RedHat Linux Security

RedHat Linux Security:

Security Context (SELinux label):
user:role:type:sensitivity:category — the sensitivity and category fields together form the MLS/MCS level (for example s0 or s0-s0:c0.c1023 in the listings below)
[root@rhel6server ~]# ls -Z | head
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 1
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Desktop
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Documents
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Downloads
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Music
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 nmapexclude.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 packettrace.txt
[root@rhel6server ~]#

[root@rhel6server ~]# ps -Z | head
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2987 pts/1 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2998 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3531 pts/1 00:00:00 ps
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3532 pts/1 00:00:00 head

[root@rhel6server ~]# ps -Z
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2987 pts/1 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2998 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3561 pts/1 00:00:00 ps
[root@rhel6server ~]#

To determine whether a process is confined by SELinux, check the type field of its label:
[root@rhel6server ~]# ps -ZC bash
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2682 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2711 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2954 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2998 pts/1 00:00:00 bash

To see the security context of a file:
[root@rhel6server ~]# ls -Z /var/log/messages
-rw-------. root root system_u:object_r:var_log_t:s0 /var/log/messages

[root@rhel6server ~]# ls -Zd /etc /etc/hosts
drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts
[root@rhel6server ~]#

A process whose type is unconfined_t is not restricted by SELinux (compare sshd in the listing below, which runs in the confined sshd_t domain)
[root@rhel6server ~]# ps -eZ | tail
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 2801 ? 00:00:00 dbus-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2804 ? 00:00:00 gconfd-2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2954 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2987 pts/1 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2998 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3197 ? 00:00:00 gconfd-2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3346 ? 00:00:05 gedit
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 3843 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4000 pts/1 00:00:00 ps
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4001 pts/1 00:00:00 tail
[root@rhel6server ~]#

[root@rhel6server ~]# ps Zax | tail
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2800 pts/0 S 0:00 dbus-launch --autolaunch f59387e61dbd3978bade10cd0000002d --binary-syntax --close-stderr
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 2801 ? Ssl 0:00 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2954 pts/1 Ss 0:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2987 pts/1 S 0:00 su -
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2998 pts/1 S 0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3197 ? S 0:00 /usr/libexec/gconfd-2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3346 ? S 0:06 gedit
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 3843 ? Ss 0:00 /usr/sbin/sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4017 pts/1 R+ 0:00 ps Zax
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4018 pts/1 S+ 0:00 tail
[root@rhel6server ~]#

[root@rhel6server ~]# getsebool -a | head
abrt_anon_write --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
[root@rhel6server ~]#

[root@rhel6server ~]# getenforce
Enforcing
[root@rhel6server ~]# setenforce 0
[root@rhel6server ~]# getenforce
Permissive
Note: setenforce 0 only switches the running kernel to permissive mode, in which denials are still logged to the audit log but no longer blocked; the change does not survive a reboot, and setenforce 1 returns the system to enforcing mode.

[root@rhel6server ~]# cat /var/log/audit/audit.log | head -5
type=DAEMON_START msg=audit(1500245965.007:5052): auditd start, ver=2.1 format=raw kernel=2.6.32-131.0.15.el6.i686 auid=4294967295 pid=1714 subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1500245965.158:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=USER_ACCT msg=audit(1500246001.593:5): user pid=2372 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1500246001.608:6): user pid=2372 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1500246001.617:7): pid=2372 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
[root@rhel6server ~]#

To examine the firewall rules (in the output below all three chains have policy ACCEPT and contain no rules, so no packet filtering is in effect on this host):
[root@rhel6server etc]# iptables -L -n -v
Chain INPUT (policy ACCEPT 274 packets, 34916 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 105 packets, 10658 bytes)
pkts bytes target prot opt in out source destination
[root@rhel6server etc]#