change the value to "YES"
- Add a line beneath it that reads 'kern_securelevel="2"'
Lastly, modify the /etc/fstab file with vi to change how each partition is
mounted, so that an attacker who does (by chance alone) break into the box can
do as little as possible. Essentially, we're restricting some of the partitions
with the 'nosuid', 'noexec' and 'ro' mount options. The original /etc/fstab
should look something like this. Yours might look a little different (the
device names in the first column may differ), but that's OK. The column we'll
be modifying is the 4th one, Options.
# Device       Mountpoint   FStype   Options   Dump   Pass#
/dev/ad0s1b    none         swap     sw        0      0
/dev/ad0s1a    /            ufs      rw        1      1
/dev/ad0s1e    /tmp         ufs      rw        2      2
/dev/ad0s1g    /usr         ufs      rw        2      2
/dev/ad0s1d    /usr/home    ufs      rw        2      2
/dev/ad0s1h    /usr/local   ufs      rw        2      2
/dev/ad0s1f    /var         ufs      rw        2      2
proc           /proc        procfs   rw        0      0
First, copy the original /etc/fstab file to /etc/fstab.original. Then make
another copy of /etc/fstab and call it /etc/fstab.restrictive, and edit
/etc/fstab.restrictive so that it reads as follows:
# Device       Mountpoint   FStype   Options                  Dump   Pass#
/dev/ad0s1b    none         swap     sw                       0      0
/dev/ad0s1a    /            ufs      rw,nosuid                1      1
/dev/ad0s1e    /tmp         ufs      rw,noexec,nosuid,nodev   2      2
/dev/ad0s1g    /usr         ufs      ro                       2      2
/dev/ad0s1d    /usr/home    ufs      rw,noexec,nosuid         2      2
/dev/ad0s1h    /usr/local   ufs      ro,nosuid                2      2
/dev/ad0s1f    /var         ufs      rw,noexec,nosuid         2      2
proc           /proc        procfs   rw                       0      0
Next, copy your new /etc/fstab.restrictive over the original /etc/fstab, so
that your "real" fstab has the restrictive settings while both other copies
(the original and the restrictive one) remain available for later:
[root@numa etc]# cp /etc/fstab.restrictive /etc/fstab
Note that this makes adding new software, etc. much harder, since /usr and
/usr/local are mounted read-only. Programs that try to install their user-land
binaries into /usr/local/bin will fail during installation, and cvsup, which
updates the kernel sources in /usr/src and the ports tree in /usr/ports, can't
write there either because both fall under /usr. So mounting your partitions
this restrictively is a double-edged sword: it limits what an attacker can do
on your system, but it makes software installs and kernel upgrades harder (or
impossible, for as long as the partitions stay mounted the restrictive way).
Given that, if you want to add new software or upgrade the kernel and the ports
tree sources, you'll need to:
a. Change the partitions' mount options in /etc/fstab back to their original
values by copying your /etc/fstab.original file to /etc/fstab.
b. Bump the kernel security level back down to "1" by setting the
kern_securelevel parameter in your /etc/rc.conf file, and then
c. Reboot the machine. (This step is unavoidable: the securelevel can be
raised on a running system with sysctl, but it can never be lowered without
a reboot.)
d. Update your sources with cvsup, then make buildworld, make kernel, and
make installworld.
Then, when you're done upgrading, recompiling and installing, do the steps in
reverse:
a. Change the partitions' mount options in /etc/fstab back to their restrictive
values by copying your /etc/fstab.restrictive file to /etc/fstab.
b. Bump the kernel security level back up to "2" by setting the
kern_securelevel parameter in your /etc/rc.conf file, and then
c. Reboot the machine.
This may sound like a pain...I know. But this is your firewall, not a desktop
workstation. This is the price you pay for a VERY, VERY secure machine. If you
want an even more secure machine than this, you can start setting the
immutable flag on files in the filesystem with the chflags command and its
schg flag (keep in mind that once the securelevel is 1 or higher, schg can no
longer be removed, so that too becomes part of the maintenance reboot
dance)...but that's a whole separate howto in and of itself. For now, though,
you shouldn't need to manipulate immutable flags.
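The switch between the two profiles, plus the two checks worth running around it, as an added shell helper that is not part of the original howto: make_restrictive_fstab derives /etc/fstab.restrictive from the original by rewriting only the Options column as in the table above; set_mode does steps a and b of the procedure in either direction; list_suid_on_nosuid shows which setuid/setgid programs will stop working on the partitions that go nosuid (the table puts nosuid on /, so anything setuid under /bin and /sbin, such as /sbin/ping, is affected); and check_mounted_opts verifies after the reboot that what is actually mounted matches what fstab asks for. The function names, the ROOT variable (which points the script at a staging directory for a dry run) and the usage sequence in the trailing comment are assumptions of this example.

```shell
#!/bin/sh
# Added helper for the fstab/securelevel juggling in this howto; not code from
# the original page. Function names, the ROOT variable and the usage sequence
# at the bottom are assumptions of this example.
#
# ROOT lets the functions work on a staging tree (ROOT=/some/dir uses
# /some/dir/etc) for a dry run; leave it empty on the real firewall.
ROOT="${ROOT:-}"

# Derive /etc/fstab.restrictive from the original: rewrite only the Options
# column (4th field) of the ufs partitions, using the values from the howto's
# table; comments, swap and procfs lines pass through untouched.
make_restrictive_fstab() {
    awk '
    BEGIN {
        OFS = "\t"
        o["/"]          = "rw,nosuid"
        o["/tmp"]       = "rw,noexec,nosuid,nodev"
        o["/usr"]       = "ro"
        o["/usr/home"]  = "rw,noexec,nosuid"
        o["/usr/local"] = "ro,nosuid"
        o["/var"]       = "rw,noexec,nosuid"
    }
    /^#/ || NF < 6 { print; next }
    {
        if ($3 == "ufs" && ($2 in o)) $4 = o[$2]
        print $1, $2, $3, $4, $5, $6
    }' "$1"
}

# Before switching: list setuid/setgid programs that live on a partition the
# restrictive profile mounts nosuid. The kernel ignores their set-id bits on
# such a mount, so e.g. /sbin/ping stops working for non-root users once / is
# nosuid. -xdev keeps find on that one filesystem.
list_suid_on_nosuid() {
    awk '!/^#/ && $3 == "ufs" && $4 ~ /nosuid/ { print $2 }' "$1" |
    while read -r mp; do
        find "${ROOT}${mp}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done
}

# Steps a and b of the procedure, in either direction. "maintain" installs the
# original fstab and kern_securelevel="1" so cvsup/buildworld/installworld can
# write under /usr; "harden" installs the restrictive fstab and
# kern_securelevel="2". A reboot is needed either way: sysctl can raise the
# securelevel on a running system but can never lower it.
set_mode() {
    etc="${ROOT}/etc"
    case "$1" in
        maintain) src="$etc/fstab.original";    level=1 ;;
        harden)   src="$etc/fstab.restrictive"; level=2 ;;
        *) echo "usage: set_mode maintain|harden" >&2; return 2 ;;
    esac
    [ -f "$src" ] || { echo "$src is missing, create it first" >&2; return 1; }
    cp "$src" "$etc/fstab"
    if grep -q '^kern_securelevel=' "$etc/rc.conf"; then
        sed -i.bak "s/^kern_securelevel=.*/kern_securelevel=\"$level\"/" "$etc/rc.conf"
    else
        echo "kern_securelevel=\"$level\"" >> "$etc/rc.conf"
    fi
    echo "installed $src as $etc/fstab, kern_securelevel=\"$level\"; reboot to apply"
}

# After the reboot: confirm every option fstab asks for is really in effect.
# $1 = fstab, $2 = a file holding the output of `mount -p` (same columns as
# fstab). Prints one line per partition that is missing an option and returns
# 1 if there was any; returns 0 when everything matches.
check_mounted_opts() {
    awk '
    BEGIN { bad = 0 }
    NR == FNR { if (!/^#/ && NF >= 4) want[$2] = $4; next }
    !/^#/ && NF >= 4 && ($2 in want) {
        n = split(want[$2], w, ",")
        for (i = 1; i <= n; i++)
            if (index("," $4 ",", "," w[i] ",") == 0) {
                printf "%s: fstab asks for %s, mounted with %s\n", $2, want[$2], $4
                bad = 1
                break
            }
    }
    END { exit bad }' "$1" "$2"
}

# Typical sequence on the firewall, as root:
#   make_restrictive_fstab /etc/fstab.original > /etc/fstab.restrictive
#   list_suid_on_nosuid /etc/fstab.restrictive          # know what will break
#   set_mode harden && shutdown -r now
#   mount -p > /var/tmp/mounts && check_mounted_opts /etc/fstab /var/tmp/mounts
```

Run list_suid_on_nosuid before the first switch and decide per program whether losing it is acceptable on a firewall; run check_mounted_opts after every reboot, since a typo in fstab silently leaves a partition with its old options.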
16. Reboot the machine so we can finish the job...
[root@numa /etc]# shutdown -r now
17. If the system doesn't reboot, it probably means you made an error in the
kernel configuration file...possibly selecting the wrong CPU type. DON'T
PANIC. We can still boot the machine so that you can fix the error. To boot
into the original version of the kernel, follow the steps below:
A. Reboot the machine (power off, then on).
B. When the machine comes back up and gets to the part that says:
    Hit [Enter] to boot immediately, or any other key for command prompt.
    Booting [kernel] in 9 seconds...
hit the [space bar] (anything except the "enter" key), and you'll get an
"ok" prompt.
C. Type the following commands at the "ok" prompt and you'll boot the
original kernel (kernel.old is the previous kernel, which make installkernel
keeps as a backup):
ok unload kernel
ok load kernel.old