CHAPTER 11 INFRASTRUCTURE ENHANCEMENT

    cd ~/masterfiles/PROD/repl/root/
    mkdir -p kickstart/rhel5_2
    scp -r root@rhmaster:/kickstart/cfengine-2.2.7 kickstart/
    scp -r root@rhmaster:/kickstart/scripts kickstart/
    scp root@rhmaster:/kickstart/rhel5_2/ks.cfg kickstart/rhel5_2/
    svn add kickstart

After that, we needed to copy out these files to the /kickstart directory on the host rhmaster using cfengine. Once again in our working copy, we created the directory PROD/inputs/tasks/app/kickstart, and created a task in the directory called cf.copy_kickstart_dir with these contents:

    copy:
        kickstart_server::
            $(master)/repl/root/kickstart
                dest=/kickstart
                mode=755
                r=inf
                owner=root
                group=root
                type=checksum
                server=$(fileserver)
                encrypt=true

    directories:
        kickstart_server::
            /kickstart mode=755 owner=root group=root inform=false

We added the PROD/inputs/tasks/app/kickstart directory to Subversion with svn add once we had the task file inside it. Next, we needed to do the usual steps in order to make this task get used by our Kickstart server. Here’s a summary of the steps:

1. Create the kickstart_server class in PROD/inputs/classes/cf.main_classes.
2. Create the hostgroup file at PROD/inputs/hostgroups/cf.kickstart_server that imports the cf.copy_kickstart_dir task. Add the file to the Subversion repository.
3. Set up the hostgroup import in the hostgroup mapping file PROD/inputs/hostgroups/cf.hostgroup_mappings.
4. Commit the changes to your working copy, and update the production working copy on the cfengine master.

Now our important Kickstart files are contained in Subversion and will be restored by cfengine via a copy if we ever have to rebuild our Kickstart server.

FAI

When we set up FAI, we were careful to modify the default FAI configuration files as little as possible. We wanted to be able to push new files as much as possible, since we knew that we would want to distribute those files using cfengine later on.
We collected all the files under the /srv/fai/config directory that we modified or added back in Chapter 6 in our working copy of the repository:

    pwd
    /home/nate/masterfiles/PROD/repl/root/srv/fai/config
    ls -R
    .:
    ./  ../  class/  disk_config/  files/  hooks/  package_config/  scripts/

    ./class:
    ./  ../  60-more-host-classes*  FAIBASE.var

    ./disk_config:
    ./  ../  LOGHOST  WEB

    ./files:
    ./  ../  etc/

    ./files/etc:
    ./  ../  cfengine/

    ./files/etc/cfengine:
    ./  ../  cfagent.conf/  update.conf/

    ./files/etc/cfengine/cfagent.conf:
    ./  ../  FAIBASE*

    ./files/etc/cfengine/update.conf:
    ./  ../  FAIBASE*

    ./hooks:
    ./  ../  savelog.LAST.source*

    ./package_config:
    ./  ../  FAIBASE  LOGHOST  WEB

    ./scripts:
    ./  ../  FAIBASE/

    ./scripts/FAIBASE:
    ./  ../  50-cfengine*  60-create-cf-config*

We’ll distribute all these as another recursive copy, this time into the /srv/fai/config directory on the FAI server (goldmaster). We have some additional files that we modified during the setup of our FAI server:

    /etc/fai/make-fai-nfsroot.conf
    /etc/dhcp3/dhcpd.conf
    /etc/inetd.conf

There is a problem with /etc/inetd.conf: in the task PROD/inputs/tasks/app/rsync/cf.enable_rsync_daemon, we add a line to /etc/inetd.conf using the editfiles action. This editfiles action must be changed or removed, since it makes no sense to have an editfiles action acting on a file that cfengine is also copying out. Two scenarios could result, depending on the contents of the inetd.conf file that cfengine copies into place:

The /etc/inetd.conf file won’t have the entry that the task cf.enable_rsync_daemon is looking for, and it will be added by the editfiles action. This means that the next time cfengine runs, /etc/inetd.conf won’t match the checksum of the file in the masterfiles tree, and inetd.conf will be copied again. After that, the editfiles action will once again notice that the required entry isn’t there, and it will add it yet again. This loop will continue on every time cfengine runs.

The /etc/inetd.conf file will already have the required entry, making the editfiles action unnecessary.

You can see that, either way, we don’t need the editfiles action. It either produces what we can only consider an error by constantly changing the file or is totally unneeded. We’ll simply place the required entry in the inetd.conf file that we copy out and remove the editfiles section from the cf.enable_rsync_daemon task. We will add a comment to the task, however, stating that the enable of the daemon is handled via a static file copy in another task and provide the task file name in the comment.

After editing the PROD/inputs/tasks/app/rsync/cf.enable_rsync_daemon task to comment out the editfiles section and add the new comment, we placed these files into our working copy of the cfengine tree:

    pwd
    /home/nate/masterfiles/PROD/repl
    cp /etc/inetd.conf root/etc/
    svn add root/etc/inetd.conf
    A         root/etc/inetd.conf
    cp /etc/fai/make-fai-nfsroot.conf root/etc/fai/
    svn add root/etc/fai/make-fai-nfsroot.conf
    A         root/etc/fai/make-fai-nfsroot.conf
    mkdir root/etc/dhcp3
    cp /etc/dhcp3/dhcpd.conf root/etc/dhcp3/
    svn add root/etc/dhcp3
    A         root/etc/dhcp3
    A         root/etc/dhcp3/dhcpd.conf

Note that the copies were local since we were working in our home directory from the goldmaster system itself.
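The copy-versus-editfiles conflict described above can be checked for across a whole task tree. The following is an added example, not code from the book: it assumes task files are named cf.* and follow the layout shown on this page (an action header such as copy: on its own line, dest= options, and editfiles entries opened with "{ /path"); the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the book): list files that one cfengine 2 task
# copies into place while another task edits them with editfiles.
# Assumes task files are named cf.* and use the layout shown on this page:
# "action:" headers on their own line, "dest=" options, "{ /path" openers.

find_copy_edit_conflicts() {
    # $1 = directory tree holding the task files, e.g. PROD/inputs/tasks
    find "$1" -type f -name 'cf.*' -exec awk '
        /^[ \t]*#/ { next }                             # commented-out lines
        /^[ \t]*[a-z]+:[ \t]*$/ { section = $1; next }  # copy:, editfiles:, ...
        section == "copy:" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dest=/) copied[substr($i, 6)] = FILENAME
        }
        section == "editfiles:" && $1 == "{" && $2 ~ /^\// {
            edited[$2] = FILENAME
        }
        END {
            for (p in edited)
                for (d in copied)
                    # exact match, or p lies under a copied directory
                    if (p == d || index(p, d "/") == 1)
                        printf "%s\tcopy(%s)=%s\teditfiles=%s\n", p, d, copied[d], edited[p]
        }
    ' {} + | sort
}

# Run against a tree given on the command line; exit 1 if conflicts exist.
if [ $# -ge 1 ]; then
    out=$(find_copy_edit_conflicts "$1")
    [ -z "$out" ] || { echo "$out"; exit 1; }
fi
```

A match under a recursively copied directory is only a possible conflict, since the edited file may not exist in the source tree.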
We created a task at PROD/inputs/tasks/app/fai/cf.copy_fai_files with these contents:

    control:
        fai_server::
            AddInstallable = ( restart_inetd restart_dhcpd )

    copy:
        fai_server::
            $(master)/repl/root/srv
                dest=/srv
                mode=755
                r=inf
                owner=root
                group=root
                type=checksum
                server=$(fileserver)
                encrypt=true

            $(master_etc)/inetd.conf
                dest=/etc/inetd.conf
                mode=755
                owner=root
                group=root
                type=checksum
                server=$(fileserver)
                encrypt=true
                define=restart_inetd

            $(master_etc)/fai/make-fai-nfsroot.conf
                dest=/etc/fai/make-fai-nfsroot.conf
                mode=755
                owner=root
                group=root
                type=checksum
                server=$(fileserver)
                encrypt=true

            $(master_etc)/dhcp3/dhcpd.conf
                dest=/etc/dhcp3/dhcpd.conf
                mode=755
                owner=root
                group=root
                type=checksum
                server=$(fileserver)
                encrypt=true
                define=restart_dhcpd

    directories:
        fai_server::
            /srv mode=755 owner=root group=root inform=false

    shellcommands:
        debian.restart_inetd::
            "/etc/init.d/openbsd-inetd restart" timeout=30 inform=true

        debian.restart_dhcpd::
            "/etc/init.d/dhcp3-server restart" timeout=30 inform=true

We made sure to add the new tasks/app/fai directory to the repository. We need to create the fai_server class, create a hostgroup file for it, and import it in the cf.hostgroup_mappings file. Here’s a summary of the steps:

1. Create the fai_server class in PROD/inputs/classes/cf.main_classes.
2. Create the hostgroup file at PROD/inputs/hostgroups/cf.fai_server that imports the cf.copy_fai_files task. Add the file to the Subversion repository.
3. Set up the hostgroup import in the hostgroup mapping file PROD/inputs/hostgroups/cf.hostgroup_mappings.
4. Commit the changes to your working copy, and update the production working copy on the cfengine master.

Subversion Backups

The procedure to back up a Subversion repository is quite simple. We can use the svnadmin command with the hotcopy argument to properly lock the repository and perform a file-based backup.
Backing up this way is much better than performing a cp or rsync copy of the repository files, which might result in a corrupted backup. Use the command like this:

    svnadmin hotcopy /path/to/repository /path/to/backup-repository

The repository made by svnadmin hotcopy is fully functional; we are able to drop it in place of our current repository should something go wrong. We can create periodic backups of our repository this way and copy the backups to another host on our network or even to an external site.

Be aware that each time a hot copy is made, it will use up the same amount of disk space as the original repository. Backup scripts that make multiple copies using svnadmin hotcopy will need to be careful not to fill up the local disk with backups.

We’ll create a script at PROD/repl/admin-scripts/svn-backup with these contents (explained section by section):

    #!/bin/sh
    # This script is tested on Debian Linux only.

    PATH=/sbin:/usr/sbin:/bin:/usr/bin:/opt/admin-scripts
    SVN_REPOS="/var/svn/repository/binary-server /var/svn/repository/cfengine"

    case `hostname` in
        etchlamp*)
            echo "This is the host on which to backup the Subversion repo, continuing."
            ;;
        *)
            echo "This is NOT the host on which to backup the SVN repo, exiting..."
            exit 1
            ;;
    esac

Since we copied the script to all hosts on our network, we took steps to make sure that it only runs on the proper host:

    BACKUP_BASE_DIR=/var/backups
    LOCKFILE=/root/svn_backup_lock

    rm_lock_file() {
        rm -f $LOCKFILE
    }

We’ll be using file locking to prevent two invocations of this script from running at once.
    rotate_backups() {
        BACKUP_DIR_NAME=$1
        if cd $BACKUP_DIR_NAME
        then
            for num in 6 5 4 3 2 1
            do
                one_more=`expr $num + 1`
                if [ -d backup.${num} ]
                then
                    if [ -d backup.${one_more} ]
                    then
                        rm -rf backup.${one_more} && \
                            mv backup.${num} backup.${one_more}
                    else
                        mv backup.${num} backup.${one_more}
                    fi
                fi
            done
        else
            echo "Can't cd to $BACKUP_DIR_NAME - exiting now"
            rm_lock_file
            exit 1
        fi
    }

We wrote a subroutine to manage our stored backup directories. It takes an argument of a repository directory that needs to be backed up, and it moves any numbered backup directories to a new backup directory with the number incremented by one. A backup directory with the number 7 is removed, since we only save seven of them. For example, the directory /var/backups/binary-server/backup.7/ is removed, and the directory /var/backups/binary-server/backup.6/ is moved to the name /var/backups/binary-server/backup.7/. The subroutine then progresses backward numerically from 5 to 1, moving each directory to another directory with the same name except the number incremented by 1. When it is done, there is no directory named /var/backups/binary-server/backup.1/, which is the directory name we’ll use for a new Subversion backup:

    # don't ever run two of these at once
    lockfile $LOCKFILE || exit 1

    for REPO in $SVN_REPOS
    do
        SHORTNAME=`basename $REPO`
        BACKUP_DIR=$BACKUP_BASE_DIR/$SHORTNAME
        [ -d $BACKUP_DIR ] || mkdir -p $BACKUP_DIR
        cd $BACKUP_DIR && rotate_backups $BACKUP_DIR
        /usr/bin/svnadmin hotcopy $REPO $BACKUP_DIR/backup.1
    done

In this section, we perform these steps:

1. Retrieve just the short portion of the directory name using the basename command so that the variable SHORTNAME contains the value binary-server or cfengine—the two repository directory names.
2. We then make sure that the directory used for the backups exists and create it if necessary.
3. Now that the directory is known to exist, we change directory to the proper backup directory and use our subroutine that rotates the previous backup directories.
4. Then we use the svnadmin hotcopy command to create a new backup of the repository. This is done for each directory listed in the variable SVN_REPOS.

    # if we get here without errors, clean up
    rm_lock_file

Finally, we removed the lock file that is used to prevent two of these from running at once. We ran the script eight times in a row to demonstrate the output. Here it is:

    hostname
    etchlamp
    ls -ltr /var/backups/binary-server/
    total 28
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.7
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.6
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.5
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.4
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.3
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.2
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.1
    ls -ltr /var/backups/cfengine/
    total 28
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.7
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.6
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.5
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.4
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.3
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.2
    drwxr-xr-x 7 root root 4096 2008-09-01 23:31 backup.1

In order to use the lockfile command (contained in the script), the package procmail needs to be installed. Add the string procmail on a line by itself to your working copy of PROD/repl/root/srv/fai/config/package_config/FAIBASE, and check in the modification so that all future hosts get the package installed. For now, just install the procmail package using apt-get on the Subversion server (the system etchlamp).

We’ll create a task to run the backup script once per day, in a file at the location PROD/inputs/tasks/app/svn/cf.svn_backups with these contents (be sure to add it into the Subversion repository):

    shellcommands:
        svn_server.debian.Hr00.Min00_05::
            "/opt/admin-scripts/svn-backup" timeout=600

We’re using cfengine to run the backups every day between midnight and five minutes after midnight.
Remember that we set a five-minute SplayTime, so cfagent will run at some time in the five minutes after midnight. We need to specify the range so that our shellcommands action will run. The absolute time class of Min00 probably wouldn’t match, but the range Min00_05 definitely will.

Now, we need to add this line to PROD/inputs/hostgroups/cf.svn_server:

    tasks/app/svn/cf.svn_backups

Commit your changes to the repository, and update the production working copy. Now, every night at midnight, a new backup will be created, and we’ll always have seven days’ worth of backups on hand.

Copying the Subversion Backups to Another Host

We will copy the Subversion backup directories to another host on our local network using cfengine, so we’ll be able to quickly restore our two Subversion repositories if the Subversion server fails. We’ll modify our site’s shared cfservd.conf configuration file to grant access to the backup directories on etchlamp from a designated backup host. We will use the cfengine master as the backup host and always keep a complete backup of those directories.

We added these lines to PROD/inputs/cfservd.conf in the admit: section:

    etchlamp::
        # Grant access to the Subversion backups to the goldmaster host
        /var/backups/binary-server   192.168.1.249
        /var/backups/cfengine        192.168.1.249

Then, we created a task to copy the directories, the file PROD/inputs/tasks/app/svn/cf.copy_svn_backups with these contents (and we added the file to the repository, of course):

    copy:
        fileserver.Hr00.Min20_25::
            /var/backups/cfengine
                dest=/var/backups/svnbackups/cfengine
                mode=555
                r=inf
                purge=false
                owner=root
                group=root
                type=checksum
                server=$(svn_server)
                encrypt=true
                trustkey=true

[...]...
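The svn-backup script earlier in this section is introduced with a warning that repeated hot copies can fill the local disk. The following pre-flight check is an added example, not part of the book's script: the function names and the MARGIN_PCT safety margin are assumptions of this example, while the seven-copy retention and the backup.N naming follow the script above.

```shell
#!/bin/sh
# Added example (not from the book): pre-flight disk check for the
# seven-copy rotation used by svn-backup. KEEP matches the script's
# retention; MARGIN_PCT is an assumption of this example.
KEEP=7
MARGIN_PCT=10

# Size of a directory tree in KiB, or 0 if it does not exist.
dir_kib() {
    if [ -d "$1" ]; then
        du -sk "$1" | awk '{ print $1 }'
    else
        echo 0
    fi
}

# Free KiB on the filesystem that holds directory $1.
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# KiB a new hot copy of repository $1 needs in backup directory $2:
# repository size plus margin, minus the space rotation frees.
needed_kib() {
    repo_kib=$(dir_kib "$1")
    oldest_kib=0
    # rotate_backups removes backup.7 only when backup.6 exists to replace it
    if [ -d "$2/backup.$(( KEEP - 1 ))" ]; then
        oldest_kib=$(dir_kib "$2/backup.$KEEP")
    fi
    need=$(( repo_kib + repo_kib * MARGIN_PCT / 100 - oldest_kib ))
    if [ "$need" -lt 0 ]; then need=0; fi
    echo "$need"
}

# Succeeds only if the backup filesystem can hold the next hot copy.
hotcopy_fits() {
    [ "$(free_kib "$2")" -ge "$(needed_kib "$1" "$2")" ]
}

# Usage: script REPO BACKUP_DIR  (exit 1 means "do not rotate or copy")
if [ $# -ge 2 ]; then
    hotcopy_fits "$1" "$2" || { echo "not enough space in $2 for $1" >&2; exit 1; }
fi
```

In the backup loop, the check belongs after the mkdir -p of the backup directory and before rotate_backups, so that a full disk leaves the existing seven copies untouched.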
suffered total system failure on any of our hosts, including the critical cfengine master, we can restore the system to full functionality.

CHAPTER 12 Improving System Security

Early in this book, we established that managing the contents and permission of files is the core of UNIX/Linux system administration. UNIX/Linux security is also almost entirely concerned with file contents and permissions...

manage look at LDAP System Administration

Security with Kerberos is an authentication system designed to be used between trusted hosts on an security system and basic information can be found at same accounts across multiple systems Unlike many other options,...

audit trail, we want administrators to execute commands that require root privileges with single command like this: This way, root commands are logged via syslog by the command, so our log host gets the logs, and the regular logcheck reports will include all commands run as root. There is a problem, though. Nothing stops our administrators from running a command that gives them a root shell: ...

Linux systems through cfengine, and then later install a new Linux sys following sections Just be aware that this is far from a comprehensive list. Your own systems will almost certainly have more areas where you can use cfengine to enhance their security book will tell you what to configure, and...

command will work on all systems at our example site, should be run as , and allows us to view the list and determine what to allow: This command to save the output into a file for later investigation, while still displaying the output to the screen Linux...

this a feature, not a bug. No new programs will last more than a day with the setuid bit set on our systems.

Protecting System Accounts

system accounts are commonly used for brute force login attempts to systems. Every day, lists of common system accounts along with common passwords are used to ...
field denotes either “passworded” or “locked,” but we know our command expects a particular string command doesn’t understand it

Applying Patches and Vendor Updates

Both Enterprise systems fully patched and up to date: ...

programs such as chkrootkit. If you confirm that a rootkit is installed on one of your systems, remove the system from the network, retrieve any important data, and reimage the host. The follow-on actions are to confirm that your data isn’t compromised, that the attacker isn’t on any of your other systems, and that your system is secured after reimaging (preferably during reimaging) so that the attacker...

), since most modern UNIX systems support ents, take a well as client libraries and compiles on a wide variety of systems A second, newer alternative is tion It takes a bit of work to set up, and you have to make sure your systems can take advantage of...

be performing very familiar operations when using cfengine to increase the security of our UNIX and Linux hosts. At various points in this book, we’ve taken security into account when configuring our systems or when implementing some new functionality easily change passwords and add and remove accounts across our site sion) has the