Linux security systems

One of the reasons for the great success of Linux on embedded and mobile devices and on servers is the fairly high level of security of the kernel, its related services and applications. But if you look closely at the architecture of the Linux kernel, you will not find a box in it that is responsible for security. So where is the Linux security subsystem hiding, and what does it consist of?

Prehistory: Linux Security Modules and SELinux

Security Enhanced Linux is a set of rules and access mechanisms based on mandatory and role-based access models, designed to protect Linux systems from potential threats and to fix the shortcomings of Discretionary Access Control (DAC), the traditional Unix security system. The project originated in the US National Security Agency, with the development itself carried out by contractors Secure Computing Corporation and MITRE, as well as a number of research laboratories.

[Figure: Linux Security Modules]

Linus Torvalds made a number of remarks about the new NSA developments so that they could be included in the mainline Linux kernel. He described a generic environment with a set of interceptors for controlling operations on objects and a set of protected fields in kernel data structures for storing the corresponding attributes. This environment could then be used by loadable kernel modules to implement any desired security model. LSM was fully included in Linux kernel version 2.6 in 2003.

The LSM framework adds guard fields to data structures and calls to hook functions at critical points in the kernel code, where they are used to manipulate those fields and perform access control. Functions for registering security modules are also added. The /sys/kernel/security/lsm interface contains the list of modules active on the system. LSM hooks are stored in lists that are called in the order specified in CONFIG_LSM. Detailed documentation on the hooks is in the header file include/linux/lsm_hooks.h.

The LSM subsystem made it possible to fully integrate SELinux into the same stable Linux kernel version 2.6. Since then, SELinux has become the de facto standard for secure Linux environments and is part of the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

SELinux glossary

  • Identity — SELinux users are not the same as the usual Unix/Linux user IDs; they can coexist on the same system but are completely different in nature. Each standard Linux account may correspond to one or more SELinux identities. The SELinux identity is an important part of the overall security context and determines which domains can be entered and which cannot.
  • Domains — In SELinux, a domain is the execution context of a subject, i.e. a process. The domain directly determines the access a process has. A domain is essentially a list of what processes can do, or of the actions a process can perform on different types. Some examples of domains are sysadm_t for system administration and user_t, an ordinary unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the named_t domain.
  • Roles — The intermediary between domains and SELinux users. Roles determine which domains a user can enter and which object types can be accessed. This access control mechanism prevents privilege escalation attacks. Roles are part of the Role-Based Access Control (RBAC) security model used in SELinux.
  • Types — A Type Enforcement list attribute assigned to an object that determines who can access it. It is similar to the domain definition, except that a domain applies to a process, while a type applies to objects such as directories, files, sockets, and so on.
  • Subjects and objects — Processes are subjects and run in a specific context, or security domain. Operating system resources (files, directories, sockets, etc.) are objects that are assigned a certain type, in other words a confidentiality level.
  • SELinux policies — To protect the system, SELinux uses a variety of policies. An SELinux policy defines user access to roles, role access to domains, and domain access to types. First, the user is authorized for a role, then the role is authorized to access domains. Finally, the domain can access only certain object types.

LSM and SELinux architecture

Despite the name, LSMs are not loadable Linux modules. Instead, like SELinux, they are built directly into the kernel. Any change to the LSM source code requires a new kernel build. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in that case, it can be enabled with an OS bootloader option.

[Figure: LSM hook scheme]

LSM has hooks in the core kernel functions that are relevant for checks. One of the main features of LSMs is that they are stacked: the standard checks are still performed, and each LSM layer only adds further controls and restrictions. This means a denial cannot be rolled back. This is shown in the figure: if the result of the DAC checks is a failure, the request never even reaches the LSM hooks.

SELinux adopted the Flask security architecture from the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as the name implies, is to grant a user or process only the rights that are necessary to perform the intended actions. This principle is implemented through mandatory access typing, so access control in SELinux is based on the domain => type model.

Thanks to mandatory access typing, SELinux has far greater access control capabilities than the traditional DAC model used in Unix/Linux. For example, you can restrict the network port number that the FTP server listens on, allow writing and modifying files in a particular directory but not deleting them.

The main components of SELinux are:

  • Policy Enforcement Server — the main mechanism for organizing access control.
  • Security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs — a pseudo-FS, similar to /proc, mounted at /sys/fs/selinux. It is populated by the Linux kernel at runtime and contains files with information about the SELinux state.
  • Access Vector Cache — an auxiliary mechanism for improving performance.

[Figure: How SELinux works]

It all works like this.

  1. A subject, in SELinux terms, performs an allowed action on an object after the DAC check shown in the figure above. This request is passed to the LSM event interceptor.
  2. From there, the request, together with the security context of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interaction with LSM.
  3. The Policy Enforcement Server is the decision-making authority for a subject's access to an object, and it receives data from the SELinux AnHL.
  4. To decide whether to allow or deny access, the Policy Enforcement Server turns to the Access Vector Cache (AVC) subsystem, which holds the most frequently used rules.
  5. If no decision for the corresponding rule is found in the cache, the request is forwarded to the security policy database.
  6. The lookup result from the database and the AVC is returned to the Policy Enforcement Server.
  7. If the policy found matches the requested action, the action is allowed. Otherwise, the action is denied.

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing — security policies are strictly enforced.
  • Permissive — violations of the restrictions are allowed; a corresponding entry is written to the log.
  • Disabled — security policies are not in effect.

You can see which mode SELinux is in with the following command.

[admin@server ~]$ getenforce
Permissive

To change the mode until the next reboot, for example to set it to enforcing, use the name or the number 1. The permissive parameter corresponds to the numeric code 0.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing

You can also change the mode by editing the file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that when the operating system boots, the SELinux mode is set according to the value of the SELINUX parameter in the configuration file. In addition, changes between enforcing <=> disabled take effect only after editing /etc/selinux/config and rebooting.
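The rule just stated (runtime switches between enforcing and permissive via setenforce, anything involving disabled only via the config file plus a reboot) is easy to get wrong in automation. The following POSIX shell script is an added example written for this page, not code from the original article: it reads the SELINUX= and SELINUXTYPE= keys from a constructed copy of /etc/selinux/config embedded in the script, works out how a requested mode change has to be applied, and reports drift between the running mode and the boot-time mode (the "Current mode" versus "Mode from config file" lines of sestatus). The function names and the sample config text are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article). Runs offline: the config
# content below is a constructed sample standing in for /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted'

# Read one key (SELINUX or SELINUXTYPE) from config text on stdin,
# ignoring comment lines and surrounding whitespace.
config_value() {
    key="$1"
    grep -v '^[[:space:]]*#' \
        | sed -n "s/^[[:space:]]*${key}=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | tail -n 1
}

# Normalise the forms accepted by getenforce/setenforce (names, 1/0) to
# lowercase names; unknown input is rejected rather than guessed.
normalize_mode() {
    case "$1" in
        1|Enforcing|enforcing)   echo enforcing ;;
        0|Permissive|permissive) echo permissive ;;
        Disabled|disabled)       echo disabled ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Decide how to get from the current mode to the target mode.
#   "setenforce 1" / "setenforce 0"  - a runtime switch is enough
#   "edit-config-and-reboot"         - disabled is involved on either side
#   "no-change"                      - already in the target mode
mode_change_plan() {
    cur=$(normalize_mode "$1") || return 1
    tgt=$(normalize_mode "$2") || return 1
    if [ "$cur" = "$tgt" ]; then echo no-change; return 0; fi
    case "$cur:$tgt" in
        disabled:*|*:disabled) echo edit-config-and-reboot ;;
        *:enforcing)           echo "setenforce 1" ;;
        *:permissive)          echo "setenforce 0" ;;
    esac
}

# Compare the running mode (as printed by getenforce) with the mode the
# system will boot into; a mismatch means someone ran setenforce by hand.
mode_drift() {
    running=$(normalize_mode "$1") || return 1
    boot=$(printf '%s\n' "$SAMPLE_CONFIG" | config_value SELINUX)
    if [ "$running" = "$boot" ]; then
        echo "in-sync ($running)"
    else
        echo "drift: running=$running config=$boot"
    fi
}

# Stand-alone demonstration. On a real host feed getenforce output and the
# real /etc/selinux/config instead of the constructed sample.
mode_change_plan Permissive enforcing
mode_change_plan enforcing disabled
mode_drift Permissive
```

The drift check is the one worth scheduling: a host that runs Permissive while its config says enforcing is exactly the state the sestatus output later on this page shows, and it silently reverts to enforcing on the next reboot.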

Let's look at a brief status report:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

To view SELinux attributes, some standard utilities take the -Z parameter.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared to the normal output of ls -l, there are several additional fields in the following format:

<user>:<role>:<type>:<level>

The last field denotes something like a security classification and consists of two elements:

  • s0 — sensitivity, also written as a low-high level range
  • c0, c1… c1023 — categories.
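Because the level field can itself contain colons (s0-s0:c0.c1023), splitting a context naively on ":" breaks on ranged labels. The following POSIX shell script is an added example for this page, not code from the original article: it splits a context into the four fields described above, decodes the level into low sensitivity, high sensitivity and category set, and distinguishes process (domain) contexts from object labels. The sample contexts are constructed from the ls -Z and ps -Z output shown above plus two labels with category sets; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article). Constructed sample of
# security contexts in the <user>:<role>:<type>:<level> format.
SAMPLE_CONTEXTS='system_u:object_r:httpd_log_t:s0
system_u:system_r:httpd_t:s0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
system_u:object_r:container_file_t:s0:c12,c47'

# Fields 1-3 are plain; the level is everything from the fourth colon on,
# because an MLS range carries its own colon (s0-s0:c0.c1023).
ctx_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) return 1 ;;
    esac
}

# Decode a level into "low high categories" ("-" when no categories):
#   s0              -> s0 s0 -
#   s0-s0:c0.c1023  -> s0 s0 c0.c1023   (a range of categories)
#   s0:c12,c47      -> s0 s0 c12,c47    (an explicit list)
level_parts() {
    level="$1"
    sens=${level%%:*}          # sensitivity part, before any categories
    cats=${level#"$sens"}      # remainder, with a leading ':' if present
    cats=${cats#:}
    low=${sens%%-*}
    high=${sens#*-}            # equals low when there is no '-' range
    printf '%s %s %s\n' "$low" "$high" "${cats:--}"
}

# object_r is the role carried by file-system objects; everything else
# here is a process running in a domain.
ctx_kind() {
    if [ "$(ctx_field "$1" role)" = object_r ]; then echo object; else echo subject; fi
}

# Decode every sample context, one line each.
decode_all() {
    printf '%s\n' "$SAMPLE_CONTEXTS" | while IFS= read -r ctx; do
        printf '%s kind=%s type=%s level=[%s]\n' \
            "$ctx" "$(ctx_kind "$ctx")" "$(ctx_field "$ctx" type)" \
            "$(level_parts "$(ctx_field "$ctx" level)")"
    done
}

decode_all
```

On a real host the same functions can be fed the third column of ls -Z or the LABEL column of ps -Z; the type field is the one that matters most for the Type Enforcement decisions described above.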

Changing the access configuration

Use semodule to load SELinux modules, and to add and remove them.

[admin@server ~]$ semodule -l |wc -l # list all modules
408
[admin@server ~]$ semodule -e abrt # enable the module
[admin@server ~]$ semodule -d accountsd # disable the module
[admin@server ~]$ semodule -r avahi # remove the module

The first semanage login command links an SELinux user to an operating-system user; the second prints the list. Finally, the last command, with the -d switch, removes the mapping of the SELinux user to OS accounts. The syntax of the MLS/MCS Range values was explained in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The semanage user group of commands is used to manage the mappings between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command parameters:

  • -a add a user mapping entry;
  • -l list the users and their matching roles;
  • -d delete a user role mapping entry;
  • -R list of roles attached to the user.

Files, ports and Boolean values

Each SELinux module provides a set of file labeling rules, but you can also add your own rules where needed. For example, suppose we want to give the web server access to the /srv/www directory.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers the new labeling rule, and the second sets (or resets) the file types according to the current rules.

Likewise, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, for the web server to listen on port 8080, you need to run the following command.

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

Many SELinux modules have parameters that take Boolean values. The full list of such parameters can be viewed with getsebool -a. Boolean values are changed with setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Workshop: accessing the pgadmin web interface

Let's look at a practical example: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We went through a small quest with the settings in pg_hba.conf, postgresql.conf and config_local.py, set directory permissions, and installed the missing Python modules from pip. Everything is ready; we launch it and get 500 Internal Server Error.


We start with the usual suspects and check /var/log/httpd/error_log. There are some interesting entries.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690]
[timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

This is where most Linux administrators feel a strong temptation to run setenforce 0, and that's the end of it. Honestly, that's what I did the first time. It is of course a solution, but far from the best one.

Despite the bulky design of SELinux, it is quite easy to use. Install the setroubleshoot package and look at the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the audit service must be restarted in exactly this way, not via systemctl, even though systemd is present in the OS. The system log will show not only the block itself, but also the reason for it and the way to get past it.
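Before reaching for setroubleshoot's explanation, it helps to see what a raw denial looks like and to read it the same way the tool does. The following POSIX shell script is an added example for this page, not code from the original article: it runs over a constructed sample of audit log lines (AVC records are written in the key=value format shown here, with the source and target contexts in the same <user>:<role>:<type>:<level> form as the ls -Z output above), reduces each denial to "source domain, permission, target type, object class, effect", counts denials per domain, and points at the check from this page that applies (file labels for file/dir classes, network booleans for socket classes). The sample lines mirror the pgadmin scenario above but are invented for this example; the function names are assumptions as well.

```shell
#!/bin/sh
# Added example (not from the original article). Constructed audit lines:
# two enforced denials (write to a var_lib_t directory, connect to the
# PostgreSQL port), one non-AVC record, and one denial logged in permissive mode.
SAMPLE_AUDIT='type=AVC msg=audit(1602000000.101:811): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=262291 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1602000000.102:812): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1602000000.102:812): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1602000000.103:813): avc:  denied  { read } for  pid=23691 comm="httpd" name="config_local.py" dev="dm-0" ino=262300 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# Value of one key=value (optionally quoted) field in an audit line.
avc_field() {
    printf '%s\n' "$1" \
        | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Which of this page's checks applies to a denied object class.
avc_hint() {
    case "$1" in
        file|dir|lnk_file) echo "check label with ls -Z; fix with semanage fcontext + restorecon" ;;
        tcp_socket|udp_socket) echo "check network booleans with getsebool -a and port labels with semanage port" ;;
        *) echo "inspect policy for class $1" ;;
    esac
}

# Reduce each AVC denial on stdin to:
#   <source type> <permission> <target type> <class> <blocked|logged-only>
avc_summary() {
    while IFS= read -r line; do
        case "$line" in *"avc:  denied"*) ;; *) continue ;; esac
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/[[:space:]]*$//')
        src=$(avc_field "$line" scontext | cut -d: -f3)
        tgt=$(avc_field "$line" tcontext | cut -d: -f3)
        cls=$(avc_field "$line" tclass)
        if [ "$(avc_field "$line" permissive)" = 1 ]; then eff=logged-only; else eff=blocked; fi
        printf '%s %s %s %s %s\n' "$src" "$perm" "$tgt" "$cls" "$eff"
    done
}

# Denials per source domain: "<type> <count>" per line.
avc_count_by_domain() {
    avc_summary | cut -d' ' -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# Stand-alone run over the constructed sample; on a real host pipe in
# /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | while read -r src perm tgt cls eff; do
    printf '%s: %s %s on %s (%s) -> %s\n' "$src" "$eff" "$perm" "$tgt" "$cls" "$(avc_hint "$cls")"
done
printf '%s\n' "$SAMPLE_AUDIT" | avc_count_by_domain
```

The permissive flag matters for reading a log after a setenforce 0 experiment: lines with permissive=1 record what would have been blocked, which is the safe way to collect the full set of denials before switching back to enforcing.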


We run these commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web page, and everything works.


Source: will.com
