Techlinks — April 30th, 2003

Securing Red Hat Linux for the non-Unix Computer Officer

Bob Dowling
University Computing Service


Overview of talk

- Start with a virgin system
  - I'll be using Red Hat Linux 9
  - More modern versions are more security-aware
- Turn off unwanted services
  - Once per system
- Updating packages
  - Regularly


Turning off unwanted services

- Every break-in needs an "in"
- Need to know what services are required
- Network services are especially important
- Need to know how to turn them off (or on)
  - GUI: redhat-config-services


What services are needed?

- Need to know what we need
- Need a tight specification of the system
  - From an academic?!?!
- The "Vaguely Defined Workstation":
  - X11: graphics
  - NTP: timekeeping
  - SSH: secure access (for you, at least!)
  - NFS: client-side remote file access


redhat-config-services


Network services to leave on

- Basic networking: network, portmap
- NFS client: netfs, nfslock
- Time-keeping: ntpd
- Windowing system: sgi_fam, xinetd
- Secure access: sshd


Network services to turn off

- Turn off every other network service
- You just need to recognise network services
- All network services depend on network
- Some depend on portmap and xinetd
- These three are already on


Networking summary

- Turn off unwanted services
- GUI: redhat-config-services
- Reboot after making the changes
  - But wait until the software is upgraded too
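The slides point at the redhat-config-services GUI. The same job can be done from a shell with chkconfig, which is easier to repeat across a room full of machines and to audit afterwards. The script below is an added example, not from the handout: it keeps exactly the eight services the handout leaves on, reads `chkconfig --list` output, and turns off every other service that is enabled in runlevel 3 or 5, including the xinetd-managed ones listed at the bottom of that output. The function and variable names are mine, and the chkconfig output used in the test is constructed. After the reboot, a second check worth running is `netstat -tlnup`, which shows what is actually listening regardless of what chkconfig believes.

```shell
#!/bin/sh
# Added example: disable every service except the handout's "leave on" list.
# Run as root on Red Hat Linux 9:
#   sh disable-services.sh --dry-run    (show what would change)
#   sh disable-services.sh --apply      (change it)

# The network services the "Vaguely Defined Workstation" keeps.
KEEP="network portmap netfs nfslock ntpd sgi_fam xinetd sshd"

# Read `chkconfig --list` output on stdin and print, one per line, every
# service that is enabled in runlevel 3 or 5 (or an enabled xinetd service)
# and is not in KEEP. Pure text processing, so it can be tested offline.
services_to_disable() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        # "xinetd based services:" introduces the "name:  on|off" section
        /^xinetd based services:/ { xinetd = 1; next }
        !xinetd && NF >= 7 {
            on = 0
            for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in allow)) print $1
            next
        }
        xinetd && NF == 2 {
            name = $1; sub(/:$/, "", name)
            if ($2 == "on" && !(name in allow)) print name
        }
    '
}

# Read service names on stdin; switch each off at boot and stop it now.
# chkconfig reloads xinetd itself when an xinetd service is changed, so
# "service ... stop" failing for those entries is harmless.
disable_services() {
    while IFS= read -r svc; do
        if [ -n "$DRY_RUN" ]; then
            echo "would run: chkconfig $svc off; service $svc stop"
        else
            chkconfig "$svc" off
            service "$svc" stop 2>/dev/null || true
        fi
    done
}

case "${1:-}" in
    --dry-run) DRY_RUN=1; chkconfig --list | services_to_disable | disable_services ;;
    --apply)   chkconfig --list | services_to_disable | disable_services ;;
esac
```

Run it with --dry-run first and read the list: anything you do not recognise as a network service is worth looking up before you turn it off, and anything you expected to see missing means the KEEP list needs adjusting for that machine.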
 
Software upgrades

- A break-in requires something to be broken
- Keep our network services up to date
- Keep all our software up to date!
- Want to recognise real Red Hat packages
- Need to be an NFS client


Recognising Red Hat packages

- Red Hat sign their packages
- We need a key to recognise the signature
  - /usr/share/doc/rpm-4.2/RPM-GPG-KEY
  - Only need do this once

    # rpm --import /usr/share/doc/rpm-4.2/RPM-GPG-KEY


Accessing the Unix Support NFS server

- Unix Support NFS server: nfs-uxsup.csx.cam.ac.uk
  - /linux/redhat
- Need to "mount" it locally

    mkdir /mnt/redhat

- Add a line to /etc/fstab:

    nfs-uxsup.csx.cam.ac.uk:/linux/redhat   /mnt/redhat   nfs   ro,noauto   0 0

    mount /mnt/redhat


NFS server contents

    # mount /mnt/redhat
    # cd /mnt/redhat
    # ls
    5.2  6.2  7.0  7.1  7.2  7.3  8.0  9  beta  code  contrib  current  enterprise  local_extras  rawhide  updates
    # ls 9/en/os/i386
    autorun  dosutils  EULA  GPL  images  isolinux  README  RedHat  RELEASE-NOTES  RPM-GPG-KEY  SRPMS
    # ls updates/9/en/os
    athlon  i386  i586  i686  noarch  SRPMS
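Importing the key lets rpm recognise Red Hat's signature, but nothing on the slides checks that a package on the mount actually carries a valid one before it is installed, and `rpm --freshen` only warns about unsigned or unverifiable packages rather than refusing them. The functions below are an added example, not the handout's code. sig_ok classifies one line of `rpm --checksig` output as rpm 4.x prints it: each check that passed appears as a lowercase token (sha1, md5, gpg) followed by a final OK; a failed or unverifiable signature gives "NOT OK" with a reason such as MISSING KEYS; and an unsigned package has no gpg token at all, even though its digests can still read OK. checksig_all runs that over a set of files and exits non-zero if any is rejected, so it can gate a freshen. The checksig lines in the test are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example: refuse to install packages whose Red Hat GPG signature does
# not verify. Assumes the key has been imported as the handout shows:
#   rpm --import /usr/share/doc/rpm-4.2/RPM-GPG-KEY
# Imported keys show up as packages, so "rpm -q gpg-pubkey" confirms it.

# Classify one line of `rpm --checksig` output. Accept only when the line
# ends in "OK", does not contain "NOT OK", and carries a lowercase "gpg"
# token (rpm prints a lowercase token for each check that passed). A line
# with digests but no gpg token is an unsigned package and is rejected.
sig_ok() {
    case "$1" in
        *"NOT OK"*) return 1 ;;      # signature present but failed, or key unknown
    esac
    case "$1" in
        *" OK") ;;                   # digests and signatures all verified
        *) return 1 ;;
    esac
    case "$1" in
        *" gpg "*) return 0 ;;       # a GPG signature was among the checks
        *) return 1 ;;               # unsigned: md5/sha1 only
    esac
}

# Run rpm --checksig over every file given and report. Non-zero exit if any
# package is rejected, so "checksig_all ... && rpm --freshen ..." is safe.
checksig_all() {
    bad=0
    for f in "$@"; do
        if sig_ok "$(rpm --checksig "$f")"; then
            echo "accept: $f"
        else
            echo "REJECT: $f" >&2
            bad=1
        fi
    done
    return $bad
}

# Usage on the NFS mount from the handout:
#   cd /mnt/redhat/updates/9/en/os
#   checksig_all i686/*.rpm && rpm --freshen i686/*.rpm
```

The reason for the third test is the one that matters on a shared mount: a package somebody dropped into local_extras without signing it will still pass `rpm --checksig` with an "md5 OK", and rpm will happily install it.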
 
Updates

- Red Hat updates software after release
  - Newer versions of entire packages
  - Not just ad hoc patches
- There are automated procedures
  - Red Hat Network, rpm-apt
  - Cost, loss of control
- Manual upgrading is still the best


An assisting package

- Want to avoid "dependency hell"
- Want assistance resolving dependencies
- Packaged dependency database

    # cd /mnt/redhat/9/en/os/i386/RedHat/RPMS
    # ls rpmdb-*
    rpmdb-redhat-9-0.20030313.i386.rpm
    # rpm --install rpmdb-*


Configuring rpmdb-redhat

- Need to configure it for our systems
  - /etc/rpm/macros.solve
- Need to tell it where the main packages are
  - /mnt/redhat/9/en/os/i386/RedHat/RPMS

    # The path to the dependency universe packages.
    # This should be a path to the packages contained
    # in the solve database.
    %_solve_pkgsdir /mnt/redhat/9/en/os/i386/RedHat/RPMS/


Updates directory

- Directory of upgrades: /mnt/redhat/updates/9/en/os/
- Three possible subdirectories:
  - i686: kernel, C library
  - i386: almost everything
  - noarch: architecture-independent packages


Updates procedure

- rpm --freshen
  - Only updates packages already installed
- Need to cover three subdirectories
- Must update kernel and C library first
  - Reboot before proceeding
- Update everything else second
  - Reboot


Kernel and C library updates

- Do we need to update at all?
- Update with the i686 versions
- Often dependencies in i386 and noarch
- Occasional dependencies in the main release
  - The dependency database will help you here
- Reboot afterwards
Kernel & C library update needed?

    # cd /mnt/redhat/updates/9/en/os
    # ls i686
    glibc-2.3.2-27.9.i686.rpm      nptl-devel-2.3.2-27.9.i686.rpm
    kernel-2.4.20-9.i686.rpm       openssl-0.9.7a-5.i686.rpm
    kernel-smp-2.4.20-9.i686.rpm
    # rpm --query kernel glibc
    kernel-2.4.20-8
    glibc-2.3.2-11.9


Kernel & C library update example

    # rpm --freshen i686/{glibc,kernel}-*.i686.rpm
    error: Failed dependencies:
            glibc-common = 2.3.2-27.9 is needed by glibc-2.3.2-27.9
    # rpm --freshen i686/{glibc,kernel}-*.i686.rpm i386/glibc-common-2.3.2-27.9.i386.rpm
    # cd
    # reboot


Applications update example

    # mount /mnt/redhat
    # cd /mnt/redhat/updates/9/en/os
    # rpm --freshen {noarch,i386,i686}/*.rpm
    warning: package openssl = 0.9.7a-5 was already added, replacing with openssl <= 0.9.7a-5
    # reboot

- Order of architectures matters
  - Later listed packages "win"
Updating summary: Once

- Load GPG key
- Create /mnt/redhat directory
- Update /etc/fstab file
- Load & configure rpmdb-redhat package


Updating summary: Routine

- Mount /mnt/redhat
- Kernel and glibc updates available?
- Update kernel and glibc packages
- Reboot
- Update everything
- Reboot
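The routine summary above is a procedure, so here it is as a script: an added example, not from the handout. It keeps the handout's order (mount, ask whether kernel and glibc need updating, update them together with the i386 glibc-common companion the dependency example needed, reboot, then everything else, reboot) and adds two things a practitioner wants. pending_updates answers the "update needed?" question mechanically by comparing installed name-version-release strings with the filenames in the updates directory, instead of reading two listings by eye; verified refuses to freshen if any package's `rpm --checksig` line does not end in "gpg OK", since rpm only warns about unsigned packages. Two caveats. pending_updates assumes the updates tree only holds packages newer than the release it updates, which is true of Red Hat's tree but not if you have installed something from rawhide or beta; rpm --freshen still does the real version comparison when it runs. And the kernel is installed with rpm --install rather than the slide's --freshen: an upgrade removes the previous kernel package, an install keeps it as a fallback boot entry. All function names are mine; the rpm -q output in the test is taken from the handout's own example and is constructed, not captured.

```shell
#!/bin/sh
# Added example: the handout's routine update procedure as a script.
# Usage (as root):
#   sh routine-update.sh check     is a kernel/glibc update pending?
#   sh routine-update.sh stage1    kernel + glibc, then reboot
#   sh routine-update.sh stage2    everything else, then reboot
UPDATES=/mnt/redhat/updates/9/en/os

# Compare installed name-version-release strings (stdin, one per line, as
# printed by rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n') with the update
# package filenames given as arguments. Print "name: old -> new" for each
# installed package whose NVR differs from the update's. Assumes the updates
# tree only holds packages newer than the release it updates.
pending_updates() {
    while IFS= read -r inst; do
        iname=${inst%-*-*}                  # strip "-version-release"
        for f in "$@"; do
            base=${f##*/}
            unvr=${base%.*.rpm}             # strip ".i686.rpm"
            uname=${unvr%-*-*}
            if [ "$uname" = "$iname" ] && [ "$unvr" != "$inst" ]; then
                echo "$iname: $inst -> $unvr"
            fi
        done
    done
}

# Every package must verify. rpm only warns about unsigned packages when
# installing, so check explicitly: any checksig line not ending in "gpg OK"
# (unsigned, or "NOT OK") fails the whole set, as does a checksig error.
verified() {
    out=$(rpm --checksig "$@") || return 1
    ! printf '%s\n' "$out" | grep -v 'gpg OK$' | grep -q .
}

# NVRs of the named packages that are actually installed.
installed_nvr() {
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$@" 2>/dev/null | grep -v 'not installed'
}

check() {
    mount /mnt/redhat 2>/dev/null || true   # noauto in fstab; harmless if already mounted
    cd "$UPDATES" || return 1
    installed_nvr kernel kernel-smp glibc | pending_updates i686/*.rpm
}

stage1() {
    cd "$UPDATES" || return 1
    verified i686/glibc-*.i686.rpm i386/glibc-common-*.i386.rpm i686/kernel*.i686.rpm || return 1
    # glibc: freshen the i686 build together with its i386 glibc-common
    # companion (the dependency the handout's example ran into).
    rpm --freshen i686/glibc-*.i686.rpm i386/glibc-common-*.i386.rpm
    # kernel: install (not freshen) each variant that is already installed,
    # so the old kernel stays as a fallback boot entry.
    for variant in $(installed_nvr kernel kernel-smp | sed 's/-[^-]*-[^-]*$//'); do
        rpm --install i686/"$variant"-[0-9]*.i686.rpm
    done
    cd /        # leave the NFS mount before rebooting, as the handout does
    echo "kernel and glibc updated; reboot, then run stage2"
}

stage2() {
    cd "$UPDATES" || return 1
    verified noarch/*.rpm i386/*.rpm i686/*.rpm || return 1
    # Order matters: later packages win, so i686 builds override i386 ones.
    rpm --freshen noarch/*.rpm i386/*.rpm i686/*.rpm
    cd /
    echo "applications updated; reboot"
}

case "${1:-}" in
    check)  check ;;
    stage1) stage1 ;;
    stage2) stage2 ;;
esac
```

"check" printing nothing means kernel and glibc are already at the versions in the updates tree and you can go straight to stage2; if it prints something, run stage1, reboot, and only then stage2.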
                                                           
Conclusion

- Security is not so hard
- Decide what the system is for (hard)
- Turn off unnecessary services (easy)
  - redhat-config-services
- Keep packages up to date (boring)
  - Set up once
  - Update routinely (weekly?)
  - rpm --freshen