Managing Security Flashcards

1
Q

access firewall through GUI

A

System -> Administration -> Firewall

Any changes made using this utility will overwrite any manual changes made to the iptables rules file.

2
Q

/etc/services

A

The /etc/services file is a list of predefined services along with the port numbers and protocols associated with them.

3
Q

Terminal interface to access firewall

A
# system-config-firewall-tui
Any changes made here will overwrite any manual changes made to the iptables rules file.
4
Q

netfilter

A

Netfilter is the standard firewall framework in the Linux kernel; it is controlled with the iptables command.

5
Q

files where firewall rules are stored

A

The firewall rules are stored in /etc/sysconfig/iptables.

6
Q

IPtables rules

A

The iptables rules consist of three chains:
INPUT: processes packets coming into the system.
FORWARD: processes packets that would be routed through the system.
OUTPUT: processes packets that originate from the system.
Example (as stored in /etc/sysconfig/iptables):
:INPUT ACCEPT [0:0] -> default policy of the INPUT chain is ACCEPT (packet/byte counters start at zero)
-A INPUT -i lo -j ACCEPT -> allow all input on the loopback interface
The iptables rules are processed from top to bottom; the first matching rule wins.

7
Q

IPtables command

A
# service iptables restart -> restarts the iptables service
# iptables -L -> list the rules currently loaded in memory
# iptables -F -> flush (remove) all rules
8
Q

Modifying firewall rules

A
When modifying firewall rules using the iptables command, it is better to insert (-I) than to append (-A). Insert puts the rule at the top of the INPUT chain, before the REJECT rules, whereas append puts it after them, where it would never be reached.
# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
This is only temporary: once the machine restarts (or the service restarts), the rule is lost. To make the change permanent:
# service iptables save
# service iptables restart
# iptables -D INPUT -p tcp --dport 21 -j ACCEPT -> delete the rule
# service iptables save
9
Q

Example on how to configure key-based authentication

A

# useradd user01 -> create the user on server01 and server02
# passwd user01
# su - user01 -> on server01, switch to this user
Generate a private/public key pair for key-based authentication:
$ ssh-keygen -b 2048 -t rsa -> RSA key with 2048 bits, no passphrase
$ ssh-copy-id -i .ssh/id_rsa.pub user01@server02 -> copy the public key to server02
On server02, edit /etc/ssh/sshd_config, set the following, then restart the sshd service:
PasswordAuthentication no
PubkeyAuthentication yes

Then from server01, ssh to server02.

10
Q

SELinux

A

Security Enhanced Linux

  • is a MAC (Mandatory Access Control) system
  • consists of kernel modules and tools in userspace. These kernel modules are known as Linux Security Modules.
  • utilizes the targeted policy
  • three modes for SELinux:
    • Enforcing - the default (all policies are enforced)
    • Permissive - policies are checked and logged but not enforced; used for troubleshooting issues
    • Disabled - no policies are checked; re-enabling afterwards requires a file system relabel (would take a long time, DO NOT USE IN EXAM)
  • access decisions (allowing or denying access) are cached
    • the cache is known as the Access Vector Cache (AVC)
  • AVC messages can be found in /var/log/messages or, better, in /var/log/audit/audit.log
  • messages contain:
    • scontext = source context (the process requesting access)
    • tcontext = target context (the object the process is accessing)
11
Q

Packages to install to troubleshoot SELinux

A

# yum install policycoreutils-gui setroubleshoot

  • then run system-config-selinux, or open it from the GUI:
    System -> Administration -> SELinux Management
12
Q

get and change SELinux modes

A

In the GUI, under the Status category, we can change the enforcing mode.
# getenforce -> see the current SELinux mode
# setenforce Permissive
# setenforce 0 -> boolean value:
-> 0 - Permissive
-> 1 - Enforcing
For a permanent change, edit /etc/selinux/config.

You can also get the current SELinux status using:
# sestatus
# setenforce Enforcing -> set enforcing mode
13
Q

List and identify SELinux file and process context

A
To get the SELinux file context:
# ls -Z
To get the SELinux process context:
# ps -eZ
Any process labelled unconfined_t is not confined by SELinux.
14
Q

change security context on a file

A
To change the security context on a file:
# chcon --reference /root/anaconda-ks.cfg_backup /etc/ssh/sshd_config
-> copies the context from the anaconda file to the sshd_config file
-> this will actually break the sshd service: if you try to start the service, you'll get an AVC denial error
15
Q

Parsing SELinux AVC messages

A
You can use the sealert command to parse SELinux AVC messages:
# sealert -a /var/log/audit/audit.log
16
Q

restore SELinux file context

A
Use the restorecon command to restore the default SELinux file context:
# restorecon -R -v /etc/ssh/sshd_config
17
Q

To set the security context of the file (not mandatory)

A
# chcon -t etc_t /etc/ssh/sshd_config -> temporary fix
# semanage fcontext -a -t etc_t "/etc/ssh/sshd_config" -> to make it permanent
# restorecon -R -v /etc/ssh/sshd_config -> also needed to apply the permanent change
18
Q

list SELinux Booleans

A

To see a complete list of SELinux Booleans on your system at the command line, run:
# semanage boolean -l | less
You can also use the system-config-selinux application.
# getsebool -a | grep ftp -> get the booleans for the ftp service

To get a more detailed list of SELinux booleans using the semanage command, you might need to install it first:
# yum install -y setroubleshoot-server
# semanage boolean -l
To get a list of SELinux booleans assigned a non-default value:
# more /etc/selinux/targeted/modules/active/booleans.local
19
Q

set SELinux boolean for services

A
# setsebool ftp_home_dir on -> you can also use off, 0 or false to turn off, and on, 1 or true to turn on
# setsebool -P ftp_home_dir on -> for a permanent change
20
Q

Display the SELinux policy violations

A

You'll need to install setroubleshoot-server:
# yum install -y setroubleshoot-server
To display the SELinux policy violations:
# sealert -a /var/log/audit/audit.log