SELinux

Access control mechanisms:

DAC (Discretionary Access Control): an access control mechanism implemented by the file system on the basis of the access rights (r, w, x) assigned to a file or piece of data.

MAC (Mandatory Access Control): access to a file or piece of data is not decided by user identity. When a user starts a process, whether that process may operate on or process the file depends on whether the process's domain and the file's type match. SELinux is the implementation of the MAC mechanism in Linux and works inside the Linux kernel.

SELinux in RHEL:
    RHEL 4.0: the SELinux security component was added as a beta feature.
    RHEL 5.0: the component is installed when the operating system is installed, but the feature can be turned off at installation time.
    RHEL 6.0+: the component is installed when the operating system is installed and its function is started automatically after the system boots.

SELinux relies on a policy result set (policy type) for its access control decisions. Three are known:
    strict: every file has strict rules for its type and every process is assigned a specific domain; the process's domain and the file's type must match strictly before the process may access the file.
    mls: multi-level security, a multi-level security policy result set.
    targeted: only a limited set of processes is placed under SELinux mandatory access control, namely those that are likely to be attacked and would pose a security risk to the system. As long as the domain of the process and the type of the file belong to the same broad class they match and the process may access the file. This is the policy result set used by RHEL.

Sandbox: in a Linux system the entity that actually does work is the process. Access control is described in terms of subject, action (operation) and object:
    subject: a process
    action (operation): open, close, read, write, modify, delete, chmod, chown, ...
    object: a file, process, socket, link, ...
Security context: SELinux attaches a security label to every file and to every process; this label is called the SELinux security context. Its format is
    user:role:domain|type:sensitivity
    user: the SELinux user identity, usually the kind of user;
    role: the role;
    domain|type: the domain of a process or the type of a file;
    sensitivity: the sensitivity level.
Note: under the targeted policy result set only the domain of the process and the type of the file need to match; the other fields of the security context play no part in the decision.

SELinux policy library (rule library): stores the rules that say which process domains may access or operate on which file types; kept under the /etc/selinux/targeted/policy directory.

The file /etc/sysconfig/selinux defines the SELinux working mode and the policy result set in use:
    SELINUX=enforcing
    SELINUXTYPE=targeted

SELinux working modes:
    enforcing:  the SELinux security policy is enforced.
    permissive: SELinux prints warnings instead of enforcing.
    disabled:   no SELinux policy is loaded.
Note:
    1. Any switch from enforcing or permissive to disabled, or from disabled to enforcing or permissive, takes effect only after the operating system is rebooted;
    2. Switching between enforcing and permissive can be done directly with a command-line tool and takes effect immediately.
setenforce command: setenforce - modify the mode SELinux is running in.
    setenforce [ Enforcing | Permissive | 1 | 0 ]
    1: enforcing; 0: permissive
getenforce command: getenforce - get the current mode of SELinux.
Note: a working mode set with setenforce takes effect immediately but is not permanent. To make it permanent, change the value of the SELINUX parameter in /etc/sysconfig/selinux and reboot the operating system.

Viewing the SELinux security context of a process or file:
    file security context:    ls -Z [FILE]  (or ls --context [FILE])
    process security context: ps auxZ, ps -efZ

Modifying the security context of a file:
chcon command: chcon - change file SELinux security context
    -t, --type=TYPE: set the type of the target file directly;
    -R, --recursive: recursively modify all files in the directory, including files in subdirectories;
    --reference=RFILE: set the security context of the target file to exactly that of RFILE.
    Usage scenario: typically when the security context of a process does not match the security context type of a file, for example setting the security context of the document root of an httpd virtual host.
restorecon command: restorecon - restore file(s) default SELinux security contexts.
    -R, -r: recursively reset the security context of the specified directory and its subdirectories to the default.

Viewing or modifying policy booleans:
getsebool command: getsebool - get SELinux boolean value(s)
    -a: show all SELinux booleans.
setsebool command: setsebool - set SELinux boolean value
    -P: if the -P option is given, all pending values are written to the policy file on disk, so they will be persistent across reboots.
Usage scenario: system services whose behaviour can be changed through policy booleans.
    vsftpd's upload function for anonymous users is limited by SELinux:
        ~]# setsebool -P ftpd_anon_write on
        ~]# setsebool -P ftpd_full_access=1
    Samba users' access to their shared home directories is limited by SELinux:
        ~]# setsebool -P samba_enable_home_dirs on
    A shared directory on the Samba service created and specified by the administrator:
        ~]# chcon -t samba_share_t /path/to/directory

semanage command: semanage - SELinux Policy Management tool
Note: if this command is not available, install the policycoreutils-python package.
semanage port command:
    -a, --add:    add a record of the specified object type
    -d, --delete: delete a record of the specified object type
    -m, --modify: modify a record of the specified object type
    -l, --list:   list records of the specified object type
    Example: ~]# semanage port -a -t http_port_t -p tcp 8088
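The chcon / restorecon scenario above (a document root whose files carry the wrong type) is easiest to understand on a concrete listing. The script below is an added example, not part of the original notes: it audits constructed `ls -Z` output and a constructed /etc/sysconfig/selinux against the type httpd expects for web content (httpd_sys_content_t, a real targeted-policy type), and prints the chcon and restorecon commands that would fix the labels. The paths under /srv/www/vhost1 are made up, so it runs on a machine without SELinux.

```shell
#!/bin/bash
# Added example (not from the original notes): audit the SELinux labels of a
# web document root against the type httpd expects, working from constructed
# `ls -Z` output and a constructed /etc/sysconfig/selinux so it runs without
# SELinux present. Paths under /srv/www/vhost1 are made up.

# Constructed /etc/sysconfig/selinux contents.
SAMPLE_SELINUX_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

# Constructed `ls -Z` output, "context path" per line. Two files were copied
# out of a home directory and kept their home-directory types.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /srv/www/vhost1/index.html
unconfined_u:object_r:user_home_t:s0 /srv/www/vhost1/upload.php
system_u:object_r:httpd_sys_content_t:s0 /srv/www/vhost1/css/site.css
unconfined_u:object_r:admin_home_t:s0 /srv/www/vhost1/admin.html'

# Value of "KEY=" in the config text ($1 = key).
selinux_config_value() {
    printf '%s\n' "$SAMPLE_SELINUX_CONFIG" | grep "^$1=" | cut -d= -f2
}

# Type field of a user:role:type:level context string.
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# Read "context path" lines on stdin; print the paths whose type is not $1.
find_mislabeled() {
    local expected="$1" ctx path
    while read -r ctx path; do
        if [ -n "$ctx" ] && [ "$(context_type "$ctx")" != "$expected" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of mislabeled entries in the sample for expected type $1.
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled "$1" | wc -l | tr -d ' '
}

# Print (do not run) the remediation from the notes: chcon -t to set the type
# explicitly on each file, or restorecon -R to reset the tree to the policy default.
suggest_fix() {
    local expected="$1" docroot="$2" path
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled "$expected" | while read -r path; do
        printf 'chcon -t %s %s\n' "$expected" "$path"
    done
    printf '# or reset the whole tree to its default context:\nrestorecon -R %s\n' "$docroot"
}

# In enforcing mode a mislabeled file is denied to httpd; in permissive mode the
# denial is only logged, so the audit shows what would break after switching.
echo "SELinux mode in config: $(selinux_config_value SELINUX) ($(selinux_config_value SELINUXTYPE) policy)"
echo "Files not labelled httpd_sys_content_t: $(count_mislabeled httpd_sys_content_t)"
suggest_fix httpd_sys_content_t /srv/www/vhost1
```

On a live system the sample text would be replaced by `ls -RZ` output of the real document root; the audit is worth running before moving a host from permissive to enforcing, since that is when the mislabeled files stop being served.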
tcp_wrappers: TCP wrapper
tcp_wrappers is just a library: libwrap.so
Function: IP-address-based access control for client hosts that access application services which call the libwrap.so library.

Ways an application invokes the library: static compilation, or dynamic linking.
Determining whether an application service is subject to tcp_wrappers access control:
    1. Application dynamically linked to libwrap.so:
        ldd /path/to/app_binary_file | grep libwrap.so
    2. Application with the libwrap library compiled in statically:
        strings /path/to/app_binary_file
       Use the strings command to check whether the application's binary contains the strings /etc/hosts.allow and /etc/hosts.deny; if it does, libwrap was compiled into the application statically and its access can be controlled by tcp_wrappers.
Services commonly access-controlled with tcp_wrappers: sshd, vsftpd.

tcp_wrappers configuration files: /etc/hosts.allow, /etc/hosts.deny
Matching order of the configuration files: /etc/hosts.allow first, then /etc/hosts.deny.
Default rule: allow; a connection matched by neither file is let through.
Getting help on the configuration files:
    ~]# man hosts.allow
    ~]# man hosts.deny
    ~]# man hosts_access (recommended)
    ~]# man hosts_options

Configuration file format:
    daemon_list : client_list [ : shell_command ]
    daemon_list : client_list : option : option ...

daemon_list:
    1. The file name of a single application service, e.g. vsftpd;
    2. A list of the file names of several application services separated by ",", e.g. vsftpd, sshd;
    3. The wildcard ALL: every application service controlled by tcp_wrappers, without distinction.

client_list:
    1. The IP address or host name of a single host; if a host name is used, the machine must be able to resolve it;
    2. A network address:
        1) If a mask is written, it must be a full subnet mask; the prefix-length form is invalid. For example: 172.16.0.0/255.255.0.0 is valid; 172.16.0.0/16 is invalid;
        2) If no mask is written, the short form ending in a dot may be used, e.g. 172.16.3.
    Wildcards:
        ALL: all client hosts;
        LOCAL: all hosts whose names do not contain a ".";
        KNOWN: all client hosts whose names the current host can resolve correctly;
        UNKNOWN: all client hosts whose names the current host cannot resolve correctly;
        PARANOID: all client hosts whose forward resolution result does not agree with the reverse resolution result, e.g. www.qhdlink.com -> 192.168.100.1 but 192.168.100.1 -> www.qhdink.org.

option:
    allow: allow; used mainly in the hosts.deny file to define rules that let a host through;
    deny: block, reject; used mainly in the hosts.allow file to define rules that block access;
    spawn shell_command: run the given shell command when the rule matches the host.

Example 1: deny the host 172.16.72.1 access to the host 172.16.69.2 over the SSH protocol.
    It can be rejected in /etc/hosts.allow:
        sshd: 172.16.72.1 : deny
    or in /etc/hosts.deny:
        sshd: 172.16.72.1
Example 2: deny all hosts in 172.16.0.0/16 except the host 172.16.0.1 access to the host 172.16.69.2 over the SSH protocol.
    /etc/hosts.deny:
        sshd: 172.16.0.0/255.255.0.0 EXCEPT 172.16.0.1
Example 3: allow only the hosts in 172.16.0.0/16, but deny the host 172.16.72.1, access to the host 172.16.69.2 over the SSH protocol.
    Scheme 1: /etc/hosts.deny
        sshd: ALL EXCEPT 172.16. EXCEPT 172.16.72.1
    Scheme 2: /etc/hosts.deny
        sshd: ALL
    together with /etc/hosts.allow
        sshd: 172.16. EXCEPT 172.16.72.1
spawn usage example: /etc/hosts.deny
    sshd: ALL EXCEPT 172.16.0.0/255.255.0.0 EXCEPT 172.16.72.1 : spawn /bin/echo $(date) %c attempt to login %s >> /var/log/tcp_wrap_sshd.log
Common expansions:
    %c: client information: user@host, user@address, a host name, or just an address, depending on how much information is available.
    %s: server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available.
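The three examples above depend on the evaluation order (hosts.allow, then hosts.deny, then the default allow) and on how EXCEPT nests, which is easy to get wrong when editing the files by hand. The script below is an added example, not part of the original notes: a small evaluator that applies those rules to constructed hosts.allow and hosts.deny text so a rule set can be checked offline before it is deployed. It handles ALL, single addresses, the "172.16." short form, net/mask with a full mask, the right-associative EXCEPT and the allow/deny options; host names and the spawn option are not modelled, and the rule text and client addresses are made up.

```shell
#!/bin/bash
# Added example (not from the original notes): evaluate the hosts.allow /
# hosts.deny decision for a daemon and a client address, using constructed
# rule text. Handles ALL, single addresses, "172.16." short form, net/mask,
# right-associative EXCEPT and the allow/deny options.
set -f   # no pathname expansion while splitting rule text into words

# Constructed /etc/hosts.allow (Scheme 2 of Example 3, plus a rule with a deny option).
HOSTS_ALLOW='sshd: 172.16. EXCEPT 172.16.72.1
vsftpd, sshd: 10.0.0.5 : deny'
# Constructed /etc/hosts.deny.
HOSTS_DENY='sshd: ALL'

trim() {  # strip leading and trailing whitespace from $1
    local s="$1"
    s="${s#"${s%%[![:space:]]*}"}"; s="${s%"${s##*[![:space:]]}"}"
    printf '%s' "$s"
}

ip2int() {  # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

pattern_matches() {  # one client pattern $1 against address $2
    local pat="$1" ip="$2" net mask
    case "$pat" in
        ALL) return 0 ;;
        */*) net="${pat%/*}"; mask="${pat#*/}"   # full subnet mask only, as the notes require
             [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

list_matches() {  # client list $1 against address $2; "a EXCEPT b EXCEPT c" means a EXCEPT (b EXCEPT c)
    local list="$1" ip="$2" w
    case " $list " in
        *" EXCEPT "*)
            list_matches "${list%% EXCEPT *}" "$ip" && ! list_matches "${list#* EXCEPT }" "$ip"
            return ;;
    esac
    for w in $list; do
        pattern_matches "${w%,}" "$ip" && return 0
    done
    return 1
}

daemon_matches() {  # daemon list $1 (comma separated, or ALL) against daemon name $2
    local d
    for d in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$2" ] && return 0
    done
    return 1
}

first_match() {  # rules $1, daemon $2, address $3 -> option word of the first matching rule ("-" if none)
    local daemon="$2" ip="$3" line rest dl cl opt
    printf '%s\n' "$1" | while IFS= read -r line; do
        line="${line%%#*}"
        [ -n "$(trim "$line")" ] || continue
        dl=$(trim "${line%%:*}"); rest="${line#*:}"
        cl=$(trim "${rest%%:*}")
        case "$rest" in *:*) opt=$(trim "${rest#*:}"); opt=${opt%% *} ;; *) opt=- ;; esac
        if daemon_matches "$dl" "$daemon" && list_matches "$cl" "$ip"; then
            printf '%s\n' "$opt"; break
        fi
    done
}

tcpwrap_decide() {  # daemon $1, client address $2 -> allow | deny
    local m
    m=$(first_match "$HOSTS_ALLOW" "$1" "$2")
    if [ -n "$m" ]; then
        if [ "$m" = deny ]; then echo deny; else echo allow; fi
        return 0
    fi
    m=$(first_match "$HOSTS_DENY" "$1" "$2")
    if [ -n "$m" ]; then
        if [ "$m" = allow ]; then echo allow; else echo deny; fi
        return 0
    fi
    echo allow   # matched in neither file: tcp_wrappers lets the connection through
}

for c in 172.16.69.5 172.16.72.1 10.0.0.5 192.168.1.9; do
    echo "sshd from $c: $(tcpwrap_decide sshd "$c")"
done
```

Note what the default-allow rule does for a daemon that appears in neither file: vsftpd from 192.168.1.9 is allowed here even though hosts.deny says "sshd: ALL", which is why a deny-by-default setup uses "ALL: ALL" in hosts.deny rather than listing daemons.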
NSS & Pam
NSS: nsswitch, the name service switch.
Name resolution: the process of translating symbols of natural language that people recognise and use into the digital symbols that computers recognise and use, including: host name to IP address; user name to UID; group name to GID; service name to port; network interface name to MAC address; ...
Lookup: the process of finding a particular repository on the basis of known information (a keyword, key) in order to obtain further information about, or matching, the known information.
Repositories: files; RDBMS; NoSQL; LDAP; ...

nsswitch: a general service framework that provides a concise and efficient interface to applications; it acts as the agent for name resolution services.
Function: towards applications, a unified configuration and call interface; towards the repositories, a common way of reaching repositories of the various forms.
The common framework for implementing name resolution services in Linux systems is the set of NSS-related libraries: /lib64/libnss*, /usr/lib64/libnss*. /usr/lib64/libnss3.so is the NSS service framework interface that carries the others; the other libnss*.so library files are the interfaces (drivers) for accessing the various repositories. So that the repositories are accessed correctly, one configuration file defines for every application that uses the resolution library how each repository is accessed: /etc/nsswitch.conf

Configuration file format:
    db: store_format1 store_format2 ...
Each store can be searched by the lookup key, and every lookup returns a status:
    status = SUCCESS | NOTFOUND | UNAVAIL | TRYAGAIN
Each status has a corresponding action:
    action = return | continue
Note: the default action for the SUCCESS status is return; the default action for all other statuses is continue.
Custom combinations of status and action: [status=action] [!status=action]
    Example: hosts: files [NOTFOUND=return] dns
Command to obtain a lookup result: getent - get entries from Name Service Switch libraries
    getent database [key ...]
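The status/action rules above decide whether a miss in one store is final or falls through to the next, and "hosts: files [NOTFOUND=return] dns" is the usual illustration. The script below is an added example, not part of the original notes: it simulates the evaluation of such a store list over two constructed in-memory repositories ("files" and "dns") instead of real lookups, with the default actions from the notes (SUCCESS returns, everything else continues) and the [status=action] / [!status=action] overrides. The host entries, the example.test name and the DNS_DOWN switch are constructed.

```shell
#!/bin/bash
# Added example (not from the original notes): simulate how an nsswitch
# "db: store [status=action] store" line is evaluated, using constructed
# in-memory repositories instead of real lookups.
set -f   # no pathname expansion: "[NOTFOUND=return]" would otherwise be a glob

FILES_HOSTS='127.0.0.1 localhost
192.168.100.1 www.qhdlink.com'
DNS_HOSTS='198.51.100.10 example.test
192.168.100.7 www.qhdlink.com'
DNS_DOWN=0   # set to 1 to simulate an unreachable resolver (status UNAVAIL)

# One store lookup: prints "SUCCESS <value>", "NOTFOUND" or "UNAVAIL".
store_lookup() {  # store $1, key $2
    local data addr
    case "$1" in
        files) data="$FILES_HOSTS" ;;
        dns)   if [ "$DNS_DOWN" = 1 ]; then echo UNAVAIL; return 0; fi
               data="$DNS_HOSTS" ;;
        *)     echo UNAVAIL; return 0 ;;   # unknown store name
    esac
    addr=$(printf '%s\n' "$data" | awk -v k="$2" '$2 == k { print $1; exit }')
    if [ -n "$addr" ]; then echo "SUCCESS $addr"; else echo NOTFOUND; fi
}

# Action for a status: the default, then overridden by "STATUS=action" or
# "!STATUS=action" tags listed in $2 (case-insensitive, as in nsswitch.conf).
nss_action() {  # status $1, tags $2
    local status="$1" item st act neg
    if [ "$status" = SUCCESS ]; then act=return; else act=continue; fi
    for item in $2; do
        st=$(printf '%s' "${item%%=*}" | tr 'a-z' 'A-Z')
        neg=0
        case "$st" in '!'*) neg=1; st=${st#!} ;; esac
        if { [ $neg = 0 ] && [ "$st" = "$status" ]; } || { [ $neg = 1 ] && [ "$st" != "$status" ]; }; then
            act=$(printf '%s' "${item#*=}" | tr 'A-Z' 'a-z')
        fi
    done
    echo "$act"
}

# Walk the store list: prints "<store> <value>" on success, otherwise the last status.
nss_resolve() {  # store list $1 (e.g. "files [NOTFOUND=return] dns"), key $2
    local key="$2" tok store="" tags="" out status="NOTFOUND"
    for tok in $1 __END__; do
        case "$tok" in
            *=*) tok="${tok#\[}"; tags="$tags ${tok%\]}"; continue ;;   # part of a [...] tag group
        esac
        if [ -n "$store" ]; then   # a new store (or the end) closes the previous store's tag group
            out=$(store_lookup "$store" "$key")
            status=${out%% *}
            if [ "$(nss_action "$status" "$tags")" = return ]; then
                if [ "$status" = SUCCESS ]; then echo "$store ${out#* }"; else echo "$status"; fi
                return 0
            fi
        fi
        store="$tok"; tags=""
    done
    echo "$status"
}

echo "files [NOTFOUND=return] dns, www.qhdlink.com -> $(nss_resolve 'files [NOTFOUND=return] dns' www.qhdlink.com)"
echo "files [NOTFOUND=return] dns, example.test    -> $(nss_resolve 'files [NOTFOUND=return] dns' example.test)"
echo "files dns, example.test                      -> $(nss_resolve 'files dns' example.test)"
```

The second line shows the security-relevant effect of [NOTFOUND=return]: a name absent from /etc/hosts is never sent to DNS, so the local file fully controls which names resolve. Without the tag (third line) the miss falls through to DNS, and a name present in both stores is answered by whichever store comes first.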
    Examples: getent passwd root
              getent hosts www.qhdlink.com

PAM: Pluggable Authentication Modules, a universal authentication service framework.
Implementation: provides a common implementation for interacting with the various types of repositories, relying mainly on the corresponding authentication function modules.
Module storage path: /lib64/security/pam_*.so
Configuration files: every PAM-based application that needs authentication has a corresponding configuration file defining how the application uses PAM to achieve the various required authentication functions:
    1. Global authentication configuration file: /etc/pam.conf
       format: service type control module-path module-arguments
    2. Private configuration file for each application: /etc/pam.d/APP_NAME
       format: type control module-path module-arguments

type:
    account: non-authentication functions related to account management, usually account auditing, e.g. expiry;
    auth: functions related to authentication and authorisation of the account;
    password: functions that regulate password complexity when a user account's password is changed;
    session: additional auditing operations needed after authentication and account audit, before the user obtains the service or after the service completes, e.g. logging.

control: how several checks of the same type are combined. There are two ways of writing it:
    1. Simple form, using one keyword:
        required: if this entry is not satisfied, the authentication must ultimately fail, but the process is not interrupted; the whole stack of rules is still run and only then is the "authentication failed" signal given. An implicit veto.
        requisite: if this entry is not satisfied, the authentication fails and the whole stack terminates immediately, returning the "authentication failed" signal. An explicit veto. If the entry is satisfied, the remaining entries still have to be consulted.
        sufficient: if this entry is satisfied and no required entry before it has failed, the whole stack terminates immediately and returns the "authentication succeeded" signal; a conditional pass. If it is not satisfied, the remaining entries still have to be consulted.
        optional: its result matters only when it is the sole entry in the stack; otherwise whether it is satisfied or not has no bearing on the final authentication result.
        include: include all the rules of another configuration file at this entry; whether the entry is satisfied depends on the final authentication result of the specified file, and it can affect the final result of the current stack.
        substack: all the rules of another configuration file are included at this entry; unlike include, its authentication result does not affect the current stack.
    2. Detailed form: one or more "status=action" tags combined: [value1=action1 value2=action2 ...]
        value: success, open_err, symbol_err, service_err, system_err, buf_err, perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err, authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again, ignore, abort, authtok_expired, module_unknown, bad_item, conv_again, incomplete, and default.
        action: ok, done, die, bad, ignore, N, reset, ...

module-path: the path of the module being called;
    relative path: relative to the /lib64/security directory;
    absolute path: /lib64/security/*.so
module-arguments: the parameters specific to each called module. In general, if a module needs several parameters they are separated by whitespace; if a single argument itself must contain whitespace such as spaces, enclose the whole parameter in square brackets ([]).

Authentication modules:
    pam_shells.so: the user account's default login shell must be a secure shell; a shell listed on its own line in /etc/shells is a secure shell, any other shell is not. For example, add the following line as the first line of /etc/pam.d/sshd:
        auth required pam_shells.so
    pam_limits.so: system resource allocation control module; enforces, at the user level, limits on the amount of resources a given user may use.
    ulimit command: view or temporarily adjust the usage limits on system resources; only the root user can adjust them.
        -n #: set the number of open files;
    Modifying the configuration files makes the resource limits permanent: /etc/security/limits.conf, /etc/security/limits.d/*
        format: <domain> <type> <item> <value>
        <domain>: 1. a single user; 2. a group (written @group), i.e. all user accounts that are members of the group; 3. *, all users, usually used to set the default value;
        <type>: soft; hard; -: both soft and hard;
        <item>: nofile: maximum number of files open at the same time; nproc: maximum number of processes that may be started; locks: maximum number of open file locks.
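The difference between required, requisite, sufficient and optional is best seen by running a stack against a few combinations of module results. The script below is an added example, not part of the original notes: it walks a constructed /etc/pam.d-style stack with those four control keywords and reports the outcome and the entry that decided it. The per-module results are constructed inputs rather than real PAM calls, the stack is made up, and include/substack and the detailed [value=action] form are not modelled.

```shell
#!/bin/bash
# Added example (not from the original notes): walk a PAM stack with the
# simple control keywords and report the outcome for constructed module results.

# Constructed /etc/pam.d/sshd-style stack: "type control module-path".
PAM_STACK='auth     required   pam_shells.so
auth     sufficient pam_unix.so
auth     required   pam_deny.so
account  required   pam_unix.so
session  required   pam_limits.so'

# Result of one module from a "module=success|fail ..." string; an unlisted module counts as a failure.
module_result() {  # results $1, module $2
    local kv
    for kv in $1; do
        if [ "${kv%%=*}" = "$2" ]; then echo "${kv#*=}"; return 0; fi
    done
    echo fail
}

# Evaluate the entries of type $2 in stack $1 with results $3; prints "verdict:reason".
pam_eval() {
    local type="$2" results="$3" t ctl mod rest res
    local required_failed=0 strong_ok=0 optional_res=""
    while read -r t ctl mod rest; do
        [ -n "$t" ] && [ "$t" = "$type" ] || continue
        res=$(module_result "$results" "$mod")
        case "$ctl" in
            required)     # implicit veto: remember the failure but keep running the stack
                if [ "$res" = success ]; then strong_ok=1; else required_failed=1; fi ;;
            requisite)    # explicit veto: stop immediately on failure
                if [ "$res" = success ]; then strong_ok=1; else echo "fail:$mod requisite"; return 0; fi ;;
            sufficient)   # conditional pass: only if no earlier required entry has failed
                if [ "$res" = success ] && [ "$required_failed" = 0 ]; then echo "success:$mod sufficient"; return 0; fi ;;
            optional)     # decides only when it is the sole entry of this type
                optional_res="$res" ;;
        esac
    done <<EOF
$1
EOF
    if [ "$required_failed" = 1 ]; then echo "fail:required entry failed"
    elif [ "$strong_ok" = 1 ]; then echo "success:end of stack"
    elif [ -n "$optional_res" ]; then echo "$optional_res:optional entry only"
    else echo "fail:no entries"
    fi
}

# Correct password, login shell listed in /etc/shells.
echo "shell ok, password ok:   $(pam_eval "$PAM_STACK" auth 'pam_shells.so=success pam_unix.so=success')"
# Correct password, but the account's shell is not in /etc/shells: pam_shells vetoes.
echo "shell bad, password ok:  $(pam_eval "$PAM_STACK" auth 'pam_shells.so=fail pam_unix.so=success')"
# Wrong password: pam_unix does not pass and the stack runs into pam_deny.
echo "shell ok, password bad:  $(pam_eval "$PAM_STACK" auth 'pam_shells.so=success pam_unix.so=fail')"
```

The second case is the point of putting "auth required pam_shells.so" first: pam_unix succeeds, but because a required entry already failed the sufficient entry cannot short-circuit the stack, and the login is refused only after the whole stack has run, which is what the notes call the implicit veto. Had the shell check been written as requisite, the stack would stop at that entry instead.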