host disk pack.

About SELinux

SELinux stands for Security Enhanced Linux and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a discretionary access control system (DAC), SELinux is a mandatory access control system (MAC). This means that it attempts to enforce a consistent policy across the entire system, regardless of settings that any user has configured.

SELinux decisions are based on the security context of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the -Z option to the ls and ps commands:

$ ls -lZ
drwxr-xr-x. root  root  system_u:object_r:file_t:s0          arm
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 arm2
drwxrwxr-x. chris chris unconfined_u:object_r:user_home_t:s0 bin
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Desktop
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Documents
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Downloads
-rw-------. chris chris unconfined_u:object_r:user_home_t:s0 fedora0.ks
-rw-------. chris chris unconfined_u:object_r:user_home_t:s0 fedora1.ks
-rw-------. chris chris unconfined_u:object_r:user_home_t:s0 fedora2.ks
-rw-------. chris chris unconfined_u:object_r:user_home_t:s0 fedora3.ks
-rw-rw-r--. chris chris unconfined_u:object_r:user_home_t:s0 foo
-rw-r--r--. chris chris unconfined_u:object_r:user_home_t:s0 hosts
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Music
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Pictures
drwxrwxr-x. chris chris unconfined_u:object_r:user_home_t:s0 play
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Public
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Templates
drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Videos
-rw-r--r--. chris chris unconfined_u:object_r:user_home_t:s0 x
[chris@muskoka ~]$ ps -Z
LABEL                                                  PID TTY      TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2595 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2612 pts/1 00:00:00 ps

The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in /etc, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in /etc, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.

SELinux Context Commands

There are two main commands used to set the SELinux security context of files:

  1. chcon - sets the security context of a file to a particular value
    • Example: setting the type of a file: chcon -t unconfined_t /tmp/foo
    • Example: setting the user/role/type of a file: chcon unconfined_u:object_r:user_home_t ~/foo
  2. restorecon - resets the default security context of a file
    • Example: reset the context of one file: restorecon /etc/services
    • Example: recursively reset the contexts of all of the files in a directory: restorecon -R ~

You can reset the default security context of the entire system at the next boot with this command:

touch /.autorelabel

SELinux Booleans

SELinux policy can be tuned (without writing an entirely new policy) through the use of booleans or option switches. Each boolean can have a value of on (1) or off (0).

The getsebool and setsebool commands can be used to view and set SELinux boolean values:

Command Description
getsebool -a Displays all SELinux booleans
getsebool foo Displays the SELinux boolean foo
setsebool foo value Sets the SELinux boolean foo to value (where value is 0 or "off", or 1 or "on")


SELinux Graphical Tools

The system-config-selinux tool, which is on the menu as System>Adminstration>SELinux Management, provides a GUI for managing SELinux booleans and more.


Takes Notes!
Take detailed notes of the steps you perform from this point onward.

Installing Packages

Install these packages using yum:

  • httpd - this is the Apache web server software. It provides the httpd service, which runs on port 80.
  • mysql-server - this is the MySQL database server. It provides the mysqld service, which runs on a Unix domain socket.
  • mediawiki - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a local database such as MySQL.

Configuring Services

Apache httpd

  1. Start the httpd service using the service command.
  2. Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.
  3. Configure this software to start when the system is booted.
  4. Create a very simple HTML index page for your system, and place it at <code> /var/www/html/index.html
  5. Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in /var/log/httpd

MySQL

  1. Start the MySQL service (mysqld).
  2. When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the the MySQL server. Follow those instructions to set a password, recording the detail of what you do for later use.
  3. Configure this software to start when the system is booted.

MediaWiki

  1. Edit MediaWiki's httpd configuration file, /etc/httpd/conf.d/mediawiki.conf
    • Uncomment the first two Alias lines
    • Reload the httpd configuration using the service command
  2. Access http://localhost/wiki on the machine on which the web server is running (this will not work if done remotely, unless you use an ssh tunnel so that the access appears to be coming from the local host). You will see the MediaWiki welcome page; click on the setup link.
  3. Enter the setup information for your wiki:
    • Enter a name for the wiki
    • Enter your learn e-mail address as the contact information
    • Disable all e-mail features
    • Leave the database host as "localhost"
    • Set up a database password
    • Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password (Note: This is the database superuser password, NOT the root password).
  4. Click the "Install MediaWiki!" button.
  5. Once the setup is complete, you will need to move a file within the MediaWiki directory (inside /var/www). Refer to the directions in the confirmation web page.

When you are done, you should be able to go to http://hostname/wiki from any directly-connected machine.

Serving Personal Web Pages

  1. Configure httpd to serve the ~/public_html directories of your users. This will require changes to /etc/httpd/conf/httpd.conf as well as the SELinux configuration. See the man page for httpd_selinux and the Apache httpd documentation for details.
  2. Prove that this works by creating a page in your ~/public_html directory. The URL will be http://hostname/~your-user-id/
  3. Create a short web script which displays the available disk space on the computer. At its most basic level, a web script is the same as a regular script, with this additional requirement:
    • It must output the line "Content-type: text/plain" or "Content-type: text/html" (depending on whether the script output is plain text or HTML), followed by a blank line.
  4. Name the script ~/public_html/diskfree.cgi - The URL will be http://hostname/~your-user-id/diskfree.cgi
  5. Configure httpd and SELinux to allow your script to be run from the web. This will require changes to /etc/httpd/conf/httpd.conf as well as the SELinux configuration (possibly including both booleans and SELinux context). As with step 1, see the man page for httpd_selinux and the Apache httpd documentation for details.
Hint
Look for an "add-handler" line in your httpd.conf file.

Write-up

Create a high-quality write-up of this assignment on your wiki. Include at least these pages:

  1. A main page, describing in general terms what you did and containing links to the other wiki pages, as well as a link to the page and script in your ~/public_html directory.
  2. A page for your httpd configuration. Along with a description, include the exact text of your httpd.conf file.
  3. A page for your MySQL configuration. Along with a description, include the details of the steps you performed to set up MySQL.
  4. A page for your SELinux configuration. Along with a description, include a list of all of your booleans and their current settings. Show that the configuration is as tight as possible (e.g., don't change booleans unnecessarily).
  5. A page for your MediaWiki configuration. Along with a description, include your MediaWiki configuration file.
  6. A page for your iptables configuration. Show the exact iptables rules that are in effect. Demonstrate that the configuration is as tight as possible.

The easiest way to create new page is to create a link to it from an existing page (such as the main page), and then follow that link.

Resources on wiki markup:

Bonus Opportunity!
Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or it is a picture you own).

Submitting the Assignment

Your professor will require you to submit this assignment in at least one of two ways:

  1. Demonstrate that the wiki is working.
  2. Use wget to harvest the wiki pages:
    • Issue the command: wget -prk http://hostname/wiki
    • Create a compressed tar file containing the results. (name the file <learnid>-a2.tgz)
    • Submit it to your professor in the manner he specifies.

Check with your professor for the submission details for your section.

Sections A & B - Chris Tyler

Section C - Andrew Grimo

Assessment

  • 50% - completion of steps - quality of configuration, iptables and SELinux configuration as tight as possible
  • 50% - documentation on the wiki - quality of writing, quality of presentation, and accuracy and completeness of information
  • +5% - bonus for replacing the wiki logo