Changes


OPS235 Assignment 2 OLD

7,852 bytes removed, 13:02, 27 November 2019
no edit summary
{{Admon/caution|THIS IS AN OLD VERSION OF THE ASSIGNMENT|'''This is an archived version. Do not use this in your OPS235 course.'''}}
= OPS235 Assignment 2 =
'''Weight: ''' 5% of the overall grade
'''Due Date: 8th of August at the start of class''' Week 13 <br />Refer to your instructor for submission instructions
'''Revision as of 13:02, 27 November 2019 (current text of this page):'''

{{Admon/important|It is YOUR responsibility to Backup your centos3 VM for this Assignment!|You are required to frequently back up your VM prior to exiting a work session during this assignment. Your instructor will NOT accept the fact that your hard disk crashed and lost all of your work. If you properly backed up your VM images and xml configuration files to USB, then you can purchase a new hard-disk or wipe and recreate your hard disk and restore your VMs.}}<br>
== Introduction and Purpose ==
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a '''database server''' and a '''web server'''. You will install and use a database-backed web application, '''Wordpress''', to show that these services have been installed properly. You will also configure the '''SELinux''' security system to further enhance the security of your computer system.
'''NOTE: Do this assignment inside the centos3 virtual machine.'''
== Installing Packages ==
<u>Install these packages using ''yum''</u>
* '''httpd''' - this is the Apache web server software.
* '''php''' - this is the PHP server software, which allows Apache to run more complex websites.
* '''php-mysql''' - this is a PHP extension that allows PHP to use a MySQL server.
<u>Install the '''mysql-server''' (MySQL database server) package</u>
'''NOTE:''' This package may not be in the main repository. There are a couple of options:
:* '''Preferred method:''' Use an alternative package (for example: '''mariadb''' and '''mariadb-server''')
:* Download a "zipped tar-ball" from a website (google-search), decompress, and compile
== Configuring Apache ==
# Start the httpd service using '''systemctl'''.
# Ensure that the httpd service starts automatically during boot.
# Confirm that you can connect to your web server using a web browser -- both from centos3 (you can test using '''links''') as well as from the host. You should see the Apache Test Page.
# If you can't connect to it from outside the machine, perhaps your firewall is blocking access to the web server.
== Configuring MySQL ==
# Start the MySQL service (mysqld or mariadb) using '''systemctl'''.
# Ensure that the mysqld/mariadb service starts automatically during boot.
# You may get messages after starting the MySQL service for the first time. Do not ignore these messages: they tell you how to set a password and take other basic steps to secure the MySQL server. Follow those instructions to set a password, recording the details of what you do for later use.
#* If you do not see any messages, research how you can secure the MySQL installation and set the MySQL root password.
#* Read those messages carefully: you are setting up a production MySQL server and there shouldn't be any "test" databases, anonymous users, or users without a password.
# Set your MySQL root password to your learn ID (without the @senecac.on.ca part).
# The following part is challenging, so take your time and read the instructions to make sure you do it properly. We have to set up a dedicated user and database for Wordpress:
## Start by looking at http://codex.wordpress.org/Installing_WordPress#Using_the_MySQL_Client where you will find instructions for the setup.
## You will need to run those commands in a centos3 terminal.
## Your adminusername is root
## Your databasename is myblog
## Your wordpressusername is your learn ID
## The password should also be your learn ID
## Your hostname is localhost
== Installing and Configuring Wordpress ==
Wordpress (like most web applications) is not available in the Fedora repositories; it must be downloaded and installed manually.
# Download the latest .tar.gz version from wordpress.org into your centos3 (use wget).
# Extract it into '''/var/www/html'''.
# Now we need to allow Apache to modify the wordpress installation. To do this, use chown -R to make the owner and group of every file inside wordpress "apache".
# Check your work so far by pointing your web browser to http://centos3/wordpress/ where you will get an error starting with "There doesn't seem to be a wp-config.php file"
# Copy the wp-config-sample.php file to wp-config.php and edit the new file:
#* Change the DB_NAME, DB_USER, DB_PASSWORD to the appropriate values.
# Now go back to http://centos3/wordpress/ - you should see a Wordpress Welcome/Setup page
#* Set the title to Your Name's Blog. For example, for me it would be "Andrew Smith's Blog"
#* Set the password to your learn ID.
#* Set the email to your Seneca email address.
#* Click "Install Wordpress"; you should see a "Success!" message.
== Write up ==
Write a blog post on your new blog explaining:
* What Apache, PHP, MySQL, and Wordpress are.
* What problems (minor and major) you ran into during the installation and how you solved them.
Write a second post on your blog explaining:
* Are you ready for the exam or not.
* List the material you are strong on.
* List the material you are worried about.
* List any questions or topics you would like me to address during exam review.
'''Make your posts look professional. That means use good English, headings, bullet or numbered lists, etc.'''
== Submitting Your Assignment ==
'''Due date:''' Your name will be called in the lab on the due date for the assignment. If you are not there when your name is called, you will lose 20% of your mark. In that case you may show me your submission in the second lab that week instead. Assignments submitted after that will receive a grade of 0, but must still be completed satisfactorily in order to pass the course.
=== Ready to show ===
Open one or more terminals in c7host, SSH to centos3 from those terminals, and have the following ready:
* The correct RPMs are installed
* Output showing the firewall has been properly set up
* Output of chkconfig --list mysqld
* Output of chkconfig --list httpd
* MySQL output of: show databases; use mysql; select User,Password from user; use myblog; show tables;
* Output of ls -la /var/www/html/wordpress/
* Output of head -30 /var/www/html/wordpress/wp-config.php
* Open a firefox with http://centos3/wordpress/
=== Rubric ===
{| class="wikitable" border="1"
! Task !! Maximum mark !! Actual mark
|-
| Correct packages installed || 1 ||
|-
| Firewall setup properly || 2 ||
|-
| Apache set up and running || 2 ||
|-
| MySQL set up correctly || 3 ||
|-
| Wordpress extracted correctly || 1 ||
|-
| Wordpress set up correctly || 2 ||
|-
| Wordpress showing in Firefox || 1 ||
|-
| Everything ready to show || 2 ||
|-
| First blog post || 3 ||
|-
| Second blog post || 3 ||
|-
| Total || 20 ||
|}

'''Previous revision (the text this edit removed):'''

== Introduction and Purpose ==
In this assignment, you will demonstrate the skills you have learned to this point by configuring two services: a '''database server''' and a '''web server'''. You will install and use a database-backed web application, '''MediaWiki''', to show that these services have been installed properly. In this assignment you will attempt to maintain a high level of security by using the '''iptables''' firewall to guard against unauthorized access. You will also configure the '''SELinux''' security system to further enhance the security of your computer system.
'''NOTE: This assignment may be performed using any combination of your virtual machines and/or host disk pack.'''
== Required Tasks (ASSIGNMENT TOTAL: 70 Marks) ==
=== A. Installing Packages (Section Total: 8 Marks) ===
Install these packages using ''yum'':
* '''httpd''' - this is the Apache web server software. It provides the '''httpd''' service, which runs on port 80.
* '''php''' - this is the PHP server software. It provides the '''php''' capabilities to the web server and wiki.
* '''mysql-server''' - this is the MySQL database server. It provides the '''mysqld''' service, which runs on a Unix domain socket and TCP port 3306 by default.
* '''mediawiki''' - this is the wiki software used by this wiki, Wikipedia, and many other sites. It is a series of PHP scripts which are run by Apache httpd as requests are received, and it connects to a database such as MySQL locally or on other servers.
=== B. Configuring Services ===
==== httpd (Section Total: 10 Marks) ====
:# Start the httpd service using the '''systemctl''' (or '''service''') command.
:# Confirm that you can connect to your web server using a web browser -- both from the machine on which the server is running as well as from another machine on the same network. You should see a test page.
:# Configure this software to start when the system is booted using '''systemctl'''.
:# Create a very simple HTML index page for your system, and place it at <code>/var/www/html/index.html</code>
:# Confirm that you can view the index page. If not, adjust your iptables configuration as necessary, or check for errors in <code>/var/log/httpd</code>
==== MySQL (Section Total: 6 Marks) ====
:# Start the MySQL service (mysqld) using the '''systemctl''' (or '''service''') command.
:# '''When started for the first time, this service will print a message telling you how to set a password and take other basic steps to secure the MySQL server.''' Follow those instructions to set a password, recording the details of what you do for later use. '''If this message does not appear on the screen, look in <code>/var/log/httpd/messages</code>'''
:# Configure this software to start when the system is booted using '''systemctl'''.
==== MediaWiki (Section Total: 12 Marks) ====
:# Edit MediaWiki's httpd configuration file, <code>/etc/httpd/conf.d/mediawiki.conf</code>:
:#* Uncomment the first two <code>Alias</code> lines
:#* Reload the httpd configuration using the <code>service</code> command
:# Access <code>http://localhost/wiki</code> on the machine on which the web server is running (this will not work if done remotely, unless you use an ssh tunnel so that the access appears to be coming from the local host). You will see the MediaWiki welcome page; click on the setup link.
:# Enter the setup information for your wiki:
:#* Enter a name for the wiki
:#* Enter your learn e-mail address as the contact information
:#* Disable all e-mail features
:#* Leave the database host as "localhost"
:#* Set up a database password
:#* Get MediaWiki to set up the superuser account by checking the appropriate box and entering the superuser password ('''Note:''' This is the database superuser password, NOT the root password).
:# Click the "Install MediaWiki!" button.
:# Once the setup is complete, you will need to move a file within the MediaWiki directory (i.e. inside <code>/var/www/wiki</code>). Refer to the directions in the confirmation web page.
::'''NOTE:''' When you are done, you should be able to go to <code>http://''hostname''/wiki</code> from any directly-connected machine.
==== Serving Personal Web Pages (Section Total: 12 Marks) ====
:# Configure httpd to serve the <code>~/public_html</code> directories of your users. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration. See the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
:# Prove that this works by creating a page in your <code>~/public_html</code> directory. The URL will be <code>http://''hostname''/~''your-user-id''/</code>
:# Create a short web script which displays the available disk space on the computer. At its most basic level, a web script is the same as a regular script, with this additional requirement:
:#* It must output the line "Content-type: text/plain" or "Content-type: text/html" (depending on whether the script output is plain text or HTML), followed by a blank line.
:# Name the script <code>~/public_html/diskfree.cgi</code> - The URL will be <code>http://''hostname''/~''your-user-id''/diskfree.cgi</code>
:# Configure httpd to allow your script to be run from the web. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration (possibly including both booleans and SELinux context). As with step 1, see the man page for <code>httpd_selinux</code> and the Apache [http://httpd.apache.org/docs/2.2/ httpd documentation] for details.
{{Admon/tip|Hint|Look for an "add-handler" line in your httpd.conf file.}}
=== C. Write-up (Section Total: 12 Marks) ===
Create a high-quality write-up of this assignment on your wiki. '''Describe in detail exactly what you did to set up each component'''. Include at least these pages:
# A main page (page name Main Page), describing in general terms what you did and containing links to the other wiki pages, as well as a link to the page and the script in your <code>~/public_html</code> directory.
# A page for your httpd configuration (page name httpd_conf). Along with a description, include the exact text of your httpd.conf file.
# A page for your MySQL configuration (page name mysql_conf). Along with a description, include the details of the steps you performed to set up MySQL.
# A page for your MediaWiki configuration (page name mediawiki_conf). Along with a description, include your MediaWiki configuration file.
# A page for your iptables configuration (page name iptables_conf). Show the exact iptables rules that are in effect. Demonstrate that the configuration is as tight as possible (for example, test access to other services, and include the results of those tests in the wiki page).
# A page for the SELinux configuration (page name selinux_conf). Show the SELinux booleans and the context of your script file.
The easiest way to create a new page is to create a link to it from an existing page (such as the main page), and then follow that link.
'''Write well and be creative:'''
* Make sure your spelling and grammar are correct (they count!).
* Present the pages attractively, and take advantage of graphics, colour, and fonts as appropriate -- for example, you may want to highlight the changes that you made in the configuration files using '''bold''' print, use outline numbering, divide the pages into easy-to-navigate sections, or use colour to show the <span style="color:orange">commands you typed</span> and <span style="color:green">what the system displayed in response</span>.
* Stick to the important information - avoid including excessive text which doesn't add to the content that you are presenting (remember, your professor will be reading hundreds of wiki pages while marking!).
Resources on wiki markup:
* [http://en.wikipedia.org/wiki/Help:Wiki_markup Wiki markup] - Wikipedia
* [[Sandbox|Sandbox page on this wiki]] - examples
{{Admon/tip|Tip: Customizing your WIKI|Change the default icon in the upper-left corner of your MediaWiki installation to a picture of your choosing. Be sure that you have copyright clearance to use that image (e.g., it is licensed to you, or it is a picture you own).}}
=== D. Security with SELinux (10 Marks) ===
== About SELinux ==
SELinux stands for ''Security Enhanced Linux'' and is based on research performed at NSA and other locations. Where the normal Unix/Linux security system, based upon file permissions, is a ''discretionary access control'' system (DAC), SELinux is a ''mandatory access control'' system (MAC). This means that it attempts to enforce a consistent policy across the entire system, on top of the settings that any user has configured.
SELinux decisions are based on the ''security context'' of system resources such as files and processes. The security context consists of a user, role, type, and sensitivity component; you can see the security context of files and processes by adding the <code>-Z</code> option to the <code>ls</code> and <code>ps</code> commands:
 $ ls -lZ
 drwxr-xr-x. root  root  '''system_u:object_r:file_t:s0'''                 arm
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        arm2
 drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        bin
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        Desktop
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        Documents
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        Downloads
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0'''        fedora0.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0'''        fedora1.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0'''        fedora2.ks
 -rw-------. chris chris '''unconfined_u:object_r:user_home_t:s0'''        fedora3.ks
 -rw-rw-r--. chris chris '''unconfined_u:object_r:user_home_t:s0'''        foo
 -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0'''        hosts
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        Music
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        Pictures
 drwxrwxr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        play
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        Public
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        Templates
 drwxr-xr-x. chris chris '''unconfined_u:object_r:user_home_t:s0'''        Videos
 -rw-r--r--. chris chris '''unconfined_u:object_r:user_home_t:s0'''        x
 [chris@muskoka ~]$ ps -Z
 LABEL                                                   PID TTY          TIME CMD
 '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2595 pts/1    00:00:00 bash
 '''unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023''' 2612 pts/1    00:00:00 ps
The SELinux policy controls the interactions between security contexts. For example, the policy may specify that the Apache httpd webserver cannot read files in <code>/etc</code>, so if an attacker finds a way to make httpd (or a script run by httpd) read a file in <code>/etc</code>, SELinux will recognize that this is not normal and will deny the access. Since this is done at the kernel level, httpd will get a "file not found" error, even though the file is present, and there is no way for httpd to work around that error.
=== SELinux Context Commands ===
There are two main commands used to set the SELinux security context of files:
# chcon - sets the security context of a file to a particular value
#* Example: setting the ''type'' of a file: <code>chcon -t ''unconfined_t'' ''/tmp/foo''</code>
#* Example: setting the user/role/type of a file: <code>chcon ''unconfined_u:object_r:user_home_t'' ''~/foo''</code>
# restorecon - resets the default security context of a file
#* Example: reset the context of one file: <code>restorecon /etc/services</code>
#* Example: recursively reset the contexts of all of the files in a directory: <code>restorecon -R ~</code>
You can reset the default security context of the entire system at the next boot with this command:
 touch /.autorelabel
=== SELinux Booleans ===
SELinux policy can be tuned (without writing an entirely new policy) through the use of ''booleans'' or option switches. Each boolean can have a value of on (1) or off (0).
The <code>getsebool</code> and <code>setsebool</code> commands can be used to view and set SELinux boolean values:
{|class="mediawiki sortable" border="1" cellspacing="0"
!Command
!Description
|-
|<code>getsebool -a</code>
|Displays all SELinux booleans
|-
|<code>getsebool ''foo''</code>
|Displays the SELinux boolean ''foo''
|-
|<code>setsebool ''foo'' ''value''</code>
|Sets the SELinux boolean ''foo'' to ''value'' (where ''value'' is 0 or "off", or 1 or "on"). Use the <code>-P</code> option to make the change permanent.
|}
 
=== SELinux Graphical Tools ===
 
The ''system-config-selinux'' tool, which is on the menu as System>Administration>SELinux Management, provides a GUI for managing SELinux booleans and more.
 
{{Admon/tip|Remember|Configure httpd and SELinux to allow your script to be run from the web. This will require changes to <code>/etc/httpd/conf/httpd.conf</code> as well as the SELinux configuration (possibly including both booleans and SELinux context).}}
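As an added example (not part of the assignment text), the following POSIX shell script turns the checks in this section into something you can run: it reads an <code>ls -Z</code>-style listing of a user's <code>public_html</code> directory and a <code>getsebool -a</code> listing, and prints the <code>chcon</code> and <code>setsebool -P</code> commands still needed before httpd may serve the pages and run the CGI script. The types <code>httpd_user_content_t</code> and <code>httpd_user_script_exec_t</code> and the booleans <code>httpd_enable_homedirs</code> and <code>httpd_enable_cgi</code> are taken from the <code>httpd_selinux</code> man page the section points to; the listing and boolean output embedded below are constructed sample data laid out like the <code>ls -lZ</code> listing above.

```shell
#!/bin/sh
# Added example: plan the SELinux fixes for ~/public_html from "ls -Z" and
# "getsebool -a" output. The sample data below is constructed, not captured.

# Types httpd needs under the targeted policy (see httpd_selinux(8)):
#   ordinary content -> httpd_user_content_t, CGI scripts -> httpd_user_script_exec_t
CONTENT_T='httpd_user_content_t'
SCRIPT_T='httpd_user_script_exec_t'
# Booleans that must be on for home-directory serving and CGI execution.
REQUIRED_BOOLS='httpd_enable_homedirs httpd_enable_cgi'

# Constructed "ls -lZ ~/public_html" output: mode user group context name
SAMPLE_LS='-rw-r--r--. chris chris unconfined_u:object_r:user_home_t:s0 index.html
-rwxr-xr-x. chris chris unconfined_u:object_r:user_home_t:s0 diskfree.cgi
-rw-r--r--. chris chris unconfined_u:object_r:httpd_user_content_t:s0 style.css'

# Constructed "getsebool -a" output (only the lines that matter here)
SAMPLE_BOOLS='httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_can_network_connect --> off'

# Print one "chcon -t" line per file whose type is not the one httpd needs.
# The type is the third colon-separated field of the context (user:role:type:level).
selinux_context_plan() {
    printf '%s\n' "$1" | while read -r mode user group ctx name; do
        [ -n "$name" ] || continue
        cur_type=$(printf '%s' "$ctx" | cut -d: -f3)
        case "$name" in
            *.cgi) want="$SCRIPT_T" ;;   # CGI scripts need the exec type
            *)     want="$CONTENT_T" ;;  # everything else is static content
        esac
        [ "$cur_type" = "$want" ] || printf 'chcon -t %s %s\n' "$want" "$name"
    done
}

# Print one "setsebool -P ... on" line per required boolean that is not on.
selinux_boolean_plan() {
    for b in $REQUIRED_BOOLS; do
        state=$(printf '%s\n' "$1" | awk -v b="$b" '$1 == b { print $3 }')
        [ "$state" = "on" ] || printf 'setsebool -P %s on\n' "$b"
    done
}

# Run from inside ~/public_html so the relative file names in the plan resolve.
selinux_context_plan "$SAMPLE_LS"
selinux_boolean_plan "$SAMPLE_BOOLS"
```

Where the default file-context rules already cover <code>~/public_html</code>, <code>restorecon -R ~/public_html</code> (described above) relabels the content without naming each type by hand; the planner simply makes the needed change visible before you apply it.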
 
{{Admon/note|Take Notes!|Take detailed notes of the steps you perform from this point onward -- you will need them for the wiki pages you will create later.}}
 
 
== Submitting Your Assignment ==
 
Your professor will require you to submit this assignment in at least one of two ways:
 
# Demonstrate that the wiki is working.
# Use wget to harvest the wiki pages:
#* Make sure all of the <code><nowiki>http://</nowiki></code>-style links (for the wiki image, the link to diskfree.cgi, and so forth) use the same hostname (don't use "localhost" for one and "f16host" for another, for example).
#* Issue the command: <code>wget -prk http://''hostname''/wiki</code> -- where ''hostname'' matches the hostname used in the <code><nowiki>http://</nowiki></code> links in your wiki pages.
#* Create a compressed tar file containing the results. (name the file ''learnid''-a2.tgz)
#* Check the tar file to see that it contains everything necessary to view your site (in particular, check that all needed image files are included). Do not edit the files in the tar archive -- if changes are needed, modify your wiki, and then repeat the <code>wget</code> and <code>tar</code> steps above.
#* Refer to your OPS235 instructor on the procedure to submit the tar archive file.
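The Configuring MySQL section of the current revision above requires that a production server have no anonymous users, no accounts without a password and no "test" databases, and the "Ready to show" list asks for the output of <code>select User,Password from user</code> and <code>show databases</code>. As an added example that is not part of either revision, the following POSIX shell script audits exactly that output and reports each violation; the query results embedded below are constructed sample data (the password hashes are placeholders) in the tab-separated form that <code>mysql -N -e</code> prints.

```shell
#!/bin/sh
# Added example: audit "SELECT User,Host,Password FROM mysql.user" and
# "SHOW DATABASES" output for the three things the assignment says must be
# gone from a production server. Sample data is constructed, not captured.

# Constructed result of: mysql -N -e 'SELECT User,Host,Password FROM mysql.user'
# Columns: User <TAB> Host <TAB> Password (empty Password = no password set)
SAMPLE_USERS=$(printf '%s\t%s\t%s\n' \
    root   localhost '*PLACEHOLDER_HASH_ROOT' \
    root   centos3   '' \
    ''     localhost '' \
    jsmith localhost '*PLACEHOLDER_HASH_JSMITH')

# Constructed result of: mysql -N -e 'SHOW DATABASES'
SAMPLE_DBS='information_schema
myblog
mysql
test'

# One finding per account that is anonymous or has no password.
# Tabs are swapped for "|" first: a tab is IFS whitespace, so consecutive tabs
# (an empty User or Password column) would otherwise collapse into one separator.
audit_mysql_users() {
    printf '%s\n' "$1" | tr '\t' '|' | while IFS='|' read -r user host password; do
        [ -n "$user$host$password" ] || continue
        if [ -z "$user" ]; then
            printf 'anonymous user allowed from %s\n' "$host"
        elif [ -z "$password" ]; then
            printf 'user %s@%s has no password\n' "$user" "$host"
        fi
    done
}

# One finding per database that a production server should not carry.
audit_mysql_databases() {
    printf '%s\n' "$1" | while read -r db; do
        case "$db" in
            test|test_*) printf 'test database present: %s\n' "$db" ;;
        esac
    done
}

# Total number of findings; zero means the hardening step was completed.
mysql_finding_count() {
    { audit_mysql_users "$SAMPLE_USERS"; audit_mysql_databases "$SAMPLE_DBS"; } | grep -c .
}

audit_mysql_users "$SAMPLE_USERS"
audit_mysql_databases "$SAMPLE_DBS"
printf 'findings: %s\n' "$(mysql_finding_count)"
```

On a live centos3 the two <code>SAMPLE_</code> variables would be filled from the real queries, and each finding maps to one of the cleanups the first-start messages describe (dropping the anonymous account, the test database, and setting the missing passwords).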
 
= Old Assignments =
 
Still here for historical purposes. Obviously you don't need to do them.
 
* [[OPS235_Assignment_2/W12]]
[[Category:OPS235]]
