RHCSA Exam objective – Manage Security
- Configure firewall settings using system-config-firewall or iptables.
- Set enforcing and permissive modes for SELinux.
- List and identify SELinux file and process context.
- Restore default file contexts.
- Use boolean settings to modify system SELinux settings.
- Diagnose and address routine SELinux policy violations.
1. Configure firewall settings using system-config-firewall or iptables.
To enable the firewall from a text console, run system-config-securitylevel-tui (this is the RHEL 5 tool; it also sets the SELinux mode):
# system-config-securitylevel-tui
A new window opens; enable the Firewall option there.
The SELinux mode is set from the same tool.
By selecting the 'Customize' option, individual services can be allowed or blocked in the firewall.
On RHEL 6 the equivalent tool is system-config-firewall-tui. It writes the rules it generates to /etc/sysconfig/iptables, which the iptables service loads at boot:
# system-config-firewall-tui
IPTables Firewall configuration
Iptables is an administration tool for IP packet filtering and NAT.
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.
Sample iptables commands to allow traffic to TCP port 80 (the web service):
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
(-I without a position number inserts the rule at the top of the INPUT chain, so it is checked before every existing rule.)
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
(-A appends the rule at the end of the chain. Rules are evaluated in order and the first match wins. The stock RHEL ruleset ends the INPUT chain with a REJECT rule that matches everything, so a rule appended after it with -A is never reached and has no effect. Use -I, or -I INPUT <n> with an explicit position, to place a new rule above that final REJECT. iptables -L -n --line-numbers shows the current order.)
To block a service, for example FTP:
# iptables -I INPUT -p tcp --dport 21 -j DROP
To allow FTP access only from the network 192.168.1.0/24:
# iptables -I INPUT -p tcp ! -s 192.168.1.0/24 --dport 21 -j DROP
This rule drops FTP connection attempts from every source that is not in 192.168.1.0/24; it must sit above the rule that accepts port 21, otherwise the accept matches first.
Rules added on the command line change only the running kernel. Run service iptables save to write them to /etc/sysconfig/iptables so they survive a reboot.
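The ordering points above, as an added example that is not part of the original post: a script that generates a complete RHEL 6-style ruleset in iptables-restore format and checks, offline, that no INPUT rule sits below the catch-all REJECT. The LAN 192.168.1.0/24, the port set and the "-m state" matches are this example's own assumptions; the "apply" branch needs root and a RHEL 6 box with the iptables service.

```sh
#!/bin/sh
# Added example (not from the original post): build an iptables ruleset as
# iptables-restore text and verify rule ordering before loading it.

# build_ruleset LAN: print the filter table. iptables stops at the first
# matching rule, so the unconditional REJECT must be the last INPUT rule.
build_ruleset() {
    lan="${1:-192.168.1.0/24}"   # assumption: FTP is only for this network
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -p tcp ! -s $lan --dport 21 -j DROP
-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# dead_rules: read a ruleset on stdin and print every INPUT rule that comes
# after an unconditional REJECT/DROP. Those rules can never match; this is
# exactly what "iptables -A INPUT ..." produces on the stock RHEL chain.
dead_rules() {
    awk '$1 == "-A" && $2 == "INPUT" {
            if (dead) print
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) dead = 1
         }'
}

# check_ruleset: succeed only if no INPUT rule is unreachable.
check_ruleset() {
    [ -z "$(dead_rules)" ]
}

case "${1:-}" in
    show)  build_ruleset "$2" ;;
    check) build_ruleset "$2" | check_ruleset && echo "ruleset ok" ;;
    apply) # root only: iptables-restore replaces the running rules atomically,
           # "service iptables save" writes them to /etc/sysconfig/iptables.
           build_ruleset "$2" | iptables-restore && service iptables save ;;
esac
```

Run it as ./rules.sh check 192.168.1.0/24 before ./rules.sh apply; the same dead_rules filter can be pointed at the output of iptables-save to audit a ruleset that was built by hand.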
2. Set enforcing and permissive modes for SELinux
The SELinux mode used at boot is set in /etc/selinux/config (/etc/sysconfig/selinux is a symbolic link to that file).
To change the boot-time mode, set the SELINUX option to enforcing, permissive or disabled.
Enforcing mode: the policy is enforced; an access the policy does not allow is denied and logged as an AVC message.
Permissive mode: the policy is loaded and files keep their labels, but denials are only logged; the access itself is allowed. This is the mode to use while troubleshooting.
Disabled: no policy is loaded and new files are not labeled. Going from disabled back to enforcing or permissive requires a full relabel (touch /.autorelabel and reboot), otherwise files created meanwhile carry no usable context.
The running system can be switched between enforcing and permissive without a reboot; the change lasts until the next boot. Switching to or from disabled always needs a reboot.
# setenforce enforcing (or setenforce 1)
# setenforce permissive (or setenforce 0)
# getenforce shows the current mode.
3. List and identify SELinux file and process context
(The default file contexts are listed in
/etc/selinux/targeted/contexts/files/file_contexts
Locally added contexts, such as those created with semanage fcontext, are kept in file_contexts.local in the same directory.)
#ls -Z lists the SELinux context of each file.
For example, ls -Z for the file anaconda-ks.cfg in /root shows:
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
It lists the usual ugo/rwx permissions plus the four fields of the SELinux context: user, role, type and MLS level.
Under the targeted policy the user and role fields generally do not affect access to files (they matter in MLS and role-based policies). The type is the field the policy rules check (type enforcement), so it is the one that controls access.
#ls -Z /var/ftp
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
Here type of this folder pub is public_content_t, which can be accessed via FTP.
In the same way, if you want to serve a non-standard directory through FTP, HTTP or any other confined service, you have to change the context type of that file or directory to one the service is allowed to access.
The chcon command changes the context of a file or directory. The change is stored on the inode only; it is not recorded in the policy, so a relabel or restorecon will undo it (see section 4).
Scenario: create folder /ftp under root user and allow contents of /ftp folder for FTP access.
#mkdir /ftp
#ls -Z /
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 ftp
The context type of the new directory /ftp is default_t, which no service is allowed to read.
To change the context of this directory:
#chcon -R -u system_u -t public_content_t /ftp
# ls -Z /
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 ftp
The switch -R recursively changes the context of every file and directory under /ftp.
public_content_t gives read-only access to FTP (and to the other confined services that serve public content).
If you want to support uploads to your FTP server, you have to assign a different context type, and the boolean allow_ftpd_anon_write must also be on for vsftpd to write there:
#chcon -R -u system_u -t public_content_rw_t /ftp
There is an alternate way to set the context: copy it from a reference file.
For example, the context of /ftp should be the same as that of the system FTP directory /var/ftp.
The following command takes the user, role and type from /var/ftp and applies them recursively:
#chcon -R --reference=/var/ftp /ftp
#chcon -R --reference=/var/www/html /webcontent gives /webcontent the type of the web root (httpd_sys_content_t), so the web service can serve it.
Process contexts can be listed with
#ps -eZ
The type field of a process (for example httpd_t for the web server) is the domain it runs in; policy rules are written in terms of that domain and the types of the files it touches.
4. Restore default file contexts
Default contexts are configured in /etc/selinux/targeted/contexts/files/file_contexts. If you made a mistake with chcon and want a file back to its default context, the restorecon command resets it from that configuration file.
#restorecon -v /ftp resets the /ftp directory to its default context (-v prints each change):
drwxr-xr-x. root root system_u:object_r:default_t:s0 ftp
By default restorecon corrects only the type. #restorecon -F /ftp forces the user and role fields to be reset as well, again from /etc/selinux/targeted/contexts/files/file_contexts. Add -R to recurse into a directory tree.
The first entry in the context file is
/.* system_u:object_r:default_t:s0
a catch-all that matches any path; the more specific entries that follow, and anything in file_contexts.local, take precedence for the paths they match. That is why a new directory directly under / gets default_t.
Because chcon is undone by restorecon and by a relabel, the persistent way to label a non-standard directory is to record the rule with semanage fcontext -a -t <type> "/ftp(/.*)?" and then run restorecon -R /ftp; the rule lands in file_contexts.local and survives relabels.
file_contexts matters for another reason: a new file or directory inherits the type of its parent directory at creation time (unless the policy defines a transition). For example, a directory created inside /var gets the var_t type.
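Sections 3 and 4 together, as an added example that is not part of the original post: label the /ftp directory from the scenario above persistently (semanage fcontext followed by restorecon rather than chcon), then verify the result by parsing ls -dZ output. /ftp, /webcontent and the types public_content_rw_t and httpd_sys_content_t follow the post; the helper names and the "(/.*)?" pattern are this example's own. The semanage/restorecon branch needs root on an SELinux system; the parser runs anywhere.

```sh
#!/bin/sh
# Added example (not from the original post): persistent labeling of a
# non-standard service directory, plus a check of the resulting label.

# label_type: print the SELinux type from one "ls -Z" / "ls -dZ" line, e.g.
#   drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 ftp
# The context is the first field containing at least two colons.
label_type() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3) { print c[3]; exit }
    }'
}

# expect_type TYPE PATH: succeed if PATH currently carries TYPE.
expect_type() {
    [ "$(ls -dZ "$2" | label_type)" = "$1" ]
}

# persist_label DIR TYPE: record the rule, apply it, verify it (root only).
persist_label() {
    dir="$1" label="$2"
    # "(/.*)?" covers the directory itself and everything below it. -a fails
    # if a rule for the same path already exists, so fall back to -m (modify).
    semanage fcontext -a -t "$label" "$dir(/.*)?" ||
        semanage fcontext -m -t "$label" "$dir(/.*)?"
    # -R recurses, -v shows each change. Without -F only the type is reset;
    # -F would also reset the user/role fields that "chcon -u" may have changed.
    restorecon -Rv "$dir"
    expect_type "$label" "$dir"
}

case "${1:-}" in
    ftp) mkdir -p /ftp && persist_label /ftp public_content_rw_t ;;
    www) mkdir -p /webcontent && persist_label /webcontent httpd_sys_content_t ;;
esac
```

After ./label.sh ftp, semanage fcontext -l | grep '^/ftp' shows the stored rule, and a later restorecon or full relabel keeps public_content_rw_t instead of reverting to default_t as the chcon-only approach would.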
5. Use boolean settings to modify system SELinux settings.
Many SELinux policy settings are booleans: they are switched on and off by setting them to 1 or 0 (on or off). On RHEL 6 they are exposed under the /selinux/booleans directory of the selinuxfs mount.
For example user_ping, which is normally set to 1, allows ordinary users to run the ping command.
SELinux boolean settings are read with getsebool and modified with setsebool. For example, the following output of getsebool allow_user_exec_content confirms that SELinux lets users execute scripts in their home directories or in /tmp:
allow_user_exec_content --> on
This default applies to SELinux user_u users; such users can create and execute scripts in those directories. The boolean can be disabled either temporarily or in a way that survives a reboot, both with setsebool. The following command disables it until the system is rebooted:
#setsebool allow_user_exec_content off
You can also write =0 instead of off. The -P switch is required to make the change to the boolean survive a reboot (it rewrites the stored policy, so it takes a few seconds):
#setsebool -P allow_user_exec_content off
The full list of booleans and their current values is printed by
#getsebool -a
For a one-line description of each boolean, run
#semanage boolean -l
#semanage boolean -l | grep user_ping displays the description and state of the user_ping boolean.
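An added example that is not part of the original post: because setsebool -P rewrites the policy store on every call, a configuration script should first compare the desired booleans with getsebool -a and then issue a single -P call for only the ones that differ. The boolean names are those mentioned in this section; the desired-state list and the constructed getsebool output in the test are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent SELinux boolean
# enforcement. Reads "getsebool -a" output and emits only the changes needed.

# norm VALUE: map on/1/true and off/0/false to the on|off words getsebool uses.
norm() {
    case "$1" in
        on|1|true)   echo on ;;
        off|0|false) echo off ;;
        *) echo "bad boolean value: $1" >&2; return 1 ;;
    esac
}

# plan_changes 'name=value ...': read "getsebool -a" lines ("name --> on")
# on stdin and print the name=value pairs whose current state differs.
# Unknown boolean names are an error rather than silently ignored.
plan_changes() {
    current=$(cat)
    for want in $1; do
        name=${want%%=*}
        value=$(norm "${want#*=}") || return 1
        cur=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$cur" ]; then
            echo "unknown boolean: $name" >&2
            return 1
        fi
        [ "$cur" = "$value" ] || echo "$name=$value"
    done
}

# apply_plan 'name=value ...': one persistent setsebool call, or none at all.
apply_plan() {
    changes=$(getsebool -a | plan_changes "$1") || return 1
    if [ -n "$changes" ]; then
        # word splitting on the newline-separated list is intended
        setsebool -P $changes
    fi
}

case "${1:-}" in
    # assumption for the example: the state this host should be in
    apply) apply_plan 'allow_user_exec_content=off user_ping=on ftp_home_dir=on' ;;
esac
```

Running getsebool -a | plan_changes 'ftp_home_dir=on' by hand shows what apply would change without touching the policy, which is also a quick way to diff two hosts' boolean settings.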
6. Diagnose and address routine SELinux policy violations.
The most common SELinux-related problems are:
1. Labeling (a file or directory carries the wrong type)
2. Context (a process runs in a domain that is not allowed the access)
3. Boolean settings (the access is possible but switched off)
The first two show up in the contexts printed by ls -Z and ps -eZ.
SELinux audits
All logs associated with SELinux are in /var/log/audit/audit.log. The records in this file are hard to read the first time you see them, so several tools exist to help decipher them.
First, the audit search (ausearch) command filters for specific types of events:
#ausearch -m avc -c sudo lists all SELinux denials associated with the sudo command
-m avc selects access vector cache (AVC) messages, i.e. denials
-c selects records by the command name (comm field) in the log
-ts today limits the search to today's records
For an analysis of every problem in the log, with suggested fixes, run
#sealert -a /var/log/audit/audit.log
SELinux label and context issues
When the setroubleshoot-server package is installed, each denial also produces a one-line summary in /var/log/messages that ends with "run sealert -l <UUID>"; that command prints the explanation and the suggested fix (typically a restorecon, a setsebool, or a policy change):
#grep sealert /var/log/messages
#sealert -l <UUID>
To troubleshoot label and context issues, sealert identifies the problem and displays the possible solutions; check the target type it reports against the type the service expects (section 3) before applying any suggested change.
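An added example that is not part of the original post: audit.log records are line-oriented key=value text, so a denial summary grouped by process, source domain, target type, class and permission can be produced with awk before reaching for sealert. The AVC lines below are constructed for this example; the triage heuristic in likely_cause is this example's own rule of thumb, not anything the policy states.

```sh
#!/bin/sh
# Added example (not from the original post): summarise AVC denials offline.

# Constructed sample records (not taken from a real host): an httpd process
# denied read on a file labeled default_t, twice, and one network denial.
SAMPLE='type=AVC msg=audit(1363280389.555:26): avc:  denied  { read } for  pid=2130 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1363280390.101:27): avc:  denied  { read } for  pid=2130 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1363280402.774:31): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1363280402.774:31): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'

# avc_summary: read audit records on stdin, print one line per distinct
# (comm, source type, target type, tclass, permission) with a count, most
# frequent first. Non-AVC records (SYSCALL, CWD, PATH) are skipped.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perm = $0
        sub(/.*denied +[{] */, "", perm)     # keep text after "denied {"
        sub(/ *[}].*/, "", perm)             # drop everything from "}" on
        comm = st = tt = cls = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "scontext") { split(v, c, ":"); st = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
            else if (k == "tclass") cls = v
        }
        count[comm " " st " " tt " " cls " " perm]++
    }
    END { for (key in count) print count[key], key }
    ' | sort -k1,1nr -k2
}

# likely_cause TARGET_TYPE: rough triage (this example's heuristic, not a
# policy fact). Denials against generic or unlabeled types usually mean a
# mislabeled file; other target types more often point at a boolean or a
# missing rule, which is what sealert -l will tell you.
likely_cause() {
    case "$1" in
        default_t|unlabeled_t|file_t|admin_home_t) echo labeling ;;
        *) echo boolean-or-policy ;;
    esac
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE" | avc_summary ;;
    live) ausearch -m avc -ts today | avc_summary ;;   # needs root on a real host
esac
```

./avcsum.sh demo prints "2 httpd httpd_t default_t file read" first, which is the pattern of an httpd content directory labeled default_t (section 3); the second line, a name_connect to mysqld_port_t, is the kind of denial a boolean such as the httpd network-connect ones governs, and sealert -l on its UUID names the exact one.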