Updated php to version 5.2.17-12 in the CentALT repository for CentOS 5.x, adding the patch "Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830". Previous patches: Updated php to version php 5.2.17-10 for CentOS 5.x; Updated php to version php 5.2.17-9 for CentOS 5.x; Updated php to version php 5.2.17-8 for CentOS 5.x; Updated php [...]
Tag archive: ‘centos’
RPM Httpd 2.2.22 for CentOS 5/6 (reprint)
Built the latest apache 2.2.22 with the ITK patch enabled into the repository. The rpm for CentOS 5 can be downloaded here, or by enabling the CentALT repository for CentOS 5. The rpm for CentOS 6 can be downloaded here, or by enabling the CentALT repository for CentOS 6. Changes with Apache 2.2.22 *) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the [...]
RPM Nginx 1.1.14 for CentOS 5/6 (reprint)
Built the latest version of Nginx 1.1.14. The rpm for CentOS 5 can be downloaded here, or by enabling the CentALT repository for CentOS 5. The rpm for CentOS 6 can be downloaded here, or by enabling the CentALT repository for CentOS 6.
Getting started with SELinux (reprint)
I used to be one of those folks who would install Fedora, CentOS, Scientific Linux, or Red Hat and disable SELinux during the installation. It always seemed like SELinux would get in my way and keep me from getting work done.
Later on, I found that one of my servers (which I'd previously secured quite thoroughly) had some rogue processes running that were spawned through httpd. Had I actually been using SELinux in enforcing mode, those processes would have probably never even started.
If you're trying to get started with SELinux but you're not sure how to do it without completely disrupting your server's workflow, these tips should help:
Get some good reporting and monitoring
Two of the most handy SELinux tools are . If you're running a server without X, you can use . You will receive email alerts within seconds of an AVC denial and the emails should contain tips on how to resolve the denial if the original action should be allowed. If the AVC denial caught something you didn't expect, you'll know about the potential security breach almost immediately.
Start out with SELinux in permissive mode
If you're overly concerned about SELinux getting in your way, or if you're enabling SELinux on a server that has been running without SELinux since it was installed, start out with SELinux in permissive mode. To make the change effective immediately, just run:
    # setenforce 0
    # getenforce
    Permissive
Edit /etc/sysconfig/selinux to make it persistent across reboots:
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=permissive
Adjust booleans before adding your own custom modules
There are a lot of booleans you can toggle to get the functionality you need without adding your own custom SELinux modules with audit2allow. If you wanted to see all of the applicable booleans for httpd, just use getsebool:
    # getsebool -a | grep httpd
    httpd_builtin_scripting --> on
    httpd_can_check_spam --> off
    httpd_can_network_connect --> on
    httpd_can_network_connect_cobbler --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_memcache --> off
    httpd_can_network_relay --> on
    httpd_can_sendmail --> on
    ... and so on ...
Toggling booleans is easy with togglesebool:
    # togglesebool httpd_can_network_memcache
    httpd_can_network_memcache: active
Now httpd can talk to memcache. You can also use setsebool if you want to be specific about your setting (this is good for scripts):
    # setsebool httpd_can_network_memcache on
Tracking your history of AVC denials
All of your AVC denials are logged by auditd in /var/log/audit/audit.log, but it's not the easiest file to read and parse. That's where aureport comes in:
    # aureport --avc | tail -n 5
    45. 01/24/2012 04:23:29 postdrop unconfined_u:system_r:httpd_t:s0 4 fifo_file getattr system_u:object_r:postfix_public_t:s0 denied 1061
    46. 01/24/2012 04:23:29 postdrop unconfined_u:system_r:httpd_t:s0 2 fifo_file write system_u:object_r:postfix_public_t:s0 denied 1062
    47. 01/24/2012 04:23:29 postdrop unconfined_u:system_r:httpd_t:s0 2 fifo_file open system_u:object_r:postfix_public_t:s0 denied 1062
    48. 01/24/2012 14:01:58 sendmail unconfined_u:system_r:httpd_t:s0 160 process setrlimit unconfined_u:system_r:httpd_t:s0 denied 1123
    49. 01/24/2012 14:01:58 postdrop unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:postfix_public_t:s0 denied 1124
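The aureport output above is a summary of raw type=AVC records in audit.log. The following Python example is added here and is not part of the original post: it parses such records and aggregates denials by source type, target type, object class and permission, which is the view you need before deciding whether a boolean or a custom module is the right fix. The sample records are constructed to mirror the httpd_t to postfix_public_t denials listed above.

```python
import re
from collections import Counter

# Raw type=AVC record from /var/log/audit/audit.log (the data aureport --avc summarises).
AVC_RE = re.compile(
    r'^type=AVC msg=audit\(\d+\.\d+:(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),      # one record may carry several permissions
        'comm': kv.get('comm'),
        'tclass': kv.get('tclass'),
        # user:role:type:level -> the type is what policy rules and booleans act on
        'stype': kv['scontext'].split(':')[2],
        'ttype': kv['tcontext'].split(':')[2],
    }

def summarize(lines):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            for perm in rec['perms']:
                counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts

def report(counts):
    """Render the summary as text lines, most frequent denial first."""
    return ['%5d  %s -> %s  %s:%s' % (n, s, t, cls, perm)
            for (s, t, cls, perm), n in counts.most_common()]

# Constructed sample records (not real log data) mirroring the denials shown above.
SAMPLE_LOG = """\
type=AVC msg=audit(1327379009.417:1061): avc:  denied  { getattr } for  pid=2141 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=sda1 ino=4711 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
type=AVC msg=audit(1327379009.417:1062): avc:  denied  { write open } for  pid=2141 comm="postdrop" name="pickup" dev=sda1 ino=4711 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1327379009.417:1062): arch=c000003e syscall=2 success=no exit=-13 comm="postdrop"
type=AVC msg=audit(1327413718.102:1123): avc:  denied  { setrlimit } for  pid=2203 comm="sendmail" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1327413718.102:1124): avc:  denied  { search } for  pid=2203 comm="postdrop" name="public" dev=sda1 ino=4700 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=dir
"""
```

On a real host, `print('\n'.join(report(summarize(open('/var/log/audit/audit.log')))))` gives the same table for the whole log; non-AVC record types are skipped.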
Summary
There's no need to be scared of or be annoyed by SELinux in your server environment. While it takes some getting used to (and what new software doesn't?), you'll have an extra layer of security and access restrictions which should let you sleep a little better at night.
Getting started with SELinux is a post from: Major Hayden's blog.
RPM php-suhosin 0.9.33 for CentOS 5 (reprint)
Updated the php-suhosin package to version 0.9.33. The rpm for CentOS 5 can be downloaded here, or by enabling the CentALT repository for CentOS 5.
RPM Nginx 1.1.13 for CentOS 5/6 (reprint)
Built the latest version of Nginx 1.1.13. The rpm for CentOS 5 can be downloaded here, or by enabling the CentALT repository for CentOS 5. The rpm for CentOS 6 can be downloaded here, or by enabling the CentALT repository for CentOS 6.
Updated php to version php 5.2.17-10 for CentOS 5.x (reprint)
Updated php to version 5.2.17-10 in the CentALT repository for CentOS 5.x, adding patches 60206 60138 60120 55674 55509 55504 52461 55366 55273 52624 43200 54682 60455 60183 55478. Previous patches: Updated php to version php 5.2.17-9 for CentOS 5.x; Updated php to version php 5.2.17-8 for CentOS 5.x; Updated php to version php 5.2.17-7; Updated [...]
Added redis to the repository (reprint)
Added redis to the CentOS 5.x/6.x repository. It can be installed with:
    yum install redis
and started with:
    service redis start
Updated php to version php 5.2.17-9 for CentOS 5.x (reprint)
Updated php to version 5.2.17-9 in the CentALT repository for CentOS 5.x, adding a patch that closes the vulnerability CVE-2011-4566. This vulnerability is fixed in php 5.3.9. Previous patches: Updated php to version php 5.2.17-8 for CentOS 5.x; Updated php to version php 5.2.17-7; Updated php to 5.2.17-4 for CentOS 5.
Added udpxy to the repository (reprint)
Added udpxy to the CentOS 5.x/6.x repository. It can be installed with:
    yum install udpxy
and started with:
    service udpxy start
The port is set in the file /etc/sysconfig/udpxy.