1,885
edits
Changes
Created page with '{{Draft}} {{Admon/note | Please take note! | Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exam...'
{{Draft}}
{{Admon/note | Please take note! | Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended. This assignment will be marked partially through demonstration and partially through the submission of files.}}
=OPS235 Assignment #1 -- Winter 2010=
Weight: 5% of the overall grade<br>
Due Date: Week 13 - week of April 15-19 ('''Check with your Professor for exact date''')
{{Admon/important | Very Important! | Before making any changes to your system configuration, backup the original configuration files into the <code>/backups</code> directory.}}
== Introduction and Purpose ==
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a database server and a web server. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. Finally, you will configure the SELinux security system to ensure that these new services are not used to gain unauthorized access to your system.
This lab may be performed using any combination of your virtual machines and/or host disk pack.
== About SELinux ==
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system.
SELinux is based upon the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:
$ ls -lZ
drwxr-xr-x. root root '''system_u:object_r:file_t:s0''' arm
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks
-rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x
[chris@muskoka ~]$ ps -Z
LABEL PID TTY TIME CMD
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps
The SELinux policy controls the interactions between security contexts. For example, it may be configured so that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this should not be permitted and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.
=== SELinux Context Commands ===
There are two main commands used to set the SELinux security context of files:
* setcon - sets the security context of a file to a particular value
* restorecon - resets the default security context of a file
You can reset the default security context of the entire system at the next boot with this command:
touch /.autorelabel
=== SELinux Booleans ===
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool '''foo'''</code>
|Displays the SELinux boolean '''foo'''
|-
|<code>setsebool '''foo''' '''value'''
|Sets the SELinux boolean '''foo'' to '''value''' (where '''value''' is 0 or "off", or 1 or "on")
|}
=== SELinux Graphical Tools ===
The <code>sysetm-config-selinux</code> tool, which is on the menu as System>Adminstration>SELinux Management, provides a GUI for man aging SELinux booleans and more.
{{Admon/note|Takes Notes!|Take detailed notes of the steps you perform from this point onward.}}
== Installing Packages ==
Install these packages using ''yum'':
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket.
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a local database such as MySQL.
== Configuring Services ==
=== Apache httpd ===
# Start the httpd service using the '''service''' command.
# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.
# Configure this software to start when the system is booted.
# Create a very simple HTML index page for your system, and place it at <code>/var/www/html/index.html</code>
# Confirm that you can view the index page
=== MySQL ===
# Start the MySQL service (mysqld).
# '''When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the the MySQL server.''' Follow those instructions to set a password.
# Configure this software to start when the system is booted.
=== MediaWiki ===
# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code>
#* Uncomment the first two <code>Alias</code> lines
#* Reload the httpd configuration using the <code>service</code> command
# Access <code>http://localhost</code> on the machine on which the web server is running (do not do this remotely). You will see the MediaWiki welcome page; click on the setup link.
# Enter the setup information for your wiki:
#* Enter a name for the wiki
#* Enter your learn e-mail address as the contact information
#* Disable all e-mail features
#* Leave the database host as "localhost"
#* Set up a database password
#* Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).
# Click the "Install MediaWiki!" button The installation '''will fail'''. This is because the SELinux policy forbids connections from web scripts to the local database server.
# To fix this, you will need to change an SELinux boolean to enable httpd scripts to connect to a database. Find the SELinux boolean that permits this type of connection, and set the appropriate value.
# Re-submit the MediaWiki setup page.
# Once the setup is complete, you will need to move a file within the MediaWiki directory (inside <code>/var/www</code>). Refer to the directions on the screen.
When you are done, you should be able to go to <code>http://'''hostname'''/wiki</code> from any directly-connected machine.
=== Additional HTTPD Configuration ===
# Configure httpd to serve the <code>public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
== Write-up ==
Create a write-up of this assignment on your wiki. Include at least these pages:
# A main page, describing in general terms what you did.
# A page for your httpd configuration. Include your httpd.conf file.
# A page for your MySQL configuration.
# A page for your SELinux configuration. Include a list of all of your booleans and their current settings. Demonstrate that the configuration is as tight as possible (e.g., don't change booleans unnecessarily).
# A page for your MediaWiki configuration. Include your MediaWiki configuration file.
{{Admon/important|Bonus|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or its your picture).}}
== Submitting the Assignment ==
Your professor will require you to submit this assignment in one of two ways:
# Demonstrate that the wiki is working.
# Use wget to harvest the wiki pages recursively:
#* Issue the command: <code>wget -prk http://'''hostname'''/wiki</code>
#* Create a compressed tar file containing the results and submit it to your professor in the manner he specifies.
Check with your professor for the submission details for your section.
{{Admon/note | Please take note! | Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended. This assignment will be marked partially through demonstration and partially through the submission of files.}}
=OPS235 Assignment #1 -- Winter 2010=
Weight: 5% of the overall grade<br>
Due Date: Week 13 - week of April 15-19 ('''Check with your Professor for exact date''')
{{Admon/important | Very Important! | Before making any changes to your system configuration, backup the original configuration files into the <code>/backups</code> directory.}}
== Introduction and Purpose ==
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a database server and a web server. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. Finally, you will configure the SELinux security system to ensure that these new services are not used to gain unauthorized access to your system.
This lab may be performed using any combination of your virtual machines and/or host disk pack.
== About SELinux ==
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system.
SELinux is based upon the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:
$ ls -lZ
drwxr-xr-x. root root '''system_u:object_r:file_t:s0''' arm
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks
-rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks
-rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures
drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates
drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos
-rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x
[chris@muskoka ~]$ ps -Z
LABEL PID TTY TIME CMD
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1 00:00:00 bash
'''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1 00:00:00 ps
The SELinux policy controls the interactions between security contexts. For example, it may be configured so that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this should not be permitted and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.
=== SELinux Context Commands ===
There are two main commands used to set the SELinux security context of files:
* setcon - sets the security context of a file to a particular value
* restorecon - resets the default security context of a file
You can reset the default security context of the entire system at the next boot with this command:
touch /.autorelabel
=== SELinux Booleans ===
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool '''foo'''</code>
|Displays the SELinux boolean '''foo'''
|-
|<code>setsebool '''foo''' '''value'''
|Sets the SELinux boolean '''foo'' to '''value''' (where '''value''' is 0 or "off", or 1 or "on")
|}
=== SELinux Graphical Tools ===
The <code>sysetm-config-selinux</code> tool, which is on the menu as System>Adminstration>SELinux Management, provides a GUI for man aging SELinux booleans and more.
{{Admon/note|Takes Notes!|Take detailed notes of the steps you perform from this point onward.}}
== Installing Packages ==
Install these packages using ''yum'':
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket.
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a local database such as MySQL.
== Configuring Services ==
=== Apache httpd ===
# Start the httpd service using the '''service''' command.
# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.
# Configure this software to start when the system is booted.
# Create a very simple HTML index page for your system, and place it at <code>/var/www/html/index.html</code>
# Confirm that you can view the index page
=== MySQL ===
# Start the MySQL service (mysqld).
# '''When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the the MySQL server.''' Follow those instructions to set a password.
# Configure this software to start when the system is booted.
=== MediaWiki ===
# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code>
#* Uncomment the first two <code>Alias</code> lines
#* Reload the httpd configuration using the <code>service</code> command
# Access <code>http://localhost</code> on the machine on which the web server is running (do not do this remotely). You will see the MediaWiki welcome page; click on the setup link.
# Enter the setup information for your wiki:
#* Enter a name for the wiki
#* Enter your learn e-mail address as the contact information
#* Disable all e-mail features
#* Leave the database host as "localhost"
#* Set up a database password
#* Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).
# Click the "Install MediaWiki!" button The installation '''will fail'''. This is because the SELinux policy forbids connections from web scripts to the local database server.
# To fix this, you will need to change an SELinux boolean to enable httpd scripts to connect to a database. Find the SELinux boolean that permits this type of connection, and set the appropriate value.
# Re-submit the MediaWiki setup page.
# Once the setup is complete, you will need to move a file within the MediaWiki directory (inside <code>/var/www</code>). Refer to the directions on the screen.
When you are done, you should be able to go to <code>http://'''hostname'''/wiki</code> from any directly-connected machine.
=== Additional HTTPD Configuration ===
# Configure httpd to serve the <code>public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
== Write-up ==
Create a write-up of this assignment on your wiki. Include at least these pages:
# A main page, describing in general terms what you did.
# A page for your httpd configuration. Include your httpd.conf file.
# A page for your MySQL configuration.
# A page for your SELinux configuration. Include a list of all of your booleans and their current settings. Demonstrate that the configuration is as tight as possible (e.g., don't change booleans unnecessarily).
# A page for your MediaWiki configuration. Include your MediaWiki configuration file.
{{Admon/important|Bonus|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or its your picture).}}
== Submitting the Assignment ==
Your professor will require you to submit this assignment in one of two ways:
# Demonstrate that the wiki is working.
# Use wget to harvest the wiki pages recursively:
#* Issue the command: <code>wget -prk http://'''hostname'''/wiki</code>
#* Create a compressed tar file containing the results and submit it to your professor in the manner he specifies.
Check with your professor for the submission details for your section.
