{{Admon/caution|DO NOT USE THIS VERSION OF THE COURSE. This page will no longer be updated.|'''Debian version here:''' https://seneca-ictoer.github.io/OPS245
<br>'''CentOS version here:''' https://seneca-ictoer.github.io/OPS245-C7<br>'''Andrew's version here:''' http://wiki.littlesvr.ca/wiki/OPS245_Lab_4}}
=LAB PREPARATION=
{| width="40%" align="right" cellpadding="10"
Many students may think that the following topic is small and "not a big deal". Those students may say, '''"How hard is running and stopping services?"'''
The process may not be hard, but knowing how to stop, start, restart and check the status of services is absolutely critical to a Linux server. '''Aside from learning to trouble-shoot problems''' by checking the status of running services, '''understanding how to manage services is critical to help protect a Linux server from penetration''' (this term is referred to as "'''Hardening a system'''"). Sometimes it is "what we don't know" that can harm us. One key element in hardening a computer system is to disable non-essential networking services to allow IDSs ('''Intrusion Detection Systems''') to focus on a narrower range of policy violations. A Debian-based penetration testing distribution called '''Kali''' (formerly referred to as '''"BackTrack"''') allows sysadmins and security professionals to identify vulnerabilities in their computer systems, and thus improve (harden) their systems against penetration. Learning to monitor the status, enable and disable networking services underlies the '''BackTrack''' motto: '''''"The quieter you are, the more you will hear..."'''''<br><br>
<u>Main Objectives</u>:
[http://archive.linuxfromscratch.org/blfs-museum/1.0/BLFS-1.0/postlfs/skel.html /etc/skel]<br>
[http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd init vs systemd]
<br><br>
Python Reference<br />
[https://docs.python.org/3/howto/argparse.html argparse]
|}
# View the contents of the '''/home''' directory. Was the home directory for user '''ops245_2''' removed?
# Issue the following command to remove ops245_2's home directory: <b><code><span style="color:#3366CC;font-size:1.2em;">sudo rm -rf /home/ops245_2</span></code></b>
# Issue the '''userdel''' command to remove the '''ops245_1''' account, but this time include the '''-r option''' (to also remove the home directory).
# Issue the useradd -m command to recreate the user called: '''ops245_1'''.
# Use the '''passwd''' command to set the password for the user '''ops245_1'''.
# View the <u>contents</u> for '''ops245_2's home directory''' and note the files. What do you notice that is different? What do you think is the purpose of the '''/etc/skel''' directory?
# Be sure to record your observations in your lab notes.
#Look in the man pages for the '''useradd''' command. Explain the purpose of using the '''-e''' option for the ''useradd'' command.
#Issue the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">sudo chage -E 2024-12-31 ops245_1</span></code></b>
#Issue the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">sudo usermod -c "New Name" ops245_2</span></code></b>.
#View ops245_2's account information in the '''/etc/passwd''' file. What do you notice is different?
#Now re-issue the command to create '''welcome''' group. This time, sudo should work.
#Issue the command: <b><code><span style="color:#3366CC;font-size:1.2em;">grep welcome /etc/group</span></code></b> to confirm that the group '''welcome''' was created.
# Read the man pages for the <b><code><span style="color:#3366CC;font-size:1.2em;">usermod</span></code></b> and <b><code><span style="color:#3366CC;font-size:1.2em;">groupmod</span></code></b> commands. Which command (and which option) will allow you to set the Group ID number ('''GID''') when you create a new group? Which command (and options) allow you to both append and assign users to an existing group name?
# Issue two separate '''usermod''' commands to add both '''ops245_1''' and '''ops245_2''' to the newly-created '''welcome''' group.
# Verify that both ops245_1 and ops245_2 now belong to the '''welcome''' group.
===Practical Example===
When you created your first user on your host, centos1 and centos2, you made them an administrator. This allowed them to (when they request it) run commands with root privileges. But you won't always know in advance if a user is going to be an administrator (what if someone gets promoted, or changes jobs?), so you can't always do that at account creation. Checking that box also allows them to run ''any'' command with root privileges by using sudo. In many cases, administrators won't be allowed to do ''everything'', but instead be restricted to certain tasks (e.g. managing user accounts, managing software, managing services, etc.). Sudo gives us this detailed control, so we can pick and choose who gets to run which commands as root.
=== Part 1: Finding out why Your First User can do Anything? ===
You've already observed that your first user can use sudo to execute any command, but what about their account actually makes that possible?
<ol>
<li>View (but do not edit) the contents of '''/etc/sudoers'''. Search for your user account. You won't find them.</li>
<li>Check the contents of '''/etc/passwd''' and '''/etc/group''' for entries with your user account. Is there anything different between your account and '''ops245_1'''?</li>
<li>You should find that your user is part of a secondary group. What group is it? Are they part of that group on '''centos3'''?</li>
<li>The '''wheel''' group represents administrators with complete sudo privileges. Go back to '''/etc/sudoers''' and read the entry for '''wheel'''. It should look something like this:<br />
<b><code><span style="color:#3366CC;font-size:1.2em;">%wheel ALL=(ALL) ALL</span></code></b><br />
::This means that anyone who is part of that group can run ''any'' command, as ''any'' user. Effectively, they can use sudo to be root.
</li>
<li>During the lecture, you should have learned some reasons to limit access to the actual root account, and why using sudo is a better practice. Record your observations.</li>
<li>On centos3, add your user to '''wheel''' as a secondary group so you can use sudo the same way there that you can on your other machines.</li>
</ol>
<li>Try running that command again, this time with sudo.</li>
<li>It still won't work, because this user does not have permission to use sudo for anything.</li>
<li>Log out from '''ops245_1''' and log back in as your normal user.</li>
<li>Create a file called '''ops245_1''' in '''/etc/sudoers.d'''. Add the following line to it:
<b><code><span style="color:#3366CC;font-size:1.2em;">ops245_1 ALL=(ALL) /usr/bin/systemctl</span></code></b>
::This indicates this user can use sudo to run systemctl commands as if they were any account (root is the important one).
</li>
<li>Log out from your normal user and log back in as '''ops245_1'''.</li>
<li>Try restarting sshd again. This time it should work.</li>
<li>Change to your '''ops245_2''' account, and try restarting sshd (with and without sudo).
::That account still can't. Sudo entries only affect the users and groups listed.</li>
<li>We don't want '''ops245_2''' to manage services, that's a job for '''ops245_1''', but we do want them to manage user accounts. So log back in as your regular user and create a sudoers file for '''ops245_2''' and set it so that they can run the useradd, usermod, userdel, groupadd, groupmod, and groupdel commands through sudo.</li>
<b><code><span style="color:#3366CC;font-size:1.2em;">ops245_2 ALL=(ALL) /usr/sbin/useradd<br />ops245_2 ALL=(ALL) /usr/sbin/usermod<br />ops245_2 ALL=(ALL) /usr/sbin/userdel<br />ops245_2 ALL=(ALL) /usr/sbin/groupadd<br />ops245_2 ALL=(ALL) /usr/sbin/groupmod<br />ops245_2 ALL=(ALL) /usr/sbin/groupdel<br /></span></code></b>
<li>Test to make sure it works.</li>
</ol>
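The steps above show that sudo rights come from two places: direct entries (in '''/etc/sudoers''' or '''/etc/sudoers.d''') and group membership such as '''wheel'''. The following script is an added example, not part of the original lab, that lists who holds which grant by combining both sources. The sample files are constructed, the user name "student" is a stand-in for your first user, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example. Both sample files are constructed, in the form this lab uses.

sample_sudoers() {
cat <<'EOF'
# constructed sample
Defaults   env_reset
root       ALL=(ALL) ALL
%wheel     ALL=(ALL) ALL
ops245_1   ALL=(ALL) /usr/bin/systemctl
ops245_2   ALL=(ALL) /usr/sbin/useradd
ops245_2   ALL=(ALL) /usr/sbin/usermod
EOF
}

sample_group() {                 # "student" stands in for your first user
cat <<'EOF'
wheel:x:10:student
welcome:x:1003:ops245_1,ops245_2
EOF
}

# sudo_grants SUDOERS GROUPFILE
# Prints "user<TAB>FULL|LIMITED<TAB>command<TAB>source" for each grant,
# expanding %group entries to the members listed in GROUPFILE.
# Simplifications: only "who host=(runas) command" lines are understood;
# aliases and #include directives are skipped; primary groups are not resolved.
sudo_grants() {
  awk -v groupfile="$2" '
    BEGIN { while ((getline line < groupfile) > 0) { split(line, f, ":"); members[f[1]] = f[4] } }
    /^[ \t]*(#|$)/ || $1 ~ /^Defaults/ || $1 ~ /_Alias$/ || NF < 3 { next }
    {
      cmd = $3; for (i = 4; i <= NF; i++) cmd = cmd " " $i
      sub(/^[A-Z]+:[ \t]*/, "", cmd)            # drop a tag such as NOPASSWD:
      scope = (cmd == "ALL") ? "FULL" : "LIMITED"
      if ($1 ~ /^%/) {
        n = split(members[substr($1, 2)], m, ",")
        for (i = 1; i <= n; i++) print m[i] "\t" scope "\t" cmd "\t" $1
      } else print $1 "\t" scope "\t" cmd "\tdirect"
    }
  ' "$1"
}

# Demo on the constructed data.
demo_dir=$(mktemp -d)
sample_sudoers > "$demo_dir/sudoers"
sample_group > "$demo_dir/group"
sudo_grants "$demo_dir/sudoers" "$demo_dir/group"
rm -rf "$demo_dir"
```

Before relying on a new file in '''/etc/sudoers.d''', check its syntax with <code>visudo -cf</code> followed by the file name; a syntax error in a sudoers file can leave sudo unusable.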
=INVESTIGATION 3: Managing System Services and Run-levels=
At the beginning of this lab we mentioned that running unneeded '''packages can be a security risk''' due to the unnecessary increase in the complexity of your system. Similarly, it is also unnecessarily hazardous, and even more so, to leave unneeded services running. In this investigation, we will learn how to '''control services, and turn off those services that we think are not necessary to help reduce security risks'''.
Although there is a command called: '''service''' that may appear to manage services on your Linux system, it is considered <u>'''deprecated'''</u> (i.e. "obsolete"). It has been replaced by using the [http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd#systemd_Command_Usage systemctl] command.
:'''Perform the following steps:'''
# Use the commands you used in Lab2 to '''stop''' and '''disable''' the iptables service.
# Issue a command to verify you '''disabled''' and '''stopped''' the iptables service.<br><br>'''Note:''' There is a major difference between stopping a service and disabling a service: If a service is stopped but enabled, the service will start upon reboot. Therefore to prevent it being started upon boot-up, the service will need to be disabled as well!<br><br>
# Issue the commands to '''start''' and '''enable''' the iptables service, and '''verify''' that it is <u>started</u> and <u>enabled</u>.<br><br>'''Note:''' If you performed the commands correctly, the iptables service should be running, and will automatically run upon your Linux machine start-up.
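
The difference between stopped and disabled described in the note above, as an added example that is not part of the original lab: the script compares what is running now with what starts at boot and reports every service outside an allowlist together with the action it still needs. The listings are constructed samples, and the allowlist and function name are hypothetical.

```shell
#!/bin/sh
# Added example; the listings below are constructed, not captured from a host.
# On a live system they come from:
#   systemctl list-unit-files --type=service --no-legend
#   systemctl list-units --type=service --all --plain --no-legend

sample_unit_files() {            # columns: UNIT  STATE
cat <<'EOF'
sshd.service         enabled
iptables.service     enabled
cups.service         enabled
avahi-daemon.service enabled
bluetooth.service    disabled
EOF
}

sample_units() {                 # columns: UNIT  LOAD  ACTIVE  SUB  DESCRIPTION
cat <<'EOF'
sshd.service         loaded active   running OpenSSH server daemon
iptables.service     loaded active   exited  IPv4 firewall with iptables
cups.service         loaded inactive dead    CUPS Printing Service
avahi-daemon.service loaded active   running Avahi mDNS/DNS-SD Stack
bluetooth.service    loaded active   running Bluetooth service
EOF
}

# service_audit ALLOWLIST UNIT_FILES UNITS
# Prints "unit<TAB>action<TAB>reason" for every service not on the allowlist
# that is running now, will start at boot, or both.
service_audit() {
  awk '
    FILENAME == ARGV[1] { if (NF && $1 !~ /^#/) allow[$1] = 1; next }
    FILENAME == ARGV[2] { if ($2 == "enabled") boot[$1] = 1; next }
    ($1 in allow) { next }
    {
      running = ($3 == "active"); atboot = ($1 in boot)
      if (running && atboot) print $1 "\tstop+disable\trunning and starts at boot"
      else if (atboot)       print $1 "\tdisable\tstopped now, but starts at next boot"
      else if (running)      print $1 "\tstop\trunning now, not started at boot"
    }
  ' "$1" "$2" "$3"
}

# Demo on the constructed data, allowing only sshd and iptables.
demo_dir=$(mktemp -d)
printf 'sshd.service\niptables.service\n' > "$demo_dir/allow"
sample_unit_files > "$demo_dir/files"; sample_units > "$demo_dir/units"
service_audit "$demo_dir/allow" "$demo_dir/files" "$demo_dir/units"
rm -rf "$demo_dir"
```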
===Part 2: How do we Manage Runlevels?===
Running Linux servers in graphical mode can make the server vulnerable to penetration (i.e. a potential break-in to the server from unauthorized intruders). The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install '''server versions''' of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the '''Linux server''' (for security reasons since those servers are closest to the router and the Internet).
The Linux sysadmin can also change the target (or state) of a graphical Linux server so that it runs in text-based mode, and start graphical mode by issuing a command when graphical mode is required. You may also encounter this capability described as run-levels, but that term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.
{| width="50%" align="right" cellpadding="10"
|- valign="top"
# Remain in your '''centos1''' VM for this section.
# Issue the following Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">systemctl get-default</span></code></b><br><br>'''Note:''' The output should read '''graphical.target'''
# Try the same command on your '''centos3''' VM and observe how the output differs. Go back to your '''centos1''' VM.
# You can use the '''systemctl isolate''' command to change the current target. See a list of targets [https://www.centos.org/docs/5/html/5.2/Installation_Guide/s2-init-boot-shutdown-rl.html here].
# Change the current target in '''centos1''' to '''multi-user.target''' by issuing the following command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">sudo systemctl isolate multi-user.target</span></code></b>
# What did you notice?
# Reboot your '''centos1''' VM. It should return to the graphical login screen. You should notice at this point that the command '''systemctl isolate''' did not change the default target the system will boot to.
# Issue the <b><code><span style="color:#3366CC;font-size:1.2em;">sudo systemctl set-default multi-user.target</span></code></b> command to change the default target in '''centos1''' to '''multi-user.target''', then reboot your machine. What do you notice?
# Change the current run-level in '''centos1''' to '''graphical.target''' by issuing the following command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">sudo systemctl isolate graphical.target</span></code></b>
# Try to do the same thing to your '''centos3''' VM. Did it work? Why or why not?
'''Answer INVESTIGATION 3 observations / questions in your lab log book.'''
= INVESTIGATION 4: CREATING USERS VIA USING ARGUMENTS IN SHELL SCRIPTS=
===Using argparse to Obtain Positional Arguments from the Command Line===
:'''Perform the following steps:'''
'''Answer INVESTIGATION 4 observations / questions in your lab log book.'''
# Make certain that your '''c7host''', '''centos1''' and '''centos2''' VMs are running.
# Switch to your '''c7host''' VM.
# Open a shell terminal, enter a root session, and change to your '''/root/bin''' directory.
# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget https://raw.githubusercontent.com/OPS245/labs/main/lab4-check.bash</span></code></b><!--<br />For Andrew's sections use this script instead:<b><code><span style="color:#3366CC;font-size:1.2em;">wget http://littlesvr.ca/ops245/lab4-check-andrew.bash</span></code></b>-->
# Give the '''lab4-check.bash''' file execute permissions (for the file owner).
# Run the shell script. If there are any warnings, make fixes and re-run the shell script until you receive the "congratulations" message.
#Arrange proof of the following on the screen:<br><span style="color:green;font-size:1.5em;">✓</span> '''centos1''' VM:<blockquote><ul><li>Demonstrate that this VM's current run-level is set to '''5'''.</li></ul></blockquote><span style="color:green;font-size:1.5em;">✓</span>'''c7host''' machine<blockquote><ul><li>Run the '''lab4-check.bash''' script (must have all <b><code><span style="color:#66cc00;border:thin solid black;font-size:1.2em;"> OK </span></code></b> messages)</li></ul></blockquote><span style="color:green;font-size:1.5em;">✓</span> '''Lab4''' log-book filled out.
#Take a screenshot of the proof in the previous step, and upload it, your tarchiver2.py script, your log book, and the file generated by '''lab4-check.bash''' to Blackboard.
= Practice For Quizzes, Tests, Midterm & Final Exam =
# What is the difference between '''starting''' a service and '''enabling''' a service?
# Can a service be stopped and started by issuing just one command?
[[Category:OPS245]]