CentOS 7- Apache | httpd – gitea

Most guides I see use nginx as the reverse proxy and Ubuntu as the OS. The one that did cover a CentOS 7 setup started out by disabling SELinux, which is a shame, since there are environments that require it; I think it's sloppy to just disable it. I will be creating one that covers nginx as well.

Step 1 – installing apache and mariadb

## installs required services 
yum -y install httpd mariadb-server
systemctl start httpd
systemctl enable httpd
systemctl start mariadb
systemctl enable mariadb

## set the MariaDB root password, remove the anonymous users and drop the test database
mysql_secure_installation

Step 2 – setting up DB

The next step is setting up the DB and a dedicated DB user for gitea (log in with mysql -u root -p). The GRANT is scoped to the gitea database only, so the account cannot touch anything else:

CREATE DATABASE gitea;
CREATE USER gitea@localhost IDENTIFIED BY '<insertDesiredPasswordHere>';
GRANT ALL PRIVILEGES ON gitea.* TO gitea@localhost IDENTIFIED BY '<insertDesiredPasswordHere>';
FLUSH PRIVILEGES;

Step 3 – install gitea

useradd -rm git
su - git
mkdir -p /home/git/gitea/{custom,data,indexers,public,log}
chmod 750 /home/git/gitea/{data,indexers,log}
cd gitea
wget -O gitea https://dl.gitea.io/gitea/1.7/gitea-1.7-linux-amd64
# before making it executable, compare sha256sum gitea with the checksum/signature published next to the binary
chmod +x gitea

Step 4 – setup gitea service and reverse proxy

cd ~/gitea
# modify as needed. If you are following this guide, no modification is required
wget https://greplog.com/scratch/gitea.service
# the following must be run as a privileged account (root).
# copy the unit instead of symlinking it: systemd follows the symlink, and a unit file
# the git user can edit lets that user set User=root or change ExecStart and get root
# on the next restart. The copy in /etc/systemd/system must be owned by root.
cp /home/git/gitea/gitea.service /etc/systemd/system/gitea.service
chown root:root /etc/systemd/system/gitea.service

systemctl daemon-reload
systemctl start gitea
systemctl status gitea
systemctl enable gitea

basic Apache reverse proxy – /etc/httpd/conf.d/devopsbeta.com.conf. Gitea itself should only listen on 127.0.0.1 (HTTP_ADDR in app.ini), or have port 3000 blocked in firewalld, so nothing can reach it without going through the proxy.

<virtualhost *:80> 
  ServerName devopsbeta.com 
  ProxyPreserveHost On 
  ProxyRequests off 
  ProxyPass / http://localhost:3000/ 
  ProxyPassReverse / http://localhost:3000/ 
</virtualhost>

seboolean for reverse proxy – HTTPD. httpd_can_network_connect lets httpd open outbound connections to any port. The narrower httpd_can_network_relay only allows proxying to ports labeled http_port_t, and 3000 is not one of them in the stock CentOS 7 policy (check with semanage port -l | grep http_port_t), so the broader boolean is used here.

# SELinux blocks httpd's outbound connection to localhost:3000 until this is set
sudo setsebool -P httpd_can_network_connect 1
systemctl restart httpd

The first time you access the site you will be able to complete the gitea configuration, including the database user and password created in Step 2.

Step 5 – Setting up certbot

yum -y install epel-release
# python2-certbot-apache provides the Apache plugin that edits the vhost and sets up the redirect
yum -y install certbot python2-certbot-apache
certbot --apache

Then follow the on-screen wizard. I suggest redirecting HTTP to HTTPS. This step only applies to a public system: Let's Encrypt has to reach the host to validate the domain, so an internal system needs a certificate from an internal CA instead.

Step 6 – Setting up fail2ban

# from epel-release
yum -y install fail2ban


# /etc/fail2ban/filter.d/gitea.conf - fail2ban's address tag is <HOST>
cat > /etc/fail2ban/filter.d/gitea.conf <<'EOF'
[Definition]
failregex = .*Failed authentication attempt for .* from <HOST>
ignoreregex =
EOF

# /etc/fail2ban/jail.d/jail.local
cat > /etc/fail2ban/jail.d/jail.local <<'EOF'
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /home/git/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
EOF

systemctl restart fail2ban
# confirm the filter matches real lines in the log
fail2ban-regex /home/git/gitea/log/gitea.log /etc/fail2ban/filter.d/gitea.conf

Because gitea sits behind Apache, check that the address in the matched lines is the real client and not 127.0.0.1. If the proxy does not pass the client address through, every failure looks like it came from the proxy and nothing useful ever gets banned.
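To make the jail's maxretry/findtime logic concrete, here is an added Python example written for this page (it is not fail2ban code and not part of Gitea). It applies the same failregex to a constructed gitea.log excerpt, bans a host only when maxretry failures fall inside one findtime window, and counts failures attributed to the loopback address, which is what you see when the reverse proxy does not pass the client address through to Gitea. The log lines, timestamps and addresses are made up, and the "date time [level] message" line layout is an assumption about the Gitea log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The jail's failregex as a real regular expression: fail2ban substitutes its
# <HOST> tag with a pattern that captures the address into a group named "host".
FAILREGEX = re.compile(r"Failed authentication attempt for .* from (?P<host>\S+)")
# Assumed Gitea line layout: lines start with "YYYY/MM/DD HH:MM:SS".
TIMESTAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

# Constructed gitea.log excerpt (made up for this example, not real log data).
# 203.0.113.5 fails three times in eight seconds, 198.51.100.7 fails three times
# spread over three hours, and one failure is logged from the loopback address,
# which is what every failure looks like when the proxy hides the client.
SAMPLE_LOG = """\
2019/03/01 10:00:01 [E] Failed authentication attempt for alice from 203.0.113.5
2019/03/01 10:00:05 [E] Failed authentication attempt for alice from 203.0.113.5
2019/03/01 10:00:09 [E] Failed authentication attempt for root from 203.0.113.5
2019/03/01 10:00:12 [I] Started GET /user/login for 198.51.100.7:51002
2019/03/01 10:00:20 [E] Failed authentication attempt for bob from 198.51.100.7
2019/03/01 11:30:00 [E] Failed authentication attempt for bob from 198.51.100.7
2019/03/01 13:00:00 [E] Failed authentication attempt for bob from 198.51.100.7
2019/03/01 13:00:30 [E] Failed authentication attempt for git from 127.0.0.1
"""


def find_failures(lines):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = TIMESTAMP.match(line)
        if not ts:
            continue
        yield datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S"), m.group("host")


def hosts_to_ban(lines, maxretry=10, findtime=3600):
    """Return {host: time_of_ban} for hosts with at least maxretry failures
    inside any findtime-second window, i.e. the jail's maxretry/findtime rule."""
    by_host = defaultdict(list)
    for ts, host in find_failures(lines):
        by_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window so times[start:end+1] all lie within findtime of t
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned[host] = t
                break
    return banned


def loopback_failures(lines):
    """Count failures attributed to the proxy itself. If this is non-zero for real
    login failures, Apache is not passing the client address to Gitea and the jail
    can never ban the right host (fail2ban ignores localhost by default)."""
    return sum(1 for _, host in find_failures(lines) if host in ("127.0.0.1", "::1"))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, when in hosts_to_ban(lines, maxretry=3, findtime=60).items():
        print(f"ban {host} at {when}")
    print("failures logged from loopback:", loopback_failures(lines))
```

With the jail's real values (maxretry 10, findtime 3600) none of the sample hosts is banned; lowering maxretry to 3 bans 203.0.113.5 on its third failure, while 198.51.100.7 only gets banned if findtime is stretched to cover its three-hour spread.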

NFS server setup

IP of nfs server: 10.0.0.200

Step 01 – enable / start nfs

systemctl enable nfs
systemctl start nfs

Step 02 – Setup share in exports

# example share called datavault that allows read/write from 10.0.0.0/24
# no_root_squash lets root on any client act as root on the export; leave it out
# (root_squash is the default) unless a client genuinely needs root on the share
echo '/datavault 10.0.0.0/24(rw,no_root_squash)' >> /etc/exports

Step 03 – Setup firewall

firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --reload

Step 04 – Setup SELinux

# set selinux to allow nfs export
setsebool -P nfs_export_all_rw 1
setsebool -P nfs_export_all_ro 1
# set selinux context for datavault
semanage fcontext -a -t public_content_rw_t  "/datavault(/.*)?"
# restore context to datavault
restorecon -Rv /datavault

Step 05 – restart nfs service and verify /datavault is viewable from another system

systemctl restart nfs 
# to check shares from linux client
showmount -e 10.0.0.200

Step 06 – mount /datavault on another system

# /etc/fstab
10.0.0.200:/datavault  /mnt     nfs defaults 0 0

RHCSA-Objective07-07: Diagnose and address routine SELinux policy violations

Checking SELinux status

# displays only the mode
getenforce
# for additional information including se policy 
sestatus     

Log file Location

SELinux denials (AVC records) are logged to /var/log/audit/audit.log; with setroubleshoot installed, human-readable summaries also go to /var/log/messages.

sealert – will give commands to use to correct the violation

yum install setroubleshoot
# installs sealert command
sealert -a /var/log/audit/audit.log

SElinux app port – TS

If a service listens on a non-standard port, SELinux also needs that port labeled with the service's port type.
Example:
semanage port -l | grep http
If the port you are using is not in the list, add it:
semanage port -a -t http_port_t -p tcp <custom port number>
(if the port already belongs to another type, use -m instead of -a to change it)

set SELinux to permissive

Set SELinux to permissive (setenforce 0) and retry the action. If it now works, SELinux was the cause; the denial is in audit.log and sealert will generate the commands to correct it. Set it back to enforcing (setenforce 1) afterwards.

create custom policy – if sealert does not provide solution

# collect the raw denials for a service into a file. audit2allow reads raw audit
# records, not sealert's report, so pull them with ausearch (-c matches the command name)
ausearch -c <service> --raw > seerror.txt

# now use audit2allow to create a policy module
# this writes mypol.te (the readable rules) and mypol.pp (the compiled module)
audit2allow -M mypol -i seerror.txt

# read mypol.te before loading it: it allows exactly what was denied, which is often
# far broader than intended. Prefer a boolean or an fcontext fix where one exists.
# Now load the policy using semodule
semodule -i mypol.pp
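To show what audit2allow is actually doing with the raw records, and why the result needs reading before it is loaded, here is an added Python example written for this page (it is not setroubleshoot or audit2allow code). It parses a constructed audit.log excerpt, splits each scontext/tcontext into the user:role:type:level fields, and collapses the denials into allow rules in the form audit2allow writes to the .te file. The audit lines, pids and inode numbers are made up. Note what the first generated rule grants: read and getattr on every user_home_t file for httpd_t, far more than the one file that was denied; the narrower fix for that case is the httpd_enable_homedirs boolean or relabeling the directory with semanage fcontext.

```python
import re
from collections import defaultdict

# Constructed /var/log/audit/audit.log excerpt (made up for this example).
# httpd is denied read/getattr on a file labeled user_home_t and write on a
# directory labeled var_lib_t; the SYSCALL record is the companion record the
# kernel writes for the same event and carries no scontext/tcontext of its own.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1551441234.101:812): avc:  denied  { read } for  pid=2031 comm="httpd" name="index.html" dev="dm-0" ino=918273 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551441234.102:813): avc:  denied  { getattr } for  pid=2031 comm="httpd" path="/home/git/www/index.html" dev="dm-0" ino=918273 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551441300.555:840): avc:  denied  { write } for  pid=2031 comm="httpd" name="cache" dev="dm-0" ino=44321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1551441300.555:840): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# Pull the denied permissions, both contexts and the object class out of an AVC record.
AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Break user:role:type:level into its four fields. The level is split off
    last because an MLS range such as s0-s0:c0.c1023 contains ':' itself."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc_denials(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "source": split_context(m.group("scontext")),
            "target": split_context(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials):
    """Collapse denials into allow rules keyed on (source type, target type, class),
    which is the shape of what audit2allow writes into the generated .te file."""
    grouped = defaultdict(set)
    for d in denials:
        key = (d["source"]["type"], d["target"]["type"], d["tclass"])
        grouped[key].update(d["perms"])
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT)):
        print(rule)
```

The rules are keyed on the type field only, which is exactly why a generated module is so broad: the policy does not know or care which file under user_home_t triggered the denial.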

RHCSA-Objective07-06: Use boolean settings to modify system SELinux settings

SELinux – Boolean – a conditional rule that allows modifications of the security policy without having to load a new policy.
E.g. to allow CGI scripts to be executed, enable httpd_enable_cgi.

Man pages:
booleans(8)
selinux(8)
getsebool(8)

## Get bool values 
getsebool -a 
semanage boolean -l # more detail 

enable or disable SELinux settings for services

# non persistent change - good for testing
setsebool httpd_enable_homedirs on

# persistent change (written to the policy store, survives a reboot)
setsebool -P httpd_enable_homedirs on

RHCSA-Objective07-05: Restore default file contexts

to restore context

 ## Restore context for a single file
`restorecon <file>`

 ## Restore context recursively (restorecon takes paths, not the (/.*)? regex used by semanage fcontext)
`restorecon -Rv <dir>`

 ## Relabel every file on the next boot
`touch /.autorelabel`

Example – setting up alt directory for httpd named /content/www

## for syntax, look at how the default web root is labeled
semanage fcontext -l | grep /var/www

## to add
semanage fcontext -a -t httpd_sys_content_t '/content/www(/.*)?'

# apply the new context to the files already there
restorecon -Rv /content/www

# to check/verify
semanage fcontext -l | grep /content/www

# to remove the context (restorecon then puts the files back to the default label)
semanage fcontext -d '/content/www(/.*)?'
restorecon -Rv /content/www

RHCSA-Objective07-04: List and identify SELinux file and process context

Every file/folder, process, port and user account on the system has an SELinux context (security context).

Each context consists of four colon-delimited fields: SELinux user, role, type, and level (the MLS/MCS sensitivity, s0 on a default CentOS 7 install).

To list file context

`ls -Z /etc/*.conf`
## output:  ##
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf

## To ID SELinux file context
# Colon delimited security context breakdown
SELinux user : SELinux role : type (the field most policy rules, e.g. httpd_sys_content_t, are written against) : level  /file/path
# user:role:type:level  /file

To list process context

ps -efZ | grep 'httpd' 

netstat -Z | head

RHCSA-Objective07-03: Set enforcing and permissive modes for SELinux

SELinux is Mandatory Access Control (MAC) enforced at the kernel level.
It provides damage control once a system is compromised by confining each service to the resources its policy allows. So if nginx is compromised, only the locations that nginx's SELinux domain has access to can be reached.

It's like an application firewall. It defines a set of rules that determine what a process can access. A context is assigned to every process, file, directory and port, and the policy decides whether a process with one context may access a resource with another.

Linux checks DAC (discretionary access control, the rwx bits) first; only if DAC permits the access is the SELinux (MAC) policy consulted, so a denial can come from either layer.

Make your life easier dealing with SELinux with the following

# install Base/CLI tools
yum -y install  setools-console setroubleshoot 

# installs GUI SElinux tools
yum install -y setools-gui policycoreutils-gui

How to check mode

getenforce – current SELinux mode
sestatus – gives the SELinux mode along with the mode specified in the config file

Set SELinux mode – non-persistent/instant change

setenforce 0 or setenforce permissive – Permissive mode – denials are logged but not blocked
setenforce 1 or setenforce enforcing – Enforcing mode – denials are blocked and logged

Set SElinux mode – persistent/Reboot required change

Modify the configuration file /etc/selinux/config

Set the SELINUX= to one of the following

## Three modes of SELinux (values are lowercase)
SELINUX=enforcing    # objects are labeled, the policy is loaded and access is denied on a violation
SELINUX=permissive   # objects are labeled and the policy is loaded, but violations are only logged
# logs are located at /var/log/audit/audit.log
SELINUX=disabled     # no objects are labeled with a security context - only the DAC layer is used.
# going from disabled back to enforcing needs a full relabel (touch /.autorelabel) as well as the reboot

A reboot is required after changing modes in the config file.

RHCSA-Objective07-01: Configure firewall settings using firewall-config, firewall-cmd, or iptables

Overview:

firewalld (driven by firewall-cmd) handles:

packet filtering (in-bound and out-bound)
port forwarding
NAT, aka masquerading (as seen in --list-all output)

netfilter is the underlying kernel framework that both iptables and firewalld program

To install with GUI manager (firewall-config)

# to install the GUI and firewalld
# firewalld is included by default with a minimal installation of CentOS
yum -y install firewalld firewall-config

#ensure it is started and enabled
systemctl enable firewalld
systemctl start firewalld

You can do this all in the GUI or the CLI. Since I'm more familiar with the CLI I will focus on that. Make sure you cover the GUI (firewall-config) in a VM if you plan to use it during the exam.

zones

### list available zones
`firewall-cmd --get-zones`

### list default zone
`firewall-cmd --get-default-zone`

### list active zones - shows which NIC is in each zone
`firewall-cmd --get-active-zones`

### shows current zone information
`firewall-cmd --list-all`

### show the resulting netfilter rules as iptables sees them
`iptables -L`

adding rules

### adds firewall rule by port
`firewall-cmd --zone=public --add-port=80/tcp --permanent`
Leave off --permanent for a runtime-only (non-persistent) change; a permanent change does not take effect until a reload.


### reloads the config - this loads the permanent configuration and discards runtime-only changes
`firewall-cmd --reload`
or
`systemctl restart firewalld`

#### verify the ports are open by scanning from another host
`nmap -sT <ipAddr>`


### adds the subnet to the zone as an accepted source (the first is runtime only, the second is permanent)
`firewall-cmd --zone=home  --add-source=192.168.1.0/24`
`firewall-cmd --zone=public --add-source=10.0.0.0/24 --permanent`

Extra Information

You can create your own service by copying one of the XML templates in:

/usr/lib/firewalld/services/

into the directory firewalld reads custom services from, then editing it and reloading:

/etc/firewalld/services

firewalld GUI

The firewalld GUI can be accessed with the following command
firewall-config

RHCSA-Objective04-06: Diagnose and correct file permission problems

cannot access a file/folder

Check: with ls -al to see if you have permissions. If you see + at the end of the permissions for the file, there is an ACL; use getfacl
Correct: with chmod, or setfacl for ACL entries

Can not delete a file

Check: sticky bit on the directory (only the file's owner, the directory's owner, or root can delete) / not root user
Correct: with chmod

Check: use lsattr (an immutable file shows the i attribute)
Correct: with chattr (chattr -i to clear it)

Can not navigate directories

Check: whether the directory has execute permission for your user, your group or world
Correct: chmod o+x /dirName – to allow everyone to browse the directory; chmod -R a+X /dirName does it recursively (capital X adds execute to directories, and to files that already have it, not to other regular files)

Can not access file/folder after file move

cp – does not preserve ACLs unless you use cp -p (or --preserve=all) – see the previous objective on copying ACLs between files
mv – does preserve ACLs

Application cannot write to a directory

Check whether it works after temporarily setting SELinux to permissive; if it does, the cause is SELinux (usually a file context or a boolean) and sealert shows the fix. Otherwise check the ownership and mode of the directory.

If you have any more you would like to add please leave a comment and I will update article.

RHCSA-Objective04-05: Create and manage Access Control Lists (ACLs)

Info about ACLs:

  • ACLs are supported on ext4 and xfs
  • Good for granting access to a file owned by another user or group
    without making the recipient a member of that group
  • You can tell a file has an ACL by the + at the end of the
    permissions when you run ls -al

To view ACLs on a file:

getfacl file1

## output ## 
# file: file1
# owner: user
# group: user
user::rw-
group::r--
other::r--

Create ACLs

# sets extended permission - user 
setfacl -m u:user2:rw file1  # -m  - modify  # u:  - nameduser

# sets extended permission - group
setfacl -m g:group2:rw file1

Viewing ACl using ls -al

# The plus sign + is used to denote acl or extended permissions
    drwxrwxr-x. 6 user user 66 Jun 28 15:59 .
    drwx------. 3 user user 95 Jun 28 15:49 ..
    -rw-rw-r--+ 1 user user  0 Jun 28 15:59 3d

getfacl 3d
## Output ##
# file: 3d
# owner: user
# group: user
user::rw-
user:user2:rw-
group::r--
mask::rw-  ### the mask caps the effective rights of named users, named groups and the owning group (owner and other are not affected); chmod on a file with an ACL changes the mask, not the group entry
other::r--

Create default ACL for folder

# sub dir and files will inherit
setfacl -d -m u:sasquatch:rwx dir1

Removes default ACL

setfacl --remove-default dir1

Remove ACL user

setfacl -x u:user1 file1

Remove ACL group

setfacl -x g:group1 file1

Recursive ACL

# -R - recursive; capital X gives execute only to directories (and files that already have it)
setfacl -R -m g:group1:rwX,u:sasquatch:rw dir1

How to copy ACL from one file to another

getfacl file1 | setfacl --set-file=- file2
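As an added example (written for this page, not part of the acl package), the following Python reads getfacl output and works out the rights each principal actually gets once the mask is applied, which is the part of the output that trips people up: a named user granted rw- while the mask is r-- can only read, and getfacl marks such entries with #effective:. The getfacl text is constructed; the file, user and group names are made up.

```python
import re

# Constructed getfacl output (made up for this example). Note the mask of r--:
# bob was granted rw- and auditors rwx, but neither will be able to write.
SAMPLE_GETFACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rw-
group::r--
group:auditors:rwx
mask::r--
other::---
"""


def parse_getfacl(text):
    """Return (owner, group, entries, defaults). Entries are (tag, qualifier, perms)
    tuples with an empty qualifier for the owner, owning-group, mask and other
    entries; default (inherited) entries of a directory are returned separately."""
    owner = group = None
    entries, defaults = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m and m.group(1) == "owner":
                owner = m.group(2)
            elif m:
                group = m.group(2)
            continue
        # getfacl appends "#effective:r--" when the mask cuts an entry down; drop it
        line = line.split("#", 1)[0].strip()
        target = entries
        if line.startswith("default:"):
            line = line[len("default:"):]
            target = defaults
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, perms))
    return owner, group, entries, defaults


def _apply_mask(perms, mask):
    """Effective rights are the bitwise AND of the entry and the mask."""
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))


def effective_permissions(text):
    """Map each principal to the rights it really gets. The mask applies to named
    users, named groups and the owning group; the owner and 'other' are unaffected."""
    owner, group, entries, _ = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    effective = {}
    for tag, qual, perms in entries:
        if tag == "user" and qual == "":
            effective[f"owner:{owner}"] = perms
        elif tag == "user":
            effective[f"user:{qual}"] = _apply_mask(perms, mask)
        elif tag == "group" and qual == "":
            effective[f"group:{group}"] = _apply_mask(perms, mask)
        elif tag == "group":
            effective[f"group:{qual}"] = _apply_mask(perms, mask)
        elif tag == "other":
            effective["other"] = perms
    return effective


def entries_cut_by_mask(text):
    """Principals whose granted rights exceed the mask, i.e. the entries getfacl
    flags with '#effective:'. A non-empty result right after a chmod usually means
    the chmod rewrote the mask rather than the group entry."""
    _, _, entries, _ = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    cut = []
    for tag, qual, perms in entries:
        if tag not in ("user", "group") or (tag == "user" and qual == ""):
            continue  # owner, mask and other are never masked
        if _apply_mask(perms, mask) != perms:
            cut.append(f"{tag}:{qual}" if qual else "owning group")
    return sorted(cut)


if __name__ == "__main__":
    for principal, rights in effective_permissions(SAMPLE_GETFACL).items():
        print(f"{principal:16} {rights}")
    print("cut by mask:", entries_cut_by_mask(SAMPLE_GETFACL))
```

Running chmod g-w on a file that carries an ACL rewrites the mask, not the group entry, which is how a named user "with rw-" silently loses write; if a setfacl -m grant does not seem to work, check the mask before anything else (setfacl -m m::rwx file raises it).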