After that, we needed to copy out these files to the /kickstart directory on the host rhmaster using cfengine. Once again in our working copy, we created the directory PROD/inputs/tasks/app/kickstart, and created a task in the directory called cf.copy_kickstart_dir with these contents:
We added the PROD/inputs/tasks/app/kickstart directory to Subversion with svn add once we had the task file inside it. Next, we needed to do the usual steps in order to make this task get used by our Kickstart server. Here’s a summary of the steps:
1. Create the kickstart_server class in PROD/inputs/classes/cf.main_classes.
2. Create the hostgroup file at PROD/inputs/hostgroups/cf.kickstart_server that imports the cf.copy_kickstart_dir task. Add the file to the Subversion repository.
3. Set up the hostgroup import in the hostgroup mapping file PROD/inputs/hostgroups/cf.hostgroup_mappings.
4. Commit the changes to your working copy, and update the production working copy on the cfengine master.
When we set up FAI, we were careful to modify the default FAI configuration files as little as possible. We wanted to be able to push new files as much as possible, since we knew that we would want to distribute those files using cfengine later on.
We collected all the files under the /srv/fai/config directory that we modified or added back in Chapter 6 in our working copy of the repository:
We’ll distribute all these as another recursive copy, this time into the /srv/fai/config directory on the FAI server (goldmaster). We have some additional files that we modified during the setup of our FAI server:
/etc/fai/make-fai-nfsroot.conf
/etc/dhcp3/dhcpd.conf
/etc/inetd.conf
There is a problem with /etc/inetd.conf: in the task PROD/inputs/tasks/app/rsync/cf.enable_rsync_daemon, we add a line to /etc/inetd.conf using the editfiles action. This editfiles action must be changed or removed, since it makes no sense to have an editfiles action acting on a file that cfengine is also copying out. Two scenarios could result, depending on the contents of the inetd.conf file that cfengine copies into place:
- The /etc/inetd.conf file won’t have the entry that the task cf.enable_rsync_daemon is looking for, and it will be added by the editfiles action. This means that the next time cfengine runs, /etc/inetd.conf won’t match the checksum of the file in the masterfiles tree, and inetd.conf will be copied again. After that, the editfiles action will once again notice that the required entry isn’t there, and it will add it yet again. This loop will continue every time cfengine runs.
- The /etc/inetd.conf file will already have the required entry, making the editfiles action unnecessary.
You can see that, either way, we don’t need the editfiles action. It either produces what we can only consider an error by constantly changing the file or is totally unneeded. We’ll simply place the required entry in the inetd.conf file that we copy out and remove the editfiles section from the cf.enable_rsync_daemon task. We will add a comment to the task, however, stating that the enable of the daemon is handled via a static file copy in another task and provide the task file name in the comment.
After editing the PROD/inputs/tasks/app/rsync/cf.enable_rsync_daemon task to comment out the editfiles section and add the new comment, we placed these files into our working copy of the cfengine tree:
Note that the copies were local since we were working in our home directory from the goldmaster system itself.
We created a task at PROD/inputs/tasks/app/fai/cf.copy_fai_files with these
We made sure to add the new tasks/app/fai directory to the repository. We need to create the fai_server class, create a hostgroup file for it, and import it in the cf.hostgroup_mappings file. Here’s a summary of the steps:
Trang 6C H A P T E R 1 1 IN F R A S T R U C T U R E E N H A N C E M E N T
346
1. Create the fai_server class in PROD/inputs/classes/cf.main_classes.
2. Create the hostgroup file at PROD/inputs/hostgroups/cf.fai_server that imports the cf.copy_fai_files task. Add the file to the Subversion repository.
3. Set up the hostgroup import in the hostgroup mapping file PROD/inputs/hostgroups/cf.hostgroup_mappings.
4. Commit the changes to your working copy, and update the production working copy on the cfengine master.
Subversion Backups
The procedure to back up a Subversion repository is quite simple. We can use the svnadmin command with the hotcopy argument to properly lock the repository and form a file-based backup. Backing up this way is much better than performing a cp or rsync copy of the repository files, which might result in a corrupted backup.
Use the command like this:
svnadmin hotcopy /path/to/repository /path/to/backup-repository
The repository made by svnadmin hotcopy is fully functional; we are able to drop it in place of our current repository should something go wrong. We can create periodic backups of our repository this way and copy the backups to another host on our network or even to an external site.
Be aware that each time a hot copy is made, it will use up the same amount of disk space as the original repository. Backup scripts that make multiple copies using svnadmin hotcopy will need to be careful not to fill up the local disk with backups.
We’ll create a script at PROD/repl/admin-scripts/svn-backup with these contents (explained section by section):
Since we copied the script to all hosts on our network, we took steps to make sure that it only runs on the proper host:
We wrote a subroutine to manage our stored backup directories. It takes an argument of a repository directory that needs to be backed up, and it moves any numbered backup directories to a new backup directory with the number incremented by one. A backup directory with the number 7 is removed, since we only save seven of them.
For example, the directory /var/backups/binary-server/backup.7/ is removed, and the directory /var/backups/binary-server/backup.6/ is moved to the name /var/backups/binary-server/backup.7/. The subroutine then progresses backward numerically from 5 to 1, moving each directory to another directory with the same name except the number incremented by 1. When it is done, there is no directory named /var/backups/binary-server/backup.1/, which is the directory name we’ll use for a new Subversion backup:
In this section, we perform these steps:
1. Retrieve just the short portion of the directory name using the basename command so that the variable SHORTNAME contains the value binary-server or cfengine, the two repository directory names.
2. We then make sure that the directory used for the backups exists and create it if necessary.
3. Now that the directory is known to exist, we change directory to the proper backup directory and use our subroutine that rotates the previous backup directories.
4. Then we use the svnadmin hotcopy command to create a new backup of the repository. This is done for each directory listed in the variable SVN_REPOS.
# if we get here without errors, cleanup
rm_lock_file
Finally, we removed the lock file that is used to prevent two of these from running at once. We ran the script eight times in a row to demonstrate the output; here it is:
drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.1
In order to use the lockfile command (contained in the script), the package procmail needs to be installed. Add the string procmail on a line by itself to your working copy of PROD/repl/root/srv/fai/config/package_config/FAIBASE, and check in the modification so that all future hosts get the package installed. For now, just install the procmail package using apt-get on the Subversion server (the system etchlamp).
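The backup script itself did not survive extraction, so here is an added example of a script with the same shape as the one described above and in the numbered steps: a host check, a lock, a seven-deep rotation of numbered backup directories, and an svnadmin hotcopy per repository. It is not the book’s PROD/repl/admin-scripts/svn-backup; BACKUP_ROOT, KEEP, LOCK_DIR and SVN_SERVER_HOST are names chosen here, and the lock is an atomic mkdir rather than procmail’s lockfile command:

```shell
#!/bin/sh
# Added example, not the book's svn-backup script: host check, lock,
# seven-deep rotation of backup.N directories, svnadmin hotcopy per repo.
# BACKUP_ROOT, KEEP, LOCK_DIR and SVN_SERVER_HOST are names chosen here.
set -u

BACKUP_ROOT="${BACKUP_ROOT:-/var/backups}"
KEEP="${KEEP:-7}"
LOCK_DIR="${LOCK_DIR:-/var/run/svn-backup.lock}"
SVN_SERVER_HOST="${SVN_SERVER_HOST:-etchlamp}"

# cfengine copies this script to every host, so refuse to run anywhere
# but the Subversion server.
check_host() {
    [ "$(hostname)" = "$SVN_SERVER_HOST" ]
}

# mkdir is atomic: it creates the lock directory or fails if one exists,
# which keeps two overlapping runs from corrupting each other's rotation.
take_lock()    { mkdir "$LOCK_DIR" 2>/dev/null; }
release_lock() { rmdir "$LOCK_DIR" 2>/dev/null || true; }

# rotate_backups DIR: remove DIR/backup.KEEP, then rename backup.N to
# backup.N+1 for N = KEEP-1 down to 1, so that no backup.1 remains.
rotate_backups() {
    dir=$1
    if [ -d "$dir/backup.$KEEP" ]; then
        rm -rf "$dir/backup.$KEEP"
    fi
    n=$((KEEP - 1))
    while [ "$n" -ge 1 ]; do
        if [ -d "$dir/backup.$n" ]; then
            mv "$dir/backup.$n" "$dir/backup.$((n + 1))"
        fi
        n=$((n - 1))
    done
}

# backup_repo REPO: rotate the repository's backup directory, then take a
# fresh hot copy into backup.1.  Fails if svnadmin fails.
backup_repo() {
    repo=$1
    shortname=$(basename "$repo")        # e.g. binary-server or cfengine
    dest="$BACKUP_ROOT/$shortname"
    mkdir -p "$dest"
    rotate_backups "$dest"
    svnadmin hotcopy "$repo" "$dest/backup.1"
}

main() {
    check_host || exit 0
    take_lock || { echo "svn-backup: another run holds $LOCK_DIR" >&2; exit 1; }
    status=0
    for repo in $SVN_REPOS; do
        backup_repo "$repo" || status=1
    done
    release_lock
    exit "$status"
}

# Run only when a repository list is supplied, for example:
#   SVN_REPOS="/var/svn/binary-server /var/svn/cfengine" ./svn-backup
if [ -n "${SVN_REPOS:-}" ]; then
    main
fi
```

Because the lock is released only after the loop, a failed hotcopy of one repository still lets the others run, and the non-zero exit status is what a cfengine shellcommands action or cron mail would surface.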
We’ll create a task to run the backup script once per day, in a file at the location PROD/inputs/tasks/app/svn/cf.svn_backups with these contents (be sure to add it into the
We’re using cfengine to run the backups every day between midnight and five minutes after midnight. Remember that we set a five-minute SplayTime, so cfagent will run at some time in the five minutes after midnight. We need to specify the range so that our shellcommands action will run. The absolute time class of Min00 probably wouldn’t match, but the range Min00_05 definitely will.
Now, we need to add this line to PROD/inputs/hostgroups/cf.svn_server:
tasks/app/svn/cf.svn_backups
Commit your changes to the repository, and update the production working copy. Now, every night at midnight, a new backup will be created, and we’ll always have seven days’ worth of backups on hand.
Copying the Subversion Backups to Another Host
We will copy the Subversion backup directories to another host on our local network using cfengine, so we’ll be able to quickly restore our two Subversion repositories if the Subversion server fails.
We’ll modify our site’s shared cfservd.conf configuration file to grant access to the backup directories on etchlamp from a designated backup host. We will use the cfengine master as the backup host and always keep a complete backup of those directories.
We added these lines to PROD/inputs/cfservd.conf in the admit: section:
We then added this line to PROD/inputs/control/cf.control_cfagent_conf so that we could abstract the hostname of the Subversion server with a variable:
We then needed a hostgroup file for the policyhost machine, so we created PROD/inputs/hostgroups/cf.policyhost with these contents:
import:
any::
tasks/app/svn/cf.copy_svn_backups
We’ll leave the task of copying the backup directories to an offsite host as an exercise for you.
We have a real advantage in the existence of our DEV cfengine branch, and we should use it as much as possible to try out new configurations and applications.
Our backup measures are certainly minimal, but they’re effective. If we suffered total system failure on any of our hosts, including the critical cfengine master, we can restore the system to full functionality.
Chapter 12
Improving System Security
Early in this book, we established that managing the contents and permission of files is the core of UNIX/Linux system administration. UNIX/Linux security is also almost entirely concerned with file contents and permissions. Even when configuring network settings for security reasons, we’re usually configuring file contents. This means that, in general, we’ll be performing very familiar operations when using cfengine to increase the security of our UNIX and Linux hosts.
At various points in this book, we’ve taken security into account when configuring our systems or when implementing some new functionality:
easily change passwords and add and remove accounts across our site
sion)
-
has the fewest features possible, which should decrease the likelihood of our site being vulnerable to remote Apache exploits
more of a disaster recovery measure, but modern data security is just as concerned with a disaster destroying information as it is about damage from attackers
In this chapter, we focus on security itself, but we don’t mean to give you the idea that security is a separate duty from your normal ones. If treated as an afterthought, good security is difficult to obtain and, in fact, becomes something of a burden if addressed during the later phases of a project.
ing off point to attack other hosts.
- remember that internal users are a major risk. Even if the users themselves aren’t malicious, their credentials or their computer systems can be compromised
methods. No modern network should have a crunchy exterior and a chewy interior—meaning perimeter network protection without internal protection mechanisms
Note As you might guess, we can’t provide a comprehensive security guide in just one chapter What
we can do, however, is recommend the book Practical UNIX & Internet Security by Simson Garfinkel, Alan Schwartz, and Gene Spafford (O’Reilly Media Inc., 2003)
Security Enhancement with cfengine
Cfengine configures systems in a consistent manner. The cfengine configuration is general enough that you can quickly apply your changes to other hosts in the same or different classes, even to systems that haven’t been installed yet. This means that if you correct a security problem on your Linux systems through cfengine, and then later install a new Linux sys-
As always, we do all of our system administration in our example infrastructure using cfengine, so this final chapter doesn’t look all that different from the earlier ones. The difference here is that we’re not focusing much on the cfengine configuration but more on the security gains from the changes we make.
Removing the SUID Bit
One of the most common ways for a malicious user to gain privileged access is via flaws
to be executed with the privileges of the file’s owner, not those of the user executing the program. It is a UNIX mechanism that allows nonprivileged users to perform tasks that
error or flaw in such a program is often disastrous to local security. The two ways to avoid becoming a victim of such a flaw are to keep your system up to date with security and bug fixes and to limit the number of setuid binaries on your system that are owned by the root user.
-tems, which will allow us to make educated decisions about what to exclude from a
following find command will work on all systems at our example site, should be run as root, and allows us to view the list and determine what to allow:
find / -fstype nfs -prune -o -user root -perm -04000 -ls | tee /var/tmp/suid.list
This find command pipes its listing through the tee command to save the output into a file for later investigation, while still displaying the output to the screen.
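As an added example that is not from the book, the find command above can be wrapped so that its output is kept as an approved baseline and later runs report only setuid files that were not there before; the baseline format (one path per line) and the function names are assumptions made here:

```shell
#!/bin/sh
# Added example, not code from the book: the book's find expression as a
# function, plus a comparison against an approved baseline so that a new
# setuid binary owned by the given account is reported.
set -u
export LC_ALL=C   # one collation for both sort and comm

# find_setuid ROOT OWNER: setuid regular files under ROOT owned by OWNER.
# NFS mounts are pruned as in the book's command; the output is sorted so
# it can be stored as a baseline and compared later.
find_setuid() {
    find "$1" -fstype nfs -prune -o -type f -user "$2" -perm -4000 -print | sort
}

# new_setuid BASELINE ROOT OWNER: print setuid files not listed in BASELINE
# (one path per line).  Returns 1 when at least one was found and 0 when the
# system still matches the baseline, so cron or a cfengine shellcommands
# action can raise an alert on a non-zero exit.
new_setuid() {
    baseline=$1
    current=$(mktemp)
    find_setuid "$2" "$3" > "$current"
    found=$(sort "$baseline" | comm -23 "$current" -)
    rm -f "$current"
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Typical use, after reviewing the first listing and saving it as the baseline:
#   find_setuid / root > /var/tmp/suid.baseline
#   new_setuid /var/tmp/suid.baseline / root
```

Keeping the baseline in the cfengine repository rather than on the host means a change to the approved list is itself a reviewed commit, and a listing that differs from it is either a package update to be checked or something to investigate.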
rootownedfiles filter from the file PROD/inputs/filters/cf.root_owned, which is imported from cfagent.conf. The file has these contents:
particular attributes in order to successfully match. The preceding filter is a very simple one that matches when a file is owned by root. In conjunction with these lines from
To activate this task, we added this line to PROD/inputs/hostgroups/cf.any:
tasks/os/cf.suid_removal
Be careful to test out these changes on just one host of each platform. As a temporary measure, you can override the hostgroups mechanism with lines like these in PROD/inputs/hostgroups/cf.any:
on our systems
Protecting System Accounts
system accounts are commonly used for brute force login attempts to systems
Every day, lists of common system accounts along with common passwords are used to
-tion of the root account
Note In the past, we’ve observed problems with daemons that utilized su - ACCOUNT in start-up scripts. If a daemon or script tries to execute a login shell this way, it won’t function in our environment. Such start-up scripts don’t require us to give the account a working shell; we can simply modify the script to use the -s /bin/sh option to su in order to make them work.
/etc/passwd files in our
envi- DEV repository and test on
changes. Once tested, merge the changed passwd files back to the PROD branch, and
/bin/false, remove any accounts that aren’t needed at your site. This may take some trial and error and should also be tested in a nonproduction environment before the changes are used in the PROD branch.
Next, edit the shadow files for all your site’s platforms. Make sure that each account’s encrypted password entry has an invalid string:
nagios:!:14 5:0:99999:7:::
The ! character in the encrypted password field of the nagios user account is an invalid string, locking the account. You can validate this with the -S argument to the passwd command on Linux:
sudo passwd -S nagios
nagios L 08/24/2008 0 99999 7 -1
The L in the output shows that the account is locked. This is the desired state for all
-s argument is used:
sudo passwd -s nagios
nagios PS 08/24/08 0 99999 7
The PS field denotes either “passworded” or “locked,” but we know our nagios
passwd command expects a particular string
*LK*
passwd command doesn’t understand it
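An added example, not the book’s code, that checks shadow entries the way the text does by hand: it classifies each password field as locked, empty or set (covering the Linux ! and * prefixes and the Solaris *LK* string, which the * rule also catches) and lists every account that is not locked. The function names and the sample shadow lines in the usage comment are constructed here:

```shell
#!/bin/sh
# Added example, not code from the book: audit /etc/shadow password fields
# so that every system account is confirmed to carry an invalid string.
set -u

# classify_pw FIELD: print "locked", "empty" or "set" for one shadow
# password field.  Linux passwd -S reports L for a field starting with
# ! or *; Solaris locks with the literal *LK*, which also starts with *.
# An empty field means no password is required at all, which is worse
# than a weak one and is reported separately.
classify_pw() {
    case "$1" in
        "")        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# unlocked_accounts [ALLOWED ...] < shadow-file: print the login names
# whose field is not locked, skipping the names given as arguments (root
# and the real users who are supposed to log in).  Anything printed is a
# system account that still accepts a password and needs attention.
unlocked_accounts() {
    allowed=" $* "
    while IFS=: read -r login pw _rest; do
        case "$allowed" in *" $login "*) continue ;; esac
        if [ "$(classify_pw "$pw")" != locked ]; then
            echo "$login"
        fi
    done
}

# Typical use on a host (constructed names):
#   unlocked_accounts root alice bob < /etc/shadow
```

Run from a cfengine shellcommands action with the site’s real users as arguments, an empty result is the expected state; a non-empty one points at an account that was added or unlocked outside the passwd files kept in the repository.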
Applying Patches and Vendor Updates
shellcommands Enterprise systems fully patched and up to date:
Red Hat: /usr/bin/yum upgrade
cedure,
-
- restored
At the time of this writing, we recommend Live Upgrade and look forward to developing a proper automated mechanism for the third edition of this book.
Shutting Down Unneeded Daemons
that accept network connections are like a door into your systems. Those doors might be locked, but most doors—like many network-enabled daemons—can be forced open. If you don’t need the program, it should be shut down to reduce the overall exposure of your systems to network-based intrusion.
In this section, we will develop a task that shuts down a single service on each of the platforms in our example infrastructure to give you an example of how to do it on your
task in such a way that if the programs aren’t enabled, cfengine will do nothing
task at PROD/inputs/tasks/os/cf.kill_unwanted_services with these
dtlogin daemon handles graphical logins, which we don’t need on our server
xfs daemon is the X font server, also not needed on our server systems
-rience gained so far in this book, you shouldn’t have trouble working out how to shut
dtlogin daemon is shut down, via a process kill along with a disable of the start-up script
cf.kill_unwanted_services task to the cf.any hostgroup, checked in our changes, and updated the PROD tree on the cfengine master
Removing Unsafe Files
You
.cf-disabled extension and their permissions are set to 0400. In our example environ- workdir/backups), so the files are moved there for long-term storage
The inform=true entries will result in cfagent sending a message to standard output if and when it disables the files. This message will show up in cfexecd e-mails, as well as in
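An added example, not the book’s task: a shell rendering of the disable behaviour described above, moving a file into a backup directory under its name plus .cf-disabled, setting mode 0400 and printing a message like the inform=true one. The directory argument and the numbering used when an earlier copy already exists are choices made here:

```shell
#!/bin/sh
# Added example, not code from the book: the disable step in shell.  The
# file is moved into BACKUPS as <basename>.cf-disabled with mode 0400 and a
# message is printed; calling it again for an absent file does nothing.
set -u

# disable_file FILE BACKUPS: move FILE into BACKUPS as its basename plus
# .cf-disabled, read-only for the owner.  Returns 0 whether or not anything
# had to be done; prints the destination only when a file was moved.
disable_file() {
    file=$1
    backups=$2
    if [ ! -e "$file" ]; then
        return 0                     # already disabled or never present
    fi
    mkdir -p "$backups"
    target="$backups/$(basename "$file").cf-disabled"
    n=0
    # Keep earlier copies as evidence instead of overwriting them: .1, .2, ...
    while [ -e "$target" ]; do
        n=$((n + 1))
        target="$backups/$(basename "$file").cf-disabled.$n"
    done
    mv "$file" "$target"
    chmod 0400 "$target"
    echo "disabled $file -> $target"
}

# mode_of FILE: the permission string from ls -l, e.g. -r--------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Typical use (constructed path):  disable_file /home/someone/.rhosts /var/cfengine/backups
```

The read-only mode and the retained copy are the point: the file is out of the way immediately, but what it contained is still available when the cfexecd mail prompts someone to look at why it was there.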