Wednesday, August 30, 2023

Manage Security in Linux (Part 9)

In Part 8 of the Learning Linux blog series, we learned how to configure and manage users and groups on Linux systems.

In Part 9, we will go through the basic commands for managing security in the Linux operating system.


  • Configure key-based authentication for SSH
    • ssh-keygen (This generates a private and a public key pair: id_rsa and id_rsa.pub)
    • ssh-copy-id aaron@10.11.12.9 (This copies the public key to the target IP into ~/.ssh/authorized_keys; alternatively, log in to the target server and append the public key to ~/.ssh/authorized_keys by hand)
    • SSH server conf file - /etc/ssh/sshd_config, SSH client conf file - /etc/ssh/ssh_config, custom SSH client conf file dir path - /etc/ssh/ssh_config.d/
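Once keys are copied, the server side should stop accepting what the keys replace. The script below is an added example, not part of the original post: it reads an sshd_config and reports whether PubkeyAuthentication, PasswordAuthentication and PermitRootLogin are in the shape you want after switching to keys. The two sample configs it writes to temp files are constructed; the real server file is /etc/ssh/sshd_config.

```shell
# Added example (not from the original post): report whether an sshd_config
# still allows what key-based login is meant to replace. Assumes the config
# is passed as a path; the two sample configs below are constructed.
sshd_opt() {
    # Print the effective value of keyword $2 in file $1. sshd keeps the
    # FIRST uncommented occurrence of a keyword, so stop at the first match.
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

check_sshd_config() {
    # Returns 0 when the file is in the hardened shape, 1 otherwise,
    # printing one line per finding. Fallback values are the OpenSSH
    # defaults used when a keyword is absent.
    f="$1"; bad=0
    pub=$(sshd_opt "$f" PubkeyAuthentication);   [ -n "$pub" ]  || pub=yes
    pw=$(sshd_opt "$f" PasswordAuthentication);  [ -n "$pw" ]   || pw=yes
    root=$(sshd_opt "$f" PermitRootLogin);       [ -n "$root" ] || root=prohibit-password
    [ "$pub" = yes ]   || { echo "PubkeyAuthentication is $pub (expected yes)"; bad=1; }
    [ "$pw" = no ]     || { echo "PasswordAuthentication is $pw (expected no once keys work)"; bad=1; }
    [ "$root" != yes ] || { echo "PermitRootLogin is yes (expected no or prohibit-password)"; bad=1; }
    return "$bad"
}

sample_sshd_config() {
    # Constructed sample config; "$1" selects the weak or the hardened variant.
    f=$(mktemp)
    if [ "$1" = weak ]; then
        printf '%s\n' '# password logins still on' \
            'PasswordAuthentication yes' 'PermitRootLogin yes' > "$f"
    else
        printf '%s\n' 'PubkeyAuthentication yes' '#PasswordAuthentication yes' \
            'PasswordAuthentication no' 'PermitRootLogin prohibit-password' > "$f"
    fi
    echo "$f"
}

# Usage on a real host: check_sshd_config /etc/ssh/sshd_config
```

The first-match rule in sshd_opt matters: a hardened `PasswordAuthentication no` added at the bottom of a file that already says `yes` higher up does nothing, so the check reads the file the same way sshd does.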
  • List and identify the SELinux file and process contexts
    • getenforce (To view the SELinux mode)
    • ls -Z (To see the SELinux context of a file or folder), e.g. unconfined_u:object_r:user_home_t:s0 (user:role:type:level)
    • id -Z (To see the SELinux context of the currently logged-in user)
    • sudo semanage login -l (To view the SELinux user mapped to each Linux login)
    • sudo semanage user -l (To view the SELinux roles assigned to each SELinux user)
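The user:role:type:level split above is what every later SELinux command keys on, and for files the type field is the one that decides access. The script below is an added example, not part of the original post: it splits a context string into its four fields and scans an `ls -Z` style listing for files whose type is not the one the web server may read. The listing is constructed; nothing here queries the live system.

```shell
# Added example (not from the original post): split a SELinux context into its
# user:role:type:level fields and scan an `ls -Z` style listing for files whose
# type is not the one the web server may read. The listing is constructed;
# nothing here queries the live system.
ctx_field() {
    # $1 = context string, $2 = user|role|type|level. The level is read as
    # "the rest" so an MLS range such as s0-s0:c0.c1023 survives the split.
    IFS=: read -r u r t l <<EOF
$1
EOF
    case "$2" in
        user)  echo "$u" ;;
        role)  echo "$r" ;;
        type)  echo "$t" ;;
        level) echo "$l" ;;
        *)     return 1 ;;
    esac
}

# Constructed listing in the shape of `ls -Z` on a web root.
SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 uploaded.html
system_u:object_r:httpd_sys_content_t:s0 logo.png
unconfined_u:object_r:default_t:s0 notes.txt'

find_mislabeled() {
    # $1 = listing text (context then name per line), $2 = expected type.
    # Prints "name (actual_type)" for every file that does not match.
    printf '%s\n' "$1" | while read -r ctx name; do
        t=$(ctx_field "$ctx" type)
        [ "$t" = "$2" ] || echo "$name ($t)"
    done
}

# Usage on a real host: find_mislabeled "$(ls -Z /var/www/html)" httpd_sys_content_t
```

A file copied into the web root from a home directory keeps user_home_t, which is exactly the mismatch this scan reports and the case `restorecon -R` later in this post fixes.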
  • Change kernel runtime parameters, persistent and non-persistent
    • sudo sysctl -a (List kernel runtime parameters)
    • sudo sysctl -w 'parameter=1/0' (Non-persistent change, setting the value to 1 or 0; it is lost on reboot)
    • sudo vi /etc/sysctl.d/swap-less.conf (Persistent change, saved as a drop-in file in this conf folder)
    • sudo sysctl -p 'conf. file path' (This applies the settings from that file without a reboot)
    • sudo chcon -t httpd_sys_content_t /var/index.html (Set the SELinux context type of a file)
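With several drop-in files under /etc/sysctl.d it is easy to lose track of which one wins for a given parameter. The script below is an added example, not part of the original post: it resolves the value a parameter will end up with from a directory of sysctl.d files without touching the running kernel, following the rule `sysctl --system` uses (files in lexical filename order, later files override earlier ones, last line in a file wins). The directory and its two files are constructed in a temp dir.

```shell
# Added example (not from the original post): resolve the value a parameter
# will end up with from a directory of sysctl.d drop-ins without touching the
# running kernel. Drop-ins are applied in lexical filename order and a later
# file overrides an earlier one, which is what `sysctl --system` does; the
# directory and its two files are constructed in a temp dir.
effective_sysctl() {
    # $1 = directory of *.conf files, $2 = parameter name. Prints the
    # winning value and returns 0, or returns 1 when no file sets it.
    val=""
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        v=$(awk -F= -v k="$2" '
            /^[[:space:]]*[#;]/ || NF < 2 { next }
            {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2)
                if ($1 == k) last = $2      # last line in a file wins
            }
            END { if (last != "") print last }' "$f")
        [ -z "$v" ] || val="$v"
    done
    [ -n "$val" ] || return 1
    echo "$val"
}

sample_sysctl_dir() {
    # Constructed drop-ins: a baseline file and a later override.
    d=$(mktemp -d)
    printf '%s\n' '# baseline' 'vm.swappiness = 60' 'kernel.kptr_restrict=1' > "$d/10-defaults.conf"
    printf '%s\n' 'vm.swappiness=10' > "$d/90-swap-less.conf"
    echo "$d"
}

# Usage on a real host: effective_sysctl /etc/sysctl.d vm.swappiness
```

Comparing the result with `sysctl -n <parameter>` on the live kernel tells you whether a `sysctl -w` change was ever made persistent.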
  • Restore default file contexts
    • enforcing=0 (GRUB parameter to boot Linux into permissive mode)
    • selinux=0 (The kernel will not do anything related to SELinux, and after the reboot it will perform an autorelabel. Setting this parameter in the GRUB conf will cause autorelabel=1 to be applied to all files)
    • autorelabel=1 (Relabel all files)
  • Diagnose and troubleshoot SELinux policy violations:
    • Scenario 1: The httpd process stopped after its listening port was changed
      • ausearch -c 'httpd' --raw | audit2allow -M my-httpd (Create a policy module from the logged denials)
      • semodule -i my-httpd.pp (Load this policy module so it is enforced)
    • Scenario 2: Changing the httpd document root path
      • grep 'httpd' /var/log/messages | less (Search for SELinux-related error messages)
      • semanage fcontext -a -t httpd_sys_content_t "/Directory(/.*)?" (Change the files' SELinux context type to the httpd content type, for the directory and everything under it)
      • restorecon -R /Directory/ (Apply the new contexts to the directory recursively)
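audit2allow turns every denial it is fed into an allow rule, so it pays to read the denials first and decide whether the right fix is a policy module, a port label or a relabel. The script below is an added example, not part of the original post: it summarises AVC records into "who was denied what on which type" and classifies each one as a relabel problem (Scenario 2), a port labelling problem (Scenario 1) or something to review. The two records are constructed in the shape of audit.log AVC lines; the field names (comm, scontext, tcontext, tclass) are the real audit fields, and `semanage port` is the real command for labelling a port.

```shell
# Added example (not from the original post): summarise AVC denials and say
# what kind of fix each one points at before reaching for audit2allow, which
# would allow whatever it is fed. The two records are constructed in the
# shape of audit.log AVC lines; field names are the real audit field names.
SAMPLE_AVC='type=AVC msg=audit(1693400000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1693400001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

avc_field() {
    # $1 = one record, $2 = key (comm, scontext, tcontext, tclass, ...);
    # prints the value with surrounding quotes removed.
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

avc_perms() {
    # Print the permission set inside "denied { ... }" as one space-separated string.
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

avc_summary() {
    # One line per denial: comm perms source_type target_type tclass
    printf '%s\n' "$1" | while IFS= read -r rec; do
        case "$rec" in *avc:*denied*) ;; *) continue ;; esac
        printf '%s %s %s %s %s\n' \
            "$(avc_field "$rec" comm)" "$(avc_perms "$rec")" \
            "$(avc_field "$rec" scontext | cut -d: -f3)" \
            "$(avc_field "$rec" tcontext | cut -d: -f3)" \
            "$(avc_field "$rec" tclass)"
    done
}

avc_hint() {
    # $1 = one avc_summary line. Classify the likely root cause:
    #   relabel - file/dir target not of an httpd_* type: mislabeled content,
    #             fix with semanage fcontext + restorecon, not a policy module
    #   port    - name_bind on a socket: the port is not labeled for the
    #             service, fix with semanage port rather than a custom module
    #   review  - anything else: read the denial before allowing it
    set -- $1
    comm=$1 perms=$2 stype=$3 ttype=$4 tclass=$5
    case "$tclass:$ttype:$perms" in
        file:*|dir:*)
            case "$ttype" in
                httpd_*) echo "review: $comm denied $perms on $ttype $tclass" ;;
                *)       echo "relabel: $tclass labeled $ttype, expected an httpd_* type" ;;
            esac ;;
        *_socket:*:name_bind*) echo "port: $ttype is not labeled for $stype, use semanage port" ;;
        *) echo "review: $comm denied $perms on $ttype $tclass" ;;
    esac
}

# Usage on a real host: avc_summary "$(ausearch -m AVC -c httpd --raw)" | while read -r l; do avc_hint "$l"; done
```

In Scenario 2 the classifier lands on "relabel", which is what `semanage fcontext` plus `restorecon -R` above fix without adding any new allow rules to the policy.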
#> echo "Thank you :)"