Techlinks — April 30th, 2003

Securing Red Hat Linux for the non-Unix Computer Officer

Bob Dowling
University Computing Service


Overview of talk

    Start with a virgin system
    I'll be using Red Hat Linux 9
        More modern versions more security-aware
    Turn off unwanted services
        Once per system
    Updating packages

Turning off unwanted services

    Every break-in needs an “in”
    Need to know what services are required
        Network services especially important
    Need to know how to turn them off (or on)
        GUI: redhat-config-services


What services are needed?

    Need to know what we need
        Need a tight specification of the system
        From an academic?!?!
    The “Vaguely Defined Workstation”:
        X11 — Graphics
        NTP — Timekeeping
        SSH — Secure access (for you, at least!)
        NFS — Client-side remote file access
redhat-config-services


Network services to leave on

    Basic networking
        network
        portmap
    Time-keeping
        ntpd
    Windowing system
        sgi_fam
        xinetd
    NFS client
        netfs
        nfslock
    Secure access
Network services to turn off

    Turn off every other network service
        You just need to recognise network services
    All network services depend on network
    Some depend on portmap and xinetd
    These three are already on


Networking summary

    Turn off unwanted services
    GUI: redhat-config-services
    Reboot after making the changes
    But wait until software upgraded too
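A dry-run audit of the rule above, added here as an example and not part of the handout: it reads `chkconfig --list` output and lists every service that is on at runlevel 3 or 5, or enabled under xinetd, but is not in the keep list. The keep list is the handout's "leave on" set plus sshd, which is assumed here for secure access; the chkconfig output is a constructed sample.

```shell
#!/bin/sh
# Added example (not the handout's code): a dry-run audit that lists every
# service still switched on that is not in the keep list.

# The handout's "leave on" set.  sshd is an assumption here for "Secure access".
KEEP="network portmap ntpd sgi_fam xinetd netfs nfslock sshd"

# Constructed sample of `chkconfig --list` output on a Red Hat 9 box; the
# real command prints the SysV services first, then the xinetd-managed ones.
SAMPLE='network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        sgi_fam:        on
        telnet:         on
        finger:         off'

# Print, one per line, each service that is on at runlevel 3 or 5 (or an
# enabled xinetd service) and is not in $KEEP.  $1 is chkconfig --list output.
services_to_disable() {
    printf '%s\n' "$1" | awk -v keep=" $KEEP " '
        /^xinetd based services:/ { xinetd = 1; next }
        xinetd  { name = $1; sub(/:$/, "", name); state = $2 }
        !xinetd { name = $1; state = ($0 ~ /[35]:on/) ? "on" : "off" }
        state == "on" && index(keep, " " name " ") == 0 { print name }'
}

# Emit the chkconfig commands for review rather than running them blind;
# on the real machine: services_to_disable "$(chkconfig --list)".
for svc in $(services_to_disable "$SAMPLE"); do
    echo "chkconfig $svc off"
done
```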
Software upgrades

    A break-in requires something to be broken
    Keep our network services up-to-date
    Keep all our software up-to-date!
    Want to recognise real Red Hat packages
    Need to be an NFS client


Recognising Red Hat packages

    Red Hat sign their packages
    We need a key to recognise the signature
        /usr/share/doc/rpm-4.2/RPM-GPG-KEY
    Only need do this once

    # rpm --import /usr/share/doc/rpm-4.2/RPM-GPG-KEY


Accessing the Unix Support NFS server

    Unix Support NFS Server
        nfs-uxsup.csx.cam.ac.uk
    Need to “mount” it locally

    mkdir /mnt/redhat

    Add a line to /etc/fstab:

    nfs-uxsup.csx.cam.ac.uk:/linux/redhat   /mnt/redhat   nfs   ro,noauto   0 0

    mount /mnt/redhat


NFS Server Contents

    # mount /mnt/redhat
    # cd /mnt/redhat
    # ls
    5.2 7.0   7.2   8.0   beta   contrib    enterprise     rawhide
    6.2 7.1   7.3   9     code   current    local_extras   updates
    # ls 9/en/os/i386
    autorun   EULA   images     README   RELEASE-NOTES   SRPMS
    dosutils  GPL    isolinux   RedHat   RPM-GPG-KEY
    # ls updates/9/en/os
    athlon   i386   i586   i686   noarch   SRPMS
Updates

    Red Hat updates software after release
        Newer versions of entire packages
        Not just ad hoc patches
    There are automated procedures
        Red Hat Network, rpm-apt
        cost, loss of control
    Manual upgrading is still the best


An assisting package

    Want to avoid “dependency hell”
    Want assistance resolving dependencies
    Packaged dependency database

    # cd /mnt/redhat/9/en/os/i386/RedHat/RPMS
    # ls rpmdb-*
    rpmdb-redhat-9-0.20030313.i386.rpm
    # rpm --install rpmdb-*
Configuring rpmdb-redhat

    Need to configure it for our systems
        /etc/rpm/macros.solve
    Need to tell it where the main packages are
        /mnt/redhat/9/en/os/i386/RedHat/RPMS

    # The path to the dependency universe packages.
    # This should be a path to the packages contained
    # in the solve database.
    %_solve_pkgsdir /mnt/redhat/9/en/os/i386/RedHat/RPMS/


Updates directory

    Directory of upgrades
        /mnt/redhat/updates/9/en/os/
    Three possible subdirectories:
        i686 — kernel, C library
        i386 — almost everything
        noarch — architecture-independent packages
Updates procedure

    rpm --freshen
        Only updates packages already installed
    Need to cover three subdirectories
    Must update kernel and C library first
        Reboot before proceeding
    Update everything else second


Kernel and C library updates

    Do we need to update at all?
    Update with the i686 versions
    Often dependencies in i386 and noarch
    Occasional dependencies in main release
        Dependency database will help you here
    Reboot afterwards
Kernel & C library update needed?

    # cd /mnt/redhat/updates/9/en/os
    # ls i686
    glibc-2.3.2-27.9.i686.rpm      nptl-devel-2.3.2-27.9.i686.rpm
    kernel-2.4.20-9.i686.rpm       openssl-0.9.7a-5.i686.rpm
    kernel-smp-2.4.20-9.i686.rpm
    # rpm --query kernel glibc
    glibc-2.3.2-11.9


Kernel & C library update example

    # rpm --freshen i686/{glibc,kernel}-*.i686.rpm
    error: Failed dependencies:
        glibc-common = 2.3.2-27.9 is needed by glibc-2.3.2-27.9
    # rpm --freshen i686/{glibc,kernel}-*.i686.rpm i386/glibc-common-2.3.2-27.9.i386.rpm
    # cd
    # reboot
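The "do we need to update at all?" check, added here as an example that is not from the handout: it compares the version-release in each i686 file name with what `rpm --query` reports, using a cut-down rpmvercmp written in awk. The listing and the installed glibc version are the handout's; the installed kernel version is a constructed value.

```shell
#!/bin/sh
# Added example (not the handout's code): is the i686 update newer than what
# is installed?  vercmp is a cut-down rpmvercmp: segments are runs of letters
# or digits between punctuation, numeric segments compare as numbers and beat
# alphabetic ones; epochs, tildes and mixed segments like "7a" are not handled
# as rpm would, which is enough for the strings in this listing.

# Print -1, 0 or 1 for version-release $1 older than, equal to, or newer than $2.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9A-Za-z]+/); nb = split(b, y, /[^0-9A-Za-z]+/)
        n = (na < nb) ? na : nb; r = 0
        for (i = 1; i <= n && r == 0; i++) {
            xn = (x[i] ~ /^[0-9]+$/); yn = (y[i] ~ /^[0-9]+$/)
            if (xn && yn) {
                if (x[i] + 0 < y[i] + 0) r = -1; else if (x[i] + 0 > y[i] + 0) r = 1
            } else if (xn != yn) r = (xn ? 1 : -1)
            else if (x[i] != y[i]) r = (x[i] < y[i]) ? -1 : 1
        }
        if (r == 0) r = (na < nb) ? -1 : (na > nb) ? 1 : 0
        print r
    }'
}

# Version-release part of a package file name: glibc-2.3.2-27.9.i686.rpm with
# name glibc gives 2.3.2-27.9.  $1 = package name, $2 = file name.
file_version() {
    printf '%s\n' "$2" | sed -e "s/^$1-//" -e 's/\.[^.]*\.rpm$//'
}

# $1 = package name, $2 = installed version-release (what `rpm --query` prints
# after the name), remaining args = file names from the updates i686 directory.
# Prints the newest file that is newer than the installed package, else nothing.
update_needed() {
    name=$1; best_ver=$2; shift 2; best=
    for f in "$@"; do
        case $f in "$name"-[0-9]*) ;; *) continue ;; esac   # skips kernel-smp, nptl-devel
        v=$(file_version "$name" "$f")
        if [ "$(vercmp "$v" "$best_ver")" -gt 0 ]; then best_ver=$v; best=$f; fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; fi
}

# The handout's `ls i686` listing, re-typed here as constructed input.
I686="glibc-2.3.2-27.9.i686.rpm nptl-devel-2.3.2-27.9.i686.rpm kernel-2.4.20-9.i686.rpm
openssl-0.9.7a-5.i686.rpm kernel-smp-2.4.20-9.i686.rpm"

update_needed glibc 2.3.2-11.9 $I686    # installed glibc version from the handout
update_needed kernel 2.4.20-9 $I686     # constructed: kernel already current, prints nothing
```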
Applications update example

    # mount /mnt/redhat
    # cd /mnt/redhat/updates/9/en/os
    # rpm --freshen {noarch,i386,i686}/*.rpm
    warning: package openssl = 0.9.7a-5 was already added,
    replacing with openssl <= 0.9.7a-5
    # reboot

    Order of architectures matters
        Later listed packages “win”
Updating summary: Once

    Load GPG key
    Create /mnt/redhat directory
    Update /etc/fstab file
    Load & configure rpmdb-redhat package


Updating summary: Routine

    Mount /mnt/redhat
    Kernel and glibc updates available?
    Update kernel and glibc packages
    Reboot
    Update everything
Security is not so hard

    Decide what the system is for (hard)
    Turn off unnecessary services (easy)
    Keep packages up to date (boring)
        Set up once
        Update routinely (weekly?)
        rpm --freshen