SELinux (Security Enhanced Linux)
- A mandatory access control system originally developed by the US NSA (National Security Agency).
- Even if an attacker gains root through a bug in a system daemon, root is exercised only within that daemon's domain; access to the rest of the system stays constrained, so the compromise cannot be extended into a full break-in of the system.

1. SELinux configuration file
# vi /etc/sysconfig/selinux
SELINUX=enforcing  (on)            : the SELinux policy is enforced
       =permissive (warnings only) : the policy is checked, but denials are only logged (syslog/audit), not blocked
       =disabled   (off)           : SELinux is turned off
(Write the value in lower case with no spaces around the "=", e.g. SELINUX=enforcing.)
------------------------------------------------------------------------------------------------------------------
SELINUXTYPE=targeted : confine only the targeted daemons (default)
           =strict   : apply policy to every process on the system (older policy; on RHEL/CentOS 6 strict has been folded into targeted and the shipped alternatives are mls and minimum)

When enabling SELinux for the first time, set permissive, reboot, run the system and confirm there are no denials, then switch to enforcing. Going from disabled to enabled also requires a full relabel (touch /.autorelabel before the reboot), because files created while SELinux was disabled carry no labels.

2. Switching the runtime mode (volatile: reverts to the config-file mode on reboot)
### switch to enforcing
# setenforce 1
### switch to permissive
# setenforce 0
setenforce only toggles between enforcing and permissive; enabling or disabling SELinux needs the config file and a reboot.

3. Checking SELinux status
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
4. Checking SELinux status (verbose)
# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/sbin/mingetty                  system_u:system_r:getty_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling term:               unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:init_exec_t:s0
/sbin/mingetty                  system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
(An "a -> b" entry means the path is a symlink labelled a whose target is labelled b.)

5. Controlling activation at boot (grub.conf)
# vi /etc/grub.conf
enable:  kernel /vmlinuz-2.6.32-220.13.1.el6.x86_64 ro root=~~~~~~ selinux=1
disable: kernel /vmlinuz-2.6.32-220.13.1.el6.x86_64 ro root=~~~~~~ selinux=0
# sync; reboot
SELinux Boolean settings
### install vsftpd and start the daemon
# yum install vsftpd
# service vsftpd restart
### if a client sees the following message on login, set the ftp_home_dir boolean as shown below
<< FTP: 500 OOPS:
<< FTP: cannot change directory:/home/isbyeon
<< 500 OOPS: child died
### set ftp_home_dir (-P writes the value to the policy store so it survives a reboot; without -P it is volatile)
# setsebool -P ftp_home_dir 1
# getsebool ftp_home_dir
ftp_home_dir --> on
### list the state of every boolean
# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
(...)
xserver_object_manager --> off
### FTP-related booleans
Boolean                   Description
ftp_home_dir              allow local users to log in and read/write their home directories
allow_ftpd_full_access    allow ftpd, acting as a local user, to read and write every file on the system (very broad; prefer ftp_home_dir when that is all you need)
allow_ftpd_use_nfs        allow ftpd to serve files on NFS mounts
allow_ftpd_anon_write     allow anonymous users to upload
allow_ftpd_use_cifs       allow ftpd to serve files on CIFS (Samba) mounts
### Samba-related booleans
Boolean                   Description
samba_domain_controller   required when Samba acts as a PDC (domain controller)
samba_export_all_rw       allow read/write export of any file or directory (broad)
samba_enable_home_dirs    allow sharing users' home directories
samba_share_fusefs        allow sharing FUSE filesystems, e.g. Windows (NTFS) partitions mounted with ntfs-3g
samba_run_unconfined      allow Samba to run unconfined scripts (broad)
### httpd-related booleans
Boolean                   Description
httpd_builtin_scripting   allow built-in scripting such as PHP inside the web daemon
httpd_can_sendmail        allow the web daemon to send mail
httpd_can_network_connect allow web scripts and modules to open network connections (to any port; broad)
httpd_enable_homedirs     allow the web daemon to read home directories
http://tcs-security-blanket.blogspot.com/2011/09/security-blanket-supports-selinux.html
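The pattern in the boolean sections above is the same each time: read the current state from getsebool, flip only the boolean the failure actually needs, and persist it with -P. The script below is an added example (not part of the original notes) that automates that check offline: it parses `getsebool -a` output, lists the requested booleans that are not on, and prints the `setsebool -P` commands, but refuses to emit a bare command for the broad booleans (allow_ftpd_full_access, samba_export_all_rw, samba_run_unconfined, httpd_can_network_connect) and prints a warning instead. The getsebool listing and the "broad" grouping are the editor's constructions; function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit SELinux booleans for a service against the ones the notes
# list, using the "name --> on|off" format printed by `getsebool -a`.
# SAMPLE_GETSEBOOL is CONSTRUCTED for offline use; on a real host replace it with
# the real listing:  getsebool -a > /tmp/sebool.txt
SAMPLE_GETSEBOOL='abrt_anon_write --> off
abrt_handle_event --> off
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_homedirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
xserver_object_manager --> off'

# Booleans that grant far more than one use case needs (editor's grouping).
# Flipping one of these should be a conscious decision, not a reflex after a
# single AVC denial; e.g. httpd_can_network_connect_db is the narrower choice
# when httpd only needs to reach a database port.
BROAD_BOOLEANS='allow_ftpd_full_access samba_export_all_rw samba_run_unconfined httpd_can_network_connect'

# bool_state NAME < getsebool-output : prints on, off, or unknown (not in the listing)
bool_state() {
    awk -v n="$1" '$1 == n && $2 == "-->" { print $3; found = 1 }
                   END { if (!found) print "unknown" }'
}

# missing_bools "NAME NAME ..." < getsebool-output : the requested booleans that are not on
missing_bools() {
    input=$(cat)
    for b in $1; do
        state=$(printf '%s\n' "$input" | bool_state "$b")
        [ "$state" = "on" ] || printf '%s\n' "$b"
    done
}

# is_broad NAME : succeeds when NAME is in BROAD_BOOLEANS
is_broad() {
    case " $BROAD_BOOLEANS " in *" $1 "*) return 0 ;; esac
    return 1
}

# remediation "NAME NAME ..." < getsebool-output : prints the setsebool -P commands
# needed; broad booleans get a warning comment instead of a ready-to-run command
remediation() {
    missing_bools "$1" | while read -r b; do
        if is_broad "$b"; then
            printf '# WARNING: %s is broad; confirm no narrower boolean fits before: setsebool -P %s 1\n' "$b" "$b"
        else
            printf 'setsebool -P %s 1\n' "$b"
        fi
    done
}

# Demo on the constructed listing: the vsftpd "500 OOPS" case from the notes
# needs only ftp_home_dir; a Samba home-share plus read/write export of
# everything trips the warning.
printf '%s\n' "$SAMPLE_GETSEBOOL" | remediation "ftp_home_dir"
printf '%s\n' "$SAMPLE_GETSEBOOL" | remediation "samba_enable_home_dirs samba_export_all_rw"
```

On a live host the two demo lines become `getsebool -a | remediation "ftp_home_dir"`; review the printed commands before running them, since the script deliberately never calls setsebool itself.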
File contexts (CentOS)
Location of the file-context rules : /etc/selinux/targeted/contexts/files/file_contexts
chcon options
-t : set the type of the given file (the type is the third field of the context; chcon -u, -r and -l set the user, role and level)
-R : apply the same change recursively to every file under a directory
# chcon -t httpd_user_content_t FILE
The command above uses chcon to set the type httpd_user_content_t on FILE.
Caveat: chcon changes only the label stored on the inode. Any relabel (restorecon, fixfiles, or a boot with /.autorelabel) resets the file to what file_contexts says. To make a label change permanent, record the rule in the policy store and then apply it:
# semanage fcontext -a -t httpd_user_content_t '/path/to/dir(/.*)?'
# restorecon -Rv /path/to/dir

Fields of a SELinux security context (example of a user_home_t file)
User (identity) : system_u
Role            : object_r
Type            : user_home_t
Level           : s0
# Reference
/etc/selinux/targeted/contexts/files/file_contexts         : rules for ordinary files (configuration, executables, libraries, logs, etc. under /etc, /lib, /var and so on)
/etc/selinux/targeted/contexts/files/file_contexts.homedir : rules for files under users' home directories
6. Log format
Denials are recorded in the audit log (/var/log/audit/audit.log when auditd is running) and otherwise in /var/log/messages via the kernel log. The format is as follows.
May 10 00:39:53 server kernel: audit(1178725193.534:53): avc: denied { name_connect } for pid=4178 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

In this example httpd (httpd_t) tried to connect to TCP port 3306 (mysqld_port_t) and was denied; the narrowest matching boolean is httpd_can_network_connect_db, not the broader httpd_can_network_connect listed above.

audit(timestamp) : when the record was written (seconds since the epoch, followed by a serial number after the colon)
avc : the message came from the SELinux access vector cache; almost every SELinux message you will see is from it
denied / granted : whether the policy denied or allowed the access
{ read write unlink ... } : the permission(s) that were attempted on the target (for a file: read, write, unlink, ...; for a TCP socket: name_connect, ...)
for pid= : the PID of the process
comm= : the command name of the process (shown in the example line)
exe= : the path of the executable that started the process
name= : the name of the target the action was attempted on
dev= : the device the target file is located on
ino= : the inode of the target of the action
scontext= : the process's security context (user, role, type and, where present, level)
tcontext= : the security context of the target of the action (file, directory, port, etc.)
tclass= : the class of the target object: dir, file, device node, tcp_socket, or something else
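The field list above, together with the staged-rollout rule from section 1 (permissive first, enforcing only once the permissive run logged no denials), is enough to script the review step. The block below is an added example, not part of the original notes: it parses AVC records in the format shown, splits contexts into user:role:type:level while keeping a level such as s0-s0:c0.c1023 intact, reduces each record to the (source type, target type, class, permission) tuple a policy rule is keyed on, reads SELINUX= from a config file, and states whether switching to enforcing is justified. The log lines and the config file are constructed; function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes): parse AVC records and tie the
# count of denials to the rollout rule from section 1. SAMPLE_AVC and
# SAMPLE_CONFIG are CONSTRUCTED for offline use; on a real host feed the
# functions with:  grep 'avc: ' /var/log/audit/audit.log
# and:             cat /etc/sysconfig/selinux
SAMPLE_AVC='May 10 00:39:53 server kernel: audit(1178725193.534:53): avc: denied { name_connect } for pid=4178 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
May 10 00:40:01 server kernel: audit(1178725201.120:54): avc: denied { read write } for pid=4178 comm="httpd" name="index.php" dev=sda2 ino=131074 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
May 10 00:40:05 server kernel: audit(1178725205.003:55): avc: granted { setenforce } for pid=2001 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security'

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

# context_field CONTEXT N : field N of a security context (1=user 2=role 3=type
# 4=level). The level may itself contain ':' (s0-s0:c0.c1023), so only the
# first three colons separate fields.
context_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '{
        if (n < 4) { print $n; next }
        lvl = $4; for (i = 5; i <= NF; i++) lvl = lvl ":" $i; print lvl
    }'
}

# avc_summary < log : one line "result source_type target_type tclass perm" per
# permission, so "{ read write }" yields two lines. Only the type field of each
# context is kept: source type, target type and class are what a rule is keyed on.
avc_summary() {
    awk '
    /avc: +(denied|granted)/ {
        result = ""; perms = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "denied" || $i == "granted") result = $i
            else if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms " " $j }
            else if ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        split(s, sf, ":"); split(t, tf, ":")
        n = split(perms, p, " ")
        for (k = 1; k <= n; k++) print result, sf[3], tf[3], c, p[k]
    }'
}

# denied_count < log : number of denied permissions (not records)
denied_count() {
    avc_summary | awk '$1 == "denied"' | wc -l | tr -d ' '
}

# config_value KEY < config : value of KEY, skipping comment lines, trimming
# blanks and lower-casing (the real file should already be lower case)
config_value() {
    awk -F= -v k="$1" '
    /^[ \t]*#/ { next }
    { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
    $1 == k { print tolower($2) }'
}

# rollout_advice MODE DENIALS : the staged-rollout rule from section 1
rollout_advice() {
    if [ "$1" = "permissive" ] && [ "$2" -eq 0 ]; then
        echo "permissive run logged no denials: set SELINUX=enforcing and run setenforce 1"
    elif [ "$1" = "permissive" ]; then
        echo "$2 denied permission(s) would be blocked under enforcing: fix labels or booleans first"
    else
        echo "mode is $1: no rollout step to take"
    fi
}

# Demo run on the constructed data
printf '%s\n' "$SAMPLE_AVC" | avc_summary
mode=$(printf '%s\n' "$SAMPLE_CONFIG" | config_value SELINUX)
denials=$(printf '%s\n' "$SAMPLE_AVC" | denied_count)
rollout_advice "$mode" "$denials"
echo "level of the granted record's source: $(context_field 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' 4)"
```

The summary deliberately drops the user and role and keeps the type pair plus class: that triple is what you look up (or feed to audit2allow) when deciding whether a denial is a mislabelled file (fix with restorecon or semanage fcontext), a missing boolean (setsebool), or real policy that should stay in place. The `granted` record shows that not every avc line is a denial; `denied_count` counts permissions, so a single `{ read write }` record counts twice.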