Chap 11 System Admin: Core Concepts
A well-maintained system…
Runs quickly enough so users don’t get frustrated
Has enough storage to accommodate users’ reasonable needs
Provides a working environment appropriate to each user’s abilities and requirements
Is secure from malicious and accidental acts altering its performance or compromising the security of the data it holds
Is backed up regularly
Has recent copies of necessary software
Is easier to administer than a poorly maintained system
System admin and Superuser
Root (superuser)
–Can add users, partition hard drives, change system configuration files. sudo can be used to give specific users permission to perform tasks that are normally reserved for the superuser.
–rwx file and directory access permissions do not affect root. The superuser can read from, write to, and execute all files.
–Root can change a password without knowing the old password
–The root prompt is #
–/bin and /usr/bin contain utilities used often by root. Included in root’s path; other users must access them by absolute path name.
Ways to gain or grant su privileges
Bringing up the system in single user mode
Log in as root
su when logged in as a regular user and respond with the root password
sudo can give users superuser privilege for a limited amount of time on a per-user and per-command basis.
Creating a setuid program. Remember that when an ordinary user executes a file that is owned by root and has setuid permissions, the program has full root privileges. Examples: passwd, at, crontab
Disabling setuid
Setuid can be disabled at the file system level by mounting a file system with the nosuid option.
Root Security Concerns
The /etc/securetty file controls which terminals a user can log in on as root.
The /etc/security/access.conf file specifies login controls (see example)
RHEL and Fedora Core prohibit the login of root over the Internet. Implemented by the PAM securetty module.
/etc/security/access.conf must contain the names of all users and terminals/workstations that you want a user to be able to log in as root from. Initially every line is commented out.
Root can log in over a network using ssh.
System Administration Tools
su user – can create a shell or execute a program as the specified user
Recommendation: use /bin/su in case someone has compromised your system with a fake su command
su spawns a new shell, but does not re-run the PATH statement or change the environment
su - or su -l recreates the root environment as well as running the path
consolehelper
The consolehelper utility makes it easier for a non-root user to run root system programs. PAM, which authenticates users, can be set to trust all console users, to require user passwords, or to require root passwords before granting trust.
For example, a user can log in to the console as himself and run halt without knowing the root password.
kill
kill -15 pid - use first
kill -9 pid - use only as a last resort because of the inherent dangers
top can also be used to kill a process by using the k option
pidof vi
killall xeyes vi
Rescue Mode
Used to fix a system that is not booting normally
1. Boot from the rescue or installation CD
2. At the boot: prompt, press Enter
3. linux rescue
In rescue mode, you can change or replace configuration files, check and repair partitions using fsck, and more
Avoiding Trojan Horses
Make sure that the PATH variable doesn’t contain : at the beginning or end of the path string
Make sure that there are no :: anywhere in the string
(An empty component is searched as the current directory, so a program planted there could be run in place of the intended one.)
Checking for setuid files
find / -perm -4000 -exec ls -lh {} \; 2>/dev/null
(-perm -4000 selects files with the setuid bit set; 2>/dev/null discards errors from unreadable directories)
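The PATH check and the setuid hunt from the two slides above, as an added shell example that is not part of the original slides: check_path reports the empty or "." components that make a Trojan horse possible, and list_setuid wraps the find command with a directory argument so it can be pointed at a single tree.

```shell
#!/bin/sh
# Added example (not from the slides): audit a PATH string for the empty
# components the slide warns about, and list setuid files under a directory.

# check_path PATHSTRING: prints each problem found; returns 1 if any, else 0.
# An empty component (leading ':', trailing ':', or '::') is searched as the
# current directory, so a planted program in a shared directory would be
# picked up before or after the real one, depending on where the gap is.
check_path() {
    p=$1
    bad=0
    case "$p" in
        :*)    echo "leading ':' (current directory searched first)"; bad=1 ;;
    esac
    case "$p" in
        *:)    echo "trailing ':' (current directory searched last)"; bad=1 ;;
    esac
    case "$p" in
        *::*)  echo "'::' inside PATH (current directory searched)"; bad=1 ;;
    esac
    case ":$p:" in
        *:.:*) echo "explicit '.' component (same risk, spelled out)"; bad=1 ;;
    esac
    return "$bad"
}

# list_setuid DIR: the slide's find command restricted to regular files.
# -perm -4000 matches files whose setuid bit is set; errors from unreadable
# directories are discarded exactly as in the original one-liner.
list_setuid() {
    find "$1" -type f -perm -4000 -exec ls -lh {} \; 2>/dev/null
}
```

Run check_path "$PATH" from a root shell; a zero exit status means none of the risky components are present.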
SELinux
Traditional Linux security, called Discretionary Access Control (DAC), is based on users and groups.
SELinux (Security Enhanced Linux) was developed by the US National Security Agency and implements Mandatory Access Control (MAC) in the Linux kernel.
MAC enforces security policies that limit what a user or program can do. It defines a security policy that controls some or all objects, such as files, devices, sockets, and ports, and some or all subjects, such as processes.
SELinux
Using SELinux, you can grant a process only the permissions that it needs to be functional, following the principle of “least privilege”
The kernel processes the MAC rules after it processes the DAC rules
SELinux States
Enforcing/Active – default state. The SELinux security policy is enforced. No user or program will be able to do anything not permitted by the security policy
Permissive/Warn – diagnostic state, wherein SELinux sends warning messages to a log but does not enforce the security policy; can easily change to enforcing or disabled
Disabled – no policy is loaded
Degradation
Running SELinux in permissive or enforcing state degrades system performance between 5 and 10 percent.
SELinux Policies
Targeted – applies SELinux MAC controls only to certain targeted processes. Daemons and system processes that do not have a specified policy are controlled by traditional Linux DACs.
Strict – applies SELinux MAC controls to all processes. Very, very restrictive
Turning off SELinux
Modify the /etc/selinux/config file so that it includes the line SELINUX=disabled and reboot, or use system-config-securitylevel
The SELinux Configuration File
The /etc/selinux/config file, which has a link to /etc/sysconfig/selinux, controls the state of SELinux on the local system
Although you can modify this file, it may be more straightforward to work with system-config-securitylevel
To display the state of SELinux: sestatus
system-config-securitylevel utility
The system-config-securitylevel utility displays the Security Level Configuration window, which controls SELinux. To run this utility, enter system-config-securitylevel from a command line in a graphical environment
Booting the System
Booting is actually loading the kernel into system RAM and starting it running.
As the last step of the boot procedure, Linux runs the init program as PID 1. The init program is the first genuine process to run after booting and is the parent of all system processes.
/etc/inittab holds the initdefault entry that tells init what runlevel to bring the system to. 3 – text login, 5 – GUI
Level  Name                   Login  Network  Filesystems
0      halt
1      Single user            Text   Down     Mounted
2      Multiuser without NFS  Text   Up       Mounted
3      Multiuser              Text   Up       Mounted
4      User defined
5      Multiuser with X       GUI    Up       Mounted
6      reboot
Init Scripts: start and stop system services
The first script that runs is /etc/rc.d/rc.sysinit, which performs basic system configuration.
Next, the /etc/rc.d/rc init script runs the scripts for the services that need to be started when you first bring the system up and, on a runlevel change, the scripts for the services that need to be started or stopped.
The rc scripts are shell scripts located in the /etc/rc.d/init.d directory and are run via symbolic links in the /etc/rc.d/rcn.d directories, where n is the runlevel the system is entering.
rc scripts
The /etc/rc.d/rcn.d directory contains scripts whose names begin with K (kill) and scripts whose names begin with S (start).
When entering a new runlevel, each K script is executed sequentially with a parameter of stop and each S script is executed with a parameter of start
/etc/rc.d/init.d
Each script should have a link in /etc/rc.d/rcn.d. The script names are functional and can be used with the start or stop parameter to control these processes
To start/stop system services
/etc/rc.d/init.d/nfs stop
/etc/rc.d/init.d/network start
/etc/rc.d/init.d/network restart
/etc/rc.d/rc.local
This file is executed after the other init scripts. Put commands that customize the system in rc.local
service
RHEL provides service, a utility that reports on or changes the status of any of the system services in /etc/rc.d/init.d
/sbin/service nfs stop
/sbin/service network start
/sbin/service network restart
chkconfig
chkconfig configures services. It can add, remove, and list startup information, and check the directory hierarchy (it configures /etc/rc.d). It changes the configuration only, not currently running services!
To see the list of services configured at each runlevel: chkconfig --list (2 dashes!)
To turn on httpd at runlevels 2, 3, and 4: chkconfig --level 234 httpd on
chkconfig cont.
If you omit the levels, chkconfig defaults to levels 2, 3, 4, and 5.
chkconfig sshd off will turn off sshd for runlevels 2, 3, 4, and 5
chkconfig sets up the configuration file so that the services specified will be started at boot-up time.
chkconfig cont.
chkconfig will not turn off services immediately. You must restart the system for changes to take effect.
To start or stop services immediately: service sshd stop
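A minimal init script of the kind the init.d, service and chkconfig slides above operate on, as an added shell example that is not part of the original slides. The "chkconfig:" and "description:" comment lines are the real header chkconfig reads to create the S and K links; the daemon it manages is a stand-in sleeping process, and PIDFILE is an assumed writable location.

```shell
#!/bin/sh
# Added example (not from the slides): a minimal SysV-style init script of the
# kind that lives in /etc/rc.d/init.d and is driven by the start/stop/restart
# parameter the rc links pass it. The header below is what "chkconfig --add"
# reads: start in runlevels 2345, S-link priority 80, K-link priority 20.
#
# chkconfig: 2345 80 20
# description: demo-service, used to illustrate start/stop/status handling

PIDFILE=${PIDFILE:-/tmp/demo-service.pid}   # assumed writable location

start() {
    if status >/dev/null; then
        echo "demo-service is already running"; return 0
    fi
    sleep 300 &                    # stand-in for the real daemon
    echo $! >"$PIDFILE"
    echo "Starting demo-service: OK"
}

stop() {
    if [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "Stopping demo-service: OK"
    else
        echo "demo-service is not running"
    fi
    rm -f "$PIDFILE"               # stopping a stopped service is still success
}

status() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "demo-service (pid $(cat "$PIDFILE")) is running"; return 0
    fi
    echo "demo-service is stopped"
    return 3                       # LSB status code: program is not running
}

# dispatch ACTION: what the script does with its start/stop/restart/status parameter.
dispatch() {
    case $1 in
        start)   start ;;
        stop)    stop ;;
        restart) stop; start ;;
        status)  status ;;
        *)       echo "Usage: $0 {start|stop|restart|status}"; return 2 ;;
    esac
}

[ $# -eq 0 ] || dispatch "$1"      # act on the parameter when run directly
```

Installed as /etc/rc.d/init.d/demo-service, it would be controlled with service demo-service start and registered with chkconfig --add demo-service.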
To change modes while running
/sbin/telinit 1 – changes to runlevel 1
telinit 3 – changes to runlevel 3
runlevel – displays the current runlevel
Shutdown options
To stop the system: shutdown -h now
To reboot the system: shutdown -r now
rpcinfo
rpcinfo displays information about programs registered with portmap and makes RPC calls to programs to see if they are alive.
-p (probe) lists all RPC programs on host, or on the local system if no host is specified
-n (port number)
-u (UDP)
-t (TCP)
rpcinfo -p hostname
rpcinfo cont.
Because the portmap daemon holds information about which servers are running on the local system and which port each server is running on, only trusted systems should have access to this information.
You can lock it down by adding ‘portmap: hostIP’ to hosts.allow and by placing ‘portmap: ALL’ in hosts.deny
xinetd Superserver
More secure than inetd. Listens for network connections. When one is made, it launches a server daemon and forwards the data from the socket to the daemon’s standard input.
Configuration file: /etc/xinetd.conf
PAM
Linux Pluggable Authentication Modules allow a system administrator to determine how applications use authentication to verify the identity of a user.
Example configuration file: /etc/pam.d/login
TCP Wrappers
When you open a local system to access from remote systems, you must ensure that the following are met:
–Open the local system only to systems you want to allow to access it
–Allow each remote system to access only the data you want it to access.
–Allow each remote system to access data only in the proper manner
TCP wrappers
TCP wrappers can be used for any daemon that is linked against libwrap.a. They rely on the /etc/hosts.allow and /etc/hosts.deny files for access control.
If the daemon/client pair matches a line in hosts.allow, access is granted.
If the daemon/client pair matches a line in hosts.deny, access is denied.
If there is no match in either, access is granted.
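The three-step decision just described, as an added shell model that is not part of the original slides. It handles only exact daemon and client names plus the ALL wildcard (the real library also accepts domains, network masks and netgroups); the hosts.allow and hosts.deny contents are constructed and include the portmap lock-down from the rpcinfo slide.

```shell
#!/bin/sh
# Added example (not from the slides): a simplified model of the TCP-wrappers
# access decision. hosts.allow is consulted first, then hosts.deny, and a
# daemon/client pair that matches neither is allowed. Only "daemon: client"
# lines with exact names/addresses and the ALL wildcard are modelled.

# Constructed sample files (contents of /etc/hosts.allow and /etc/hosts.deny).
ALLOW='# trusted monitoring host may query portmap; ssh open to everyone
portmap: 192.168.1.10
sshd: ALL'
DENY='portmap: ALL
in.telnetd: ALL'

# rule_matches RULES DAEMON CLIENT: succeeds if some line in RULES covers the
# pair. The loop runs in a subshell (pipeline), so "exit" only leaves the loop.
rule_matches() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case $line in ''|\#*) continue ;; esac        # blank or comment
            d=$(printf '%s' "${line%%:*}" | tr -d ' \t')  # daemon field
            c=$(printf '%s' "${line#*:}"  | tr -d ' \t')  # client field
            if { [ "$d" = ALL ] || [ "$d" = "$2" ]; } &&
               { [ "$c" = ALL ] || [ "$c" = "$3" ]; }; then
                exit 0
            fi
        done
        exit 1
    }
}

# tcpwrap_decision DAEMON CLIENT: prints "allow" or "deny" in the slide's order:
# hosts.allow match -> allow, hosts.deny match -> deny, no match -> allow.
tcpwrap_decision() {
    if rule_matches "$ALLOW" "$1" "$2"; then echo allow
    elif rule_matches "$DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}
```

Note the last branch: a daemon with no line in either file (in.ftpd here) is reachable from anywhere, which is why a catch-all deny line is common practice.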
cron
cron is a system scheduler. It uses the crond daemon and the crontab to allow you to run repetitive tasks at the time and date specified by a user in the user’s crontab file.
Entries run with the user’s ID and privileges and are stored under the username.
cron wakes up every minute to check whether there are jobs that need to be run.
cron example
To create or modify the configuration file use:
–crontab -e
This will allow you to edit your own crontab using vi
To view the contents of the file use:
–crontab -l
To delete the file use:
–crontab -r
Your configuration file is stored in the directory /var/spool/crontabs under your username.
The crond daemon checks the crontab files every minute to determine if a task should be launched in that minute.
Each line in a crontab file has 6 fields:
–minute
–hour
–day of the month
–month
–day of the week
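A checker for the crontab line layout just described, as an added shell example that is not part of the original slides. It validates the five time fields against their ranges (minute 0-59, hour 0-23, day of month 1-31, month 1-12, day of week 0-7), accepts the *, list, range and /step forms, and requires the sixth field, the command, to be present.

```shell
#!/bin/sh
# Added example (not from the slides): validate crontab lines against the
# six-field layout (minute hour day-of-month month day-of-week command).

# field_ok SPEC LO HI: accept "*", N, A-B, each optionally "/STEP", and
# comma-separated lists of those; every number must lie within LO..HI.
field_ok() {
    spec=$1; lo=$2; hi=$3
    old_ifs=$IFS; IFS=,; set -f      # split on commas, no glob expansion of "*"
    set -- $spec
    IFS=$old_ifs; set +f
    for item in "$@"; do
        base=${item%%/*}
        step=${item#*/}; [ "$step" = "$item" ] && step=1   # no "/STEP" given
        case $step in *[!0-9]*|'') return 1 ;; esac
        [ "$step" -ge 1 ] || return 1
        case $base in
            '*') ;;
            *-*) a=${base%%-*}; b=${base#*-}
                 case $a in *[!0-9]*|'') return 1 ;; esac
                 case $b in *[!0-9]*|'') return 1 ;; esac
                 [ "$a" -ge "$lo" ] && [ "$b" -le "$hi" ] && [ "$a" -le "$b" ] || return 1 ;;
            *)   case $base in *[!0-9]*|'') return 1 ;; esac
                 [ "$base" -ge "$lo" ] && [ "$base" -le "$hi" ] || return 1 ;;
        esac
    done
}

# cron_line_ok LINE: succeeds when the five time fields are valid and a
# command follows them (field 6 onward is the command and its arguments).
cron_line_ok() {
    set -f; set -- $1; set +f        # split on whitespace; keep "*" literal
    [ $# -ge 6 ] || return 1
    field_ok "$1" 0 59 && field_ok "$2" 0 23 && field_ok "$3" 1 31 &&
        field_ok "$4" 1 12 && field_ok "$5" 0 7
}
```

Feeding the output of crontab -l through cron_line_ok line by line catches typos that crond would otherwise silently turn into jobs that never fire.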