I. Use of SELinux
There are two types of access control on Linux:
Discretionary access control (DAC): resources are managed by the users who own them
Mandatory access control (MAC): resources are governed by a policy set by an administrator
1 SELinux (Security-Enhanced Linux) is a security extension for Linux and a means of implementing mandatory access control. It was developed by the United States National Security Agency and has been supported by the Linux kernel since version 2.6.
2 Viewing the status of SELinux on the current system
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
SELINUX= status values (from the comments in /etc/selinux/config):
# enforcing - SELinux security policy is enforced. (enabled)
# permissive - SELinux prints warnings instead of enforcing. (loose mode)
# disabled - No SELinux policy is loaded. (disabled)
SELinux types (SELINUXTYPE=)?
targeted: only the common network service daemons are confined
mls: Multi Level Security, protects all files
Modify the configuration file to permanently set the SELinux status (takes effect at the next boot):
# vim /etc/sysconfig/selinux    (a symlink to /etc/selinux/config)
SELINUX=enforcing
SELINUXTYPE=targeted
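The notes show two places the mode can come from: the config file (the mode after the next boot) and the running kernel (getenforce / "Current mode"). A defender usually wants to know when the two disagree, because that is what a `setenforce 0` left behind looks like. The script below is an added example, not part of the original notes: it reads SELINUX= and SELINUXTYPE= from a config file in the /etc/selinux/config format, rejects values outside the three the notes list, and reports drift between the configured and the running mode. The file path and the running mode can both be passed in, so it also works against a copied config file on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the original notes): check the SELinux mode that is
# configured in an /etc/selinux/config-style file against the mode currently
# in effect, and flag invalid or drifting settings.

# Print the value of KEY ($1) from the config file ($2). Comment lines are
# ignored; if the key appears more than once the last assignment wins.
selinux_cfg_get() {
    key=$1; cfg=$2
    sed -n "s/^[[:space:]]*${key}=[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p" "$cfg" | tail -n 1
}

# Only the three values listed in the config file comments are legal.
selinux_mode_valid() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the configured mode ($1) with the running mode ($2, as printed by
# getenforce, which capitalises it). Prints "consistent" or the drift found.
selinux_mode_drift() {
    cfg_mode=$1
    run_mode=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$cfg_mode" = "$run_mode" ]; then
        echo "consistent"
    else
        echo "drift: config=$cfg_mode running=$run_mode"
    fi
}

# Full check: config file ($1, default /etc/selinux/config) against the
# running mode ($2, default taken from getenforce). Returns 2 on a bad value.
selinux_check() {
    cfg=${1:-/etc/selinux/config}
    current=${2:-$(getenforce 2>/dev/null || echo unknown)}
    mode=$(selinux_cfg_get SELINUX "$cfg")
    type=$(selinux_cfg_get SELINUXTYPE "$cfg")
    if ! selinux_mode_valid "$mode"; then
        echo "invalid SELINUX value in $cfg: '$mode'"
        return 2
    fi
    echo "config: SELINUX=$mode SELINUXTYPE=$type"
    selinux_mode_drift "$mode" "$current"
}

# Command-line use: selinux_check.sh [config-file] [current-mode]
if [ $# -gt 0 ]; then
    selinux_check "$@"
fi
```

On a live host run it as `sh selinux_check.sh /etc/selinux/config "$(getenforce)"`; the "drift" line is the one worth alerting on, since it means the box will behave differently after its next reboot than it does now.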
View the current SELinux mode of the running system
# getenforce
Permissive
Temporarily modify the SELinux mode of the running system (lost at reboot)
# setenforce 0|1
0 = permissive, 1 = enforcing
disabled <--- (config file + reboot) ---> permissive <--- setenforce 0 / setenforce 1 ---> enforcing
(setenforce only switches between permissive and enforcing; entering or leaving disabled requires the config file and a reboot)
View the security context: the -Z option
File:      ls -lZ filename
Directory: ls -ldZ directoryname
Process:   ps auxZ
           ps auxZ | grep processname
The composition of the security context?
user:role:type:level (for example system_u:object_r:httpd_sys_content_t:s0); under the targeted policy the type field is what decides access
What are the general rules after SELinux is enabled?
Create a new file/directory: inherits the security context of the parent directory
Move a file/directory: keeps its original security context unchanged (so a file moved into /var/www/html may still carry its old label)
Copy a file/directory: the copy takes the security context of the destination directory
Modify the security context of a file?
# chcon -R -t accesstype directoryname
# chcon -t accesstype filename
# chcon -t httpd_sys_content_t /var/www/html/x99.html
Restore the security context of a file (to what the policy's file-context rules define)?
# restorecon filename
# restorecon /var/www/html/x203.html
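The move/copy rules and the chcon/restorecon commands above are usually needed together: a file dragged into /var/www/html with mv keeps its user_home_t label and the web server cannot read it. The script below is an added example, not part of the original notes. It splits a context string into its user, role, type and level fields, and reads `ls -Z` (or `ls -lZ`) output to list every entry whose type is not the one expected for that directory, which is exactly the list to hand to restorecon. The context column is found by its user:role:type shape rather than by position, so the two ls formats both work; the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): decompose security contexts
# and find files whose type label does not match the directory's expected type.

# Split a context "user:role:type:level" into its fields; the level is
# everything after the third colon, so an MLS range such as s0-s0:c0.c1023
# stays intact. Prints: user role type level
ctx_fields() {
    ctx=$1
    user=${ctx%%:*}; rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; level=${rest#*:}
    [ "$level" = "$type" ] && level=""     # context without a level part
    echo "$user $role $type $level"
}

# Just the type field of a context.
ctx_type() {
    set -- $(ctx_fields "$1")
    echo "$3"
}

# Read `ls -Z` / `ls -lZ` output on stdin and print "<name> <type>" for every
# entry whose type differs from the expected type given as $1.
find_mislabeled() {
    expect=$1
    awk -v want="$expect" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+_r:[^:]+_t/) { ctx = $i; break }
            if (ctx == "") next               # no context column on this line
            split(ctx, f, ":")
            if (f[3] != want) print $NF, f[3]  # file name is the last field
        }'
}

# Command-line use: find_mislabeled.sh <directory> [expected-type]
# Example: find_mislabeled.sh /var/www/html httpd_sys_content_t
if [ $# -gt 0 ]; then
    ls -Z "$1" | find_mislabeled "${2:-httpd_sys_content_t}"
fi
```

Each name the script prints is a candidate for `restorecon -v /var/www/html/<name>`; if restorecon does not change it, the policy itself has no file-context rule for that path and chcon (or semanage fcontext) is the next step.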
SELinux boolean values? (switches for individual SELinux features)
View SELinux boolean values
# getsebool -a
Modify the status of an SELinux boolean value?
on/off (-P makes the change permanent across reboots; without -P it lasts only until the next reboot)
# setsebool -P option on|off
# setsebool -P option=1|0
Run the vsftpd service on server 13 (192.168.4.13) so that anonymous users can access the FTP server,
and the /var/ftp/sharedir directory allows uploading and downloading files
# yum -y install vsftpd
# mkdir /var/ftp/sharedir
# chmod o+w /var/ftp/sharedir
# cp /etc/passwd /var/ftp/sharedir/
# sed -n '29p' /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
# systemctl start vsftpd
# netstat -utnalp | grep :21
# getenforce
# setsebool -P ftpd_anon_write on
# setsebool -P ftpd_full_access on
# getsebool -a | grep ftp
Client access
# yum -y install ftp
# ftp 192.168.4.13
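Before testing from the client it is worth confirming that every switch the procedure depends on is actually set, since a boolean left off produces a silent permission error rather than a clear message. The script below is an added example, not part of the original notes: it reads the `getsebool -a` table from stdin and reports the booleans from the procedure that are not on, and it checks a vsftpd.conf-style file for anon_upload_enable (from the notes) and write_enable (which vsftpd requires for any write command). The sample boolean lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): verify the SELinux booleans and
# vsftpd settings needed for the anonymous-upload lab before testing.

# Read `getsebool -a` output ("name --> on|off") on stdin and print every
# boolean named in $@ that is not "on"; a boolean missing from the table is
# reported as "absent". Returns 1 if anything is not on.
booleans_not_on() {
    status=0
    input=$(cat)
    for b in "$@"; do
        val=$(printf '%s\n' "$input" | awk -v n="$b" '$1 == n && $2 == "-->" { print $3 }')
        case "$val" in
            on) ;;
            "") echo "$b absent"; status=1 ;;
            *)  echo "$b $val";  status=1 ;;
        esac
    done
    return $status
}

# Check a vsftpd.conf-style file ($1) for the settings the upload test needs.
# Prints "KEY=VALUE" (or KEY=unset) for each one that is not YES; commented
# lines do not count. Returns 1 if any is wrong.
vsftpd_upload_settings() {
    cfg=$1
    status=0
    for key in anon_upload_enable write_enable; do
        val=$(sed -n "s/^[[:space:]]*${key}=\(.*\)$/\1/p" "$cfg" | tail -n 1 | tr 'a-z' 'A-Z')
        if [ "$val" != "YES" ]; then
            echo "$key=${val:-unset}"
            status=1
        fi
    done
    return $status
}

# Live use on the FTP server from the notes: check_ftp_lab.sh --live
if [ "${1:-}" = "--live" ]; then
    getsebool -a | booleans_not_on ftpd_anon_write ftpd_full_access
    vsftpd_upload_settings /etc/vsftpd/vsftpd.conf
fi
```

Anything the two functions print is a setting to fix with `setsebool -P <name> on` or in vsftpd.conf before retrying the upload from the client; an empty output means the lab's prerequisites are in place.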
Install the logging program that records SELinux error messages
# rpm -qa | grep setroubleshoot
setroubleshoot-plugins-3.0.59-1.el7.noarch
setroubleshoot-3.2.24-1.1.el7.x86_64
setroubleshoot-server-3.2.24-1.1.el7.x86_64
# cat /var/log/messages | grep setroubleshoot | tail -1
(the last setroubleshoot line names the id to pass to sealert -l)
# sealert -l 677ed5b2-40c3-4275-a8df-c213d23ea372
+++++++++++++++++++++++++++++++++++++
Packet capture and scanning
Scanning: nmap
# rpm -q nmap
# which nmap
# man nmap
Command format: nmap [scan type] [options] <scan target ...>
Common scan types
-sS, TCP SYN scan (half-open)
-sT, TCP connect scan (full open)
-sU, UDP scan
-sP, ICMP ping scan (host discovery only; newer nmap versions spell this -sn)
Options
-A, comprehensive analysis of the target system
-A is a composite option that is equivalent to:
-O (OS detection), -sV (version detection), -sC (default script scan), --traceroute (route tracing)
-p port
-n do not do DNS resolution
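For the defender running nmap against their own hosts, the useful output is not the raw port table but the difference between what is open and what is supposed to be open. The script below is an added example, not part of the original notes: it assumes nmap was run with `-oG` (greppable output, one "Host: ... Ports: ..." line per host, entries of the form port/state/protocol/owner/service/rpc/version/) and parses that into "host port/proto service" lines for the open ports, then compares them with an allow-list so that anything unexpected stands out. The sample output lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): parse nmap -oG greppable output
# and report open ports that are not on an allow-list.

# Read greppable output on stdin; print "host port/proto service" for every
# open port. Fields in the Ports: list are separated by ", " and each entry is
# port/state/protocol/owner/service/rpcinfo/version/.
nmap_open_ports() {
    awk -F'\t' '
        /^#/ { next }                                  # nmap header/footer
        {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                plist = substr($i, 8)                  # drop the "Ports: " label
                n = split(plist, ports, ", ")
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                }
            }
        }'
}

# Read "host port/proto service" lines on stdin and print the ones whose
# port/proto is not among the arguments (the allow-list, e.g. 21/tcp 80/tcp).
unexpected_open_ports() {
    allow=" $* "
    while read -r host port svc; do
        case "$allow" in
            *" $port "*) ;;
            *) echo "$host $port $svc" ;;
        esac
    done
}

# Command-line use: nmap_diff.sh scan.gnmap 21/tcp 80/tcp
if [ $# -gt 0 ]; then
    file=$1; shift
    nmap_open_ports < "$file" | unexpected_open_ports "$@"
fi
```

Typical use is `nmap -sT -n -p 1-1024 -oG scan.gnmap 192.168.4.13` on a host you administer, followed by `sh nmap_diff.sh scan.gnmap 21/tcp 22/tcp`; any line printed is a service listening that the host's documentation does not account for.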
Write a script /root/check_web.sh on this machine that checks the running state of the web site service on specified hosts.
When executing the script, you can specify any number of server IP addresses to check,
and it displays the status of the web service on each server being inspected.
Count the servers whose web site service is not up and send that information to this machine's email account [email protected].
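One way to implement the check_web.sh described above, as an added example (my implementation, not the script from the class): each host given on the command line is probed on TCP port 80 using bash's /dev/tcp with a short timeout, the per-host status is printed, the hosts that are down are counted, and the summary is mailed only when something is down. The mailbox is taken from the MAILTO environment variable with a placeholder default, since the notes' own mail account is not recoverable from the page; the `mail` command is assumed to be installed.

```shell
#!/bin/bash
# Added example (not the class's script): check the web service on the hosts
# given as arguments, summarise the ones that are down, mail the summary.
# Usage: check_web.sh host [host ...]

MAILTO=${MAILTO:-root}    # placeholder; set MAILTO to the real local mailbox

# Probe TCP port ($2, default 80) on host $1; prints "host up" or "host down".
# Uses bash's /dev/tcp so no extra tools are needed; gives up after 3 seconds.
web_status() {
    host=$1; port=${2:-80}
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo "$host up"
    else
        echo "$host down"
    fi
}

# Read "host up|down" lines on stdin and print one summary line with the
# number checked, the number down and the names of the down hosts.
# Returns 1 when at least one host is down.
summarize() {
    down=""; n=0; total=0
    while read -r host state; do
        total=$((total + 1))
        if [ "$state" != "up" ]; then
            down="$down $host"; n=$((n + 1))
        fi
    done
    echo "checked=$total down=$n${down:+ hosts:$down}"
    [ "$n" -eq 0 ]
}

# Echo the summary read from stdin and, if any host is down, mail it to $1.
notify() {
    mailbox=$1
    report=$(cat)
    printf '%s\n' "$report"
    case "$report" in
        *"down=0"*) ;;
        *) printf '%s\n' "$report" | mail -s "web service check" "$mailbox" ;;
    esac
}

if [ $# -gt 0 ]; then
    for h in "$@"; do
        web_status "$h"
    done | tee /dev/stderr | summarize | notify "$MAILTO"
fi
```

The per-host lines go to stderr via tee so the operator sees them as the probes run, while only the summary line is passed on to the mail step; a cron entry such as `*/10 * * * * /root/check_web.sh 192.168.4.13 192.168.4.14` turns it into a simple availability monitor.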