
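After working through Part One, you should now have your Linux host connected to the Internet. But that Linux system is probably still not very secure. So before we start configuring servers, we first need to harden the system so that it does not fall to a malicious cracker. In this chapter we introduce the flow of a packet and then, based on that flow, lay out a procedure for hardening the system, including online automatic upgrades, service control, and SELinux. Let's get to it.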

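7.1 Flow of a network packet connecting into the host
  7.1.1 Flow of a packet entering the host
  7.1.2 Common attack methods and related protection: password guessing, vulnerabilities, social engineering, program misuse, rootkit, DDoS
  7.1.3 Protection the host can provide: software updates, fewer network services, enabling SELinux
7.2 Automatic software upgrades over the network
  7.2.1 How to upgrade software
  7.2.2 CentOS yum: software updates and how mirror sites work
  7.2.3 Using yum: installation, software groups, full system update
  7.2.4 Choosing a specific mirror site: editing the yum configuration file and clearing the yum cache
7.3 Restricting connection ports (port)
  7.3.1 What is a port
  7.3.2 Observing ports: netstat, nmap
  7.3.3 Starting/stopping ports and services and setting their boot-time state: service types, start at boot
  7.3.4 Security considerations: closing network service ports
7.4 SELinux management principles
  7.4.1 How SELinux operates: security context, domain/type
  7.4.2 Enabling, disabling and observing SELinux: getenforce, setenforce
  7.4.3 Changing the SELinux type: chcon, restorecon, semanage
  7.4.4 Adjusting rule booleans in the SELinux policy: seinfo, sesearch, getsebool, setsebool
  7.4.5 Services needed for SELinux logging, with httpd as the example: setroubleshoot, sealert
7.5 Repairing a host after an attack
  7.5.1 Skills a network administrator should have
  7.5.2 Recovery workflow after a host has been attacked
7.6 Key points review
7.7 Exercises
7.8 References and further reading
7.9 Suggestions about this article: http://phorum.vbird.org/viewtopic.php?p=114062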

7.1 Flow of a network packet connecting into the host

bo@Aڭ̭nQתOAӦۤ@ӺWsunDQiJڭ̪DɡA oӺʥ]biJDڨoƪӬy{OpHAѤFӬy{A A~|o{GӨtξާ@򥻷OpnI ӧA]~|AѭnpO@ADwoIܤֻA̻@@@C


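7.1.1 Flow of a packet entering the host

In Chapter 1 we already talked about the flow of a network connection; the example there was meant to show why setting up a server requires understanding the basic concepts of the operating system. In this chapter we describe that flow in more detail, because by analyzing it you will see why our host needs some protection before the system can be called robust. Also, after the networking concepts in Chapter 2, you know that networking is two-way: both the server and the client need an IP:port so that the software on each side can talk to the other. So now, assuming your host is a WWW server, how does a network packet enter your host, as shown in the figure below?

Figure 7.1-1: Flow of a network packet entering the host
  1. Analysis by the firewall:

    Linux has built-in firewall mechanisms, so whether your connection succeeds depends first on the firewall. A default Linux firewall has two mechanisms, and they exist independently of each other, so by default we have two layers of firewall. The first layer is the packet-filtering netfilter firewall; the other is the TCP Wrappers firewall, which is controlled through software.

    • Packet-filtering firewall: IP Filtering or Net Filter
      Every packet entering the local Linux host first passes through the default firewall in the Linux kernel, the thing called netfilter; put simply, it is the firewall function provided by the iptables software. Why is it called packet filtering? Because it filters mainly by analyzing the TCP/IP packet headers, chiefly at OSI layers 2, 3 and 4, and what it controls is mainly MAC, IP, ICMP, and the ports and states (SYN, ACK...) of TCP and UDP. The details are covered in the firewall chapter.

    • Second firewall layer: TCP Wrappers
      After passing netfilter, the packet is checked by the super daemons and TCP_Wrappers. What is that? Simply the function of the /etc/hosts.allow and /etc/hosts.deny configuration files. This function also analyzes the TCP header once more, and you can likewise set up rules against certain IPs or ports so that packets from those sources are dropped or allowed through.

    With the firewall in control, we can discard most of the junk connections coming from the Internet and allow in only connections to the services we have opened ourselves, which gives the most basic level of protection.

  2. Basic functions of the service (daemon):

    The default firewall is built into Linux, but a firewall mainly manages packet-header information such as MAC, IP and port. If you want to control that certain directories may be entered and others may not be used, you have to rely on permissions and on the related functions of the server software. For example, in the httpd.conf configuration file you can specify that certain source IPs may not use the httpd service to get data from the host; then even if that IP passes the two filtering layers above, it still cannot get the host's resources. But note: if the httpd program itself has a problem, a client can exploit the vulnerability in the httpd software directly to intrude into the host, without needing the host's root password. So be careful with software that is started facing the Internet.

  3. SELinux fine-grained permission control over network services:

    To guard against misuse of the permissions in the previous step, or against security incidents caused by a faulty program, Security Enhanced Linux steps in. Put simply, SELinux can set rules (policy) on the permissions of network services so that what a program can do is limited. So even if a user's file permissions are set wrongly, or the program has a problem, the actions the program can perform are still restricted, even when the program runs with root privileges. For example, suppose the httpd of the previous step really is attacked by a cracker who gains root rights through it: because httpd is confined by SELinux to /var/www/html, and the functions it may perform are already regulated, the cracker cannot use that program to damage the system any further. These days SELinux really must be turned on.

  4. Using the host's file system resources:

    Think about it: what is the main purpose of connecting to a WWW host with a browser? To read the host's WWW data, of course. And what is WWW data? Files! ^_^ So in the end the network packet is asking the host for data in its file system. Assume here that you use the httpd program to get the system's file data; httpd is by default started by a system account named httpd, so the permissions on your web data must of course allow the httpd program to read it. If the settings at the previous three checkpoints are all OK but the final permissions are wrong, users still cannot browse your web data.

Besides these steps, Linux and the related software may also support logging. To keep a record of what happened, and to help the administrator with later troubleshooting and intrusion detection, you must build the habit of analyzing the log files, especially /var/log/messages and /var/log/secure. Most of the major Linux distributions ship their own log analysis software, for example logwatch on CentOS, but that software does not necessarily suit every distribution, so I tried writing a shell script of my own, logfile.sh, which you can download at the URL below:

Now, given this flow, how do you think crackers could attack our system? We need to know how the other side would try to break in before we can work out how to reinforce the system. Below we first go over the basic attack methods.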


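7.1.2 Common attack methods and related protection

From Figure 7.1-1 we learned the lines of defense that data passes on its way to the local host, and that permissions are the final key. You should now see more clearly why the basics volume kept saying that setting correct permissions protects your host. So how can a cracker still attack your system through the flow above? Let's analyze it below.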


















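7.1.3 Protection the host can provide: software updates, fewer network services, enabling SELinux

From the analysis above, you now know the flow of a packet and the basic protection a host needs. But you may still wonder: since I already have a firewall, are permission control, password strength, server software updates, SELinux and so on really that important? After all, the firewall is the first checkpoint a packet passes on its way in. If that gate is strict, can the rest be relaxed a little? ... You would be wrong! For a server that opens certain network services, the firewall is, for those services, "basically as good as nothing, it is useless". Why is that?

From this analysis we can see that keeping the system software updated at all times, restricting the connection ports, and enabling SELinux to limit the permissions of network services are three simple steps that give your system considerable protection. Of course, the firewall and the analysis of the system logs that follow are still needed. The rest of this chapter covers these three points in depth.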


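7.2 Automatic software upgrades over the network

There are far too many crackers on today's network. These people exploit vulnerabilities that already exist in systems to probe, intrude into and attack your host. So apart from setting up a firewall, the most important routine Linux administration task is upgrading software. But if users had to watch the security advisories themselves every day and actively look up the upgrade packages each major distribution provides for those vulnerabilities, that would be far too unfriendly. That is why many online update mechanisms have appeared. With these means of updating software directly online, we system administrators can manage our hosts much more easily.


7.2.1 How to upgrade software

Usually, after installing Linux, I turn on the system's default firewall, and then the very first thing I do is a full system update. This goes for any Linux, and the point is to avoid software security problems. So how should software on Linux be updated and upgraded? Do you remember how you installed the software? It was rpm, tarball or dpkg, wasn't it? So if you want to upgrade your software, you have to upgrade it the same way you originally installed it. Each way has its own range of application:

For example, if your system is CentOS, we know it uses the RPM software management model. If you want to install software from B2D, note that B2D manages software with Debian's dpkg, and the two are not the same. Do not install one on the other! So to upgrade, you need to understand how software is installed and managed on your system.

There is a special case, though: how do you upgrade software on an older Linux release (such as Red Hat 9)? Support for older releases is poorer to begin with, and neither the commercial companies nor the community put that much effort into supporting old releases. So at that point you can choose to: (1) upgrade to a newer release, such as CentOS 5.x, or (2) use Tarballs to upgrade the kernel and software yourself. I recommend upgrading to a newer release, because manually installing the latest versions from Tarballs really takes a lot of time and effort, you also have to keep checking the official sites for the latest news, it is more tiring, and it may produce situations you cannot foresee.

We all know that Windows provides a Live update feature that can upgrade online automatically, and many antivirus and anti-trojan programs also offer real-time online updates, which keeps your software at the latest state. Nice! So does Linux have such a feature? If it does, and the system upgrades software automatically, wouldn't life be much easier? Yes, that is indeed the case. So let's talk about the online upgrade mechanisms on Linux.

The most common ways to install software on Linux are RPM / Tarball / dpkg. With a Tarball what you get is source code, so automatic online updating with Tarballs is hardly feasible; only the RPM and dpkg software management methods can be used for online updates.

Don't RPM and dpkg have those so-called dependencies? No need to worry. RPM and dpkg package files carry some basic information about the software and also record its dependencies (remember the query options of rpm -q?). So by analyzing this basic information and using some mechanism to record the dependency information, and then with some extra functionality, the differences between your system and the patched software can be analyzed automatically, and further analysis yields the software that needs upgrading along with the software it depends on. That achieves the ideal of automatic upgrades.

Each distribution has its own ideas about system management, so they differ in how they analyze RPM or dpkg software, and that gives the following different online upgrade mechanisms:

Having matched these upgrade mechanisms to the distributions, you can see that it is not the case that "every distribution can use the same online upgrade mechanism". So consult the documentation your distribution provides to set up online upgrades; otherwise you will have to download and install by hand! @_@

Everything here is presented on CentOS, a Red Hat-compatible distribution, so below only the yum mechanism is introduced. yum already works on CentOS, Red Hat Enterprise Linux, Fedora and so on, which should be enough. Also, the usage of rpm and yum has already been discussed in the basics volume, so here we only reinforce that and cover the network-related usage.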


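7.2.2 CentOS yum: software updates and how mirror sites work

We talked about yum in the basics volume. Basically it works like this: our CentOS goes to the yum server and downloads the list of RPM headers released by the official site. Besides recording the dependencies of each RPM package, that data also states the repository where the RPM files are placed. By analyzing this data, our CentOS can use yum directly to download and install the software it needs. The detailed flow looks roughly like this:

Figure 7.2-1: Using yum to download the list and headers and to obtain repository data
  1. Determine the IP address of the yum server from the configuration file;
  2. Connect to the yum server and first download the header data of the new RPM files;
  3. Analyze and compare against the files the user wants to install or upgrade, and present them to the user for confirmation;
  4. Download the files the user selected into /var/cache/yum on the system, and carry out the actual installation;

Because the list you downloaded already contains the header dependency relationships of all RPM files released by the official site, if the software you want to install requires dependencies that are not yet installed, yum will also download the other software needed, install it first, and then install the software you actually asked for. From analysis through download to installation, all in one go. Very simple.

But there is still a problem. If everyone in the world using CentOS connected to the same yum server to download the RPM files they need, the bandwidth would be saturated in no time. What to do? No problem, there are mirror sites. CentOS has mirror sites all over the world; these mirrors copy the data of the official yum server and also provide the same yum function, so you can download and install software from any mirror of the yum server. Below is the list of mirror sites in Asia given on the official CentOS site:

Today's yum is clever: it automatically works out which mirror site is closest to your host and then uses that mirror directly as your yum source. So in theory you do not need to change any setting; in Taiwan, your CentOS will use a yum server in Taiwan. Simple, isn't it? So next let's talk about how to use yum.

The principles and use of yum have already been introduced in the basics volume, so below we only go over the key points.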

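7.2.3 Using yum: installation, software groups, full system update

yum can do more than automatic online upgrades: it can also query, install software groups, upgrade the whole release and so on. Very handy! Let's first look at how the yum command is used:

[root@www ~]# yum [option] [operation] [arguments]
Options and arguments:
option: the main options include:
   -y : when yum asks the user for confirmation, answer yes automatically instead of
        waiting for keyboard input;

[operation]: depending on what you want to do, choose one of:
   install : install the named software, so it must be followed by a "package name"
   update  : upgrade everything; it can also be followed by a package name to
             upgrade only that package;
   remove  : remove a package; must be followed by the package name;
   search  : search for a package or an important keyword;
   list    : list the names and versions of all software managed by yum, somewhat
             like rpm -qa;
   info    : as above, but more like the output of rpm -qai;
   clean   : downloaded files are placed in /var/cache/yum; use clean to remove them,
             items that can be cleaned: packages | headers | metadata | cache ;

The [operation] part also offers ways to install whole software groups, as follows:
   grouplist   : list all available "software groups", e.g. Development Tools;
   groupinfo   : followed by group_name, shows all package names in that group;
   groupinstall: this one is handy! It installs a whole software group;
                 often combined with --installroot=/some/path to install a new system
   groupremove : remove a software group;

# Example 1: search whether any software provided by CentOS is related to RAID
[root@www ~]# yum search raid
Loaded plugins: fastestmirror
Determining fastest mirrors     <== testing for the fastest mirror here
 * addons: ftp.twaren.net       <== four repositories in total
 * base: ftp.twaren.net         <== every repository is on ftp.twaren.net
 * extras: ftp.twaren.net
 * updates: ftp.twaren.net
addons                          |  951 B     00:00    <== downloading the package header lists
base                            | 2.1 kB     00:00
extras                          | 2.1 kB     00:00
extras/primary_db               | 187 kB     00:00
updates                         | 1.9 kB     00:00
=============== Matched: raid ======================  <== the matches found are below
....(middle omitted)....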
lvm2.i386 : ϧΤƪ޿U޲zu
mdadm.i386 : mdadm  Linux md ˸m]n RAID }C^
mkinitrd.i386 : إ߹wҲթһݪl ramdisk MɡC

# Example 2: in the output above, what does mdadm do?
[root@www ~]# yum info mdadm
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: ftp.twaren.net
 * base: ftp.twaren.net
 * extras: ftp.twaren.net
 * updates: ftp.twaren.net
Installed Packages  <== this says the package is already installed
Name       : mdadm
Arch       : i386
Version    : 2.6.9
Release    : 3.el5
Size       : 1.8 M
Repo       : installed
Summary    : mdadm  Linux md ˸m]n RAID }C^
URL        : http://www.kernel.org/pub/linux/utils/raid/mdadm/
License    : GPL
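....(rest omitted)....

yum is really handy; it can directly query whether software with a particular name exists. For example, you can get package names in the following ways:

Then you can pick out keywords with a regular expression, or use 'yum list "package name"' to learn about that software, and finally decide whether to install it. Example 1 above was looking for disk array management software. Once you are sure you want to install, follow the procedure below.


# Example 3: install a package, using mdadm as the package name:
[root@www ~]# yum install mdadm
....(beginning omitted)....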
Setting up Install Process
Package mdadm-2.6.9-3.el5.i386 already installed and latest version
Nothing to do

[root@www ~]# yum install mdadma
Setting up Install Process
No package mdadma available.
Nothing to do

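Look closely at the two commands above. In the second one I deliberately made a typo, turning the package name mdadm into mdadma, to show the message printed when you mistype. From the messages above you can see that the result in both cases is "Nothing to do", but yum tells you whether the package is "already installed (already installed and latest version)" or "does not exist (No package mdadma available)". The point of this example is to get you to read the output messages carefully. All right, let's install something that has never been installed; take the javacc package and try it.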

[root@www ~]# yum list javacc*
Available Packages
javacc.i386             4.0-3jpp.3       base
javacc-demo.i386        4.0-3jpp.3       base
javacc-manual.i386      4.0-3jpp.3       base
# Three packages in total: javacc, javacc-demo and javacc-manual, version 4.0-3jpp.3,
# and they are stored in the repository named base.

[root@www ~]# yum install javacc
....(beginning omitted)....
Setting up Install Process
Resolving Dependencies
--> Running transaction check  <== start checking for dependency problems
---> Package javacc.i386 0:4.0-3jpp.3 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================
 Package     Arch      Version         Repository Size
=======================================================
Installing:
 javacc      i386      4.0-3jpp.3      base      850 k

Transaction Summary
=======================================================
Install       1 Package(s)  <== package count summary: 1 to install, 0 to upgrade
Upgrade       0 Package(s)

Total download size: 850 k
Is this ok [y/N]: y
Downloading Packages:
javacc-4.0-3jpp.3.i386.rpm      | 850 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : javacc                          1/1

Installed:
  javacc.i386 0:4.0-3jpp.3

Complete!

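See! With yum we can install a package with very little effort, and the dependencies have already been resolved for us automatically. Extremely convenient. Also, by default on CentOS 5.x, apart from each repository's header list files, all RPM files yum downloads are deleted once installation completes, so your disk will not fill up with downloaded data. But if you want the downloaded RPM files to be kept in /var/cache/yum, you have to edit the /etc/yum.conf configuration file.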

[root@www ~]# vim /etc/yum.conf
[main]
cachedir=/var/cache/yum
keepcache=1
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1

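In the highlighted setting above (keepcache), change 0 to 1 and your RPM files will be kept. However, unless you have several hosts to update and want to use one host to upgrade and download with yum, then collect all the RPM files and upgrade the machines on the internal network with them (rpm -Fvh *.rpm), this change is not recommended, because your /var may well fill up. Understood?


What is a "software group"? RPM releases a large project as many small packages, each of which can be installed on its own. The benefit is that users and software developers can install different environments. For example, we use the KDE desktop, but only as an ordinary user, so there is no need to install the KDE development tools on Linux, right? So the KDE project can be divided into environments such as "KDE (K Desktop Environment)" and the development one, "KDE Software Development", and each software group in turn contains many different RPM package files. The purpose of this grouping is to make it easy for users to install a complete project.

So how many software groups does the system have? And how do you see which RPM files a software group contains? We use the KDE project to illustrate:

# Example 4: how many software groups does the system have?
[root@www ~]# LANG=C yum grouplist
Installed Groups:             <== these are the software groups already installed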
   Administration Tools
   DNS Name Server
   Dialup Networking Support
   Editors
   FTP Server
....(middle omitted)....
Available Groups:             <== these are the software groups still available to install
   Authoring and Publishing
   Base
   Beagle
   Cluster Storage
....(middle omitted)....
   KDE (K Desktop Environment)
   KDE Software Development
....(rest omitted)....

# Example 5: how many RPM packages does KDE (K Desktop Environment) contain?
[root@www ~]# yum groupinfo "KDE (K Desktop Environment)"
Group: KDE ୱ
 Description: KDE Oӥ\jjϧΨϥΪ̤AtOBୱBtιϥ 
              Hιϧɮ׺޲zC
 Mandatory Packages:
   arts
   kdebase
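 Default Packages:    <== the main packages that will be installed are listed here
   desktop-printing
   im-chooser
   kdeaccessibility
   kdeaddons
....(middle omitted)....
 Optional Packages:   <== extra, optional packages are listed here
   kdeadmin
# If you are sure you want to install this software group, do this:

[root@www ~]# yum groupinstall "KDE (K Desktop Environment)"

With 'yum groupinstall "group name"' you can install a lot of software in one go without worrying about forgetting a package. Very nice. And with the groupinfo function you can also discover some interesting information about the software. That makes managing your Linux system more convenient.


We all know that "yum update" performs a full system update. But did you know that yum update can also upgrade within the same major release? For example, you can upgrade from 5.5 to 5.6, and the process is no trouble at all. It is just a batch of package upgrades and nothing more.

However, if you want to upgrade from the older CentOS 4.x to 5.x, it will probably take more work. Why go to the trouble? Because you may already have some data and settings in place that you do not want to change. Honestly, though, upgrading across major versions (e.g. 4.x --> 5.x) is best not attempted; a fresh installation is probably the best option. Below are the upgrade method provided by the seniors at Study-Area and the one provided by the official CentOS site, for your reference:

Exercise:
Set up a scheduled job so that your CentOS updates the system automatically every day.
Answer:
You can use "crontab -e" for this, or edit the file with "vim /etc/crontab". Since this update concerns the whole system, I am used to using vim /etc/crontab for the command. The content is actually very simple:
40 5 * * * root yum -y update && yum clean packages
That gives automatic updates, scheduled for 5:40 every morning.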


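7.2.4 Choosing a specific mirror site: editing the yum configuration file and clearing the yum cache

Although yum works as soon as your host can reach the Internet, the CentOS mirror site may be chosen badly. For example, we are in Taiwan, but the CentOS mirror selected might be in Beijing or in Japan. Can that happen? It can! I run into this often when teaching, and our connections to the mainland or to Japan are very slow. What then? Just edit the yum configuration file by hand.

In Taiwan, the CentOS mirror sites I am familiar with are mainly the National Center for High-performance Computing (NCHC) and I-Shou University. Lately I prefer the NCHC: updates seem to arrive sooner, and its link to the Taiwan academic network is also very fast. So below I recommend that readers in Taiwan use the NCHC's ftp host as the yum server source. The address the NCHC currently provides for CentOS is as follows:

If you visit the address above you will find a set of links; those links are the repositories this yum server provides. The NCHC offers repositories such as addons, centosplus, extras, fasttrack, os and updates; the easiest ones to recognize are os (the system's default software) and updates (upgraded versions of software). Because my test host uses the i386 release, clicking further into os leads to the following address from which installation is available:

Why this address? What is special about it? The most important feature is the "repodata" directory. That directory is where the software attribute and dependency data produced by analyzing the RPM packages is placed. So when you look for the address of a repository, the key thing is that a directory named repodata must exist under that address; that is the repository's address. The correct addresses of the other repositories are left for you to find yourself. Now let's edit the configuration file.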

[root@www ~]# vim /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

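As shown above, I list only the contents of the base repository; look up the other repositories yourself. The points to note in the data above are:

Now that we understand this configuration file, let's edit the whole file so that this host uses the NCHC resources directly. I show the change only for the base repository entry; handle the other entries yourself in the same way.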

[root@www ~]# vim /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
baseurl=http://ftp.twaren.net/Linux/CentOS/5/os/i386/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
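# For the other repository entries below, look them up at the NCHC site and handle them yourself.

Next, of course, test it. How? Just use yum again.

# Example: list the repositories the yum server currently uses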
[root@www ~]# yum repolist all
repo id         repo name                status
addons          CentOS-5 - Addons        enabled:     0
base            CentOS-5 - Base          enabled: 2,599
c5-media        CentOS-5 - Media         disabled
centosplus      CentOS-5 - Plus          disabled
contrib         CentOS-5 - Contrib       disabled
extras          CentOS-5 - Extras        enabled:   335
updates         CentOS-5 - Updates       enabled:   488
repolist: 3,422
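# Only those whose status column says enabled are active. Because /etc/yum.repos.d/
# contains several configuration files, you will see other repositories as well.


Here we edited the system's default configuration file. Strictly speaking we should create a new file under /etc/yum.repos.d/, and its extension must be .repo. But because we are only pointing to a specific mirror site, not to a repository provided by some other software developer, we edited the default file. However, the repository data may differ between old and new, and you need to know that yum first downloads the repository's list into /var/cache/yum on the local host. We changed the address but did not change the repository name (the text in square brackets), so the local list may be out of sync with the list on the yum server, and updates will then fail.

What to do? Simple: clear the old data on the local host. Does that have to be done by hand? No, just use yum's clean operation.

[root@www ~]# yum clean [packages|headers|all] 
Options and arguments:
 packages: delete the package files that have been downloaded
 headers : delete the package headers that have been downloaded
 all     : delete all repository data

# Example: delete all repository data already downloaded (packages themselves and lists)
[root@www ~]# yum clean all
Exercise:
There is an address, http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/ , which holds free software developed by Taiwan's National Center for High-performance Computing. Using the data at that address, set it up in yum format so that your system can install from it over the network automatically.
Answer:
Because http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/ contains a repodata/ directory, this address can be made into a yum repository configuration file. You can do it like this: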
[root@www ~]# vim /etc/yum.repos.d/drbl.repo
[drbl]
name=This is DRBL site
baseurl=http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/
enabled=1
gpgcheck=0

[root@www ~]# yum search drbl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
============================== Matched: drbl ==============================
clonezilla.i386 : Opensource Clone System (ocs), clonezilla
drbl.i386 : DRBL (Diskless Remote Boot in Linux) package.
drbl-chntpw.i386 : Offline NT password and registry editor
....(Uٲ)....

[root@www ~]# yum repolist all
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
repo id         repo name                status
addons          CentOS-5 - Addons        enabled:     0
base            CentOS-5 - Base          enabled: 2,599
c5-media        CentOS-5 - Media         disabled
centosplus      CentOS-5 - Plus          disabled
contrib         CentOS-5 - Contrib       disabled
drbl            This is DRBL site        enabled:    16
extras          CentOS-5 - Extras        enabled:   335
updates         CentOS-5 - Updates       enabled:   488
repolist: 3,438
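The newly added drbl repository has 16 packages. Did you get the same result?


7.3 Restricting connection ports (port)

Why does our host respond to certain request packets on the network? For example, once we have set up a WWW host, our host responds when a WWW request arrives from the Internet; that is because our host has enabled the WWW listening port. So whenever we start a daemon, it may cause a port on the host to listen, and at that point the daemon is already offering a service to the network. If that daemon program has a vulnerability, then because it offers an Internet service, it is easily attacked by crackers on the Internet. That is why you must check carefully how many ports are actually open on your own system and manage them strictly; only then can you lower the chance of intrusion.


7.3.1 What is a port

This has been said many times already! When you start a network service, the service starts a port and listens on it according to the relevant TCP/IP protocols; that is the port of a TCP/UDP packet. From Chapter 2 we also know that a network connection is two-way: the server side has to start a listening port, and the client side has to start a port at random to receive the response data. So does the service on the server side need to start on a fixed port? And is the client's port fixed too? Let's first pull together the material about ports from Chapter 2:


7.3.2 Observing ports: netstat, nmap

Now we know what a port is. Next we need to find out how many ports our host has actually opened. Since starting a port goes together with a service, which file maps "services" to "ports"? One more reminder: it is "/etc/services". And the two programs commonly used to observe ports are:

But could using nmap be illegal? Because nmap is so powerful, many crackers use it directly to probe other people's hosts, and that is when it can become illegal. As long as you do not use nmap to probe other people's computers, there is no problem. Below we describe these two tools in turn.



On a Linux system acting as a server, the fewer services that are open, the better, because fewer services are easier to debug and to check for security holes, and this avoids unnecessary paths of intrusion. So at this point, find out which services have been started on your system. The simplest way to learn which services your own system runs is netstat. It is not only simple, its functionality is also quite good. The usage of this command was already covered under the commonly used Linux network commands, so below we only show how to use the tool for this purpose.


What if the device you want to probe has no operating system you can log in to? For example, suppose you want to find out whether the company's network printer has certain protocols open; how do you handle that? You now know that netstat can show the many protocols listening on the local host, but how do you query a non-local device such as a network printer? Use nmap!

The software description of nmap (note 1) names it "Network exploration tool and security / port scanner". As the name suggests, it is a tool system administrators use to audit system security. Its description also mentions that nmap can identify the service behind a port using the data for a number of ports defined inside the program, so we can also use it to find out what the ports on our host are for. CentOS provides nmap; if you have not installed it, install it with yum.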

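[root@www ~]# nmap [scan type] [scan options] [host address and range]
Options and arguments:
[scan type]: the main scan types are:
    -sT: scan TCP using fully established connections, connect()
    -sS: scan TCP using packets carrying the SYN flag
    -sP: scan by means of ping
    -sU: scan using UDP packets
    -sO: scan the host by IP protocol
[scan options]: the main scan options are:
    -PT: scan using a TCP-based ping; shows how many computers are currently alive (more commonly used)
    -PI: scan using a real ping (carrying ICMP packets)
    -p : a port range, used for example as 1024-, 80-1023, 30000-60000
[host address and range]: this is more interesting; there are several similar forms
    192.168.1.100  : just write the HOST IP; only one host is checked;
    192.168.1.0/24 : the Class C form;
    192.168.*.*    : this becomes the Class B form, and the scan range is wider;
    192.168.1.0-50,60-100,103,200 : a variant form of host range, very handy

# Example 1: scan the ports enabled on the local host with default options (TCP only)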
[root@www ~]# nmap localhost
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp
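# By default nmap scans only the TCP protocol.

Using nmap is simple: just put the IP or the host name after the command. By default, though, nmap analyzes only the TCP protocol for you, as in the output of the example above. The advantage is that it also lists the service that opened each port, which is nice. ^_^ And if you want to analyze both TCP and UDP, the two common protocols, at once? Do this:

# Example 2: scan the local host's TCP and UDP ports at the same time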
[root@www ~]# nmap -sTU localhost
PORT    STATE         SERVICE
22/tcp  open          ssh
25/tcp  open          smtp
111/tcp open          rpcbind
631/tcp open          ipp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown

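Compare this with Example 1 and you will see several more UDP ports this time; that makes for a much better analysis. Then, if you want to know how many hosts are alive on your network, you can do this:

# Example 3: using ICMP packet probes, find how many hosts on the LAN are up
[root@www ~]# nmap -sP 192.168.1.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-09-15 00:30 CST
Host www.centos.vbird (192.168.1.11) appears to be up.
Host 192.168.1.254 appears to be up.
MAC Address: 00:0C:6E:85:D5:69 (Asustek Computer)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.596 seconds

See that? In my environment two hosts are alive, and the MAC corresponding to the IP is recorded as well. Quite nice. If you also want to probe the ports opened on each of the hosts, use:

[root@www ~]# nmap 192.168.1.0/24

You will then see a pile of port numbers printed on the screen. If you want to record at any time whether hosts on the whole segment have carelessly opened some service, use nmap together with output redirection (>, >> and so on) to write the output to a file; then you can keep track of the services started on every host in your local network. ^_^

Pay special attention: nmap is very powerful, and for that very reason many novice hackers use it to probe other people's computers. Note in particular that many people now have "special ways" of logging this, for example using TCP_Wrappers (/etc/hosts.allow, /etc/hosts.deny) to record the IPs that have probed a port. This software is a very good tool for "checking the security of your own machines", but using it to probe other people's hosts can land you in "court". Take special care!!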


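7.3.3 Starting/stopping ports and services and setting their boot-time state

From the material in Chapter 2 we know that a port is opened by some software after that software is run. So to close a port, you simply shut down the program behind it. You can of course use kill to do that, but it is not the proper solution, because kill generally forces a program to terminate, whereas we want to shut the program down normally. So just use the scripts the system gives us. In the meantime, let's briefly review the types of traditional services.


In the basics volume we said that in a normal Linux environment there are two main ways services are started and managed:

For a detailed explanation of services, see the article on understanding services in the basics volume; it is not repeated here. Now, if I want to close port 631 on my system, how should I do it? The simplest approach is to first find the program that started port 631.

[root@www ~]# netstat -tnlp | grep 631
tcp        0      0 127.0.0.1:631   0.0.0.0:*     LISTEN   2058/cupsd
# So it is the cupsd service program that is using it.

[root@www ~]# which cupsd
/usr/sbin/cupsd
# Once the file is found, work on it directly with rpm

[root@www ~]# rpm -qf /usr/sbin/cupsd
cups-1.3.7-18.el5_5.4
# Found it! It is this package. So the way to shut it down is probably: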

[root@www ~]# rpm -qc cups | grep init
/etc/rc.d/init.d/cups
[root@www ~]# /etc/init.d/cups stop

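Through the analysis above, you can use the many convenient tools the system provides to shut down a given service. Why go to this much trouble? Can't you just remove the service with kill -9 2058? True enough. But do you know what that service is for? Do you know what problems your system will have once it is shut down? If you do not, then the procedure above finds the service's package, and the rpm query functions then tell you what the service does. So this approach does help. Below, try turning on Telnet on your CentOS or other Linux release.

Exercise:
We know the system's Telnet service is usually controlled by the super daemon. Try starting telnet on your system.
Answer:
  1. To start telnet, the telnet server must first be installed, so use rpm to check whether telnet-server is installed: "rpm -qa | grep telnet-server". If it is not installed, install it from the original disc or with "yum install telnet-server";
  2. Because it is controlled by the super daemon, edit the file /etc/xinetd.d/telnet, change "disable = yes" to "disable = no", and then restart the super daemon with "/etc/init.d/xinetd restart";
  3. Use netstat -tnlp to see whether port 23 has been started.


The approach above only "starts or stops the service immediately". It does not affect whether the service is started by default at the next boot. If you want a service to be started, or not started, at boot, you need to understand the boot process management covered in the basics volume. On Unix-like systems we set which services each run level starts; on Red Hat systems the data for what each run level starts is placed in /etc/rc.d/rc[0-6].d/. How do you manage the scripts in those directories? By hand? That would drive you mad. So you need to be familiar with commands such as chkconfig or, on Red Hat systems, ntsysv.

Not familiar with these commands? Then I have to say it: "use man while man is at hand; do not wait until there is no man and guess in vain". Go and run man on them right away.
Exercise:
(1) How do you check whether the portmap program is run at boot? (2) If it is run at boot, how do you change it so that it is not started at boot? (3) How do you shut down the portmap service immediately?
Answer:
  1. Use "chkconfig --list | grep portmap" and "runlevel" to confirm your environment and whether portmap is started;
  2. If it is started, use "chkconfig --level 35 portmap off" to set it not to start at boot;
  3. Use "/etc/init.d/portmap stop" to shut it down immediately.

You will surely ask: "So you mean that if I shut down all the services on the system, the system will be secure?" Of course... not! Because "many system services must exist, otherwise the system will have problems". For example, the crond service that gives the system its job scheduling must exist, and syslogd, which records the state of the system, must of course exist too; otherwise how would you know what went wrong with the system? So unless you know what each service is for, do not shut services down casually. Below are several common services that must exist on the system, for your reference. Please do not shut these down!

Service name   Description
acpid          The newer power management module; enabling it is usually recommended, but some notebooks may not support this service, in which case it has to be turned off
atd            Manages one-off scheduled commands; should be started
crond          The important service that manages job scheduling; be sure to start it
haldaemon      Detects hardware changes on the system; closely related to USB devices
iptables       The firewall software built into Linux; this one can be started too
network        This one is important, isn't it? You need it to have a network
sendmail       The system's internal mail delivery service; do not shut it down casually
sshd           Started by default; lets you log in remotely through a text-mode terminal
syslog         The system's log recording; very important, be sure to start it
xinetd         This is the super daemon, so it should be started as well
xfs            Manages the font data for X Window; start this service if you need X Window

The services listed above are the key ones a host needs; do not shut them down unless you know what the consequences will be. For example, if you do not need X window, shutting down xfs does no harm. If you do not need to offer remote connections, sshd can be shut down too. And what about network services? If you do not know what a service is for, never mind: as long as it is not a network service, you can keep it. And if it is a network service? Then I suggest you shut down the ones you do not know first. Later, when we discuss each service, you can turn them on one by one. Below we practice shutting down network services.


7.3.4 Security considerations: closing network service ports

Our Linux distribution kindly thinks of a great deal on the user's behalf, so right after installation the system has started a pile of miscellaneous network services, such as portmap and the cups service for network printing. You may or may not know about them, but they are running all the same. Yet our host is meant to be a server, so these services, which were intended for client use, are rather superfluous. So shut them down. Below we work through a simple example that shuts down your network services; the other services internal to the system are kept for the time being.

Exercise:
Find the network services currently running on the system, and find the corresponding start-up scripts (that is, the file names under /etc/init.d).
Answer:
To find the network services, just use netstat -tunlp. Taking the demonstration machine installed in Chapter 1 as the example, the network services currently started are these: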
[root@www ~]# netstat -tlunp
Active Internet connections (only servers)
Proto  Local Address        State     PID/Program name
tcp    127.0.0.1:2208       LISTEN    2026/hpiod
tcp    0.0.0.0:139          LISTEN    2155/smbd
tcp    0.0.0.0:111          LISTEN    1790/portmap
tcp    127.0.0.1:631        LISTEN    2053/cupsd
tcp    127.0.0.1:25         LISTEN    2085/sendmail: acce
tcp    0.0.0.0:732          LISTEN    1822/rpc.statd
tcp    0.0.0.0:445          LISTEN    2155/smbd
tcp    127.0.0.1:2207       LISTEN    2031/python
tcp    :::22                LISTEN    2044/sshd
udp    192.168.1.11:137               2158/nmbd
udp    0.0.0.0:137                    2158/nmbd
udp    192.168.1.11:138               2158/nmbd
udp    0.0.0.0:138                    2158/nmbd
udp    0.0.0.0:726                    1822/rpc.statd
udp    0.0.0.0:729                    1822/rpc.statd
udp    0.0.0.0:111                    1790/portmap
udp    0.0.0.0:631                    2053/cupsd
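# The output above has been simplified a little, so some columns are missing.
# The point here is only to show the last column.
It looks like there are cupsd, hpiod, nmbd, portmap, python, rpc.statd, sendmail, smbd and sshd in total. Comparing with the important services listed in the previous subsection, sendmail and sshd must not be shut down, and the rest can go. Using what the previous two subsections introduced, search with which and rpm. For example, the start-up script of hpiod is found with "rpm -qc $(rpm -qf $(which hpiod) ) | grep init", and the result is "/etc/rc.d/init.d/hplip". The odd one is python, but fortunately it is started on 127.0.0.1, so it can be ignored for now. The final result is as follows:
cupsd     /etc/rc.d/init.d/cups
hpiod     /etc/rc.d/init.d/hplip
nmbd      /etc/rc.d/init.d/smb
portmap   /etc/rc.d/init.d/portmap
rpc.statd /etc/rc.d/init.d/nfs
          /etc/rc.d/init.d/nfslock
          /etc/rc.d/init.d/rpcgssd
          /etc/rc.d/init.d/rpcidmapd
          /etc/rc.d/init.d/rpcsvcgssd
smbd      /etc/rc.d/init.d/smb
Next, shut those services down and set them not to start at boot: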
[root@www ~]# vim closedaemon.sh
for daemon in cups hplip smb portmap nfs nfslock rpcgssd \
              rpcidmapd rpcsvcgssd smb
do
	chkconfig $daemon off
	/etc/init.d/$daemon stop
done
[root@www ~]# sh closedaemon.sh

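After doing the example above, run netstat -tlunp again and you will find only ports 25 and 22 left. This way most of the services a server has no use for are shut down, and they will not be started even after a reboot. ^_^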
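The audit step in this exercise (list the listeners, see which are reachable from the network, then decide what to close), as an added shell example that is not part of the original article. The sample text is constructed in the full `netstat -tlunp` column layout from the simplified listing above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify listeners from `netstat -tlunp` output.

# Constructed sample in the real column layout (Recv-Q, Send-Q and Foreign
# Address restored); sockets and program names follow the listing above.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 127.0.0.1:2208    0.0.0.0:*         LISTEN   2026/hpiod
tcp        0      0 0.0.0.0:139       0.0.0.0:*         LISTEN   2155/smbd
tcp        0      0 0.0.0.0:111       0.0.0.0:*         LISTEN   1790/portmap
tcp        0      0 127.0.0.1:631     0.0.0.0:*         LISTEN   2053/cupsd
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN   2085/sendmail: acce
tcp        0      0 0.0.0.0:732       0.0.0.0:*         LISTEN   1822/rpc.statd
tcp        0      0 :::22             :::*              LISTEN   2044/sshd
udp        0      0 192.168.1.11:137  0.0.0.0:*                  2158/nmbd
udp        0      0 0.0.0.0:111       0.0.0.0:*                  1790/portmap
udp        0      0 0.0.0.0:631       0.0.0.0:*                  2053/cupsd
EOF
}

# list_listeners: read netstat -tlunp text on stdin, print one line per socket:
#   <scope> <proto>/<port> <program>
# scope is "local" for loopback-only binds and "exposed" for everything else.
list_listeners() {
  awk '
    $1 ~ /^(tcp|udp)/ {
      local_addr = $4
      # TCP rows carry a State column, UDP rows do not.
      prog = ($1 ~ /^tcp/) ? $7 : $6
      sub(/^[0-9]+\//, "", prog)   # drop the leading "PID/"
      sub(/:$/, "", prog)          # "sendmail:" -> "sendmail"
      port = local_addr; sub(/^.*:/, "", port)
      addr = local_addr; sub(/:[^:]*$/, "", addr)
      scope = (addr ~ /^127\./ || addr == "::1") ? "local" : "exposed"
      print scope, $1 "/" port, prog
    }'
}

# exposed_programs: unique program names that listen on a non-loopback address.
exposed_programs() {
  list_listeners | awk '$1 == "exposed" { print $3 }' | LC_ALL=C sort -u
}

# unexpected_exposed "<allowed names>": exposed programs not on the allow list,
# i.e. the candidates for `chkconfig <service> off` and an init-script stop.
unexpected_exposed() {
  allow=" $1 "
  exposed_programs | while read -r prog; do
    case "$allow" in
      *" $prog "*) ;;
      *) printf '%s\n' "$prog" ;;
    esac
  done
}

# On a live host: netstat -tlunp | unexpected_exposed "sshd sendmail"
sample_netstat | unexpected_exposed "sshd sendmail"
```

Loopback-only listeners such as cupsd on 127.0.0.1:631 are reported as "local", but the same program also appears as exposed here because of its UDP socket on 0.0.0.0:631.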


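7.4 SELinux management principles

SELinux uses what is called Mandatory Access Control (MAC), which controls permissions for specific processes against specific file resources. That is, even if you are root, when you use different processes the permissions you get are not necessarily root's; they depend on how that process is set up at the time. So the "subject" we control becomes the "process" rather than the "user". This permission model is therefore especially suited to the "processes" of network services, because even if your process is started as root, if the process is attacked and control of it is taken, what the process can do is still limited, since SELinux restricts the work it can perform.

For example, the process that provides WWW server functionality is httpd, and by default httpd can access files only under the /var/www/ directory. If the httpd process wants to access data in another directory, then besides the rule having to be opened, the target directory must also be set to a type that httpd may read. There are many restrictions! So even if control of httpd is unfortunately taken by a cracker, he has no right to browse important configuration files such as /etc/shadow.


7.4.1 How SELinux operates

To repeat once more: SELinux controls processes by means of MAC. The subject it controls is the process, and the object is the "file resource" that the process may or may not read. So let's first explain how these pieces relate:

Figure 7.4-1: Relationship among the components of SELinux operation (figure based on teacher Kenny's (小州) lecture notes)

The point of the figure above is how the "subject" obtains access to the resources of the "object". From the figure we can see that (1) the subject process must first be let through by the rules in the SELinux policy, and then its security context is compared with that of the object resource; (2) if the comparison fails, the object cannot be accessed, and if it succeeds, access to the object can begin. The catch is that whether the object can finally be accessed still depends on the rwx permission settings of the file system. So with SELinux added, when permissions do not match you have to analyze the possible problems step by step.


The targeted policy of CentOS 5.x already defines a great many rules for us, so you only need to know how to turn a rule on or off. The security context is more troublesome, because you may need to set the security context of files yourself. Why would you need to? Well, don't you often reset the rwx of files? Just think of the security context as the rwx that SELinux requires; that makes it easier to understand.

A security context exists in the subject process and in the object file resource. A process is in memory, so storing a security context there is no problem. But where is a file's security context recorded? In fact it is placed in the file's inode, so when a subject process wants to read an object file resource it likewise has to read the inode, and within the inode the security context and the rwx permission values can be compared to decide whether to grant the appropriate read permission.

So what does a security context actually look like? Let's look at the security contexts of the files under /root. To view security contexts, use "ls -Z" as follows: (Note: SELinux must already be enabled. If it is not yet enabled, just skim this part; how to enable SELinux is described below.)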

[root@www ~]# ls -Z
drwxr-xr-x  root root root:object_r:user_home_t   Desktop
-rw-r--r--  root root root:object_r:user_home_t   install.log
-rw-r--r--  root root root:object_r:user_home_t   install.log.syslog
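# The part in the special typeface above is the content of the security context.

As shown above, a security context is divided by colons into three fields, whose meanings are:

Identify:role:type
Identity:Role:Type


How are these three fields used? Let's first look at what they mean for a subject process. From the definitions of the identity and role fields we can tell roughly what a given process represents. Basically, under the targeted policy the correspondence is as follows:

Identity   Role       Meaning under the targeted policy
root       system_r   The permissions obtained when the root account logs in
system_u   system_r   A system account, so a non-interactive system process
user_u     system_r   A process of an ordinary user who can log in

But as stated above, the most important field is really the type field. Whether there is read/write permission between subject and object depends on the process's domain and the file's type. We can explain the relationship between the two using the httpd program, which provides WWW server functionality, and the /var/www/html directory, where web pages are placed. First look at the security contexts of the two:

[root@www ~]# ll -Zd /usr/sbin/httpd /var/www/html
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t /var/www/html
# The role field of both is object_r, meaning both are files. httpd belongs to the
# httpd_exec_t type, and /var/www/html belongs to the httpd_sys_content_t type.

httpd belongs to the executable type httpd_exec_t, while /var/www/html belongs to httpd_sys_content_t, a type that the httpd domain is allowed to read. In words this is not so easy to follow, so let's use a figure to explain the relationship.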

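Figure 7.4-2: Relationship between the domain obtained by the subject process and the type of the object file resource

The figure above can be read like this:

  1. First, we trigger an executable object file, namely /usr/sbin/httpd, which has the httpd_exec_t type;
  2. The type of that file gives the subject process (Subject) created from it the httpd domain. Our policy already defines many rules for this domain, including the types of object resources this domain may read;
  3. Because the httpd domain is set to be able to read object files (Object) of the httpd_sys_content_t type, your web pages placed under /var/www/html/ can be read by the httpd process;
  4. But whether the correct data can finally be read still depends on whether rwx satisfies the Linux permission rules.

This flow tells us several key points. First, the policy needs to define the domain/type relationships in detail. Second, if a file's type is set wrongly, then even with permissions wide open at rwx 777 the subject process cannot read the object file resource. On the other hand, this also avoids the permission trouble caused when a user sets his home directory to 777.


7.4.2 Enabling, disabling and observing SELinux

Not all Linux distributions support SELinux, so you first need to check which release your system is. CentOS 5.x, which is used here, supports SELinux itself, so you do not need to compile SELinux into your Linux kernel. SELinux currently supports three modes, as follows:

So how do you know the current SELinux mode? Use getenforce.

[root@www ~]# getenforce
Enforcing  <== there, it shows that the current mode is Enforcing

And how do we know which SELinux policy (Policy) is in use? Look at the configuration file:

[root@www ~]# vim /etc/selinux/config
SELINUX=enforcing     <== set to enforcing|disabled|permissive
SELINUXTYPE=targeted  <== currently only targeted and strict


The above shows the default policy and the mode at start-up. Note that if you change the policy you need to reboot; and if you change from enforcing or permissive to disabled, or from disabled to either of the other two, you must also reboot. This is because SELinux is integrated into the kernel: while SELinux is running you can only switch between enforcing and permissive mode, you cannot turn SELinux off directly. If you find that getenforce shows disabled, change the file above to enforcing and then reboot.

Note, however, that when going from disabled to a mode with SELinux enabled, the system has to write security context information for the files, so the boot process spends quite some time waiting while the SELinux security contexts (sometimes also called SELinux Labels) are rewritten, and once the writing is done it has to reboot once more. You will have to wait a long time. After the next successful boot, use getenforce to see whether the system came up in Enforcing mode.

If you are already in Enforcing mode but, perhaps because of some configuration problem, SELinux keeps certain services from working properly, you can change from Enforcing to permissive mode, so that SELinux only issues warning messages about what would not be allowed, instead of directly blocking the subject process's access. The way to switch the SELinux mode between enforcing and permissive is:

[root@www ~]# setenforce [0|1]
Options and arguments:
0 : switch to permissive mode;
1 : switch to Enforcing mode

# Example 1: switch SELinux between Enforcing and permissive and observe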
[root@www ~]# setenforce 0
[root@www ~]# getenforce
Permissive
[root@www ~]# setenforce 1
[root@www ~]# getenforce
Enforcing

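Note, however, that setenforce cannot switch modes while in Disabled mode.


7.4.3 Changing the SELinux type

Since the SELinux type field is so important, how to modify and change it is naturally the most important matter. First, let's see what happens when a file is copied to a different directory.

# Example: copy /etc/hosts to root's home directory and observe the change in SELinux type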
[root@www ~]# cp /etc/hosts /root
[root@www ~]# ls -dZ /etc/hosts /root/hosts /root
-rw-r--r--  root root system_u:object_r:etc_t          /etc/hosts
drwxr-x---  root root root:object_r:user_home_dir_t    /root
-rw-r--r--  root root root:object_r:user_home_t        /root/hosts

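# Example: move /root/hosts to /tmp and observe the change in SELinux type
[root@www ~]# mv /root/hosts /tmp
[root@www ~]# ls -dZ /tmp /tmp/hosts
drwxrwxrwt  root root system_u:object_r:tmp_t          /tmp
-rw-r--r--  root root root:object_r:user_home_t        /tmp/hosts

Did you see? With a plain copy, the SELinux type field is inherited from the target directory, so the type of /root/hosts becomes user_home_t. But with a move, the SELinux type is moved along with the file, so /tmp/hosts still keeps user_home_t and does not become tmp_t, the type of /tmp. Take note! So how do you change /tmp/hosts back to its original etc_t type? For that you use chcon.



[root@www ~]# chcon [-R] [-t type] [-u user] [-r role] file
[root@www ~]# chcon [-R] --reference=reference_file file
Options and arguments:
-R  : also change the subdirectories under the directory;
-t  : followed by the type field of the security context, e.g. httpd_sys_content_t ;
-u  : followed by the identity, e.g. system_u;
-r  : followed by the role, e.g. system_r;
--reference=reference_file: use a file as the model for changing the type of the file that follows

# Example: change the type of the /tmp/hosts from before to etc_t
[root@www ~]# chcon -t etc_t /tmp/hosts
[root@www ~]# ll -Z /tmp/hosts
-rw-r--r--  root root root:object_r:etc_t              /tmp/hosts

# Example: using /var/spool/mail/ as the reference, change /tmp/hosts to that type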
[root@www ~]# ll -dZ /var/spool/mail
drwxrwxr-x  root mail system_u:object_r:mail_spool_t   /var/spool/mail
[root@www ~]# chcon --reference=/var/spool/mail /tmp/hosts
[root@www ~]# ll -Z /tmp/hosts
-rw-r--r--  root root system_u:object_r:mail_spool_t   /tmp/hosts

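With chcon, we have to know in advance which SELinux type we finally want before the change can succeed. What if what you want is to "restore the original SELinux type"? Then see the command below.



[root@www ~]# restorecon [-Rv] file_or_directory
Options and arguments:
-R  : change subdirectories as well;
-v  : show the process on the screen

# Example: move the /tmp/hosts from before to /root and correct it to the default security context
[root@www ~]# mv /tmp/hosts /root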
[root@www ~]# ll -Z /root/hosts
-rw-r--r--  root root system_u:object_r:mail_spool_t   /root/hosts
[root@www ~]# restorecon -Rv /root
restorecon reset /root/hosts context system_u:object_r:mail_spool_t:s0->
root:object_r:user_home_t:s0
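# The two lines above are really one line; it says hosts was changed from mail_spool_t to user_home_t


From these exercises you can see that the SELinux type may change when files are copied or moved, so you need to make good use of commands such as chcon and restorecon to correct it. You will probably still wonder about one thing: how does restorecon know the default SELinux type recorded for each directory? Because the system keeps a record, in /etc/selinux/targeted/contexts. But that directory contains a lot of different data, and looking through it with a text editor is tedious, so we can use the semanage command to query and modify it.

[root@www ~]# semanage {login|user|port|interface|fcontext|translation} -l
[root@www ~]# semanage fcontext -{a|d|m} [-frst] file_spec
Options and arguments:
fcontext : mainly for security context purposes; -l means query;
-a : add; you can add default security context type settings for directories;
-m : modify;
-d : delete.

# Example: look up the default security context setting for /var/www/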
[root@www ~]# semanage fcontext -l | grep '/var/www'
SELinux fcontext      type       Context
/var/www(/.*)?        all files  system_u:object_r:httpd_sys_content_t:s0
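....(rest omitted)....

From the description above we know that semanage can handle a great many tasks, but in this subsection what we mainly want to know is the default security context of each directory. As the example above shows, we can look up the security context of each directory, and the directory setting can use a regular expression to specify a range. What if we want to add a security context for some directory of our own? For example, if I want to make /srv/vbird the public_content_t type, how do I specify it?

# Example: use semanage to set the default security context type of /srv/vbird to public_content_t
[root@www ~]# mkdir /srv/vbird
[root@www ~]# ll -Zd /srv/vbird
drwxr-xr-x  root root root:object_r:var_t    /srv/vbird
# As shown above, by default it should be var_t.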

[root@www ~]# semanage fcontext -l | grep '/srv'
/srv/.*                   all files  system_u:object_r:var_t:s0 <== look here
/srv/([^/]*/)?ftp(/.*)?   all files  system_u:object_r:public_content_t:s0
....(rest omitted)....
# The above is the default security context data under /srv; /srv/vbird is not specified there

[root@www ~]# semanage fcontext -a -t public_content_t "/srv/vbird(/.*)?"
[root@www ~]# semanage fcontext -l | grep '/srv/vbird'
/srv/vbird(/.*)?          all files  system_u:object_r:public_content_t:s0

[root@www ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes
/srv/vbird(/.*)?    system_u:object_r:public_content_t:s0
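# So it is simply written into this file. ^_^

[root@www ~]# restorecon -Rv /srv/vbird* <== try restoring the default
[root@www ~]# ll -Zd /srv/vbird
drwxr-xr-x  root root system_u:object_r:public_content_t /srv/vbird
# With a default in place, fixing it later with restorecon is simpler.

semanage has many functions, but the only one I mainly use is the fcontext operation. As shown above, you can use semanage to query the defaults of all directories and also to add default settings. Once you have learned these basic tools, SELinux will not be all that difficult for you.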


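7.4.4 Adjusting rule booleans in the SELinux policy

As said earlier, the rwx file permission check begins only after SELinux verification has been passed, and the SELinux decision depends mainly on (1) the policy rules and (2) the SELinux types of the process and the file matching before access is let through. The previous subsection dealt with the SELinux type; this subsection deals with the policy rules, including how to query whether the relevant rules allow access and how to change that.


CentOS 5.x uses the targeted policy by default. How many rules does this policy provide? You can query that with seinfo.

[root@www ~]# seinfo [-Atrub]
Options and arguments:
-A  : list all information: SELinux status, rule booleans, identities, roles, types and so on
-t  : list all SELinux types (type)
-r  : list all SELinux roles (role)
-u  : list all SELinux identities (user)
-b  : list all rule categories (booleans)

# Example 1: list the SELinux statistics under this policy
[root@www ~]# seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS) <== shows the policy file and its version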

   Classes:            61    Permissions:       220
   Types:            1831    Attributes:        214
   Users:               3    Roles:               6
   Booleans:          263    Cond. Expr.:       246
   Sensitivities:       1    Categories:       1024
   Allow:          128513    Neverallow:          0
   Auditallow:         42    Dontaudit:        7215
   Role allow:          5    Role trans:          0
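....(rest omitted)....
# From the above we can see that this policy is targeted and has 1831 SELinux types;
# and 263 rules (Booleans) have been defined for network services.

# Example 2: list the rules (booleans) related to httpd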
[root@www ~]# seinfo -b | grep httpd
Rule loading disabled
Conditional Booleans: 263
   allow_httpd_mod_auth_pam
   allow_httpd_bugzilla_script_anon_write
   httpd_enable_ftp_server
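....(rest omitted)....
# As you can see, a great many rules related to httpd are defined.

From the above we can see the booleans related to httpd. In the same way, if you want to find the security context types containing the string httpd, you can query with "seinfo -t | grep httpd". Once you have found the relevant type or boolean and want to know the detailed rules, you need the sesearch command.

[root@www ~]# sesearch [-a] [-s subject_type] [-t object_type] [-b boolean]
Options and arguments:
-a  : list all information related to the type or boolean
-t  : followed by a type, e.g. -t httpd_t
-b  : followed by a boolean rule, e.g. -b httpd_enable_ftp_server

# Example 1: find the information related to the object file resource type httpd_sys_content_t
[root@www ~]# sesearch -a -t httpd_sys_content_t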
Found 95 av rules:
   allow rpm_t httpd_sys_content_t : file { ioctl read write ... };
   allow semanage_t httpd_sys_content_t : file { ioctl read  ... };
   allow rpm_t httpd_sys_content_t : dir { ioctl read write  ... };
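....(rest omitted)....
# "allow  subject-process security context type  target-file security context type"
# As shown above, this tells which subject process types can read this type, and the class of the target file resource.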

# Example 2: find all information where the subject process is httpd_t and the target file type is httpd-related
[root@www ~]# sesearch -s httpd_t -t httpd_* -a
Found 205 av rules:
....(omitted)....
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
   allow httpd_t httpd_sys_content_t : lnk_file { ioctl read getattr lock };
....(rest omitted)....
# From the data above you can see that a process of type httpd_t is allowed to read
# httpd_sys_content_t!

AiHܻdߨYӥD{ (subject) iHŪؼɮ׸귽 (Object) A qڭ̤WmߡAڭ̤]iHܻPNDA httpd_t iHŪ httpd_sys_content_t oI pGOLȩOH̭SWdFHڭ̨ӬݬݥG

# Example 3: I know there is a boolean named httpd_enable_homedirs; how many rules does this boolean govern?
[root@www ~]# sesearch -b httpd_enable_homedirs -a
Found 21 av rules:
   allow httpd_suexec_t user_home_dir_t : dir { getattr search };
   allow httpd_suexec_t cifs_t : file { ioctl read getattr ... };
   allow httpd_suexec_t cifs_t : dir { ioctl read getattr  ... };
....(rest omitted)....

qoӥLȪ]wڭ̥iHݨ̭WdFD`hD{ǻPؼɮ׸귽P_I ҥHADFAڳWdodzWhANOLȪذաI]NOڭ̤eһ@WhO]I AD{ǯ_Yǥؼɮ׶isAPoӥLȫD`YI]LȥiHNWh]wҰ (1) Ϊ̬O (0) աI


Wڭ̳zL sesearch DFA Subject P Object _svAOPLȦA tΦh֥LȥiHzL seinfo -b ӬdߡAACӥLȬOҰʪ٬OOHoNӬd߬ݬݧaG

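[root@www ~]# getsebool [-a] [boolean]
Options and parameters:
-a  : list all booleans on the system and whether each is currently set on or off

# Example 1: query the settings of all booleans on this system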
[root@www ~]# getsebool -a
NetworkManager_disable_trans --> off
aisexec_disable_trans --> off
allow_console_login --> off
....(rest omitted)....
# See! This tells you the current state of the booleans!

pGdߨYӥLȡAåBH sesearch DӥLȪγ~AQnαҰʥLASӦpBmH

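[root@www ~]# setsebool [-P] boolean=[0|1]
Options and parameters:
-P  : write the setting into the configuration file so that it stays in effect in the future

# Example 1: check whether httpd_enable_homedirs is off; if it is not, turn it off
[root@www ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on  <== the result is on, so turn it off as the exercise asks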

[root@www ~]# setsebool -P httpd_enable_homedirs=0
[root@www ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off

o setsebool ̦nOo@wn[W -P ﶵI]oˤ~N]wgJ]wɡI oOD`ΪuաIA@wnDpϥ getsebool P setsebool ~I


7.4.5 Services needed for SELinux log recording

WzO\AרO setsebool, chcon, restorecon AOFAYǺAȵLk`Ѭ\ɡA ~ݭniק諸@ǫOʧ@COAڭ̫򪾹DӮɭԤ~ݭnioǫOקڡHڭ̫򪾹DtΦ] SELinux DɭPAȤlڡHpGnaΤݳsuѤ~ӭDA]ӨSIJvFIҥHAڭ̪ CentOS 5.x Ѥ@䰻AȦbn SELinux ͪ~INO setroubleshoot C


XGҦ SELinux {|H se }YAoӪAȤ]OH se }YI troubleshoot jaDO~JAA ]o setroubleshoot ۵MNonҰʥLաIoӪAȷ|N SELinux ~TPJAkO /var/log/messages YAҥHA@wonҰʳoӪAȤ~nCҰʳoӪAȤeMNOonw˥աIoN`@ݭnӳnAOO setroublshoot P setroubleshoot-serverApGASwˡAЦۦϥ yum w˧aI pb}ɭԴNҰ setroubleshoot OHo˳BzG

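[root@www ~]# chkconfig --list setroubleshoot
setroubleshoot  0:off  1:off  2:off 3:on  4:on  5:on  6:off
# Our Linux runs in run level 3 or 5, so these two only need to be on.

[root@www ~]# chkconfig setroubleshoot on
# chkconfig is covered in a later chapter; --list shows whether the service is started in each run level,
# adding on starts it at boot, and off means it is not started at boot.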

oAȹw]XG|ҰʰաIDAݨ 3:off 5:off ɡA~ݭnHy chkconfig setroubleshoot on z h]w@UCpGoͿ~ɡATOHڭ̨ϥ httpd o{ͪ~ӻnFC]AݭnҰ WWW AA ڭ̪ WWW O httpd oAȴѪA]Anw˥BҰʥ~G

[root@www ~]# yum install httpd
[root@www ~]# /etc/init.d/httpd start
[root@www ~]# netstat -tlnp | grep http
tcp     0   0 :::80   :::*              LISTEN      2455/httpd
tcp     0   0 :::443  :::*              LISTEN      2455/httpd
# See? Port 80 has been started! That is the key point!

oӮɭԧڭ̪ WWW ANw˧FCڭ̪Om /var/www/html ؿUABɦWnO index.htmlC pGڨϥΩUҦӶi歺BzɡAiN| SELinux DFIڭ̴NӼ@UXDpaI

[root@www ~]# echo "My first selinux check" > index.html
[root@www ~]# ll index.html
-rw-r--r-- 1 root root 23  9 20 23:27 index.html  <== permissions are fine
[root@www ~]# mv index.html /var/www/html

ɧڭ̴NiH}sAMbsWJ Linux ۤv IP ӬdݡAݯणsWۤv WWW C Oo}Cݭno˿J~Ghttps:///index.htmlAA|ݨpUeG

Figure 7.4-3: Illustration of the SELinux error display

e̩㪺aNOiDAAAèSviHs index.html IFIvO諸IH SYANzL setroubleshoot \hˬdݬݡCɽФR@U /var/log/messages eaIIoˡG

[root@www ~]# cat /var/log/messages | grep setroubleshoot
Sep 20 23:29:55 www setroubleshoot: SELinux is preventing the httpd from 
using potentially mislabeled files (/var/www/html/index.html). For complete 
SELinux messages. run sealert -l 077202c1-561a-4f27-9ba7-bf08e134f006

W~TiOP@IjOySElinux QΨקK httpd Ū~wʥA Qnd\㪺ơAа sealert -l ...zSIA`NFIINO sealert -l աI WѪTäAQn󧹾㪺ona sealert tX쪺~NXӳBzC ڳBz|oˡG

[root@www ~]# sealert -l 077202c1-561a-4f27-9ba7-bf08e134f006
Summary:

SELinux is preventing the httpd from using potentially mislabeled files
(/var/www/html/index.html).  <== the same message as in /var/log/messages

Detailed Description:        <== a more complete description follows; read it!

SELinux has denied httpd access to potentially mislabeled file(s)
(/var/www/html/index.html). This means that SELinux will not allow httpd to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:   <== what you need to do to allow the access

If you want httpd to access this files, you need to relabel them using
restorecon -v '/var/www/html/index.html'. You might want to relabel the entire
directory using restorecon -R -v '/var/www/html'.
....(rest omitted)....

INOWSrܪaIAunӵۡyAllowing Accessz̭ܥhiBzA NA SELinux ]wFIڭ̤WӤp`쪺 restorecon P chcon ANDA setroubleshoot ѪThĤFaI ޥXFԣ SELinux DAjb setroubleshoot AȤN|iDAѨMDIҥHAܦhF卖έII


pGCճon /var/log/messages hRAuO·ЪڡISYAڭ̥iHzL email console 觋ӱNT͡I ]NOAڭ̥iH setroubleshoot DʪoeͪTڭ̫w email Ao˥iHKڭ̧YɪRIH Nק setroubleshoot ]wɧYiCAiHd\ /etc/setroubleshoot/setroubleshoot.cfg oɮתeA ڭ̥uݭnק諸apUG

[root@www ~]# vim /etc/setroubleshoot/setroubleshoot.cfg
[email]
# Around line 76; this line must exist!
recipients_filepath = /var/lib/setroubleshoot/email_alert_recipients

# Around line 169; change the original False to True!
console = True

[root@www ~]# vim /var/lib/setroubleshoot/email_alert_recipients
root@localhost
your@email.address

[root@www ~]# /etc/init.d/setroubleshoot restart

ANiHzLRA email Өo SELinux ~ToID`²aIuOn`NAWzg email ɮפA ugbAAnsP @localhost gWAo˥W root ~বHINo²I ^_^


ڭ̨²檺`aI]AsunqL SELinux ~vPw~~ rwx vC SELinux DnSG (1)ݭnqLFUWh (2)~i SELinux type wʥ媺Aoⶵu@onT~Cӫ SELinux קDnOzL chcon, restorecon, setsebool OӳBzCOpBzOHiHzLR /var/log/messages Ѫ setroubleshoot TӳBmIo˴NܻPiH޲zA SELinux oI

OpG]Yǭ]A|Ҩӻ CentOS SWd쪺 setroubleshoot TɡAiA٬OLkAѨƱ쩳O̥XC ɧڭ̷|o˫ijG

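  1. When the service and the rwx permissions are both fine but the network service still cannot be used;
  2. first use setenforce 0 to switch to permissive mode;
  3. use the network service again. If it now works, SELinux is the problem, so continue below. If it still does not work, the problem is not in SELinux! Look for another solution; the steps below do not apply to you;
  4. analyse the messages in /var/log/messages, find the information about sealert -l and run it;
  5. find the Allow Access keyword and follow the action given there to overcome the SELinux error;
  6. when done, run setenforce 1 again and test the network service once more!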
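
An added example, not part of the original page: the log-analysis step of this procedure as a small shell function that groups the setroubleshoot lines of a syslog file by alert ID and prints the matching `sealert -l` command for each. The function names are hypothetical, and every sample log line except the first (the message quoted earlier on this page) is constructed.

```shell
#!/bin/sh
# Added example. sample_log and selinux_alerts are hypothetical helper names.

# Constructed sample in the /var/log/messages format shown on this page
# (line 1 is the page's message; the other lines are made up for the demo).
sample_log() {
    cat <<'EOF'
Sep 20 23:29:55 www setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 077202c1-561a-4f27-9ba7-bf08e134f006
Sep 20 23:30:01 www crond[2101]: (root) CMD (run-parts /etc/cron.hourly)
Sep 20 23:31:12 www setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 077202c1-561a-4f27-9ba7-bf08e134f006
Sep 20 23:40:47 www setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/news.html). For complete SELinux messages. run sealert -l 11111111-2222-3333-4444-555555555555
EOF
}

# Print one tab-separated line per alert ID, in first-seen order:
#   hit count, last time seen, affected path, command to run for details.
selinux_alerts() {
    awk '
    / setroubleshoot: / && /sealert -l / {
        id = $NF                               # alert ID is the last field
        if (id !~ /^[0-9a-f-]+$/) next         # skip lines with a malformed ID
        path = "-"
        if (match($0, /\(\/[^)]*\)/))          # first "(/absolute/path)" in the message
            path = substr($0, RSTART + 1, RLENGTH - 2)
        if (!(id in count)) order[++n] = id    # remember first-seen order
        count[id]++
        last[id] = $1 " " $2 " " $3            # month day time of the latest hit
        where[id] = path
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf "%d\t%s\t%s\tsealert -l %s\n", count[id], last[id], where[id], id
        }
    }' "$1"
}

# Demo on the embedded sample; on a real host pass /var/log/messages instead.
tmp=$(mktemp) && sample_log > "$tmp" && selinux_alerts "$tmp"
rm -f "$tmp"
```

Repeated denials for the same file collapse into one row, so the count column shows which alert to handle first.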

o˴NܻP޲zA SELinux աIݭnQӦhIRnɴNաI


7.5 Repairing a host after an attack

pGADQӳQoavܡAӧA]ѩAѨDʱݭnAҥHb̵uɶo{@ƥA ӦpwoӳQJIDӭ״_HpGAn״_ܡAAoӺޤHٻݭnB~ޯH Uڭ̴Nӽͤ@͡C


7.5.1 Skills a network administrator should have

qĤ@p`RAA|o{ٯuO֪ALݭn@~tΦ@w{תxA {ǪB@PvhݭnAѡA_hN·ФFIF@~tΪ򥻷~A ̺ٻݭnԣSޥOHMݭnڡI@Ḏ`oͰDpA Oѡy~ΩҲͪzAҥHڡAAuަnDӤwOySkDzաI UNӽͽͧAٻݭnԣޥOH


7.5.2 Workflow for recovering a host after an attack

ҿסyʱK@zڡAHOA`|Ҽ{gpAU@ADN]oy@zɭPQJIFA ӫHѤWAڭ̪Dy차zOYA]L|bAtΤU}ӫ (Back door) ̥iHnJADAӥBٷ|«A Linux W{AA䤣Ӥ차{IH

ܦhBͳߺDyϥunN root KX^ӴNnFz o˪[IAƹWAˤ@D٬OQ~MIڡIҥHA U@ADQJIFA̦nk٬OyswLinux z|bI

Ӧp󭫷sw˩OHܦhBͤ@AawˡAo@AaQJI㬰OH]LSyOаVzڡII Uڭ̴Nӽͤ@͡A@QJIDӦp״_nH

  1. Unplug the network cable immediately:

    JMo{QJIFAĤ@ƱNO\I\²檺@k۵MNOޱuFI ƹWAu̥Dn\ణFO@ۤv~A٥iHO@P쪺LDC򻡩OH| 2003 ~ 8 ofefrnFAL|PVP줧LDIҥHAްuAݪ̥ߧYNLkiJA Linux DAӥBA٥iHO@줺LDڡI

  2. Analyse the log files and search for the possible intrusion path:

    QJIAMOunsw˴NnAٻݭnB~R yڪDo@|QJIAOpJIHzA pGAXDIA򤣦A Linux \OߨWjFAD]|VӶVwI ӦpGADpXQJIi~|A򭫷sw˫AU٬OiQHP˪kJIڡI ·ЪաInFAӦpXJI~|OH

    • RnGCŪ cracker q`ȬOQΤunӤJIAtΡAҥHڭ̥iHǥѤR@ǥDnnɨӧX𫍧 IP HΥi঳D|}CiHR /var/log/messages, /var/log/secure ٦Q last OӧXWnJ̪TC

    • ˬdD}񪺪AGܦh Linux ϥΪ̱``oۤvtΤW}Fh֪AȡHڭ̻LACӪAȳ|}Ϊ̬OӱҥΪWjΪ̬Oի\A ҥHAXAtΤWAȡAåBˬd@UCӪAȬO_|}AΪ̬Ob]wWFʥAM@Ӥ@ӪzaI

    • d Internet WwqG zLwqAѤ@U̷s|}TAwADNbWI

  3. Back up important data:

    DQJIAoD۷YAOH]DW۷nưڡIpGDWSnơA 򪽱sw˴NnFIҥHAQJIAˬdFJI~|AAӴNOnƥnƤFC nFAݭӰDAOynzHwho, ps, ls OOnƶܡH٬O httpd.conf ]wɬOnơHSΪ̬O /etc/passwd, /etc/shadow ~OnơH

    I򥻤WAnӬOyD Linux tΤW즳zAҦp /etc/passwd, /etc/shadow, WWW , /home ̭ϥΪ̭nɮ׵Aܩ /etc/*, /usr/, /var ؿUơANoݭnƥFC `NGnƥ@ binary ɡA] Linux tΦw˧᥻ӴNoɮסA~A oɮפ]ܦiywgQ«LFzAƥoǸơAϦӳyUt٬ObI

  4. Reinstall from scratch:

    ƥFơAAӴNOsw Linux tΤFCӦbowˤA A̦nܾAXAۤvwˮMYiAnM󳣵LwˤWhڡIMII

  5. Patch the software vulnerabilities:

    OoڡAsw˧AХߧYsAtήMA_h٬O|QJIաIwbLbҤUN Internet W|}׸ɮMUUӡAMN_ӡAM᮳ۤvw˧tΤWAmount CD LsAsAåB]wFAPɶiU@BJy βݭnAzAڤ~NuWDdWI ]Twbw˧AsW Internet hsM󪺳oqɶA||SJI....

  6. Shut down or remove unneeded services:

    oӭnʤݭnAFaHIҥζV֪AȡAtηMiHQJIiʴNCC

  7. Restore the data and the service settings:

    ƥƭn򪺽ƻs^ӨtΡAPɱNtΪAȦAs}AЪ`NA oǪAȪ]w̦nAT{@UAקK@Ǥ]wѼƦbYI

  8. Connect to the Internet:

    Ҧu@i檺thFA~N讳uWӧaI_DB@FI

gLo@sꪺʧ@AADӷ|_bҡA٤౼HߡA ̦n٬OѦҨ𪺳]wAåBh譱Ѧ Internet W@ǦѤ⪺gAnADiHw@ǡI


I^U

ҫm

ѦҸƻP\Ū

2002/08/12GĤ@I
2003/08/23GssƻPW[I^UBҫm
2006/08/31GNª峹ʨBC
2006/09/06GW[ SELinux ²满AW[ ACL ءI
2010/09/06GNª CentOS 4.x g峹ʦBC
2010/09/09G]¨ϥ CentOS A]F apt s\oI
2010/09/21GNª suf P ɯŮM ʨsؿhFI
2010/09/21G٦\hƥ]A(1)I^U/(2)ҫm/(3)\Ū٨SJnCuOio@ӤwC