Securing-Optimizing-RH-Linux-1_2_238
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 238

file system attacks. Early in our Linux installation procedure we created a special partition “/chroot” for this purpose.

[root@deep /]# /etc/rc.d/init.d/named stop   (required only if an existing named daemon is running)
Shutting down named:                                       [  OK  ]
[root@deep /]# mkdir -p /chroot/named

Next, create the rest of the directories like the following:

[root@deep /]# mkdir /chroot/named/dev
[root@deep /]# mkdir /chroot/named/lib
[root@deep /]# mkdir /chroot/named/etc
[root@deep /]# mkdir -p /chroot/named/usr/sbin
[root@deep /]# mkdir -p /chroot/named/var/run

Now, copy the main configuration file, the zone files, and the named and named-xfer programs into their appropriate places in the chroot jail directory:

[root@deep /]# cp /etc/named.conf /chroot/named/etc/
[root@deep /]# mkdir /chroot/named/var/named
[root@deep /]# cd /var/named ; cp -a . /chroot/named/var/named/
[root@deep /]# mknod /chroot/named/dev/null c 1 3
[root@deep /]# chmod 666 /chroot/named/dev/null
[root@deep /]# cp /usr/sbin/named /chroot/named/usr/sbin/
[root@deep /]# cp /usr/sbin/named-xfer /chroot/named/usr/sbin/

IMPORTANT NOTE: The owner of the “/chroot/named/var/named” directory and all files in this directory must be the “named” user that the daemon runs as, on the slave server and only on the slave server, or you will not be able to make a zone transfer.

· To make the “named” directory and all its files owned by the “named” user on the slave server, use the command:

[root@deep /]# chown -R named.named /chroot/named/var/named/

Step 4
Copy the shared libraries identified in step 1 above to the chrooted lib directory:

[root@deep /]# cp /lib/libc.so.6 /chroot/named/lib/
[root@deep /]# cp /lib/ld-linux.so.2 /chroot/named/lib/

Step 5
Copy the “localtime” and “nsswitch.conf” files to the chrooted etc directory so that log entries are adjusted properly for your local timezone:

[root@deep /]# cp /etc/localtime /chroot/named/etc/
[root@deep /]# cp /etc/nsswitch.conf /chroot/named/etc/

Step 6
We must set some files under the “/chroot/named/etc” directory with the immutable bit enabled for better security:

· Set the immutable bit on the “nsswitch.conf” file:

[root@deep /]# cd /chroot/named/etc/
[root@deep etc]# chattr +i nsswitch.conf
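The following shell function is an added audit helper, not code from the book, that checks whether a jail built by the steps above is complete before named is restarted inside it. It assumes GNU stat and lsattr as found on Red Hat; the function name check_named_jail and its optional owner argument are my own.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the book): verify that a named chroot
# jail built as described above contains every piece the daemon needs.
# Usage: check_named_jail /chroot/named [owner]   (owner defaults to "named")
# Prints one line per problem and returns 0 only when none was found.
check_named_jail() {
    jail="$1"; owner="${2:-named}"; problems=0

    # Directories created with mkdir in the steps above
    for d in dev lib etc usr/sbin var/run var/named; do
        [ -d "$jail/$d" ] || { echo "missing directory: $d"; problems=$((problems + 1)); }
    done

    # Files and binaries copied into the jail (config, timezone, nss, programs, libs)
    for f in etc/named.conf etc/localtime etc/nsswitch.conf \
             usr/sbin/named usr/sbin/named-xfer lib/libc.so.6 lib/ld-linux.so.2; do
        [ -f "$jail/$f" ] || { echo "missing file: $f"; problems=$((problems + 1)); }
    done

    # dev/null must be a character device node, mode 0666 (mknod c 1 3; chmod 666)
    if [ -c "$jail/dev/null" ]; then
        mode=$(stat -c '%a' "$jail/dev/null")          # GNU stat, as on Red Hat
        [ "$mode" = "666" ] || { echo "dev/null mode is $mode, expected 666"; problems=$((problems + 1)); }
    else
        echo "dev/null is not a character device"; problems=$((problems + 1))
    fi

    # var/named and everything below it must belong to the named user
    # (the chown -R named.named step); otherwise zone transfers fail.
    # The owner may be given as a name or a numeric uid.
    if [ -d "$jail/var/named" ]; then
        bad=$(find "$jail/var/named" -exec stat -c '%u %U %n' {} + 2>/dev/null |
              awk -v o="$owner" '$1 != o && $2 != o { print $3 }')
        [ -z "$bad" ] || { echo "not owned by $owner:"; echo "$bad"; problems=$((problems + 1)); }
    fi

    # nsswitch.conf should carry the immutable bit (chattr +i); checked only
    # where lsattr is available, since not every filesystem supports it.
    if command -v lsattr >/dev/null 2>&1 && [ -f "$jail/etc/nsswitch.conf" ]; then
        case "$(lsattr "$jail/etc/nsswitch.conf" 2>/dev/null | cut -d' ' -f1)" in
            *i*) ;;
            *)   echo "etc/nsswitch.conf lacks the immutable bit"; problems=$((problems + 1)) ;;
        esac
    fi

    echo "$problems problem(s) found"
    [ "$problems" -eq 0 ]
}
```

Run it as root after Step 6 (for example `check_named_jail /chroot/named`); a clean jail reports "0 problem(s) found".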