
Chap 11





  1. Chap 11 System Admin: Core Concepts

  2. A well-maintained system… • Runs quickly enough so users don’t get frustrated • Has enough storage to accommodate users’ reasonable needs • Provides a working environment appropriate to each user’s abilities and requirements • Is secure from malicious and accidental acts that alter its performance or compromise the security of the data it holds • Is backed up regularly • Has recent copies of necessary software • Is easier to administer than a poorly maintained system

  3. System admin and Superuser • Root (the superuser) can add users, partition hard drives, and change system configuration files. sudo can be used to give specific users permission to perform tasks that are normally reserved for the superuser. • rwx file and directory access permissions do not restrict root: the superuser can read from and write to any file, and can execute any file that has at least one execute bit set. • Root can change any user’s password without knowing the old password. • The shell prompt for root is # (an ordinary user’s is $). • /sbin and /usr/sbin contain utilities used mostly by root and are included in root’s PATH. Other users must run them by absolute pathname (or add the directories to their own PATH).

  4. Ways to gain or grant superuser privileges • Bringing the system up in single-user mode (runlevel 1), which by default gives a root shell without asking for a password (so physical access to the console is equivalent to root access). • Logging in as root. • Running su when logged in as a regular user and responding with the root password. • sudo can give users superuser privilege on a per-user and per-command basis (configured in /etc/sudoers); after authenticating with their own password, users can run further sudo commands for a limited amount of time without retyping it. • A setuid root program: when an ordinary user executes a file that is owned by root and has the setuid permission bit set, the program runs with root’s effective UID. Examples: passwd, at, crontab. Every setuid root program is therefore a privilege boundary, and a bug in one is a local root compromise.

  5. Disabling setuid • Setuid can be disabled at the file system level by mounting a file system with the nosuid option (for example in /etc/fstab for /home, /tmp, and removable media): the kernel then ignores the setuid and setgid bits on every file in that file system.

  6. Root Security Concerns • The /etc/securetty file lists the terminals (tty devices) on which root is allowed to log in; the PAM securetty module consults it for services such as login. • The /etc/security/access.conf file specifies login controls for the PAM access module: which users may log in from which terminals or hosts (see example). As shipped, every line is commented out, so it imposes no restrictions until rules are added. • RHEL and Fedora Core prevent root from logging in over the network with login/telnet: pam_securetty refuses a root login on any terminal not listed in /etc/securetty, and network pseudo-terminals are not listed there. sshd does not use pam_securetty, so root can still log in over a network using ssh unless PermitRootLogin no is set in /etc/ssh/sshd_config.

  7. System Administration Tools • su [user] creates a shell or executes a program as the specified user (root if no user is given). • Recommendation: type /bin/su rather than su, in case someone has placed a fake su earlier in your PATH to capture the root password. • Plain su spawns a new shell but keeps the caller’s environment, including the caller’s PATH. • su - (or su -l) starts a login shell, which recreates root’s environment, including root’s PATH.

  8. consolehelper • The consolehelper utility makes it easier for a non-root user to run system programs that normally require root. PAM, which authenticates users, can be configured to trust all console users, to require the user’s own password, or to require the root password before granting trust. For example, a user who has logged in at the console as himself can run halt without knowing the root password.

  9. kill • kill -15 pid (SIGTERM) - use first; it asks the process to terminate and lets it clean up • kill -9 pid (SIGKILL) - use only as a last resort; the process cannot catch it, so it gets no chance to flush data or remove lock files • top can also kill a process: press k and give the PID • pidof vi - lists the PIDs of the named program • killall xeyes vi - signals every process with those names

  10. Rescue Mode • Used to fix a system that does not boot normally • Boot from the rescue or installation CD • At the boot: prompt, type linux rescue and press Enter • In rescue mode you can change or replace configuration files, check and repair partitions using fsck, and more

  11. Avoiding Trojan Horses • Make sure that the PATH variable does not contain : at the beginning or end of the path string • Make sure that there is no :: anywhere in the string. An empty entry means “the current directory”, so if you run a command while in a directory an attacker can write to, the shell may execute the attacker’s program instead of the system one. For the same reason, do not put . in PATH (especially root’s) and do not include world-writable directories.

  12. Checking for setuid files • find / -perm -4000 -exec ls -lh {} \; 2>/dev/null lists every file with the setuid bit set (2>/dev/null hides the permission-denied errors you get when not running as root). Keep the list from a known-good system and compare against it regularly: a setuid root file that was not there before is a classic backdoor.
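The PATH rules from the “Avoiding Trojan Horses” slide and the find command from the slide above, as an added shell example that is not part of the original slides. The function names and the deliberately bad sample PATH are this example’s own; it also goes slightly beyond the slide by flagging world-writable PATH directories, including setgid files in the search, and confining find to one filesystem:

```shell
#!/bin/sh
# Added example (not part of the slides): the two checks from the "Avoiding
# Trojan Horses" and "Checking for setuid files" slides as reusable shell
# functions. Function names and the sample PATH are this example's own.

# check_path PATHSTRING
#   Prints one line per trojan-horse risk found in PATHSTRING and returns 1 if
#   any was found, 0 if the PATH is clean. Risks checked:
#     - an empty entry (leading ':', trailing ':' or '::'), which the shell
#       interprets as the current directory
#     - an explicit '.' or any other relative entry (same effect)
#     - a directory that is world-writable, where anyone can plant a binary
check_path() {
  path=$1 bad=0
  case $path in :*)   echo "leading ':' -> current directory searched first";  bad=1 ;; esac
  case $path in *:)   echo "trailing ':' -> current directory searched last";  bad=1 ;; esac
  case $path in *::*) echo "'::' -> current directory searched in the middle"; bad=1 ;; esac
  oldifs=$IFS; IFS=:
  set -f; set -- $path; set +f          # split on ':' without globbing
  IFS=$oldifs
  for dir in "$@"; do
    case $dir in
      '')  ;;                           # empty entry, already reported above
      /*)  # ls -L follows symlinks such as /bin -> usr/bin; column 9 is the
           # "other" write bit of the mode string (drwxrwxrwx)
           if [ -d "$dir" ] && [ "$(ls -ldL "$dir" | cut -c9)" = w ]; then
             echo "$dir is world-writable"; bad=1
           fi ;;
      *)   echo "relative entry '$dir' -> resolved against the current directory"; bad=1 ;;
    esac
  done
  return $bad
}

# find_setuid DIR
#   Lists, ls -l style, every regular file below DIR with the setuid or setgid
#   bit set. -xdev keeps the search on DIR's filesystem, so /proc, NFS mounts
#   and removable media are skipped; run it once per filesystem of interest.
#   Save the output from a known-good system and diff against it later.
find_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null
}

# Demo on a deliberately bad, constructed PATH. On a real system run
# check_path "$PATH" and, as root, find_setuid / (then /usr, /home, ... as needed).
if check_path ":/usr/local/bin:.:/usr/bin::/bin:"; then
  echo "PATH is clean"
else
  echo "PATH has trojan-horse risks"
fi
```

Run check_path against root’s PATH after every change to /etc/profile or root’s shell startup files; a clean PATH is what makes the /bin/su advice on the “System Administration Tools” slide unnecessary.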

  13. SELinux • Traditional Linux security, called Discretionary Access Control (DAC), is based on users and groups: the owner of a file decides who may access it. • SELinux (Security Enhanced Linux) was developed by the US National Security Agency and implements Mandatory Access Control (MAC) in the Linux kernel. MAC enforces a system-wide security policy that limits what a user or program can do regardless of file ownership. The policy controls some or all objects, such as files, devices, sockets, and ports, and some or all subjects, such as processes.

  14. SELinux • Using SELinux, you can grant a process only the permissions it needs to function, following the principle of “least privilege”: a compromised daemon confined by SELinux cannot read or write anything its policy does not allow, even if it runs as root. • The kernel checks the traditional DAC rules first; only if they allow the access does it consult the SELinux MAC policy. SELinux can therefore only take permissions away, never grant an access that DAC denies.

  15. SELinux States • Enforcing/Active – default state. The SELinux security policy is enforced: no user or program can do anything not permitted by the policy, and denials are logged. • Permissive/Warn – diagnostic state in which SELinux logs what it would have denied but does not enforce the policy; useful for finding out which rules a new application needs. You can switch between enforcing and permissive at run time with setenforce 1 and setenforce 0. • Disabled – no policy is loaded; changing to or from this state takes effect only at the next reboot.

  16. Degradation • Running SELinux in the permissive or enforcing state degrades system performance by roughly 5 to 10 percent, because every access decision is checked against the policy.

  17. SELinux Policies • Targeted – applies SELinux MAC controls only to certain targeted processes, mainly network-facing daemons. Daemons and system processes that do not have a specified policy run unconfined and are controlled only by traditional Linux DAC. • Strict – applies SELinux MAC controls to all processes. Very, very restrictive, and hard to keep working on a general-purpose system.

  18. Turning off SELinux • Modify the /etc/selinux/config file so that it includes the line SELINUX=disabled and reboot, or use system-config-securitylevel. • Caveat: while SELinux is disabled, new files are created without security contexts, so enabling it again later requires a full relabel of the file system (touch /.autorelabel before rebooting), which can take a long time. To stop enforcement temporarily, use setenforce 0 instead of disabling SELinux.

  19. The SELinux Configuration File • The /etc/selinux/config file (to which /etc/sysconfig/selinux is a symbolic link) controls the state of SELinux on the local system at boot time through its SELINUX= and SELINUXTYPE= lines. • Although you can modify this file directly, it may be more straightforward to work with system-config-securitylevel.

  20. To Display the state of SELinux • sestatus shows the current mode, the mode from the configuration file, and the policy in use; getenforce prints just the current mode (Enforcing, Permissive, or Disabled).

  21. system-config-securitylevel utility • The system-config-securitylevel utility displays the Security Level Configuration window, which controls SELinux (and the firewall). To run this utility, enter system-config-securitylevel from a command line in a graphical environment.
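A check that ties the configuration file and the running state together, as an added shell example that is not part of the original slides: it reads the SELINUX= line from a file in /etc/selinux/config format and compares it with what getenforce reports, so a system that was configured enforcing but has been switched to permissive at run time (setenforce 0) stands out. The file path and the getenforce output are passed in as arguments, and the function names and the sample configuration are this example’s own:

```shell
#!/bin/sh
# Added example (not part of the slides): compares the SELinux mode a system
# is configured to boot into (the SELINUX= line of a file in
# /etc/selinux/config format) with the mode currently reported by getenforce,
# so a runtime downgrade such as `setenforce 0` is noticed. Both inputs are
# passed as arguments so the functions can be run on constructed data;
# function names are this example's own.

# selinux_config_value FILE KEY
#   Prints the value of KEY=value in FILE, ignoring comments, blank lines and
#   whitespace around '='; if KEY appears more than once, the last one wins.
selinux_config_value() {
  sed -n '
    s/#.*//
    /^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*/{
      s///
      s/[[:space:]]*$//
      p
    }' "$1" | tail -n 1
}

# selinux_check FILE CURRENT_MODE
#   CURRENT_MODE is what getenforce prints: Enforcing, Permissive or Disabled.
#   Returns 0 if the running mode matches the configured one, 1 if they differ
#   (drift), 2 if the configured value is not one of the three legal ones.
selinux_check() {
  configured=$(selinux_config_value "$1" SELINUX)
  policy=$(selinux_config_value "$1" SELINUXTYPE)
  running=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case $configured in
    enforcing|permissive|disabled) ;;
    *) echo "BAD CONFIG: SELINUX='$configured' in $1 is not enforcing/permissive/disabled"
       return 2 ;;
  esac
  if [ "$configured" = "$running" ]; then
    echo "ok: SELinux is $running (policy: ${policy:-not set})"
    return 0
  fi
  case "$configured:$running" in
    enforcing:permissive)
      echo "DRIFT: configured enforcing but running permissive (setenforce 0 at run time?)" ;;
    *:disabled)
      echo "DRIFT: configured $configured but SELinux is disabled; no policy is loaded" ;;
    *)
      echo "DRIFT: configured $configured but running $running (reboot pending?)" ;;
  esac
  return 1
}

# Demo on a constructed config file. On a live system, run
#   selinux_check /etc/selinux/config "$(getenforce)"
demo=$(mktemp)
cat >"$demo" <<'EOF'
# This file controls the state of SELinux on the system (constructed sample).
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF
selinux_check "$demo" Enforcing  || true
selinux_check "$demo" Permissive || true
rm -f "$demo"
```

Running this from cron (see the cron slides at the end) turns a silent setenforce 0 into a logged event.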

  22. Booting the System • Booting is loading the kernel into system RAM and starting it running. As the last step of the boot procedure, the kernel runs the init program as PID 1. init is the first genuine process to run after booting and is the parent of all system processes. • /etc/inittab holds the initdefault entry that tells init which runlevel to bring the system to: 3 – multiuser with text login, 5 – multiuser with graphical login.

  23. Init Scripts: start and stop system services • The first script that runs is /etc/rc.d/rc.sysinit, which performs basic system configuration. • Next, the /etc/rc.d/rc init script runs the scripts for the services that need to be started or stopped when the system enters the target runlevel. The rc scripts are shell scripts located in the /etc/rc.d/init.d directory and are run via symbolic links in the /etc/rc.d/rcn.d directories, where n is the runlevel the system is entering.

  24. rc scripts • Each /etc/rc.d/rcn.d directory contains links whose names begin with K (kill) and links whose names begin with S (start), followed by a two-digit number and the service name. When entering a new runlevel, each K link is executed in name order with the argument stop, and then each S link is executed in name order with the argument start; the number is what fixes the order.

  25. /etc/rc.d/init.d • Each link in /etc/rc.d/rcn.d points to a script in /etc/rc.d/init.d. The script names are functional (network, nfs, sshd, …) and the scripts can be run directly with the start or stop argument to control these services.

  26. To start/stop system services • /etc/rc.d/init.d/nfs stop • /etc/rc.d/init.d/network start • /etc/rc.d/init.d/network restart

  27. /etc/rc.d/rc.local • This file is executed after the other init scripts. Put commands that customize the system in rc.local

  28. service • RHEL provides service, a utility that reports on or changes the status of any of the system services in /etc/rc.d/init.d • /sbin/service nfs stop • /sbin/service network start • /sbin/service network restart

  29. chkconfig • chkconfig configures services. It can add, remove, and list startup information, and check the directory hierarchy (it configures the links under /etc/rc.d) – it changes the configuration only, not currently running services! • To see the list of services configured at each runlevel: chkconfig --list (two dashes!) • To turn on httpd at runlevels 2, 3, and 4: chkconfig --level 234 httpd on

  30. chkconfig cont. • If you omit the levels, chkconfig defaults to levels 2, 3, 4, and 5: chkconfig sshd off • turns off sshd for runlevels 2, 3, 4, and 5 • chkconfig sets up the S and K links so that the specified services are started at boot time.

  31. chkconfig cont. • chkconfig does not start or stop services immediately; its changes take effect the next time the system enters the runlevel, for example on reboot. • To start or stop a service immediately: service sshd stop
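How the S/K links of slides 23 to 31 fit together, as an added shell example that is not part of the original slides: a miniature chkconfig that reads the “# chkconfig:” header of an init script and creates the links, and a miniature /etc/rc.d/rc that walks an rcn.d directory. It works on a constructed directory tree instead of the real /etc/rc.d, so it can be run as an ordinary user; the function names and the three stub services are this example’s own, not RHEL’s tools:

```shell
#!/bin/sh
# Added example (not part of the slides): a miniature model of what chkconfig
# and /etc/rc.d/rc do with the S/K links described above, run against a
# constructed directory tree instead of the real /etc/rc.d so an unprivileged
# user can try it. The layout (init.d, rcN.d, S/K links, the "# chkconfig:"
# header) follows RHEL; the two functions are this example's, not RHEL's tools.

# chkconfig_on ROOT SERVICE
#   Reads the "# chkconfig: <levels> <start-prio> <stop-prio>" header from
#   ROOT/init.d/SERVICE and, like `chkconfig SERVICE on`, creates an
#   S<start>SERVICE link in each listed runlevel and a K<stop>SERVICE link in
#   every other runlevel 0-6. Returns 1 if the script has no header.
chkconfig_on() {
  root=$1 svc=$2
  hdr=$(sed -n 's/^#[[:space:]]*chkconfig:[[:space:]]*//p' "$root/init.d/$svc" | head -n 1)
  [ -n "$hdr" ] || { echo "$svc: no '# chkconfig:' header" >&2; return 1; }
  set -- $hdr                          # -> levels start stop
  levels=$1 start=$2 stop=$3
  for lvl in 0 1 2 3 4 5 6; do
    d=$root/rc$lvl.d
    mkdir -p "$d"
    rm -f "$d"/[SK][0-9][0-9]"$svc"    # drop links from an earlier configuration
    case $levels in
      *$lvl*) ln -s "../init.d/$svc" "$d/S$start$svc" ;;
      *)      ln -s "../init.d/$svc" "$d/K$stop$svc" ;;
    esac
  done
}

# run_rc_dir ROOT LEVEL
#   Emulates /etc/rc.d/rc entering runlevel LEVEL: every K* link is run with
#   the argument "stop", then every S* link with "start", each group in name
#   order. The two-digit number after S or K is what fixes that order, which
#   is why the header priorities matter (network must start before nfs, and
#   nfs must stop before network). The real rc also skips starting a service
#   whose /var/lock/subsys file already exists; that check is omitted here.
run_rc_dir() {
  d=$1/rc$2.d
  for link in "$d"/K*; do
    [ -e "$link" ] || continue         # pattern matched nothing
    sh "$link" stop
  done
  for link in "$d"/S*; do
    [ -e "$link" ] || continue
    sh "$link" start
  done
}

# --- demo on a constructed tree; nothing outside $root is touched ---
root=$(mktemp -d)
mkdir -p "$root/init.d"
mk_script() {          # mk_script NAME LEVELS START STOP: a stub init script
  cat >"$root/init.d/$1" <<EOF
#!/bin/sh
# chkconfig: $2 $3 $4
echo "$1 \$1"
EOF
}
mk_script network 2345 10 90
mk_script sshd    2345 55 25
mk_script nfs     345  60 20    # not part of runlevel 2
for s in network sshd nfs; do chkconfig_on "$root" "$s"; done
for rl in 2 3 0; do
  echo "== entering runlevel $rl"
  run_rc_dir "$root" "$rl"
done
rm -rf "$root"
```

Entering runlevel 2 stops nfs (K20nfs) and starts network then sshd; entering runlevel 3 starts network, sshd, nfs; entering runlevel 0 stops them in the reverse order, nfs, sshd, network, because the K numbers (20, 25, 90) were chosen that way.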

  32. Using chkconfig video

  33. To change runlevels while running • /sbin/telinit 1 - changes to runlevel 1 • telinit 3 - changes to runlevel 3 • runlevel - displays the previous and current runlevel

  34. Shutdown options • To stop the system: shutdown -h now • To reboot the system: shutdown -r now

  35. rpcinfo • rpcinfo displays information about programs registered with portmap and makes RPC calls to programs to see if they are alive. • -p (probe) lists all RPC programs registered on host, or on the local system if no host is specified • -n port - use the given port number instead of asking portmap • -u (UDP) and -t (TCP) make an RPC call to the named program over that protocol • Example: rpcinfo -p hostname

  36. rpcinfo cont. • Because the portmap daemon holds information about which RPC servers are running on the local system and which port each is listening on, it is a reconnaissance target: only trusted systems should have access to it. portmap is linked against libwrap, so you can lock it down by adding portmap: hostIP to /etc/hosts.allow and portmap: ALL to /etc/hosts.deny.

  37. xinetd Superserver • More secure than the older inetd (built-in access control, logging, and connection limits). It listens for network connections on behalf of infrequently used services; when a connection is made, it launches the server daemon and hands it the socket as standard input and output. • Configuration: /etc/xinetd.conf and the per-service files in /etc/xinetd.d

  38. PAM • Linux Pluggable Authentication Modules allow a system administrator to determine how applications use authentication to verify the identity of a user, by editing a per-service configuration file rather than the application. • Example: /etc/pam.d/login

  39. TCP Wrappers • When you open a local system to access from remote systems, you must ensure that the following are met: • Open the local system only to systems you want to allow to access it • Allow each remote system to access only the data you want it to access • Allow each remote system to access that data only in the proper manner

  40. TCP wrappers • TCP wrappers can be used for any daemon that is linked against libwrap.a. They rely on the /etc/hosts.allow and /etc/hosts.deny files for access control. • If the daemon/client pair matches a line in hosts.allow, access is granted • Otherwise, if the daemon/client pair matches a line in hosts.deny, access is denied • If there is no match in either file, access is granted. Because the default is open, a real lockdown needs an explicit ALL: ALL line in hosts.deny, with the permitted pairs listed in hosts.allow.

  41. cron • cron is the system scheduler. It uses the crond daemon and per-user crontab files to run repetitive tasks at the times and dates the user specifies. Entries run with the owning user’s ID and privileges, and each user’s crontab is stored in a file named after that user. crond wakes up every minute to check whether there are jobs that need to be run.

  42. cron example • To create or modify your crontab: crontab -e (this opens your crontab in the editor named by the EDITOR or VISUAL variable, vi by default) • To view the contents of the file: crontab -l • To delete the file: crontab -r • Your crontab is stored on RHEL in the directory /var/spool/cron under your username; do not edit it there, because crond is only told about changes made through the crontab command. • The crond daemon checks the crontab files every minute to determine whether a task should be launched in that minute. • Each line in a crontab file has 6 whitespace-separated fields; the first five give the time and may each be * (any), a number, a range (a-b), a list (a,b,c), or a step (*/n): • minute (0-59) • hour (0-23) • day of the month (1-31) • month (1-12) • day of the week (0-7, where 0 and 7 are Sunday) • command (the rest of the line, run by sh)
