RedHat Hardening Exam

March 14, 2018 | Author: Ashief Ahmed | Category: Superuser, Computer File, Unix, Computer Security, Online Safety & Privacy

RED HAT SERVER HARDENING EXAM PREPARATION (RH413)

Exam Instructions

Your domain is domain6.example.com and your network is 172.24.0.0/24. Two virtual machines belonging to your domain domain6.example.com are given:

    station1.domain6.example.com, IP address 172.24.6.100
    station2.domain6.example.com, IP address 172.24.6.120

You have the following questions to answer.

Question #1 Configure station1.domain6.example.com as a centralized IPA server and set the default UID and GID range from 5000 to 18000. Create the users defined in the table below:

    User Name   First Name   Last Name   UID    GID    Home Dir
    mrahman     Mustafijur   Rahman      6001   6001   /home/remotehost/mrahman
    aislam      Ariful       Islam       7001   7001   /home/remotehost/aislam
    rhat        Red          Hat         9001   9001   /home/remotehost/rhat

Solution:
>Disable NetworkManager
    /etc/init.d/NetworkManager stop
    chkconfig NetworkManager off

>Open the network configuration file and make the changes below
    vim /etc/sysconfig/network-scripts/ifcfg-eth0
    ##Change with your requirement
    BOOTPROTO="static"
    NM_CONTROLLED="no"
    IPADDR=172.24.6.100
    NETMASK=255.255.255.0
    GATEWAY=172.24.6.254
    DNS1=172.24.6.254

>Change /etc/hosts
    vim /etc/hosts
    ##Change with your requirement
    172.24.6.100   station1.domain6.example.com   station1

>Restart the network and enable it at boot
    /etc/init.d/network restart
    chkconfig network on

>Install the IPA server packages
    yum install ipa-server

>Install the IPA server instance
    ipa-server-install --hostname=station1.domain6.example.com -n domain6.example.com -r DOMAIN6.EXAMPLE.COM -p redhat13 -a redhat13 --idstart=5000 --idmax=18000 -U
OR
    ipa-server-install --idstart=5000 --idmax=18000
    ##Input the following values with your requirements
    Server host name [station1.domain6.example.com]: Enter
    Please confirm the domain name [domain6.example.com]: Enter
    Please provide a realm name [DOMAIN6.EXAMPLE.COM]: Enter
    Directory Manager password: redhat13
    IPA admin password: redhat13
    Continue to configure the system with these values? [no]: yes

>Restart the ssh service so that it picks up the Kerberos configuration
    /etc/init.d/sshd restart

>Verify the IdM instance by testing Kerberos authentication
    kinit admin

>Verify IPA access
    ipa user-find admin

>Add all 3 users to the IPA server
    #First user
    ipa user-add mrahman --first=Mustafijur --last=Rahman --homedir=/home/remotehost/mrahman --uid=6001 --gidnumber=6001 --password
    #Second user
    ipa user-add aislam --first=Ariful --last=Islam --homedir=/home/remotehost/aislam --uid=7001 --gidnumber=7001 --password
    #Third user
    ipa user-add rhat --first=Red --last=Hat --homedir=/home/remotehost/rhat --uid=9001 --gidnumber=9001 --password

Question #2 Configure station2.domain6.example.com as an IPA client of station1, so that home directories are mounted automatically.
Solution:
>Install the IPA client packages
    yum -y install ipa-client

>Install the IPA client instance
    ipa-client-install --mkhomedir
    ##Input the following values with your requirements
    Provide the domain name of your IPA server (ex: example.com): domain6.example.com
    Provide your IPA server name (ex: ipa.example.com): station1.domain6.example.com
    Proceed with fixed values and no DNS discovery? [no]: yes
    Continue to configure the system with these values? [no]: yes
    User authorized to enroll computers: admin
    Password for admin@DOMAIN6.EXAMPLE.COM: redhat13

>Log in on station2 as each user newly created on station1
    su - mrahman
    su - aislam
    su - rhat

Question #3 List all security packages, put the list in /root/rhsa.txt, and apply all security updates.
Solution:
>First create the repo file
    vim /etc/yum.repos.d/rhbase.repo
    ##Add the lines below. Make changes with your requirements.
    ##Change baseurl to the URL provided in the exam
    [rhbase]
    name=YUM
    baseurl=file:///mnt/Server
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Save and exit
>Now clean the yum cache
    yum clean all

>Install yum-plugin-security to view security updates
    yum install yum-plugin-security

>Check for update packages and store the information in /root/rhsa.txt
    yum updateinfo > /root/rhsa.txt

>Install only the security updates
    yum update --security

Question #4 Three rpms from an unknown source are given; install the suitable one.
Solution:
>Inspect the scriptlets of each rpm to decide which one is suitable (safe) to install.
    rpm -qp --scripts /net/instructor/var/ftp/pub/app1.rpm
    rpm -qp --scripts /net/instructor/var/ftp/pub/app2.rpm
    rpm -qp --scripts /net/instructor/var/ftp/pub/app3.rpm

>After finding the suitable rpm, install the package. Suppose app2.rpm is suitable to install.
    rpm -ivh /net/instructor/var/ftp/pub/app2.rpm

Question #5 Import a GPG key and determine which key is needed to verify a package.
Solution:
>Import the given GPG key. Suppose you have been given a GPG key RPM-GPG-KEY-redhat-GLS in the ftp location.
    rpm --import /net/instructor/var/ftp/pub/RPM-GPG-KEY-redhat-GLS

>Suppose you have been given the ftp package and asked to verify it with the GPG key. Check with the command below.
    rpm -vvK ftp://instructor/pub/packages/ftp-0.17-53.el6.x86_64.rpm 2>/dev/null

Question #6 Set the default umask so that any file the user zelane creates gets permission r-- r-- r-- and any directory gets permission r-x r-x r-x.
Solution:
>Log in as user zelane
    su - zelane

>Change .bash_profile for user zelane
    vim .bash_profile
    ##Add the line below at the bottom of the file
    umask 222
Save and exit
>Run the command below to reload the .bash_profile settings
    source ~/.bash_profile
OR log out and log in again as user zelane

>Check the umask value; this time it should be 222
    umask

>Create a file and a directory.
    touch testfile.txt
    mkdir testdir

>Check the permissions of the newly created file and directory. Do they match the given conditions?
    ls -l
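As an added illustration of what the umask check above should show (this is not code from the exam guide), the Python below applies a umask the way the shell's umask 222 does, creates a file and a directory in a scratch directory, and reads back the permission bits the kernel actually assigned. It also computes the expected value arithmetically (0666 & ~umask for files, 0777 & ~umask for directories) so the two can be compared; the scratch directory and its contents are created by the example itself.

```python
import os
import stat
import tempfile

# Added example (not from the original exam guide): apply a umask the way
# the shell's "umask 222" does and read back the permission bits the kernel
# gives new files and directories, so the expected r--r--r-- / r-xr-xr-x
# result can be verified rather than assumed.


def effective_modes(umask_value):
    """Return (file_mode, dir_mode) actually produced under umask_value.

    open() requests 0666 and mkdir() requests 0777, exactly as touch and
    mkdir do; the kernel clears every bit that is set in the umask.
    The scratch directory is created before the umask is changed so that
    it stays writable (a directory created under umask 222 would not be).
    """
    with tempfile.TemporaryDirectory() as tmp:
        old = os.umask(umask_value)
        try:
            fpath = os.path.join(tmp, "testfile.txt")
            dpath = os.path.join(tmp, "testdir")
            os.close(os.open(fpath, os.O_CREAT | os.O_WRONLY, 0o666))
            os.mkdir(dpath, 0o777)
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
        finally:
            os.umask(old)


def predicted_modes(umask_value):
    """The same result computed arithmetically: 0666 & ~umask, 0777 & ~umask."""
    return (0o666 & ~umask_value, 0o777 & ~umask_value)


def umask_for(file_mode):
    """The umask that turns a 0666 file request into the wanted file mode."""
    return 0o666 & ~file_mode


def rwx(mode):
    """Render a mode as ls -l does, e.g. 0o444 -> 'r--r--r--'."""
    return stat.filemode(mode)[1:]


if __name__ == "__main__":
    for mask in (0o222, 0o022, 0o077):
        f, d = effective_modes(mask)
        print("umask %03o -> file %s  dir %s" % (mask, rwx(f), rwx(d)))
```

Note that with umask 222 the creating user cannot write to their own new files without a chmod first, which is exactly the behaviour the question asks for.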

Question #7 Create a directory /engineering/data and give the musician group read and write permission on it.
Solution:
>Create the directory /engineering/data
    mkdir /engineering/data
>Check whether the partition or disk is mounted with the acl option
    cat /etc/fstab
OR
    tune2fs -l /dev/vda1
Note: The disk name (eg. /dev/vda1) may vary in the exam.
>If acl is not present, add it in /etc/fstab and remount the partition. Suppose you have been given a partition mounted at /engineering; then open /etc/fstab
    vim /etc/fstab
    ##Add acl to the /engineering entry
    /dev/mapper/vg_server-lv_engineer   /engineering   ext4   defaults,acl   1 2
Save and exit.
>Remount the /engineering partition
    mount -o remount,acl /engineering

>Now set the acl on /engineering/data
    setfacl -m g:musician:rw /engineering/data

>Check the acl on /engineering/data
    getfacl /engineering/data

Question #8 Delete the file /root/abc.txt
Solution:
>Check the attributes of the given file
    lsattr /root/abc.txt

>If you find that the file is immutable (i), change the file attribute
    chattr -i /root/abc.txt

>Now remove the file
    rm -rf /root/abc.txt

Question #9 Locate all files with special permissions (setuid, setgid, sticky) under the /sbin directory and put them in /root/special.txt
Solution:
>Run the command below to find all files with any special permission bit set and store them in /root/special.txt. The mask must be /7000 (setuid 4000, setgid 2000, sticky 1000); a mask of /700 would match the ordinary owner rwx bits and list almost every file.
    find /sbin -type f -perm /7000 > /root/special.txt

Question #10 Configure the password policy so that all new users' passwords expire after 3 days.
Solution:
>Open login.defs
    vim /etc/login.defs
    ##Change as below
    PASS_MAX_DAYS   3
Save and exit

Question #11 Configure station1 and station2 so that if any user fails to log in 3 times, that account becomes locked for 2 minutes.
Solution:
On station1.domain6.example.com
>Open system-auth
    vim /etc/pam.d/system-auth
    ##Add the lines below (put the auth line above the pam_unix.so auth entry so that failures are counted)
    auth     required   pam_tally2.so deny=3 even_deny_root unlock_time=120
    account  required   pam_tally2.so
Save and exit
>Open password-auth and do the same as for system-auth
    vim /etc/pam.d/password-auth
    ##Add the lines below
    auth     required   pam_tally2.so deny=3 even_deny_root unlock_time=120
    account  required   pam_tally2.so
Save and exit
>Check the applied rule by logging in as any user with a wrong password 3 times
    su - student

On station2.domain6.example.com
>Do the same as on station1.domain6.example.com

Question #12 Configure a group admin so that all users of that group get 2 minutes of CPU time when logged in to a session.
Solution:
>Open limits.conf
    vim /etc/security/limits.conf
    ##Add the line below
    @admin   -   cpu   2
Save and exit.
Note: Here we use the @ symbol before admin, because admin alone indicates a single user; @admin indicates a group.

Question #13 Watch /root/413.txt so that any write or execution can be monitored using the key 413-change
Solution:
>Open audit.rules
    vim /etc/audit/audit.rules
    ##Add the line below at the bottom of the file
    -w /root/413.txt -p wx -k 413-change
Save and exit.
>Restart the audit service and enable it at boot
    /etc/init.d/auditd restart
    chkconfig auditd on

>Now modify the file and check the audit log
    cat /var/log/audit/audit.log | grep "413-change"
OR
    ausearch -k "413-change" | aureport -f -i
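To show what the -k 413-change key actually gives you in /var/log/audit/audit.log, here is an added example (not part of the exam guide) that reads audit records, groups the SYSCALL record with the PATH records sharing its serial number, and reports the events carrying a given key, roughly what ausearch -k does. The log lines are constructed for the example, not captured from a real host, and the syscall-number table only covers the x86_64 numbers used in them.

```python
import re
from collections import defaultdict

# Added example, not part of the original exam guide: a small reader for
# /var/log/audit/audit.log that reports the events tagged by a watch key
# such as -k 413-change, grouping the SYSCALL record with its PATH records
# the way ausearch/aureport do.

# Constructed sample records (not captured from a real host): one write to
# /root/413.txt by vim, an unrelated read of /etc/hosts, and a failed
# attempt to execute /root/413.txt.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1521000000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=1c4a280 a1=241 a2=1b6 a3=0 items=2 ppid=1200 pid=1234 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="413-change"
type=CWD msg=audit(1521000000.101:201):  cwd="/root"
type=PATH msg=audit(1521000000.101:201): item=0 name="/root/" inode=130 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1521000000.101:201): item=1 name="/root/413.txt" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1521000000.150:202): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1240 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1521000000.150:202): item=0 name="/etc/hosts" inode=400 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1521000000.203:203): arch=c000003e syscall=59 success=no exit=-13 a0=1c4a300 a1=1c4a380 a2=1c4a400 a3=0 items=1 ppid=1200 pid=1251 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="413-change"
type=PATH msg=audit(1521000000.203:203): item=0 name="/root/413.txt" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 (arch=c000003e) syscall numbers seen in these records.
SYSCALL_NAMES = {2: "open", 59: "execve", 257: "openat"}


def parse_record(line):
    """Split one audit line into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, float(ts), int(serial), fields


def find_key_events(lines, key):
    """Return the events whose SYSCALL record carries the given audit key.

    Records with the same serial number belong to one event, so PATH
    records are collected per serial and attached to the SYSCALL record.
    """
    syscalls = {}
    paths = defaultdict(list)
    order = []
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        if rtype == "SYSCALL" and fields.get("key") == key:
            syscalls[serial] = (ts, fields)
            order.append(serial)
        elif rtype == "PATH":
            paths[serial].append(fields.get("name"))
    events = []
    for serial in order:
        ts, f = syscalls[serial]
        num = int(f.get("syscall", -1))
        events.append({
            "serial": serial,
            "time": ts,
            "auid": f.get("auid"),   # login uid: who really did it, even after su
            "uid": f.get("uid"),
            "comm": f.get("comm"),
            "exe": f.get("exe"),
            "syscall_name": SYSCALL_NAMES.get(num, str(num)),
            "success": f.get("success"),
            "paths": paths.get(serial, []),
        })
    return events


if __name__ == "__main__":
    for ev in find_key_events(SAMPLE_LOG.splitlines(), "413-change"):
        print("%(serial)s auid=%(auid)s %(comm)s %(syscall_name)s "
              "success=%(success)s paths=%(paths)s" % ev)
```

The auid field is the one to report on: it is the login uid, which survives su - and so attributes a change to the person who logged in rather than to root.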

Question #14 Configure the firewall on both station1 and station2 as per the following conditions:
i. Allow loopback communication
ii. Reject all sources except for the following services, and except traffic from domain6.example.com:
1. ssh allowed from anywhere.
2. http on station1.

Solution:

On station1.domain6.example.com
>Open iptables
    vim /etc/sysconfig/iptables
    ##Add the rules below
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -s 172.24.0.0/24 -j ACCEPT
    -A INPUT -j REJECT

>Restart iptables
    /etc/init.d/iptables restart

On station2.domain6.example.com
>Open iptables
    vim /etc/sysconfig/iptables
    ##Add the rules below
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 172.24.0.0/24 -j ACCEPT
    -A INPUT -j REJECT

>Restart iptables
    /etc/init.d/iptables restart
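As an added example (not part of the exam guide), the Python below evaluates the two INPUT rule sets above with the same first-match semantics iptables uses, against constructed packet descriptions, so you can see which rule decides each case and why the order matters: the loopback, ESTABLISHED and per-service ACCEPT rules must come before the final REJECT. The packets, the rule representation and the helper names are the example's own. Note that the subnet rule is used exactly as the guide writes it, 172.24.0.0/24, which does not contain the station addresses 172.24.6.100 and 172.24.6.120; only 172.24.0.x sources match it.

```python
import ipaddress

# Added example, not from the original guide: a first-match evaluator for
# the INPUT rules above, to show why their order matters (the loopback,
# ESTABLISHED and per-service ACCEPTs must come before the final REJECT).

# The station1 rule set as written in the guide, one rule per dict. Keys
# mirror the iptables options: i (in-interface), state, proto, dport, src.
STATION1_RULES = [
    {"i": "lo", "target": "ACCEPT"},
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"state": {"NEW"}, "proto": "tcp", "dport": 22, "target": "ACCEPT"},
    {"state": {"NEW"}, "proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"src": "172.24.0.0/24", "target": "ACCEPT"},
    {"target": "REJECT"},
]

# station2 is the same set without the port 80 rule.
STATION2_RULES = [r for r in STATION1_RULES if r.get("dport") != 80]


def rule_matches(rule, pkt):
    """True when every match condition present in the rule fits the packet."""
    if "i" in rule and pkt["iface"] != rule["i"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    if "src" in rule:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
            return False
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """Walk the chain in order; return (target, index) of the first match.

    index is None when the chain policy decides, which cannot happen with
    these rule sets because the last rule matches everything.
    """
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["target"], idx
    return policy, None


def packet(src, dport, proto="tcp", state="NEW", iface="eth0"):
    """Constructed packet description for the evaluator (no real traffic)."""
    return {"src": src, "dport": dport, "proto": proto, "state": state, "iface": iface}


if __name__ == "__main__":
    cases = [
        ("ssh from anywhere", packet("10.9.8.7", 22)),
        ("http from outside the subnet", packet("10.9.8.7", 80)),
        ("udp 514 from inside the subnet", packet("172.24.0.50", 514, proto="udp")),
        ("reply to our own outbound connection", packet("10.9.8.7", 40000, state="ESTABLISHED")),
        ("loopback", packet("127.0.0.1", 631, iface="lo")),
    ]
    for label, pkt in cases:
        print("%-40s station1=%s station2=%s" % (
            label, verdict(STATION1_RULES, pkt)[0], verdict(STATION2_RULES, pkt)[0]))
```

The last assertion in the accompanying check shows the failure mode: the same rules with REJECT moved to the top reject everything, including ssh, because nothing after a matching rule is consulted.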

Question #15 Configure an application so that when you run /sbin/als with a parameter it takes the input as a string and saves it anywhere. Additional information: /sbin/gls.sh uses the /usr/abc.dat file, which is created at first login. Give the dbmpr and root users the /usr/abc/dat file for modifying.

Question #16 Create a syslog server that accepts logs from any remote host, with a rule so that any message coming from a remote host goes to /var/log/remote.log
Solution:
>Open the rsyslog.conf file
    vim /etc/rsyslog.conf
    ##Uncomment the lines below
    $ModLoad imudp
    $UDPServerRun 514
    $ModLoad imtcp
    $InputTCPServerRun 514
Save and exit.
>Make a rule for incoming remote logs.
    vim /etc/rsyslog.d/remote.conf
    #Add the lines below: the first writes remote messages to the file, the second (~) discards them so they are not also written to the local log files
    :fromhost, !isequal, "127.0.0.1"   /var/log/remote.log
    :fromhost, !isequal, "127.0.0.1"   ~
Save and exit
>Restart the rsyslog service
    /etc/init.d/rsyslog restart

>Send some logs from a remote host and check that you receive them.
    tailf /var/log/remote.log

Question #17 Create a syslog client so that all messages go to the syslog host station1.domain6.example.com.
Solution:
>Open the rsyslog.conf file
    vim /etc/rsyslog.conf
    ##Find and modify the lines below
    *.info;mail.none;authpriv.none;cron.none   @station1.domain6.example.com
    authpriv.*                                 @station1.domain6.example.com
    mail.*                                     @station1.domain6.example.com
    cron.*                                     @station1.domain6.example.com
    *.emerg                                    @station1.domain6.example.com
    uucp,news.crit                             @station1.domain6.example.com
    local7.*                                   @station1.domain6.example.com
Save and exit
>Restart the rsyslog service
    /etc/init.d/rsyslog restart

>Send a test log
    logger This is test log
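To make the selector lines above concrete (and to show what the server in Question #16 receives on port 514), here is an added example, not part of the exam guide, that decodes the <PRI> header of a syslog message into its facility and severity and evaluates the client's selectors against it. The selector strings are copied from the configuration above; the messages are constructed, with <13> being the user.notice priority that logger sends by default. Only the plain selector forms the exam uses are handled (no = or ! priority modifiers), and the function and constant names are the example's own.

```python
import re

# Added example, not taken from the original guide: decode the <PRI> header
# of a syslog message into facility and severity, and evaluate the selector
# strings from the exam's /etc/rsyslog.conf against it, so the meaning of
# "*.info;mail.none;authpriv.none;cron.none" can be checked on real input.

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Selectors exactly as they appear in the client configuration above.
CLIENT_RULES = [
    "*.info;mail.none;authpriv.none;cron.none",
    "authpriv.*",
    "mail.*",
    "cron.*",
    "*.emerg",
    "uucp,news.crit",
    "local7.*",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(message):
    """Return (facility, severity, body) from a '<PRI>...' syslog line.

    PRI = facility * 8 + severity, so the two are recovered with divmod.
    """
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("no PRI header: %r" % message[:20])
    fac, sev = divmod(int(m.group(1)), 8)
    if fac not in FACILITY_NAMES:
        raise ValueError("unknown facility number %d" % fac)
    return FACILITY_NAMES[fac], SEVERITY_NAMES[sev], m.group(2)


def compile_selector(selector):
    """Turn 'fac1,fac2.prio;fac.none' into {facility: lowest severity kept}.

    Parts are applied left to right, so a later 'mail.none' removes the
    mail facility that an earlier '*.info' had included.
    """
    kept = {}
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        names = FACILITIES if facs == "*" else facs.split(",")
        for name in names:
            if prio == "none":
                kept.pop(name, None)
            else:
                # '*' keeps everything down to debug; a named priority keeps
                # that level and everything more severe (a smaller number).
                kept[name] = 7 if prio == "*" else SEVERITIES[prio]
    return kept


def matching_rules(message, rules=CLIENT_RULES):
    """List the selectors (in config order) that would forward this message."""
    facility, severity, _ = decode_pri(message)
    hits = []
    for selector in rules:
        kept = compile_selector(selector)
        if facility in kept and SEVERITIES[severity] <= kept[facility]:
            hits.append(selector)
    return hits


if __name__ == "__main__":
    # Constructed messages; '<13>' is user.notice, what 'logger' sends by default.
    for msg in ("<13>Mar 14 10:00:00 station2 root: This is test log",
                "<22>Mar 14 10:00:01 station2 postfix/smtpd[2201]: connect from localhost",
                "<86>Mar 14 10:00:02 station2 sshd[2300]: pam_unix(sshd:session): session opened"):
        print(decode_pri(msg)[:2], "->", matching_rules(msg))
```

The point the selectors make is that mail, authpriv and cron are excluded from the catch-all *.info line and forwarded by their own lines instead; with every line pointing at the same @station1 target that is redundant, but on a client that keeps local files too it is what lets those facilities be routed differently.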

Question #18 Make a new logical volume with the remaining space in the vgsrv volume group, use LUKS to encrypt it, and make sure it mounts unattended as /home at system boot.
Solution:
>Suppose you have a volume group vgsrv. Check the free space in that VG.
    vgs

>Create an LV with the available free space. Suppose we have 2GB free.
    lvcreate -L 2G -n lv_crypthome vgsrv

>Create a LUKS encrypted volume.
    cryptsetup luksFormat /dev/vgsrv/lv_crypthome

>Open the encrypted volume under the mapper name home
    cryptsetup luksOpen /dev/vgsrv/lv_crypthome home

>Create an ext4 filesystem on the opened (decrypted) device, which is /dev/mapper/home, not the raw LV.
    mkfs.ext4 /dev/mapper/home

>Mount the filesystem on /mnt and copy all data from /home
    mount /dev/mapper/home /mnt
    cp -pvrf /home/* /mnt

>Create a key file to unlock the encrypted volume; keep it readable by root only.
    dd if=/dev/urandom of=/root/luks-key.txt bs=4096 count=1
    chmod 600 /root/luks-key.txt

>Add the key to /dev/vgsrv/lv_crypthome
    cryptsetup luksAddKey /dev/vgsrv/lv_crypthome /root/luks-key.txt

>Make sure the encrypted volume is opened automatically at boot time.
    vim /etc/crypttab
    ##Add the line below
    home   /dev/vgsrv/lv_crypthome   /root/luks-key.txt
Save and exit.
>Update the /etc/fstab entry for the newly created encrypted volume.
    vim /etc/fstab
    ##Replace the existing /home partition entry with yours
    /dev/mapper/home   /home   ext4   defaults   1 2

>Reboot your machine to verify.
    reboot

Question #19 Configure AIDE to check only /etc/rh413.txt for permission or ownership changes.
Solution:
>Install AIDE
    yum install aide

>Open aide.conf
    vim /etc/aide.conf
    ##In the selection section add the rule below (PERMS is the predefined group covering permissions and ownership) and comment out the other selection lines so that only this file is checked
    /etc/rh413.txt   PERMS
Save and exit.
>Initialize AIDE
    aide --init

>Rename the newly created database.
    cd /var/lib/aide/
    mv aide.db.new.gz aide.db.gz

>Now make some changes to /etc/rh413.txt and check for changes
    aide --check

Question #19 Deny root ssh access on both station1 and station2.
Solution:
>Open sshd_config
    vim /etc/ssh/sshd_config
    ##Find the line below and change it as shown
    PermitRootLogin no
Save and exit.
>Restart the sshd service
    /etc/init.d/sshd restart
