Wednesday 6 August 2014


RHCSA 7 Exam Notes #7: Manage Security


Word version available here:
https://drive.google.com/file/d/0B9WPh0iDN4KwTUJzWUpid0d1WlU/edit?usp=sharing

Configure firewall settings using system-config-firewall or iptables
GUI: Applications, Sundry, Firewall (or run firewall-config for the same GUI from the CLI)

The default zone is shown in bold; it can be changed via the Options menu, which also lets you tie interfaces to particular zones. My VM's interface is connected to the public zone. Services know which ports they need, so rules can target services rather than just ports. Services can be further locked down by IP address if required.

firewall-cmd               (command line equivalent)
firewall-cmd --panic-on          (or --panic-off; panic mode drops all packets, inbound and outbound)
firewall-cmd --reload
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-service=smtp --permanent
(or use --remove-port / --remove-service to get rid of settings; --permanent changes only take effect after a reload)

/etc/sysconfig/iptables           (This file is not used anymore but is still present)
You can switch back to using iptables, but as they refer to an invalid command in the requirements for this section I doubt they will ask for this; just in case:

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

Configure key-based authentication for SSH
/etc/ssh/sshd_config               (This is the main file to manipulate ssh authentication)
Remove the # in front of PubkeyAuthentication; it should be set to yes
Set PasswordAuthentication to no to ensure ssh keys are used only
ssh-keygen      (this generates two files in the ~/.ssh directory; you are prompted for a passphrase)
ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1.example.com    (copies the public key to the remote server you are going to log into)
ssh root@10.0.0.128             (Prompts for the passphrase and logs you in; if you left the passphrase blank it logs you straight in!)

Set enforcing and permissive modes for SELinux
getenforce                  (Checks current SELinux activation mode)
setenforce {Enforcing|Permissive}     (Sets activation mode to Enforcing or Permissive)

List and identify SELinux file and process context
sestatus -v                   (Checks current SELinux Status and File/Process contexts)
ll -Z /root/anaconda-ks.cfg     (Determine current SELinux context on file)

Restore default file contexts
restorecon -F /root
restorecon -F /root/anaconda-ks.cfg

Use boolean settings to modify system SELinux settings
semanage boolean -l              (run as root)
getsebool cvs_read_shadow   (lists status of cvs_read_shadow boolean)
setsebool -P httpd_can_network_connect_db on      (turns it on permanently)

Diagnose and address routine SELinux policy violations
yum -y install setroubleshoot setroubleshoot-server
getsebool -a | grep ftp           (Check booleans are on)
semanage port -l | grep http
semanage port -a -t http_port_t -p tcp 9876 (Permits non-standard port to be used)
chown apache:apache /var/www/html/index.html   (if file was owned by root)
semodule -DB             (Temporarily allow all denials to be logged)
semodule -B                (Revert)

ausearch -m avc -c httpd -ts today         (list all httpd denials from today; -ts recent gives the last 10 minutes; leave out -c httpd to show all)
aureport -a                  (Summary of audit system logs)
sealert -b                   (SELinux Alert Browser)
audit2allow -w -a        (Shows why access was denied)
audit2allow -a -M myrulefix   (gives the command to install myrulefix.pp from the current working directory and resolve the issue)

grep certwatch /var/log/audit/audit.log | audit2allow -R -M myrulefix2  (targets the certwatch issue in the logs and puts only the fix for this into the myrulefix2.pp file for installing later)
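To make the diagnosis steps above concrete, here is an added example (mine, not from the notes) that parses AVC denial records in the /var/log/audit/audit.log format and maps each one to the routine check from this section: a port-binding denial points at semanage port, an outbound-connect denial at a boolean, a file denial at the file context. The audit lines are constructed samples, not from a real system.

```python
import re

# Constructed sample records in audit.log format (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1407321600.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1407321601.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1407321602.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1407321602.789:458): arch=c000003e syscall=42 success=no exit=-13
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after the permission set


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for any other record."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    fields["perms"] = m.group("perms").split()
    fields["stype"] = fields["scontext"].split(":")[2]  # e.g. httpd_t
    fields["ttype"] = fields["tcontext"].split(":")[2]  # e.g. unreserved_port_t
    return fields


def suggest(d):
    """Map one denial to the routine check from the notes above (a heuristic, not a policy tool)."""
    perms, tclass, ttype = d["perms"], d["tclass"], d["ttype"]
    if tclass in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        proto = tclass.split("_")[0]
        return (f"port {d.get('port', d.get('src'))} is {ttype}: semanage port -l, then "
                f"semanage port -a -t <type allowed for {d['comm']}> -p {proto} {d.get('src')}")
    if tclass in ("tcp_socket", "udp_socket") and "name_connect" in perms:
        return f"outbound connect to {ttype}: getsebool -a | grep {d['stype'][:-2]}, then setsebool -P"
    if tclass in ("file", "dir", "lnk_file"):
        return f"{d.get('name', '?')} is {ttype}: ls -Z it, restorecon -F or chown, then audit2allow -w -a"
    return "no routine fix: audit2allow -w -a"


def triage(log_text):
    """Group denials by (comm, target type, class) -> (count, suggested check)."""
    out = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["comm"], d["ttype"], d["tclass"])
        out[key] = (out.get(key, (0,))[0] + 1, suggest(d))
    return out


if __name__ == "__main__":
    for (comm, ttype, tclass), (n, hint) in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{n:3d}x {comm} -> {ttype} ({tclass}): {hint}")
```

Feed it the real file with `triage(open("/var/log/audit/audit.log").read())`; it reports counts only and changes nothing on the system.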