A mandatory access control model in FreeBSD

Introduction

To add an extra layer of server security you can use a mandatory access control (MAC) model. This article describes how to run Apache in a jail so that it can reach only the components Apache and PHP need in order to work. Using the same principle you can confine not just Apache but any other stack.

Preparation

This method only works with the UFS file system, because persistent per-file labels need UFS's multilabel flag; in this example the host runs on ZFS and the jail on UFS. The first step is to rebuild the kernel, so install the source tree when installing FreeBSD.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Only one line needs to be added to this file (GENERIC already contains options MAC, the framework the policy modules depend on):

options     MAC_MLS

The mls/high label dominates mls/low: a process running at mls/low cannot read files labelled mls/high (no read up). Keep in mind that MLS is a confidentiality policy; in the Bell-LaPadula model it is built on, a low subject may still write to a higher-labelled object, so on its own it does not protect the integrity of mls/high files. Details on all the labels available in FreeBSD are in the Handbook chapter on MAC (linked at the end of this article).
Then change to the /usr/src directory:

cd /usr/src

Start the kernel build (set -j to the number of CPU cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

Once the kernel has compiled, install it:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot: users first have to be moved into a suitably configured login class. Edit /etc/login.conf and change the default login class so that it looks like this:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The :label=mls/equal line gives members of this class access to files carrying any label (mls/low or mls/high). After this, rebuild the login database and put the root user (and any other users who need it) into this class:

cap_mkdb /etc/login.conf
pw usermod root -L default

The /etc/mac.conf file does not restrict the policy itself; it tells userland tools such as getfmac(8), ls -Z and ps -Z which label elements to print when none are requested explicitly. To have them show only the MLS element of file labels, leave a single line in it (add a matching process line, or pass -l mls to getpmac, if you also want process labels displayed):

default_labels file ?mls

You also need the mac_mls.ko module to be loaded at boot; with MAC_MLS compiled into the kernel as above the policy is already present, and this line only matters for a kernel built without that option:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After that you can safely reboot. How to create a jail is described in one of my other articles. But before creating the jail you need to add a disk and create a file system on it with multilabel enabled: create a UFS2 file system (-O 2) with a 64 KB block size (-b 64kb), then turn on multilabel with tunefs while the file system is still unmounted:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, add the disk to /etc/fstab by adding this line to the file:

/dev/ada1               /jail  ufs     rw              0       1

In Mountpoint give the directory where the disk is mounted; in Pass give the order in which fsck checks the disk (1 is used here; fstab(5) reserves pass 1 for the root file system and recommends 2 for all others). A non-zero pass number is needed because UFS is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. Once the jail is running, repeat inside it the same steps for users and for /etc/login.conf and /etc/mac.conf as on the host system (the jail shares the host kernel, so no kernel rebuild is needed there).

Configuration

I recommend installing all the required packages before setting the labels; in my case the labels are set with the following packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example the labels are set with the dependencies of these packages in mind. Of course, it can be done more simply: label /usr/local/lib and the files inside it mls/low, and packages installed later (for example extra PHP extensions) will then be able to use the libraries in that directory; but granting access only to the files actually needed seems better to me. Stop the jail and, from the host where the jail file system is mounted, label all of its files mls/high:

setfmac -R mls/high /jail

While setting labels, the process stops if setfmac encounters hard links; in my example I removed the hard links in the following directories. The paths are as seen inside the jail:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

With the labels set, you now need to label mls/low everything Apache needs; first find out which files Apache requires in order to start:

ldd /usr/local/sbin/httpd

This command prints the shared libraries httpd links against, but labelling only those files is not enough: the directories containing them carry mls/high, and a mls/low process cannot traverse a mls/high directory, so every directory on the path has to be labelled mls/low as well. ldd also does not show modules loaded at run time with dlopen, such as the Apache modules in /usr/local/libexec/apache24 and the PHP extensions; Apache reports those at startup, and for PHP the missing dependencies can be found in httpd-error.log. The following commands are run inside the jail:

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac  mls/low /dev
setfmac  mls/low /dev/random
setfmac  mls/low /usr/local/libexec
setfmac  mls/low /usr/local/libexec/apache24
setfmac  mls/low /usr/local/libexec/apache24/*
setfmac  mls/low /etc/pwd.db
setfmac  mls/low /etc/passwd
setfmac  mls/low /etc/group
setfmac  mls/low /etc/
setfmac  mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains mls/low labels for every file the Apache and PHP combination needs in order to work correctly (for the packages installed in my example). Note what is deliberately left at mls/high: /etc/master.passwd and /etc/spwd.db, which hold the password hashes, and everything else outside the list, so a compromised httpd cannot read them. Labels live on the files themselves, so after a pkg upgrade replaces a library or binary, check its label with getfmac before restarting Apache.
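As an added example (not code from the original article), the following script automates the dependency check described above: it expands ldd's output, the binary itself, the run-time linker and any dlopen'ed modules given on the command line into the full set of files and parent directories, then asks getfmac which of them are not mls/low. The PHP extension directory in the usage comment is an assumption; the parsing functions run anywhere, the getfmac step needs the FreeBSD jail.

```shell
#!/bin/sh
# mls-audit.sh: an added example, not code from the original article.
# Given a binary, list the files it needs (the binary, the libraries
# ldd(1) resolves, the ELF run-time linker, and any extra paths passed
# on the command line for dlopen'ed modules), expand each one into the
# chain of parent directories a mls/low process must traverse, and
# report every entry whose MAC label is not mls/low. Run it inside the
# jail after the setfmac step.
set -u

# Print PATH and then every ancestor directory up to and including /.
# A mls/low subject cannot look up a name inside a mls/high directory,
# so the directories need labels as much as the files themselves.
ancestors() {
    p=${1%/}
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        printf '%s\n' "$p"
        p=${p%/*}
        p=${p:-/}
    done
    printf '/\n'
}

# Read ldd(1) output on stdin and print the resolved library paths
# (FreeBSD prints "libfoo.so.1 => /usr/lib/libfoo.so.1 (0x...)").
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Read ldd(1) output on stdin and print libraries the linker could not
# find; an unresolved library fails long before any label is checked.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# Read ldd(1) output on stdin; print the de-duplicated candidate set for
# the paths given as arguments plus the resolved libraries and the
# run-time linker, each expanded with ancestors().
candidates() {
    {
        for f in "$@" /libexec/ld-elf.so.1; do
            ancestors "$f"
        done
        ldd_paths | while IFS= read -r lib; do
            ancestors "$lib"
        done
    } | sort -u
}

# FreeBSD only: read paths on stdin, query getfmac(8) for each and print
# "LABEL PATH" for entries that are not mls/low (or do not exist).
# getfmac prints "PATH: LABEL"; with several policies loaded LABEL is a
# comma-separated list such as "biba/high,mls/low", hence the per-element match.
not_low() {
    while IFS= read -r f; do
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$f"
            continue
        fi
        label=$(getfmac "$f" 2>/dev/null | sed 's/^.*: //')
        case ",$label," in
            *,mls/low,*) ;;
            *) printf '%s %s\n' "${label:-unknown}" "$f" ;;
        esac
    done
}

# Usage: mls-audit.sh /usr/local/sbin/httpd /usr/local/libexec/apache24/*.so \
#            /usr/local/lib/php/20180731/*.so
# (the PHP extension directory is an assumption; see php-config --extension-dir)
main() {
    out=$(ldd "$1")
    missing=$(printf '%s\n' "$out" | ldd_missing)
    if [ -n "$missing" ]; then
        printf 'unresolved by ld-elf: %s\n' "$missing" >&2
    fi
    printf '%s\n' "$out" | candidates "$@" | not_low
}

# getfmac(8) only exists on a FreeBSD kernel with MAC; elsewhere the
# parsing functions above can still be exercised on captured ldd output.
if [ $# -gt 0 ] && command -v getfmac >/dev/null 2>&1; then
    main "$@"
fi
```

An empty result means every file and directory on the path is mls/low; anything printed is either a missing label (the cause of the "cannot open" errors the article says to look for in httpd-error.log) or a dependency that is not installed at all.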

The final touch is configuring the jail to run at mls/equal and Apache at mls/low. For the jail, edit the /etc/rc.d/jail script: find the jail_start function in it and change the command variable to the form below. Keep in mind that /etc/rc.d/jail belongs to the base system and will be overwritten by etcupdate or mergemaster on the next upgrade; since the script takes the path of the jail program from the jail_program variable, the same effect can be had without editing it by pointing jail_program in rc.conf at a small wrapper that execs setpmac mls/equal /usr/sbin/jail with the original arguments.

command="setpmac mls/equal $jail_program"

The setpmac command runs the given executable at the requested label, here mls/equal, so that the jail has access to files of every label. For Apache, edit the start-up script /usr/local/etc/rc.d/apache24 and change the apache24_prestart function as shown below. This file belongs to the apache24 package, so a pkg upgrade will replace it and the change has to be reapplied; and because a precmd function runs before rc.subr starts ${command} itself, check afterwards with getpmac or ps that every running httpd process carries mls/low:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official Handbook has another example, but I could not use it, because I got a message that I could not use setpmac.
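After the rc scripts have been changed and the jail restarted, the confinement should be checked rather than assumed. The script below is an added example, not part of the article: it lists the MLS label of every httpd process in the jail with getpmac, then runs cat at mls/low through setpmac to confirm that a mls/high file (/etc/master.passwd) is refused while the files the article labelled mls/low are still readable. The jail name and the path of httpd.conf are assumptions.

```shell
#!/bin/sh
# mls-verify.sh: an added example, not from the original article. Run on
# the host after the rc scripts have been changed and the jail restarted.
# It checks that every httpd process inside the jail carries mls/low and
# that the policy really denies a mls/low process a read of a mls/high
# file while still allowing the files labelled mls/low in the article.
set -u

# Read "PID LABEL" lines on stdin and succeed only if there is at least
# one line and every LABEL contains the element WANT (labels can carry
# several elements, e.g. "biba/high,mls/low", so match per element).
all_labelled() {
    awk -v want="$1" '
        { n++; ok = 0; split($2, e, ",")
          for (i in e) if (e[i] == want) ok = 1
          if (!ok) bad = 1 }
        END { exit (n == 0 || bad) ? 1 : 0 }'
}

# FreeBSD only: print "PID LABEL" for every process named NAME inside JAIL.
# getpmac -l mls is used rather than ps -o label because the article's
# mac.conf lists only "file ?mls", so ps would print empty process labels.
jail_labels() {
    jail=$1; name=$2
    for pid in $(jexec "$jail" pgrep -x "$name"); do
        printf '%s %s\n' "$pid" \
            "$(jexec "$jail" getpmac -l mls -p "$pid" | sed 's/^.*: //')"
    done
}

# FreeBSD only: run a command inside JAIL at label mls/low and return its
# exit status; used for the negative and positive access checks below.
as_low() {
    jail=$1; shift
    jexec "$jail" setpmac mls/low "$@" >/dev/null 2>&1
}

verify() {
    jail=$1 rc=0
    if jail_labels "$jail" httpd | all_labelled mls/low; then
        echo "ok: every httpd in $jail runs at mls/low"
    else
        echo "FAIL: an httpd in $jail is missing or not mls/low"; rc=1
    fi
    # No read up: master.passwd was left at mls/high by the article's labelling.
    if as_low "$jail" cat /etc/master.passwd; then
        echo "FAIL: mls/low could read /etc/master.passwd"; rc=1
    else
        echo "ok: read of mls/high /etc/master.passwd denied"
    fi
    # Files the article labels mls/low must stay readable, or httpd cannot start
    # (httpd.conf path is an assumption matching the apache24 package layout).
    for f in /etc/passwd /etc/pwd.db /usr/local/etc/apache24/httpd.conf; do
        if as_low "$jail" cat "$f"; then
            echo "ok: mls/low can read $f"
        else
            echo "FAIL: mls/low cannot read $f"; rc=1
        fi
    done
    return $rc
}

# Usage: mls-verify.sh web   (jail name "web" is an assumption)
if [ $# -gt 0 ] && command -v jexec >/dev/null 2>&1; then
    verify "$1"
fi
```

A FAIL on the first check usually means rc.subr started a second httpd outside setpmac, or the root shell the jail was started from was not in the mls/equal login class; a FAIL on the master.passwd check means the file lost its mls/high label (for example after a hard-link removal or a package reinstall) and the confinement is no longer doing anything.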

Conclusion

This way of distributing access adds an extra layer of security to Apache (although the method suits any other stack just as well) on top of it running in a jail, while all of it stays transparent and unobtrusive for the administrator.

Sources that helped me while writing this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Manba: www.habr.com
