8.1 – Creating a shared group directory
1. On any virtual machine, create the sales group:
sudo groupadd sales
2. Create the users mimi, mrgray, and mommy, adding them to the sales group as you create the accounts.
On CentOS or AlmaLinux, do this:
sudo useradd -G sales mimi
sudo useradd -G sales mrgray
sudo useradd -G sales mommy
4. Create the sales directory in the root level of the filesystem. Set proper ownership and permissions,
including the SGID and sticky bits:
sudo mkdir /sales
sudo chown nobody:sales /sales
sudo chmod 3770 /sales
ls -ld /sales
5. Log in as Mimi, and have her create a file:
su - mimi
cd /sales
echo "This file belongs to Mimi." > mimi_file.txt
ls -l
6. Have Mimi set an ACL on her file, allowing only Mr. Gray to read it. Then, have Mimi log back out:
chmod 600 mimi_file.txt
setfacl -m u:mrgray:r mimi_file.txt
getfacl mimi_file.txt
ls -l
exit
7. Have Mr. Gray log in to see what he can do with Mimi’s file. Then, have Mr. Gray create his own file and log back out:
su - mrgray
cd /sales
cat mimi_file.txt
echo "I want to add something to this file." >> mimi_file.txt
echo "Mr. Gray will now create his own file." > mr_gray_file.txt
Security Strategies in Linux Platforms and Applications – Lab manual
ls -l
exit
8. Mommy will now log in and try to wreak havoc by snooping in other users’ files
and by trying to delete them:
su - mommy
cat mimi_file.txt
cat mr_gray_file.txt
rm -f mimi_file.txt
rm -f mr_gray_file.txt
exit
9. End of lab.
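The ACL Mimi sets in step 6 only grants what the file's mask entry lets through, and a later chmod on a file that carries an ACL rewrites that mask rather than the owning-group entry (the "+" and the group column that ls -l shows in step 6 are the mask, not group::). The script below is an example added here, not part of the lab manual: a pure-shell model that parses getfacl-style text and shows both effects. The sample ACL text is constructed to match what getfacl prints after step 6, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the lab manual): a shell model of how a POSIX ACL
# mask entry and chmod interact on a file like mimi_file.txt.  It only
# parses getfacl-style text; nothing here touches the real filesystem.

# Constructed sample: what getfacl prints for mimi_file.txt after step 6
# ("chmod 600", then "setfacl -m u:mrgray:r").
SAMPLE_ACL='# file: mimi_file.txt
# owner: mimi
# group: sales
user::rw-
user:mrgray:r--
group::---
mask::r--
other::---'

# octal_to_rwx DIGIT: one octal permission digit (0-7) -> "rwx" form.
octal_to_rwx() {
    d=$1; out=""
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# rwx_and A B: bitwise AND of two "rwx" strings (how a mask is applied).
rwx_and() {
    a=$1; b=$2; out=""
    while [ -n "$a" ]; do
        ra=${a#?}; ca=${a%"$ra"}; a=$ra
        rb=${b#?}; cb=${b%"$rb"}; b=$rb
        if [ "$ca" != "-" ] && [ "$ca" = "$cb" ]; then out="$out$ca"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# acl_effective TAG NAME   (getfacl text on stdin)
# Prints what the entry TAG:NAME actually grants.  Named users, named groups
# and the owning group are ANDed with mask::; the owner (user::) and other::
# are never masked (see acl(5)).
acl_effective() {
    want_tag=$1; want_name=$2; mask=""; found=""
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        tag=${line%%:*}; rest=${line#*:}
        name=${rest%%:*}; perms=${rest#*:}
        perms=${perms%%[[:space:]]*}        # drop any "#effective:" annotation
        if [ "$tag" = mask ]; then mask=$perms; fi
        if [ "$tag" = "$want_tag" ] && [ "$name" = "$want_name" ]; then
            found=$perms
        fi
    done
    if [ -z "$found" ]; then printf '%s' '---'; return 1; fi
    case "$want_tag:$want_name" in
        user:|other:) printf '%s' "$found" ;;
        *) if [ -n "$mask" ]; then rwx_and "$found" "$mask"; else printf '%s' "$found"; fi ;;
    esac
}

# acl_after_chmod MODE   (getfacl text on stdin)
# Rewrites the ACL the way chmod(2) does when the file already has an ACL:
# owner bits -> user::, other bits -> other::, and the GROUP bits -> mask::
# when a mask entry exists (group:: is left untouched), otherwise -> group::.
acl_after_chmod() {
    mode=$(( 0$1 ))                          # leading 0: read MODE as octal
    u=$(octal_to_rwx $(( (mode >> 6) & 7 )))
    g=$(octal_to_rwx $(( (mode >> 3) & 7 )))
    o=$(octal_to_rwx $(( mode & 7 )))
    text=$(cat); has_mask=0
    case "$text" in *mask::*) has_mask=1 ;; esac
    printf '%s\n' "$text" | while IFS= read -r line; do
        case "$line" in ''|'#'*) printf '%s\n' "$line"; continue ;; esac
        tag=${line%%:*}; rest=${line#*:}; name=${rest%%:*}
        case "$tag:$name" in
            user:)  printf 'user::%s\n' "$u" ;;
            other:) printf 'other::%s\n' "$o" ;;
            mask:)  printf 'mask::%s\n' "$g" ;;
            group:) if [ "$has_mask" -eq 1 ]; then printf '%s\n' "$line"
                    else printf 'group::%s\n' "$g"; fi ;;
            *)      printf '%s\n' "$line" ;;
        esac
    done
}

# Worked run: Mr. Gray's effective access right after step 6, then after a
# hypothetical later "chmod 600" by Mimi, which silently clears the mask.
demo() {
    printf 'after setfacl:   mrgray -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_ACL" | acl_effective user mrgray)"
    after=$(printf '%s\n' "$SAMPLE_ACL" | acl_after_chmod 600)
    printf 'after chmod 600: mrgray -> %s (mask:: is now %s)\n' \
        "$(printf '%s\n' "$after" | acl_effective user mrgray)" \
        "$(printf '%s\n' "$after" | acl_effective mask '')"
}
demo
```

The order in step 6 (chmod first, setfacl second) is therefore the safe one. If Mimi ever runs chmod 600 again after setting the ACL, getfacl will still list user:mrgray:r-- but annotate it "#effective:---", and Mr. Gray's read access is gone; check with getfacl, not ls -l, when an ACL does not seem to work.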
8.2 – SELinux type enforcement
1. Install Apache, along with all the required SELinux tools on CentOS 7:
sudo yum install httpd setroubleshoot setools policycoreutils policycoreutils-python
2. Activate setroubleshoot by restarting the auditd service (on CentOS 7, auditd refuses manual restarts through systemctl, so use the service command):
sudo service auditd restart
3. Enable and start the Apache service and open port 80 on the firewall:
sudo systemctl enable --now httpd
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
4. In the /var/www/html/ directory, create an index.html file with the following contents:
<html>
<head>
<title>SELinux Test Page</title>
</head>
<body>
This is a test of SELinux.
</body>
</html>
5. View the SELinux security context of the index.html file (the -Z switch adds the context column):
ls -Z index.html
6. In your host machine’s web browser, navigate to the IP address of the CentOS virtual machine. You should be able to view the page.
7. Induce an SELinux violation by changing the type of the index.html file to something that’s incorrect:
sudo chcon -t tmp_t index.html
ls -Z index.html
8. Go back to your host machine’s web browser and reload the document. You should now see a Forbidden message.
9. Use restorecon to change the file back to the type that the file-context rules for /var/www/html/ specify:
sudo restorecon index.html
10. Reload the page in your host machine’s web browser. You should now be able to view the page.
11. End of lab.
9.1 – SELinux Booleans and ports
In this lab, you’ll view the effects of having Apache try to listen on an unauthorized port:
1. View the ports that SELinux allows the Apache web server daemon to use:
sudo semanage port -l | grep 'http'
2. Open the /etc/httpd/conf/httpd.conf file in your favorite text editor. Find the line that says Listen 80 and change it to Listen 82. Restart Apache by entering the following:
sudo systemctl restart httpd
3. View the error message you receive by entering:
sudo tail -20 /var/log/messages
4. Add port 82 to the list of ports labeled http_port_t and restart Apache (semanage takes the options first and the port number last):
sudo semanage port -a -t http_port_t -p tcp 82
sudo semanage port -l | grep 'http'
sudo systemctl restart httpd
5. Delete the port label that you just added (the port subcommand is required here too):
sudo semanage port -d -t http_port_t -p tcp 82
6. Go back into the /etc/httpd/conf/httpd.conf file and change Listen 82 back to Listen 80. Restart the Apache daemon to return to normal operation.
7. End of lab.
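Both denials in labs 8.2 and 9.1 land in the audit log as AVC records, and the port denial is resolved by checking the labeled port list that step 1 prints. The script below is an example added here, not part of the lab manual: a pair of pure-shell triage helpers that summarise an AVC record (source type, target type, object class, and the file name or port involved) and test whether a port falls inside a type's labeled list, including the lo-hi ranges semanage prints. The two AVC records, their PIDs and inode numbers, and the semanage excerpt are constructed samples in the formats auditd and semanage use; nothing here queries a live policy, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the lab manual): triage helpers for the two SELinux
# denials these labs provoke.  All input is constructed inline; nothing here
# queries a live SELinux policy.

# Constructed AVC records in the format auditd writes.  The first has the
# shape of the lab 8.2 denial (index.html relabelled tmp_t), the second the
# shape of the lab 9.1 denial (httpd binding tcp/82, which the default policy
# labels reserved_port_t).
AVC_FILE='type=AVC msg=audit(1700000000.101:301): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=0'
AVC_PORT='type=AVC msg=audit(1700000000.202:302): avc:  denied  { name_bind } for  pid=2388 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0'

# Constructed excerpt of "semanage port -l" for the http_* types.
PORT_LIST='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# avc_field RECORD KEY: value of " KEY=..." in an AVC record, quotes stripped.
avc_field() {
    rec=$1; key=$2
    case "$rec" in
        *" $key="*) v=${rec#*" $key="}; v=${v%%[[:space:]]*}
                    v=${v#\"}; v=${v%\"}; printf '%s' "$v" ;;
        *) return 1 ;;
    esac
}

# ctx_type CONTEXT: the type (third field) of user:role:type:level.
ctx_type() {
    c=$1; c=${c#*:}; c=${c#*:}; printf '%s' "${c%%:*}"
}

# avc_summary RECORD: "COMM PERM SRC_TYPE -> TGT_TYPE (TCLASS, name|port X)"
avc_summary() {
    rec=$1
    comm=$(avc_field "$rec" comm)
    perm=${rec#*"{ "}; perm=${perm%%" }"*}
    st=$(ctx_type "$(avc_field "$rec" scontext)")
    tt=$(ctx_type "$(avc_field "$rec" tcontext)")
    tc=$(avc_field "$rec" tclass)
    extra=""
    case "$tc" in
        tcp_socket|udp_socket) extra=", port $(avc_field "$rec" src)" ;;
        file|dir|lnk_file)     extra=", name $(avc_field "$rec" name)" ;;
    esac
    printf '%s %s %s -> %s (%s%s)\n' "$comm" "$perm" "$st" "$tt" "$tc" "$extra"
}

# port_allowed TYPE PROTO PORT   ("semanage port -l" text on stdin)
# Returns 0 if PORT is in TYPE's PROTO list, handling "lo-hi" ranges.
port_allowed() {
    want_type=$1; want_proto=$2; port=$3
    while read -r t p rest; do
        [ "$t" = "$want_type" ] && [ "$p" = "$want_proto" ] || continue
        for item in $(printf '%s' "$rest" | tr ',' ' '); do
            case "$item" in
                *-*) lo=${item%-*}; hi=${item#*-}
                     [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
                *)   [ "$item" -eq "$port" ] && return 0 ;;
            esac
        done
    done
    return 1
}

# Worked run over the constructed samples.
demo() {
    avc_summary "$AVC_FILE"
    avc_summary "$AVC_PORT"
    for p in 80 82 8443; do
        if printf '%s\n' "$PORT_LIST" | port_allowed http_port_t tcp "$p"; then
            printf 'tcp/%s is labelled http_port_t\n' "$p"
        else
            printf 'tcp/%s is not http_port_t; fix: semanage port -a -t http_port_t -p tcp %s\n' "$p" "$p"
        fi
    done
}
demo
```

On the real machine, feed it `grep AVC /var/log/audit/audit.log` rather than /var/log/messages: the messages file holds setroubleshoot's interpretation, the audit log holds the raw record. The summary line tells you whether the fix is a label (restorecon, as in lab 8.2) or a port mapping (semanage port, as in lab 9.1); neither denial calls for a boolean or a custom module.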
9.2 – Troubleshooting an AppArmor profile
1. Install the AppArmor utilities and the extra profiles:
sudo apt install apparmor-utils apparmor-profiles apparmor-profiles-extra
2. Install Samba and verify that it’s running:
sudo apt install samba
sudo systemctl status smbd
sudo systemctl status nmbd
3. Set the two Samba profiles that the profile packages installed, usr.sbin.smbd and usr.sbin.nmbd, to enforce mode and try to restart Samba (aa-enforce accepts either the profile file name or the path of the confined program):
cd /etc/apparmor.d
sudo aa-enforce usr.sbin.smbd
sudo aa-enforce usr.sbin.nmbd
sudo systemctl restart smbd
4. Note that Samba should fail to restart. (It will take quite a while before it finally
errors out, so be patient.)
5. Look in the /var/log/syslog file for lines containing apparmor="DENIED" to see if you can spot the problem; each one names the profile, the operation, and the capability or path that was refused.
6. Edit the /etc/apparmor.d/usr.sbin.smbd file. In the capability stanza, add this line:
capability net_admin
7. At the bottom of the rules section, under the /var/spool/samba/** rw, line, add this line:
/run/systemd/notify rw,
8. Save the file and reload the policy:
sudo apparmor_parser -r usr.sbin.smbd
9. As before, try to restart the Samba service, and verify that it started properly:
sudo systemctl restart smbd
sudo systemctl status smbd
10. End of lab.
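Steps 5 to 7 are the manual form of what aa-logprof does: read the DENIED lines for a profile and write the rule that each one asks for. The script below is an example added here, not part of the lab manual or of the AppArmor tools. It parses audit lines of the shape the kernel emits (apparmor="DENIED" operation="..." profile="..." plus either capname="..." or name="..." and denied_mask="...") and prints one profile rule per distinct denial. The log excerpt is constructed: timestamps and PIDs are made up, the two smbd denials mirror the rules the lab adds, and the secrets.tdb event and the nmbd complain-mode line are added to exercise the mask handling and the profile filter. The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the lab manual): derive AppArmor profile rules from
# DENIED audit lines, roughly what aa-logprof does interactively.  The log
# excerpt is constructed in the shape of the kernel's apparmor= audit
# records; timestamps, PIDs and the secrets.tdb event are made up.

LOG='Jan  1 10:00:01 host kernel: audit: type=1400 audit(1700000000.001:11): apparmor="DENIED" operation="capable" profile="/usr/sbin/smbd" pid=1201 comm="smbd" capability=12  capname="net_admin"
Jan  1 10:00:01 host kernel: audit: type=1400 audit(1700000000.002:12): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/run/systemd/notify" pid=1201 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jan  1 10:00:02 host kernel: audit: type=1400 audit(1700000000.003:13): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nmbd" name="/var/log/samba/log.nmbd" pid=1202 comm="nmbd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jan  1 10:00:03 host kernel: audit: type=1400 audit(1700000000.004:14): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/var/lib/samba/private/secrets.tdb" pid=1201 comm="smbd" requested_mask="wr" denied_mask="w" fsuid=0 ouid=0'

# aa_field LINE KEY: value of ' KEY="..."' or ' KEY=...' in an audit line.
# (Paths containing spaces are not handled; the kernel escapes those.)
aa_field() {
    l=$1; k=$2
    case "$l" in
        *" $k="*) v=${l#*" $k="}; v=${v%%[[:space:]]*}
                  v=${v#\"}; v=${v%\"}; printf '%s' "$v" ;;
        *) return 1 ;;
    esac
}

# mask_to_perms MASK: denied_mask letters -> profile permission letters in
# AppArmor's usual order.  Create ("c") needs "w"; append ("a") needs "a"
# unless "w" is already granted, which subsumes it.
mask_to_perms() {
    m=$1; out=""
    case "$m" in *r*) out="${out}r" ;; esac
    case "$m" in *w*|*c*) out="${out}w" ;; *a*) out="${out}a" ;; esac
    case "$m" in *k*) out="${out}k" ;; esac
    case "$m" in *l*) out="${out}l" ;; esac
    case "$m" in *m*) out="${out}m" ;; esac
    printf '%s' "$out"
}

# suggest_rules PROFILE   (syslog text on stdin)
# Prints one rule per distinct DENIED event for PROFILE.  Lines marked
# ALLOWED (complain mode) and events for other profiles are ignored.
suggest_rules() {
    want=$1
    while IFS= read -r line; do
        case "$line" in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        [ "$(aa_field "$line" profile)" = "$want" ] || continue
        op=$(aa_field "$line" operation)
        case "$op" in
            capable) printf 'capability %s,\n' "$(aa_field "$line" capname)" ;;
            *)  name=$(aa_field "$line" name) || continue
                mask=$(aa_field "$line" denied_mask) || mask=$(aa_field "$line" requested_mask)
                printf '%s %s,\n' "$name" "$(mask_to_perms "$mask")" ;;
        esac
    done | LC_ALL=C sort -u
}

# Worked run: rules the constructed log asks for in the smbd profile.
printf '%s\n' "$LOG" | suggest_rules /usr/sbin/smbd
```

Run it against the real log with `grep 'apparmor="DENIED"' /var/log/syslog | sh this_script.sh` after replacing the constructed LOG with stdin, or simply paste the denied lines into LOG. Two points the lab glosses over: the denial for /run/systemd/notify only asks for w, so `/run/systemd/notify w,` is the least-privilege rule and the lab's `rw,` grants more than was requested; and a rule derived from one denial may be followed by another denial once the first is satisfied (Samba stops at the first refused operation), so repeat the restart, read the log, and edit the profile until the service stays up, then re-run `apparmor_parser -r` each time.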