Chap 11 - Victoria College


Chap 11
System Admin: Core Concepts
A well-maintained system…
• Runs quickly enough so users don’t get frustrated
• Has enough storage to accommodate users’ reasonable
needs
• Provides a working environment appropriate to each
user’s abilities and requirements
• Is secure from malicious and accidental acts altering its
performance or compromising the security of the data it
holds
• Is backed up regularly
• Has recent copies of necessary software
• Is easier to administer than a poorly maintained system
System admin and Superuser
• Root (superuser)
– Can add users, partition hard drives, change system
configuration files. Sudo can be used to give specific users
permission to perform tasks that are normally reserved for
superuser.
– rwx file and directory access permissions do not affect root.
Superuser can read from, write to, and execute all files.
– Root can change a password without knowing the old password
– #
– /bin and /usr/bin contain utilities used often by root. Included in
root’s PATH. Other users must access them by absolute path name.
Ways to gain or grant su privileges
• Bringing up the system in single user mode
• Log in as root
• su when logged in as a regular user and respond with
root password
• sudo can give users superuser privilege for a limited
amount of time on a per-user and per-command basis.
• A user can create a setuid file. Remember that when an
ordinary user executes a file that is owned by root and
has setuid permissions, the program has full root
privileges. Examples: passwd, at, crontab
Disabling setuid
• Setuid can be disabled at the file system
level by mounting a file system with the
nosuid option.
Root Security Concerns
• /etc/securetty file controls which terminals a user
can log in on as root.
• /etc/security/access.conf file specifies login
controls (see example)
• RHEL and Fedora Core prohibit the login of root
over the Internet. Implemented by the PAM
securetty module. /etc/security/access.conf
must contain the names of all users and
terminals/workstations that you want a user to
be able to log in as root. Initially every line is
commented out. Root can log in over a network
using ssh.
System Administration Tools
• su user – can create a shell or execute a
program as the specified user
• Recommendation: use /bin/su in case someone
has compromised your system with a fake su
command
• su spawns a new shell, but does not re-run the
PATH statement or change the environment
• su - or su -l recreates the root environment as
well as re-running the PATH statement
consolehelper
• The consolehelper utility makes it easier
for a non-root user to run root system
programs. PAM, which authenticates
users, can be set to trust all console users,
to require user passwords, or to require
root passwords before granting trust. For
example, a user can log in to the console
as himself and run halt without knowing
the root password.
kill
• kill -15 pid - use first
• kill -9 pid - use only as a last resort
because of the inherent dangers
• top can also be used to kill a process by
using the k option
• pidof vi
• killall xeyes vi
Rescue Mode
• Used to fix a system that is not booting
normally
1. Boot from rescue or installation CD
2. At the boot: prompt, press Enter
3. linux rescue
• In rescue mode, you can change or replace
configuration files, check and repair
partitions using fsck, and more
Avoiding Trojan Horses
• Make sure that the PATH variable doesn’t
contain : at the beginning or end of the
path string
• Make sure that there are no :: anywhere in
the string
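A leading or trailing : or a :: creates an empty PATH entry, which the shell treats as the current directory, so a program planted in a writable directory can run in place of the real command. The function below is an added example, not part of the original slides: it checks the cases listed above and goes one step further by flagging "." and other relative entries, which carry the same risk. The name check_path is hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides): audit a PATH string for entries that
# make the shell search the current directory.
# check_path is a hypothetical helper name. It prints one line per finding and
# returns 0 for a clean PATH, 1 otherwise. The body runs in a subshell so the
# IFS and globbing changes below never leak into the caller.
check_path() (
    p=$1
    rc=0
    [ -n "$p" ] || { echo "PATH is empty"; exit 1; }
    # The three cases named on the slide: each one creates an empty entry.
    case $p in :*)   echo "leading ':' (empty entry = current directory)"; rc=1 ;; esac
    case $p in *:)   echo "trailing ':' (empty entry = current directory)"; rc=1 ;; esac
    case $p in *::*) echo "'::' inside PATH (empty entry = current directory)"; rc=1 ;; esac
    # Beyond the slide: '.' and other relative entries carry the same risk.
    set -f      # no filename expansion while splitting
    IFS=:
    for dir in $p; do
        case $dir in
            ""|/*) ;;   # empty entries were reported above; absolute is fine
            *) echo "relative entry '$dir' (resolved against current directory)"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Check the PATH of the shell running this script.
check_path "$PATH" || echo "Fix PATH before working as root."
```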
Checking for setuid files
find / -perm -4000 -exec ls -lh {} \; 2>/dev/null
SELinux
• Traditional Linux Security, called Discretionary
Access Control (DAC) is based on users and
groups.
• SELinux (Security Enhanced Linux) was
developed by the US National Security Agency
and implements Mandatory Access Control
(MAC) in the Linux kernel. MAC enforces
security policies that limit what a user or
program can do. It defines a security policy that
controls some or all objects, such as files,
devices, sockets, and ports, and some or all
subjects such as processes.
SELinux
• Using SELinux, you can grant a process
only the permissions that it needs to be
functional, following the principle of “least
privilege”
• The kernel processes MAC rules after it processes
DAC rules
SELinux States
• Enforcing/Active – default state. SELinux
security policy is enforced. No user or program
will be able to do anything not permitted by the
security policy
• Permissive/Warn – diagnostic state, wherein
SELinux sends warning messages to a log but
does not enforce the security policy; can easily
change to enforcing or disabled
• Disabled – no policy is loaded
Degradation
• Running SELinux in permissive or
enforcing state degrades system
performance between 5 and 10 percent.
SELinux Policies
• Targeted – applies SELinux MAC controls
only to certain targeted processes.
Daemons and system processes that do
not have a specified policy are controlled
by traditional Linux DACs.
• Strict – applies SELinux MAC controls to
all processes. Very, very restrictive
Turning off SELinux
• Modify the /etc/selinux/config file so that it
includes the line SELINUX=disabled and
reboot
or use system-config-securitylevel
The SELinux Configuration File
• The /etc/selinux/config file, which has a link to
/etc/sysconfig/selinux, controls the state of
SELinux on the local system
• Although you can modify this file, it may be
more straightforward to work with system-config-securitylevel
To Display the state of SELinux
• sestatus
System-config-securitylevel utility
• The system-config-securitylevel utility
displays the Security Level Configuration
window which controls SELinux. To run
this utility, enter system-config-securitylevel
from a command line in a
graphical environment
Booting the System
• Booting is actually loading the kernel into system
RAM and starting it running. As the last step of
the boot procedure, Linux runs the init program
as PID 1. The init program is the first genuine
process to run after booting and is the parent of
all system processes.
• /etc/inittab holds initdefault entry that tells init
what runlevel to bring the system to. 3 – text
login, 5 – GUI
Level  Name                   Login  Network  Filesystems
0      halt
1      Single user            Text   Down     Mounted
2      Multiuser without NFS  Text   Up       Mounted
3      Multiuser              Text   Up       Mounted
4      User defined
5      Multiuser with GUI     X      Up       Mounted
6      reboot
Init Scripts: start and stop system
services
• First script that runs is /etc/rc.d/rc.sysinit which
performs basic system configuration.
• Next, the /etc/rc.d/rc init script runs the scripts
for the services that need to be started when you
first bring the system up and that need to be
started or stopped. The rc scripts are shell
scripts located in the /etc/rc.d/init.d directory and
run via symbolic links in the /etc/rc.d/rcn.d
directories where n is the runlevel the system is
entering.
Rc scripts
• /etc/rc.d/rcn.d directory contains scripts
whose names begin with K (Kill) and
scripts whose names begin with S (start).
When entering a new runlevel, each K
script is executed sequentially with a
parameter of stop and each S is executed
with a parameter of start
/etc/rc.d/init.d
• Each script should point to a link in
/etc/rc.d/rcn.d. The script names are
functional and can be used with the start
or stop parameter to control these
processes
To start/stop system services
• /etc/rc.d/init.d/nfs stop
• /etc/rc.d/init.d/network start
• /etc/rc.d/init.d/network restart
/etc/rc.d/rc.local
• This file is executed after the other init
scripts. Put commands that customize the
system in rc.local
service
• RHEL provides service, a utility that
reports on or changes the status of any of
the system services in /etc/rc.d/init.d
• /sbin/service nfs stop
• /sbin/service network start
• /sbin/service network restart
chkconfig
• Chkconfig configures services. Can add,
remove, list startup information, and check
the directory hierarchy. (configures
/etc/rc.d) – changes configuration only, not
currently running services!
• To see list of services configured at each
run level,
chkconfig --list
(2 dashes!)
• To turn on httpd at runlevels 2, 3, and 4,
chkconfig --level 234 httpd on
Chkconfig cont.
• If you omit the levels, chkconfig defaults to
levels 2, 3, 4, and 5.
chkconfig sshd off
• Will turn off sshd for runlevels 2, 3, 4, and 5
• Chkconfig sets up the configuration file so
that the services specified will be started
at boot-up time.
Chkconfig cont.
• Chkconfig will not turn off services
immediately. You must restart the system
for changes to take effect.
• To start or stop services immediately,
service sshd stop
To change modes while running
• /sbin/telinit 1 – changes to runlevel 1
• telinit 3 - changes to runlevel 3
• runlevel
– Displays the current runlevel
Shutdown options
• To stop the system:
shutdown -h now
• To reboot the system:
shutdown -r now
rpcinfo
• rpcinfo displays information about
programs registered with portmap and
makes RPC calls to programs to see if
they are alive.
– -p (probe) lists all RPC programs on host or
local system if no host is specified
– -n (port number)
– -u (udp)
– -t (tcp)
rpcinfo -p hostname
Rpcinfo cont
• Because the portmap daemon holds info
about which servers are running on the
local system and which port each server is
running on, only trusted systems should
have access to this information. You can
lock it down by adding ‘portmap: hostIP’ to
the hosts.allow file and by placing ‘portmap:
ALL’ in the hosts.deny file
Xinetd Superserver
• More secure than inetd. Listens for
network connections. When one is made,
it launches a server daemon and forwards
the data from the socket to the daemon’s
standard input.
• /etc/xinetd.conf
PAM
• Linux Pluggable Authentication Modules
allow a system administrator to determine
how applications use authentication to
verify the identity of a user.
• /etc/pam.d/login
TCP Wrappers
• When you open a local system to access
from remote systems, you must ensure
that the following are met:
– Open the local system only to systems you
want to allow to access it
– Allow each remote system to access only the
data you want it to access.
– Allow each remote system to access data only
in the proper manner
TCP wrappers
• TCP wrappers can be used for any
daemon that is linked against libwrap.a.
They rely on the /etc/hosts.allow and the
/etc/hosts.deny file for access control.
• If a daemon/client pair matches a line in
hosts.allow, access is granted.
• If a daemon/client pair matches a line in
hosts.deny, access is denied.
• If no match in either, access is granted.
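The decision order above, applied to the portmap lockdown from the rpcinfo slide, as an added example that is not part of the original slides. It is a simplified model (exact names and ALL only; real libwrap accepts more patterns), and the function names, temporary file locations and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the slides): the hosts.allow / hosts.deny decision
# order, reduced to exact names and the ALL wildcard. Real libwrap understands
# many more patterns. Function names and sample addresses are constructed.

# rule_matches DAEMON CLIENT FILE: true if a "daemons: clients" line matches.
rule_matches() {
    [ -f "$3" ] || return 1
    while IFS=: read -r daemons clients; do
        case $daemons in ''|'#'*) continue ;; esac      # skip blanks, comments
        for d in $(echo "$daemons" | tr ',' ' '); do
            [ "$d" = "$1" ] || [ "$d" = ALL ] || continue
            for c in $(echo "$clients" | tr ',' ' '); do
                if [ "$c" = "$2" ] || [ "$c" = ALL ]; then return 0; fi
            done
        done
    done < "$3"
    return 1
}

# tcpd_decision DAEMON CLIENT ALLOW_FILE DENY_FILE: prints granted or denied.
tcpd_decision() {
    if rule_matches "$1" "$2" "$3"; then echo granted      # 1. hosts.allow
    elif rule_matches "$1" "$2" "$4"; then echo denied     # 2. hosts.deny
    else echo granted                                      # 3. no match at all
    fi
}

# Constructed rule files: the portmap lockdown from the rpcinfo slide.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'portmap: 192.0.2.10\n' > "$demo_dir/hosts.allow"
printf 'portmap: ALL\n'        > "$demo_dir/hosts.deny"
decide() { tcpd_decision "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"; }

echo "portmap from 192.0.2.10:   $(decide portmap 192.0.2.10)"
echo "portmap from 198.51.100.7: $(decide portmap 198.51.100.7)"
# sshd appears in neither file, so rule 3 grants access.
echo "sshd from 198.51.100.7:    $(decide sshd 198.51.100.7)"

# Ending hosts.deny with ALL: ALL turns "no match" into a denial.
printf 'ALL: ALL\n' >> "$demo_dir/hosts.deny"
echo "sshd after ALL: ALL:       $(decide sshd 198.51.100.7)"
```

The third line of output is the case to watch: a wrapped daemon that appears in neither file is reachable from any client until hosts.deny has a catch-all entry.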
cron
• Cron is a system scheduler. It uses the
crond daemon and the crontab to allow
you to run repetitive tasks at the time and
date specified by a user in the user’s
crontab file. Entries run with the user’s ID
and privileges and are stored as the
username. Cron wakes up every minute
to check to see if there are jobs that need
to be run.
Cron example
• to create or modify the configuration file use:
– crontab -e
This will allow you to edit your own crontab using vi
• to view the contents of the file use:
– crontab -l
• to delete the file use:
– crontab -r
• Your configuration file is stored in the directory: /var/spool/crontabs
under your username.
• The crond daemon checks the crontab files every minute to
determine if a task should be launched in that minute.
• Each line in a crontab file has 6 fields:
– minute
– hour
– day of the month
– month
– day of the week