Pre-Installation consideration
1. What partition schema will be used
Software RAID:
LVM:
Traditional Partition schema
2. What file system
Each of the various file system types available have distinct advantages and disadvantages. System performance can be tuned by selecting a file system that best fits the expected usage of the system.
3. Role of the system
Every software package installed on the system should be considered a potential security vulnerability. One of the most important steps in securing a system is simply ensuring that it is not running any services that are not absolutely required.
4. OS partition and drive constraints.
Sharing partitions between operating systems. For example, a single shared swap partition can be mounted by each of three different Linux installations. When Linux and Windows co-exist in a dual-boot setup, a shared data partition is very useful.
5. Backing up and restoring the MBR
Issue the following command as root to back up the MBR installed in the system. If Linux is not installed, boot from a bootable Linux disk or CD and run it from there:
## If your hard disk is IDE-based:
dd if=/dev/hda of=MBR bs=446 count=1
## On SCSI hard disks, issue the following command instead:
dd if=/dev/sda of=MBR bs=446 count=1
A file named MBR is then created in root's current directory (root's home directory).
To restore the MBR, issue the following command:
dd if=MBR of=/dev/hda bs=446 count=1
## dd is the raw data copy command: the if= parameter is the source and of= is the target.
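To see what the 446-byte backup above does and does not cover, here is an added example (not from the original notes) that runs the same dd commands against a throw-away disk image named mbr-demo.img in place of /dev/hda, then simulates a wiped first sector and restores it; the image path and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): run the notes' 446-byte MBR
# backup and restore against a throw-away disk image instead of /dev/hda,
# so it needs no root, and show what those 446 bytes do and do not cover.
# Assumes only a POSIX shell with dd, cmp and head.
set -e

IMG="${TMPDIR:-/tmp}/mbr-demo.img"   # constructed stand-in for /dev/hda
BAK="${TMPDIR:-/tmp}/MBR"            # the backup file the notes call MBR

# A 1 MiB image whose first sector is random, so changes are easy to see.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    dd if=/dev/urandom of="$IMG" bs=512 count=1 conv=notrunc 2>/dev/null
}

# The backup command from the notes, with the image in place of the device.
backup_mbr() { dd if="$IMG" of="$BAK" bs=446 count=1 2>/dev/null; }

# The restore command from the notes. conv=notrunc is needed only because
# the target here is a regular file (dd would otherwise truncate it to
# 446 bytes); writing to a block device never truncates it.
restore_mbr() { dd if="$BAK" of="$IMG" bs=446 count=1 conv=notrunc 2>/dev/null; }

# Size of the backup in bytes; the notes' command yields 446.
backup_size() { wc -c < "$BAK" | tr -d ' '; }

# Succeeds when the first 446 bytes of the image equal the backup.
bootcode_matches() { head -c 446 "$IMG" | cmp -s - "$BAK"; }

# Succeeds when bytes 447-512 (partition table + 0x55AA signature) of the
# image still equal the copy saved in $IMG.ptable.
ptable_matches() { dd if="$IMG" bs=1 skip=446 count=66 2>/dev/null | cmp -s - "$IMG.ptable"; }

# Simulate a wiped first sector (another OS installer, a stray dd), restore
# from the backup and report what came back: 0 = boot code restored and,
# as expected for a 446-byte backup, partition table NOT restored.
demo() {
    make_image
    backup_mbr
    dd if="$IMG" of="$IMG.ptable" bs=1 skip=446 count=66 2>/dev/null
    dd if=/dev/zero of="$IMG" bs=512 count=1 conv=notrunc 2>/dev/null
    restore_mbr
    bootcode_matches || return 1     # boot code should be back
    ptable_matches && return 2       # table was zeroed and is still zero
    return 0
}

demo && echo "boot code restored; the 446-byte backup does not cover the partition table"
```

A full first-sector backup (partition table included) would be bs=512 with the same count; the notes' 446 bytes deliberately leave the table alone so a restore cannot clobber partitions changed since the backup.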
6. Partition consideration
Partition table structure.
File systems are not typically created on bare hard drives; rather, they are created on partitions.
Required Partitions:
Partitions serve many useful purposes. They impose maximum size limits to file systems, making them useful security tools for constraining usage of system resources. Partitions also make it easy to divide up hard drive space into smaller functional units, simplifying long-term system management.
The first required partition is the /boot partition, which contains only the essential files needed to boot Linux.
The second is a swap partition, used to page programs out of RAM.
The third required partition is the root partition, /, which needs to be large enough to contain all other files that will be installed.
There may be other partitions, depending on the Linux distribution.
Journaling File system implementation
All file systems are essentially databases which organize files on a disk by using metadata about the files to locate them. When a file is modified in any way, two file system transactions are required: the first updates the data and the second updates the metadata. In an inconsistent file system, the data and the metadata disagree. When the file system is in an inconsistent state, it must be repaired using fsck.
Journal-based file systems remove this need for fsck to repair inconsistencies by keeping a journal of all intended transactions before they are carried out. This introduces a little more file system overhead, but makes recovery from any inconsistency trivial, since any incomplete transactions listed in the journal simply need to be rolled back to repair the file system.
Traditional Linux filesystem ext2 does not journal data or metadata.
Some journal-based file systems include : ext3, ReiserFS, JFS by IBM, XFS.
Installation Modes: GUI, Text, Kickstart.
If a mouse is plugged into the system, and the installer is able to initialize video card, graphical mode is the default. Text mode is similar to the graphical mode and is even available over serial consoles, making the installation of headless servers possible. Semi- and fully-automated installation is possible using kickstart configuration files.
It seems the GUI install can use VNC; it's really amazing, maybe I need to try it.
Linux Devices Files
The /dev directory is usually the only directory with any device files.
System boot procedure
LILO and GRUB
LILO and GRUB use different processes and procedures.
/sbin/init program
On all Unix systems, the final action taken by the kernel during system boot-up is to start an initial program, usually /sbin/init. This initial program always has a process ID of 1, and its successful operation is absolutely essential for the stability of the system. Linux and most other Unix kernels will crash if this initial program ever stops running for any reason.
runlevel
After the kernel runs /sbin/init, init reads its configuration file and starts all programs listed there, bringing the system up to a predefined working state or run level. BSD-style init programs have only one pre-defined runlevel to which they can start, while System V-derived init programs usually have a variety of different pre-defined runlevels which can be selected. System V-style init makes it possible to configure the system in a variety of different ways; these different runlevels can then be selected as necessary, depending upon circumstances. Most Unixes and Linux distributions these days use System V-style init rather than BSD-style init.
Predefined run levels include the following (the comments in the /etc/inittab file list the run levels available on a given system):
0 - halt
1 - Prepare for single user mode
2 - Full multi-user, without networking
3 - Full multi-user mode with text mode login
4 - unused
5 - Full multi-user mode with graphical X11 login
6 - reboot
s,S,single - Single-user mode
emergency - Given root shell (sulogin); no scripts run
On Oracle EL, init has been patched to run /bin/bash when entering runlevel S, rather than /sbin/sulogin. So changing to or booting into either runlevel 1 or S provides a root shell without requiring a root password. On some distributions, the only way to get a root shell without providing the root password is to boot with the init=/bin/bash or a similar kernel parameter.
Runlevels are implemented as directories on the system which contain shell scripts to start and stop specific services for the given runlevel. The system has directories for runlevels 0 through 6, respectively: runlevel 0 in /etc/rc0.d, runlevel 1 in /etc/rc1.d, ... The scripts within each directory are named with either a capital S or a capital K, followed by a two-digit number, followed by the name of the service being referenced. Names beginning with a capital S represent scripts which are started upon entering that runlevel, while names beginning with a capital K represent scripts which are stopped; the numbers specify the order in which the scripts should be executed.
All scripts in /etc/init.d or /etc/rc#.d must support two parameters: start and stop.
Service in the linux
Services on Linux are either started directly by SysV init scripts, or started by the xinetd super server. Which services automatically start in a given run level can be controlled manually: ln -s and rm can be used to create and delete the symbolic links in the runlevel directories.
The files /etc/passwd and /etc/group store user account information. Each line of the passwd file lists a separate user account and consists of seven colon-delimited fields.
The group file contains a separate line for every group defined on the system.
The shadow password system overcomes security deficiencies inherent in the original Unix password system. Encrypted passwords are instead stored in separate files which only the root user can read. User passwords are stored in the shadow file; group passwords are stored in gshadow.
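As an added example, not from the original notes, the following shell functions audit a passwd file for exactly the weaknesses the shadow system addresses: accounts with UID 0, accounts with an empty password field, and accounts whose hash still sits in world-readable passwd rather than in shadow. The sample file, its account names and its hash value are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a passwd file for the
# weaknesses the shadow system exists to remove. It runs on a constructed
# sample (no root needed); pass /etc/passwd to the functions to audit a real
# host. Assumes a POSIX shell and awk.
set -e

SAMPLE="${TMPDIR:-/tmp}/passwd.sample"
# Constructed seven-field lines: name:password:UID:GID:GECOS:home:shell.
# The hash on the backup line is a made-up placeholder, not a real hash.
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
oracle:x:500:500:Oracle software owner:/home/oracle:/bin/bash
backup:$1$saltsalt$placeholderhashvalue000:501:501:legacy:/home/backup:/bin/bash
guest::502:502:no password at all:/home/guest:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
EOF

# Helper: print field 1 of the lines matching an awk pattern ($1) in file $2
# as one comma-separated list (empty output when nothing matches).
names() { awk -F: "$1"' { n = n sep $1; sep = "," } END { print n }' "$2"; }

# Every account with UID 0 is root, whatever it is called.
uid0_accounts() { names '$3 == 0' "$1"; }

# An empty password field means login asks for no password at all.
empty_password_accounts() { names '$2 == ""' "$1"; }

# A hash still in world-readable passwd instead of shadow. "x" defers to
# /etc/shadow; "*" and "!" are locked placeholders, not hashes.
unshadowed_accounts() { names '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!"' "$1"; }

# Count lines that do not have exactly seven colon-separated fields.
malformed_lines() { awk -F: 'NF != 7' "$1" | wc -l | tr -d ' '; }

echo "uid 0:      $(uid0_accounts "$SAMPLE")"
echo "no passwd:  $(empty_password_accounts "$SAMPLE")"
echo "unshadowed: $(unshadowed_accounts "$SAMPLE")"
echo "malformed:  $(malformed_lines "$SAMPLE")"
```

On the constructed sample this reports root,toor as UID 0, guest as passwordless and backup as unshadowed; on a healthy host every list but root's should be empty.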
Login's behavior
/etc/nologin: created by the root user to prevent all logins to the system by non-root users. All users attempting to log in will be refused access and shown the contents of this nologin file.
/etc/securetty: restricts root access to the machine; root logins are permitted only on the terminal devices listed in this file.
.hushlogin in the user's home directory: if it exists, login will suppress the display of most initial messages.
/etc/issue and /etc/issue.net: pre-login message files.
/etc/motd: displayed by the login program after a successful login.
PAM : pluggable authentication modules.
File sharing via NFS:
NFS is the standard UNIX file sharing protocol. Alternatives to NFS include AFS, Coda, GFS, SFS.
/etc/exports file: All NFS shares are defined in the /etc/exports file.
exportfs -vra : command to notify the kernel that the /etc/exports file has been changed and to re-read and make the current sharing match what is in the file.
Swap
System administrators need to pay close attention to swap usage and needs. Memory usage and swap usage can be checked using tools such as free, top, vmstat, cat /proc/meminfo and swapon -s
Adding additional swap space is a three-step process (see page 228).
Disk usage
df and du commands.
File systems can run out of both free space (data blocks) and name space for new files (inodes), so usage of both needs to be monitored.
Disk Quotas
Quotas can be implemented on a user and/or group basis. User quotas are enabled by the usrquota mount option and group quotas are enabled by the grpquota mount option.
File Access Control Lists
FACLs provide the flexibility to assign permissions for multiple users and groups to a single file. This is different from the standard owner/group/other permissions.
The setfacl command…
Use ls -l to check whether a file has a FACL attached:
-rw-rw----+ root root *** hello.txt
The + means there is a FACL attached.
Most backup software does not yet have the capability to back up FACLs along with other file metadata.
getfacl -R * > FACLs.txt
creates a file with the ACLs of all files in the current directory, including sub-directories.
Then
setfacl --restore=FACLs.txt
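Since ls -l shows only a + for files with extended ACL entries, the following added example (not from the original notes) reads a getfacl -R dump in the FACLs.txt format and lists which files grant access beyond owner/group/other, and which entries do so; the dump contents, file names and group names in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: find which files in a
# getfacl -R dump (the FACLs.txt the notes create) carry extended ACL
# entries, i.e. grants beyond owner/group/other that ls -l shows only as "+".
# Runs on a constructed dump; assumes a POSIX shell and awk.
set -e

DUMP="${TMPDIR:-/tmp}/FACLs.sample"
# Constructed in the format getfacl emits (and setfacl --restore reads).
cat > "$DUMP" <<'EOF'
# file: hello.txt
# owner: root
# group: root
user::rw-
user:oracle:rw-
group::rw-
mask::rw-
other::---

# file: plain.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--

# file: shared
# owner: root
# group: root
user::rwx
group::r-x
group:dba:rwx
mask::rwx
other::---
default:user::rwx
default:group:dba:rwx
default:other::---
EOF

# Files with at least one named-user, named-group or default entry, one per
# line in dump order. "# file: " is 8 characters, hence substr from 9.
files_with_extended_acl() {
    awk '/^# file: / { f = substr($0, 9) }
         /^(default:)?(user|group):[^:]+:/ || /^default:/ { if (!seen[f]++) print f }' "$1"
}

# The named-user/named-group entries (kind:name:perms) for one file.
extended_entries() {
    awk -v want="$2" '/^# file: / { f = substr($0, 9) }
         f == want && /^(default:)?(user|group):[^:]+:/ { print }' "$1"
}

echo "files granting access beyond owner/group/other:"
files_with_extended_acl "$DUMP"
```

Entries with an empty name (user::, group::, mask::, other::) are the classic mode bits and are not reported; default: entries are reported because they propagate to every file later created in that directory.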
Logical Volume Management
LVM
Linux has support for logical volume management (LVM). LVM introduces an abstraction layer between the physical disk and the file system. In the 2.6 kernel, LVM2 was introduced; it operates on top of a low-level volume manager called device mapper.
Redundant Array of Independent Disk
RAID
mdadm --monitor and mdmonitor
Task automation and process accounting
Automatic Job Execution
Cron
at
batch
Memory status
Examining the memory usage on running systems:
free
cat /proc/meminfo
swap usage can be summarized by either of the following:
swapon -s
cat /proc/swaps
vmstat : to examine memory usage.
IO status
Basic I/O information is provided by vmstat. In addition, iostat can be run with a few different options.
iostat -d: device summary
iostat -c: provides a summary of CPU utilization
mpstat: provides detailed CPU utilization
mpstat -P ALL: displays information about all processors on the system
TCP/IP fundamentals
The Linux OS handles networking through virtual devices called interfaces. For most practical purposes, an interface is a network connection, such as a connection to an ethernet network, or a modem connection, such as one negotiated using PPP or SLIP. Several interfaces can be bound to any single physical networking device. This is done through a method known as 'IP aliasing'.
Local loopback interface
The loopback interface (lo) is a special network interface that points back to the machine itself.
ethtool
Display and configure ethernet interface settings.
runtime configuration change
ifconfig
ifconfig lets multiple parameters of the various network interfaces be controlled, including whether the interface is active (up) or not (down).
With ifconfig, the configuration is defined at the command prompt and is not persistent across reboots. It does not consult the persistent configuration files in the /etc/sysconfig directory tree.
The modern replacement for ifconfig is ip.
ifconfig eth0 up or ifconfig eth0 down
route:
tool for runtime management of network routing tables
ARP
DNS Resolver
cat /etc/hosts
Network configuration
The system-config-network tool.
ping is useful for sending ICMP echo request packets to hosts. Any host which receives an ICMP echo request will reply with an ICMP echo response. Ping tests connectivity between sites, and the time elapsed between echo request and echo reply can be used to gauge the speed of the connection between the two hosts.
Probing for free addresses:
The X window System
The graphical environment for Linux is not a core part of the operating system. It is a service provided by a running process, much like a web server. The name X refers to both a network protocol and a software implementation of that protocol. An X server is responsible for controlling the video card on a system. An X client, for example a graphical text editor, communicates with the X server in order to display graphical content. One of the greatest advantages of X is the fact that X clients only communicate with the X server via the X protocol. This means that X clients and X servers can natively and transparently communicate over a network. In fact, they can even run on entirely different operating systems.
Configure X Manually
The main X configuration file -- /etc/X11/xorg.conf
The X font server, xfs, was created to move font rendering out of the X server into a separate application.
All X clients use the value of the $DISPLAY environmental variable to determine which X server to use. Because multiple X servers can be run on the same host, each X server has a unique number, starting with 0 for the first server. $DISPLAY=hostname:0.
Remote X servers:
Remote X connections use TCP. The first X server on a host listens on port 6000, the second X server listens on 6001, and so on. So a $DISPLAY of theta.cn.oracle.com:0 means a graphical application should make a network connection to TCP port 6000 on theta.cn.oracle.com to reach the user's X server.
When using PuTTY to access a remote Linux machine, at first I only knew the command line method.
When trying to use the GUI-type interface, for example when issuing xclock or Oracle's installation startup script in the PuTTY client, there was always an "X connection to localhost:* broken" or "cannot open display" error.
Every time, I used VNC Viewer instead.
In order to use the X server connection, I have to install an X Window server like the Xming X server on the PC.
After some cracking, PuTTY on my Windows XP can issue GUI commands to the remote Linux server.
The PuTTY settings are as below:
1. The keyboard’s back space key setting: Control- H
2. SSH’s Auth: Allow agent forwarding
3. SSH’s X11: enable X11 forwarding
X display location: localhost:0
xhost
The xhost command controls host-based access control. Using xhost is extremely simple. On the server, simply specify any hosts which are permitted to connect to the server:
xhost +foo.example.com
To revoke a specific host's permission to access the server, simply replace the plus sign with a minus sign:
xhost -foo.example.com
X11 forwarding considerations
Using SSH to securely run remote graphical applications is simple because SSH does all of the heavy lifting. The following is a basic description of how SSH establishes a secure X connection:
1. The SSH client connects and logs into the SSH Server
2. The SSH client requests X11 forwarding. The SSH server can deny this request
3. The SSH server creates a lightweight proxy X server and sets $DISPLAY to the appropriate value
4. The SSH server runs the xauth command to create an MIT magic cookie and sets $XAUTHORITY to the appropriate value
5. The proxy X server on the SSH server passes X traffic to the SSH client over the encrypted SSH connection
6. The SSH client filters out dangerous X requests limiting the capabilities of remote graphical applications
7. The SSH client forwards acceptable X traffic to the real X server.
Three points: A. The SSH server can refuse a client's request to enable X11 forwarding. This is controlled by the X11Forwarding directive in the sshd_config configuration file.
B. The SSH server actually starts a lightweight proxy to tunnel X traffic. Because of the proxy, a $DISPLAY value of localhost:10.0 is normal.
C. The xauth command must be available to use X11 forwarding.
XDMCP
X Display Manager Control Protocol
XDMCP can be used to run an entire desktop session on a remote system, and should only be used on a trusted network. XDMCP even supports remote graphical logins.
Alternative Remote Graphical Protocol
VNC
X allows individual applications to be run remotely and displayed locally, while VNC allows entire desktops to be displayed remotely.
Windows systems can be used remotely via the rdesktop command.
Security Concepts
Principle of Least Privilege
Multiple Layers of Defense & Diversity in Layers of defense
Only as secure as the weakest link
Simplicity is a Virtue
Security by Obscurity is not security
Tightening Default Security
Disable all unneeded services:
1. standalone daemons
using the commands ntsysv, system-config-services or chkconfig
2. xinetd
Many services are started by an internet super-daemon like xinetd.
Staying current:
Bugs will have security implications. An important task of all system administrators is ensuring that installed software is kept current and free of security holes.
SELinux Security Framework
SELinux allows administrators to specify a security policy. A policy details the interactions that are expected for correct operation of the system and its services.
The security policy determines the permissible interactions between objects on the system. To determine if a specific interaction is permitted, the system compares the security context of the interacting objects with the security policy.
system-config-securitylevel: graphical application to ease the administration of SELinux and policy creation.
TCP Wrappers provides another tool for limiting access to services by remote IP address.