Objectives / Environment: Shared Ethernet, Bridged Ethernet

1. This document discusses the configuration of a virtual machine including the choice of operating system, installation of software packages, disk partitioning, user and group management, and basic security configurations. 2. Configuration files for services, networking, startup processes, and firewall rules are reviewed. Network file sharing using NFS, user authentication with NIS or LDAP, and a basic Apache web server are configured. 3. Periodic commands, firewall rules, and SELinux policies are discussed for access control and system security. Managing multiple websites on one server using virtual hosts is covered briefly.

Uploaded by maxdurieux88
Copyright: © Attribution Non-Commercial (BY-NC)

1. Objectives

2. Environment
- Choice of hardware
- Choice of operating system
- Virtualisation
- Network: Shared Ethernet, Bridged Ethernet, Host-Only
- Disk of 16 GB + additional disk of 8 GB
- RAM 1024 MB
- 2 CPUs

3. Installation
- Type of installation
- Automation: kickstart
- Language: English (discussion)
- Keyboard: be-latin1
- Disk layout:
    /             1.0 GB     disk1
    /usr          8.0 GB     disk1
    /usr/local    remaining  disk1
    /var          2.0 GB     disk1
    swap          2.0 GB     disk1
    /disks/home   2.0 GB     disk2
    /disks/share  remaining  disk2
- Choice of software packages
- Adding the development tools

4. Program
1. Basic installation
2. Local system: user management
3. Systems in a network: NFS
4. Network directories
5. Windows
6. Security, web servers

5. Post-installation
- No user added
- SELinux enabled (mode enforcing)
- anaconda-ks.cfg (kept for further reinstallation)
- Run level: switch from 5 to 3 (/etc/inittab; telinit 3)

6. Disk/Partition Management
- fdisk, mke2fs, mount
- Policies: data separated from the system (/disks/home, /disks/share, /usr/local)
- Filesystem Hierarchy Standard: / /bin /boot /dev /lib /usr /etc /var /tmp /sbin /opt

7. User Management
- Policy for user directories
- useradd, userdel, groupadd, groupdel
- su ; sudo ; visudo
- Disk space management: du, df
- Quota: usrquota, grpquota mount options in /etc/fstab (the filesystem needs to be remounted)
    quotacheck -cug <filesystem>
    repquota -a
    edquota [-p] user
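The quota steps above, as an added example that is not part of the slides: the script reads a constructed /etc/fstab, finds the entries carrying usrquota/grpquota, and prints the remount, quotacheck and quotaon commands each one still needs (the sample fstab and its devices are invented).

```shell
#!/bin/sh
# Added example: audit a constructed /etc/fstab for the usrquota/grpquota
# options the slide enables and print the remaining steps per filesystem.

# Constructed sample fstab (not taken from a real host).
SAMPLE_FSTAB='/dev/sda2 /            ext3 defaults                    1 1
/dev/sda5 /var         ext3 defaults                    1 2
/dev/sdb1 /disks/home  ext3 defaults,usrquota,grpquota  1 2
/dev/sdb2 /disks/share ext3 defaults,usrquota           1 2
/dev/sda6 swap         swap defaults                    0 0'

# quota_mounts: print "<mountpoint> <kinds>" (kinds = u, g or ug) for each
# entry whose options enable user and/or group quota; comments and swap skip.
quota_mounts() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 4 || $3 == "swap" { next }
        {
            n = split($4, opts, ",")
            kinds = ""
            for (i = 1; i <= n; i++) {
                if (opts[i] == "usrquota") kinds = kinds "u"
                if (opts[i] == "grpquota") kinds = kinds "g"
            }
            if (kinds != "") print $2, kinds
        }'
}

# quota_plan: for each quota-enabled mount, the commands the slide lists:
# remount so the new options apply, create the quota files (-c) for the
# user (-u) and/or group (-g) quota, then switch quota on.
quota_plan() {
    quota_mounts "$1" | while read -r mnt kinds; do
        printf 'mount -o remount %s\n' "$mnt"
        printf 'quotacheck -c%s %s\n' "$kinds" "$mnt"
        printf 'quotaon %s\n' "$mnt"
    done
}

quota_plan "$SAMPLE_FSTAB"
```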

8. Startup and configuration files
- /etc/inittab (run level & init script)
- /etc/rc.d/rc.sysinit (/etc/rc.sysinit)
- . /etc/sysconfig/network (explain the dot: the file is sourced into the current shell)
- /etc/rc.d/rc $runLevel -> /etc/rc$runLevel.d/K* and S*
- /etc/rc.local
- /etc/init.d/serviceName (e.g. network)
- Services and their configuration files: /etc/sysconfig, /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/init.d/network, /etc/init.d/nfs
- Other, less used daemons are started from /etc/init.d/xinetd
    missing from the base install: yum install xinetd
    configs in /etc/xinetd.conf and /etc/xinetd.d/ (example: rsync)
- NFS: file /etc/exports
    /etc/init.d/nfs start  (or /sbin/service nfs start)
    /sbin/chkconfig --level 345 nfs on

9. Client system
- iplclnt01: installation of Fedora Core 13
- Avoid the express installation (keyboard layout)
- Creating a local login is mandatory

10. NFS server with client
- Client cannot connect to the server
- Firewall: disabled with chkconfig --level 345 iptables off
- Problems with SELinux (enforcing -> permissive solved it!)
    setenforce permissive
    update /etc/sysconfig/selinux
- Update /etc/fstab
- userdel -r nina
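Before the NFS export on slides 8 and 10 is reachable from the client, the export list itself deserves a review. This added check (not from the slides) reads a constructed /etc/exports and reports the options that widen exposure: a world export, a disabled root squash, insecure source ports, and the classic space-before-parenthesis typo that silently exports to everyone. Paths, hosts and the 10.0.0.0/24 subnet are assumed values.

```shell
#!/bin/sh
# Added example: flag risky entries in a constructed /etc/exports.

SAMPLE_EXPORTS='# /etc/exports (constructed sample)
/disks/home   iplclnt01(rw,sync)
/disks/share  10.0.0.0/24(rw,sync,no_root_squash)
/usr/local    *(ro,sync)
/disks/backup iplclnt01 (rw,sync)
/tmp/scratch  iplclnt01(rw,insecure)'

# exports_findings: one "<path> <client> <finding>" line per risky export;
# a clean file prints nothing. A token with options but no client (the
# "host (opts)" typo) is reported as a world export, which is what it is.
exports_findings() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "<blank-client>"
                if (client == "*" || client == "<blank-client>")
                    print path, client, "exported-to-everyone"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash")
                        print path, client, "root-squash-disabled"
                    if (o[j] == "insecure")
                        print path, client, "non-privileged-source-ports"
                }
            }
        }'
}

exports_findings "$SAMPLE_EXPORTS"
```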

11. Lsof Directory - NIS
- NIS: Network Information Service; YP: Yellow Pages (protected trademark)
- Architecture: server (master, slave), client; specialized server: files, authentication
- Domain: # domainname ipl  (also set in /etc/sysconfig/network)
- Server iplsrv01
    software package: # yum install ypserv
    initialization: # /usr/lib64/yp/ypinit -m  (dbm files in /var/yp/<domainname>)
    /etc/init.d/ypserv start ; chkconfig --level 345 ypserv on
    /etc/init.d/ypbind start ; chkconfig --level 345 ypbind on
    update /etc/hosts
    update the dbm files from /var/yp (make)
- Firewall issues: bind ypserv to port 714
    /etc/sysconfig/network: YPSERV_ARGS="-p 714"
    update /etc/sysconfig/iptables
- Client iplclnt01
    domainname in /etc/sysconfig/network
    /etc/yp.conf
    # /etc/init.d/iptables stop
    /etc/nsswitch.conf

12. Directory: OpenLDAP
- LDAP: Lightweight Directory Access Protocol
- Entry: the unit of an LDAP directory, identified by its DN
- yum install openldap-servers
    disk space problem (missing 6 MB): tune2fs -m 1 /dev/sda2
- yum install openldap-clients
- Snapshot: begin lesson 5
- Attributes are described in a schema file: /etc/openldap/schema
- objectClass (example with nis.schema)
- LDIF: LDAP Data Interchange Format
- Update /etc/openldap/slapd.conf
    directory hierarchy, suffix: o=ipl,c=be (alternative: dc=ipl,dc=be)
    rootdn = cn=Manager,o=ipl,c=be
    slappasswd -> rootpw
    copy /etc/openldap/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG
    /etc/init.d/ldap start ; chkconfig --level 345 ldap on
- Populating the LDAP directory
    LDIF (LDAP Data Interchange Format), base64 encoding (pure ASCII)
    build the tree: Base.ldif
    user accounts and groups: Passwd.ldif, Group.ldif
    migration scripts in /usr/share/openldap/migration
    ldapadd -x -D "cn=manager,o=ipl,c=be" -W -f <file>.ldif
    ldapdelete -x -D "cn=manager,o=ipl,c=be" -W "cn=secretariat,ou=group,o=ipl,c=be"
    slapcat
    ldapsearch -x -D "cn=manager,o=ipl,c=be" -b "o=ipl,c=be" -W uid=titane
    browser via NetBeans
- Client install: yum install openldap-clients
    update /etc/ldap.conf and /etc/openldap/ldap.conf
    configure /etc/nsswitch.conf
    choice of the directory source: local, NIS, DNS, LDAP
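The Passwd.ldif / Group.ldif step above, as an added example that stands in for the migration scripts the slide mentions (it is not their code): constructed /etc/passwd and /etc/group lines become posixAccount and posixGroup entries from nis.schema under the slide's suffix o=ipl,c=be, with ou=people and ou=group assumed as containers. Passwords are not exported; a labelled placeholder is written instead.

```shell
#!/bin/sh
# Added example: passwd/group lines -> LDIF for ldapadd under o=ipl,c=be.

SUFFIX='o=ipl,c=be'

# Constructed sample records (names, UIDs and GIDs invented).
SAMPLE_PASSWD='titane:x:1001:1001:Titane User:/disks/home/titane:/bin/bash
carbone:x:1002:1002:Carbone User:/disks/home/carbone:/bin/bash'
SAMPLE_GROUP='secretariat:x:2001:titane,carbone'

# passwd_to_ldif: one posixAccount entry per passwd line under ou=people.
passwd_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$SUFFIX" '
        NF >= 7 {
            printf "dn: uid=%s,ou=people,%s\n", $1, base
            print "objectClass: top"
            print "objectClass: account"
            print "objectClass: posixAccount"
            printf "uid: %s\ncn: %s\n", $1, $5
            printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
            printf "homeDirectory: %s\nloginShell: %s\n", $6, $7
            # placeholder: set the real hash later with ldappasswd
            print "userPassword: {crypt}PLACEHOLDER"
            print ""
        }'
}

# group_to_ldif: one posixGroup entry per group line under ou=group, with
# one memberUid per member (the DN form slide 12 uses with ldapdelete).
group_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$SUFFIX" '
        NF >= 3 {
            printf "dn: cn=%s,ou=group,%s\n", $1, base
            print "objectClass: top"
            print "objectClass: posixGroup"
            printf "cn: %s\ngidNumber: %s\n", $1, $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "") printf "memberUid: %s\n", m[i]
            print ""
        }'
}

# Load the result with: ldapadd -x -D "cn=Manager,o=ipl,c=be" -W -f <file>
passwd_to_ldif "$SAMPLE_PASSWD"
group_to_ldif "$SAMPLE_GROUP"
```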

13. Samba
- Open-source implementation of the MS protocols
- /etc/samba/smb.conf
    share: secretariat
    discussion of the directory permissions
- Windows authentication: smbpasswd (-a)
- /etc/sysconfig/iptables: tcp/udp ports 137:139 and 445
- nmblookup -A 10.0.0.192
- smbclient -L 10.0.0.192 -U titane
- smbclient //10.0.0.192/secretariat -U titane
- Mounting from a Windows workstation
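Slides 10 and 11 resolve connectivity problems with "chkconfig iptables off" and "/etc/init.d/iptables stop"; slides 11 and 13 name the ports that actually need opening (ypserv pinned to 714, Samba 137:139 and 445). This added example (not from the slides) builds the matching /etc/sysconfig/iptables entries restricted to the lab subnet, which is assumed to be 10.0.0.0/24 from the 10.0.0.192 addresses on the page.

```shell
#!/bin/sh
# Added example: per-service ACCEPT rules for /etc/sysconfig/iptables,
# limited to the lab subnet instead of switching the firewall off.

LAB_NET='10.0.0.0/24'   # assumed from the 10.0.0.192 addresses on the page

# rule <proto> <port-or-range> <source>: one line in iptables-save format.
rule() {
    printf '%s\n' "-A INPUT -s $3 -p $1 -m $1 --dport $2 -m state --state NEW -j ACCEPT"
}

# service_rules <name>: the rules for one service; unknown names return 1.
service_rules() {
    case "$1" in
        nis)
            rule tcp 714 "$LAB_NET"      # ypserv with YPSERV_ARGS="-p 714"
            rule udp 714 "$LAB_NET" ;;
        samba)
            rule udp 137:139 "$LAB_NET"  # NetBIOS name/datagram/session
            rule tcp 137:139 "$LAB_NET"
            rule tcp 445 "$LAB_NET" ;;   # SMB over TCP
        *) return 1 ;;
    esac
}

# iptables_config <service>...: complete filter table, default-deny input.
iptables_config() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for svc in "$@"; do service_rules "$svc" || return 1; done
    echo 'COMMIT'
}

iptables_config nis samba
```

Note that ypserv is pinned to 714 precisely so that a fixed rule can be written; without YPSERV_ARGS the port is chosen by the portmapper at start-up.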

14. Extended security (NOT COVERED IN 2011/2012)
- Classical security model: DAC (3 x 3: rwx x ugo)
    DAC, discretionary access control: anyone can propagate access rights to a resource they own
- Additional security with extended attributes: commands lsattr, chattr
    a: append only; d: no dump; i: immutable; u: undeletable; A: no atime update
- Enhanced security model (SELinux): MAC; the sysadmin can restrict propagation of a user-owned resource
    type enforcement, role based access control, multi-level security
- Security is defined in a policy; targeted policy (confines key system processes to a domain)
- ls -Z, ps aZx
- Access is only allowed between similar types
- semanage port -l
- getsebool -a
- SELinux state: enforcing, permissive, disabled; commands: getenforce, setenforce, sestatus
- Example: the failed login of carbone on iplclnt01 (can't access the home directory)
- Modifying the policy, based on the error messages in /var/log/audit/audit.log
    audit2allow -a -M clientlocal > clientlocal.te
    grep <pattern> /var/log/audit/audit.log | audit2allow -M clientlocal
    semodule -i clientlocal.pp
    could get the same result with the boolean nfs_home_dirs!!!
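Before loading a module that audit2allow generated from the whole audit log, it pays to see exactly which denials it would allow. This added example (not from the slides) summarises constructed AVC records from /var/log/audit/audit.log by source domain, target type, object class and permissions; in the carbone case above the target type is nfs_t, which is the hint that the nfs_home_dirs boolean, not a custom module, is the right fix. The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise AVC denials as <count> <src type> <tgt type>
# <class> <perms>, most frequent first. Non-AVC records are ignored.

SAMPLE_AUDIT='type=AVC msg=audit(1300000000.101:42): avc:  denied  { search } for  pid=2312 comm="bash" name="home" dev=0:15 ino=12 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1300000000.102:43): avc:  denied  { read write } for  pid=2312 comm="bash" name=".bash_history" dev=0:15 ino=77 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1300000000.103:44): avc:  denied  { search } for  pid=2315 comm="bash" name="home" dev=0:15 ino=12 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1300000000.103:44): arch=c000003e syscall=2 success=no exit=-13'

avc_summary() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && / denied / {
            # permissions sit between "denied  { " and " }"
            perms = $0
            sub(/.*denied  [{] /, "", perms)
            sub(/ [}].*/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # context = user:role:type:level; the type is field 3
                if ($i ~ /^scontext=/) { split($i, p, ":"); src = p[3] }
                if ($i ~ /^tcontext=/) { split($i, p, ":"); tgt = p[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            count[src " " tgt " " cls " " perms]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

avc_summary "$SAMPLE_AUDIT"
```

A module written from this log would allow unconfined_t to search nfs_t directories and read/write nfs_t files; if every target type is nfs_t, setting the nfs_home_dirs boolean covers the same need without adding policy.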

15. Apache web server
- Lecture without a live demo (sorry)!
- How to manage several websites on a single server? The domain-name problem: a single IP address, multiple domain names
- Virtual servers: resolution at the application level
- Configuration files: /etc/httpd/conf/httpd.conf, /etc/httpd/conf.d/*
- VirtualHost: ServerName, DocumentRoot, Alias, logs
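The name-based virtual hosts just described, as an added example that is not from the slides: the script writes a /etc/httpd/conf.d file for several sites on the single address 10.0.0.192 (Apache 2.2 syntax with NameVirtualHost, matching the Fedora 13 era of the page), with one log pair per site. Site names and document roots are invented.

```shell
#!/bin/sh
# Added example: generate conf.d/vhosts.conf for name-based virtual hosts.

# vhost <servername> <documentroot>: one <VirtualHost> block on stdout.
vhost() {
cat <<EOF
<VirtualHost 10.0.0.192:80>
    ServerName $1
    DocumentRoot $2
    ErrorLog  logs/$1-error_log
    CustomLog logs/$1-access_log combined
    <Directory $2>
        Options -Indexes
        AllowOverride None
    </Directory>
</VirtualHost>

EOF
}

# vhosts_conf: the complete file. Apache answers a request whose Host
# header matches no ServerName from the FIRST vhost on that address, so
# the first block is a deliberate catch-all pointing at an empty root
# rather than at one of the real sites.
vhosts_conf() {
    echo 'NameVirtualHost 10.0.0.192:80'
    echo
    vhost default.ipl.be /var/www/empty
    vhost www.ipl.be /disks/share/www
    vhost intranet.ipl.be /disks/share/intranet
}

vhosts_conf
```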

16. iptables firewall

17. Periodic command execution and firewall
