CDOT Wiki β

Changes

OPS235 Assignment 2 OLD

8,530 bytes removed, 13:02, 27 November 2019
no edit summary
'''Old revision:'''
[[Category:OPS235]]
{{Admon/caution|Fall 2010 Version!|'''This is the Fall 2010 version of the assignment. Do not use the information on this page until the assignment has been updated for Winter 2011 and this banner has been removed.'''}}

'''New revision:'''
{{Admon/caution|THIS IS AN OLD VERSION OF THE ASSIGNMENT|'''This is an archived version of the assignment. Do not use the information on this page in your OPS235 course.'''}}

{{Admon/note|OPS235 Assignment Material May Appear on Tests and Exam|Doing your assignment is part of your ongoing learning process. As such you will be tested on this material in future tests and exams. If you have any questions or need help, please consult your instructor in a timely manner. The due date for this assignment will not be extended, as it must be marked in class. This assignment will be marked partially through demonstration and partially through the submission of files.}}

'''Old revision:'''
= OPS235 Assignment #2 -- Winter 2011 =
'''Weight:''' 5% of the overall grade
Due Date: Week 13 - week of April 11 ('''Check with your Professor for exact date''').
{{Admon/important|It is YOUR responsibility to Backup Your Configuration Files for this Assignment!|Before making any changes to your system configuration, backup the original configuration files into the <code>/backups</code> directory and use <code>git</code> to manage your changes.}}

'''New revision:'''
= OPS235 Assignment 2 =
'''Weight:''' 5% of the overall grade
'''Due Date:''' Week 13 <br />Refer to your instructor for submission instructions
{{Admon/important|It is YOUR responsibility to Backup your centos3 VM for this Assignment!|You are required to frequently backup your VM prior to exiting a work session during this assignment. Your instructor will NOT accept the fact that your hard disk crashed and lost all of your work. If you properly backed up your VM images and xml configuration files to a USB, then you can purchase a new hard-disk or wipe and recreate your hard disk and restore your VMs.}}<br>
== Introduction and Purpose ==
'''Old revision:'''
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a '''database server''' and a '''web server'''. You will install and use a database-backed web application, MediaWiki, to show that these services have been installed properly. Finally, you will configure the SELinux security system and the web server to serve files in the <code>public_html</code> subdirectory of each user's home directory, including a short web script. In this assignment, you will attempt to maintain a high level of security, by using SELinux and the iptables firewall to guard against unauthorized access. This lab may be performed using any combination of your virtual machines and/or host disk pack.

== About SELinux ==
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, regardless of settings that any user has configured.

SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:

 $ ls -lZ
 drwxr-xr-x. root  root  '''system_u:object_r:file_t:s0'''          arm
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' arm2
 drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' bin
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Desktop
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Documents
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Downloads
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora0.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora1.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora2.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0''' fedora3.ks
 -rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' foo
 -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' hosts
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Music
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Pictures
 drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' play
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Public
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Templates
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0''' Videos
 -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0''' x
 [chris@muskoka ~]$ ps -Z
 LABEL                                                  PID TTY          TIME CMD
 '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1    00:00:00 bash
 '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1    00:00:00 ps

The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.

=== SELinux Context Commands ===
There are two main commands used to set the SELinux security context of files:
# chcon - sets the security context of a file to a particular value
#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code>
#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code>
# restorecon - resets the default security context of a file
#* Example: reset the context of one file: <code>restorecon /etc/services</code>
#* Example: recursively reset the contexts of all of the files in a directory: <code>restorecon -R ~</code>
You can reset the default security context of your entire computer system at the next boot with this command:
 touch /.autorelabel

=== SELinux Booleans ===
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0). The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool ''foo''</code>
|Displays the SELinux boolean ''foo''
|-
|<code>setsebool ''foo'' ''value''</code>
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on")
|}

=== SELinux Graphical Tools ===
The ''system-config-selinux'' tool, which is on the menu as System>Administration>SELinux Management, provides a GUI for managing SELinux booleans and more.

'''New revision:'''
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a '''database server''' and a '''web server'''. You will install and use a database-backed web application, '''Wordpress''', to show that these services have been installed properly. You will also configure the SELinux security system and the web server to serve files in the <code>public_html</code> subdirectory of each user's home directory, including a short web script. In this assignment, you will attempt to maintain a high level of security, by using SELinux and the iptables firewall to guard against unauthorized access. This lab may be performed using any combination of your virtual machines and/or host disk pack.

'''NOTE: Do this assignment inside the centos3 virtual machine.'''
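The security-context format shown in the listing above (user:role:type:level) is what every SELinux decision is keyed on, and the most common reason httpd is denied access during an assignment like this one is a file under a web directory that carries the wrong ''type'': for example a file moved out of a home directory with <code>mv</code>, which keeps its original user_home_t label, where <code>cp</code> would have given it the destination directory's default. The Python below is an added example, not part of the assignment page: it parses <code>ls -lZ</code> lines of the shape shown above (and the two-column <code>ls -Z</code> shape) into their four components and lists entries whose type is not one httpd is allowed to serve or execute. The sample listing is constructed, and the allowed-type set is an assumption taken from the targeted policy's httpd types (see the httpd_selinux man page); <code>restorecon</code> or <code>chcon -t</code>, from the context-commands section above, is the fix for anything it flags.

```python
"""Audit SELinux file contexts in `ls -lZ` / `ls -Z` output.

Added example for this page (not part of the OPS235 assignment text). It splits
user:role:type:level labels and reports entries under a web directory whose
type is not one httpd may serve or execute. The sample listing and the
allowed-type set are constructed/assumed for illustration.
"""
from dataclasses import dataclass

# Types httpd may serve or execute under the targeted policy (assumed set, taken
# from httpd_selinux(8)). Anything else under /var/www or ~/public_html is a
# candidate for `restorecon` or an explicit `chcon -t`.
HTTPD_CONTENT_TYPES = frozenset({
    "httpd_sys_content_t",       # read-only site content
    "httpd_sys_rw_content_t",    # content httpd may also write
    "httpd_sys_script_exec_t",   # CGI scripts httpd may execute
    "httpd_user_content_t",      # ~/public_html content
    "httpd_user_script_exec_t",  # CGI scripts in ~/public_html
})


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # sensitivity, optionally with MCS categories, e.g. "s0-s0:c0.c1023"


def parse_context(label: str) -> Context:
    """Split an SELinux label into its four components.

    The level component may itself contain ':' (MCS category ranges), so split
    at most three times and keep the remainder intact.
    """
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a user:role:type:level label: {label!r}")
    return Context(*parts)


def parse_ls_z(listing: str):
    """Yield (name, Context) for each data line of `ls -lZ` or `ls -Z` output.

    Handles the five-column shape shown on this page (mode owner group context
    name) and the two-column `ls -Z` shape (context name). Prompt lines and
    'total' lines are skipped; names containing spaces are not supported.
    """
    for line in listing.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[0][0] in "-dlcbps":
            label, name = fields[3], fields[4]
        elif len(fields) == 2 and fields[0].count(":") >= 3:
            label, name = fields
        else:
            continue
        yield name, parse_context(label)


def find_mislabelled(listing: str, allowed=HTTPD_CONTENT_TYPES):
    """Return [(name, type)] for entries whose type is outside `allowed`."""
    return [(name, ctx.type) for name, ctx in parse_ls_z(listing)
            if ctx.type not in allowed]


# Constructed sample: what `ls -lZ /var/www/html` might show after one script
# was moved (not copied) from a home directory, so it kept its user_home_t label.
SAMPLE_LISTING = """\
$ ls -lZ /var/www/html
-rw-r--r--. root  root  system_u:object_r:httpd_sys_content_t:s0     index.html
-rwxr-xr-x. root  root  system_u:object_r:httpd_sys_script_exec_t:s0 hello.cgi
-rwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0         diskfree.cgi
"""

if __name__ == "__main__":
    for name, typ in find_mislabelled(SAMPLE_LISTING):
        print(f"{name}: type {typ} is not an httpd content type; "
              f"run 'restorecon -v {name}' or set the type with chcon -t")
```

Run over the sample, it reports only diskfree.cgi; the two files labelled with httpd types pass. Splitting the label with a limit of three is deliberate: a process label such as the bash entry in the <code>ps -Z</code> output above has a level of <code>s0-s0:c0.c1023</code>, which a naive split on every colon would break into extra fields.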
'''Old revision:'''
{{Admon/note|Takes Notes!|Take detailed notes of the steps you perform from this point onward -- you will need them for the wiki pages you will create later.}}
== Installing Packages ==
Install these packages using ''yum'':
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.
* '''php''' - this is the PHP server software. It provides the '''php''' capabilities to the web server and wiki.
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket and TCP port 3306 by default.
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a database such as MySQL locally or on other servers.

'''New revision:'''
== Installing Packages ==
<u>Install these packages using ''yum''</u>
* '''httpd''' - this is the Apache web server software.
* '''php''' - this is the PHP server software, which allows Apache to run more complex websites.
* '''php-mysql''' - this is a PHP extension that allows PHP to use a MySQL server.
'''Old revision:'''
== Configuring Services ==
=== Apache httpd ===
# Start the httpd service using the '''service''' command.
# Confirm that you can connect to your web server using a web browser - both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.
# Configure this software to start when the system is booted.
# Create a very simple HTML index page for your system and place it at <code>/var/www/html/index.html</code>
# Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in <code>/var/log/httpd</code>
=== MySQL ===
# Start the MySQL service (mysqld).
# '''When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the MySQL server.''' Follow those instructions to set a password, recording the detail of what you do for later use.
# Configure this software to start when the system is booted.

'''New revision:'''
<u>Install the '''mysql-server''' (MySQL database server) package</u>
'''NOTE:''' This package may not be in the main repository. There are a couple of options:
:*'''Preferred method:''' Use an alternative package (for example: '''mariadb''' and '''mariadb-server''')
:* Download a "zipped tarball" from the website (google-search), decompress, and compile
== Configuring Apache ==
# Start the httpd service using '''systemctl'''.
# Ensure that the httpd service starts automatically during boot.
# Confirm that you can connect to your web server using a web browser -- both from centos3 (you can test using '''links''') as well as from the host. You should see the Apache Test Page.
# If you can't connect to it from outside the machine, perhaps your firewall is blocking access to the web server.
'''Old revision:'''
=== MediaWiki ===
# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code>
#* Uncomment the first two <code>Alias</code> lines
#* Reload the httpd configuration using the <code>service</code> command
# Access <code>http://localhost/wiki</code> on the machine on which the web server is running (this will not work if done remotely, unless you use an ssh tunnel so that the access appears to be coming from the local host). You will see the MediaWiki welcome page; click on the setup link.
# Enter the setup information for your wiki:
#* Enter a name for the wiki
#* Enter your e-mail address as the contact information
#* Disable all e-mail features
#* Leave the database host as "localhost"
#* Set up a database
#* Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password)
# Click the "Install MediaWiki!" button
# Once the setup is complete, you will need to move a file within the MediaWiki directory (inside <code>/var/www</code>). Refer to the directions in the confirmation web page.
When you are done, you should be able to go to <code>http://'''hostname'''/wiki</code> from any directly-connected machine.

'''New revision:'''
== Configuring MySQL ==
# Start the MySQL service (mysqld or mariadb) using '''systemctl'''.
# Ensure that the mysqld/mariadb service starts automatically during boot.
# You may get messages after starting the MySQL service for the first time. Do not ignore these messages; they will tell you how to set a password and take other basic steps to secure the MySQL server.
# Follow those instructions to set a password, recording the detail of what you do for later use.
# If you do not see any messages, research how you can secure the MySQL installation and set the MySQL root password.
# Read those messages carefully: you are setting up a production MySQL server and there shouldn't be any "test" databases or anonymous users or users without a password.
# Set your MySQL root password to your learn ID (without the @senecac.on.ca part).
# The following part is challenging, so take your time and read the instructions to make sure you do it properly; we have to set up a dedicated user and database for wordpress:
## Start by looking at http://codex.wordpress.org/Installing_WordPress#Using_the_MySQL_Client where you will find instructions for the setup.
## You will need to run those commands in the centos3 terminal.
## Your adminusername is root
## Your databasename is myblog
## Your wordpressusername is your learn ID
## The password should also be your learn ID
## Your hostname is localhost
== Installing and Configuring Wordpress ==
'''Old revision:'''
=== Serving Personal Web Pages ===
# Configure httpd to serve the <code>~/public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
# Prove that this works by creating a page in your <code>~/public_html</code> directory. The URL will be <code>http://''hostname''/~''your-user-id''/</code>
# Create a short web script which displays the available disk space on the computer. At its most basic level, a web script is the same as a regular script, with this additional requirement:
#* It must output "Content-type: text/plain" or "Content-type: text/html" (depending on whether the script output is plain text or HTML), followed by a blank line
# Name the script <code>~/public_html/diskfree.cgi</code> - The URL will be <code>http://''hostname''/~''your-user-id''/diskfree.cgi</code>
# Configure httpd and SELinux to allow your script to be run from the web. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration (possibly including both booleans and SELinux context). As with step 1, see the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
{{Admon/tip|Hint|Look for an "add-handler" line in your httpd.conf file.}}

'''New revision:'''
Wordpress (like most web applications) is not available in the Fedora repositories; it must be downloaded and installed manually.
# Download the latest .tar.gz version from wordpress.org into centos3 (use wget).
# Extract it into '''/var/www/html'''
# Now we need to allow Apache to modify the wordpress installation. To do this use chown -R to make the owner and group of every file and directory inside wordpress "apache".
# Check your work so far by pointing your web browser to http://centos3/wordpress/ where you will get an error starting with "There doesn't seem to be a wp-config.php file"
# Copy the wp-config-sample.php file to wp-config.php and edit the new file:
#* Change the lines DB_NAME, DB_USER, DB_PASSWORD to the appropriate values.
# Now go back to http://centos3/wordpress/ and you should see a Wordpress Welcome/Setup page.
#* Set the title to Your Name's Blog. For example for me it would be "Andrew Smith's Blog"
#* Set the password to your learn ID.
#* Set the email to your Seneca email address.
#* Click "Install Wordpress"; you should see a "Success!" message.
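The one rule the assignment states for a web script is that it must emit a Content-type header and then a blank line before any output. The Python below is an added example of the disk-free script those steps describe, not code from the assignment page: it builds the complete CGI response as a string so it can be checked without a web server, takes the free-space figures from <code>shutil.disk_usage()</code> rather than spawning <code>df</code> through a shell, and deliberately does not let the request choose which path is reported. The mount point and the output layout are assumptions of this example.

```python
#!/usr/bin/env python3
"""Minimal disk-free CGI script (added example, not the assignment's own code).

Emits the Content-type header and blank line the assignment requires, then a
plain-text summary of the free space on one filesystem. Disk usage comes from
shutil.disk_usage(), so no shell command is run and no request input reaches
the operating system. Mount point and layout are this example's assumptions.
"""
import shutil
import sys

HEADER = "Content-type: text/plain\n\n"   # header block, then the mandatory blank line
GIB = 1024 ** 3


def render_diskfree(path: str = "/") -> str:
    """Return the complete CGI response (header + body) for the filesystem holding `path`."""
    usage = shutil.disk_usage(path)        # named tuple: total, used, free (bytes)
    body = (
        f"Filesystem containing {path}\n"
        f"  total: {usage.total / GIB:8.2f} GiB\n"
        f"  used:  {usage.used / GIB:8.2f} GiB\n"
        f"  free:  {usage.free / GIB:8.2f} GiB\n"
    )
    return HEADER + body


def main() -> None:
    # The path is fixed here on purpose: a CGI script should not take a
    # filesystem path from QUERY_STRING or any other request-controlled input.
    sys.stdout.write(render_diskfree("/"))


if __name__ == "__main__":
    main()
```

Installed as <code>~/public_html/diskfree.cgi</code> and made executable, it needs the httpd.conf and SELinux changes the steps above describe before httpd will run it; the header line is what the web server uses to build the HTTP response, so if it is missing or the blank line is absent the server reports a malformed-header error rather than serving the text.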
== Write-up ==
'''Old revision:'''
Create a high-quality write-up of this assignment on your wiki. '''Describe in detail exactly what you did to set up each component'''. Include at least these pages:
# A main page, describing in general terms what you did and containing links to the other wiki pages, as well as a link to the page and the script in your <code>~/public_html</code> directory.
# A page for your httpd configuration. Along with a description, include the exact text of your httpd.conf file.
# A page for your MySQL configuration. Along with a description, include the details of the steps you performed to set up MySQL.
# A page for your SELinux configuration. Along with a description, include a list of all of your booleans and their current settings. Show that the configuration is as tight as possible (e.g., don't change booleans unnecessarily).
# A page for your MediaWiki configuration. Along with a description, include your MediaWiki configuration file.
# A page for your iptables configuration. Show the exact iptables rules that are in effect. Demonstrate that the configuration is as tight as possible (for example, test access to other services, and include the results of those tests in the wiki page).
The easiest way to create a new page is to create a link to it from an existing page (such as the main page), and then follow that link.

'''Write well and be creative:'''
* Make sure your spelling and grammar are correct (they count!)
* Present the pages attractively, and take advantage of graphics, colour, and fonts as appropriate -- for example, you may want to highlight the changes that you made in the configuration files using '''bold''' print, use outline numbering, divide the pages into easy-to-navigate sections, or use colour to show the <span style="color:orange">commands you typed</span> and <span style="color:green">what the system displayed in response</span>.
* Stick to the important information - avoid including excessive text which doesn't add to the content that you are presenting (remember, your professor will be reading hundreds of wiki pages while marking!)
Resources on wiki markup:
* [http://en.wikipedia.org/wiki/Help:Wiki_markup Wiki markup] - Wikipedia
* [[Sandbox|Sandbox page on this wiki]] - examples
{{Admon/tip|Bonus Opportunity!|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or it is a picture you own).}}

'''New revision:'''
Write a blog post on your new blog explaining:
* What Apache, PHP and Wordpress are.
* What problems (minor and major) you ran into during the installation and how you solved them.
'''Write a second post on your blog explaining:'''
* Whether you are ready for the exam or not.
* List the material you are strong on.
* List the material that you are worried about.
* List any questions or topics you would like me to address during exam review.
'''Make your posts look professional. That means use good English, headings, bullet or numbered lists, etc.'''
== Submitting Your Assignment ==
'''Old revision:'''
== Submitting the Assignment ==
Your professor will require you to submit this assignment in at least one of two ways:
# Demonstrate that the wiki is working.
# Use wget to harvest the wiki pages
#* Make sure all of the <code><nowiki>http://</nowiki></code>-style links (for the wiki image, the link to diskfree.cgi, and so forth) use the same hostname (don't use "localhost" for one and "f13host" for another, for example).
#* Issue the command: <code>wget -prk http://''hostname''/wiki</code> -- where ''hostname'' matches the hostname used in the <code><nowiki>http://</nowiki></code> links in your wiki pages
#* Create a compressed tar file containing the results (name the file <learnid>-a2.tgz).
#* Check the tar file to see that it contains everything necessary to view your site (in particular, check that all needed image files are included). Do not edit the files in the tar archive -- if changes are needed, modify your wiki, and then repeat the <code>wget</code> and <code>tar</code> steps above.
#* Submit the tar file to your professor in the manner he specifies.
=== Section A - Raymond Chan ===
* See your professor for submission instructions and due date.
=== Sections B & C - Brian Gray ===
* See your professor for submission instructions and due date.
=== Sections D, E & F - Murray Saul ===
* See your professor for submission instructions and due date.
=== Section G - Chris Tyler ===
== Assessment ==
* 50% - completion of steps - quality of configuration, iptables and SELinux configuration as tight as possible
* 50% - documentation on the wiki - quality of writing, quality of presentation, and accuracy and completeness of information
* +5% - bonus for replacing the wiki logo

'''New revision:'''
'''Due date:''' Your name will be called in the lab on the due date for the assignment. If you are not there when your name is called, you will lose 20% of your mark. In that case you may show me your submission in the second lab that week instead. Assignments submitted after that will receive a grade of 0, but must still be completed satisfactorily in order to pass the course.
=== Ready to show ===
Open one or more terminals in c7host, SSH to centos3 from those terminals, and have the following ready:
* The correct RPMs are installed
* Output showing the firewall has been properly set up
* Output of <code>chkconfig --list mysqld</code>
* Output of <code>chkconfig --list httpd</code>
* MySQL output of <code>show databases; use mysql; select User, Password from user; use myblog; show tables;</code>
* Output of <code>ls -la /var/www/html/wordpress/</code>
* Output of <code>head -30 /var/www/html/wordpress/wp-config.php</code>
* Open firefox with http://centos3/wordpress/
=== Rubric ===
{| class="wikitable" border="1"
! Task !! Maximum mark !! Actual mark
|-
| Correct packages installed || 1 ||
|-
| Firewall setup properly || 2 ||
|-
| Apache set up and running || 2 ||
|-
| MySQL set up correctly || 3 ||
|-
| Wordpress extracted correctly || 1 ||
|-
| Wordpress set up correctly || 2 ||
|-
| Wordpress showing in Firefox || 1 ||
|-
| Everything ready to show || 2 ||
|-
| First blog post || 3 ||
|-
| Second blog post || 3 ||
|-
| '''Total''' || 20 ||
|}
[[Category:OPS235]]