Changes

[[Category:OPS235]]{{Admon/caution|THIS IS AN OLD VERSION OF THE ASSIGNMENT|'''For the This is an archived version. Do not use this in your OPS235 assignment for Chris Tylerscourse.''' section (Section B), please see: [[}}= OPS235 Assignment 2/Fall 2011]]'''=

{{Admon/note|Assignment Material May Appear on Tests and Exam|Doing your assignment is part '''Weight:''' 5% of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended. As it must be marked in class.This assignment will be marked partially through demonstration and partially through the submission of files.}}overall grade

Due Date: Week 13 - week of April 8 ('''Check with your Professor for exact date'''). {{Admon/important|It is YOUR responsibility to Backup Your Configuration Filesyour centos3 VM for this Assignment!|Before making any changes You are required to frequently backup your system configuration, backup VM prior to exiting a work session during this assignment. Your instructor will NOT accept the original fact that your hard disk crashed and lost all of your work. If you properly backed up your VM images and xml configuration files into the <code>/backups</code> directoryto a USB, then you can purchase a new hard-disk or wipe and use <code>git</code> to manage recreate your hard disk and restore your changeVMs.}}<br>

In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a '''database server''' and a '''web server'''. You will install and use a database-backed web application, '''MediaWikiWordpress''', to show that these services have been installed properly. In this assignment, you You will attempt to maintain a high level of security, by using also configure the '''iptablesSELinux''' firewall security system to guard against unauthorized accessfurther enhance the security of your computer system.

An '''Optional Bonus''' is available where you canl configure NOTE: Do this assignment inside the centos3 virtual machine. '''SELinux''' security system to further enhance the security of your computer system.

Install these packages using ''yum''NOTE:* '''httpd''' - this is This package may not be in the Apache web server softwaremain repository. It provides the '''httpd''' service, which runs on port 80.* '''php''' - this is the PHP server software. It provides the '''php''' capabilities to the web server and wiki.* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket and TCP port 3306 by default.* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is There a series couple of PHP scripts which are run by Apache httpd as requests are received, and it connects to a database such as MySQL locally or on other servers.options:

====Configuring Apache httpd ====

:# Start the httpd service using the '''servicesystemctl''' command.:# Ensure that the httpd service starts automatically during boot.# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running centos3 (you can test using '''links''') as well as from another machine on the same networkhost. You should see a test pagethe Apache Test Page.:# Configure this software If you can't connect to start when it from outside the system machine - perhaps your firewall is booted.:# Create a very simple HTML index page for your system, and place it at <code> /var/www/html/index.html </code>:# Confirm that you can view blocking access to the index pageweb server. If not, adjust your iptables configuration as necessary, or check for errors in <code>/var/log/httpd</code>

==== Configuring MySQL ====

:# Start the MySQL service (mysqldor mariadb)using '''systemctl'''.# Ensure that the mysqld/mariadb service starts automatically during boot.:# '''When started You may get messages after starting the MySQL service for the first time. Do not ignore these messages, this service it will print a message telling tell you how to set a password and take other basic steps to secure the the MySQL server.''' Follow those instructions to set a password, recording the detail of what you do for later use.:# Configure this software * If you do not see any messages, research how you can secure the MySQL installation and set the MySQL-root password.#* Read those messages carefully, you are setting up a production MySQL server and there shouldn't be any "test" databases or anonymous users or users without a password.# Set your MySQL root password to start when your learn ID (without the system @senecac.on.ca part).# This following part is bootedchallenging so take your time and read the instructions to make sure you do it properly, we have to set up a dedicated user and database for wordpress:## Start by looking at http://codex.wordpress.org/Installing_WordPress#Using_the_MySQL_Client where you will find instructions for the setup.## You will need to run those commands in a centos3 terminal.## Your adminusername is root## Your databasename is myblog## Your wordpressusername is your learn ID## The password should also be your learn ID## Your hostname is localhost

==== MediaWiki ==Installing and Configuring Wordpress ==

:# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code>:#* Uncomment the first two <code>Alias</code> lines:#* Reload the httpd configuration using the <code>service</code> command:# Access <code>http://localhost/wiki</code> on the machine on which the Wordpress (like most web server applications) is running (this will not work if done remotelyavailable in the Fedora repositories, unless you use an ssh tunnel so that the access appears to it must be coming from the local host). You will see the MediaWiki welcome page; click on the setup link.:# Enter the setup information for your wiki::#* Enter a name for the wiki:#* Enter your learn e-mail address as the contact information;#* Disable all e-mail features:#* Leave the database host as "localhost":#* Set up a database password:#* Get MediaWiki to set up the superuser account by checking the appropriate box downloaded and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).:# Click the "Install MediaWiki!" button.:# Once the setup is complete, you will need to move a file within the MediaWiki directory (i.e. inside <code>/var/www/wiki</code>). Refer to the directions in the confirmation web pageinstalled manually.

::# Download the latest .tar.gz version from wodpress.org into your centos3 (use wget).# Extract it into '''NOTE:/var/www/html''' When # Now we need to allow Apache to modify the wordpress installation. To do this use chown -R to make the owner and group of every file and directory inside wordpress "apache".# Check your work so far by pointing your web browser to http://centos3/wordpress/ where you are donewill get an error starting with "There doesn't seem to be a wp-config.php file"# Copy the wp-config-sample.php file to wp-config.php and edit the new file:#* Change the DB_NAME, DB_USER, you should be able DB_PASSWORD to the appropriate values.# Now go back to <code>http://'''hostname'''centos3/wiki<wordpress/code> from any directly-connected machineyou should see a Wordpress Welcome/Setup page.#* Set the title to Your Name's Blog. For example for me it would be "Andrew Smith's Blog"#* Set the password to your learn ID.#* Set the email to your Seneca email address.#* Click "Install Wordpress", you should see a "Success!" message.

==== Serving Personal Web Pages ==Write-up ==

:# Configure httpd to serve the <code>~/public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.:# Prove that this works by creating Write a page in blog post on your <code>~/public_html</code> directory. The URL will be <code>httpnew blog explaining://''hostname''/~''your-user-id''/</code>:# Create a short web script which displays the available disk space on the computer. At its most basic level* What is Apache, a web script is the same as a regular scriptPHP, with this additional requirement::#* It must output the line "Content-type: text/plain" or "Content-type: text/html" (depending on whether the script output is plain text or HTML)MySQL, followed by a blank lineand Wordpress.:# Name the script <code>~/public_html/diskfree.cgi</code> - The URL will be <code>http://''hostname''/~''your-user-id''/diskfree.cgi</code>:# Configure httpd and SELinux to allow your script to be run from the web. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration * What problems (possibly including both booleans minor and SELinux contextmajor). As with step 1, see you ran into during the man page for <code>httpd_selinux</code> installation and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for detailshow you solved them.

{{Admon/tip|Hint|Look Write a second post on your blog explaining:* Are you ready for an "add-handler" line in your httpdthe exam or not.* List the material you are strong on.* List the material you are worried about.conf file* List any questions or topics you would like me to address during exam review.}}

'''Write well and be creativeDue date:'''* Make sure your spelling and grammar are correct (they count!).* Present Your name will be called in the lab on the pages attractively, and take advantage of graphics, colour, and fonts as appropriate -- due date for example, you may want to highlight the changes that assignment. If you made in the configuration files using '''bold''' print, use outline numbering, divide the pages into easyare not there when your name is called -to-navigate sections, or use colour to show the <span style="color:orange">commands you typed</span> and <span style="color:green">what the system displayed in response</span>will lose 20% of your mark.* Stick to the important information - avoid including excessive text which doesn't add to the content In that case you are presenting (remember, may show me your professor submission in the second lab that week instead. Assignments submitted after that will receive a grade of 0, but must still be reading hundreds of wiki pages while marking!)completed satisfactorily in order to pass the course.

{{Admon/tip|Tip: Customizing your WIKI|Change the default icon Open one or more terminals in c7host, SSH to centos3 from those terminals, and have the upperfollowing ready:* The correct RPMs are installed* Output showing firewall has been properly set up* Output of chkconfig -left corner -list mysqld* Output of your MediaWiki installation to a picture chkconfig --list httpd* MySQL output of your choosing. Be sure that you have copyright clearance to : show databases; use mysql; select User,Password from user; use that image (emyblog; show tables;* Output of ls -la /var/www/html/wodpress/* Output of head -30 /var/www/html/wodpress/wp-config.g., it is licensed to you, or it is php* Open a picture you own).}}firefox with http://centos3/wordpress/

== Bonus: SELinux (x Marks) = Rubric ===

{| class="wikitable" border= About SELinux == SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, on top of the settings that any user has configured. SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:"1"! Task !! $ ls -lZMaximum mark !! Actual mark drwxr-xr|-x. root root '''system_u:object_r:file_t:s0''' arm drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2| Correct packages installed || 1 || drwxrwxr|-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop| Firewall setup properly || 2 || drwxr-xr|-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads| Apache set up and running || 2 || -rw------|-. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks| MySQL set up correctly || 3 || -rw------|-. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks -rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x [chris@muskoka ~]$ ps -Z LABEL PID TTY TIME CMD '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/| Wordpress extracted correctly || 1 00:00:00 bash|| '''unconfined_u:unconfined_r:unconfined_t:s0|-s0:c0.c1023''' 2612 pts/1 00:00:00 ps The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error. === SELinux Context Commands === There are two main commands used to | Wordpress set the SELinux security context of files:up correctly || 2 ||# chcon |- sets the security context of a file to a particular value#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code>#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code># restorecon - resets the default security context of a file#* Example: reset the context of one file: <code>restorecon /etc/services</code>#* Example: recursively reset the contexts of all of the files | Wordpress showing in a directory: <code>restorecon -R ~</code> You can reset the default security context of the entire system at the next boot with this command:  touch /.autorelabel === SELinux Booleans === SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (Firefox || 1) or off (0).|||-The <code>getsebool</code> and <code>setsebool</code> commands can be used | Everything ready to view and set SELinux boolean values: {show || 2 ||class="mediawiki sortable" border="1" cellspacing="0"!Command!Description

|<code>getsebool -a</code>First blog post || 3 ||Displays all SELinux booleans

|<code>getsebool ''foo''</code>Second blog post || 3 ||Displays the SELinux boolean ''foo''

|<code>setsebool ''foo'Total' ''value''</code>|| 20 || |Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on")

 === SELinux Graphical Tools === The ''system-config-selinux'' tool, which is on the menu as System>Adminstration>SELinux Management, provides a GUI for managing SELinux booleans and more.  {{Admon/note|Takes Notes!|Take detailed notes of the steps you perform from this point onward -- you will need them for the wiki pages you will create later.}} == Submitting Your Assignment == Your professor will require you to submit this assignment in at least one of two ways[[Category: # Demonstrate that the wiki is working.# Use wget to harvest the wiki pages:#* Make sure all of the <code><nowiki>http://</nowiki></code>-style links (for the wiki image, the link to diskfree.cfgi, and so forth) use the same hostname (don't use "localhost" for one and "f13host" for another, for example).#* Issue the command: <code>wget -prk http://''hostname''/wiki</code> -- where ''hostname'' matches the hostname used in the <code><nowiki>http://</nowiki></code> links in your wiki pages.#* Create a compressed tar file containing the results. (name the file <learnid>-a2.tgz)#* Check the tar file to see that it contains everything necessary to view your site (in particular, check that all needed image files are included). Do not edit the files in the tar archive -- if changes are needed, modify your wiki, and then repeat the <code>wget</code> and <code>tar</code> steps above.#* Submit the tar file to your professor in the manner he specifies. === Section A - Chris Tyler === * TBA === Section B - David Trinh === * TBA  === Section C - Mike Martin === * TBA === Sections D, E, F, & G - Murray Saul === * TBA  == Assessment == * 50% - completion of steps - quality of configuration, iptables and SELinux configuration as tight as possible* 50% - documentation on the wiki - quality of writing, quality of presentation, and accuracy and completeness of information* +5% - bonus for replacing the wiki logoOPS235]]