Security Issues Labs

1. SELinux

  1. On the server1.example.com system, ensure that the system is configured with SELinux set to enforcing at boot time, and that it is currently enabled.

  2. Configure /etc/httpd/conf.d/my.conf created in a previous lab to point to /var/mywww.

  3. Restart httpd.

  4. Create index.html in /var/mywww.

    If SELinux is enabled, accessing index.html in this directory via curl should fail.

  5. Fix SELinux issues with the new directory and make it permanent.

2. IPA Authentication

  1. As root on server1, download and uncompress the lab scripts tarball in /root:

    [root@server1 ~]# wget http://www.opentlc.com/download/RTlabscripts.tar.gz
    [root@server1 ~]# tar -xf RTlabscripts.tar.gz

  2. On the server1.example.com system, use yum (not rpm) to install the /root/configipasrv-1.0-1.noarch.rpm package.

    [root@server1 ~]# yum -y install /root/configipasrv-1.0-1.noarch.rpm

  3. Run /root/installIPA.sh to configure the VM as an IPA server.

    [root@server1 ~]# /root/installIPA.sh
    [root@server1 ~]# systemctl stop firewalld

    This process will take several minutes as the script configures an entire IPA server environment.

  4. Make sure the following ports are open on server1:

    • TCP Ports:

      • 80, 443: HTTP/HTTPS

      • 389, 636: LDAP/LDAPS

      • 88, 464: Kerberos

      • 53: DNS (bind)

    • UDP Ports:

      • 88, 464: Kerberos

      • 53: DNS (bind)

  5. Configure desktop1.example.com to be an IPA client.

    [root@desktop1 ~]# echo "192.168.0.101 server.example.com" >> /etc/hosts
    [root@desktop1 ~]# yum -y install ipa-client
    [root@desktop1 ~]# systemctl start ntpdate
    [root@desktop1 ~]# systemctl start ntpd
    [root@desktop1 ~]# systemctl enable ntpdate
    [root@desktop1 ~]# systemctl enable ntpd
    [root@desktop1 ~]# echo "DNS1=192.168.0.101" >> /etc/sysconfig/network-scripts/ifcfg-eth0
    [root@desktop1 ~]# sed -i "s/PEERDNS=yes/PEERDNS=no/" /etc/sysconfig/network-scripts/ifcfg-eth0
    [root@desktop1 ~]# systemctl restart network
    [root@desktop1 ~]# ipa-client-install -N -U -p admin -w r3dh@t13 --hostname client.example.com --domain EXAMPLE.COM --server server.example.com --force
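
One way to check step 4 of the IPA Authentication lab, as an added example that is not part of the lab scripts: it reads `ss -tuln` output and lists the required ports that have no non-loopback listener. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not one of the lab scripts: list the IPA ports from step 4
# that have no remotely reachable listening socket on server1.

# Ports from step 4 of the lab, as proto/port pairs.
REQUIRED_PORTS="tcp/80 tcp/443 tcp/389 tcp/636 tcp/88 tcp/464 tcp/53 udp/88 udp/464 udp/53"

# Reads `ss -tuln` output on stdin and prints every required proto/port that
# is not bound, one per line. Sockets bound only to loopback are ignored,
# because the IPA client on desktop1 cannot reach them.
missing_ipa_ports() {
    awk -v required="$REQUIRED_PORTS" '
        $1 != "tcp" && $1 != "udp" { next }                         # header line
        $5 ~ /^127\./ || $5 ~ /^\[::1\]:/ || $5 ~ /^::1:/ { next }  # loopback
        {
            # Field 5 is Local Address:Port, e.g. *:80, [::]:80, :::80.
            n = split($5, parts, ":")
            seen[$1 "/" parts[n]] = 1
        }
        END {
            count = split(required, want, " ")
            for (i = 1; i <= count; i++)
                if (!(want[i] in seen)) print want[i]
        }'
}

# Constructed sample of `ss -tuln` output (not captured from a real server):
# LDAPS is bound to loopback only and nothing listens on udp/464.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      192.168.0.101:53    *:*
udp   UNCONN 0      0      *:88                *:*
tcp   LISTEN 0      10     192.168.0.101:53    *:*
tcp   LISTEN 0      128    *:88                *:*
tcp   LISTEN 0      128    *:464               *:*
tcp   LISTEN 0      128    127.0.0.1:636       *:*
tcp   LISTEN 0      128    :::80               :::*
tcp   LISTEN 0      128    :::443              :::*
tcp   LISTEN 0      128    :::389              :::*
EOF
}

# On server1 the live form is:  ss -tuln | missing_ipa_ports
sample_ss_output | missing_ipa_ports
```

A bound socket shows only that the service is listening; whether a running firewall permits the port is a separate check.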

3. Authentication

  1. Create a local user called newguy and set the password to newguy123.

  2. Test using ssh to connect to desktop1.example.com as local user newguy with the password newguy123.

  3. Test using ssh to connect to desktop1.example.com as remote user remote1 with the password r3dh@t13.

  4. Install /root/authlab1-1.0-1.noarch.rpm on desktop1.example.com.

  5. Use ssh to attempt to connect to desktop1.example.com as local user newguy with the password newguy123.

  6. Debug why this fails, without changing the password.

  7. Use ssh to attempt to connect to desktop1.example.com as remote user remote1 with the password r3dh@t13.

  8. See if the user is visible on desktop1.example.com.

    [root@desktop1 ~]# getent passwd remote1

  9. Debug why this fails.