OPS235 Assignment 2
Weight: 5% of the overall grade
Due Date: 8th of August at the start of class
Introduction and Purpose
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a database server and a web server. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. In this assignment, you will attempt to maintain a high level of security, by using iptables firewall to guard against unauthorized access. You will also configure the SELinux security system to further enhance the security of your computer system.
NOTE: This assignment may be performed using any combination of your virtual machines and/or host disk pack.
Required Tasks (ASSIGNMENT TOTAL: 70 Marks)
A. Installing Packages (Section Total: 8 Marks)
Install these packages using yum:
- httpd - this is the Apache web server software. It provides the httpd service, which runs on port 80.
- php - this is the PHP server software. It provides the php capabilities to the web server and wiki.
- mysql-server - this is the MySQL database server. It provides the mysqld service, which runs on a Unix domain socket and TCP port 3306 by default.
- mediawiki - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a database such as MySQL locally or on other servers.
B. Configuring Services
Apache httpd (Section Total: 10 Marks)
- Start the httpd service using the systemctl (or service) command.
- Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.
- Configure this software to start when the system is booted using systemctl.
- Create a very simple HTML index page for your system, and place it at
/var/www/html/index.html
- Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in
/var/log/httpd
MySQL (Section Total: 6 Marks)
- Start the MySQL service (mysqld) using the systemctl (or service) command.
- When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the the MySQL server. Follow those instructions to set a password, recording the detail of what you do for later use. If this message does not appear on the screen, look in
/var/log/httpd/messages
- Configure this software to start when the system is booted using systemctl.
MediaWiki (Section Total: 12 Marks)
- Edit MediaWiki's httpd configuration file,
/etc/httpd/conf.d/mediawiki.conf
- Uncomment the first two
Alias
lines - Reload the httpd configuration using the
service
command
- Uncomment the first two
- Access
http://localhost/wiki
on the machine on which the web server is running (this will not work if done remotely, unless you use an ssh tunnel so that the access appears to be coming from the local host). You will see the MediaWiki welcome page; click on the setup link. - Enter the setup information for your wiki:
- Enter a name for the wiki
- Enter your learn e-mail address as the contact information
- Disable all e-mail features
- Leave the database host as "localhost"
- Set up a database password
- Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password (Note: This is the database superuser password, NOT the root password).
- Click the "Install MediaWiki!" button.
- Once the setup is complete, you will need to move a file within the MediaWiki directory (i.e. inside
/var/www/wiki
). Refer to the directions in the confirmation web page.
- Edit MediaWiki's httpd configuration file,
- NOTE: When you are done, you should be able to go to
http://hostname/wiki
from any directly-connected machine.
- NOTE: When you are done, you should be able to go to
Serving Personal Web Pages (Section Total: 12 Marks)
- Configure httpd to serve the
~/public_html
directories of your users. This will require changes to/etc/httpd/conf/httpd.conf
as well as the SELinux configuration. See the man page forhttpd_selinux
and the Apache httpd documentation for details. - Prove that this works by creating a page in your
~/public_html
directory. The URL will behttp://hostname/~your-user-id/
- Create a short web script which displays the available disk space on the computer. At its most basic level, a web script is the same as a regular script, with this additional requirement:
- It must output the line "Content-type: text/plain" or "Content-type: text/html" (depending on whether the script output is plain text or HTML), followed by a blank line.
- Name the script
~/public_html/diskfree.cgi
- The URL will behttp://hostname/~your-user-id/diskfree.cgi
- Configure httpd to allow your script to be run from the web. This will require changes to
/etc/httpd/conf/httpd.conf
as well as the SELinux configuration (possibly including both booleans and SELinux context). As with step 1, see the man page forhttpd_selinux
and the Apache httpd documentation for details.
- Configure httpd to serve the
C. Write-up (Section Total: 12 Marks)
Create a high-quality write-up of this assignment on your wiki. Describe in detail exactly what you did to set up each component. Include at least these pages:
- A main page (page name Main Page), describing in general terms what you did and containing links to the other wiki pages, as well as a link to the page and the script in your
~/public_html
directory. - A page for your httpd configuration (page name httpd_conf). Along with a description, include the exact text of your httpd.conf file.
- A page for your MySQL configuration (page name mysql_conf). Along with a description, include the details of the steps you performed to set up MySQL.
- A page for your MediaWiki configuration (page name mediawiki_conf). Along with a description, include your MediaWiki configuration file.
- A page for your iptables configuration (page name iptables_conf). Show the exact iptables rules that are in effect. Demonstrate that the configuration is as tight as possible (for example, test access to other services, and include the results of those tests in the wiki page).
- A page for the SELinux configuration (page name selinux_conf). Show the SELinux booleans and the context of your script file.
The easiest way to create new page is to create a link to it from an existing page (such as the main page), and then follow that link.
Write well and be creative:
- Make sure your spelling and grammar are correct (they count!).
- Present the pages attractively, and take advantage of graphics, colour, and fonts as appropriate -- for example, you may want to highlight the changes that you made in the configuration files using bold print, use outline numbering, divide the pages into easy-to-navigate sections, or use colour to show the commands you typed and what the system displayed in response.
- Stick to the important information - avoid including excessive text which doesn't add to the content that you are presenting (remember, your professor will be reading hundreds of wiki pages while marking!).
Resources on wiki markup:
- Wiki markup - Wikipedia
- Sandbox page on this wiki - examples
D. Security with SELinux (10 Marks)
About SELinux
SELinux stands for Security Enhanced Linux and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a discretionary access control system (DAC), SELinux is a mandatory access control system (MAC). This means that it attempts to enforce a consistent policy across the entire system, on top of the settings that any user has configured.
SELinux decisions are based on the security context of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the -Z
option to the ls
and ps
commands:
$ ls -lZ drwxr-xr-x. root root system_u:object_r:file_t:s0 arm drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 arm2 drwxrwxr-x. chris chris unconfined_u:object_r:user_home_t:s0 bin drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Desktop drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Documents drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Downloads -rw-------. chris chris unconfined_u:object_r:user_home_t:s0 fedora0.ks -rw-------. chris chris unconfined_u:object_r:user_home_t:s0 fedora1.ks -rw-------. chris chris unconfined_u:object_r:user_home_t:s0 fedora2.ks -rw-------. chris chris unconfined_u:object_r:user_home_t:s0 fedora3.ks -rw-rw-r--. chris chris unconfined_u:object_r:user_home_t:s0 foo -rw-r--r--. chris chris unconfined_u:object_r:user_home_t:s0 hosts drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Music drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Pictures drwxrwxr-x. chris chris unconfined_u:object_r:user_home_t:s0 play drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Public drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Templates drwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 Videos -rw-r--r--. chris chris unconfined_u:object_r:user_home_t:s0 x [chris@muskoka ~]$ ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2595 pts/1 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2612 pts/1 00:00:00 ps
The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in /etc
, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in /etc
, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.
SELinux Context Commands
There are two main commands used to set the SELinux security context of files:
- chcon - sets the security context of a file to a particular value
- Example: setting the type of a file:
chcon -t unconfined_t /tmp/foo
- Example: setting the user/role/type of a file:
chcon unconfined_u:object_r:user_home_t ~/foo
- Example: setting the type of a file:
- restorecon - resets the default security context of a file
- Example: reset the context of one file:
restorecon /etc/services
- Example: recursively reset the contexts of all of the files in a directory:
restorecon -R ~
- Example: reset the context of one file:
You can reset the default security context of the entire system at the next boot with this command:
touch /.autorelabel
SELinux Booleans
SELinux policy can be tuned (without writing an entirely new policy) through the use of booleans or option switches. Each boolean can have a value of on (1) or off (0).
The getsebool
and setsebool
commands can be used to view and set SELinux boolean values:
Command | Description |
---|---|
getsebool -a
|
Displays all SELinux booleans |
getsebool foo
|
Displays the SELinux boolean foo |
setsebool foo value
|
Sets the SELinux boolean foo to value (where value is 0 or "off", or 1 or "on")
Use the |
SELinux Graphical Tools
The system-config-selinux tool, which is on the menu as System>Adminstration>SELinux Management, provides a GUI for managing SELinux booleans and more.
Submitting Your Assignment
Your professor will require you to submit this assignment in at least one of two ways:
- Demonstrate that the wiki is working.
- Use wget to harvest the wiki pages:
- Make sure all of the
http://
-style links (for the wiki image, the link to diskfree.cfgi, and so forth) use the same hostname (don't use "localhost" for one and "f16host" for another, for example). - Issue the command:
wget -prk http://hostname/wiki
-- where hostname matches the hostname used in thehttp://
links in your wiki pages. - Create a compressed tar file containing the results. (name the file learnid-a2.tgz)
- Check the tar file to see that it contains everything necessary to view your site (in particular, check that all needed image files are included). Do not edit the files in the tar archive -- if changes are needed, modify your wiki, and then repeat the
wget
andtar
steps above. - Refer to your OPS235 instructor on the proceedure to submit the tar archive file.
- Make sure all of the
Old Assignments
Still here for historical purposes. Obviously you don't need to do them.