Quote:
Originally Posted by unSpawn
What things? What settings? Please be specific. Let's focus on one service at a time.
If you suspect SELinux what could be interesting instead is:
- 'getsebool -a | grep -i ssh',
- 'rpm -Vv openssh-server|grep -v "\.\{8\}"',
- 'rpm -ql openssh-server|xargs ls -alZ',
- 'ausearch -ts yesterday -sv no -c sshd',
- 'audit2allow < /var/log/audit/audit.log'.
Ah, not adhering to security best practices I see?
What's this?
I enabled SELinux using the config file to make it enforcing from permissive.
We have a master server that we allow root in from so that message is OK.
getsebool -a | grep -i ssh
allow_ssh_keysign --> on
run_ssh_inetd --> off
ssh_sysadm_login --> on
rpm -Vv openssh-server|grep -v "\.\{8\}"
S.5....T c /etc/ssh/sshd_config
rpm -ql openssh-server|xargs ls -alZ
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/pam.d/sshd
-rwxr-xr-x root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/sshd
-rw------- root root root:object_r:etc_t:s0 /etc/ssh/sshd_config
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/libexec/openssh/sftp-server
-rwxr-xr-x root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd
-rw-r--r-- root root system_u:object_r:sbin_t:s0 /usr/sbin/.sshd.hmac
-rw-r--r-- root root system_u:object_r:man_t:s0 /usr/share/man/man5/sshd_config.5.gz
-rw-r--r-- root root system_u:object_r:man_t:s0 /usr/share/man/man8/sftp-server.8.gz
-rw-r--r-- root root system_u:object_r:man_t:s0 /usr/share/man/man8/sshd.8.gz
-rw-r--r-- root root system_u:object_r:locale_t:s0 /var/empty/sshd/etc/localtime
/etc/ssh:
drwxr-xr-x root root system_u:object_r:etc_t:s0 .
drwxr-xr-x root root system_u:object_r:etc_t:s0 ..
-rw------- root root system_u:object_r:etc_t:s0 moduli
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_config
-rw------- root root root:object_r:etc_t:s0 sshd_config
-rw------- root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_host_dsa_key.pub
-rw------- root root system_u:object_r:sshd_key_t:s0 ssh_host_key
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_host_key.pub
-rw------- root root system_u:object_r:sshd_key_t:s0 ssh_host_rsa_key
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_host_rsa_key.pub
/var/empty/sshd:
drwx--x--x root root system_u:object_r:var_t:s0 .
drwxr-xr-x root root system_u:object_r:var_t:s0 ..
drwxr-xr-x root root system_u:object_r:etc_t:s0 etc
/var/empty/sshd/etc:
drwxr-xr-x root root system_u:object_r:etc_t:s0 .
drwx--x--x root root system_u:object_r:var_t:s0 ..
-rw-r--r-- root root system_u:object_r:locale_t:s0 localtime
ausearch -ts yesterday -sv no -c sshd
audit log is not writable by owner
NOTE - using built-in logs: /var/log/audit/audit.log
<no matches>
audit2allow < /var/log/audit/audit.log
#============= audisp_t ==============
allow audisp_t httpd_sys_content_t:dir search;
#============= avahi_t ==============
allow avahi_t tmp_t:file { write read };
allow avahi_t user_home_t:file { read write };
#============= gpm_t ==============
allow gpm_t httpd_sys_content_t:dir search;
#============= httpd_t ==============
allow httpd_t file_t:dir { search getattr };
#============= ifconfig_t ==============
allow ifconfig_t tmp_t:file { write read };
allow ifconfig_t user_home_t:file { read write };
#============= iptables_t ==============
allow iptables_t tmp_t:file { write read };
allow iptables_t user_home_t:file { read write };
#============= irqbalance_t ==============
allow irqbalance_t httpd_sys_content_t:dir search;
#============= setrans_t ==============
allow setrans_t httpd_sys_content_t:dir search;
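Reading the verify and context output posted above takes a little decoding, so here is an added example (not code from the thread or from any of its participants): a small Python parser for 'rpm -Vv' flag strings and 'ls -alZ' lines that reports the items a reviewer would look at first, such as a file whose SELinux user is not system_u (as sshd_config shows above) or a non-config file whose digest changed. The sample input is copied from the output above, except for two constructed rpm lines (an unchanged /usr/sbin/sshd and a modified sftp-server, added only to exercise the non-config check); the expected-type table is taken from the unmodified entries in the listing.

```python
"""Decode rpm verify flags and SELinux file contexts from pasted command output.
Added example for the thread above; the EXPECTED_TYPE table comes from the listing there."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# rpm(8) verify flag letters by position: classic rpm prints 8 (SM5DLUGT), newer rpm 9 (+P).
RPM_VERIFY_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink target",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
# Attribute marker rpm prints between the flags and the path.
RPM_ATTR = {"c": "config", "d": "documentation", "g": "ghost", "l": "license", "r": "readme"}
LS_MODE = re.compile(r"^[-dlcbps][rwxsStT-]{9}[.+]?$")


@dataclass
class RpmVerifyEntry:
    path: str
    missing: bool = False
    attr: Optional[str] = None        # "config", "documentation", ... or None
    changed: Tuple[str, ...] = ()     # decoded flags, e.g. ("size", "digest", "mtime")


@dataclass
class FileContext:
    path: str
    mode: str
    owner: str
    group: str
    se_user: str
    se_role: str
    se_type: str
    se_level: str


def parse_rpm_verify(text: str) -> List[RpmVerifyEntry]:
    """Parse 'rpm -V' / 'rpm -Vv' lines; unchanged files ('........') come back with changed=()."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$", line.rstrip())
        if not m:
            continue                  # warnings and other non-verify lines
        flags, attr, path = m.groups()
        if flags == "missing":
            entries.append(RpmVerifyEntry(path, missing=True, attr=RPM_ATTR.get(attr)))
            continue
        changed = tuple(RPM_VERIFY_MEANING[c] for c in flags if c in RPM_VERIFY_MEANING)
        entries.append(RpmVerifyEntry(path, attr=RPM_ATTR.get(attr), changed=changed))
    return entries


def parse_ls_z(text: str) -> List[FileContext]:
    """Parse 'ls -alZ' as printed by RHEL 5-era coreutils (mode owner group context name).
    A 'dir:' header line sets the directory for the relative names that follow it."""
    entries, cur_dir = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/") and line.endswith(":"):
            cur_dir = line[:-1]
            continue
        fields = line.split(None, 4)
        if len(fields) != 5 or not LS_MODE.match(fields[0]):
            continue
        mode, owner, group, ctx, name = fields
        parts = ctx.split(":", 3)     # user:role:type:level; the MLS level may itself contain ':'
        if len(parts) != 4 or name == "..":
            continue
        if name.startswith("/") or cur_dir is None:
            path = name
        else:
            path = cur_dir if name == "." else cur_dir.rstrip("/") + "/" + name
        entries.append(FileContext(path, mode, owner, group, *parts))
    return entries


# Types the targeted policy gives sshd's files, read off the unmodified entries in the thread.
EXPECTED_TYPE = {
    "/usr/sbin/sshd": "sshd_exec_t", "/etc/ssh/sshd_config": "etc_t",
    "/etc/ssh/ssh_host_key": "sshd_key_t", "/etc/ssh/ssh_host_rsa_key": "sshd_key_t",
    "/etc/ssh/ssh_host_dsa_key": "sshd_key_t",
}


def find_anomalies(contexts: List[FileContext], rpm_entries: List[RpmVerifyEntry]):
    """Return (path, reason) pairs worth a second look."""
    findings, seen = [], set()
    for c in contexts:
        if c.path in seen:
            continue                  # the same file can appear in several listings
        seen.add(c.path)
        want = EXPECTED_TYPE.get(c.path)
        if want and c.se_type != want:
            findings.append((c.path, f"type {c.se_type}, expected {want}"))
        if c.se_user != "system_u":
            # Package-installed files carry system_u; a login user's identity means the file
            # was (re)created by that user's process rather than installed or relabelled.
            findings.append((c.path, f"SELinux user {c.se_user}, not system_u"))
        if c.path.startswith("/etc/ssh/ssh_host") and c.path.endswith("_key") and c.mode != "-rw-------":
            findings.append((c.path, f"private host key mode {c.mode}"))
    for r in rpm_entries:
        if r.missing:
            findings.append((r.path, "file missing from package install"))
        elif r.changed and r.attr != "config":
            findings.append((r.path, "non-config file changed: " + ", ".join(r.changed)))
    return findings


# Constructed sample: first rpm line and all ls lines are from the thread; the other two rpm
# lines are made up here (an unchanged sshd and a modified sftp-server) to exercise the checks.
SAMPLE_RPM_VERIFY = """\
S.5....T c /etc/ssh/sshd_config
........    /usr/sbin/sshd
..5....T    /usr/libexec/openssh/sftp-server
"""
SAMPLE_LS_Z = """\
-rwxr-xr-x root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/libexec/openssh/sftp-server
/etc/ssh:
drwxr-xr-x root root system_u:object_r:etc_t:s0 .
drwxr-xr-x root root system_u:object_r:etc_t:s0 ..
-rw------- root root root:object_r:etc_t:s0 sshd_config
-rw------- root root system_u:object_r:sshd_key_t:s0 ssh_host_rsa_key
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_host_rsa_key.pub
"""

if __name__ == "__main__":
    for path, reason in find_anomalies(parse_ls_z(SAMPLE_LS_Z), parse_rpm_verify(SAMPLE_RPM_VERIFY)):
        print(f"{path}: {reason}")
```

On the thread's own data the only context finding is sshd_config carrying the SELinux user root instead of system_u, which fits the 'S.5....T c' rpm line: the file was rewritten in place, not relabelled. Run it against real output by piping 'rpm -Vv openssh-server' and 'rpm -ql openssh-server | xargs ls -alZ' into the two parsers instead of the constructed samples.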