Manage security

Question 1

how to set firewall zone

Answer 1

firewall-cmd –set-default-zone=dmz

Question 2

how to allow specific IP/range through firewall

Answer 2

firewall-cmd –permanent –zone=internal –add-source=192.168.0.0/24

Question 3

how to allow specific service through firewall

Answer 3

firewall-cmd –permanent –zone=internal –add-service=mysql

Question 4

how to allow specific port through firewall

Answer 4

firewall-cmd –permanent –zone=internal –add-port=1001/tcp

Question 5

how to save current firewall rules

Answer 5

firewall-cmd –reload

Question 6

how to list firewall rules by zone

Answer 6

firewall-cmd –permanent –zone=internal –list-all

Question 7

how to set ACL on a file for a specific user

Answer 7

setfacl -m u:name:rwX file

Question 8

how to delete all ACL rules on a file

Answer 8

setfacl -x file

Question 9

how to set ACL on a directory and all files under it

Answer 9

setfacl -R -m d:u:name:rwX directory

Question 10

how to check ACL’s on a file

Answer 10

getfacl file-A

Question 11

how to copy ACL’s that one file has to another easily

Answer 11

getfacl file-A | setfacl –set-file=- file-B

Question 12

how to live change SELinux to enforcing

Answer 12

setenforce 1

Question 13

how to live change SELinux to permissive

Answer 13

setenforce 0

Question 14

how to check current status of SELinux

Answer 14

getenforce

Question 15

where is the file to permanently change SELinux mode

Answer 15

vim /etc/selinux/config

Question 16

how to check SELinux context of a file

Answer 16

ls -Z /file/or/folder

Question 17

how to change SELinux context of a file

Answer 17

chcon -t httpd_sys_content_t /virtual
Or (this sets it for that folder and anything under it)
semanage fcontext -a -t httpd_sys_content_t ‘/virtual(/.*)?’

Question 18

how to restore default file context

Answer 18

restorecon -v /virtual
or recursively for that folder and everything under it
restorecon -RFvv /virtual

Question 19

how to view the documents with the descriptions of the purpose of each available SELinux booleans

Answer 19

(first make sure they are installed “selinux-policy-doc”)

man -k ‘_selinux’

Question 20

how to list all SELinux booleans and their state

Answer 20

getsebool -a

Question 21

how to list a specific SELinux boolean and its state

Answer 21

getsebool httpd_enable_homedirs

Question 22

how to temporarily change the state of a SELinux boolean

Answer 22

setsebool httpd_enable_homedirs on

Question 23

how to permanently change the state of a SELinux boolean

Answer 23

setsebool -P httpd_enable_homedirs on

Question 24

how to list SELinux booleans in which the current state differs from the default state

Answer 24

semanage boolean -l -C

Question 25

what log file would you check for SELinux policy violations

Answer 25

tail /var/log/messages

Question 26

what command would you run to get extra information on a SELinux violation

Answer 26

sealert -l 613ca624-248d-48a2-a7d9-d28f5bbe2763

Question 27

what command would you use to easily see recent audit messages

Answer 27

ausearch -m AVC -ts recent

To search the /var/log/audit.log file use the ausearch command. The -m searches on the message type. The -ts option searches based on time.

Question 28

how to block an IP address/range through the firewall

Answer 28

firewall-cmd –permanent –zone=block –add-source=192.168.0.1/32