NITA 412 - Linux Security Administration - Lab #3


Upload: mstanislav

Post on 06-Apr-2018


Page 1: NITA 412 - Linux Security Administration - Lab #3

8/3/2019 NITA 412 - Linux Security Administration - Lab #3

http://slidepdf.com/reader/full/nita-412-linux-security-administration-lab-3 1/2

Lab #3 - SELinux Basics; Apache with htaccess & PHP Stanislav

Lab Steps:

I. Interacting With Basic SELinux Commands

A. As root, run sestatus to view the SELinux overview settings.
B. To check the contexts of a file or directory, use ls -Z, such as ls -Z /home/bjones/.bashrc
C. To check the contexts of a process, use ps -Z, such as ps -ZC cupsd to check CUPS.
D. To check the boolean values for various SELinux context features, use getsebool -a. Using grep, you can narrow what you are viewing, such as getsebool -a | grep ^httpd for Apache.
E. Using the command setenforce 0, temporarily disable SELinux enforcement and check using the sestatus command again. The status should now be Permissive, not Enforcing.
F. Set SELinux back to Enforcing once again using setenforce 1
G. To view the webserver context, run semanage port -l | grep ^http_port_t

II. Initial Apache Webserver Installation and Basic Configuration

A. Use the command yum install httpd mod_ssl and confirm the downloads when prompted.
B. To ensure that Apache starts on boot, execute the command chkconfig httpd on
C. Start the Apache service manually by running /etc/init.d/httpd start
D. Edit the /etc/sysconfig/iptables configuration file and below the SSH port rule, add the following:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

E. After saving the configuration file, execute /etc/init.d/iptables start to load the new rules.
F. Using the links console browser go to both http://localhost and https://localhost
   1. Note: Press the q key to quit links

III. Enable mod_userdir for Your User's Account

A. Edit the Apache server configuration file, located at /etc/httpd/conf/httpd.conf
B. Locate the UserDir disable directive and change it to UserDir public_html
C. Under the directive you just edited, uncomment the <Directory> section (12 lines total) just below.
D. After saving the configuration file, restart Apache using service httpd restart
E. Create your user's web directory using sudo -u bjones mkdir /home/bjones/public_html
F. To fix SELinux privileges, run chcon -t httpd_sys_content_t -R /home/bjones/public_html
G. To allow directory read access for Apache, execute chmod 751 /home/bjones
H. Check that you are able to view the web directory by running links http://localhost/~bjones/
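Why step G sets 751, as an added example that is not part of the original lab: a small model of the Unix permission check on each directory Apache walks to reach public_html. Only the 751 mode on /home/bjones comes from the lab; the other modes, the owners, and the 700 comparison are assumptions, and SELinux checks (step F) are separate and not modelled.

```python
# Constructed model of the path Apache walks for http://localhost/~bjones/.
# /home/bjones is 751 as in the lab; the other modes and all owners are assumed.
LAB_PATH = [
    ("/home", 0o755, "root", "root"),
    ("/home/bjones", 0o751, "bjones", "bjones"),
    ("/home/bjones/public_html", 0o755, "bjones", "bjones"),
]

def class_bits(mode, owner, group, user, groups):
    """Return the rwx bits (0-7) of the one permission class that applies to user."""
    if user == owner:
        return (mode >> 6) & 0o7
    if group in groups:
        return (mode >> 3) & 0o7
    return mode & 0o7

def first_blocked(entries, user, groups):
    """Return the first directory user cannot traverse (no x bit), else None."""
    for path, mode, owner, group in entries:
        if not class_bits(mode, owner, group, user, groups) & 0o1:
            return path
    return None

def can_list(entry, user, groups):
    """Listing a directory's names needs the r bit; 751 withholds it from others."""
    _path, mode, owner, group = entry
    return bool(class_bits(mode, owner, group, user, groups) & 0o4)

def with_mode(entries, path, mode):
    """Copy of entries with one directory's mode replaced."""
    return [(p, mode if p == path else m, o, g) for p, m, o, g in entries]

if __name__ == "__main__":
    apache = ("apache", {"apache"})
    print("751 blocked at:", first_blocked(LAB_PATH, *apache))
    locked = with_mode(LAB_PATH, "/home/bjones", 0o700)
    print("700 blocked at:", first_blocked(locked, *apache))
    print("apache can list /home/bjones:", can_list(LAB_PATH[1], *apache))
```

With 751 the apache account can pass through /home/bjones to reach public_html but cannot enumerate the other files in the home directory.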

IV. Configure Directory Password Protection Using htaccess 

A. Become your regular user if you aren't already (su - bjones or just log in again).
B. Inside of your home directory, execute htpasswd -bc .htpasswd bjones testing123
C. Change directory to public_html and create a file called .htaccess with the following contents:

    AuthUserFile /home/bjones/.htpasswd
    AuthName "My Web Directory"
    AuthType "Basic"
    require user bjones

D. Execute sudo chcon -t httpd_sys_content_t /home/bjones/.htpasswd to fix privileges.
E. Using links, again connect to http://localhost/~bjones/ and authenticate with bjones/testing123
F. Change the working directory back to your home. To use SHA1 instead of crypt for the password obfuscation, execute htpasswd -bcs .htpasswd bjones testing123
G. View the contents of the .htpasswd file and you will note the {SHA} prefix to the hash.
H. Once again authenticate to verify the changed password-type worked.
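What the {SHA} entry from steps F and G contains, as an added example that is not part of the original lab: the field is the base64 of an unsalted SHA-1 digest, so it can be recomputed from the password alone and two users with the same password get identical fields. The function names, the extra users, and the made-up crypt and apr1 strings are assumptions for illustration.

```python
import base64
import hashlib
import hmac

def sha_field(password):
    """Hash field written by `htpasswd -s`: {SHA} + base64(SHA-1(password)), no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def classify(field):
    """Name the scheme of an .htpasswd hash field from its prefix or shape."""
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("$2y$"):
        return "bcrypt"
    if len(field) == 13:
        return "crypt-des"
    return "unknown"

def verify_sha(line, password):
    """Check a password against one {SHA} entry by recomputing the field."""
    _user, _, field = line.strip().partition(":")
    if classify(field) != "sha1-unsalted":
        raise ValueError("not a {SHA} entry")
    return hmac.compare_digest(field, sha_field(password))

def shared_hashes(text):
    """Map each hash field to its users; more than one user means no salt."""
    seen = {}
    for line in text.splitlines():
        user, sep, field = line.strip().partition(":")
        if sep:
            seen.setdefault(field, []).append(user)
    return {f: u for f, u in seen.items() if len(u) > 1}

# Constructed sample file: bjones as in the lab, plus hypothetical users.
# The crypt and apr1 fields are made-up strings of the right shape, not real hashes.
SAMPLE = "\n".join([
    "bjones:" + sha_field("testing123"),
    "asmith:" + sha_field("testing123"),
    "legacy:ab1Q9xYzKp3Lm",
    "cdoe:$apr1$constrct$0000000000000000000000",
])

if __name__ == "__main__":
    for entry in SAMPLE.splitlines():
        name, _, field = entry.partition(":")
        print(name, classify(field))
    print("reused hash fields:", list(shared_hashes(SAMPLE).values()))
```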


V. Install PHP, Reconfigure Apache, and Test the Installation

A. Using yum, install the package php.i386
B. Edit /etc/httpd/conf.d/php.conf and allow .woot as a valid PHP handler and type.
C. Restart the Apache web service (httpd). Exit your root shell and log in as your regular account.
D. Create the file index.php inside of your user's public_html web directory with the following line:

    <?php phpinfo(); ?>

E. View your user's web directory using links and verify that you received a PHP information page.
F. Create the file bjones.woot in your web directory and add the following line:

    <?php echo "Oh, Hello!"; ?>

G. View the file you created using links to verify that the statement was evaluated properly by PHP.
H. Using the command telnet localhost 80 type the following when you connect:

    HEAD / HTTP/1.0

   Press the enter key twice.
I. Verify that you received a 'HTTP/1.1 403 Forbidden' message back from the server.

VI. Configure Web Root Privilege and Create a Basic Index Page

A. As root, use usermod -a -G apache bjones to make the user be part of the apache group.
B. Change ownership of the web server directory with chown apache:apache /var/www/html
C. Change the permissions of the directory in our favor with chmod 775 /var/www/html
D. Execute an su - bjones to become that user and execute newgrp apache
E. Change your working directory to /var/www/html and create a small index.html file with text.
F. Using the command links http://localhost verify that your index page shows up properly.
G. Log out of your shells and take a snapshot of your VM and call it "Lab #3 Completed".