RH253 - Red Hat Enterprise Linux Network Services and Security Administration

http://www.way2download.com/linux/RH253/ [2008/02/06 08:25:50 PM]

Contents

Introduction - RH253: Network Services and Security Administration
    Copyright
    Welcome
    Participant Introductions
    Red Hat Enterprise Linux
    Red Hat Enterprise Linux Variants
    Red Hat Network
    Other Red Hat Supported Software
    The Fedora Project
    Classroom Network
    Objectives of RH253
    Audience and Prerequisites

Unit 1 - System Performance and Security
    Objectives
    System Resources as Services
    Security in Principle
    Security in Practice
    Security Policy: the People
    Security Policy: the System
    Response Strategies
    System Faults and Breaches
    Method of Fault Analysis
    Fault Analysis: Hypothesis
    Method of Fault Analysis, continued
    Fault Analysis: Gathering Data
    Benefits of System Monitoring
    Network Monitoring Utilities
    Networking, a Local view
    Networking, a Remote view
    File System Analysis
    Typical Problematic Permissions
    Monitoring Processes
    Process Monitoring Utilities
    System Activity Reporting
    Managing Processes by Account
    System Log Files
    syslogd and klogd Configuration
    Log File Analysis
    End of Unit 1

Unit 2 - System Service Access Controls
    Objectives
    System Resources Managed by init
    System Initialization and Service Management
    chkconfig
    Initialization Script Management
    xinetd Managed Services
    xinetd Default Controls
    xinetd Service Configuration
    xinetd Access Controls
    Host Pattern Access Controls
    The /etc/sysconfig/ files
    Service and Application Access Controls
    tcp_wrappers Configuration
    Daemon Specification
    Client Specification
    Macro Definitions
    Extended Options
    A tcp_wrappers Example
    xinetd and tcp_wrappers
    SELinux
    SELinux, continued
    SELinux: Targeted Policy
    SELinux: Management
    SELinux: semanage
    SELinux: File Types
    End of Unit 2

Unit 3 - Network Resource Access Controls
    Objectives
    Routing
    IPv6 Features
    Implementing IPv6
    IPv6: Dynamic Interface Configuration
    IPv6: Static Interface Configuration
    IPv6: Routing Configuration
    tcp_wrappers and IPv6
    New and Modified Utilities
    Netfilter Overview
    Netfilter Tables and Chains
    Netfilter Packet Flow
    Rule Matching
    Rule Targets
    Simple Example
    Basic Chain Operations
    Additional Chain Operations
    Rules: General Considerations
    Match Arguments
    Connection Tracking
    Connection Tracking, continued
    Connection Tracking Example
    Network Address Translation (NAT)
    DNAT Examples
    SNAT Examples
    Rules Persistence
    Sample /etc/sysconfig/iptables
    IPv6 and ip6tables
    End of Unit 3

Unit 4 - Organizing Networked Systems
    Objectives
    Host Name Resolution
    The Stub Resolver
    DNS-Specific Resolvers
    Trace a DNS Query with dig
    Other Observations
    Forward Lookups
    Reverse Lookups
    Mail Exchanger Lookups
    SOA Lookups
    SOA rdata
    Being Authoritative
    The Everything Lookup
    Exploring DNS with host
    Transitioning to the Server
    Service Profile: DNS
    Access Control Profile: BIND
    Getting Started with BIND
    Essential named Configuration
    Configure the Stub Resolver
    bind-chroot Package
    caching-nameserver Package
    Address Match List
    Access Control List (ACL)
    Built-In ACLs
    Server Interfaces
    Allowing Queries
    Allowing Recursion
    Allowing Transfers
    Modifying BIND Behavior
    Access Controls: Putting it Together
    Slave Zone Declaration
    Master Zone Declaration
    Zone File Creation
    Tips for Zone Files
    Testing BIND Syntax Utilities
    Advanced BIND Topics
    Remote Name Daemon Control (rndc)
    Delegating Subdomains
    DHCP Overview
    Service Profile: DHCP
    Configuring an IPv4 DHCP Server
    End of Unit 4

Unit 5 - Network File Sharing Services
    Objectives
    File Transfer Protocol (FTP)
    Service Profile: FTP
    Network File System (NFS)
    Service Profile: NFS
    Port options for the Firewall
    NFS Server
    NFS utilities
    Client-side NFS
    Samba services
    Service Profile: SMB
    Configuring Samba
    Overview of smb.conf Sections
    Configuring File and Directory Sharing
    Printing to the Samba Server
    Authentication Methods
    Passwords
    Samba Syntax Utility
    Samba Client Tools: smbclient
    Samba Client Tools: nmblookup
    Samba Client Tools: mounts
    Samba Mounts in /etc/fstab
    End of Unit 5

Unit 6 - Web Services
    Objectives
    Apache Overview
    Service Profile: HTTPD
    Apache Configuration
    Apache Server Configuration
    Apache Namespace Configuration
    Virtual Hosts
    Apache Access Configuration
    Apache Syntax Utilities
    Using .htaccess Files
    .htaccess Advanced Example
    CGI
    Notable Apache Modules
    Apache Encrypted Web Server
    Squid Web Proxy Cache
    Service Profile: Squid
    Useful parameters in /etc/squid/squid.conf
    End of Unit 6

Unit 7 - Electronic Mail Services
    Objectives
    Essential Email Operation
    Simple Mail Transfer Protocol
    SMTP Firewalls
    Mail Transport Agents
    Service Profile: Sendmail
    Intro to Sendmail Configuration
    Incoming Sendmail Configuration
    Outgoing Sendmail Configuration
    Inbound Sendmail Aliases
    Outbound Address Rewriting
    Sendmail SMTP Restrictions
    Sendmail Operation
    Using alternatives to Switch MTAs
    Service Profile: Postfix
    Intro to Postfix Configuration
    Incoming Postfix Configuration
    Outgoing Postfix Configuration
    Inbound Postfix Aliases
    Outbound Address Rewriting
    Postfix SMTP Restrictions
    Postfix Operation
    Procmail, A Mail Delivery Agent
    Procmail and Access Controls
    Intro to Procmail Configuration
    Sample Procmail Recipe
    Mail Retrieval Protocols
    Service Profile: Dovecot
    Dovecot Configuration
    Verifying POP Operation
    Verifying IMAP Operation
    End of Unit 7

Unit 8 - Securing Data
    Objectives
    The Need For Encryption
    Cryptographic Building Blocks
    Random Number Generator
    One-Way Hashes
    Symmetric Encryption
    Asymmetric Encryption I
    Asymmetric Encryption II
    Public Key Infrastructures
    Digital Certificates
    Generating Digital Certificates
    OpenSSH Overview
    OpenSSH Authentication
    The OpenSSH Server
    Service Profile: SSH
    OpenSSH Server Configuration
    The OpenSSH Client
    Protecting Your Keys
    Applications: RPM
    End of Unit 8

Unit 9 - Account Management
    Objectives
    User Accounts
    Account Information (Name Service)
    Name Service Switch (NSS)
    getent
    Authentication
    Pluggable Authentication Modules (PAM)
    PAM Operation
    /etc/pam.d/ Files: Tests
    /etc/pam.d/ Files: Control Values
    Example: /etc/pam.d/login File
    The system_auth file
    pam_unix.so
    Network Authentication
    auth Modules
    Password Security
    Password Policy
    session Modules
    Utilities and Authentication
    PAM Troubleshooting
    End of Unit 9

Appendix A - Installing Software
    Software Installation
Introduction

RH253: Network Services and Security Administration

RH253-RH253-RHEL5-en-1-20070325
Copyright © 2007 Red Hat, Inc. All rights reserved
http://www.way2download.com/linux/RH253/introduction/page01.html [2008/02/06 08:25:57 PM]
Copyright

● The contents of this course and all its modules and related materials, including handouts to audience members, are Copyright © 2007 Red Hat, Inc.
● No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Red Hat, Inc.
● This instructional program, including all material provided herein, is supplied without any guarantees from Red Hat, Inc. Red Hat, Inc. assumes no liability for damages or legal action arising from the use or misuse of contents or details contained herein.
● If you believe Red Hat training materials are being used, copied, or otherwise improperly distributed please email training@redhat.com or phone toll-free (USA) +1 866 626 2994 or +1 919 754 3700.
Welcome

Please let us know if you have any special needs while at our training facility.
Participant Introductions

Please introduce yourself to the rest of the class!
Red Hat Enterprise Linux

● Enterprise-targeted operating system
● Focused on mature open source technology
● 18-24 month release cycle
  ❑ Certified with leading OEM and ISV products
● Purchased with a one year Red Hat Network subscription and support contract
  ❑ Support available for seven years after release
  ❑ Up to 24x7 coverage plans available
Red Hat Enterprise Linux Variants

● Two install sets available
● Server spin
  ❑ Red Hat Enterprise Linux
  ❑ Red Hat Enterprise Linux Advanced Platform
● Client spin
  ❑ Red Hat Enterprise Linux Desktop
  ❑ Workstation Option
  ❑ Multi-OS Option
Red Hat Network

● A comprehensive software delivery, system management, and monitoring framework
  ❑ Update Module: provides software updates
    ■ Included with all Red Hat Enterprise Linux subscriptions
  ❑ Management Module: extended capabilities for large deployments
  ❑ Provisioning Module: bare-metal installation, configuration management, and multi-state configuration rollback capabilities
  ❑ Monitoring Module: provides infrastructure health monitoring of networks, systems, applications, etc.
Other Red Hat Supported Software

● Global Filesystem
● Directory Server
● Certificate Server
● Red Hat Application Stack
● JBoss Middleware Application Suite
The Fedora Project

● Red Hat sponsored open source project
● Focused on the latest open source technology
  ❑ Rapid four to six month release cycle
  ❑ Available as a free download from the Internet
● An open, community-supported proving ground for technologies which may be used in upcoming enterprise products
● Red Hat does not provide formal support
Classroom Network

                      Names                    IP Addresses
  Our Network         example.com              192.168.0.0/24
  Our Server          server1.example.com      192.168.0.254
  Our Stations        stationX.example.com     192.168.0.X
  Hostile Network     cracker.org              192.168.1.0/24
  Hostile Server      server1.cracker.org      192.168.1.254
  Hostile Stations    stationX.cracker.org     192.168.1.X
  Trusted Station     trusted.cracker.org      192.168.1.21
Objectives of RH253

● To become a system administrator who can set up a Red Hat Enterprise Linux server, configure common network services and implement a security policy at a basic level.
Audience and Prerequisites

● Audience: system administrators, consultants, and other IT professionals
● Prerequisites: RH033 Red Hat Linux Essentials and RH133 Red Hat Linux System Administration, or equivalent skills and experience. A working knowledge of Internet Protocol (IP) networking.
Unit 1 - System Performance and Security
Objectives

Upon completion of this unit, you should be able to:
● Understand system performance and security goals
● Describe security domains
● Describe system faults
● Explain system fault analysis methods
● Explain the benefits of maintaining system state
● Describe networking resource concerns
● Describe data storage resource concerns
● Describe processing resource concerns
● Describe log file analysis
System Resources as Services

● Computing infrastructure is comprised of roles
  ❑ systems that serve
  ❑ systems that request
● System infrastructure is comprised of roles
  ❑ processes that serve
  ❑ processes that request
● Processing infrastructure is comprised of roles
  ❑ accounts that serve
  ❑ accounts that request
● System resources, and their use, must be accounted for as part of the policy for securing the system
Security in Principle

● Security domains
  ❑ Physical
  ❑ Local
  ❑ Remote
  ❑ Personnel
Security in Practice

● By design, the system serves available resources
● By policy, the system preserves available resources
● Host only the services you must, and only to those who must have them
  ❑ "Do I need to host this, and do I know that I am hosting it?"
  ❑ "Do they need to access this, and do I know that they are accessing it?"
  ❑ "Is this consistent with past records of system behavior?"
  ❑ "Have I applied all relevant security updates?"
● Monitor system resources for vulnerabilities and poor performance
Security Policy: the People

● Managing human activities
  ❑ includes security policy maintenance
● Who is in charge of what?
● Who makes the final decision about false alarms?
● When is law enforcement notified?
Security Policy: the System

● Managing system activities
● Regular system monitoring
  ❑ Log to an external server, so that an intruder who gains root on the monitored host cannot erase or rewrite the record of the compromise
  ❑ Monitor logs with logwatch
  ❑ Monitor bandwidth usage, inbound and outbound
● Regular backups of system data
  30. 30. Response Strategies Response Strategies ● Assume suspected system is untrustworthy r Do not run programs from the suspected system r Boot from trusted media to verify breach r Analyze logs of remote logger and "local" logs r Check file integrity against read-only backup of rpm database ● Make an image of the machine for further analysis/evidence-gathering ● Wipe the machine, re-install and restore from backup 1-8 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page08.html [2008/02/06 08:27:04 PM]
  31. 31. System Faults and Breaches System Faults and Breaches ● Both effect system performance ● System performance is the security concern r a system fault yields an infrastructure void r an infrastructure void yields opportunity for alternative resource access r an opportunity for alternative resource access yields unaccountable resource access r an unaccountable resource access is a breach of security policy 1-9 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page09.html [2008/02/06 08:27:05 PM]
  32. 32. Method of Fault Analysis Method of Fault Analysis ● Characterize the problem ● Reproduce the problem ● Find further information 1-10 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page10.html [2008/02/06 08:27:06 PM]
  33. 33. Fault Analysis: Hypothesis Fault Analysis: Hypothesis ● Form a series of hypotheses ● Pick a hypothesis to check ● Test the hypothesis 1-11 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page11.html [2008/02/06 08:27:09 PM]
  34. 34. Method of Fault Analysis, continued Method of Fault Analysis, continued ● Note the results, then reform or test a new hypothesis if needed ● If the easier hypotheses yield no positive result, further characterize the problem 1-12 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page12.html [2008/02/06 08:27:12 PM]
  35. 35. Fault Analysis: Gathering Data Fault Analysis: Gathering Data ● strace command ● tail -f logfile ● *.debug in syslog ● --debug option in application 1-13 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page13.html [2008/02/06 08:27:14 PM]
  36. 36. Benefits of System Monitoring Benefits of System Monitoring ● System performance and security may be maintained with regular system monitoring ● System monitoring includes: r Network monitoring and analysis r File system monitoring r Process monitoring r Log file analysis 1-14 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page14.html [2008/02/06 08:27:16 PM]
  37. 37. Network Monitoring Utilities Network Monitoring Utilities ● Network interfaces (ip) r Show what interfaces are available on a system ● Port scanners (nmap) r Show what services are available on a system ● Packet sniffers (tcpdump, wireshark) r Stores and analyzes all network traffic visible to the "sniffing" system 1-15 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page15.html [2008/02/06 08:27:17 PM]
  38. 38. Networking, a Local view Networking, a Local view ● The ip utility r Called by initialization scripts r Greater capability than ifconfig ● Use netstat -ntaupe for a list of: r active network servers r established connections 1-16 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page16.html [2008/02/06 08:27:20 PM]
  39. 39. Networking, a Remote view Networking, a Remote view ● nmap reports active services on ports open to remote connection attempts r Advanced scanning options available r Offers remote OS detection r Scans on small or large subnets ● Do not use without written permission of the scanned system's admin! ● Graphical front-end available (nmapfe) 1-17 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page17.html [2008/02/06 08:27:22 PM]
  40. 40. File System Analysis File System Analysis ● Regular file system monitoring can prevent: r Exhausting system resources r Security breaches due to poor access controls ● File system monitoring should include: r Data integrity scans r Investigating suspect files ● Utilities: df, du 1-18 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page18.html [2008/02/06 08:27:24 PM]
  41. 41. Typical Problematic Permissions Typical Problematic Permissions ● Files without known owners may indicate unauthorized access: r Locate files and directories with no user or group entries in the /etc/passwd file: find / ( -nouser -o -nogroup ) ● Files/Directories with "other" write permission (o+w) may indicate a problem r Locate other-writable files with: find / -type f -perm -002 r Locate other-writable directories with: find / -type d -perm -2 1-19 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-1/page19.html [2008/02/06 08:27:26 PM]
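A shell wrapper around the two find(1) checks on the slide above, added here as an example and not part of the course material. The directory it audits is whatever root you pass in (the course runs the checks against /); the sticky-bit exclusion for directories is this example's own addition, since /tmp-style directories are other-writable by design.

```shell
#!/bin/sh
# Added example, not from the RH253 course: run the slide's two find(1) checks
# against a directory tree and count the findings so a cron job can alert on them.
# The sticky-bit exclusion for directories is this example's addition: /tmp-style
# directories are o+w by design, and the sticky bit (mode 1000) keeps that safe.

# List other-writable regular files under the given root.
other_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null
}

# List other-writable directories under the given root that lack the sticky bit.
other_writable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null
}

# List files and directories whose UID or GID has no entry in /etc/passwd
# or /etc/group; the parentheses must be escaped from the shell, as here.
unowned_files() {
    find "$1" \( -nouser -o -nogroup \) 2>/dev/null
}

# Number of other-writable findings under the root, for alerting thresholds.
count_other_writable() {
    { other_writable_files "$1"; other_writable_dirs "$1"; } | wc -l | tr -d ' '
}

# Run all three checks against a root (default /) and print a short report.
audit_permissions() {
    root="${1:-/}"
    echo "== other-writable files under $root"
    other_writable_files "$root"
    echo "== other-writable, non-sticky directories under $root"
    other_writable_dirs "$root"
    echo "== files with no matching passwd/group entry under $root"
    unowned_files "$root"
}
```

Run `audit_permissions /` from a cron job and compare the output against the previous run: a new other-writable directory or a file with an orphaned UID is exactly the kind of anomaly the slide says to investigate.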
42. Monitoring Processes (1-20)
● Monitor processes to determine:
  ○ Cause of decreased performance
  ○ If suspicious processes are executing
● Monitoring utilities
  ○ top
  ○ gnome-system-monitor
  ○ sar

43. Process Monitoring Utilities (1-21)
● top
  ○ view processor activity in real time
  ○ interactively kill or renice processes
  ○ watch system statistics update through time, either in units or cumulatively
● GUI system monitoring tools:
  ○ gnome-system-monitor: GNOME process, CPU, and memory monitor
  ○ kpm: KDE version of top

44. System Activity Reporting (1-22)
● Frequent reports, over time
  ○ cron spawns sa1 and sa2
  ○ sar reads and generates "human friendly" logs
● Commonly used for performance tuning
  ○ more accurate statistics
    ■ binary "database" collection method
    ■ regular intervals
  ○ Evidence of a pattern establishes "normal" activity

45. Managing Processes by Account (1-23)
● Use PAM to set controls on account resource limits:
  ○ pam_access.so can be used to limit access by account and location
  ○ pam_time.so can be used to limit access by day and time
  ○ pam_limits.so can be used to limit the resources available to a process

46. System Log Files (1-24)
● Why monitor log files?
● Which logs to monitor?
● Logging Services:
  ○ Many daemons send messages to syslogd
  ○ Kernel messages are handled by klogd

47. syslogd and klogd Configuration (1-25)
● syslogd and klogd are configured in /etc/syslog.conf
● Syntax: facility.priority log_location
● Example: mail.info /dev/tty8

48. Log File Analysis (1-26)
● Should be performed on a regular basis
● logwatch can be installed to run by crond every hour to report possible issues
● When looking for anomalies, logwatch uses negative lists
  ○ Discard everything normal
  ○ Analyze the rest

49. End of Unit 1 (1-27)
● Questions and Answers
● Summary
  ○ Address questions
  ○ Preparation for Lab
  ○ Goals
  ○ Sequences
  ○ Deliverables
  ○ Please ask the instructor for assistance when needed

50. Unit 2: System Service Access Controls (2-1)

51. Objectives (2-2)
Upon completion of this unit, you should be able to:
● Understand how services are managed
● Learn common traits among services
● Describe Service Configuration Resources
● Implement Access Controls
● SELinux Overview
● SELinux Management

52. System Resources Managed by init (2-3)
● Services listening for serial protocol connections
  ○ a serial console
  ○ a modem
● Configured in /etc/inittab
● Calls the command rc to spawn initialization scripts
● Calls a script to start the X11 Display Manager
● Provides respawn capability, for example this /etc/inittab line:
  co:23:respawn:/sbin/agetty -f /etc/issue.serial 19200 ttyS1

53. System Initialization and Service Management (2-4)
● Commonly referred to as "System V" or "SysV"
  ○ Many scripts organized by file system directory semantics
  ○ Resource services are either enabled or disabled
● Several configuration files are often used
● Most services start one or more processes
● Commands are "wrapped" by scripts
● Services are managed by these scripts, found in /etc/init.d/
● Examples:
  ○ /etc/init.d/network status
  ○ service network status

54. chkconfig (2-5)
● Manages service definitions in run levels
● To start the cups service on boot: chkconfig cups on
● Does not modify the current run state of System V services
● Used for standalone and transient services
● Called by other applications, including system-config-services
● To list run level assignments, run chkconfig --list

55. Initialization Script Management (2-6)
● Determine which services are configured to run at system boot
  ○ chkconfig --list
● Shows which services should run
● Only reports the status of the symbolic links it manages

56. xinetd Managed Services (2-7)
● Transient services are managed by the xinetd service
● Incoming requests are brokered by xinetd
● Configuration files: /etc/xinetd.conf, /etc/xinetd.d/service
● Linked with libwrap.so
● Services controlled with chkconfig: chkconfig tftp on
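The slides on chkconfig and xinetd both come down to one question: what will be listening after the next boot? The script below is an added example (not course material) that answers it from `chkconfig --list` output; the output embedded in CHKCONFIG_OUTPUT is constructed to look like RHEL 5's format, and the service names in it are made up for the example.

```shell
#!/bin/sh
# Added example, not from the RH253 course: summarise the boot-time service
# surface from "chkconfig --list" output, which the slides recommend checking.
# CHKCONFIG_OUTPUT below is constructed to look like RHEL 5 output; on a real
# host set it from "$(chkconfig --list)" instead.
CHKCONFIG_OUTPUT='cups     0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd     0:off 1:off 2:on  3:on  4:on  5:on  6:off
vsftpd   0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd   0:off 1:off 2:off 3:on  4:on  5:on  6:off
xinetd based services:
        tftp:   off
        rsync:  on'

# Standalone (System V) services chkconfig will start in the given runlevel.
# Usage: enabled_in_runlevel 3
enabled_in_runlevel() {
    printf '%s\n' "$CHKCONFIG_OUTPUT" |
        awk -v lvl="$1" '
            BEGIN { want = lvl ":on" }
            /based services:/ { exit }          # the xinetd section follows; stop here
            { for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# Transient services xinetd is configured to broker. They only matter when the
# xinetd service itself is enabled, so read both lists together.
xinetd_enabled() {
    printf '%s\n' "$CHKCONFIG_OUTPUT" |
        awk '
            /based services:/ { inx = 1; next }
            inx && $2 == "on"  { sub(/:$/, "", $1); print $1 }'
}

# Boot-time exposure report: what starts in runlevels 3 and 5, plus xinetd entries.
boot_surface() {
    for lvl in 3 5; do
        printf 'runlevel %s: %s\n' "$lvl" "$(enabled_in_runlevel "$lvl" | tr '\n' ',' | sed 's/,$//')"
    done
    printf 'xinetd: %s\n' "$(xinetd_enabled | tr '\n' ',' | sed 's/,$//')"
}
```

As the slide notes, chkconfig only reports the symbolic links it manages, so this report should be reconciled with `netstat -ntaupe` from Unit 1 to catch anything started some other way.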
57. xinetd Default Controls (2-8)
● Top-level configuration file:
  # /etc/xinetd.conf
  defaults
  {
      instances       = 60
      log_type        = SYSLOG authpriv
      log_on_success  = HOST PID
      log_on_failure  = HOST
      cps             = 25 30
  }
  includedir /etc/xinetd.d

58. xinetd Service Configuration (2-9)
● Service-specific configuration
  ○ /etc/xinetd.d/service, for example /etc/xinetd.d/tftp:
  # default: off
  service tftp
  {
      disable         = yes
      socket_type     = dgram
      protocol        = udp
      wait            = yes
      user            = root
      server          = /usr/sbin/in.tftpd
      server_args     = -c -s /tftpboot
      per_source      = 11
      cps             = 100 2
      flags           = IPv4
  }

59. xinetd Access Controls (2-10)
● Syntax
  ○ Allow with only_from = host_pattern
  ○ Deny with no_access = host_pattern
  ○ The most exact specification is authoritative
● Example
  ○ only_from = 192.168.0.0/24
  ○ no_access = 192.168.0.1

60. Host Pattern Access Controls (2-11)
● Host masks for xinetd may be:
  ○ numeric address (192.168.1.0)
  ○ network name (from /etc/networks)
  ○ hostname or domain (.domain.com)
  ○ IP address/netmask range (192.168.0.0/24)
● Number of simultaneous connections
  ○ Syntax: per_source = 2
  ○ Cannot exceed maximum instances

61. The /etc/sysconfig/ files (2-12)
● Some services are configured for how they run
  ○ named
  ○ sendmail
  ○ dhcpd
  ○ samba
  ○ init
  ○ syslog

62. Service and Application Access Controls (2-13)
● Service-specific configuration
  ○ Daemons like httpd, smbd, squid, etc. provide service-specific security mechanisms
● General configuration
  ○ All programs linked with libwrap.so use common configuration files
  ○ Because xinetd is linked with libwrap.so, its services are affected
  ○ Checks for host and/or remote user name

63. tcp_wrappers Configuration (2-14)
● Three stages of access checking
  ○ Is access explicitly permitted?
  ○ Otherwise, is access explicitly denied?
  ○ Otherwise, by default, permit access!
● Configuration stored in two files:
  ○ Permissions in /etc/hosts.allow
  ○ Denials in /etc/hosts.deny
● Basic syntax: daemon_list: client_list [:options]

64. Daemon Specification (2-15)
● Daemon name:
  ○ Applications pass the name of their executable
  ○ Multiple services can be specified
  ○ Use the wildcard ALL to match all daemons
  ○ Limitations exist for certain daemons
● Advanced syntax: daemon@host: client_list ...

65. Client Specification (2-16)
● Host specification
  ○ by IP address (192.168.0.1, 10.0.0.)
  ○ by name (www.redhat.com, .example.com)
  ○ by netmask (192.168.0.0/255.255.255.0)
  ○ by network name

66. Macro Definitions (2-17)
● Host name macros
  ○ LOCAL
  ○ KNOWN, UNKNOWN, PARANOID
● Host and service macro
  ○ ALL
● EXCEPT
  ○ Can be used for client and service lists
  ○ Can be nested

67. Extended Options (2-18)
● Syntax: daemon_list: client_list [:opt1 :opt2 ...]
● spawn
  ○ Can be used to start additional programs
  ○ Special expansions are available (%c, %s)
● Example:
  in.telnetd: ALL : spawn echo "login attempt from %c to %s" | mail -s warning root
● DENY
  ○ Can be used as an option in hosts.allow
● Example: ALL: ALL: DENY

68. A tcp_wrappers Example (2-19)
  # /etc/hosts.allow
  vsftpd : 192.168.0.
  in.telnetd, sshd : .example.com 192.168.2.5
  # /etc/hosts.deny
  ALL : ALL

69. xinetd and tcp_wrappers (2-20)
● xinetd provides its own set of access control functions
  ○ host-based
  ○ time-based
● tcp_wrappers is still used
  ○ xinetd is compiled with libwrap support
  ○ If libwrap.so allows the connection, then the xinetd security configuration is evaluated
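The three-stage check on the tcp_wrappers Configuration slide is easy to state and easy to get wrong in practice, because the third stage permits anything the two files are silent about. The script below is an added example (not course material and not the libwrap code): a small simulator of that decision, run against the hosts.allow and hosts.deny example from the slide above. It implements only the daemon names, ALL, and the address-prefix and domain-suffix client patterns shown on the slides; the real library also handles netmasks, EXCEPT, the KNOWN/UNKNOWN/PARANOID macros and the spawn/DENY options.

```shell
#!/bin/sh
# Added example, not from the RH253 course or the tcp_wrappers library: a small
# simulator of the three-stage hosts_access decision the slides describe, run
# against the slide's /etc/hosts.allow and /etc/hosts.deny example. It handles
# daemon names, ALL, and the IP-prefix and domain-suffix client patterns shown
# on the slides only.

# Constructed copies of the slide's example files.
HOSTS_ALLOW='vsftpd : 192.168.0.
in.telnetd, sshd : .example.com 192.168.2.5'
HOSTS_DENY='ALL : ALL'

# match_client PATTERN CLIENT: succeeds if the client matches one client pattern.
match_client() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # address prefix, e.g. 192.168.0.
        .*)  case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;;  # domain suffix, e.g. .example.com
        *)   [ "$1" = "$2" ] ;;                                      # exact address or host name
    esac
}

# rules_match RULES DAEMON CLIENT: succeeds if any "daemon_list : client_list"
# line in RULES matches both the daemon and the client.
rules_match() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
            clients=${line#*:}
            clients=${clients%%:*}                 # ignore [:options] in this simulation
            dmatch=1
            for d in $daemons; do
                if [ "$d" = ALL ] || [ "$d" = "$2" ]; then dmatch=0; fi
            done
            [ "$dmatch" -eq 0 ] || continue
            for c in $clients; do
                if match_client "$c" "$3"; then exit 0; fi   # leaves the subshell: matched
            done
        done
        exit 1                                     # no line matched
    }
}

# hosts_access DAEMON CLIENT: prints ALLOW or DENY following the three stages.
hosts_access() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2"; then
        echo ALLOW                                 # stage 1: explicitly permitted
    elif rules_match "$HOSTS_DENY" "$1" "$2"; then
        echo DENY                                  # stage 2: explicitly denied
    else
        echo ALLOW                                 # stage 3: nothing matched, so permitted
    fi
}
```

With the slide's files, `hosts_access sshd 10.0.0.1` prints DENY because of the `ALL : ALL` line in hosts.deny; set HOSTS_DENY to an empty string and the same call prints ALLOW, which is the default-permit behaviour the slide warns about and the reason the deny file is the one to write first.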
70. SELinux (2-21)
● Mandatory Access Control (MAC) vs. Discretionary Access Control (DAC)
● A rule set called the policy determines how strict the control is
● Processes are either restricted or unconfined
● The policy defines what resources restricted processes are allowed to access
● Any action that is not explicitly allowed is, by default, denied

71. SELinux, continued (2-22)
● All files and processes have a security context
● The context has several elements, depending on the security needs
  ○ user:role:type:sensitivity:category
  ○ user_u:object_r:tmp_t:s0:c0
  ○ Not all systems will display s0:c0
● ls -Z
● ps -Z
  ○ Usually paired with other options, such as -e

72. SELinux: Targeted Policy (2-23)
● The targeted policy is loaded at install time
● Most local processes are unconfined
● Principally uses the type element for type enforcement
● The security context can be changed with chcon
  ○ chcon -t tmp_t /etc/hosts
● Safer to use restorecon
  ○ restorecon /etc/hosts

73. SELinux: Management (2-24)
● Modes: Enforcing, Permissive, Disabled
  ○ Changing enforcement is allowed in the Targeted policy
  ○ getenforce
  ○ setenforce 0 | 1
  ○ Disable from GRUB with selinux=0
● system-config-selinux
  ○ Changes mode, and targeted policy controls. A mode change requires a system reboot
  ○ Booleans
● /etc/sysconfig/selinux
● setroubleshootd
  ○ Advises on how to avoid errors, not ensure security!

74. SELinux: semanage (2-25)
● Some features are controlled by semanage
● Recompiles small portions of the policy
● semanage function -l
● Most useful in high security environments

75. SELinux: File Types (2-26)
● A managed service type is called its domain
● Allow rules in the policy define what file types a domain may access
● The policy is stored in a binary format, obscuring the rules from casual viewing
● Types can be viewed with semanage
  ○ semanage fcontext -l
● public_content_t
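The SELinux slides above describe the context as user:role:type:level and say the type is what the targeted policy enforces. The script below is an added example (not course material) that splits the context field of `ls -Z` output into those elements and lists files under a path whose type is not the expected one, i.e. the candidates for restorecon. The listing in LS_Z_OUTPUT is constructed to look like RHEL 5 `ls -Z` output, and the expected type per location is an assumption passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the RH253 course: split the security-context field
# of "ls -Z" output into its user:role:type:level elements, then flag files
# whose type is not the one expected for their location (the files restorecon
# would relabel). LS_Z_OUTPUT is constructed to look like RHEL 5 "ls -Z" output;
# the expected type for each location is an assumption passed in by the caller.

# Constructed sample: the third file was moved from /tmp into the web root
# without restorecon, so it kept its tmp_t type and httpd cannot serve it.
LS_Z_OUTPUT='-rw-r--r--  root root system_u:object_r:net_conf_t:s0          /etc/hosts
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--  root root user_u:object_r:tmp_t:s0:c0              /var/www/html/upload.php'

# context_field CONTEXT NAME: print the user, role, type or level element.
# The level (s0, or s0:c0 with a category) may be absent, as the slide notes.
context_field() {
    ctx="$1"
    case "$2" in
        user)  printf '%s\n' "${ctx%%:*}" ;;
        role)  rest=${ctx#*:};     printf '%s\n' "${rest%%:*}" ;;
        type)  rest=${ctx#*:*:};   printf '%s\n' "${rest%%:*}" ;;
        level) rest=${ctx#*:*:*:}
               if [ "$rest" = "$ctx" ]; then rest=""; fi   # no fourth element present
               printf '%s\n' "$rest" ;;
    esac
}

# wrong_type_files PATH_PREFIX EXPECTED_TYPE: print "path type" for each file
# under the prefix whose type differs from the expected one.
wrong_type_files() {
    printf '%s\n' "$LS_Z_OUTPUT" | while read -r mode owner group ctx path; do
        case "$path" in "$1"*) ;; *) continue ;; esac
        t=$(context_field "$ctx" type)
        if [ "$t" != "$2" ]; then printf '%s %s\n' "$path" "$t"; fi
    done
}
```

On a real host the expected type for a path comes from `semanage fcontext -l`, and the fix for each reported file is `restorecon`, which the slide calls safer than hand-editing with chcon because it re-applies the policy's own mapping rather than a value typed from memory.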
  76. 76. End of Unit 2 End of Unit 2 ● Questions and Answers ● Summary r Address questions r Preparation for Lab r Goals r Sequences r Deliverables r Please ask the instructor for assistance when needed r SELinux Management 2-27 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-2/page27.html [2008/02/06 08:28:26 PM]
  77. 77. Unit 3 Unit 3 Network Resource Access Controls 3-1 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page01.html [2008/02/06 08:28:27 PM]
  78. 78. Objectives Objectives Upon completion of this unit, you should be able to: ● Describe IP and Routing ● Compare IPv4 and IPv6 ● Describe IPv6 Features ● Understand Netfilter Architecture ● Learn to use the iptables command ● Understand Network Address Translation (NAT) 3-2 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page02.html [2008/02/06 08:28:29 PM]
  79. 79. Routing Routing ● Routers transport packets between different networks ● Each machine needs a default gateway to reach machines outside the local network ● Additional routes can be set using the route command 3-3 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page03.html [2008/02/06 08:28:30 PM]
  80. 80. IPv6 Features IPv6 Features IP version 6 ● Larger Addresses r 128-bit Addressing r Extended Address Hierarchy ● Flexible Header Format r Base header - 40 octets r Next Header field supports Optional Headers for current and future extensions ● More Support for Autoconfiguration r Link-Local Addressing r Router Advertisement Daemon r Dynamic Host Configuration Protocol version 6 3-4 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page04.html [2008/02/06 08:28:32 PM]
  81. 81. Implementing IPv6 Implementing IPv6 ● Kernel ipv6 module enables stateless autoconfiguration ● Additional configuration implemented by / etc/rc.d/init.d/network initialization script r NETWORKING_IPV6=yes in /etc/sysconfig/ network r IPV6INIT=yes in /etc/sysconfig/network- scripts/ifcfg-ethX 3-5 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page05.html [2008/02/06 08:28:33 PM]
  82. 82. IPv6: Dynamic Interface Configuration IPv6: Dynamic Interface Configuration ● Two ways to dynamically configure IPv6 addresses: r Router Advertisement Daemon ■ Runs on (Linux) Default Gateway - radvd ■ Only specifies prefix and default gateway ■ Enabled with IPV6_AUTOCONF=yes Interface ID automatically generated based on ■ the MAC address of the system r DHCP version 6 ■ dhcp6s supports more configuration options ■ Enabled with DHCPV6C=yes 3-6 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page06.html [2008/02/06 08:28:34 PM]
  83. 83. IPv6: Static Interface Configuration IPv6: Static Interface Configuration ● /etc/sysconfig/network-scripts/ ifcfg-ethX r IPV6ADDR=<ipv6_address>[/prefix_length] r Device aliases unnecessary... r IPV6ADDR_SECONDARIES=<ipv6_address>[/ prefix_length] [...] 3-7 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page07.html [2008/02/06 08:28:35 PM]
  84. 84. IPv6: Routing Configuration IPv6: Routing Configuration ● Default Gateway r Dynamically from radvd or dhcpv6s r Manually specified in /etc/sysconfig/network ■ IPV6_DEFAULTGW=<IPv6_address[% interface]> ■ IPV6_DEFAULTDEV=<interface> - only valid on point-to-point interfaces ● Static Routes r Defined per interface in /etc/sysconfig/ network-scripts/route6-ethX ■ Uses ip -6 route add syntax ■ <ipv6_network/prefix> via <ipv6_routeraddress> 3-8 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page08.html [2008/02/06 08:28:37 PM]
  85. 85. tcp_wrappers and IPv6 tcp_wrappers and IPv6 ● tcp_wrappers is IPv6 aware r When IPv6 is fully implemented throughout the domain, ensure tcp_wrappers rules include IPv6 addresses ● Example: preserving localhost connectivity, add to /etc/hosts.allow r ALL: [::1] 3-9 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page09.html [2008/02/06 08:28:38 PM]
  86. 86. New and Modified Utilities New and Modified Utilities ● ping6 ● traceroute6 ● tracepath6 ● ip -6 ● host -t AAAA hostname6.domain6 3-10 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page10.html [2008/02/06 08:28:39 PM]
  87. 87. Netfilter Overview Netfilter Overview ● Filtering in the kernel: no daemon ● Asserts policies at layers 2, 3 & 4 of the OSI Reference Model ● Only inspects packet headers ● Consists of netfilter modules in kernel, and the iptables user-space software 3-11 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page11.html [2008/02/06 08:28:40 PM]
  88. 88. Netfilter Tables and Chains Netfilter Tables and Chains 3-12 Copyright © 2007 Red Hat, Inc. RH253-RH253-RHEL5-en-1-20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page12.html [2008/02/06 08:28:44 PM]
  89. 89. Netfilter Packet Flow Netfilter Packet Flow 3-13 Copyright © 2007 Red Hat, Inc. RH253-RH253-RHEL5-en-1-20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page13.html [2008/02/06 08:28:48 PM]
  90. 90. Rule Matching Rule Matching ● Rules in ordered list ● Packets tested against each rule in turn ● On first match, the target is evaluated: usually exits the chain ● Rule may specify multiple criteria for match ● Every criterion in a specification must be met for the rule to match (logical AND) ● Chain policy applies if no match 3-14 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page14.html [2008/02/06 08:28:50 PM]
  91. 91. Rule Targets Rule Targets ● Built-in targets: DROP, ACCEPT ● Extension targets: LOG, REJECT, custom chain r REJECT sends a notice returned to sender r LOG connects to system log kernel facility r LOG match does not exit the chain ● Target is optional, but no more than one per rule and defaults to the chain policy if absent 3-15 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page15.html [2008/02/06 08:28:51 PM]
  92. 92. Simple Example Simple Example ● An INPUT rule for the filter table: 3-16 Copyright © 2007 Red Hat, Inc. RH253-RH253-RHEL5-en-1-20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page16.html [2008/02/06 08:28:55 PM]
  93. 93. Basic Chain Operations Basic Chain Operations ● List rules in a chain or table (-L or -vL) ● Append a rule to the chain (-A) ● Insert a rule to the chain (-I) r -I CHAIN (inserts as the first rule) r -I CHAIN 3 (inserts as rule 3) ● Delete an individual rule (-D) r -D CHAIN 3 (deletes rule 3 of the chain) r -D CHAIN RULE (deletes rule explicitly) 3-17 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page17.html [2008/02/06 08:28:56 PM]
  94. 94. Additional Chain Operations Additional Chain Operations ● Assign chain policy (-P CHAIN TARGET) r ACCEPT (default, a built-in target) r DROP (a built-in target) r REJECT (not permitted, an extension target) ● Flush all rules of a chain (-F) r Does not flush the policy ● Zero byte and packet counters (-Z [CHAIN]) r Useful for monitoring chain statistics ● Manage custom chains (-N, -X) r -N Your_Chain-Name (adds chain) r -X Your_Chain-Name (deletes chain) 3-18 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page18.html [2008/02/06 08:28:57 PM]
  95. 95. Rules: General Considerations Rules: General Considerations ● Mostly closed is appropriate r iptables -P INPUT DROP or r iptables -A INPUT -j DROP r iptables -A INPUT -j REJECT ● Criteria also apply to loopback interface r The example rules above will have the side effect of blocking localhost! ● Rules, like routes, are loaded in memory and must be saved to a file for persistence across reboots 3-19 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page19.html [2008/02/06 08:28:59 PM]
  96. 96. Match Arguments Match Arguments ● Matches may be made by: r IP address, or host name ■ Warning: host names are resolved at the time of rule insertion r Port number, or service name r Arguments may be negated with `!' ● Inclusive port range may be specified '0:1023' ● Masks may use VLSN or CIDR notation 3-20 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page20.html [2008/02/06 08:28:59 PM]
  97. 97. Connection Tracking Connection Tracking ● Provides inspection of packet's "state" r a packet can be tested in a specific context ● Simplifies rule design r without connection tracking, rules are usually in pairs (inbound & outbound) ● Implemented in "state" match extension ● Recognized states: NEW, ESTABLISHED, RELATED, INVALID ● Requires more memory 3-21 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page21.html [2008/02/06 08:29:01 PM]
  98. 98. Connection Tracking, continued Connection Tracking, continued ● Connection tracking modules r ip_conntrack_ftp r ip_conntrack_tftp r ip_nat_ftp r ip_nat_tftp (and others) ● /etc/sysconfig/iptables-config 3-22 RH253-RH253-RHEL5-en-1- Copyright © 2007 Red Hat, Inc. 20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page22.html [2008/02/06 08:29:02 PM]
  99. 99. Connection Tracking Example Connection Tracking Example ● One rule to permit established connections: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ● Many rules; one for each permitted service: iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT ● Lastly, one rule to block all others inbound: iptables -A INPUT -m state --state NEW -j DROP 3-23 Copyright © 2007 Red Hat, Inc. RH253-RH253-RHEL5-en-1-20070325 All rights reserved http://www.way2download.com/linux/RH253/unit-3/page23.html [2008/02/06 08:29:04 PM]
Network Address Translation (NAT)

● Translates one IP address into another (inbound and/or outbound)
● Allows "hiding" internal IP addresses behind a single public IP
● Rules are set within the nat table
● Network Address Translation types:
    ○ Destination NAT (DNAT): set in the PREROUTING chain, so filtering uses the translated address
    ○ Source NAT (SNAT, MASQUERADE): set in the POSTROUTING chain, so filtering never uses the translated address
DNAT Examples

● INBOUND
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.20
● OUTBOUND (with port redirection)
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128
SNAT Examples

● MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
● SNAT
    iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45
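The inbound DNAT and MASQUERADE rules from the two example slides, placed into a complete gateway ruleset as an added example that is not from the course. NAT rules alone forward nothing, so the script also sets the FORWARD chain, which is where the chain-placement point from the NAT slide becomes visible: DNAT in PREROUTING means FORWARD filters on the translated (internal) destination, while MASQUERADE in POSTROUTING means FORWARD still sees the private source. Interface names, the LAN prefix, the web server address and the echo-by-default IPT and SYSCTL variables are assumptions; the long option name --to-destination is used in place of the slide's abbreviated --to-dest.

```shell
#!/bin/sh
# Added example (not course code): a NAT gateway ruleset that pairs the DNAT
# and MASQUERADE rules with FORWARD-chain filtering. Interface names, the LAN
# prefix and the internal web server address are assumptions.
IPT=${IPT:-"echo iptables"}          # "echo" prints instead of applying
SYSCTL=${SYSCTL:-"echo sysctl"}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.0.20}

nat_gateway_rules() {
    # Routing between interfaces must be enabled for NAT to be useful.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Inbound DNAT happens in PREROUTING, before routing and before the
    # FORWARD chain, so the filtering below must match the translated address.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"

    # Outbound source NAT happens in POSTROUTING, after FORWARD filtering,
    # which therefore still sees the private source address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # NAT alone forwards nothing: decide in FORWARD what may cross.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open new connections toward the outside.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # From outside, only the port-forwarded web service (translated address).
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

nat_gateway_rules
```

Restricting MASQUERADE with -s to the LAN prefix and with -o to the outside interface keeps the gateway from translating traffic it was never meant to route; the slide's bare -o eth0 form works, but the narrower match is the safer default.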
Rules Persistence

● iptables is not a daemon, but loads rules into memory and exits
● Rules are not persistent across reboot
    ○ service iptables save will store rules to /etc/sysconfig/iptables (ensure this file has the proper SELinux context!)
    ○ The System V init script may be used, and is run before networking is configured
Sample /etc/sysconfig/iptables

    *filter
    :INPUT DROP [573:46163]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [641:68532]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -s 123.123.123.1 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 123 -s 123.123.123.1 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
    COMMIT
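A saved ruleset is only as good as what is in it, so here is an added example (not course code) that audits a file in the /etc/sysconfig/iptables format shown above: it reports the default policy of each chain, lists every INPUT ACCEPT rule with its protocol, port and source restriction, and warns when the INPUT policy is DROP but the loopback ACCEPT rule from the general-considerations slide is missing. The sample file is a constructed copy of the slide's ruleset, written to a path you name, so the audit can be tried without touching the real file.

```shell
#!/bin/sh
# Added example (not course code): audit a saved /etc/sysconfig/iptables
# (iptables-save format) file. It reports chain policies, lists what the
# INPUT chain accepts and from where, and flags a DROP policy that lacks
# the loopback ACCEPT the notes warn about.

# Constructed copy of the sample ruleset, written to the file named in $1.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [573:46163]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [641:68532]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -s 123.123.123.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -s 123.123.123.1 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# audit_ruleset FILE: prints one line per finding.
audit_ruleset() {
    awk '
    # ":CHAIN POLICY [packets:bytes]" lines carry the default policies.
    /^:/ {
        chain = substr($1, 2)
        print "policy " chain " " $2
        if (chain == "INPUT" && $2 == "DROP") input_drop = 1
        next
    }
    # "-A INPUT ..." lines: pull out the fields that matter for exposure.
    /^-A INPUT/ {
        src = "any"; proto = "-"; port = "-"; target = "-"; is_lo = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-s")      src = $(i + 1)
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
            if ($i == "-i" && $(i + 1) == "lo") is_lo = 1
        }
        if (is_lo && target == "ACCEPT") { lo_ok = 1; next }
        if (target == "ACCEPT") print "accept " proto "/" port " from " src
    }
    END {
        if (input_drop && !lo_ok)
            print "WARN: INPUT policy DROP without a loopback ACCEPT rule"
        else if (input_drop)
            print "OK: INPUT policy DROP and loopback accepted"
    }' "$1"
}
```

Usage: write_sample_ruleset /tmp/iptables.sample; audit_ruleset /tmp/iptables.sample. On a real system run audit_ruleset against /etc/sysconfig/iptables after service iptables save; "accept tcp/22 from any" style lines make it easy to see which services are open to the world and which are pinned to a source address, as ports 25 and 123 are in the sample.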
IPv6 and ip6tables

● Packet filtering for IPv6 traffic
● Provided by the iptables-ipv6 package
● Rules stored in /etc/sysconfig/ip6tables
● Does not yet support:
    ○ REJECT target
    ○ nat table
    ○ connection tracking with the state module
End of Unit 3

● Questions and Answers
● Summary
    ○ Address questions
    ○ Preparation for Lab
    ○ Goals
    ○ Scenario
    ○ Deliverables
    ○ Please ask the instructor for assistance when needed
Unit 4

Organizing Networked Systems
Objectives

Upon completion of this unit, you should be able to:
● Understand host name resolution and its impact on networked systems organization
● Use common utilities to explore and verify DNS server operation
● Describe the Domain Name System (DNS)
● Perform essential BIND DNS configuration
● DHCP Overview
● DHCP Configuration
Host Name Resolution

● Some name services provide mechanisms to translate host names into lower-layer addresses so that computers can communicate
    ○ Example: Name --> MAC address (link layer)
    ○ Example: Name --> IP address (network layer) --> MAC address (link layer)
● Common host name services
    ○ Files (/etc/hosts and /etc/networks)
    ○ DNS
    ○ NIS
● Multiple client-side resolvers:
    ○ "stub"
    ○ dig
    ○ host
    ○ nslookup
The Stub Resolver

● Generic resolver library available to all applications
    ○ Provided through gethostbyname() and other glibc functions
    ○ Not capable of sophisticated access controls, such as packet signing or encryption
● Can query any name service supported by glibc
● Reads /etc/nsswitch.conf to determine the order in which to query name services, as shown here for the default configuration:
    hosts: files dns
● The NIS domain name and the DNS domain name should usually be different, to simplify troubleshooting and avoid name collisions
DNS-Specific Resolvers

● host
    ○ Never reads /etc/nsswitch.conf
    ○ By default, looks at both the nameserver and search lines in /etc/resolv.conf
    ○ Minimal output by default
● dig
    ○ Never reads /etc/nsswitch.conf
    ○ By default, looks only at the nameserver line in /etc/resolv.conf
    ○ Output is in RFC-standard zone file format, the format used by DNS servers, which makes dig particularly useful for exploring DNS resolution
Trace a DNS Query with dig

● dig +trace redhat.com
    ○ Reads /etc/resolv.conf to determine the nameserver
    ○ Queries for the root name servers
    ○ Chases referrals to find name records (answers)
    ○ See notes for sample output in case the training center's firewall restricts outbound DNS
● This is known as an iterative query
● Initial observations:
    ○ Names are organized in an inverted tree with root (.) at the top
    ○ The name hierarchy allows DNS to cross organizational boundaries
    ○ Names in records end with a dot when fully qualified
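Because dig prints answers in zone-file format, its output is easy to check mechanically, which is what "verify DNS server operation" comes down to in practice. The following is an added example, not part of the course: a shell function that asks dig for one record type and confirms that the answer section contains the expected record, honouring the fully-qualified trailing dot noted above. The DIG variable, the dig options +noall +answer (real options that print only the answer section), and the constructed sample answer for example.com are assumptions of this example; the sample lets the parsing be exercised with no network access.

```shell
#!/bin/sh
# Added example (not course code): verify that a name server returns the
# record you expect, by parsing dig's zone-file-style answer section.
# DIG can be pointed at a wrapper or, as in the tests, at a function that
# prints constructed output, so the check runs without network access.
DIG=${DIG:-dig}

# Constructed "dig +noall +answer" output (not a real query result).
sample_dig_answer() {
    printf 'example.com.\t300\tIN\tA\t192.0.2.10\n'
    printf 'example.com.\t300\tIN\tMX\t10 mail.example.com.\n'
}

# parse_answer: stdin is "dig +noall +answer" output
# (owner TTL class type rdata); prints "owner type ttl rdata".
parse_answer() {
    awk '$3 == "IN" && NF >= 5 {
        rdata = $5
        for (i = 6; i <= NF; i++) rdata = rdata " " $i
        print $1, $4, $2, rdata
    }'
}

# expect_record NAME TYPE RDATA: exit 0 if the answer contains that record.
# Owner names in the answer are fully qualified, so a trailing dot is
# appended to NAME unless it already has one.
expect_record() {
    case $1 in
        *.) owner=$1 ;;
        *)  owner="$1." ;;
    esac
    $DIG +noall +answer "$1" "$2" | parse_answer |
        awk -v owner="$owner" -v type="$2" -v want="$3" '
            $1 == owner && $2 == type {
                got = $4
                for (i = 5; i <= NF; i++) got = got " " $i
                if (got == want) found = 1
            }
            END { exit (found ? 0 : 1) }'
}
```

Usage against a live server: expect_record www.example.com A 192.0.2.10 && echo "record present". Pointing DIG at a wrapper such as a function running "dig @ns1.example.com" lets the same check target a specific authoritative server rather than whatever /etc/resolv.conf names.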
