Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
file system attacks. Early in our Linux installation procedure we created a special partition,
/chroot, for this purpose.
[root@deep /]# /etc/rc.d/init.d/named stop (required only if a named daemon is already running)
Shutting down named: [ OK ]
[root@deep /]# mkdir -p /chroot/named
Next, create the remaining directories of the jail:
[root@deep /]# mkdir /chroot/named/dev
[root@deep /]# mkdir /chroot/named/lib
[root@deep /]# mkdir /chroot/named/etc
[root@deep /]# mkdir -p /chroot/named/usr/sbin
[root@deep /]# mkdir -p /chroot/named/var/run
Now, copy the main configuration file, the zone files, and the named and named-xfer programs into
their appropriate places in the chroot jail directory:
[root@deep /]# cp /etc/named.conf /chroot/named/etc/
[root@deep /]# mkdir /chroot/named/var/named
[root@deep /]# cd /var/named ; cp -a . /chroot/named/var/named/
[root@deep /]# mknod /chroot/named/dev/null c 1 3
[root@deep /]# chmod 666 /chroot/named/dev/null
[root@deep /]# cp /usr/sbin/named /chroot/named/usr/sbin/
[root@deep /]# cp /usr/sbin/named-xfer /chroot/named/usr/sbin/
IMPORTANT NOTE: On a slave server, and only on a slave server, the /chroot/named/var/named
directory and every file in it must be owned by the user the named daemon runs as (named).
Otherwise named-xfer cannot write the zones it receives and zone transfers fail. On a master
server leave the zone files owned by root, readable but not writable by named, so that a
compromised daemon cannot alter them.
· To make the named directory and all of its files owned by the named user on the slave
server, use the command:
[root@deep /]# chown -R named.named /chroot/named/var/named/
Step 4
Copy the shared libraries identified in step 1 above to the lib directory of the jail:
[root@deep /]# cp /lib/libc.so.6 /chroot/named/lib/
[root@deep /]# cp /lib/ld-linux.so.2 /chroot/named/lib/
Step 5
Copy the localtime and nsswitch.conf files to the etc directory of the jail, so that log entries
carry the correct local time zone and name-service lookups keep working inside the jail:
[root@deep /]# cp /etc/localtime /chroot/named/etc/
[root@deep /]# cp /etc/nsswitch.conf /chroot/named/etc/
Step 6
Set the immutable bit on some files under the /chroot/named/etc directory for better security:
a file with this attribute cannot be modified, deleted or renamed, even by root or by a
compromised daemon, until the attribute is cleared again.
· Set the immutable bit on the nsswitch.conf file:
[root@deep /]# cd /chroot/named/etc/
[root@deep etc]# chattr +i nsswitch.conf
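The steps above, from the jail skeleton to the immutable bit, collected into one script. This is an added example and not the book's own code; it uses only the paths the book uses, assumes ldd is available to list the libraries named links against (step 1 of the book identified them by hand), and the JAIL, NAMED_USER and SLAVE variables are hypothetical knobs. Pointing JAIL at a scratch directory lets an unprivileged user rehearse the layout; mknod, chown and chattr need root.

```shell
#!/bin/sh
# Added example: build the chroot jail for BIND's named in one pass.
# JAIL, NAMED_USER and SLAVE are assumed knobs, not from the book.
set -eu

JAIL="${JAIL:-/chroot/named}"
NAMED_USER="${NAMED_USER:-named}"
SLAVE="${SLAVE:-no}"   # yes on a slave server: named must own the zone files

# Step 3: directory skeleton for the daemon, its libraries, config and zones.
make_jail_dirs() {
    jail="$1"
    for d in dev lib etc usr/sbin var/run var/named; do
        mkdir -p "$jail/$d"
    done
}

# Step 4: copy every shared object a binary needs, as ldd reports it, to the
# same absolute path inside the jail (the loader resolves libraries by path).
copy_shared_libs() {
    bin="$1"; jail="$2"
    ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                      $1 ~ /^\//              { print $1 }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Step 3 (files): named.conf, the zone directory, both binaries and a
# /dev/null the daemon can open inside the jail.
install_named_files() {
    jail="$1"
    cp /etc/named.conf "$jail/etc/"
    (cd /var/named && cp -a . "$jail/var/named/")
    cp /usr/sbin/named /usr/sbin/named-xfer "$jail/usr/sbin/"
    [ -c "$jail/dev/null" ] || mknod "$jail/dev/null" c 1 3
    chmod 666 "$jail/dev/null"
    # Only a slave needs named to own the zone directory (named-xfer writes
    # there); on a master the root-owned zone files stay read-only for named.
    if [ "$SLAVE" = yes ]; then
        chown -R "$NAMED_USER:$NAMED_USER" "$jail/var/named"
    fi
}

# Step 5: time zone for log timestamps and nsswitch.conf for name lookups.
# Step 6: immutable bit, so a compromised daemon cannot change how names
# are resolved.
install_etc_files() {
    jail="$1"
    cp /etc/localtime /etc/nsswitch.conf "$jail/etc/"
    chattr +i "$jail/etc/nsswitch.conf"
}

# Sanity check after the build: every directory the daemon needs exists.
check_jail() {
    jail="$1"; rc=0
    for p in etc lib dev usr/sbin var/run var/named; do
        [ -d "$jail/$p" ] || { echo "missing: $jail/$p" >&2; rc=1; }
    done
    return $rc
}

build_jail() {
    jail="$1"
    make_jail_dirs "$jail"
    install_named_files "$jail"
    copy_shared_libs /usr/sbin/named "$jail"
    copy_shared_libs /usr/sbin/named-xfer "$jail"
    install_etc_files "$jail"
    check_jail "$jail"
}

# Build only when asked, so the functions can also be sourced on their own.
case "${1:-}" in
    build) build_jail "$JAIL" ;;
esac
```

Run it as root with `sh build-named-jail.sh build` on a master, or `SLAVE=yes sh build-named-jail.sh build` on a slave. Copying the libraries from ldd output rather than by hand means a later glibc update that adds a dependency will not leave the jailed named unable to start; note that ldd may execute the binary's own loader, so run it only against binaries you trust.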