Howto: Redhat Enterprise Linux SELinux policy guide

Posted on in Categories CentOS, Howto, Linux, Linux distribution, RedHat/Fedora Linux, Security, Sys admin, Troubleshooting, Tuning last updated August 22, 2007

Security-Enhanced Linux (SELinux) adds mandatory access control to Linux through the Linux Security Modules (LSM) framework in the kernel. SELinux is enabled by default in RHEL 5 / CentOS 5 / Fedora, but many admins disable it because of the trouble it causes and the difficulty of configuring it. Disabling it throws the protection away for every process on the box; if SELinux gets in the way of one application, the better course is to switch to permissive mode (setenforce 0), collect the denials from the audit log, and build a local policy module that allows only what that application needs. The new GUI tools make customizing your system's protection by creating such policy modules easier than ever. In this article, Dan Walsh gently walks you through the policy module creation process:

A lot of people think that building a new SELinux policy is magic, but magic tricks never seem quite as difficult once you know how they’re done. This article explains how I build a policy module and gives you the step-by-step process for using the tools to build your own.

=> A step-by-step guide to building a new SELinux policy module

SCO Cannot Sue Linux Community as Novell Wins Ruling Against SCO

Posted on in Categories Linux, News last updated August 12, 2007

On May 12, 2003 SCO attacked Linux and the companies using it. Now U.S. District Court Judge Dale Kimball has ruled that Novell, not SCO, owns the Unix and UnixWare copyrights, so SCO has no Unix IP rights of its own to assert against Linux users.

This ruling is good news for organizations and end users like you and me who use Linux and open-source software products every day.

It all started when SCO filed a suit against IBM, claiming that IBM had violated SCO's rights by contributing Unix code to the Linux kernel. With this ruling, SCO's threat to the Linux community is over.

Novell Wins Ruling Against SCO In High-Profile Linux Case:

"The court's ruling has cut out the core of SCO's case and, as a result, eliminates SCO's threat to the Linux community based upon allegations of copyright infringement of UNIX," Novell said in a statement. "We are extremely pleased with the outcome."

Quick tip: Tell what hardware is connected via USB to my Linux desktop

Posted on in Categories Howto, Linux, Linux desktop, Linux laptop, Linux portables, Troubleshooting, Ubuntu Linux last updated July 6, 2007

USB devices are quite common these days. I've a digital camera, a pen drive, an external hard disk, a mouse and other stuff. So how do I tell what hardware is connected via USB to my Linux desktop?

lsusb is a utility for displaying information about the USB buses in the system and the devices connected to them. The man page of the day says that to make use of all the features of this program you need a kernel which supports the /proc/bus/usb interface (usbfs); current usbutils releases get the same information through libusb and sysfs (/sys/bus/usb), so that requirement only matters on old kernels. Any user can run the plain listing; the full descriptor dump needs read access to the device nodes, which usually means root.

The -v option is very informative. It tells lsusb to be verbose and display detailed information about the devices shown, including the configuration descriptors for each device's current speed. Class descriptors are shown, when available, for USB device classes including hub, audio, HID, communications and chipcard.

lsusb command Examples

lsusb        # one line per device: bus, device number, vendor:product ID and description
lsusb -t     # tree view of buses, hubs, ports and the driver bound to each device
lsusb -v     # full descriptor dump (run as root to read every device)
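The one-line listing is what you keep for inventory: each device shows up as a vendor:product ID, and a saved copy of that output can be diffed against what you expect on the machine. The script below is an added example for this post, not part of lsusb or usbutils; it compares lsusb output against an allowlist of IDs and prints whatever is not on it. The allowlist and the lsusb output written by write_samples are constructed for the worked run, and the file names are assumptions.

```sh
#!/bin/sh
# usbcheck.sh: compare the devices lsusb reports against an allowlist of
# vendor:product IDs and print whatever is not on it.
# Added example for this post, not part of lsusb or usbutils. The allowlist and
# lsusb output written by write_samples are constructed.

# usb_unexpected ALLOWFILE [LSUSB_OUTPUT]
# ALLOWFILE holds one vendor:product ID per line (# comments allowed).
# LSUSB_OUTPUT is a saved copy of "lsusb" output; without it, lsusb is run.
# Prints "ID description" for each device whose ID is not on the allowlist.
usb_unexpected() {
    allow=$1
    if [ -n "${2:-}" ]; then cat "$2"; else lsusb; fi |
    awk -v allowfile="$allow" '
        BEGIN {
            while ((getline line < allowfile) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") ok[tolower(line)] = 1
            }
            close(allowfile)
        }
        # lsusb lines look like: Bus 001 Device 004: ID 0781:5567 SanDisk Corp. Cruzer Blade
        $1 == "Bus" && $5 == "ID" {
            id = tolower($6)
            if (!(id in ok)) {
                desc = $0
                sub(/^.*ID [0-9a-fA-F]+:[0-9a-fA-F]+ ?/, "", desc)
                print id, desc
            }
        }
    '
}

# Constructed allowlist and lsusb output used for the worked run: the root hub
# and the mouse are expected, the flash drive is not.
write_samples() {
    cat > "$1/allowed-usb-ids" <<'EOF'
# root hub and the desktop's mouse
1d6b:0002
046d:c077
EOF
    cat > "$1/lsusb.txt" <<'EOF'
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 004: ID 0781:5567 SanDisk Corp. Cruzer Blade
EOF
}

# Usage: usbcheck.sh /etc/allowed-usb-ids     (checks the live lsusb output)
if [ $# -eq 1 ]; then
    usb_unexpected "$1"
fi
```

Treat the output as inventory, not enforcement: a device under an attacker's control can present any vendor:product ID it likes, so an allowlist built on IDs tells you what is plugged in today, while blocking unknown devices is a job for udev rules or usbguard.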

Linux device driver tutorial using kernel driver frameworks

Posted on in Categories Howto, Linux, Open source coding last updated July 5, 2007

A device driver is a computer program that allows other programs to interact with a hardware device. Writing a Linux device driver is considered a black art by many. If you have ever been tempted to try writing one, this howto will serve as a kick-start guide:

For many seasoned Linux developers, device drivers still remain a bit of a mysterious black art practiced by a select few. While no single article could possibly attempt to cover everything there is to know about writing drivers, Valerie Henson gives us a brief taste of what's involved, by implementing a device to return "Hello World" using all the major driver frameworks.

On a related note, if you just want a comprehensive overview of kernel configuration and building, a critical task for Linux users and administrators, try Linux Kernel in a Nutshell.

/dev/hello_world: A Simple Introduction to Device Drivers under Linux (linuxdevcenter.com)

/proc/filesystems: Find out what filesystems supported by kernel

Posted on in Categories File system, Linux last updated July 4, 2007

/proc/filesystems lists the filesystems registered with the running kernel: those built into the kernel plus those whose modules are currently loaded. You can quickly run cat or grep on it to display the list. nodev indicates that the filesystem is not backed by a block device such as /dev/sdb1 (it is virtual, like proc, or network-based). If you see ext3 or vfat, the kernel can mount ext3 and vfat filesystems right now.

The following cat command will quickly tell you what filesystems the currently running Linux kernel supports:

$ cat /proc/filesystems
Output:

nodev   sysfs
nodev   rootfs
nodev   proc
nodev   usbfs
        ext3
        vfat
....

For example, if iso9660 is not listed, you cannot mount a standard CD-ROM filesystem at that moment. On a distribution kernel the driver is usually built as a module, so try modprobe iso9660 first (mount normally loads it on demand); the listing then changes to include it. Only if the module does not exist at all do you need to recompile the kernel with iso9660 support. The same file is useful in the other direction: a filesystem driver you never use, but which is registered and mountable, is attack surface you can remove by blacklisting its module.
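A small script, added here as an example for this post rather than anything shipped with the kernel or a distribution, does both checks over the /proc/filesystems format: it answers "is this filesystem registered, and does it want a block device?" and it audits for drivers that hardening checklists commonly want left unregistered. The sample file written by write_sample_filesystems is constructed; the list of filesystems to audit is the caller's choice.

```sh
#!/bin/sh
# fscheck.sh: query /proc/filesystems for one filesystem, and audit for
# filesystems that hardening guides usually want left unregistered.
# Added example for this post, not the kernel's or any distribution's tooling.
# The sample file written by write_sample_filesystems is constructed.

# fs_supported NAME [FILE]
# Exit 0 and print "nodev" or "dev" if NAME is registered in FILE (default
# /proc/filesystems); exit 1 if it is absent. "dev" means it expects a block
# device, "nodev" means it is virtual or network-backed.
fs_supported() {
    awk -v name="$1" '
        $NF == name { kind = ($1 == "nodev") ? "nodev" : "dev"; print kind; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "${2:-/proc/filesystems}"
}

# fs_audit FILE NAME...
# Prints each NAME that is registered in FILE. Feed it the filesystems you do
# not expect on a server (cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs and
# udf are common entries in hardening checklists); anything printed is loaded
# and mountable, which is the condition worth investigating.
fs_audit() {
    file=$1
    shift
    for name in "$@"; do
        fs_supported "$name" "$file" >/dev/null && echo "$name"
    done
    return 0
}

# Constructed sample in /proc/filesystems format (cramfs is registered on
# purpose so that the audit has something to report).
write_sample_filesystems() {
    cat > "$1" <<'EOF'
nodev   sysfs
nodev   rootfs
nodev   proc
nodev   usbfs
        ext3
        vfat
        cramfs
        iso9660
EOF
}

# Usage: fscheck.sh NAME   -- e.g. fscheck.sh iso9660
if [ $# -eq 1 ]; then
    if fs_supported "$1"; then
        echo "$1 is registered with the running kernel"
    else
        echo "$1 is not registered: try 'modprobe $1' before rebuilding the kernel"
    fi
fi
```

fs_audit reports only what is registered at the moment it runs; a module that is blacklisted but still present on disk can be loaded later, so pair the check with the blacklist entries in /etc/modprobe.d if you want the state to stick.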

Redhat Enterprise Linux securely mount remote Linux / UNIX directory or file system using SSHFS

Posted on in Categories Backup, CentOS, File system, Howto, Linux, RedHat/Fedora Linux, Security, Sys admin, Tips last updated May 9, 2007

You can easily mount a remote server's filesystem, or your own home directory on it, using the sshfs and FUSE tools.

FUSE – Filesystem in Userspace

FUSE is a Linux kernel module also available for FreeBSD, OpenSolaris and Mac OS X that allows non-privileged users to create their own file systems without the need to write any kernel code. This is achieved by running the file system code in user space, while the FUSE module only provides a “bridge” to the actual kernel interfaces. FUSE was officially merged into the mainstream Linux kernel tree in kernel version 2.6.14.

SSHFS is the FUSE filesystem that gives you access to a remote filesystem through SSH (other FUSE filesystems exist for other backends, including one that stores files in a Gmail account).

The following instructions were tested on CentOS, Fedora Core and RHEL 4/5 only, but they should work with any other Linux distro without a problem.

Step # 1: Download and Install FUSE

Visit fuse home page and download latest source code tar ball. Use wget command to download fuse package:
# wget http://superb-west.dl.sourceforge.net/sourceforge/fuse/fuse-2.6.5.tar.gz
Untar source code:
# tar -zxvf fuse-2.6.5.tar.gz
Compile and Install fuse:
# cd fuse-2.6.5
# ./configure
# make
# make install

Step # 2: Configure Fuse shared libraries loading

You need to configure dynamic linker run time bindings using ldconfig command so that sshfs command can load shared libraries such as libfuse.so.2:
# vi /etc/ld.so.conf.d/fuse.conf
Append following path:
/usr/local/lib
Run ldconfig:
# ldconfig

Step # 3: Install sshfs

Now FUSE is installed and ready to use. Next you need sshfs to mount a filesystem over ssh. Visit the sshfs home page and download the latest source code tarball. Use the wget command to download the sshfs package:
# wget http://easynews.dl.sourceforge.net/sourceforge/fuse/sshfs-fuse-1.7.tar.gz
Untar source code:
# tar -zxvf sshfs-fuse-1.7.tar.gz
Compile and install sshfs:
# cd sshfs-fuse-1.7
# ./configure
# make
# make install

Mounting your remote filesystem

Now you have working setup, all you need to do is mount a filesystem under Linux. First create a mount point:
# mkdir /mnt/remote
Now mount a remote server filesystem using sshfs command:
# sshfs vivek@rock.nixcraft.in: /mnt/remote
Where,

  • sshfs : SSHFS is a command name
  • vivek@rock.nixcraft.in: – vivek is ssh username and rock.nixcraft.in is my remote ssh server.
  • /mnt/remote : a local mount point

When prompted, supply the password of vivek (the ssh user). Make sure you replace the username and hostname as per your requirements. Note that sshfs is just an ssh client underneath: it uses the same known_hosts and the same authentication methods, so an SSH key (passed with -o IdentityFile=/path/to/key) works here too and is the better choice for anything mounted automatically.

Now you can access your filesystem securely over the Internet or your LAN/WAN:
# cd /mnt/remote
# ls
# cp -a /ftpdata . &

To unmount file system just type:
# fusermount -u /mnt/remote
or
# umount /mnt/remote
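The mount step above is typed interactively and accepts a password; for a mount that runs from a script you want key-based authentication, no password fallback, and a refusal to connect to a host whose key is not already in known_hosts. The wrapper below is an added example for this post, not part of sshfs or FUSE. It assumes the key file already exists, and the SSHFS variable is an assumption that lets a different binary stand in for sshfs (the worked run uses a stub that records its arguments, since nothing here talks to a real server).

```sh
#!/bin/sh
# sshfs_mount.sh: mount a remote directory over SSH with key-based authentication.
# Added example for this post, not from the sshfs project. Assumptions: the key
# file already exists, and SSHFS may be overridden to point at a different binary.
SSHFS=${SSHFS:-sshfs}

# mount_remote USER@HOST:PATH MOUNTPOINT KEYFILE
# Refuses bad arguments (exit 2) and an already-mounted mount point (exit 1),
# then runs sshfs so that it can only succeed with the given key against a
# host whose key is already in known_hosts (no password prompt, no "trust on
# first use"). Options sshfs does not know, such as the ssh_config keywords
# below, are passed straight through to ssh.
mount_remote() {
    target=$1 mnt=$2 key=$3
    case $target in
        *@*:*) ;;
        *) echo "mount_remote: target must look like user@host:path, got '$target'" >&2; return 2 ;;
    esac
    [ -d "$mnt" ] || { echo "mount_remote: mount point $mnt is not a directory" >&2; return 2; }
    [ -r "$key" ] || { echo "mount_remote: key file $key is not readable" >&2; return 2; }
    if grep -qs " $mnt " /proc/mounts; then
        echo "mount_remote: $mnt is already mounted" >&2
        return 1
    fi
    "$SSHFS" "$target" "$mnt" \
        -o IdentityFile="$key" \
        -o PasswordAuthentication=no \
        -o StrictHostKeyChecking=yes \
        -o reconnect
}

# unmount_remote MOUNTPOINT: fusermount is the normal way; plain umount works for root.
unmount_remote() {
    fusermount -u "$1" 2>/dev/null || umount "$1"
}

# Usage: sshfs_mount.sh vivek@rock.nixcraft.in:/home/vivek /mnt/remote /root/.ssh/id_rsa
if [ $# -eq 3 ]; then
    mount_remote "$@"
fi
```

StrictHostKeyChecking=yes is the important line: with the default setting an unattended mount would silently accept a new host key, which is exactly the situation in which a man-in-the-middle goes unnoticed. Seed known_hosts once by hand (ssh-keyscan or a first interactive login), then let the script refuse anything else.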

Turbo charge lighttpd with Linux AIO – Gain more performance

Posted on in Categories Howto, lighttpd, Linux, Networking, RedHat/Fedora Linux, Tuning last updated April 4, 2007

Support for Linux kernel AIO (Asynchronous I/O) has been included since kernel version 2.6. By enabling AIO in Lighttpd you can get a good performance gain. But what is AIO?

Usually your application needs to wait till I/O call is finished. AIO enables even a single application thread to overlap I/O operations with other processing, by providing an interface for submitting one or more I/O requests in one system call without waiting for completion, and a separate interface to reap completed I/O operations associated with a given completion group (see Linux AIO home page for more details).

Lighttpd 1.5.x supports AIO. First make sure you have the libaio headers installed:
# yum install libaio-devel

Next grab the lighttpd source code and compile it with the --with-linux-aio option:
# ./configure --with-openssl --with-linux-aio

Install lighttpd
# make; make install

Create configuration file and put following directive in lighttpd.conf file:
server.network-backend = "linux-aio-sendfile"

Save and close the file. Restart lighttpd:
# /etc/init.d/lighttpd restart

Use the http_load or ab command to benchmark the web server before and after the change, so you can see whether the new backend actually helps your workload.

Please note that I’ve tested above instructions on Redhat Enterprise Linux 4/5 and Cent OS.

Force iptables to log messages to a different log file

Posted on in Categories Iptables, Linux, Monitoring, Security last updated October 3, 2006

According to man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, iptables LOG messages end up in /var/log/messages, mixed with everything else the kernel and other daemons write. However you can change this location. I will show you how to create a new log file called /var/log/iptables.log. Keeping the firewall log in its own file makes it easier to compute statistics, analyze attacks and hand the file to a log analyzer without feeding it unrelated messages.

Iptables default log file

For example, if you type the following command, it will display current iptables log from /var/log/messages file:
# tail -f /var/log/messages
Output:

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append the following line (use a tab between the selector and the file name; older sysklogd releases do not accept spaces there):
kern.warning	-/var/log/iptables.log
Save and close the file. The leading dash tells syslogd not to sync the file after every line, which matters once a port scan produces hundreds of entries per second.

Two caveats. First, kern.warning matches every kernel message at warning level or higher, not only the firewall's, so other kernel warnings will land in the same file; the --log-prefix text set below is what lets you tell them apart. Second, the line for /var/log/messages is still there, so the same messages keep appearing in both files until you exclude the kernel facility from that line (for example with kern.none in its selector).

Restart syslogd (Debian / Ubuntu Linux):
# /etc/init.d/sysklogd restart
On Red Hat / CentOS / Fedora Core Linux, use the following command instead:
# /etc/init.d/syslog restart

Now make sure you pass the --log-level 4 option, together with a --log-prefix, to iptables. The LOG target does not stop rule processing, so the LOG rule must come before the DROP rule: the other way around, the packet is dropped first and never logged. For example:
# Log everything that reaches the end of the INPUT chain, then drop it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop all connections from IP address 64.55.11.2 and log them to your /var/log/iptables.log file:
iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS ** ' --log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP

The -m limit match on the LOG rule caps logging at 5 entries per minute (after an initial burst of 7) for that source, so a flood of packets cannot fill the disk or drown out other messages; the DROP rule has no such limit and still drops every packet. The trailing space inside the prefix keeps it from running into the IN= field of the message.

Where,

  • --log-level 4: Level of logging. Level 4 is warning, which is what the kern.warning selector above matches.
  • --log-prefix '*** TEXT ***': Prefix log messages with the specified prefix (TEXT); up to 29 characters long, and useful for distinguishing messages in the logs.

You can now see all iptables message logged to /var/log/iptables.log file:
# tail -f /var/log/iptables.log
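Once the firewall has its own log file, the question is what to do with it. The script below is an added example for this post, not something shipped with iptables or syslog; it reads the LOG target's output and counts hits per source address, protocol and destination port, optionally restricted to lines carrying one --log-prefix text so that rules logged with different prefixes can be reported separately. The sample lines written by write_sample_log are constructed in the LOG target's format, not captured traffic, and the addresses in them are the ones used elsewhere on this page.

```sh
#!/bin/sh
# iptables_log_summary.sh: summarise what the LOG target wrote to /var/log/iptables.log,
# grouped by source address, protocol and destination port.
# Added example for this post, not part of the original. The sample log lines
# written by write_sample_log are constructed, not captured traffic.

# iptables_summary LOGFILE [PREFIX]
# Prints "COUNT SRC PROTO DPT", most frequent first. With PREFIX, only lines
# carrying that --log-prefix text are counted.
iptables_summary() {
    awk -v prefix="${2:-}" '
        /kernel:/ && /SRC=/ {
            if (prefix != "" && index($0, prefix) == 0) next
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # bare flags such as DF or SYN
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample lines in the LOG target's format: three SSH probes from one
# host logged with a prefix, two SMB probes from another without one, one local
# NetBIOS broadcast, and an unrelated non-kernel line that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: ** HACKERS ** IN=ra0 OUT= SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:14:21 debian kernel: ** HACKERS ** IN=ra0 OUT= SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18375 DF PROTO=TCP SPT=46041 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:14:25 debian kernel: ** HACKERS ** IN=ra0 OUT= SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18376 DF PROTO=TCP SPT=46042 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:15:02 debian kernel: IN=ra0 OUT= SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2201 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:15:09 debian kernel: IN=ra0 OUT= SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2202 DF PROTO=TCP SPT=51001 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= SRC=192.168.1.30 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58
EOF
}

# Usage: iptables_log_summary.sh /var/log/iptables.log ['** HACKERS **']
if [ $# -ge 1 ]; then
    iptables_summary "$@"
fi
```

On the sample data the summary puts 64.55.11.2 hitting port 22 three times at the top, then 200.142.84.36 on port 445 twice, then the NetBIOS broadcast once; filtering on '** HACKERS **' leaves only the first line. Because the rate limit on the LOG rule drops log entries rather than packets, the counts are a lower bound on what the firewall actually blocked from a noisy source.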

Updated for accuracy.