Wednesday, 27 February 2013

RHCSA: Single User Mode Security

In yesterday's blog post, I showed how it's possible to prevent users from making changes to the boot options by adding a password to the GRUB menu. For the extra paranoid, it's not a bad idea to prevent anonymous root login in single-user mode. The drawback to this is that you won't be able to log in and change your root password if you forget it. You'll be taking an additional step towards protecting your system from those who have physical access to your machines though, so perhaps it's worth it. Just make sure you don't forget your root password!

In order to prevent anonymous root login, you need to make a change to /etc/sysconfig/init. At the bottom of this file you'll see a line that controls the login shell in single-user mode (the final SINGLE= line):

 [root@rhel6 ~]# cat /etc/sysconfig/init  
 # color => new RH6.0 bootup  
 # verbose => old-style bootup  
 # anything else => new style bootup without ANSI colors or positioning  
 BOOTUP=color  
 # column to start "[ OK ]" label in   
 RES_COL=60  
 # terminal sequence to move to that column. You could change this  
 # to something like "tput hpa ${RES_COL}" if your terminal supports it  
 MOVE_TO_COL="echo -en \\033[${RES_COL}G"  
 # terminal sequence to set color to a 'success' color (currently: green)  
 SETCOLOR_SUCCESS="echo -en \\033[0;32m"  
 # terminal sequence to set color to a 'failure' color (currently: red)  
 SETCOLOR_FAILURE="echo -en \\033[0;31m"  
 # terminal sequence to set color to a 'warning' color (currently: yellow)  
 SETCOLOR_WARNING="echo -en \\033[0;33m"  
 # terminal sequence to reset to the default color.  
 SETCOLOR_NORMAL="echo -en \\033[0;39m"  
 # Set to anything other than 'no' to allow hotkey interactive startup...  
 PROMPT=yes  
 # Set to 'yes' to allow probing for devices with swap signatures  
 AUTOSWAP=no  
 # What ttys should gettys be started on?  
 ACTIVE_CONSOLES=/dev/tty[1-6]  
 # Set to '/sbin/sulogin' to prompt for password on single-user mode  
 # Set to '/sbin/sushell' otherwise  
 SINGLE=/sbin/sushell  

The two comment lines above the SINGLE setting tell you all you need to know: change the line from SINGLE=/sbin/sushell to SINGLE=/sbin/sulogin. Doing this ensures that the root password is required to log in to the system in single-user mode, and gives you that extra bit of security beyond password protecting the GRUB menu.

Of course, there are other things that a determined attacker can do if you don't harden your systems. A boot CD could be put in the optical drive and an alternate environment loaded from which tools can be run to get to your data. The first thing you should do in that case is disable booting from anything other than the hard disk in the BIOS and password protect it.

You could also encrypt the filesystem to prevent it being looked at by a person booting from a Live-CD. Another idea would be to disable the Ctrl-Alt-Del keypress in order to stop the system being rebooted by a person who hasn't logged in. I'll be looking at how to do these in a future blog post.

It goes without saying, of course, that the best way to stop your system from being attacked by somebody with physical access is to prevent physical access. Keep all doors to datacentres locked with a cipher lock and key if possible, put up some CCTV as a further deterrent and ensure that only trusted colleagues are able to gain access.


RHCSA: The GRUB Bootloader

Currently supported Red Hat systems use GRUB (the GRand Unified Bootloader). Older Red Hat systems used a different bootloader, LILO (Linux Loader), but for the Red Hat exams you only need to know about GRUB. The GRUB bootloader reads its config from /etc/grub.conf. Here is what is contained in my /etc/grub.conf file:

 # grub.conf generated by anaconda  
 #  
 # Note that you do not have to rerun grub after making changes to this file  
 # NOTICE: You have a /boot partition. This means that  
 #     all kernel and initrd paths are relative to /boot/, eg.  
 #     root (hd0,0)  
 #     kernel /vmlinuz-version ro root=/dev/mapper/vg_cordelia-lv_root  
 #     initrd /initrd-[generic-]version.img  
 #boot=/dev/sda  
 default=0  
 timeout=5  
 splashimage=(hd0,0)/grub/splash.xpm.gz  
 hiddenmenu  
 title Red Hat Enterprise Linux Client (2.6.32-358.el6.x86_64)  
      root (hd0,0)  
      kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg_cordelia/lv_swap rd_LVM_LV=vg_cordelia/lv_root rd_NO_DM rhgb quiet crashkernel=auto  
      initrd /initramfs-2.6.32-358.el6.x86_64.img  
 title Red Hat Enterprise Linux Client (2.6.32-279.22.1.el6.x86_64)  
      root (hd0,0)  
      kernel /vmlinuz-2.6.32-279.22.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg_cordelia/lv_swap rd_LVM_LV=vg_cordelia/lv_root rd_NO_DM rhgb quiet crashkernel=auto  
      initrd /initramfs-2.6.32-279.22.1.el6.x86_64.img  

The file is pretty easy to read. Reading down the file, we can see default=0, which means it will choose the first stanza as the default kernel and kernel options to boot from. Next we see timeout=5, meaning that the GRUB menu will remain on the screen for 5 seconds before moving on and booting from the first stanza. The next line, hiddenmenu, means you will need to press a key to display the menu at boot time, otherwise it will pause for 5 seconds for a keypress before booting the default option.

Next up is the first stanza, containing the title given to this boot choice and, in brackets, the kernel. On the next line we see the device and partition that the system will boot from, followed by the location of the kernel with the boot options appended to the end of the line. There are lots of boot options here; at this study level we aren't required to know about all of them. What we do need to be aware of, though, is that we can append boot options to the end of this line. To do this, we need to press the 'e' key on the GRUB menu. Here's what the menu looks like on a Fedora system:


If we were to press the 'e' key on the GRUB menu and then add a number 1 to the end of the boot options, that would boot the system into single-user mode. Single-user mode can be thought of as similar to Safe Mode on a Windows system: it boots up with a minimum of services running and can be used for troubleshooting problems. Because single-user mode boots us straight into the root account, we can reset the root user's password. While this is great if you are the only person who will ever have access to the system, it isn't so great from a security standpoint. If you can reset the root password you can perform any kind of system administration task: delete users, uninstall critical services, delete config files, etc. I wouldn't like to leave GRUB open on any system I maintain, so it's possible to password protect the GRUB menu. Here's how:


As root, type grub-md5-crypt at a command prompt. You will be prompted for a password and then asked to repeat it before the password is hashed and the hash of the password is echoed back to your screen:

 [root@rhel6 ~]# grub-md5-crypt   
 Password:   
 Retype password:   
 $1$isrO31$O6vMiDSfnaeOlepqP4ceA

You can then take the hashed password and add it to your grub.conf file like so:


 # grub.conf generated by anaconda  
 #  
 # Note that you do not have to rerun grub after making changes to this file  
 # NOTICE: You have a /boot partition. This means that  
 #     all kernel and initrd paths are relative to /boot/, eg.  
 #     root (hd0,0)  
 #     kernel /vmlinuz-version ro root=/dev/mapper/vg_cordelia-lv_root  
 #     initrd /initrd-[generic-]version.img  
 #boot=/dev/sda  
 default=0  
 timeout=5  
 splashimage=(hd0,0)/grub/splash.xpm.gz  
 hiddenmenu  
 password --md5  $1$isrO31$O6vMiDSfnaeOlepqP4ceA
 title Red Hat Enterprise Linux Client (2.6.32-358.el6.x86_64)  
      root (hd0,0)  

By doing this, you can protect your GRUB menu from those who gain physical access to your system. The menu will now require you to press 'p' and enter your password before you can proceed to press 'e' to change the kernel boot options.
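The GRUB password above and the SINGLE=/sbin/sulogin change from the single-user mode post can be checked together with a small audit script. This is an added example, not part of the original posts; the function names, the sample files it writes and the placeholder hash are constructed for illustration, and it assumes /etc/sysconfig/init is read as plain shell assignments.

```bash
#!/bin/bash
# Added example: audit the two boot-time settings from these posts.

# Effective single-user shell. Assumes the file is read as shell assignments,
# so the last uncommented SINGLE= wins. Quotes and whitespace are stripped.
single_user_shell() {
    sed -n 's/^[[:space:]]*SINGLE=//p' "$1" | tail -n 1 | tr -d "\"' \t\r"
}

# Succeeds only if single-user mode will prompt for the root password.
single_user_requires_password() {
    [ "$(single_user_shell "$1")" = "/sbin/sulogin" ]
}

# Classify the global GRUB password directive as hashed, plaintext or none.
# Only the global section (before the first "title") is examined, since that
# is where the post places the directive.
grub_menu_password() {
    awk '
        $1 == "title"    { exit }
        $1 == "password" { state = ($2 ~ /^--(md5|encrypted)$/) ? "hashed" : "plaintext" }
        END              { print (state == "" ? "none" : state) }
    ' "$1"
}

# Report both checks; returns non-zero if either one fails.
audit_boot_hardening() {
    local init_file="${1:-/etc/sysconfig/init}" grub_file="${2:-/etc/grub.conf}" rc=0
    if single_user_requires_password "$init_file"; then
        echo "PASS  single-user mode runs /sbin/sulogin"
    else
        echo "FAIL  SINGLE=$(single_user_shell "$init_file") (no root password prompt)"
        rc=1
    fi
    case $(grub_menu_password "$grub_file") in
        hashed)    echo "PASS  GRUB menu has a hashed password" ;;
        plaintext) echo "FAIL  GRUB password is stored in clear text"; rc=1 ;;
        *)         echo "FAIL  GRUB menu has no password"; rc=1 ;;
    esac
    return $rc
}

# Write constructed sample files (not taken from a real host) into directory $1.
make_samples() {
    printf '%s\n' 'PROMPT=yes' '# Set to /sbin/sulogin to prompt for password' \
        ' SINGLE=/sbin/sushell  ' > "$1/init.default"
    sed 's/sushell/sulogin/' "$1/init.default" > "$1/init.hardened"
    printf '%s\n' 'default=0' 'timeout=5' 'title RHEL' ' root (hd0,0)' \
        > "$1/grub.open"
    printf '%s\n' 'default=0' 'password --md5 $1$CONSTRUCTED$PLACEHOLDERHASH' \
        'title RHEL' ' root (hd0,0)' > "$1/grub.locked"
}

# Demo on the constructed samples. On a real RHEL 6 host, run
# audit_boot_hardening as root with no arguments to check the live files.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_boot_hardening "$demo_dir/init.default"  "$demo_dir/grub.open" || true
audit_boot_hardening "$demo_dir/init.hardened" "$demo_dir/grub.locked"
rm -rf "$demo_dir"
```

A commented-out password line, or one that only appears after the first title, is reported as "none".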

More information about GRUB is available here:

http://www.gnu.org/software/grub/manual/grub.html

and of course in the man pages on your system.

Friday, 22 February 2013

RHCSA: Controlling System Services


Here's another post that I'm doing to help me remember the details of controlling system services on a RHEL system. Perhaps you'll find it useful too.

On Red Hat systems we can find our services in /etc/init.d/. They are really just script files that can be configured to run services at system startup.  There are a number of things we can do with services, such as starting, stopping, checking service status and reloading/rereading config files.

Check Service Status

We can do this in one of two ways:

 # /etc/init.d/httpd status

or

 #service httpd status  

We can use the first method on many different Linux systems. The second method is "The Red Hat Way" so you may find it doesn't work on all systems.

Starting, Stopping and Restarting a Service

Again, there are two ways:

 # /etc/init.d/httpd start
 # /etc/init.d/httpd stop

and "The Red Hat Way":

 #service httpd start  
 #service httpd stop  


We can also restart a service in the same way, just use the word "restart" at the end of the command.

If a change has been made to a config file and we want our service to reread the config, we can use:

 #/etc/init.d/httpd reload  

or

 # service httpd reload


Check Service Runlevels

We can use the chkconfig command to see if a service is set to run at startup. If we want to see all of the services and their runlevels, we would use:

 chkconfig --list  
 NetworkManager      0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 abrt-ccpp        0:off     1:off     2:off     3:on     4:off     5:on     6:off  
 abrt-oops        0:off     1:off     2:off     3:on     4:off     5:on     6:off  
 abrtd          0:off     1:off     2:off     3:on     4:off     5:on     6:off  
 acpid          0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 atd           0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 auditd          0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 autofs          0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 avahi-daemon       0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 bluetooth        0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 certmonger        0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 cgconfig         0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 cgred          0:off     1:off     2:off     3:off     4:off     5:off     6:off  
 cpuspeed         0:off     1:on     2:on     3:on     4:on     5:on     6:off  
 crond          0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 cups           0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 dnsmasq         0:off     1:off     2:off     3:off     4:off     5:off     6:off  
 ebtables         0:off     1:off     2:off     3:off     4:off     5:off     6:off  
 firstboot        0:off     1:off     2:off     3:off     4:off     5:off     6:off  
 haldaemon        0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 httpd          0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 ip6tables        0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 ipsec          0:off     1:off     2:off     3:off     4:off     5:off     6:off  
 iptables         0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 irqbalance        0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 iscsi          0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 iscsid          0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 kdump          0:off     1:off     2:off     3:off     4:off     5:off     6:off  
 ksm           0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 ksmtuned         0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 libvirt-guests      0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 libvirtd         0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 lvm2-monitor       0:off     1:on     2:on     3:on     4:on     5:on     6:off  
 mdmonitor        0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 messagebus        0:off     1:off     2:on     3:on     4:on     5:on     6:off  
 netconsole        0:off     1:off     2:off     3:off     4:off     5:off     6:off  
 netfs          0:off     1:off     2:off     3:on     4:on     5:on     6:off  
 network         0:off     1:off     2:on     3:on     4:on     5:

(Above output is truncated)

If we want to look at a single service, we would use the same command but also specify the service we are interested in:

 # chkconfig --list httpd  
 httpd          0:off     1:off     2:off     3:off     4:off     5:off     6:off  

We can see here that the httpd service is not currently configured to run at any runlevels. If we wanted to make a change so that it runs at runlevels 3, 4 and 5:

 # chkconfig --level 345 httpd on  

And then take another look:

 # chkconfig --list httpd  
 httpd          0:off     1:off     2:off     3:on     4:on     5:on     6:off  


We can see now that the httpd service will start automatically on runlevels 3, 4 and 5. If we wanted to change this, we could issue the chkconfig --level command with the runlevel we want to remove httpd from and the off command.

GUI Service Control

There is also a GUI tool that can be used to make changes to system services. If you want to use it then you will need to install system-config-services from the software repositories. Although it is there to be used if you really feel it necessary, I recommend learning and sticking to the command line tools as described above. They are quick and simple to get to grips with and you don't know when you'll come face to face with a system which has no GUI. If you know how to use the above commands you should be able to configure services on any Red Hat system you encounter.

Wednesday, 20 February 2013

RHCSA: How To Grant Access To The Sudo Command

Use of the sudo command allows non-root users to make administrative changes on a system without granting them access to the root user account.

If you need to give somebody access to the sudo command on a system, it is necessary to make changes to the /etc/sudoers file. While in theory it is possible to use vi, nano or the editor of your choice, the preferred method is to use visudo. Visudo has built-in error checking to ensure that the syntax of the /etc/sudoers file is correct; otherwise you can find yourself locked out of a system and unable to make the changes you need to fix it again. So make sure you use visudo.

In the /etc/sudoers file you will find a line that allows root to run all commands:


 ## Allow root to run any commands anywhere
 root     ALL=(ALL)      ALL  


A quick and easy way to allow a user to run all commands is to add an additional line just below this one, like so:


 ## Allow root to run any commands anywhere
 root     ALL=(ALL)      ALL 
 mugwriter     ALL=(ALL)      ALL  


This will allow the user mugwriter to use sudo to run any command. Rather than typing the root user password, mugwriter will use his own password in order to perform system administrative tasks.

Raspberry Pi Radio Streamer

Another use I've found for my Raspberry Pi is to use it to stream music from the BBC and also http://somafm.com. I'm using the command line rather than the GUI so I can't easily browse to the site and launch the stream through the media player. Here's the code:


 #! /bin/bash  
 clear  
 TODAY=$(date)  
 HOST=$(hostname)  
 echo "-----------------------------------------------------"  
 echo "$HOST       $TODAY"  
 echo "                           "  
 echo "Welcome to the Raspberry Pi Radio Streamer      "  
 echo "-----------------------------------------------------"  
 echo "Hi, $USER!"  
 echo "Which station would you like to listen to?"  
 echo "1) BBC Radio 1"  
 echo "2) BBC Radio 2"  
 echo "3) BBC Radio 3"  
 echo "4) BBC Radio 4"  
 echo "5) BBC Radio 5 Live"  
 echo "6) BBC 6 Music"  
 echo "7) Jazz FM"  
 echo "8) Smooth 70s"  
 echo "9) Birdsong Radio"  
 echo "20) SomaFM - Mission Control"  
 read n  
 case $n in  
     1) echo "Playing BBC Radio 1" && mplayer http://www.bbc.co.uk/radio/listen/live/r1_aaclca.pls > /dev/null 2>&1 & ;;  
     2) echo "Playing BBC Radio 2" && nohup mplayer http://www.bbc.co.uk/radio/listen/live/r2_aaclca.pls > /dev/null 2>&1 & ;;  
     3) echo "Playing BBC Radio 3" && mplayer http://www.bbc.co.uk/radio/listen/live/r3_aaclca.pls > /dev/null 2>&1 & ;;  
     4) echo "Playing BBC Radio 4" && mplayer http://www.bbc.co.uk/radio/listen/live/r4_aaclca.pls > /dev/null 2>&1 & ;;  
     5) echo "Playing BBC Radio 5 Live" && mplayer http://www.bbc.co.uk/radio/listen/live/r5l_aaclca.pls > /dev/null 2>&1 & ;;  
     6) echo "Playing BBC 6 Music" && mplayer http://www.bbc.co.uk/radio/listen/live/r6_aaclca.pls & ;;  
     7) echo "Playing Jazz FM" && mplayer http://listen.onmyradio.net:8002/ > /dev/null 2>&1 & ;;  
     8) echo "Playing Smooth 70s" && mplayer http://shoutcast.gmgradio.com:10008/ > /dev/null 2>&1 & ;;  
     9) echo "Playing Birdsong Radio" && mplayer http://stardust.wavestreamer.com:8062 > /dev/null 2>&1 & ;;  
     20) echo "Playing SomaFM - Mission Control" && mplayer http://somafm.com/missioncontrol.pls > /dev/null 2>&1 & ;;  
     # Any other input: report it instead of trying to run a command named "invalid"
     *) echo "Invalid option" ;;
 esac

It's not terribly complicated, it presents a simple menu, reads user input and points mplayer towards a corresponding stream. It's designed to be portable and should work on any system that has mplayer installed. I want to try to get a "Now Playing" message added to it as the next step. I suppose I need to get it to read the BBC website and scrape it from there somehow and echo it back to the screen. I also need to work out a better way of stopping it playing other than "killall mplayer" when I need to shut it off.

Feel free to take the code and modify it, it's very rough and could use more features. It's very simple but it does the job well enough for my needs.

Saturday, 16 February 2013

Raspberry Pi

A couple of weeks back I saw this article and decided that, at that price point, a Raspberry Pi Model A was something that I could now justifiably buy as something just to tinker with. A hobby system that I can play around with. I also justified it by telling myself that I could use it for learning to code Python on. Whether that ever happens I don't know, but I'd like to have a go at it some time.

With my Pi being something of an impulse purchase, I didn't really spend the time to research what the differences were between the Model A and the older Model B. The main differences are that the Model A lacks the onboard 10/100 ethernet port and also only has a single USB port. No problem I thought, I can just use my USB hub and use my Linksys wifi dongle. Another thing that differentiates the Model A and B is that the Model A draws less power. Even so, I've got mine running from a micro USB power supply that came with my Kindle. It's recommended that the Pi should be provided at least 1A from the power supply. The Kindle PSU that I had available is only rated for 0.85A output but, even so, seems to provide adequate juice. Perhaps that's down to the reduced power consumption of the Model A version.

My Pi is currently running Raspbian, an ARM version of Debian that is optimised for the system. It seemed nippy enough when I had it connected to my TV but I've since decided that the best way to run it is by using SSH to log into it remotely and use the command line.

My Pi in its case with exciting robot USB hub.

As far as a use for the Pi, I had toyed with the idea of running a blog from it but running Apache on it made it really rather slow. Perhaps the updated Model B version with its 512MB of RAM would cope better. I might try nginx in the future but so far I've not had time to investigate it. For the time being I've settled on using it to scrape the BBC iPlayer site and download radio and video using Get-Iplayer before converting the formats into something more useable and adding them to a Samba share on my home network. I'll put up a post in the near future about how I've done this. I've found it useful so far, there are lots of radio shows that I like on the BBC and I often forget to listen to them. This way it's automated and I can just pick up the episodes and listen to them when my schedule allows. Why yes, of course I delete them once I'm done with them!

I've got a few other ideas for something to do with the Pi in the future, perhaps I'll build a weather station with it. I quite fancy having a go at that and it's something that I think my kids might be interested in. I'm also tempted to get a second unit, perhaps I'll go for the Model B next time. 




Friday, 15 February 2013

Red Hat RHCSA

So I'm getting ready to do my first Red Hat course next month. I'm fortunate enough that my employer has agreed to fund it for me, otherwise it would be out of my reach. This being said, I'm not going to go into the course and the following exam without covering as much of the syllabus myself beforehand. I'm working my way through Michael Jang's RHCSA/RHCE Red Hat Linux Certification Study Guide and also watching some video training from VTC.com. I'm hopeful that laying down this groundwork before I go on the course will be enough to ensure I'm not overwhelmed with new information once the day of the Red Hat course rolls around. I've got around a month to go, so I'll be using this site to keep a record of my learning and to give me something to refer back to in the future.