Différences
Ci-dessous, les différences entre deux révisions de la page.
| Les deux révisions précédentesRévision précédenteProchaine révision | Révision précédente | ||
| elearning:workbooks:centos:8:avance:l104 [2021/09/05 15:07] – admin | elearning:workbooks:centos:8:avance:l104 [2022/02/22 15:15] (Version actuelle) – created admin | ||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| ~~PDF: | ~~PDF: | ||
| + | |||
| + | Version : **2022.01** | ||
| Dernière mise-à-jour : ~~LASTMOD~~ | Dernière mise-à-jour : ~~LASTMOD~~ | ||
| - | ======LCF604 - Gestion du Réseau, le Pare-feu | + | ======LCF604 - Présentation, Installation |
| =====Contenu du Module===== | =====Contenu du Module===== | ||
| - | * **LCF604 - Gestion du Réseau, le Pare-feu | + | * **LCF604 - Présentation, Installation |
| * Contenu du Module | * Contenu du Module | ||
| * Présentation | * Présentation | ||
| - | * La Commande nmcli | + | |
| - | | + | * 1.1 - Installation des Paquets Requis |
| - | * 1.1 - Connections et Profils | + | * 1.2 - Activation et Démarrage du Service libvirtd |
| - | * 1.2 - Résolution des Noms | + | * 1.3 - Modules du Noyau |
| - | * 1.3 - Ajouter une Deuxième Adresse IP à un Profil | + | * LAB #2 - Configuration de KVM |
| - | * 1.4 - La Commande hostname | + | * 2.1 - Configuration du Pare-feu |
| - | * 1.5 - La Commande ip | + | * 2.2 - Configuration du Réseau |
| - | * 1.6 - Activer/ | + | * 2.3 - Configuration |
| - | * 1.7 - Routage Statique | + | |
| - | * La commande ip | + | |
| - | * Activer/ | + | |
| - | * LAB #2 - Diagnostique du Réseau | + | |
| - | * 2.1 - ping | + | |
| - | * 2.2 - netstat | + | |
| - | * 2.3 - traceroute | + | |
| - | * LAB #3 - Connexions à Distance | + | |
| - | * 3.1 - Telnet | + | |
| - | * 3.2 - wget | + | |
| - | * 3.3 - ftp | + | |
| - | * 3.4 - SSH | + | |
| - | * Présentation | + | |
| - | * SSH-1 | + | |
| - | * SSH-2 | + | |
| - | * Authentification par mot de passe | + | |
| - | * Authentification par clef asymétrique | + | |
| - | * Configuration du Serveur | + | |
| - | * Configuration du Client | + | |
| - | * Tunnels SSH | + | |
| - | * 3.5 - SCP | + | |
| - | * Présentation | + | |
| - | * Utilisation | + | |
| - | * 3.6 - Mise en Place des Clefs Asymétriques | + | |
| - | * LAB #4 - La Configuration de firewalld | + | |
| - | * 4.1 - Présentation | + | |
| - | * 4.2 - La Configuration de Base de firewalld | + | |
| - | * 4.3 - L' | + | |
| - | * 4.4 - La Configuration | + | |
| - | * 4.5 - Le mode Panic de firewalld | + | |
| - | * LAB #5 - L' | + | |
| - | * 5.1 - Introducton | + | |
| - | * Security Context | + | |
| - | * Domains et Types | + | |
| - | * Roles | + | |
| - | * Politiques de Sécurité | + | |
| - | * Langage des Politiques | + | |
| - | * allow | + | |
| - | * type | + | |
| - | * type_transition | + | |
| - | * Décisions de SELinux | + | |
| - | * Décisions d' | + | |
| - | * Décisions de Transition | + | |
| - | * Commandes SELinux | + | |
| - | * Les Etats de SELinux | + | |
| - | * Booléens | + | |
| - | * 5.2 - Copier et Déplacer des Fichiers | + | |
| - | * 5.3 - Vérifier les SC des Processus | + | |
| - | * 5.4 - Visualiser la SC d'un Utilisateur | + | |
| - | * 5.5 - Vérifier la SC d'un fichier | + | |
| - | * 5.6 - La commande chcon | + | |
| - | * 5.7 - La commande restorecon | + | |
| - | * 5.8 - Le fichier / | + | |
| - | * 5.9 - La commande semanage | + | |
| - | * 5.10 - La commande audit2allow | + | |
| =====Présentation===== | =====Présentation===== | ||
| - | RHEL/CentOS 8 utilise **Network Manager** pour gérer le réseau. Network Manager est composé de deux éléments : | + | ====La Virtualisation==== |
| - | | + | Le système de base hébergeant les machines virtuelles est appelé l'**hôte** tandis que les machines virtuelles sont appelées |
| - | | + | |
| - | <WRAP center round important> | + | Il existe différentes méthodes |
| - | **Important** : Notez qu' | + | |
| - | </ | + | |
| - | Le service NetworkManager doit toujours | + | * **Virtualisation au niveau du système d' |
| + | * **Description** : Les systèmes invités utilisent le même noyau et une partie du système de fichiers de l' | ||
| + | * **L' | ||
| + | * **L' | ||
| + | * **Logiciels concernés** | ||
| - | < | + | {{ :elearning:workbooks:centos:6:senior:inheritedpackageszones.png? |
| - | [root@centos8 ~]# systemctl status NetworkManager.service | + | |
| - | ● NetworkManager.service - Network Manager | + | |
| - | | + | |
| - | | + | |
| - | Docs: man:NetworkManager(8) | + | |
| - | Main PID: 1002 (NetworkManager) | + | |
| - | Tasks: 3 (limit: 23535) | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | Warning: Journal has been rotated since unit was started. Log output is incomplete or> | + | * **Paravirtualisation ou // |
| - | lines 1-11/11 (END) | + | * **Description** |
| - | [^q] | + | * **L' |
| - | </ | + | * **L' |
| + | * **Logiciels concernés** : Xen, VMWare(tm) ESX, Microsoft(tm) Hyper-V. | ||
| - | ===La Commande nmcli=== | + | {{ : |
| - | La commande | + | |
| + | * **Description** : Le programme simule du matériel virtuel qui apparaît du point de vue de l' | ||
| + | * **L' | ||
| + | * **L' | ||
| + | * **Logiciels concernés** : VMWare(tm) Fusion, VMWare(tm) Player, VMWare(tm) Server, VMWare(tm) Fusion, Parallels Desktop, Parallels Server, Sun/Oracle %%VirtualBox%%, | ||
| - | Les options et les sous-commandes peuvent être consultées en utilisant les commandes suivantes | + | {{ :elearning: |
| - | < | + | * **Paravirtualisation avec prise en charge de matériel** |
| - | [root@centos8 ~]# nmcli help | + | * **Description** : Les processeurs Intel-VT et AMD-V contiennent des instructions matérielles pour faciliter la virtualisation. Pour déterminer si le processeur dispose des fonctionnalités de virtualisation matérielles, |
| - | Usage: nmcli [OPTIONS] OBJECT { COMMAND | help } | + | * **L' |
| + | * **L' | ||
| + | * **Logiciels concernés** : Xen, KVM | ||
| - | OPTIONS | + | {{ : |
| - | | + | |
| - | -c, --colors auto|yes|no | + | |
| - | -e, --escape yes|no | + | |
| - | -f, --fields <field,...>|all|common | + | |
| - | -g, --get-values < | + | |
| - | -h, --help | + | |
| - | -m, --mode tabular|multiline | + | |
| - | -o, --overview | + | |
| - | -p, --pretty | + | |
| - | -s, --show-secrets | + | |
| - | -t, --terse | + | |
| - | -v, --version | + | |
| - | -w, --wait < | + | |
| - | OBJECT | + | ====Xen==== |
| - | g[eneral] | + | |
| - | n[etworking] | + | |
| - | r[adio] | + | |
| - | c[onnection] | + | |
| - | d[evice] | + | |
| - | a[gent] | + | |
| - | m[onitor] | + | |
| - | </ | + | |
| - | =====LAB #1 - Configuration | + | * **[[http:// |
| + | * Xen est un produit en licence GPL, | ||
| + | * Il existe des systèmes de virtualisation commerciaux à base de Xen dont le plus connu est actuellement **Citrix %%XenServer%%**, | ||
| + | * Xen est un système de virtualisation principalement destiné à la virtualisation de serveurs, | ||
| + | * Xen est un système de **paravirtualisation** qui nécessite un noyau Linux modifié, | ||
| + | * Xen ne peut pas lancé donc un système non-modifié tel Windows(tm) en mode paravirtualisation, | ||
| + | * Xen peut lancer des systèmes non modifiés dans des **HVM** ( //Hardware Virtual Machine// ) depuis sa version 3 en utilisant une partie | ||
| - | ====1.1 - Connections et Profils==== | + | ====KVM==== |
| - | NetworkManager inclus la notion de **connections** ou **profils** permettant des configurations différentes en fonction de la localisation. Pour voir les connections actuelles, utilisez la commande | + | **[[http:// |
| - | < | + | |
| - | [root@centos8 ~]# nmcli c show | + | |
| - | NAME UUID TYPE DEVICE | + | * est un projet issu de QEMU. |
| - | ens18 | + | |
| - | virbr0 | + | |
| - | </ | + | |
| - | Créez donc un profil IP fixe rattaché au périphérique | + | <WRAP center round important 60%> |
| + | Important : Le module KVM est intégré dans le noyau Linux depuis la version 2.6.20 et permet la paravirtualisation depuis le noyau **2.6.25**. | ||
| + | </ | ||
| - | < | + | **KVM** appartient à la société **Red Hat**. |
| - | [root@centos8 ~]# nmcli connection add con-name ip_fixe ifname ens18 type ethernet ip4 10.0.2.46/24 gw4 10.0.2.1 | + | |
| - | Connection ' | + | |
| - | </ | + | |
| - | Constatez sa présence | + | KVM permet de virtualiser |
| - | < | + | * Windows(tm) à partir de Windows(tm) 2000, |
| - | [root@centos8 ~]# nmcli c show | + | * Toutes les distributions Linux, |
| - | NAME | + | * La majorité des Unix BSD, |
| - | ens18 fc4a4d23-b15e-47a7-bcfa-b2e08f49553e | + | |
| - | virbr0 | + | |
| - | ip_fixe | + | |
| - | </ | + | |
| - | Notez que la sortie n' | + | KVM offre un support du matériel suivant |
| - | < | + | * USB, |
| - | [root@centos8 ~]# nmcli d show | + | * Ethernet, |
| - | GENERAL.DEVICE: | + | * PCI Hotplug, |
| - | GENERAL.TYPE: | + | * Carte Son, |
| - | GENERAL.HWADDR: | + | * **Virtuo** - un périphérique disque paravirtualisé. |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | Les avantages de KVM par rapport à Xen sont : |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | WIRED-PROPERTIES.CARRIER: | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: | + | |
| - | IP4.ROUTE[2]: | + | |
| - | IP4.DNS[1]: | + | |
| - | IP6.ADDRESS[1]: | + | |
| - | IP6.GATEWAY: -- | + | |
| - | IP6.ROUTE[1]: | + | |
| - | IP6.ROUTE[2]: | + | |
| - | GENERAL.DEVICE: | + | * l’utilisation de noyaux non-modifiés au niveaux des invités, |
| - | GENERAL.TYPE: | + | * l' |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: / | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: | + | |
| - | IP6.GATEWAY: | + | |
| - | GENERAL.DEVICE: | + | =====LAB #1 - Installation de KVM===== |
| - | GENERAL.TYPE: | + | |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP6.ADDRESS[1]: | + | |
| - | IP6.GATEWAY: | + | |
| - | IP6.ROUTE[1]: | + | |
| - | GENERAL.DEVICE: | + | ====1.1 - Installation des Paquets Requis==== |
| - | GENERAL.TYPE: | + | |
| - | GENERAL.HWADDR: | + | Avant d' |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | < |
| - | GENERAL.CONNECTION: -- | + | [root@centos8 ~]# egrep '(vmx|svm)' / |
| - | GENERAL.CON-PATH: | + | 8 |
| - | lines 28-50/ | + | |
| - | [q] | + | |
| </ | </ | ||
| - | Pour activer le profil ip_fixe, utilisez | + | La majorité des paquets necéssaires pour la virtualisation sous KVM ont été regroupés dans un **module** dénommé **virt**. Il convient donc de l' |
| - | < | + | < |
| - | [root@centos8 ~]# nmcli connection up ip_fixe | + | [root@centos8 ~]# dnf module install virt -y |
| + | </ | ||
| + | |||
| + | Si vous souhaitez utiliser l' | ||
| + | < | ||
| + | [root@centos8 ~]# dnf install virt-install virt-viewer -y | ||
| </ | </ | ||
| - | Notez que votre terminal | + | Le paquet **bridge-utils** |
| < | < | ||
| - | root@compute10:~# ssh -l trainee 10.0.2.46 | + | [root@centos8 |
| - | The authenticity of host ' | + | [root@centos8 ~]# dnf install bridge-utils -y |
| - | ECDSA key fingerprint is SHA256: | + | </ |
| - | Are you sure you want to continue connecting (yes/no)? yes | + | |
| - | Warning: Permanently added ' | + | |
| - | trainee@10.0.2.46' | + | |
| - | Activate the web console with: systemctl enable | + | |
| - | Last login: Sun Aug 29 00:31:15 2021 from 10.0.2.1 | + | Dernièrement, |
| - | [trainee@centos8 ~]$ su - | + | |
| - | Password: fenestros | + | |
| - | [root@centos8 ~]# | + | |
| - | </ | + | |
| - | Le profil ip_fixe est maintenant activé tandis que le profil enp0s3 a été désactivé : | + | < |
| + | [root@centos8 ~]# dnf install virt-top libguestfs-tools -y | ||
| + | </ | ||
| - | < | + | ====1.2 - Activation et Démarrage du Service libvirtd==== |
| - | [root@centos8 ~]# nmcli c show | + | |
| - | NAME | + | |
| - | ip_fixe | + | |
| - | virbr0 | + | |
| - | ens18 fc4a4d23-b15e-47a7-bcfa-b2e08f49553e | + | |
| - | + | ||
| - | [root@centos8 ~]# nmcli d show | + | |
| - | GENERAL.DEVICE: | + | |
| - | GENERAL.TYPE: | + | |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | WIRED-PROPERTIES.CARRIER: | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: | + | |
| - | IP4.ROUTE[2]: | + | |
| - | IP6.ADDRESS[1]: | + | |
| - | IP6.GATEWAY: | + | |
| - | IP6.ROUTE[1]: | + | |
| - | IP6.ROUTE[2]: | + | |
| - | + | ||
| - | GENERAL.DEVICE: | + | |
| - | GENERAL.TYPE: | + | |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: | + | |
| - | IP6.GATEWAY: | + | |
| - | GENERAL.DEVICE: | + | Activez et démarrez le service **libvirtd** pour démarrer KVM. Notez l' |
| - | GENERAL.TYPE: | + | |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP6.ADDRESS[1]: | + | |
| - | IP6.GATEWAY: | + | |
| - | IP6.ROUTE[1]: | + | |
| - | GENERAL.DEVICE: | + | < |
| - | GENERAL.TYPE: | + | [root@centos8 ~]# systemctl enable |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | lines 27-49/49 (END) | + | |
| - | [q] | + | |
| </ | </ | ||
| - | Pour consulter les paramètres | + | Vérifiez le statut |
| < | < | ||
| - | [root@centos8 ~]# nmcli -p connection show ens18 | + | [root@centos8 ~]# systemctl status libvirtd |
| - | =============================================================================== | + | ● libvirtd.service |
| - | Connection profile details (ens18) | + | Loaded: loaded (/ |
| - | =============================================================================== | + | Active: active |
| - | connection.id: ens18 | + | Docs: man:libvirtd(8) |
| - | connection.uuid: | + | https://libvirt.org |
| - | connection.stable-id: -- | + | Main PID: 7502 (libvirtd) |
| - | connection.type: | + | Tasks: 19 (limit: 32768) |
| - | connection.interface-name: | + | Memory: 49.3M |
| - | connection.autoconnect: | + | CGroup: /system.slice/ |
| - | connection.autoconnect-priority: | + | ├─1942 / |
| - | connection.autoconnect-retries: | + | ├─1943 / |
| - | connection.multi-connect: 0 (default) | + | └─7502 / |
| - | connection.auth-retries: | + | |
| - | connection.timestamp: 1630224060 | + | Sep 01 10:19:05 centos8.ittraining.loc |
| - | connection.read-only: no | + | Sep 01 10:19:05 centos8.ittraining.loc systemd[1]: Started Virtualization daemon. |
| - | connection.permissions: -- | + | Sep 01 10:19:06 centos8.ittraining.loc dnsmasq[1942]: read / |
| - | connection.zone: -- | + | Sep 01 10:19:06 centos8.ittraining.loc dnsmasq[1942]: read / |
| - | connection.master: | + | Sep 01 10:19:06 centos8.ittraining.loc dnsmasq-dhcp[1942]: read / |
| - | connection.slave-type: | + | |
| - | connection.autoconnect-slaves: | + | |
| - | connection.secondaries: -- | + | |
| - | connection.gateway-ping-timeout: | + | |
| - | connection.metered: unknown | + | |
| - | connection.lldp: | + | |
| - | connection.mdns: | + | |
| - | connection.llmnr: -1 (default) | + | |
| - | connection.wait-device-timeout: -1 | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | 802-3-ethernet.port: -- | + | |
| - | 802-3-ethernet.speed: 0 | + | |
| - | 802-3-ethernet.duplex: | + | |
| - | 802-3-ethernet.auto-negotiate: | + | |
| - | 802-3-ethernet.mac-address: | + | |
| - | 802-3-ethernet.cloned-mac-address: | + | |
| - | 802-3-ethernet.generate-mac-address-mask: | + | |
| - | 802-3-ethernet.mac-address-blacklist: | + | |
| - | 802-3-ethernet.mtu: | + | |
| - | 802-3-ethernet.s390-subchannels: | + | |
| - | 802-3-ethernet.s390-nettype: | + | |
| - | 802-3-ethernet.s390-options: | + | |
| - | 802-3-ethernet.wake-on-lan: | + | |
| - | 802-3-ethernet.wake-on-lan-password: -- | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | ipv4.method: | + | |
| - | ipv4.dns: | + | |
| - | ipv4.dns-search: | + | |
| - | ipv4.dns-options: -- | + | |
| - | ipv4.dns-priority: | + | |
| - | ipv4.addresses: | + | |
| - | ipv4.gateway: | + | |
| - | ipv4.routes: -- | + | |
| - | ipv4.route-metric: -1 | + | |
| - | ipv4.route-table: | + | |
| - | ipv4.routing-rules: | + | |
| - | ipv4.ignore-auto-routes: | + | |
| - | ipv4.ignore-auto-dns: | + | |
| - | ipv4.dhcp-client-id: | + | |
| - | ipv4.dhcp-iaid: | + | |
| - | ipv4.dhcp-timeout: | + | |
| - | ipv4.dhcp-send-hostname: | + | |
| - | ipv4.dhcp-hostname: | + | |
| - | ipv4.dhcp-fqdn: | + | |
| - | ipv4.dhcp-hostname-flags: | + | |
| - | ipv4.never-default: | + | |
| - | ipv4.may-fail: | + | |
| - | ipv4.dad-timeout: | + | |
| - | ipv4.dhcp-vendor-class-identifier: -- | + | |
| - | ipv4.dhcp-reject-servers: | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | ipv6.method: | + | |
| - | ipv6.dns: -- | + | |
| - | ipv6.dns-search: | + | |
| - | ipv6.dns-options: | + | |
| - | ipv6.dns-priority: | + | |
| - | ipv6.addresses: -- | + | |
| - | ipv6.gateway: -- | + | |
| - | ipv6.routes: -- | + | |
| - | ipv6.route-metric: | + | |
| - | ipv6.route-table: 0 (unspec) | + | |
| - | ipv6.routing-rules: | + | |
| - | ipv6.ignore-auto-routes: | + | |
| - | ipv6.ignore-auto-dns: | + | |
| - | ipv6.never-default: no | + | |
| - | ipv6.may-fail: yes | + | |
| - | ipv6.ip6-privacy: | + | |
| - | ipv6.addr-gen-mode: stable-privacy | + | |
| - | ipv6.ra-timeout: 0 (default) | + | |
| - | ipv6.dhcp-duid: | + | |
| - | ipv6.dhcp-iaid: -- | + | |
| - | ipv6.dhcp-timeout: 0 (default) | + | |
| - | ipv6.dhcp-send-hostname: | + | |
| - | ipv6.dhcp-hostname: | + | |
| - | ipv6.dhcp-hostname-flags: | + | |
| - | ipv6.token: | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | proxy.method: | + | |
| - | proxy.browser-only: | + | |
| - | proxy.pac-url: | + | |
| - | proxy.pac-script: | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | lines 56-100/100 (END) | + | |
| - | [q] | + | |
| </ | </ | ||
| - | De même, pour consulter les paramètres | + | ====1.3 - Modules |
| + | |||
| + | Votre VM présente aux système hôte un processeur de type Intel(tm). Pour que KVM puisse fonctionner dans cet environnement il a besoin que deux modules soient chargés : | ||
| + | |||
| + | | ||
| + | * **kvm-intel** | ||
| + | |||
| + | Vérifiez donc le bon chargement des modules concernés | ||
| < | < | ||
| - | [root@centos8 ~]# nmcli -p connection show ip_fixe | + | [root@centos8 ~]# modinfo kvm |
| - | =============================================================================== | + | filename: / |
| - | | + | license: |
| - | =============================================================================== | + | author: Qumranet |
| - | connection.id: | + | rhelversion: 8.4 |
| - | connection.uuid: 0f48c74d-5d16-4c37-8220-24644507b589 | + | srcversion: 0B52FB25C4DD9865FC4FABA |
| - | connection.stable-id: -- | + | depends: |
| - | connection.type: 802-3-ethernet | + | intree: Y |
| - | connection.interface-name: | + | name: kvm |
| - | connection.autoconnect: | + | vermagic: 4.18.0-305.7.1.el8.i2tch.x86_64 SMP mod_unload modversions |
| - | connection.autoconnect-priority: | + | sig_id: PKCS#7 |
| - | connection.autoconnect-retries: -1 (default) | + | signer: CentOS kernel signing key |
| - | connection.multi-connect: 0 (default) | + | sig_key: 38:77:B1:DF:46:4F: |
| - | connection.auth-retries: | + | sig_hashalgo: sha256 |
| - | connection.timestamp: 1630224329 | + | signature: 24:2A:F9:57:2C: |
| - | connection.read-only: no | + | |
| - | connection.permissions: -- | + | |
| - | connection.zone: -- | + | |
| - | connection.master: -- | + | |
| - | connection.slave-type: | + | BD:34:10: |
| - | connection.autoconnect-slaves: | + | |
| - | connection.secondaries: | + | |
| - | connection.gateway-ping-timeout: | + | CD:3D:F7: |
| - | connection.metered: | + | |
| - | connection.lldp: default | + | |
| - | connection.mdns: -1 (default) | + | |
| - | connection.llmnr: -1 (default) | + | |
| - | connection.wait-device-timeout: -1 | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | 802-3-ethernet.port: -- | + | |
| - | 802-3-ethernet.speed: 0 | + | |
| - | 802-3-ethernet.duplex: -- | + | |
| - | 802-3-ethernet.auto-negotiate: no | + | |
| - | 802-3-ethernet.mac-address: -- | + | |
| - | 802-3-ethernet.cloned-mac-address: -- | + | parm: tdp_mmu: |
| - | 802-3-ethernet.generate-mac-address-mask:-- | + | parm: nx_huge_pages: |
| - | 802-3-ethernet.mac-address-blacklist: -- | + | parm: |
| - | 802-3-ethernet.mtu: auto | + | parm: flush_on_reuse: |
| - | 802-3-ethernet.s390-subchannels: -- | + | parm: ignore_msrs: |
| - | 802-3-ethernet.s390-nettype: -- | + | parm: |
| - | 802-3-ethernet.s390-options: -- | + | parm: |
| - | 802-3-ethernet.wake-on-lan: default | + | parm: kvmclock_periodic_sync: |
| - | 802-3-ethernet.wake-on-lan-password: -- | + | parm: tsc_tolerance_ppm:uint |
| - | ------------------------------------------------------------------------------- | + | parm: lapic_timer_advance_ns: |
| - | ipv4.method: | + | parm: vector_hashing:bool |
| - | ipv4.dns: -- | + | parm: enable_vmware_backdoor:bool |
| - | ipv4.dns-search: -- | + | parm: force_emulation_prefix:bool |
| - | ipv4.dns-options: -- | + | parm: pi_inject_timer: |
| - | ipv4.dns-priority: 0 | + | parm: halt_poll_ns:uint |
| - | ipv4.addresses: | + | parm: halt_poll_ns_grow:uint |
| - | ipv4.gateway: 10.0.2.1 | + | parm: halt_poll_ns_grow_start:uint |
| - | ipv4.routes: -- | + | parm: halt_poll_ns_shrink:uint |
| - | ipv4.route-metric: -1 | + | |
| - | ipv4.route-table: 0 (unspec) | + | |
| - | ipv4.routing-rules: -- | + | |
| - | ipv4.ignore-auto-routes: no | + | |
| - | ipv4.ignore-auto-dns: no | + | |
| - | ipv4.dhcp-client-id: -- | + | |
| - | ipv4.dhcp-iaid: -- | + | |
| - | ipv4.dhcp-timeout: 0 (default) | + | |
| - | ipv4.dhcp-send-hostname: | + | |
| - | ipv4.dhcp-hostname: -- | + | |
| - | ipv4.dhcp-fqdn: -- | + | |
| - | ipv4.dhcp-hostname-flags: 0x0 (none) | + | |
| - | ipv4.never-default: no | + | |
| - | ipv4.may-fail: yes | + | |
| - | ipv4.dad-timeout: -1 (default) | + | |
| - | ipv4.dhcp-vendor-class-identifier: -- | + | |
| - | ipv4.dhcp-reject-servers: -- | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | ipv6.method: | + | |
| - | ipv6.dns: -- | + | |
| - | ipv6.dns-search: -- | + | |
| - | ipv6.dns-options: -- | + | |
| - | ipv6.dns-priority: 0 | + | |
| - | ipv6.addresses: -- | + | |
| - | ipv6.gateway: -- | + | |
| - | ipv6.routes: -- | + | |
| - | ipv6.route-metric: -1 | + | |
| - | ipv6.route-table: 0 (unspec) | + | |
| - | ipv6.routing-rules: -- | + | |
| - | ipv6.ignore-auto-routes: | + | |
| - | ipv6.ignore-auto-dns: no | + | |
| - | ipv6.never-default: no | + | |
| - | ipv6.may-fail: yes | + | |
| - | ipv6.ip6-privacy: -1 (unknown) | + | |
| - | ipv6.addr-gen-mode: stable-privacy | + | |
| - | ipv6.ra-timeout: 0 (default) | + | |
| - | ipv6.dhcp-duid: -- | + | |
| - | ipv6.dhcp-iaid: -- | + | |
| - | ipv6.dhcp-timeout: 0 (default) | + | |
| - | ipv6.dhcp-send-hostname: yes | + | |
| - | ipv6.dhcp-hostname: -- | + | |
| - | ipv6.dhcp-hostname-flags: 0x0 (none) | + | |
| - | ipv6.token: -- | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | proxy.method: none | + | |
| - | proxy.browser-only: no | + | |
| - | proxy.pac-url: -- | + | |
| - | proxy.pac-script: -- | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | =============================================================================== | + | |
| - | Activate connection details (0f48c74d-5d16-4c37-8220-24644507b589) | + | |
| - | =============================================================================== | + | |
| - | GENERAL.NAME: ip_fixe | + | |
| - | GENERAL.UUID: 0f48c74d-5d16-4c37-8220-24644507b589 | + | |
| - | GENERAL.DEVICES: ens18 | + | |
| - | GENERAL.IP-IFACE: ens18 | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.DEFAULT: yes | + | |
| - | GENERAL.DEFAULT6: no | + | |
| - | GENERAL.SPEC-OBJECT: -- | + | |
| - | GENERAL.VPN: no | + | |
| - | GENERAL.DBUS-PATH: / | + | |
| - | GENERAL.CON-PATH: / | + | |
| - | GENERAL.ZONE: -- | + | |
| - | GENERAL.MASTER-PATH: -- | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | IP4.ADDRESS[1]: 10.0.2.46/ | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: dst = 10.0.2.0/ | + | |
| - | IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 10.0.2.1, mt = 100 | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | IP6.ADDRESS[1]: fe80::5223:aee1:998e:9f27/64 | + | |
| - | IP6.GATEWAY: -- | + | |
| - | IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 100 | + | |
| - | IP6.ROUTE[2]: dst = ff00::/8, nh = ::, mt = 256, table=255 | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | lines 83-127/127 (END) | + | |
| - | [q] | + | |
| </ | </ | ||
| - | |||
| - | Pour consulter la liste profils associés à un périphérique, | ||
| < | < | ||
| - | [root@centos8 ~]# nmcli -f CONNECTIONS device show ens18 | + | [root@centos8 ~]# modinfo kvm_intel |
| - | CONNECTIONS.AVAILABLE-CONNECTION-PATHS: /org/freedesktop/ | + | filename: |
| - | CONNECTIONS.AVAILABLE-CONNECTIONS[1]: fc4a4d23-b15e-47a7-bcfa-b2e08f49553e | ens18 | + | license: |
| - | CONNECTIONS.AVAILABLE-CONNECTIONS[2]: 0f48c74d-5d16-4c37-8220-24644507b589 | ip_fixe | + | author: |
| + | rhelversion: | ||
| + | srcversion: | ||
| + | alias: | ||
| + | depends: | ||
| + | intree: | ||
| + | name: | ||
| + | vermagic: | ||
| + | sig_id: PKCS#7 | ||
| + | signer: | ||
| + | sig_key: | ||
| + | sig_hashalgo: sha256 | ||
| + | signature: | ||
| + | 11: | ||
| + | 91: | ||
| + | BB: | ||
| + | E4: | ||
| + | 2B: | ||
| + | 56: | ||
| + | 3B: | ||
| + | 6C: | ||
| + | 51: | ||
| + | D0: | ||
| + | 25: | ||
| + | 97: | ||
| + | 7D: | ||
| + | AC: | ||
| + | 2E: | ||
| + | 8D: | ||
| + | D7: | ||
| + | A3: | ||
| + | E6: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| + | parm: | ||
| </ | </ | ||
| - | Les fichiers | + | =====LAB #2 - Configuration |
| + | |||
| + | ====2.1 - Configuration du Pare-feu==== | ||
| + | |||
| + | Si vous souhaitez vous connecter aux machines virtuelles créées sous KVM en utilisant | ||
| < | < | ||
| - | [root@centos8 ~]# ls -l / | + | [root@centos8 ~]# firewall-cmd --permanent |
| - | -rw-r--r--. 1 root root 417 Jun 16 06:39 ifcfg-ens18 | + | success |
| - | -rw-r--r--. 1 root root 326 Aug 29 03:58 ifcfg-ip_fixe | + | |
| + | [root@centos8 ~]# firewall-cmd --reload | ||
| + | success | ||
| </ | </ | ||
| - | ====1.2 - Résolution | + | ====2.2 - Configuration du Réseau |
| - | L'étude du fichier | + | Lors de l'installation de KVM un pont a été créé ayant le nom **virbr0** et l' |
| + | |||
| + | * La plage des adresses IP disponible pour les machines virtuelles KVM va de **192.168.122.2/24** à **192.168.122.254/24**, | ||
| + | * Ce pont met en place une connectivité | ||
| + | * Une interface réseau fictive, **virbr0-nic** et appelée une esclave, a été ajoutée à ce pont principalement pour fournir une adresse MAC stable, | ||
| + | * Normalement au fur et au mesure que d' | ||
| + | |||
| + | Les configurations ci-dessus peuvent être visualisées grâce à la commande **ip a ** : | ||
| < | < | ||
| - | [root@centos8 ~]# cat / | + | [root@centos8 ~]# ip a |
| - | TYPE=Ethernet | + | ... |
| - | PROXY_METHOD=none | + | 4: virbr0: < |
| - | BROWSER_ONLY=no | + | |
| - | BOOTPROTO=none | + | inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 |
| - | IPADDR=10.0.2.46 | + | valid_lft forever preferred_lft forever |
| - | PREFIX=24 | + | 5: virbr0-nic: < |
| - | GATEWAY=10.0.2.1 | + | |
| - | DEFROUTE=yes | + | |
| - | IPV4_FAILURE_FATAL=no | + | |
| - | IPV6INIT=yes | + | |
| - | IPV6_AUTOCONF=yes | + | |
| - | IPV6_DEFROUTE=yes | + | |
| - | IPV6_FAILURE_FATAL=no | + | |
| - | IPV6_ADDR_GEN_MODE=stable-privacy | + | |
| - | NAME=ip_fixe | + | |
| - | UUID=0f48c74d-5d16-4c37-8220-24644507b589 | + | |
| - | DEVICE=ens18 | + | |
| - | ONBOOT=yes | + | |
| </ | </ | ||
| + | | ||
| + | Dans le cas où on ne souhaite pas ou on ne peut pas utiliser le pont créé par défaut, il convient de créer un autre pont. Dans notre cas, l' | ||
| - | La résolution des noms est donc inactive | + | < |
| + | [root@centos8 ~]# ip a show ens19 | ||
| + | 3: ens19: < | ||
| + | link/ether 46: | ||
| + | </ | ||
| + | |||
| + | Elle n'est pas visible dans la sortie de la commande **nmcli c show** : | ||
| + | |||
| + | < | ||
| + | [root@centos8 ~]# nmcli c show | ||
| + | NAME | ||
| + | ip_fixe | ||
| + | virbr0 | ||
| + | ens18 fc4a4d23-b15e-47a7-bcfa-b2e08f49553e | ||
| + | </ | ||
| + | |||
| + | Créez | ||
| < | < | ||
| - | [root@centos8 ~]# ping www.free.fr | + | [root@centos8 ~]# nmcli connection add con-name ip_kvm ifname ens19 type ethernet ip4 192.168.56.2/24 gw4 192.168.56.1 |
| - | ping: www.free.fr: Name or service not known | + | Connection ' |
| + | [root@centos8 ~]# nmcli c show | ||
| + | NAME | ||
| + | ip_fixe | ||
| + | ip_kvm | ||
| + | virbr0 | ||
| + | ens18 fc4a4d23-b15e-47a7-bcfa-b2e08f49553e | ||
| </ | </ | ||
| - | Modifiez donc la configuration du profil | + | Utilisez |
| < | < | ||
| - | [root@centos8 ~]# nmcli connection mod ip_fixe ipv4.dns 8.8.8.8 | + | [root@centos8 ~]# ip a show ens19 |
| + | 3: ens19: < | ||
| + | link/ether 46: | ||
| + | inet 192.168.56.2/24 brd 192.168.56.255 scope global noprefixroute ens19 | ||
| + | | ||
| + | inet6 fe80:: | ||
| + | | ||
| </ | </ | ||
| - | L' | + | Notez que cette configuration a été stockée dans le fichier **/ |
| < | < | ||
| - | [root@centos8 ~]# cat / | + | [root@centos8 ~]# cat / |
| TYPE=Ethernet | TYPE=Ethernet | ||
| PROXY_METHOD=none | PROXY_METHOD=none | ||
| BROWSER_ONLY=no | BROWSER_ONLY=no | ||
| BOOTPROTO=none | BOOTPROTO=none | ||
| - | IPADDR=10.0.2.46 | + | IPADDR=192.168.56.2 |
| PREFIX=24 | PREFIX=24 | ||
| - | GATEWAY=10.0.2.1 | + | GATEWAY=192.168.56.1 |
| DEFROUTE=yes | DEFROUTE=yes | ||
| IPV4_FAILURE_FATAL=no | IPV4_FAILURE_FATAL=no | ||
| Ligne 631: | Ligne 397: | ||
| IPV6_FAILURE_FATAL=no | IPV6_FAILURE_FATAL=no | ||
| IPV6_ADDR_GEN_MODE=stable-privacy | IPV6_ADDR_GEN_MODE=stable-privacy | ||
| - | NAME=ip_fixe | + | NAME=ip_kvm |
| - | UUID=0f48c74d-5d16-4c37-8220-24644507b589 | + | UUID=afc8b175-f2cb-47b2-baca-66454058c36f |
| - | DEVICE=ens18 | + | DEVICE=ens19 |
| ONBOOT=yes | ONBOOT=yes | ||
| - | DNS1=8.8.8.8 | ||
| </ | </ | ||
| - | Afin que la modification du serveur DNS soit prise en compte, re-démarrez le service NetworkManager | + | Vérifiez maintenant |
| < | < | ||
| - | root@centos8 ~]# systemctl restart NetworkManager.service | + | [root@centos8 ~]# ping 192.168.56.1 |
| - | [root@centos8 ~]# systemctl status NetworkManager.service | + | PING 192.168.56.1 (192.168.56.1) 56(84) bytes of data. |
| - | ● NetworkManager.service - Network Manager | + | 64 bytes from 192.168.56.1: icmp_seq=1 ttl=64 time=14.6 ms |
| - | | + | 64 bytes from 192.168.56.1: icmp_seq=2 ttl=64 time=0.209 ms |
| - | Active: active (running) since Sun 2021-08-29 04:15:11 EDT; 8s ago | + | 64 bytes from 192.168.56.1: icmp_seq=3 ttl=64 time=0.160 ms |
| - | Docs: man: | + | ^C |
| - | Main PID: 973390 (NetworkManager) | + | --- 192.168.56.1 ping statistics --- |
| - | Tasks: 4 (limit: 23535) | + | 3 packets transmitted, 3 received, 0% packet loss, time 2002ms |
| - | | + | rtt min/ |
| - | | + | |
| - | | + | |
| - | + | ||
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: < | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | Aug 29 04:15:12 centos8.ittraining.loc NetworkManager[973390]: | + | |
| - | lines 1-20/20 (END) | + | |
| - | [q] | + | |
| </ | </ | ||
| - | Vérifiez que le fichier **/etc/resolv.conf** ait été modifié par NetworkManager | + | Pour pouvoir gérer l' |
| < | < | ||
| - | [root@centos8 ~]# cat /etc/resolv.conf | + | [root@centos8 ~]# vi /etc/sysconfig/ |
| - | # Generated by NetworkManager | + | [root@centos8 ~]# cat / |
| - | search ittraining.loc | + | TYPE=Ethernet |
| - | nameserver 8.8.8.8 | + | BOOTPROTO=none |
| + | NAME=ip_kvm | ||
| + | UUID=afc8b175-f2cb-47b2-baca-66454058c36f | ||
| + | DEVICE=ens19 | ||
| + | ONBOOT=yes | ||
| + | BRIDGE=virbr0 | ||
| </ | </ | ||
| - | Dernièrement vérifiez la resolution des noms : | + | Pour créer le pont, il convient de créer le fichier **/ |
| < | < | ||
| - | [root@centos8 ~]# ping www.free.fr | + | [root@centos8 ~]# ls -l / |
| - | PING www.free.fr (212.27.48.10) 56(84) bytes of data. | + | ls: cannot access '/ |
| - | 64 bytes from www.free.fr (212.27.48.10): | + | |
| - | 64 bytes from www.free.fr (212.27.48.10): | + | [root@centos8 ~]# vi / |
| - | 64 bytes from www.free.fr (212.27.48.10): | + | [root@centos8 ~]# cat / |
| - | 64 bytes from www.free.fr (212.27.48.10): | + | TYPE=BRIDGE |
| - | ^C | + | DEVICE=virbr0 |
| - | --- www.free.fr ping statistics --- | + | BOOTPROTO=non |
| - | 4 packets transmitted, | + | ONBOOT=yes |
| - | rtt min/ | + | IPADDR=192.168.56.2 |
| + | NETMASK=255.255.255.0 | ||
| + | GATEWAY=192.168.56.1 | ||
| </ | </ | ||
| - | <WRAP center round important> | + | <WRAP center round important |
| - | **Important** : Notez qu'il existe un front-end graphique en mode texte, **nmtui**, pour configurer NetworkManager. | + | **Important** : Notez que le nom du pont est identique au pont existant. Ceci n'a pas d' |
| </ | </ | ||
| - | ====1.3 - Ajouter une Deuxième Adresse IP à un Profil==== | + | Pour que la configuration puisse fonctionner, il est necéssaire |
| - | + | ||
| - | Pour ajouter une deuxième adresse IP à un profil sous RHEL/CentOS 8, il convient | + | |
| < | < | ||
| - | [root@centos8 ~]# nmcli connection mod ip_fixe +ipv4.addresses 192.168.1.2/24 | + | [root@centos8 ~]# echo net.ipv4.ip_forward = 1 >> / |
| + | [root@centos8 ~]# cat / | ||
| + | # The kernel allocates aio memory on demand, and this number limits the | ||
| + | # number of parallel aio requests; the only drawback of a larger limit is | ||
| + | # that a malicious guest could issue parallel requests to cause the kernel | ||
| + | # to set aside memory. | ||
| + | # 128 * (number of virtual disks on the host) | ||
| + | # Libvirt uses a default of 1M requests to allow 8k disks, with at most | ||
| + | # 64M of kernel memory if all disks hit an aio request at the same time. | ||
| + | fs.aio-max-nr = 1048576 | ||
| + | net.ipv4.ip_forward = 1 | ||
| </ | </ | ||
| - | Rechargez | + | En utilisant |
| < | < | ||
| - | [root@centos8 ~]# nmcli con up ip_fixe | + | [root@centos8 ~]# / |
| + | fs.aio-max-nr = 1048576 | ||
| + | net.ipv4.ip_forward = 1 | ||
| </ | </ | ||
| - | Saisissez ensuite la commande suivante | + | Dernièrement, |
| < | < | ||
| - | [root@centos8 ~]# nmcli connection show ip_fixe | + | [root@centos8 ~]# firewall-cmd --permanent |
| - | connection.id: | + | success |
| - | connection.uuid: | + | [root@centos8 ~]# firewall-cmd --permanent |
| - | connection.stable-id: -- | + | success |
| - | connection.type: | + | |
| - | connection.interface-name: | + | |
| - | connection.autoconnect: | + | |
| - | connection.autoconnect-priority: | + | |
| - | connection.autoconnect-retries: | + | |
| - | connection.multi-connect: | + | |
| - | connection.auth-retries: | + | |
| - | connection.timestamp: | + | |
| - | connection.read-only: | + | |
| - | connection.permissions: | + | |
| - | connection.zone: | + | |
| - | connection.master: | + | |
| - | connection.slave-type: | + | |
| - | connection.autoconnect-slaves: | + | |
| - | connection.secondaries: | + | |
| - | connection.gateway-ping-timeout: | + | |
| - | connection.metered: | + | |
| - | connection.lldp: | + | |
| - | connection.mdns: | + | |
| - | connection.llmnr: | + | |
| - | connection.wait-device-timeout: | + | |
| - | 802-3-ethernet.port: | + | |
| - | 802-3-ethernet.speed: | + | |
| - | 802-3-ethernet.duplex: | + | |
| - | 802-3-ethernet.auto-negotiate: | + | |
| - | 802-3-ethernet.mac-address: | + | |
| - | 802-3-ethernet.cloned-mac-address: | + | |
| - | 802-3-ethernet.generate-mac-address-mask: | + | |
| - | 802-3-ethernet.mac-address-blacklist: | + | |
| - | 802-3-ethernet.mtu: | + | |
| - | 802-3-ethernet.s390-subchannels: | + | |
| - | 802-3-ethernet.s390-nettype: | + | |
| - | 802-3-ethernet.s390-options: | + | |
| - | 802-3-ethernet.wake-on-lan: | + | |
| - | 802-3-ethernet.wake-on-lan-password: | + | |
| - | ipv4.method: | + | |
| - | ipv4.dns: | + | |
| - | ipv4.dns-search: | + | |
| - | ipv4.dns-options: | + | |
| - | ipv4.dns-priority: | + | |
| - | ipv4.addresses: | + | |
| - | ipv4.gateway: | + | |
| - | ipv4.routes: | + | |
| - | ipv4.route-metric: | + | |
| - | ipv4.route-table: | + | |
| - | ipv4.routing-rules: | + | |
| - | ipv4.ignore-auto-routes: | + | |
| - | ipv4.ignore-auto-dns: | + | |
| - | ipv4.dhcp-client-id: | + | |
| - | ipv4.dhcp-iaid: | + | |
| - | ipv4.dhcp-timeout: | + | |
| - | ipv4.dhcp-send-hostname: | + | |
| - | ipv4.dhcp-hostname: | + | |
| - | ipv4.dhcp-fqdn: | + | |
| - | ipv4.dhcp-hostname-flags: | + | |
| - | ipv4.never-default: | + | |
| - | ipv4.may-fail: | + | |
| - | ipv4.dad-timeout: | + | |
| - | ipv4.dhcp-vendor-class-identifier: | + | |
| - | ipv4.dhcp-reject-servers: | + | |
| - | ipv6.method: | + | |
| - | ipv6.dns: | + | |
| - | ipv6.dns-search: | + | |
| - | ipv6.dns-options: | + | |
| - | ipv6.dns-priority: | + | |
| - | ipv6.addresses: | + | |
| - | ipv6.gateway: | + | |
| - | ipv6.routes: | + | |
| - | ipv6.route-metric: | + | |
| - | ipv6.route-table: | + | |
| - | ipv6.routing-rules: | + | |
| - | ipv6.ignore-auto-routes: | + | |
| - | ipv6.ignore-auto-dns: | + | |
| - | ipv6.never-default: | + | |
| - | ipv6.may-fail: | + | |
| - | ipv6.ip6-privacy: | + | |
| - | ipv6.addr-gen-mode: | + | |
| - | ipv6.ra-timeout: | + | |
| - | ipv6.dhcp-duid: | + | |
| - | ipv6.dhcp-iaid: | + | |
| - | ipv6.dhcp-timeout: | + | |
| - | ipv6.dhcp-send-hostname: | + | |
| - | ipv6.dhcp-hostname: | + | |
| - | ipv6.dhcp-hostname-flags: | + | |
| - | ipv6.token: | + | |
| - | proxy.method: | + | |
| - | proxy.browser-only: | + | |
| - | proxy.pac-url: | + | |
| - | proxy.pac-script: | + | |
| - | GENERAL.NAME: | + | |
| - | GENERAL.UUID: | + | |
| - | GENERAL.DEVICES: | + | |
| - | GENERAL.IP-IFACE: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.DEFAULT: | + | |
| - | GENERAL.DEFAULT6: | + | |
| - | GENERAL.SPEC-OBJECT: | + | |
| - | GENERAL.VPN: | + | |
| - | GENERAL.DBUS-PATH: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | GENERAL.ZONE: | + | |
| - | GENERAL.MASTER-PATH: | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.ADDRESS[2]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: | + | |
| - | IP4.ROUTE[2]: | + | |
| - | IP4.ROUTE[3]: | + | |
| - | IP4.DNS[1]: | + | |
| - | IP6.ADDRESS[1]: | + | |
| - | IP6.GATEWAY: | + | |
| - | IP6.ROUTE[1]: | + | |
| - | IP6.ROUTE[2]: | + | |
| - | lines 72-116/116 (END) | + | |
| - | [q] | + | |
| </ | </ | ||
| - | |||
| - | <WRAP center round important> | ||
| - | **Important** : Notez l' | ||
| - | </ | ||
| - | |||
| - | Consultez maintenant le contenu du fichier **/ | ||
| < | < | ||
| - | [root@centos8 ~]# cat / | + | [root@centos8 ~]# firewall-cmd --reload |
| - | TYPE=Ethernet | + | success |
| - | PROXY_METHOD=none | + | |
| - | BROWSER_ONLY=no | + | |
| - | BOOTPROTO=none | + | |
| - | IPADDR=10.0.2.46 | + | |
| - | PREFIX=24 | + | |
| - | GATEWAY=10.0.2.1 | + | |
| - | DEFROUTE=yes | + | |
| - | IPV4_FAILURE_FATAL=no | + | |
| - | IPV6INIT=yes | + | |
| - | IPV6_AUTOCONF=yes | + | |
| - | IPV6_DEFROUTE=yes | + | |
| - | IPV6_FAILURE_FATAL=no | + | |
| - | IPV6_ADDR_GEN_MODE=stable-privacy | + | |
| - | NAME=ip_fixe | + | |
| - | UUID=0f48c74d-5d16-4c37-8220-24644507b589 | + | |
| - | DEVICE=ens18 | + | |
| - | ONBOOT=yes | + | |
| - | DNS1=8.8.8.8 | + | |
| - | IPADDR1=192.168.1.2 | + | |
| - | PREFIX1=24 | + | |
| </ | </ | ||
| - | <WRAP center round important> | + | La configuration faite, vérifiez |
| - | **Important** : Notez l' | + | |
| - | </ | + | |
| - | + | ||
| - | ====1.4 - La Commande hostname==== | + | |
| - | + | ||
| - | La procédure de la modification du hostname est simplifiée et sa prise en compte est immédiate | + | |
| < | < | ||
| - | [root@centos8 ~]# hostname | + | [root@centos8 ~]# ip a |
| - | centos8.ittraining.loc | + | |
| - | + | ||
| - | [root@centos8 ~]# nmcli general hostname centos.ittraining.loc | + | |
| - | + | ||
| - | [root@centos8 ~]# cat / | + | |
| - | centos.ittraining.loc | + | |
| - | + | ||
| - | [root@centos8 ~]# hostname | + | |
| - | centos.ittraining.loc | + | |
| - | + | ||
| - | [root@centos8 ~]# nmcli general hostname centos8.ittraining.loc | + | |
| - | + | ||
| - | [root@centos8 ~]# cat / | + | |
| - | centos8.ittraining.loc | + | |
| - | + | ||
| - | [root@centos8 ~]# hostname | + | |
| - | centos8.ittraining.loc | + | |
| - | </ | + | |
| - | + | ||
| - | ====1.5 - La Commande | + | |
| - | + | ||
| - | Sous RHEL/CentOS 8 la commande **ip** est préférée par rapport à la commande ifconfig : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# ip address | + | |
| 1: lo: < | 1: lo: < | ||
| link/ | link/ | ||
| Ligne 913: | Ligne 508: | ||
| inet6 fe80:: | inet6 fe80:: | ||
| | | ||
| - | 3: virbr0: < | + | 3: ens19: < |
| + | link/ether 46: | ||
| + | inet 192.168.56.2/ | ||
| + | | ||
| + | inet6 fe80:: | ||
| + | | ||
| + | 4: virbr0: < | ||
| link/ether 52: | link/ether 52: | ||
| inet 192.168.122.1/ | inet 192.168.122.1/ | ||
| | | ||
| - | 4: virbr0-nic: < | + | 5: virbr0-nic: < |
| link/ether 52: | link/ether 52: | ||
| </ | </ | ||
| - | ===Options de la Commande ip=== | + | <WRAP center round important |
| - | + | **Important** : Notez que la configuration n' | |
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# ip --help | + | |
| - | Usage: ip [ OPTIONS ] OBJECT { COMMAND | help } | + | |
| - | ip [ -force ] -batch filename | + | |
| - | where OBJECT := { link | address | addrlabel | route | rule | neigh | ntable | | + | |
| - | | + | |
| - | netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila | | + | |
| - | vrf | sr | nexthop | mptcp } | + | |
| - | | + | |
| - | -h[uman-readable] | -iec | -j[son] | -p[retty] | | + | |
| - | -f[amily] { inet | inet6 | mpls | bridge | link } | | + | |
| - | -4 | -6 | -I | -D | -M | -B | -0 | | + | |
| - | -l[oops] { maximum-addr-flush-attempts } | -br[ief] | | + | |
| - | -o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] | | + | |
| - | -rc[vbuf] [size] | -n[etns] name | -N[umeric] | -a[ll] | | + | |
| - | -c[olor]} | + | |
| - | + | ||
| - | </ | + | |
| - | + | ||
| - | ====1.6 - Activer/ | + | |
| - | + | ||
| - | Deux commandes existent pour désactiver et activer manuellement une interface réseau : | + | |
| - | + | ||
| - | < | + | |
| - | # nmcli device disconnect enp0s3 | + | |
| - | # nmcli device connect enp0s3 | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important> | + | |
| - | **Important** : Veuillez ne **PAS** exécuter ces deux commandes. | + | |
| </ | </ | ||
| - | ====1.7 - Routage Statique==== | + | Consultez maintenant la list des réseaux configurés |
| - | + | ||
| - | ===La commande ip=== | + | |
| - | + | ||
| - | Sous RHEL/CentOS 8, pour supprimer la route vers le réseau 192.168.1.0 il convient d' | + | |
| < | < | ||
| - | [root@centos8 ~]# ip route | + | [root@centos8 ~]# virsh net-list |
| - | default via 10.0.2.1 dev ens18 proto static metric 100 | + | Name State Autostart |
| - | 10.0.2.0/24 dev ens18 proto kernel scope link src 10.0.2.46 metric 100 | + | -------------------------------------------- |
| - | 192.168.1.0/ | + | |
| - | 192.168.122.0/ | + | |
| - | + | ||
| - | root@centos8 ~]# ip route del 192.168.1.0/ | + | |
| - | [root@centos8 ~]# ip route | + | |
| - | default | + | |
| - | 10.0.2.0/24 dev ens18 proto kernel scope link src 10.0.2.46 metric 100 | + | |
| - | 192.168.122.0/ | + | |
| </ | </ | ||
| - | Pour ajouter | + | En utilisant |
| < | < | ||
| - | [root@centos8 ~]# ip route add 192.168.1.0/ | + | [root@centos8 ~]# virsh net-dumpxml default |
| - | [root@centos8 ~]# ip route | + | < |
| - | default | + | < |
| - | 10.0.2.0/24 dev ens18 proto kernel scope link src 10.0.2.46 metric 100 | + | < |
| - | 192.168.1.0/24 via 10.0.2.1 dev ens18 | + | < |
| - | 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown | + | < |
| + | <port start=' | ||
| + | </ | ||
| + | </ | ||
| + | <bridge name=' | ||
| + | <mac address=' | ||
| + | < | ||
| + | < | ||
| + | < | ||
| + | </ | ||
| + | </ | ||
| + | </ | ||
| </ | </ | ||
| - | <WRAP center round important> | + | Il est donc nécessaire d' |
| - | **Important** - La commande utilisée | + | |
| - | </ | + | |
| - | + | ||
| - | ===Désactiver/ | + | |
| - | + | ||
| - | Pour désactiver le routage sur le serveur, il convient de désactiver la retransmission des paquets: | + | |
| < | < | ||
| - | [root@centos8 ~]# cat /proc/sys/net/ | + | [root@centos8 ~]# virsh net-edit default |
| - | 1 | + | |
| - | [root@centos8 ~]# echo 0 > / | + | |
| - | [root@centos8 ~]# cat / | + | |
| - | 0 | + | |
| </ | </ | ||
| - | Pour activer le routage sur le serveur, il convient d' | + | A l'issu de votre édition, votre fichier doit correspondre |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# echo 1 > / | + | |
| - | [root@centos8 ~]# cat / | + | |
| - | 1 | + | |
| - | </ | + | |
| - | + | ||
| - | =====LAB #2 - Diagnostique du Réseau===== | + | |
| - | + | ||
| - | ====2.1 - ping==== | + | |
| - | + | ||
| - | Pour tester | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# ping -c4 10.0.2.1 | + | |
| - | PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data. | + | |
| - | 64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.104 ms | + | |
| - | 64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.325 ms | + | |
| - | 64 bytes from 10.0.2.1: icmp_seq=3 ttl=64 time=0.250 ms | + | |
| - | 64 bytes from 10.0.2.1: icmp_seq=4 ttl=64 time=0.123 ms | + | |
| - | + | ||
| - | --- 10.0.2.1 ping statistics --- | + | |
| - | 4 packets transmitted, | + | |
| - | rtt min/ | + | |
| - | </ | + | |
| - | + | ||
| - | ===Options | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# ping --help | + | |
| - | ping: invalid option -- ' | + | |
| - | Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface] | + | |
| - | [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos] | + | |
| - | [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option] | + | |
| - | [-w deadline] [-W timeout] [hop1 ...] destination | + | |
| - | Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface] | + | |
| - | [-l preload] [-m mark] [-M pmtudisc_option] | + | |
| - | [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize] | + | |
| - | [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline] | + | |
| - | [-W timeout] destination | + | |
| - | </ | + | |
| - | + | ||
| - | ====2.2 - netstat -i==== | + | |
| - | + | ||
| - | Pour visualiser les statistiques réseaux, vous disposez de la commande **netstat** : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# netstat -i | + | |
| - | Kernel Interface table | + | |
| - | Iface | + | |
| - | ens18 1500 | + | |
| - | lo 65536 10936 0 0 0 | + | |
| - | virbr0 | + | |
| - | </ | + | |
| - | + | ||
| - | ===Options de la commande netstat=== | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# netstat --help | + | |
| - | usage: netstat [-vWeenNcCF] [< | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | -r, --route | + | |
| - | -I, --interfaces=< | + | |
| - | -i, --interfaces | + | |
| - | -g, --groups | + | |
| - | -s, --statistics | + | |
| - | -M, --masquerade | + | |
| - | + | ||
| - | -v, --verbose | + | |
| - | -W, --wide | + | |
| - | -n, --numeric | + | |
| - | --numeric-hosts | + | |
| - | --numeric-ports | + | |
| - | --numeric-users | + | |
| - | -N, --symbolic | + | |
| - | -e, --extend | + | |
| - | -p, --programs | + | |
| - | -o, --timers | + | |
| - | -c, --continuous | + | |
| - | + | ||
| - | -l, --listening | + | |
| - | -a, --all display all sockets (default: connected) | + | |
| - | -F, --fib display Forwarding Information Base (default) | + | |
| - | -C, --cache | + | |
| - | -Z, --context | + | |
| - | + | ||
| - | < | + | |
| - | | + | |
| - | < | + | |
| - | List of possible address families (which support routing): | + | |
| - | inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) | + | |
| - | netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) | + | |
| - | x25 (CCITT X.25) | + | |
| - | </ | + | |
| - | + | ||
| - | ====2.3 - traceroute==== | + | |
| - | + | ||
| - | La commande ping est à la base de la commande **traceroute**. Cette commande sert à découvrir la route empruntée pour accéder à un site donné : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# traceroute www.ittraining.network | + | |
| - | bash: traceroute: command not found... | + | |
| - | Install package ' | + | |
| - | + | ||
| - | + | ||
| - | * Waiting in queue... | + | |
| - | The following packages have to be installed: | + | |
| - | | + | |
| - | Proceed with changes? [N/y] y | + | |
| - | + | ||
| - | + | ||
| - | * Waiting in queue... | + | |
| - | * Waiting for authentication... | + | |
| - | * Waiting in queue... | + | |
| - | * Downloading packages... | + | |
| - | * Requesting data... | + | |
| - | * Testing changes... | + | |
| - | * Installing packages... | + | |
| - | traceroute to www.ittraining.network (109.228.56.52), | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | 10 ae-14.bb-b.fr7.fra.de.oneandone.net (212.227.120.149) | + | |
| - | 11 port-channel-3.gw-ngcs-1.dc1.con.glo.gb.oneandone.net (88.208.255.131) | + | |
| - | 12 109.228.63.209 (109.228.63.209) | + | |
| - | 13 * 109.228.63.209 (109.228.63.209) | + | |
| - | 14 * * * | + | |
| - | 15 * * * | + | |
| - | 16 * * * | + | |
| - | 17 * * * | + | |
| - | 18 * * * | + | |
| - | 19 * * * | + | |
| - | 20 * * * | + | |
| - | 21 * * * | + | |
| - | 22 * * * | + | |
| - | 23 * * * | + | |
| - | 24 * * * | + | |
| - | 25 * * * | + | |
| - | 26 * * * | + | |
| - | 27 * * * | + | |
| - | 28 * * * | + | |
| - | 29 * * *^C | + | |
| - | </ | + | |
| - | + | ||
| - | ===Options de la commande traceroute=== | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# traceroute --help | + | |
| - | Usage: | + | |
| - | traceroute [ -46dFITnreAUDV ] [ -f first_ttl ] [ -g gate,... ] [ -i device ] [ -m max_ttl ] [ -N squeries ] [ -p port ] [ -t tos ] [ -l flow_label ] [ -w MAX, | + | |
| - | Options: | + | |
| - | -4 Use IPv4 | + | |
| - | -6 Use IPv6 | + | |
| - | -d --debug | + | |
| - | -F --dont-fragment | + | |
| - | -f first_ttl | + | |
| - | Start from the first_ttl hop (instead from 1) | + | |
| - | -g gate, | + | |
| - | Route packets through the specified gateway | + | |
| - | (maximum 8 for IPv4 and 127 for IPv6) | + | |
| - | -I --icmp | + | |
| - | -T --tcp Use TCP SYN for tracerouting (default port is 80) | + | |
| - | -i device | + | |
| - | Specify a network interface to operate with | + | |
| - | -m max_ttl | + | |
| - | Set the max number of hops (max TTL to be | + | |
| - | reached). Default is 30 | + | |
| - | -N squeries | + | |
| - | Set the number of probes to be tried | + | |
| - | simultaneously (default is 16) | + | |
| - | -n Do not resolve IP addresses to their domain names | + | |
| - | -p port --port=port | + | |
| - | initial udp port value for " | + | |
| - | (incremented by each probe, default is 33434), or | + | |
| - | initial seq for " | + | |
| - | default from 1), or some constant destination | + | |
| - | port for other methods (with default of 80 for | + | |
| - | " | + | |
| - | -t tos --tos=tos | + | |
| - | traffic class) value for outgoing packets | + | |
| - | -l flow_label | + | |
| - | Use specified flow_label for IPv6 packets | + | |
| - | -w MAX, | + | |
| - | Wait for a probe no more than HERE (default 3) | + | |
| - | times longer than a response from the same hop, | + | |
| - | or no more than NEAR (default 10) times than some | + | |
| - | next hop, or MAX (default 5.0) seconds (float | + | |
| - | point values allowed too) | + | |
| - | -q nqueries | + | |
| - | Set the number of probes per each hop. Default is | + | |
| - | 3 | + | |
| - | -r Bypass the normal routing and send directly to a | + | |
| - | host on an attached network | + | |
| - | -s src_addr | + | |
| - | Use source src_addr for outgoing packets | + | |
| - | -z sendwait | + | |
| - | Minimal time interval between probes (default 0). | + | |
| - | If the value is more than 10, then it specifies a | + | |
| - | number in milliseconds, | + | |
| - | seconds (float point values allowed too) | + | |
| - | -e --extensions | + | |
| - | -A --as-path-lookups | + | |
| - | print results directly after the corresponding | + | |
| - | addresses | + | |
| - | -M name --module=name | + | |
| - | for traceroute operations. Most methods have | + | |
| - | their shortcuts (`-I' | + | |
| - | -O OPTS, | + | |
| - | Use module-specific option OPTS for the | + | |
| - | traceroute module. Several OPTS allowed, | + | |
| - | separated by comma. If OPTS is " | + | |
| - | about available options | + | |
| - | --sport=num | + | |
| - | `-N 1' | + | |
| - | --fwmark=num | + | |
| - | -U --udp Use UDP to particular port for tracerouting | + | |
| - | (instead of increasing the port per each probe), | + | |
| - | default port is 53 | + | |
| - | -UL Use UDPLITE for tracerouting (default dest port | + | |
| - | is 53) | + | |
| - | -D --dccp | + | |
| - | is 33434) | + | |
| - | -P prot --protocol=prot | + | |
| - | --mtu | + | |
| - | `-F -N 1' | + | |
| - | --back | + | |
| - | print if it differs | + | |
| - | -V --version | + | |
| - | --help | + | |
| - | + | ||
| - | Arguments: | + | |
| - | + | + | |
| - | packetlen | + | |
| - | header plus 40). Can be ignored or increased to a minimal | + | |
| - | allowed value | + | |
| - | </ | + | |
| - | + | ||
| - | =====LAB #3 - Connexions à Distance===== | + | |
| - | + | ||
| - | ==== 3.1 - Telnet ==== | + | |
| - | + | ||
| - | WRAP center round important> | + | |
| - | **Important** - Si la commande **telnet** n'est pas installée sous CentOS 8, installez-le à l'aide de la commande **dnf install telnet** en tant que root. | + | |
| - | </ | + | |
| - | + | ||
| - | La commande **telnet** est utilisée pour établir une connexion à distance avec un serveur telnet | + | |
| < | < | ||
| - | # telnet numero_ip | + | < |
| + | < | ||
| + | < | ||
| + | <forward mode=' | ||
| + | <bridge name=' | ||
| + | <mac address=' | ||
| + | <ip address=' | ||
| + | < | ||
| + | <range start=' | ||
| + | </ | ||
| + | </ | ||
| + | </ | ||
| </ | </ | ||
| - | <WRAP center round important> | + | Sortez du mode édition. Vous noterez |
| - | **Important** - Le service telnet revient à une redirection des canaux standards d' | + | |
| - | </ | + | |
| - | + | ||
| - | ===Options de la commande telnet=== | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| < | < | ||
| - | [[root@centos8 ~]# telnet | + | [ESC]:q |
| - | telnet: invalid option -- ' | + | [root@centos8 ~]# virsh net-edit default |
| - | Usage: telnet [-4] [-6] [-8] [-E] [-L] [-S tos] [-a] [-c] [-d] [-e char] [-l user] | + | Network default XML configuration edited. |
| - | [-n tracefile] [-b hostalias ] [-r] | + | |
| - | | + | |
| </ | </ | ||
| - | ==== 3.2 - wget ==== | + | Par contre, la simple édition du fichier n'a pas modifiée la configuration en cours : |
| - | + | ||
| - | La commande **wget** est utilisée pour récupérer un fichier via http, https ou ftp : | + | |
| < | < | ||
| - | [root@centos8 ~]# wget https:// | + | [root@centos8 ~]# virsh net-dumpxml default |
| - | --2021-08-29 06: | + | < |
| - | Resolving www.dropbox.com (www.dropbox.com)... 162.125.67.18, | + | < |
| - | Connecting to www.dropbox.com (www.dropbox.com)|162.125.67.18|: | + | < |
| - | HTTP request sent, awaiting response... 301 Moved Permanently | + | < |
| - | Location: | + | < |
| - | --2021-08-29 06: | + | < |
| - | Reusing existing connection to www.dropbox.com: | + | </nat> |
| - | HTTP request sent, awaiting response... 302 Found | + | </forward> |
| - | Location: https://uc8a5f475f4a5f849fd1055f560f.dl.dropboxusercontent.com/cd/ | + | |
| - | --2021-08-29 06: | + | < |
| - | Resolving uc8a5f475f4a5f849fd1055f560f.dl.dropboxusercontent.com (uc8a5f475f4a5f849fd1055f560f.dl.dropboxusercontent.com)... 162.125.67.15, | + | < |
| - | Connecting to uc8a5f475f4a5f849fd1055f560f.dl.dropboxusercontent.com (uc8a5f475f4a5f849fd1055f560f.dl.dropboxusercontent.com)|162.125.67.15|:443... connected. | + | < |
| - | HTTP request sent, awaiting response... 200 OK | + | <range start=' |
| - | Length: 46 [text/plain] | + | </dhcp> |
| - | Saving to: ‘wget_file.txt’ | + | |
| - | + | </network> | |
| - | wget_file.txt | + | |
| - | + | ||
| - | 2021-08-29 06:22:27 (26.9 MB/s) - ‘wget_file.txt’ saved [46/46] | + | |
| - | + | ||
| - | [root@centos8 ~]# cat wget_file.txt | + | |
| - | This is a file retrieved by the wget command. | + | |
| </ | </ | ||
| - | ===Options | + | Notez que même en cas de re-démarrage du service, |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| < | < | ||
| - | [root@centos8 ~]# wget --help | + | [root@centos8 ~]# systemctl restart libvirtd |
| - | GNU Wget 1.19.5, a non-interactive network retriever. | + | [root@centos8 ~]# systemctl status libvirtd |
| - | Usage: wget [OPTION]... [URL]... | + | ● libvirtd.service |
| - | + | Loaded: loaded | |
| - | Mandatory arguments to long options are mandatory for short options too. | + | Active: active |
| - | + | Docs: man: | |
| - | Startup: | + | https:// |
| - | -V, --version | + | Main PID: 4037 (libvirtd) |
| - | | + | |
| - | -b, --background | + | Memory: 57.5M |
| - | -e, --execute=COMMAND | + | CGroup: |
| - | + | ├─1950 / | |
| - | Logging and input file: | + | ├─1951 |
| - | -o, --output-file=FILE | + | └─4037 / |
| - | -a, --append-output=FILE | + | |
| - | -d, --debug | + | |
| - | -q, --quiet | + | |
| - | -v, --verbose | + | |
| - | -nv, --no-verbose | + | |
| - | | + | |
| - | -i, --input-file=FILE | + | |
| - | | + | |
| - | -F, --force-html | + | |
| - | -B, --base=URL | + | |
| - | relative to URL | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | Download: | + | |
| - | -t, --tries=NUMBER | + | |
| - | --retry-connrefused | + | |
| - | --retry-on-http-error=ERRORS | + | |
| - | -O, --output-document=FILE | + | |
| - | -nc, --no-clobber | + | |
| - | | + | |
| - | --no-netrc | + | |
| - | -c, --continue | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | -N, --timestamping | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | the one on the server | + | |
| - | -S, --server-response | + | |
| - | | + | |
| - | -T, --timeout=SECONDS | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | -w, --wait=SECONDS | + | |
| - | | + | |
| - | --random-wait | + | |
| - | | + | |
| - | -Q, --quota=NUMBER | + | |
| - | | + | |
| - | --limit-rate=RATE | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | -4, --inet4-only | + | |
| - | -6, --inet6-only | + | |
| - | | + | |
| - | one of IPv6, IPv4, or none | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | --metalink-index=NUMBER | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | Directories: | + | |
| - | -nd, --no-directories | + | |
| - | -x, --force-directories | + | |
| - | -nH, --no-host-directories | + | |
| - | | + | |
| - | -P, --directory-prefix=PREFIX | + | |
| - | --cut-dirs=NUMBER | + | |
| - | + | ||
| - | HTTP options: | + | |
| - | --http-user=USER set http user to USER | + | |
| - | | + | |
| - | | + | |
| - | --default-page=NAME | + | |
| - | this is 'index.html' | + | |
| - | | + | |
| - | --ignore-length | + | |
| - | | + | |
| - | --compression=TYPE | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | -U, --user-agent=AGENT | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | HTTPS (SSL/TLS) options: | + | |
| - | --secure-protocol=PR | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | of base64 encoded sha256 hashes preceded by | + | |
| - | ' | + | |
| - | peer against | + | |
| - | + | ||
| - | | + | |
| - | Use with care. This option overrides --secure-protocol. | + | |
| - | The format and syntax of this string depend on the specific SSL/TLS engine. | + | |
| - | HSTS options: | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | FTP options: | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | --no-glob turn off FTP file name globbing | + | |
| - | --no-passive-ftp | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | FTPS options: | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | WARC options: | + | |
| - | | + | |
| - | --warc-header=STRING | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | --no-warc-keep-log | + | |
| - | | + | |
| - | WARC writer | + | |
| - | + | ||
| - | Recursive download: | + | |
| - | -r, --recursive | + | |
| - | -l, --level=NUMBER | + | |
| - | | + | |
| - | -k, --convert-links | + | |
| - | local files | + | |
| - | | + | |
| - | | + | |
| - | -K, --backup-converted | + | |
| - | -m, --mirror | + | |
| - | -p, --page-requisites | + | |
| - | | + | |
| - | Recursive accept/ | + | Sep 02 10:27:41 centos8.ittraining.loc systemd[1]: Starting Virtualization daemon... |
| - | | + | Sep 02 10:27:41 centos8.ittraining.loc systemd[1]: Started Virtualization daemon. |
| - | | + | Sep 02 10:27:41 centos8.ittraining.loc dnsmasq[1950]: |
| - | | + | Sep 02 10:27:41 centos8.ittraining.loc dnsmasq[1950]: |
| - | | + | Sep 02 10:27:41 centos8.ittraining.loc dnsmasq-dhcp[1950]: read / |
| - | | + | |
| - | -D, --domains=LIST | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | -H, --span-hosts go to foreign hosts when recursive | + | |
| - | | + | |
| - | -I, --include-directories=LIST | + | |
| - | | + | |
| - | | + | |
| - | -X, --exclude-directories=LIST | + | |
| - | -np, --no-parent | + | |
| - | Email bug reports, questions, discussions to <bug-wget@gnu.org> | + | [root@centos8 ~]# virsh net-dumpxml default |
| - | and/or open issues at https://savannah.gnu.org/bugs/?func=additem& | + | <network> |
| + | < | ||
| + | < | ||
| + | < | ||
| + | < | ||
| + | <port start=' | ||
| + | </nat> | ||
| + | </forward> | ||
| + | <bridge name=' | ||
| + | <mac address=' | ||
| + | <ip address=' | ||
| + | < | ||
| + | <range start=' | ||
| + | </ | ||
| + | </ | ||
| + | </ | ||
| </ | </ | ||
| - | ==== 3.3 - ftp ==== | + | Re-démarrez donc votre VM : |
| - | + | ||
| - | <WRAP center round important> | + | |
| - | **Important** - Si la commande **ftp** n'est pas installée sous CentOS 8, installez-le à l'aide de la commande **dnf install ftp** en tant que root. | + | |
| - | </ | + | |
| - | + | ||
| - | La commande **ftp** est utilisée pour le transfert de fichiers. Une fois connecté, il convient d' | + | |
| < | < | ||
| - | ftp> help | + | [root@centos8 ~]# reboot |
| - | Commands may be abbreviated. | + | |
| - | + | ||
| - | ! debug mdir sendport site | + | |
| - | $ dir mget put size | + | |
| - | account disconnect mkdir pwd status | + | |
| - | append exit mls quit struct | + | |
| - | ascii form mode quote system | + | |
| - | bell get modtime recv sunique | + | |
| - | binary glob mput reget tenex | + | |
| - | bye hash newer rstatus tick | + | |
| - | case help nmap rhelp trace | + | |
| - | cd idle nlist rename type | + | |
| - | cdup image ntrans reset user | + | |
| - | chmod lcd open restart umask | + | |
| - | close ls prompt rmdir verbose | + | |
| - | cr macdef passive runique ? | + | |
| - | delete mdelete proxy send | + | |
| - | ftp> | + | |
| </ | </ | ||
| - | Le caractère | + | Connectez-vous de nouveau à votre VM et contrôler la sortie de la commande |
| < | < | ||
| - | ftp> !pwd | + | [root@centos8 ~]# nmcli c show |
| - | /root | + | NAME |
| + | ip_fixe | ||
| + | virbr0 | ||
| + | ip_kvm | ||
| + | ens18 fc4a4d23-b15e-47a7-bcfa-b2e08f49553e | ||
| </ | </ | ||
| - | Pour transférer un fichier vers le serveur, il convient d' | + | Utilisez ensuite |
| - | + | ||
| - | < | + | |
| - | ftp> put nom_fichier_local nom_fichier_distant | + | |
| - | </ | + | |
| - | + | ||
| - | Vous pouvez également transférer plusieurs fichiers à la fois grâce à la commande **mput**. Dans ce cas précis, il convient | + | |
| - | + | ||
| - | < | + | |
| - | ftp> mput nom*.* | + | |
| - | </ | + | |
| - | + | ||
| - | Pour transférer un fichier du serveur, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | ftp> get nom_fichier | + | |
| - | </ | + | |
| - | + | ||
| - | Vous pouvez également transférer plusieurs fichiers à la fois grâce à la commande **mget** ( voir la commande **mput** ci-dessus ). | + | |
| - | + | ||
| - | Pour supprimer un fichier sur le serveur, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | ftp> del nom_fichier | + | |
| - | </ | + | |
| - | + | ||
| - | Pour fermer la session, il convient d' | + | |
| < | < | ||
| - | ftp> quit | + | [root@centos8 |
| - | [root@centos7 | + | 1: lo: < |
| + | link/ | ||
| + | inet 127.0.0.1/8 scope host lo | ||
| + | | ||
| + | inet6 ::1/128 scope host | ||
| + | | ||
| + | 2: ens18: < | ||
| + | link/ether 4e: | ||
| + | inet 10.0.2.46/ | ||
| + | | ||
| + | inet 192.168.1.2/ | ||
| + | | ||
| + | inet6 fe80:: | ||
| + | | ||
| + | 3: ens19: < | ||
| + | link/ether 46: | ||
| + | 4: virbr0: < | ||
| + | link/ether 52: | ||
| + | inet 192.168.56.10/ | ||
| + | | ||
| + | 5: virbr0-nic: < | ||
| + | link/ether 52: | ||
| </ | </ | ||
| - | ====3.4 - SSH==== | + | Dernièrement, vérifier |
| - | + | ||
| - | ===Présentation=== | + | |
| - | + | ||
| - | La commande **[[wpfr> | + | |
| - | + | ||
| - | * Le **serveur SSH** | + | |
| - | * le démon sshd, qui s' | + | |
| - | * Le **client SSH** | + | |
| - | * ssh ou scp, qui assure | + | |
| - | * La **session** qui représente | + | |
| - | | + | |
| - | * **Couple de clef utilisateur asymétriques** et persistantes qui assurent l' | + | |
| - | * **Clef hôte asymétrique et persistante** garantissant l' | + | |
| - | * **Clef serveur asymétrique et temporaire** utilisée par le protocole SSH1 qui sert au chiffrement de la clé de session, | + | |
| - | * **Clef de session symétrique qui est générée aléatoirement** et qui permet le chiiffrement de la communication entre le client et le serveur. Elle est détruite en fin de session. SSH-1 utilise une seule clef tandis que SSH-2 utilise une clef par direction de la communication, | + | |
| - | * La **base de données des hôtes connus** qui stocke les clés des connexions précédentes. | + | |
| - | + | ||
| - | SSH fonctionne de la manière suivante pour la la mise en place d'un canal sécurisé: | + | |
| - | + | ||
| - | * Le client contacte le serveur sur son port 22, | + | |
| - | * Les client et le serveur échangent leur version de SSH. En cas de non-compatibilité de versions, l'un des deux met fin au processus, | + | |
| - | * Le serveur SSH s' | + | |
| - | * Sa clé hôte, | + | |
| - | * Sa clé serveur, | + | |
| - | * Une séquence aléatoire de huit octets à inclure dans les futures réponses du client, | + | |
| - | * Une liste de méthodes de chiffrage, compression et authentification, | + | |
| - | * Le client et le serveur produisent un identifiant identique, un haché MD5 long de 128 bits contenant la clé hôte, la clé serveur et la séquence aléatoire, | + | |
| - | * Le client génère sa clé de session symétrique et la chiffre deux fois de suite, une fois avec la clé hôte du serveur et la deuxième fois avec la clé serveur. Le client envoie cette clé au serveur accompagnée de la séquence aléatoire et un choix d' | + | |
| - | * Le serveur déchiffre la clé de session, | + | |
| - | * Le client et le serveur mettent en place le canal sécurisé. | + | |
| - | + | ||
| - | ==SSH-1== | + | |
| - | + | ||
| - | SSH-1 utilise une paire de clefs de type RSA1. Il assure l' | + | |
| - | + | ||
| - | Afin de s' | + | |
| - | + | ||
| - | * **Kerberos**, | + | |
| - | * **Rhosts**, | + | |
| - | * **%%RhostsRSA%%**, | + | |
| - | * Par **clef asymétrique**, | + | |
| - | * **TIS**, | + | |
| - | * Par **mot de passe**. | + | |
| - | + | ||
| - | ==SSH-2== | + | |
| - | + | ||
| - | SSH-2 utilise **DSA** ou **RSA**. Il assure l' | + | |
| - | + | ||
| - | * **SSH-TRANS** – Transport Layer Protocol, | + | |
| - | * **SSH-AUTH** – Authentification Protocol, | + | |
| - | * **SSH-CONN** – Connection Protocol. | + | |
| - | + | ||
| - | SSH-2 diffère de SSH-1 essentiellement dans la phase authentification. | + | |
| - | + | ||
| - | Trois méthodes d' | + | |
| - | + | ||
| - | * Par **clef asymétrique**, | + | |
| - | * Identique à SSH-1 sauf avec l' | + | |
| - | * **%%RhostsRSA%%**, | + | |
| - | * Par **mot de passe**. | + | |
| - | + | ||
| - | ==Options de la commande== | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| < | < | ||
| - | [root@centos8 ~]# ssh --help | + | [root@centos8 ~]# ping 192.168.56.1 |
| - | unknown option -- - | + | PING 192.168.56.1 (192.168.56.1) 56(84) bytes of data. |
| - | usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] | + | 64 bytes from 192.168.56.1: icmp_seq=1 ttl=64 time=14.8 ms |
| - | [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] | + | 64 bytes from 192.168.56.1: icmp_seq=2 ttl=64 time=0.154 ms |
| - | [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] | + | 64 bytes from 192.168.56.1: icmp_seq=3 ttl=64 time=0.153 ms |
| - | [-i identity_file] [-J [user@]host[:port]] [-L address] | + | ^C |
| - | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] | + | --- 192.168.56.1 ping statistics |
| - | [-Q query_option] [-R address] [-S ctl_path] [-W host:port] | + | 3 packets transmitted, |
| - | [-w local_tun[: | + | rtt min/ |
| </ | </ | ||
| - | ===Authentification par mot de passe=== | + | ====2.3 - Configuration du Stockage==== |
| - | L'utilisateur fournit | + | KVM a besoin d' |
| - | + | ||
| - | Avantage: | + | |
| - | * Aucune configuration de clef asymétrique n'est nécessaire. | + | |
| - | + | ||
| - | Inconvénients: | + | |
| - | * L'utilisateur doit fournir à chaque connexion | + | |
| - | | + | |
| - | + | ||
| - | ===Authentification par clef asymétrique=== | + | |
| - | + | ||
| - | | + | |
| - | | + | |
| - | * Dans le cas où une correspondance n'est pas trouvée, le serveur met fin à la communication, | + | |
| - | * Dans le cas contraire le serveur génère une chaîne aléatoire de 256 bits appelée un **challenge** et la chiffre avec la **clé publique du client**, | + | |
| - | * Le **client** reçoit le challenge et le décrypte avec la partie privée de sa clé. Il combine le challenge avec l' | + | |
| - | * Le **serveur** génère le même haché et le compare avec celui reçu du client. Si les deux hachés sont identiques, l' | + | |
| - | + | ||
| - | ===Configuration du Serveur=== | + | |
| - | + | ||
| - | La configuration du serveur s' | + | |
| < | < | ||
| - | [root@centos8 ~]# cat / | + | [root@centos8 ~]# lsblk |
| - | # | + | NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT |
| - | + | sda 8:0 0 | |
| - | # This is the sshd server system-wide configuration file. See | + | ├─sda1 |
| - | # sshd_config(5) for more information. | + | └─sda2 |
| - | + | | |
| - | # This sshd was compiled with PATH=/ | + | |
| - | + | sdb | |
| - | # The strategy used for options in the default sshd_config shipped with | + | sdc 8:32 |
| - | # OpenSSH is to specify options with their default value where | + | └─sdc1 |
| - | # possible, but leave them commented. | + | sdd |
| - | # default value. | + | sr0 11:0 1 1024M 0 rom |
| - | + | ||
| - | # If you want to change the port on a SELinux system, you have to tell | + | |
| - | # SELinux about this change. | + | |
| - | # semanage port -a -t ssh_port_t -p tcp # | + | |
| - | # | + | |
| - | #Port 22 | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | HostKey | + | |
| - | HostKey / | + | |
| - | HostKey / | + | |
| - | + | ||
| - | # Ciphers and keying | + | |
| - | #RekeyLimit default none | + | |
| - | + | ||
| - | # This system is following system-wide crypto policy. The changes to | + | |
| - | # crypto properties (Ciphers, MACs, ...) will not have any effect here. | + | |
| - | # They will be overridden by command-line options passed to the server | + | |
| - | # on command line. | + | |
| - | # Please, check manual pages for update-crypto-policies(8) and sshd_config(5). | + | |
| - | + | ||
| - | # Logging | + | |
| - | # | + | |
| - | SyslogFacility AUTHPRIV | + | |
| - | #LogLevel INFO | + | |
| - | + | ||
| - | # Authentication: | + | |
| - | + | ||
| - | # | + | |
| - | PermitRootLogin yes | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # | + | |
| - | + | ||
| - | # The default is to check both .ssh/ | + | |
| - | # but this is overridden so installations will only check .ssh/ | + | |
| - | AuthorizedKeysFile | + | |
| - | + | ||
| - | # | + | |
| - | + | ||
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # For this to work you will also need host keys in / | + | |
| - | # | + | |
| - | # Change to yes if you don't trust ~/ | + | |
| - | # HostbasedAuthentication | + | |
| - | # | + | |
| - | # Don't read the user's ~/.rhosts and ~/.shosts files | + | |
| - | # | + | |
| - | + | ||
| - | # To disable tunneled clear text passwords, change to no here! | + | |
| - | # | + | |
| - | # | + | |
| - | PasswordAuthentication yes | + | |
| - | + | ||
| - | # Change to no to disable s/key passwords | + | |
| - | # | + | |
| - | ChallengeResponseAuthentication no | + | |
| - | + | ||
| - | # Kerberos options | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # GSSAPI options | + | |
| - | GSSAPIAuthentication yes | + | |
| - | GSSAPICleanupCredentials no | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # Set this to ' | + | |
| - | # and session processing. If this is enabled, PAM authentication will | + | |
| - | # be allowed through the ChallengeResponseAuthentication and | + | |
| - | # PasswordAuthentication. | + | |
| - | # PAM authentication via ChallengeResponseAuthentication may bypass | + | |
| - | # the setting of " | + | |
| - | # If you just want the PAM account and session checks to run without | + | |
| - | # PAM authentication, | + | |
| - | # and ChallengeResponseAuthentication to ' | + | |
| - | # WARNING: ' | + | |
| - | # problems. | + | |
| - | UsePAM yes | + | |
| - | + | ||
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | X11Forwarding yes | + | |
| - | # | + | |
| - | # | + | |
| - | #PermitTTY yes | + | |
| - | + | ||
| - | # It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, | + | |
| - | # as it is more configurable and versatile than the built-in version. | + | |
| - | PrintMotd no | + | |
| - | + | ||
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | #UseDNS no | + | |
| - | #PidFile / | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # no default banner path | + | |
| - | #Banner none | + | |
| - | + | ||
| - | # Accept locale-related environment variables | + | |
| - | AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | + | |
| - | AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | + | |
| - | AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | + | |
| - | AcceptEnv XMODIFIERS | + | |
| - | + | ||
| - | # override default of no subsystems | + | |
| - | Subsystem | + | |
| - | + | ||
| - | # Example of overriding settings on a per-user basis | + | |
| - | #Match User anoncvs | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| </ | </ | ||
| - | Pour ôter les lignes | + | Créez donc sur **/ |
| < | < | ||
| - | [root@centos8 ~]# cd /tmp ; grep -E -v ' | + | [root@centos8 ~]# pvcreate |
| - | [root@centos8 | + | Physical volume "/dev/sdd" successfully created. |
| - | HostKey | + | [root@centos8 |
| - | HostKey / | + | |
| - | HostKey / | + | |
| - | SyslogFacility AUTHPRIV | + | |
| - | PermitRootLogin yes | + | |
| - | AuthorizedKeysFile | + | |
| - | PasswordAuthentication yes | + | |
| - | ChallengeResponseAuthentication no | + | |
| - | GSSAPIAuthentication yes | + | |
| - | GSSAPICleanupCredentials no | + | |
| - | UsePAM yes | + | |
| - | X11Forwarding yes | + | |
| - | PrintMotd no | + | |
| - | AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | + | |
| - | AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | + | |
| - | AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | + | |
| - | AcceptEnv XMODIFIERS | + | |
| - | Subsystem | + | |
| </ | </ | ||
| - | |||
| - | Pour sécuriser le serveur ssh, ajoutez ou modifiez les directives suivantes : | ||
| - | |||
| - | < | ||
| - | AllowGroups adm | ||
| - | Banner / | ||
| - | HostbasedAuthentication no | ||
| - | IgnoreRhosts yes | ||
| - | LoginGraceTime 60 | ||
| - | LogLevel INFO | ||
| - | PermitEmptyPasswords no | ||
| - | PermitRootLogin no | ||
| - | PrintLastLog yes | ||
| - | Protocol 2 | ||
| - | StrictModes yes | ||
| - | X11Forwarding no | ||
| - | </ | ||
| - | |||
| - | Votre fichier ressemblera à celui-ci : | ||
| < | < | ||
| - | [root@centos8 | + | [root@centos8 |
| - | [root@centos8 tmp]# cat sshd_config | + | |
| - | AllowGroups adm | + | |
| - | Banner /etc/issue.net | + | |
| - | HostbasedAuthentication no | + | |
| - | IgnoreRhosts yes | + | |
| - | LoginGraceTime 60 | + | |
| - | LogLevel INFO | + | |
| - | PermitEmptyPasswords no | + | |
| - | PermitRootLogin no | + | |
| - | PrintLastLog yes | + | |
| - | Protocol 2 | + | |
| - | StrictModes yes | + | |
| - | X11Forwarding no | + | |
| - | HostKey / | + | |
| - | HostKey / | + | |
| - | HostKey / | + | |
| - | SyslogFacility AUTHPRIV | + | |
| - | PermitRootLogin yes | + | |
| - | AuthorizedKeysFile | + | |
| - | PasswordAuthentication yes | + | |
| - | ChallengeResponseAuthentication no | + | |
| - | GSSAPIAuthentication yes | + | |
| - | GSSAPICleanupCredentials no | + | |
| - | UsePAM yes | + | |
| - | PrintMotd no | + | |
| - | AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | + | |
| - | AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | + | |
| - | AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | + | |
| - | AcceptEnv XMODIFIERS | + | |
| - | Subsystem | + | |
| </ | </ | ||
| - | Renommez le fichier | + | Créez ensuite un volume logique, dénommé |
| < | < | ||
| - | [root@centos8 | + | [root@centos8 |
| + | Logical volume " | ||
| + | |||
| + | [root@centos8 ~]# lvs | ||
| + | LV | ||
| + | root | ||
| + | swap | ||
| + | kvm_lv kvm_storage -wi-a----- <32.00g | ||
| </ | </ | ||
| - | Copiez le fichier | + | Créez ensuite un système de fichiers de type **xfs** sur le volume logique |
| + | |||
| < | < | ||
| - | [root@centos8 | + | [root@centos8 |
| - | cp: overwrite '/etc/ssh/sshd_config'? | + | meta-data=/dev/mapper/kvm_storage-kvm_lv isize=512 |
| + | | ||
| + | | ||
| + | | ||
| + | data | ||
| + | | ||
| + | naming | ||
| + | log =internal log | ||
| + | | ||
| + | realtime =none | ||
| + | Discarding blocks...Done. | ||
| </ | </ | ||
| - | Redémarrez | + | Éditez ensuite |
| < | < | ||
| - | [root@centos8 | + | [root@centos8 |
| - | [root@centos8 | + | [root@centos8 |
| - | ● sshd.service - OpenSSH server daemon | + | |
| - | | + | |
| - | | + | |
| - | Docs: man: | + | |
| - | | + | |
| - | Main PID: 1042039 (sshd) | + | |
| - | Tasks: 1 (limit: 23535) | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | Aug 30 02:17:00 centos8.ittraining.loc systemd[1]: Starting OpenSSH server daemon... | ||
| - | Aug 30 02:17:00 centos8.ittraining.loc sshd[1042039]: | ||
| - | Aug 30 02:17:00 centos8.ittraining.loc sshd[1042039]: | ||
| - | Aug 30 02:17:00 centos8.ittraining.loc systemd[1]: Started OpenSSH server daemon. | ||
| - | [q] | ||
| - | </ | ||
| - | |||
| - | Mettez l' | ||
| - | |||
| - | < | ||
| - | [root@centos8 tmp]# groups trainee | ||
| - | trainee : trainee | ||
| - | [root@centos8 tmp]# usermod -aG adm trainee | ||
| - | [root@centos8 tmp]# groups trainee | ||
| - | trainee : trainee adm | ||
| - | </ | ||
| - | |||
| - | Pour générer les clefs du serveur, saisissez la commande suivante en tant que **root**. Notez que la passphrase doit être **vide**. | ||
| - | |||
| - | < | ||
| - | [root@centos8 tmp]# ssh-keygen -t dsa | ||
| - | Generating public/ | ||
| - | Enter file in which to save the key (/ | ||
| - | Created directory '/ | ||
| - | Enter passphrase (empty for no passphrase): | ||
| - | Enter same passphrase again: | ||
| - | Your identification has been saved in / | ||
| - | Your public key has been saved in / | ||
| - | The key fingerprint is: | ||
| - | SHA256: | ||
| - | The key's randomart image is: | ||
| - | +---[DSA 1024]----+ | ||
| - | | | | ||
| - | | . | | ||
| - | |.o . o.+ | | ||
| - | |E. o.*.. . | | ||
| - | |+ooo.o +S o o | | ||
| - | |X==++ o o o | | ||
| - | |B/ | ||
| - | |Ooo++ | ||
| - | |. .o | | ||
| - | +----[SHA256]-----+ | ||
| - | </ | ||
| - | |||
| - | Le chemin à indiquer pour le fichier est **/ | ||
| - | |||
| - | De la même façon, il est possible de générer les clefs au format **[[https:// | ||
| - | |||
| - | < | ||
| - | [root@centos8 tmp]# ssh-keygen -t rsa | ||
| - | Generating public/ | ||
| - | Enter file in which to save the key (/ | ||
| - | Enter passphrase (empty for no passphrase): | ||
| - | Enter same passphrase again: | ||
| - | Your identification has been saved in / | ||
| - | Your public key has been saved in / | ||
| - | The key fingerprint is: | ||
| - | SHA256: | ||
| - | The key's randomart image is: | ||
| - | +---[RSA 3072]----+ | ||
| - | | | ||
| - | | o oo o=+ . | | ||
| - | |.. oo=+=o . + | | ||
| - | |oo .+E++.+ = * | | ||
| - | |o.. +.S B * . | | ||
| - | |. B + = | | ||
| - | | = | | ||
| - | | | ||
| - | | . | | ||
| - | +----[SHA256]-----+ | ||
| - | [root@centos8 tmp]# ssh-keygen -t ecdsa | ||
| - | Generating public/ | ||
| - | Enter file in which to save the key (/ | ||
| - | Enter passphrase (empty for no passphrase): | ||
| - | Enter same passphrase again: | ||
| - | Your identification has been saved in / | ||
| - | Your public key has been saved in / | ||
| - | The key fingerprint is: | ||
| - | SHA256: | ||
| - | The key's randomart image is: | ||
| - | +---[ECDSA 256]---+ | ||
| - | |++*=+ | ||
| - | |oX.=o+ o o | | ||
| - | |o %.B + + | | ||
| - | |...O.= o | ||
| - | |..E.o . S o | | ||
| - | |. . o = | | ||
| - | | . * . | | ||
| - | | . ... o | | ||
| - | | ..ooo.. | ||
| - | +----[SHA256]-----+ | ||
| - | [root@centos8 tmp]# ssh-keygen -t ed25519 | ||
| - | Generating public/ | ||
| - | Enter file in which to save the key (/ | ||
| - | Enter passphrase (empty for no passphrase): | ||
| - | Enter same passphrase again: | ||
| - | Your identification has been saved in / | ||
| - | Your public key has been saved in / | ||
| - | The key fingerprint is: | ||
| - | SHA256: | ||
| - | The key's randomart image is: | ||
| - | +--[ED25519 256]--+ | ||
| - | | | ||
| - | | . .. . o| | ||
| - | | . . . +.| | ||
| - | | o . oB ..o.=| | ||
| - | | o o S*+=o* *+| | ||
| - | | . . .o.*o*.+.B| | ||
| - | | . o o +o++| | ||
| - | | o =o| | ||
| - | | . o| | ||
| - | +----[SHA256]-----+ | ||
| - | </ | ||
| - | |||
| - | Les clefs publiques générées possèdent l' | ||
| - | |||
| - | < | ||
| - | [root@centos8 tmp]# ls /etc/ssh | ||
| - | moduli | ||
| - | ssh_config | ||
| - | </ | ||
| - | |||
| - | Re-démarrez ensuite le service sshd : | ||
| - | |||
| - | < | ||
| - | [root@centos8 tmp]# systemctl restart sshd.service | ||
| - | [root@centos8 tmp]# systemctl status sshd.service | ||
| - | ● sshd.service - OpenSSH server daemon | ||
| - | | ||
| - | | ||
| - | Docs: man:sshd(8) | ||
| - | | ||
| - | Main PID: 1042204 (sshd) | ||
| - | Tasks: 1 (limit: 23535) | ||
| - | | ||
| - | | ||
| - | | ||
| - | |||
| - | Aug 30 02:24:57 centos8.ittraining.loc systemd[1]: Starting OpenSSH server daemon... | ||
| - | Aug 30 02:24:57 centos8.ittraining.loc sshd[1042204]: | ||
| - | Aug 30 02:24:57 centos8.ittraining.loc sshd[1042204]: | ||
| - | Aug 30 02:24:57 centos8.ittraining.loc systemd[1]: Started OpenSSH server daemon. | ||
| - | [q] | ||
| - | </ | ||
| - | |||
| - | ===Configuration du Client=== | ||
| - | |||
| - | Saisissez maintenant les commandes suivantes en tant que **trainee** : | ||
| - | |||
| - | <WRAP center round important> | ||
| - | **Important** - Lors de la génération des clefs, la passphrase doit être **vide**. | ||
| - | </ | ||
| - | |||
| - | < | ||
| - | [root@centos8 tmp]# exit | ||
| - | logout | ||
| - | [trainee@centos8 ~]$ ssh-keygen -t dsa | ||
| - | Generating public/ | ||
| - | Enter file in which to save the key (/ | ||
| - | Created directory '/ | ||
| - | Enter passphrase (empty for no passphrase): | ||
| - | Enter same passphrase again: | ||
| - | Your identification has been saved in / | ||
| - | Your public key has been saved in / | ||
| - | The key fingerprint is: | ||
| - | SHA256: | ||
| - | The key's randomart image is: | ||
| - | +---[DSA 1024]----+ | ||
| - | | =o+o.o+OB| | ||
| - | | o +o=o oo=| | ||
| - | | . +.+oB+ | | ||
| - | | o o.&+o.| | ||
| - | | S o o.*.o| | ||
| - | | o o o.| | ||
| - | | . + + | | ||
| - | | + . o | | ||
| - | | E .| | ||
| - | +----[SHA256]-----+ | ||
| - | [trainee@centos8 ~]$ ssh-keygen -t rsa | ||
| - | Generating public/ | ||
| - | |||
| - | Enter file in which to save the key (/ | ||
| - | Enter same passphrase again: | ||
| - | Your identification has been saved in / | ||
| - | Your public key has been saved in / | ||
| - | The key fingerprint is: | ||
| - | SHA256: | ||
| - | The key's randomart image is: | ||
| - | +---[RSA 3072]----+ | ||
| - | |o+o++oo | ||
| - | |=+o.oo . .=B . | | ||
| - | |=. ..o o+... | | ||
| - | |. =.o o.. . | | ||
| - | | oS= = o | | ||
| - | | .. = = | | ||
| - | | | ||
| - | | +...E | | ||
| - | | . o+... | | ||
| - | +----[SHA256]-----+ | ||
| - | [trainee@centos8 ~]$ ssh-keygen -t ecdsa | ||
| - | Generating public/ | ||
| - | Enter file in which to save the key (/ | ||
| - | Enter passphrase (empty for no passphrase): | ||
| - | Enter same passphrase again: | ||
| - | Your identification has been saved in / | ||
| - | Your public key has been saved in / | ||
| - | The key fingerprint is: | ||
| - | SHA256: | ||
| - | The key's randomart image is: | ||
| - | +---[ECDSA 256]---+ | ||
| - | |o.. | | ||
| - | |.oo | | ||
| - | |.*o . . | | ||
| - | |+.++ B | | ||
| - | |+o =B + S | | ||
| - | |=*oo.* = | | ||
| - | |B.* o O . | | ||
| - | |.= = = o.. | | ||
| - | |. E o oo+. | | ||
| - | +----[SHA256]-----+ | ||
| - | [trainee@centos8 ~]$ ssh-keygen -t ed25519 | ||
| - | Generating public/ | ||
| - | Enter file in which to save the key (/ | ||
| - | Enter passphrase (empty for no passphrase): | ||
| - | Enter same passphrase again: | ||
| - | Your identification has been saved in / | ||
| - | Your public key has been saved in / | ||
| - | The key fingerprint is: | ||
| - | SHA256: | ||
| - | The key's randomart image is: | ||
| - | +--[ED25519 256]--+ | ||
| - | | | ||
| - | | o==O+Boo | | ||
| - | | o ooE.O. | | ||
| - | | | ||
| - | | S + ...| | ||
| - | | | ||
| - | | . + o.o| | ||
| - | | + +.oo| | ||
| - | | o..o.| | ||
| - | +----[SHA256]-----+ | ||
| - | </ | ||
| - | |||
| - | Les clés générées seront placées dans le répertoire **~/.ssh/** : | ||
| - | |||
| - | < | ||
| - | [trainee@centos8 ~]$ ls .ssh | ||
| - | id_dsa | ||
| - | </ | ||
| - | |||
| - | ===Tunnels SSH=== | ||
| - | |||
| - | Le protocole SSH peut être utilisé pour sécuriser les protocoles tels telnet, pop3 etc.. En effet, on peut créer un //tunnel// SSH dans lequel passe les communications du protocole non-sécurisé. | ||
| - | |||
| - | La commande pour créer un tunnel ssh prend la forme suivante : | ||
| - | |||
| - | ssh -N -f compte@hôte -Lport-local: | ||
| - | |||
| - | Dans votre cas, vous allez créer un tunnel dans votre propre vm entre le port 15023 et le port 23 : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# ssh -N -f trainee@localhost -L15023: | ||
| - | \S | ||
| - | Kernel \r on an \m | ||
| - | trainee@localhost' | ||
| - | </ | ||
| - | |||
| - | Installez maintenant le serveur telnet : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# dnf install telnet-server | ||
| - | </ | ||
| - | |||
| - | Telnet n'est ni démarré ni activé. Il convient donc de le démarrer et de l' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# systemctl status telnet.socket | ||
| - | ● telnet.socket - Telnet Server Activation Socket | ||
| - | | ||
| - | | ||
| - | Docs: man: | ||
| - | | ||
| - | | ||
| - | |||
| - | [root@centos8 ~]# systemctl start telnet.socket | ||
| - | |||
| - | [root@centos8 ~]# systemctl status telnet.socket | ||
| - | ● telnet.socket - Telnet Server Activation Socket | ||
| - | | ||
| - | | ||
| - | Docs: man: | ||
| - | | ||
| - | | ||
| - | | ||
| - | |||
| - | Aug 30 02:44:01 centos8.ittraining.loc systemd[1]: Listening on Telnet Server Activation Socket. | ||
| - | |||
| - | [root@centos8 ~]# systemctl enable telnet.socket | ||
| - | Created symlink / | ||
| - | </ | ||
| - | |||
| - | Connectez-vous ensuite via telnet sur le port 15023, vous constaterez que votre connexion n' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# telnet localhost 15023 | ||
| - | Trying ::1... | ||
| - | Connected to localhost. | ||
| - | Escape character is ' | ||
| - | |||
| - | Kernel 4.18.0-305.7.1.el8.i2tch.x86_64 on an x86_64 | ||
| - | centos8 login: trainee | ||
| - | Password: | ||
| - | Last login: Mon Aug 30 02:37:00 from ::1 | ||
| - | [trainee@centos8 ~]$ whoami | ||
| - | trainee | ||
| - | [trainee@centos8 ~]$ pwd | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | <WRAP center round important> | ||
| - | **Important** - Notez bien que votre communication telnet passe par le tunnel SSH. | ||
| - | </ | ||
| - | |||
| - | ====3.5 - SCP==== | ||
| - | |||
| - | ===Présentation=== | ||
| - | |||
| - | La commande **scp** est le successeur et la remplaçante de la commande **rcp** de la famille des commandes **remote**. Il permet de faire des transferts sécurisés à partir d'une machine distante : | ||
| - | |||
| - | $ scp compte@numero_ip(nom_de_machine):/ | ||
| - | |||
| - | ou vers une machine distante : | ||
| - | |||
| - | $ scp / | ||
| - | |||
| - | ===Utilisation=== | ||
| - | |||
| - | Nous allons maintenant utiliser **scp** pour chercher un fichier sur le << | ||
| - | |||
| - | Créez le fichier **/ | ||
| - | |||
| - | < | ||
| - | [trainee@centos8 ~]$ touch scp-test | ||
| - | [trainee@centos8 ~]$ exit | ||
| - | logout | ||
| - | Connection closed by foreign host. | ||
| - | [root@centos8 ~]# | ||
| - | </ | ||
| - | |||
| - | Récupérez le fichier **scp_test** en utilisant scp : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# scp trainee@127.0.0.1:/ | ||
| - | The authenticity of host ' | ||
| - | ECDSA key fingerprint is SHA256: | ||
| - | Are you sure you want to continue connecting (yes/ | ||
| - | Warning: Permanently added ' | ||
| - | \S | ||
| - | Kernel \r on an \m | ||
| - | trainee@127.0.0.1' | ||
| - | scp-test | ||
| - | |||
| - | [root@centos8 ~]# ls -l | ||
| - | total 32 | ||
| - | -rw-------. 1 root root 1358 Jun 16 06:40 anaconda-ks.cfg | ||
| - | drwxr-xr-x. 3 root root 21 Jun 16 06:39 home | ||
| - | -rw-r--r--. 1 root root 1749 Aug 24 11:20 I2TCH.asc | ||
| - | -rw-r--r--. 1 root root 1853 Jun 16 06:54 initial-setup-ks.cfg | ||
| - | -rw-r--r--. 1 root root 31 Aug 24 11:22 message.txt | ||
| - | -rw-r--r--. 1 root root 561 Aug 24 11:32 message.txt.asc | ||
| - | -rw-r--r--. 1 root root 367 Aug 24 11:30 message.txt.gpg | ||
| - | -rw-r--r--. 1 root root 329 Aug 24 11:23 message.txt.sig | ||
| - | -rw-r--r--. 1 root root 0 Aug 30 03:55 scp-test | ||
| - | -rw-r--r--. 1 root root 46 Aug 29 06:22 wget_file.txt | ||
| - | </ | ||
| - | |||
| - | ====3.6 - Mise en Place des Clefs Asymétriques==== | ||
| - | |||
| - | Il convient maintenant de se connecter sur le << | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# ssh -l trainee 127.0.0.1 | ||
| - | \S | ||
| - | Kernel \r on an \m | ||
| - | trainee@127.0.0.1' | ||
| - | Activate the web console with: systemctl enable --now cockpit.socket | ||
| - | |||
| - | [trainee@centos8 ~]$ ls -la | grep .ssh | ||
| - | drwx------. | ||
| - | </ | ||
| - | |||
| - | <WRAP center round important> | ||
| - | **Important** - Si le dossier distant .ssh n' | ||
| - | </ | ||
| - | |||
| - | Ensuite, il convient de transférer le fichier local **.ssh/ | ||
| - | |||
| - | < | ||
| - | [trainee@centos8 ~]$ exit | ||
| - | logout | ||
| - | Connection to 127.0.0.1 closed. | ||
| - | |||
| - | [root@centos8 ~]# exit | ||
| - | logout | ||
| - | |||
| - | [trainee@centos8 ~]$ scp .ssh/ | ||
| - | The authenticity of host ' | ||
| - | ECDSA key fingerprint is SHA256: | ||
| - | Are you sure you want to continue connecting (yes/ | ||
| - | Warning: Permanently added ' | ||
| - | \S | ||
| - | Kernel \r on an \m | ||
| - | trainee@127.0.0.1' | ||
| - | id_ecdsa.pub | ||
| - | </ | ||
| - | |||
| - | Connectez-vous via telnet : | ||
| - | |||
| - | < | ||
| - | [trainee@centos8 ~]$ ssh -l trainee localhost | ||
| - | The authenticity of host ' | ||
| - | ECDSA key fingerprint is SHA256: | ||
| - | Are you sure you want to continue connecting (yes/ | ||
| - | Warning: Permanently added ' | ||
| - | \S | ||
| - | Kernel \r on an \m | ||
| - | Activate the web console with: systemctl enable --now cockpit.socket | ||
| - | |||
| - | Last login: Mon Aug 30 03:57:14 2021 from 127.0.0.1 | ||
| - | [trainee@centos8 ~]$ | ||
| - | </ | ||
| - | |||
| - | <WRAP center round important> | ||
| - | **Important** - Lors de la connexion au serveur, l' | ||
| - | </ | ||
| - | |||
| - | Insérez maintenant les clefs publiques restantes dans le fichier .ssh/ | ||
| - | |||
| - | < | ||
| - | [trainee@centos8 ~]$ cd .ssh | ||
| - | [trainee@centos8 .ssh]$ ls | ||
| - | authorized_keys | ||
| - | [trainee@centos8 .ssh]$ cat authorized_keys | ||
| - | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHDrzSXP+Ecxf/ | ||
| - | |||
| - | [trainee@centos8 .ssh]$ cat id_rsa.pub >> authorized_keys | ||
| - | [trainee@centos8 .ssh]$ cat id_dsa.pub >> authorized_keys | ||
| - | [trainee@centos8 .ssh]$ cat id_ed25519.pub >> authorized_keys | ||
| - | |||
| - | [trainee@centos8 .ssh]$ cat authorized_keys | ||
| - | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHDrzSXP+Ecxf/ | ||
| - | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD3ZSMn/ | ||
| - | ssh-dss AAAAB3NzaC1kc3MAAACBALIdwEEqHrMWSUdzARm9ldsZK9ebbtZShtmwgdjphOk77fxymK0y6wV7QEmLL25LOcLb12uZ1F0LtRt/ | ||
| - | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfFQULLU8IZyKiSU63D2Zz6yGLqyHcBHnCRdSR9JSmc trainee@centos8.ittraining.loc | ||
| - | </ | ||
| - | |||
| - | =====LAB #4 - La Configuration de firewalld===== | ||
| - | |||
| - | ====4.1 - Présentation==== | ||
| - | |||
| - | firewalld utilise **[[https:// | ||
| - | |||
| - | * **trusted** - un réseau fiable. Dans ce cas tous les ports sont autorisés, | ||
| - | * **work**, **home**, **internal** - un réseau partiellement fiable. Dans ce cas quelques ports sont autorisés, | ||
| - | * **dmz**, **public**, **external** - un réseau non fiable. Dans ce cas peu de ports sont autorisés, | ||
| - | * **block**, **drop** - tout est interdit. La zone drop n' | ||
| - | |||
| - | <WRAP center round important> | ||
| - | **Important** - Une interface ne peut être que dans une zone à la fois tandis que plusieurs interfaces peuvent être dans la même zone. | ||
| - | </ | ||
| - | |||
| - | Le service firewalld doit toujours être lancé : | ||
| - | |||
| - | < | ||
| - | [trainee@centos8 .ssh]$ exit | ||
| - | logout | ||
| - | Connection to localhost closed. | ||
| - | [trainee@centos8 ~]$ su - | ||
| - | Password: fenestros | ||
| - | |||
| - | [root@centos8 ~]# systemctl status firewalld | ||
| - | ● firewalld.service - firewalld - dynamic firewall daemon | ||
| - | | ||
| - | | ||
| - | Docs: man: | ||
| - | Main PID: 960 (code=exited, | ||
| - | |||
| - | Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable. | ||
| - | |||
| - | [root@centos8 ~]# systemctl start firewalld | ||
| - | [root@centos8 ~]# systemctl status firewalld | ||
| - | ● firewalld.service - firewalld - dynamic firewall daemon | ||
| - | | ||
| - | | ||
| - | Docs: man: | ||
| - | Main PID: 1045271 (firewalld) | ||
| - | Tasks: 2 (limit: 23535) | ||
| - | | ||
| - | | ||
| - | | ||
| - | |||
| - | Aug 30 04:13:49 centos8.ittraining.loc systemd[1]: Starting firewalld - dynamic firewall daemon... | ||
| - | Aug 30 04:13:51 centos8.ittraining.loc systemd[1]: Started firewalld - dynamic firewall daemon. | ||
| - | Aug 30 04:13:51 centos8.ittraining.loc firewalld[1045271]: | ||
| - | [q] | ||
| - | </ | ||
| - | |||
| - | ====4.2 - La Configuration de Base de firewalld==== | ||
| - | |||
| - | La configuration par défaut de firewalld se trouve dans **/ | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 16 | ||
| - | drwxr-xr-x. 2 root root 224 Jul 19 10:39 helpers | ||
| - | drwxr-xr-x. 2 root root 4096 Jul 19 10:39 icmptypes | ||
| - | drwxr-xr-x. 2 root root 20 Jul 19 10:39 ipsets | ||
| - | drwxr-xr-x. 2 root root 8192 Jul 19 10:39 services | ||
| - | drwxr-xr-x. 2 root root 203 Jul 19 10:39 zones | ||
| - | |||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 52 | ||
| - | -rw-r--r--. 1 root root 125 Jun 29 13:27 amanda.xml | ||
| - | -rw-r--r--. 1 root root 119 Jun 29 13:27 ftp.xml | ||
| - | -rw-r--r--. 1 root root 85 Jun 29 13:27 h323.xml | ||
| - | -rw-r--r--. 1 root root 134 Jun 29 13:27 irc.xml | ||
| - | -rw-r--r--. 1 root root 141 Jun 29 13:27 netbios-ns.xml | ||
| - | -rw-r--r--. 1 root root 136 Jun 29 13:27 pptp.xml | ||
| - | -rw-r--r--. 1 root root 90 Jun 29 13:27 proto-gre.xml | ||
| - | -rw-r--r--. 1 root root 122 Jun 29 13:27 Q.931.xml | ||
| - | -rw-r--r--. 1 root root 122 Jun 29 13:27 RAS.xml | ||
| - | -rw-r--r--. 1 root root 122 Jun 29 13:27 sane.xml | ||
| - | -rw-r--r--. 1 root root 158 Jun 29 13:27 sip.xml | ||
| - | -rw-r--r--. 1 root root 135 Jun 29 13:27 snmp.xml | ||
| - | -rw-r--r--. 1 root root 120 Jun 29 13:27 tftp.xml | ||
| - | |||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 180 | ||
| - | -rw-r--r--. 1 root root 385 Jun 29 13:27 address-unreachable.xml | ||
| - | -rw-r--r--. 1 root root 258 Jun 29 13:27 bad-header.xml | ||
| - | -rw-r--r--. 1 root root 294 Jun 29 13:27 beyond-scope.xml | ||
| - | -rw-r--r--. 1 root root 279 Jun 29 13:27 communication-prohibited.xml | ||
| - | -rw-r--r--. 1 root root 222 Jun 29 13:27 destination-unreachable.xml | ||
| - | -rw-r--r--. 1 root root 173 Jun 29 13:27 echo-reply.xml | ||
| - | -rw-r--r--. 1 root root 210 Jun 29 13:27 echo-request.xml | ||
| - | -rw-r--r--. 1 root root 261 Jun 29 13:27 failed-policy.xml | ||
| - | -rw-r--r--. 1 root root 280 Jun 29 13:27 fragmentation-needed.xml | ||
| - | -rw-r--r--. 1 root root 266 Jun 29 13:27 host-precedence-violation.xml | ||
| - | -rw-r--r--. 1 root root 257 Jun 29 13:27 host-prohibited.xml | ||
| - | -rw-r--r--. 1 root root 242 Jun 29 13:27 host-redirect.xml | ||
| - | -rw-r--r--. 1 root root 239 Jun 29 13:27 host-unknown.xml | ||
| - | -rw-r--r--. 1 root root 247 Jun 29 13:27 host-unreachable.xml | ||
| - | -rw-r--r--. 1 root root 229 Jun 29 13:27 ip-header-bad.xml | ||
| - | -rw-r--r--. 1 root root 355 Jun 29 13:27 neighbour-advertisement.xml | ||
| - | -rw-r--r--. 1 root root 457 Jun 29 13:27 neighbour-solicitation.xml | ||
| - | -rw-r--r--. 1 root root 250 Jun 29 13:27 network-prohibited.xml | ||
| - | -rw-r--r--. 1 root root 248 Jun 29 13:27 network-redirect.xml | ||
| - | -rw-r--r--. 1 root root 239 Jun 29 13:27 network-unknown.xml | ||
| - | -rw-r--r--. 1 root root 247 Jun 29 13:27 network-unreachable.xml | ||
| - | -rw-r--r--. 1 root root 239 Jun 29 13:27 no-route.xml | ||
| - | -rw-r--r--. 1 root root 328 Jun 29 13:27 packet-too-big.xml | ||
| - | -rw-r--r--. 1 root root 225 Jun 29 13:27 parameter-problem.xml | ||
| - | -rw-r--r--. 1 root root 233 Jun 29 13:27 port-unreachable.xml | ||
| - | -rw-r--r--. 1 root root 256 Jun 29 13:27 precedence-cutoff.xml | ||
| - | -rw-r--r--. 1 root root 249 Jun 29 13:27 protocol-unreachable.xml | ||
| - | -rw-r--r--. 1 root root 185 Jun 29 13:27 redirect.xml | ||
| - | -rw-r--r--. 1 root root 244 Jun 29 13:27 reject-route.xml | ||
| - | -rw-r--r--. 1 root root 241 Jun 29 13:27 required-option-missing.xml | ||
| - | -rw-r--r--. 1 root root 227 Jun 29 13:27 router-advertisement.xml | ||
| - | -rw-r--r--. 1 root root 223 Jun 29 13:27 router-solicitation.xml | ||
| - | -rw-r--r--. 1 root root 248 Jun 29 13:27 source-quench.xml | ||
| - | -rw-r--r--. 1 root root 236 Jun 29 13:27 source-route-failed.xml | ||
| - | -rw-r--r--. 1 root root 253 Jun 29 13:27 time-exceeded.xml | ||
| - | -rw-r--r--. 1 root root 233 Jun 29 13:27 timestamp-reply.xml | ||
| - | -rw-r--r--. 1 root root 228 Jun 29 13:27 timestamp-request.xml | ||
| - | -rw-r--r--. 1 root root 258 Jun 29 13:27 tos-host-redirect.xml | ||
| - | -rw-r--r--. 1 root root 257 Jun 29 13:27 tos-host-unreachable.xml | ||
| - | -rw-r--r--. 1 root root 272 Jun 29 13:27 tos-network-redirect.xml | ||
| - | -rw-r--r--. 1 root root 269 Jun 29 13:27 tos-network-unreachable.xml | ||
| - | -rw-r--r--. 1 root root 293 Jun 29 13:27 ttl-zero-during-reassembly.xml | ||
| - | -rw-r--r--. 1 root root 256 Jun 29 13:27 ttl-zero-during-transit.xml | ||
| - | -rw-r--r--. 1 root root 259 Jun 29 13:27 unknown-header-type.xml | ||
| - | -rw-r--r--. 1 root root 249 Jun 29 13:27 unknown-option.xml | ||
| - | |||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 4 | ||
| - | -rw-r--r--. 1 root root 29 Jun 29 13:27 README | ||
| - | |||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 688 | ||
| - | -rw-r--r--. 1 root root 399 Jun 29 13:27 amanda-client.xml | ||
| - | -rw-r--r--. 1 root root 427 Jun 29 13:27 amanda-k5-client.xml | ||
| - | -rw-r--r--. 1 root root 283 Jun 29 13:27 amqps.xml | ||
| - | -rw-r--r--. 1 root root 273 Jun 29 13:27 amqp.xml | ||
| - | -rw-r--r--. 1 root root 285 Jun 29 13:27 apcupsd.xml | ||
| - | -rw-r--r--. 1 root root 301 Jun 29 13:27 audit.xml | ||
| - | -rw-r--r--. 1 root root 320 Jun 29 13:27 bacula-client.xml | ||
| - | -rw-r--r--. 1 root root 346 Jun 29 13:27 bacula.xml | ||
| - | -rw-r--r--. 1 root root 429 Jun 29 13:27 bb.xml | ||
| - | -rw-r--r--. 1 root root 339 Jun 29 13:27 bgp.xml | ||
| - | -rw-r--r--. 1 root root 275 Jun 29 13:27 bitcoin-rpc.xml | ||
| - | -rw-r--r--. 1 root root 307 Jun 29 13:27 bitcoin-testnet-rpc.xml | ||
| - | -rw-r--r--. 1 root root 281 Jun 29 13:27 bitcoin-testnet.xml | ||
| - | -rw-r--r--. 1 root root 244 Jun 29 13:27 bitcoin.xml | ||
| - | -rw-r--r--. 1 root root 410 Jun 29 13:27 bittorrent-lsd.xml | ||
| - | -rw-r--r--. 1 root root 294 Jun 29 13:27 ceph-mon.xml | ||
| - | -rw-r--r--. 1 root root 329 Jun 29 13:27 ceph.xml | ||
| - | -rw-r--r--. 1 root root 168 Jun 29 13:27 cfengine.xml | ||
| - | -rw-r--r--. 1 root root 211 Jun 29 13:27 cockpit.xml | ||
| - | -rw-r--r--. 1 root root 296 Jun 29 13:27 collectd.xml | ||
| - | -rw-r--r--. 1 root root 260 Jun 29 13:27 condor-collector.xml | ||
| - | -rw-r--r--. 1 root root 296 Jun 29 13:27 ctdb.xml | ||
| - | -rw-r--r--. 1 root root 305 Jun 29 13:27 dhcpv6-client.xml | ||
| - | -rw-r--r--. 1 root root 234 Jun 29 13:27 dhcpv6.xml | ||
| - | -rw-r--r--. 1 root root 227 Jun 29 13:27 dhcp.xml | ||
| - | -rw-r--r--. 1 root root 205 Jun 29 13:27 distcc.xml | ||
| - | -rw-r--r--. 1 root root 318 Jun 29 13:27 dns-over-tls.xml | ||
| - | -rw-r--r--. 1 root root 346 Jun 29 13:27 dns.xml | ||
| - | -rw-r--r--. 1 root root 374 Jun 29 13:27 docker-registry.xml | ||
| - | -rw-r--r--. 1 root root 391 Jun 29 13:27 docker-swarm.xml | ||
| - | -rw-r--r--. 1 root root 228 Jun 29 13:27 dropbox-lansync.xml | ||
| - | -rw-r--r--. 1 root root 338 Jun 29 13:27 elasticsearch.xml | ||
| - | -rw-r--r--. 1 root root 304 Jun 29 13:27 etcd-client.xml | ||
| - | -rw-r--r--. 1 root root 304 Jun 29 13:27 etcd-server.xml | ||
| - | -rw-r--r--. 1 root root 224 Jun 29 13:27 finger.xml | ||
| - | -rw-r--r--. 1 root root 709 Jun 29 13:27 freeipa-4.xml | ||
| - | -rw-r--r--. 1 root root 489 Jun 29 13:27 freeipa-ldaps.xml | ||
| - | -rw-r--r--. 1 root root 488 Jun 29 13:27 freeipa-ldap.xml | ||
| - | -rw-r--r--. 1 root root 242 Jun 29 13:27 freeipa-replication.xml | ||
| - | -rw-r--r--. 1 root root 657 Jun 29 13:27 freeipa-trust.xml | ||
| - | -rw-r--r--. 1 root root 361 Jun 29 13:27 ftp.xml | ||
| - | -rw-r--r--. 1 root root 292 Jun 29 13:27 galera.xml | ||
| - | -rw-r--r--. 1 root root 184 Jun 29 13:27 ganglia-client.xml | ||
| - | -rw-r--r--. 1 root root 176 Jun 29 13:27 ganglia-master.xml | ||
| - | -rw-r--r--. 1 root root 212 Jun 29 13:27 git.xml | ||
| - | -rw-r--r--. 1 root root 218 Jun 29 13:27 grafana.xml | ||
| - | -rw-r--r--. 1 root root 119 Jun 29 13:27 gre.xml | ||
| - | -rw-r--r--. 1 root root 608 Jun 29 13:27 high-availability.xml | ||
| - | -rw-r--r--. 1 root root 448 Jun 29 13:27 https.xml | ||
| - | -rw-r--r--. 1 root root 353 Jun 29 13:27 http.xml | ||
| - | -rw-r--r--. 1 root root 372 Jun 29 13:27 imaps.xml | ||
| - | -rw-r--r--. 1 root root 327 Jun 29 13:27 imap.xml | ||
| - | -rw-r--r--. 1 root root 454 Jun 29 13:27 ipp-client.xml | ||
| - | -rw-r--r--. 1 root root 427 Jun 29 13:27 ipp.xml | ||
| - | -rw-r--r--. 1 root root 894 Jun 29 13:27 ipsec.xml | ||
| - | -rw-r--r--. 1 root root 255 Jun 29 13:27 ircs.xml | ||
| - | -rw-r--r--. 1 root root 247 Jun 29 13:27 irc.xml | ||
| - | -rw-r--r--. 1 root root 264 Jun 29 13:27 iscsi-target.xml | ||
| - | -rw-r--r--. 1 root root 358 Jun 29 13:27 isns.xml | ||
| - | -rw-r--r--. 1 root root 213 Jun 29 13:27 jenkins.xml | ||
| - | -rw-r--r--. 1 root root 182 Jun 29 13:27 kadmin.xml | ||
| - | -rw-r--r--. 1 root root 272 Jun 29 13:27 kdeconnect.xml | ||
| - | -rw-r--r--. 1 root root 233 Jun 29 13:27 kerberos.xml | ||
| - | -rw-r--r--. 1 root root 384 Jun 29 13:27 kibana.xml | ||
| - | -rw-r--r--. 1 root root 249 Jun 29 13:27 klogin.xml | ||
| - | -rw-r--r--. 1 root root 221 Jun 29 13:27 kpasswd.xml | ||
| - | -rw-r--r--. 1 root root 182 Jun 29 13:27 kprop.xml | ||
| - | -rw-r--r--. 1 root root 242 Jun 29 13:27 kshell.xml | ||
| - | -rw-r--r--. 1 root root 308 Jun 29 13:27 kube-apiserver.xml | ||
| - | -rw-r--r--. 1 root root 232 Jun 29 13:27 ldaps.xml | ||
| - | -rw-r--r--. 1 root root 199 Jun 29 13:27 ldap.xml | ||
| - | -rw-r--r--. 1 root root 385 Jun 29 13:27 libvirt-tls.xml | ||
| - | -rw-r--r--. 1 root root 389 Jun 29 13:27 libvirt.xml | ||
| - | -rw-r--r--. 1 root root 269 Jun 29 13:27 lightning-network.xml | ||
| - | -rw-r--r--. 1 root root 324 Jun 29 13:27 llmnr.xml | ||
| - | -rw-r--r--. 1 root root 349 Jun 29 13:27 managesieve.xml | ||
| - | -rw-r--r--. 1 root root 432 Jun 29 13:27 matrix.xml | ||
| - | -rw-r--r--. 1 root root 424 Jun 29 13:27 mdns.xml | ||
| - | -rw-r--r--. 1 root root 245 Jun 29 13:27 memcache.xml | ||
| - | -rw-r--r--. 1 root root 343 Jun 29 13:27 minidlna.xml | ||
| - | -rw-r--r--. 1 root root 237 Jun 29 13:27 mongodb.xml | ||
| - | -rw-r--r--. 1 root root 473 Jun 29 13:27 mosh.xml | ||
| - | -rw-r--r--. 1 root root 211 Jun 29 13:27 mountd.xml | ||
| - | -rw-r--r--. 1 root root 296 Jun 29 13:27 mqtt-tls.xml | ||
| - | -rw-r--r--. 1 root root 287 Jun 29 13:27 mqtt.xml | ||
| - | -rw-r--r--. 1 root root 170 Jun 29 13:27 mssql.xml | ||
| - | -rw-r--r--. 1 root root 190 Jun 29 13:27 ms-wbt.xml | ||
| - | -rw-r--r--. 1 root root 242 Jun 29 13:27 murmur.xml | ||
| - | -rw-r--r--. 1 root root 171 Jun 29 13:27 mysql.xml | ||
| - | -rw-r--r--. 1 root root 342 Jun 29 13:27 nfs3.xml | ||
| - | -rw-r--r--. 1 root root 324 Jun 29 13:27 nfs.xml | ||
| - | -rw-r--r--. 1 root root 293 Jun 29 13:27 nmea-0183.xml | ||
| - | -rw-r--r--. 1 root root 247 Jun 29 13:27 nrpe.xml | ||
| - | -rw-r--r--. 1 root root 389 Jun 29 13:27 ntp.xml | ||
| - | -rw-r--r--. 1 root root 368 Jun 29 13:27 nut.xml | ||
| - | -rw-r--r--. 1 root root 335 Jun 29 13:27 openvpn.xml | ||
| - | -rw-r--r--. 1 root root 260 Jun 29 13:27 ovirt-imageio.xml | ||
| - | -rw-r--r--. 1 root root 343 Jun 29 13:27 ovirt-storageconsole.xml | ||
| - | -rw-r--r--. 1 root root 235 Jun 29 13:27 ovirt-vmconsole.xml | ||
| - | -rw-r--r--. 1 root root 1024 Jun 29 13:27 plex.xml | ||
| - | -rw-r--r--. 1 root root 433 Jun 29 13:27 pmcd.xml | ||
| - | -rw-r--r--. 1 root root 474 Jun 29 13:27 pmproxy.xml | ||
| - | -rw-r--r--. 1 root root 544 Jun 29 13:27 pmwebapis.xml | ||
| - | -rw-r--r--. 1 root root 460 Jun 29 13:27 pmwebapi.xml | ||
| - | -rw-r--r--. 1 root root 357 Jun 29 13:27 pop3s.xml | ||
| - | -rw-r--r--. 1 root root 348 Jun 29 13:27 pop3.xml | ||
| - | -rw-r--r--. 1 root root 181 Jun 29 13:27 postgresql.xml | ||
| - | -rw-r--r--. 1 root root 509 Jun 29 13:27 privoxy.xml | ||
| - | -rw-r--r--. 1 root root 213 Jun 29 13:27 prometheus.xml | ||
| - | -rw-r--r--. 1 root root 261 Jun 29 13:27 proxy-dhcp.xml | ||
| - | -rw-r--r--. 1 root root 424 Jun 29 13:27 ptp.xml | ||
| - | -rw-r--r--. 1 root root 414 Jun 29 13:27 pulseaudio.xml | ||
| - | -rw-r--r--. 1 root root 297 Jun 29 13:27 puppetmaster.xml | ||
| - | -rw-r--r--. 1 root root 273 Jun 29 13:27 quassel.xml | ||
| - | -rw-r--r--. 1 root root 520 Jun 29 13:27 radius.xml | ||
| - | -rw-r--r--. 1 root root 183 Jun 29 13:27 rdp.xml | ||
| - | -rw-r--r--. 1 root root 212 Jun 29 13:27 redis-sentinel.xml | ||
| - | -rw-r--r--. 1 root root 268 Jun 29 13:27 redis.xml | ||
| - | -rw-r--r--. 1 root root 737 Jun 29 13:27 RH-Satellite-6.xml | ||
| - | -rw-r--r--. 1 root root 214 Jun 29 13:27 rpc-bind.xml | ||
| - | -rw-r--r--. 1 root root 213 Jun 29 13:27 rquotad.xml | ||
| - | -rw-r--r--. 1 root root 310 Jun 29 13:27 rsh.xml | ||
| - | -rw-r--r--. 1 root root 311 Jun 29 13:27 rsyncd.xml | ||
| - | -rw-r--r--. 1 root root 350 Jun 29 13:27 rtsp.xml | ||
| - | -rw-r--r--. 1 root root 329 Jun 29 13:27 salt-master.xml | ||
| - | -rw-r--r--. 1 root root 371 Jun 29 13:27 samba-client.xml | ||
| - | -rw-r--r--. 1 root root 1298 Jun 29 13:27 samba-dc.xml | ||
| - | -rw-r--r--. 1 root root 448 Jun 29 13:27 samba.xml | ||
| - | -rw-r--r--. 1 root root 324 Jun 29 13:27 sane.xml | ||
| - | -rw-r--r--. 1 root root 283 Jun 29 13:27 sips.xml | ||
| - | -rw-r--r--. 1 root root 496 Jun 29 13:27 sip.xml | ||
| - | -rw-r--r--. 1 root root 299 Jun 29 13:27 slp.xml | ||
| - | -rw-r--r--. 1 root root 231 Jun 29 13:27 smtp-submission.xml | ||
| - | -rw-r--r--. 1 root root 577 Jun 29 13:27 smtps.xml | ||
| - | -rw-r--r--. 1 root root 550 Jun 29 13:27 smtp.xml | ||
| - | -rw-r--r--. 1 root root 308 Jun 29 13:27 snmptrap.xml | ||
| - | -rw-r--r--. 1 root root 342 Jun 29 13:27 snmp.xml | ||
| - | -rw-r--r--. 1 root root 405 Jun 29 13:27 spideroak-lansync.xml | ||
| - | -rw-r--r--. 1 root root 275 Jun 29 13:27 spotify-sync.xml | ||
| - | -rw-r--r--. 1 root root 173 Jun 29 13:27 squid.xml | ||
| - | -rw-r--r--. 1 root root 421 Jun 29 13:27 ssdp.xml | ||
| - | -rw-r--r--. 1 root root 463 Jun 29 13:27 ssh.xml | ||
| - | -rw-r--r--. 1 root root 631 Jun 29 13:27 steam-streaming.xml | ||
| - | -rw-r--r--. 1 root root 287 Jun 29 13:27 svdrp.xml | ||
| - | -rw-r--r--. 1 root root 231 Jun 29 13:27 svn.xml | ||
| - | -rw-r--r--. 1 root root 297 Jun 29 13:27 syncthing-gui.xml | ||
| - | -rw-r--r--. 1 root root 311 Jun 29 13:27 syncthing.xml | ||
| - | -rw-r--r--. 1 root root 496 Jun 29 13:27 synergy.xml | ||
| - | -rw-r--r--. 1 root root 444 Jun 29 13:27 syslog-tls.xml | ||
| - | -rw-r--r--. 1 root root 329 Jun 29 13:27 syslog.xml | ||
| - | -rw-r--r--. 1 root root 393 Jun 29 13:27 telnet.xml | ||
| - | -rw-r--r--. 1 root root 252 Jun 29 13:27 tentacle.xml | ||
| - | -rw-r--r--. 1 root root 288 Jun 29 13:27 tftp-client.xml | ||
| - | -rw-r--r--. 1 root root 424 Jun 29 13:27 tftp.xml | ||
| - | -rw-r--r--. 1 root root 221 Jun 29 13:27 tile38.xml | ||
| - | -rw-r--r--. 1 root root 336 Jun 29 13:27 tinc.xml | ||
| - | -rw-r--r--. 1 root root 771 Jun 29 13:27 tor-socks.xml | ||
| - | -rw-r--r--. 1 root root 244 Jun 29 13:27 transmission-client.xml | ||
| - | -rw-r--r--. 1 root root 264 Jun 29 13:27 upnp-client.xml | ||
| - | -rw-r--r--. 1 root root 593 Jun 29 13:27 vdsm.xml | ||
| - | -rw-r--r--. 1 root root 475 Jun 29 13:27 vnc-server.xml | ||
| - | -rw-r--r--. 1 root root 310 Jun 29 13:27 wbem-https.xml | ||
| - | -rw-r--r--. 1 root root 352 Jun 29 13:27 wbem-http.xml | ||
| - | -rw-r--r--. 1 root root 323 Jun 29 13:27 wsmans.xml | ||
| - | -rw-r--r--. 1 root root 316 Jun 29 13:27 wsman.xml | ||
| - | -rw-r--r--. 1 root root 329 Jun 29 13:27 xdmcp.xml | ||
| - | -rw-r--r--. 1 root root 509 Jun 29 13:27 xmpp-bosh.xml | ||
| - | -rw-r--r--. 1 root root 488 Jun 29 13:27 xmpp-client.xml | ||
| - | -rw-r--r--. 1 root root 264 Jun 29 13:27 xmpp-local.xml | ||
| - | -rw-r--r--. 1 root root 545 Jun 29 13:27 xmpp-server.xml | ||
| - | -rw-r--r--. 1 root root 314 Jun 29 13:27 zabbix-agent.xml | ||
| - | -rw-r--r--. 1 root root 315 Jun 29 13:27 zabbix-server.xml | ||
| - | |||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 44 | ||
| - | -rw-r--r--. 1 root root 299 Jun 29 13:27 block.xml | ||
| - | -rw-r--r--. 1 root root 293 Jun 29 13:27 dmz.xml | ||
| - | -rw-r--r--. 1 root root 291 Jun 29 13:27 drop.xml | ||
| - | -rw-r--r--. 1 root root 304 Jun 29 13:27 external.xml | ||
| - | -rw-r--r--. 1 root root 397 Jun 29 13:27 home.xml | ||
| - | -rw-r--r--. 1 root root 412 Jun 29 13:27 internal.xml | ||
| - | -rw-r--r--. 1 root root 809 Nov 26 2019 libvirt.xml | ||
| - | -rw-r--r--. 1 root root 729 Feb 1 2021 nm-shared.xml | ||
| - | -rw-r--r--. 1 root root 343 Jun 29 13:27 public.xml | ||
| - | -rw-r--r--. 1 root root 162 Jun 29 13:27 trusted.xml | ||
| - | -rw-r--r--. 1 root root 339 Jun 29 13:27 work.xml | ||
| - | </ | ||
| - | |||
| - | Ces fichiers sont au format **xml**, par exemple : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# cat / | ||
| - | <?xml version=" | ||
| - | < | ||
| - | < | ||
| - | < | ||
| - | <service name=" | ||
| - | <service name=" | ||
| - | <service name=" | ||
| - | <service name=" | ||
| - | <service name=" | ||
| - | </ | ||
| - | </ | ||
| - | |||
| - | La configuration de firewalld ainsi que les définitions et règles personnalisées se trouvent dans **/ | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 8 | ||
| - | -rw-r--r--. 1 root root 2747 Jun 29 13:27 firewalld.conf | ||
| - | drwxr-x---. 2 root root 6 Jun 29 13:27 helpers | ||
| - | drwxr-x---. 2 root root 6 Jun 29 13:27 icmptypes | ||
| - | drwxr-x---. 2 root root 6 Jun 29 13:27 ipsets | ||
| - | -rw-r--r--. 1 root root 283 Jun 29 13:27 lockdown-whitelist.xml | ||
| - | drwxr-x---. 2 root root 6 Jun 29 13:27 services | ||
| - | drwxr-x---. 2 root root 46 Jun 29 13:27 zones | ||
| - | </ | ||
| - | |||
| - | Le fichier de configuration de firewalld est **/ | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# cat / | ||
| - | # firewalld config file | ||
| - | |||
| - | # default zone | ||
| - | # The default zone used if an empty zone string is used. | ||
| - | # Default: public | ||
| - | DefaultZone=public | ||
| - | |||
| - | # Clean up on exit | ||
| - | # If set to no or false the firewall configuration will not get cleaned up | ||
| - | # on exit or stop of firewalld | ||
| - | # Default: yes | ||
| - | CleanupOnExit=yes | ||
| - | |||
| - | # Lockdown | ||
| - | # If set to enabled, firewall changes with the D-Bus interface will be limited | ||
| - | # to applications that are listed in the lockdown whitelist. | ||
| - | # The lockdown whitelist file is lockdown-whitelist.xml | ||
| - | # Default: no | ||
| - | Lockdown=no | ||
| - | |||
| - | # IPv6_rpfilter | ||
| - | # Performs a reverse path filter test on a packet for IPv6. If a reply to the | ||
| - | # packet would be sent via the same interface that the packet arrived on, the | ||
| - | # packet will match and be accepted, otherwise dropped. | ||
| - | # The rp_filter for IPv4 is controlled using sysctl. | ||
| - | # Default: yes | ||
| - | IPv6_rpfilter=yes | ||
| - | |||
| - | # IndividualCalls | ||
| - | # Do not use combined -restore calls, but individual calls. This increases the | ||
| - | # time that is needed to apply changes and to start the daemon, but is good for | ||
| - | # debugging. | ||
| - | # Default: no | ||
| - | IndividualCalls=no | ||
| - | |||
| - | # LogDenied | ||
| - | # Add logging rules right before reject and drop rules in the INPUT, FORWARD | ||
| - | # and OUTPUT chains for the default rules and also final reject and drop rules | ||
| - | # in zones. Possible values are: all, unicast, broadcast, multicast and off. | ||
| - | # Default: off | ||
| - | LogDenied=off | ||
| - | |||
| - | # FirewallBackend | ||
| - | # Selects the firewall backend implementation. | ||
| - | # Choices are: | ||
| - | # - nftables (default) | ||
| - | # - iptables (iptables, ip6tables, ebtables and ipset) | ||
| - | FirewallBackend=nftables | ||
| - | |||
| - | # FlushAllOnReload | ||
| - | # Flush all runtime rules on a reload. In previous releases some runtime | ||
| - | # configuration was retained during a reload, namely; interface to zone | ||
| - | # assignment, and direct rules. This was confusing to users. To get the old | ||
| - | # behavior set this to " | ||
| - | # Default: yes | ||
| - | FlushAllOnReload=yes | ||
| - | |||
| - | # RFC3964_IPv4 | ||
| - | # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that | ||
| - | # correspond to IPv4 addresses that should not be routed over the public | ||
| - | # internet. | ||
| - | # Defaults to " | ||
| - | RFC3964_IPv4=yes | ||
| - | |||
| - | # AllowZoneDrifting | ||
| - | # Older versions of firewalld had undocumented behavior known as "zone | ||
| - | # drifting" | ||
| - | # violation of zone based firewalls. However, some users rely on this behavior | ||
| - | # to have a " | ||
| - | # desire such behavior. It's disabled by default for security reasons. | ||
| - | # Note: If " | ||
| - | # based zones (including the default zone). Packets never drift from interface | ||
| - | # based zones to other interfaces based zones (including the default zone). | ||
| - | # Possible values; " | ||
| - | AllowZoneDrifting=yes | ||
| - | </ | ||
| - | |||
| - | ====4.3 - L' | ||
| - | |||
| - | firewalld s' | ||
| - | |||
| - | <WRAP center round important> | ||
| - | **Important** - firewall-cmd est le front-end de firewalld en ligne de commande. Il existe aussi la commande **firewall-config** qui lance un outi de configuration graphique. | ||
| - | </ | ||
| - | |||
| - | Pour obtenir la liste de toutes les zones prédéfinies, | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --get-zones | ||
| - | block dmz drop external home internal libvirt nm-shared public trusted work | ||
| - | </ | ||
| - | |||
| - | Pour obtenir la liste de toutes les services prédéfinis, | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --get-services | ||
| - | RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server | ||
| - | </ | ||
| - | |||
| - | Pour obtenir la liste de toutes les types ICMP prédéfinis, | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --get-icmptypes | ||
| - | address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option | ||
| - | </ | ||
| - | |||
| - | Pour obtenir la liste des zones de la configuration courante, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --get-active-zones | ||
| - | public | ||
| - | interfaces: ens18 | ||
| - | </ | ||
| - | |||
| - | Pour obtenir la liste des zones de la configuration courante pour une interface spécifique, | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --get-zone-of-interface=ens18 | ||
| - | public | ||
| - | </ | ||
| - | |||
| - | Pour obtenir la liste des services autorisés pour la zone public, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=public --list-services | ||
| - | cockpit dhcpv6-client ssh | ||
| - | </ | ||
| - | |||
| - | Pour obtenir toute la configuration pour la zone public, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=public --list-all | ||
| - | public (active) | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: ens18 | ||
| - | sources: | ||
| - | services: cockpit dhcpv6-client ssh | ||
| - | ports: 5901/tcp | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | </ | ||
| - | |||
| - | Pour obtenir la liste complète de toutes les zones et leurs configurations, | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --list-all-zones | ||
| - | block | ||
| - | target: %%REJECT%% | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | |||
| - | dmz | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: ssh | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | |||
| - | drop | ||
| - | target: DROP | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | |||
| - | external | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: ssh | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: yes | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | |||
| - | home | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: cockpit dhcpv6-client mdns samba-client ssh | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | |||
| - | internal | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: cockpit dhcpv6-client mdns samba-client ssh | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | |||
| - | libvirt | ||
| - | target: ACCEPT | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: dhcp dhcpv6 dns ssh tftp | ||
| - | ports: | ||
| - | protocols: icmp ipv6-icmp | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | rule priority=" | ||
| - | |||
| - | nm-shared | ||
| - | target: ACCEPT | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: dhcp dns ssh | ||
| - | ports: | ||
| - | protocols: icmp ipv6-icmp | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | rule priority=" | ||
| - | |||
| - | public (active) | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: ens18 | ||
| - | sources: | ||
| - | services: cockpit dhcpv6-client ssh | ||
| - | ports: 5901/tcp | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | |||
| - | trusted | ||
| - | target: ACCEPT | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | |||
| - | work | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: cockpit dhcpv6-client ssh | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | </ | ||
| - | |||
| - | Pour changer la zone par défaut de public à work, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --set-default-zone=work | ||
| - | success | ||
| - | |||
| - | [root@centos8 ~]# firewall-cmd --get-active-zones | ||
| - | work | ||
| - | interfaces: ens18 | ||
| - | </ | ||
| - | |||
| - | Pour ajouter l' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --add-interface=ip_fixe | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --get-active-zones | ||
| - | work | ||
| - | interfaces: ens18 ip_fixe | ||
| - | </ | ||
| - | |||
| - | Pour supprimer l' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --remove-interface=ip_fixe | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --get-active-zones | ||
| - | work | ||
| - | interfaces: ens18 | ||
| - | </ | ||
| - | |||
| - | Pour ajouter le service **http** à la zone **work**, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --add-service=http | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --list-services | ||
| - | cockpit dhcpv6-client http ssh | ||
| - | </ | ||
| - | |||
| - | Pour supprimer le service **http** de la zone **work**, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --remove-service=http | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --list-services | ||
| - | cockpit dhcpv6-client ssh | ||
| - | </ | ||
| - | |||
| - | Pour ajouter un nouveau bloc ICMP, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --add-icmp-block=echo-reply | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --list-icmp-blocks | ||
| - | echo-reply | ||
| - | </ | ||
| - | |||
| - | Pour supprimer un bloc ICMP, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --remove-icmp-block=echo-reply | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --list-icmp-blocks | ||
| - | |||
| - | [root@centos8 ~]# | ||
| - | </ | ||
| - | |||
| - | Pour ajouter le port 591/tcp à la zone work, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --add-port=591/ | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --list-ports | ||
| - | 591/tcp | ||
| - | </ | ||
| - | |||
| - | Pour supprimer le port 591/tcp à la zone work, utilisez la commande suivante : | ||
| - | |||
| - | < | ||
| - | root@centos8 ~]# firewall-cmd --zone=work --remove-port=591/ | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --zone=work --list-ports | ||
| - | |||
| - | [root@centos8 ~]# | ||
| - | </ | ||
| - | |||
| - | Pour créer un nouveau service, il convient de : | ||
| - | |||
| - | * copier un fichier existant se trouvant dans le répertoire **/ | ||
| - | * modifier le fichier, | ||
| - | * recharger la configuration de firewalld, | ||
| - | * vérifier que firewalld voit le nouveau service. | ||
| - | |||
| - | Par exemple : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# cp / | ||
| - | |||
| - | [root@centos8 ~]# vi / | ||
| - | [root@centos8 ~]# cat / | ||
| - | <?xml version=" | ||
| - | < | ||
| - | < | ||
| - | < | ||
| - | <port protocol=" | ||
| - | </ | ||
| - | |||
| - | [root@centos8 ~]# firewall-cmd --reload | ||
| - | success | ||
| - | |||
| - | [root@centos8 ~]# firewall-cmd --get-services | grep filemaker | ||
| - | RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server filemaker finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server | ||
| - | </ | ||
| - | |||
| - | ====4.4 - La Configuration Avancée de firewalld==== | ||
| - | |||
| - | La configuration de base de firewalld ne permet que la configuration des zones, services, blocs ICMP et les ports non-standard. Cependant firewalld peut également être configuré avec des **Rich Rules** ou **//Règles Riches//**. Rich Rules ou Règles Riches évaluent des **critères** pour ensuite entreprendre une **action**. | ||
| - | |||
| - | Les **Critères** sont : | ||
| - | |||
| - | * **source address="< | ||
| - | * **destination address="< | ||
| - | * **rule port port="< | ||
| - | * **service name=< | ||
| - | |||
| - | Les **Actions** sont : | ||
| - | |||
| - | * **accept**, | ||
| - | * **reject**, | ||
| - | * une Action reject peut être associée avec un message d' | ||
| - | * **drop**. | ||
| - | |||
| - | Saisissez la commande suivante pour ouvrir le port 80 : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --add-rich-rule=' | ||
| - | success | ||
| - | [root@centos8 ~]# firewall-cmd --list-all | ||
| - | work (active) | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: ens18 | ||
| - | sources: | ||
| - | services: cockpit dhcpv6-client ssh | ||
| - | ports: | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | rule port port=" | ||
| - | </ | ||
| - | |||
| - | <WRAP center round important 50%> | ||
| - | **Important** - Notez que la Rich Rule doit être entourée de caractères **' | ||
| - | </ | ||
| - | |||
| - | Saisissez la commande suivante pour visualiser la règle nftables : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# nft list ruleset | grep 80 | ||
| - | ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept | ||
| - | tcp dport 80 ct state { new, untracked } accept | ||
| - | </ | ||
| - | |||
| - | Cette nouvelle règle est écrite en mémoire mais non pas sur disque : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 12 | ||
| - | -rw-r--r--. 1 root root 380 Jun 16 12:02 public.xml | ||
| - | -rw-r--r--. 1 root root 343 Jun 16 06:39 public.xml.old | ||
| - | </ | ||
| - | |||
| - | Pour l' | ||
| - | |||
| - | < | ||
| - | [root@centos7 ~]# firewall-cmd --add-rich-rule=' | ||
| - | success | ||
| - | |||
| - | [root@centos8 ~]# ls -l / | ||
| - | total 12 | ||
| - | -rw-r--r--. 1 root root 380 Jun 16 12:02 public.xml | ||
| - | -rw-r--r--. 1 root root 343 Jun 16 06:39 public.xml.old | ||
| - | -rw-r--r--. 1 root root 409 Aug 30 06:43 work.xml | ||
| - | |||
| - | [root@centos8 ~]# cat / | ||
| - | <?xml version=" | ||
| - | < | ||
| - | < | ||
| - | < | ||
| - | <service name=" | ||
| - | <service name=" | ||
| - | <service name=" | ||
| - | < | ||
| - | <port port=" | ||
| - | < | ||
| - | </ | ||
| - | </ | ||
| - | </ | ||
| - | |||
| - | <WRAP center round important 50%> | ||
| - | Attention ! La règle ajoutée avec l' | ||
| - | </ | ||
| - | |||
| - | Notez que la Rich Rule est créée dans la Zone par Défaut. Il est possible de créer une Rich Rule dans une autre zone en utilisant l' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=public --add-rich-rule=' | ||
| - | success | ||
| - | |||
| - | [root@centos8 ~]# firewall-cmd --list-all --zone=public | ||
| - | public | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: cockpit dhcpv6-client ssh | ||
| - | ports: 5901/tcp | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | rule port port=" | ||
| - | </ | ||
| - | |||
| - | Pour supprimer une Rich Rule, il faut copier la ligne entière la concernant qui se trouve dans la sortie de la commande **firewall-cmd --list-all-zones** : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# firewall-cmd --zone=public --remove-rich-rule=' | ||
| - | success | ||
| - | |||
| - | [root@centos8 ~]# firewall-cmd --list-all --zone=public | ||
| - | public | ||
| - | target: default | ||
| - | icmp-block-inversion: | ||
| - | interfaces: | ||
| - | sources: | ||
| - | services: cockpit dhcpv6-client ssh | ||
| - | ports: 5901/tcp | ||
| - | protocols: | ||
| - | masquerade: no | ||
| - | forward-ports: | ||
| - | source-ports: | ||
| - | icmp-blocks: | ||
| - | rich rules: | ||
| - | </ | ||
| - | |||
| - | ====4.5 - Le mode Panic de firewalld==== | ||
| - | |||
| - | Le mode Panic de firewalld permet de bloquer tout le trafic avec une seule commande. Pour connaître l' | ||
| - | |||
| - | < | ||
| - | [root@centos7 ~]# firewall-cmd --query-panic | ||
| - | no | ||
| - | </ | ||
| - | |||
| - | Pour activer le mode Panic, il convient de saisir la commande suivante : | ||
| - | |||
| - | < | ||
| - | # firewall-cmd --panic-on | ||
| - | </ | ||
| - | |||
| - | <WRAP center round warning 50%> | ||
| - | **Attention** - Veuillez ne **PAS** saisir la commande ci-dessus. | ||
| - | </ | ||
| - | |||
| - | Pour désactiver le mode Panic, il convient de saisir la commande suivante : | ||
| - | |||
| - | < | ||
| - | # firewall-cmd --panic-off | ||
| - | </ | ||
| - | |||
| - | <WRAP center round warning 50%> | ||
| - | **Attention** - Veuillez ne **PAS** saisir la commande ci-dessus. | ||
| - | </ | ||
| - | |||
| - | =====LAB #5 - L' | ||
| - | |||
| - | ====5.1 - Introducton==== | ||
| - | |||
| - | L' | ||
| - | ur | ||
| - | ^ Type de Sécurité ^ Nom ^ Description ^ | ||
| - | | TE | //Type enforcement// | ||
| - | | RBAC | //Role Based Access Control// | ||
| - | | MAC | //Mandatory Access Control// | ||
| - | | MLS | // | ||
| - | |||
| - | Même quand le modèle %%SELinux%% de sécurité est actif, la sécurité type DAC est toujours active. Cependant dans le cas où la sécurité du type DAC autorise une action, %%SELinux%% va évaluer cette action par rapport à ses propres règles avant de l' | ||
| - | |||
| - | %%SELinux%% évalue toujours des **// | ||
| - | |||
| - | Dans le contexte de %%SELinux%% : | ||
| - | |||
| - | * un **// | ||
| - | * un **// | ||
| - | * une **// | ||
| - | |||
| - | Chaque **//classe d' | ||
| - | |||
| - | ===Security Context=== | ||
| - | |||
| - | %%SELinux%% associe un //Security Context// (SC) à chaque **// | ||
| - | |||
| - | Un SC prend la forme **identité: | ||
| - | |||
| - | ^ Nom ^ Descriptions ^ | ||
| - | | Identité | Le nom du propriétaire de l' | ||
| - | | Rôle | Essentiellement appliqué aux processus, le rôle est appelé une domaine. Dans le cas d'un rôle de fichier, celui-ci est toujours **object_r**. Un rôle se termine généralement par **_r**. | | ||
| - | | Type | Définit la classification de sécurité de l' | ||
| - | | Niveau | Un niveau est un attribut de MLS et MCS. Une plage MLS est une paire de niveaux exprimée en utilisant la syntaxe // | ||
| - | |||
| - | Sous RHEL/CentOS 7, le fichier **/ | ||
| - | |||
| - | < | ||
| - | [root@centos7 /]# cat / | ||
| # | # | ||
| - | # Multi-Category Security translation table for SELinux | + | # /etc/fstab |
| - | # | + | # Created by anaconda on Wed Jun 16 06:21:32 2021 |
| - | # Uncomment the following to disable translation libary | + | |
| - | # disable=1 | + | |
| # | # | ||
| - | # Objects can be categorized with 0-1023 categories defined | + | # Accessible filesystems, |
| - | # Objects can be in more than one category at a time. | + | # See man pages fstab(5), findfs(8), mount(8) |
| - | # Categories | + | |
| - | # table to translate the categories into a more meaningful output. | + | |
| - | # Examples: | + | |
| - | # s0: | + | |
| - | # s0: | + | |
| - | # s0: | + | |
| - | # s0: | + | |
| - | # s0: | + | |
| - | s0=SystemLow | + | |
| - | s0-s0: | + | |
| - | s0: | + | |
| - | </ | + | |
| - | + | ||
| - | Dans le contexte d'un SC pour un **//sujet//**, le champ **identité** indique les privilèges de l'utilisateur %%SELinux%% utilisés par le **// | + | |
| - | + | ||
| - | Dans le contexte d'un SC pour un **// | + | |
| - | + | ||
| - | %%SELinux%% maintient sa propre liste d' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# / | + | |
| - | + | ||
| - | Login Name | + | |
| - | + | ||
| - | __default__ | + | |
| - | root | + | |
| - | </ | + | |
| - | + | ||
| - | ===Domains et Types=== | + | |
| - | + | ||
| - | Le **Domain** est l' | + | |
| - | + | ||
| - | Le **Domain** contient des **// | + | |
| - | + | ||
| - | Dans %%SELinux%% on utilise le mot : | + | |
| - | + | ||
| - | * **Domain** pour un processus, | + | |
| - | * **Type** pour un fichier. | + | |
| - | + | ||
| - | ===Roles=== | + | |
| - | + | ||
| - | Un **Rôle** est comme un utilisateur dans le système de sécurité DAC de Linux. Chaque utilisateur autorisé peut assumer l' | + | |
| - | + | ||
| - | ===Politiques de Sécurité=== | + | |
| - | + | ||
| - | Une politique de sécurité définit les SC de chaque application. Elle définit des droits d' | + | |
| - | + | ||
| - | ^ Politique ^ Description ^ | + | |
| - | | targeted | Les politiques de sécurité ne s' | + | |
| - | | mls | Multi Level Security protection | | + | |
| - | + | ||
| - | Les politiques de sécurité se trouvent dans le répertoire **/ | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# ls -lR / | + | |
| - | / | + | |
| - | total 8 | + | |
| - | -rw-r--r--. 1 root root 548 Sep 5 07:26 config | + | |
| - | -rw-r--r--. 1 root root 2647 Feb 3 2021 semanage.conf | + | |
| - | drwxr-xr-x. 5 root root 133 Jun 16 11:34 targeted | + | |
| - | + | ||
| - | / | + | |
| - | total 16 | + | |
| - | -rw-r--r--. 1 root root 2367 Mar 18 12:30 booleans.subs_dist | + | |
| - | drwxr-xr-x. 4 root root 4096 Jun 16 06:27 contexts | + | |
| - | drwxr-xr-x. 2 root root 6 Mar 18 12:30 logins | + | |
| - | drwxr-xr-x. 2 root root 23 Jun 16 11:34 policy | + | |
| - | -rw-r--r--. 1 root root 607 Mar 18 12:30 setrans.conf | + | |
| - | -rw-r--r--. 1 root root 73 Jun 16 11:34 seusers | + | |
| - | + | ||
| - | / | + | |
| - | total 68 | + | |
| - | -rw-r--r--. 1 root root 262 Jun 16 06:27 customizable_types | + | |
| - | -rw-r--r--. 1 root root 195 Mar 18 12:29 dbus_contexts | + | |
| - | -rw-r--r--. 1 root root 1111 Mar 18 12:29 default_contexts | + | |
| - | -rw-r--r--. 1 root root 114 Mar 18 12:29 default_type | + | |
| - | -rw-r--r--. 1 root root 29 Mar 18 12:29 failsafe_context | + | |
| - | drwxr-xr-x. 2 root root 213 Jun 16 11:34 files | + | |
| - | -rw-r--r--. 1 root root 30 Mar 18 12:29 initrc_context | + | |
| - | -rw-r--r--. 1 root root 372 Mar 18 12:29 lxc_contexts | + | |
| - | -rw-r--r--. 1 root root 27 Mar 18 12:29 openssh_contexts | + | |
| - | -rw-r--r--. 1 root root 33 Mar 18 12:29 removable_context | + | |
| - | -rw-r--r--. 1 root root 74 Mar 18 12:30 securetty_types | + | |
| - | -rw-r--r--. 1 root root 1170 Mar 18 12:29 sepgsql_contexts | + | |
| - | -rw-r--r--. 1 root root 53 Mar 18 12:29 snapperd_contexts | + | |
| - | -rw-r--r--. 1 root root 57 Mar 18 12:29 systemd_contexts | + | |
| - | -rw-r--r--. 1 root root 33 Mar 18 12:29 userhelper_context | + | |
| - | drwxr-xr-x. 2 root root 114 Jun 16 06:26 users | + | |
| - | -rw-r--r--. 1 root root 62 Mar 18 12:29 virtual_domain_context | + | |
| - | -rw-r--r--. 1 root root 71 Mar 18 12:29 virtual_image_context | + | |
| - | -rw-r--r--. 1 root root 2920 Mar 18 12:29 x_contexts | + | |
| - | + | ||
| - | / | + | |
| - | total 1000 | + | |
| - | -rw-r--r--. 1 root root 404956 Jun 16 11:33 file_contexts | + | |
| - | -rw-r--r--. 1 root root 570698 Jun 16 11:33 file_contexts.bin | + | |
| - | -rw-r--r--. 1 root root 13880 Jun 16 11:33 file_contexts.homedirs | + | |
| - | -rw-r--r--. 1 root root 19104 Jun 16 11:33 file_contexts.homedirs.bin | + | |
| - | -rw-r--r--. 1 root root 0 Mar 18 12:30 file_contexts.local | + | |
| - | --More-- | + | |
| - | </ | + | |
| - | + | ||
| - | Afin d' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# dnf -y install setools-console | + | |
| - | </ | + | |
| - | + | ||
| - | Pour consulter les statistiques de la politique, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# seinfo | + | |
| - | Statistics for policy file: / | + | |
| - | Policy Version: | + | |
| - | Target Policy: | + | |
| - | Handle unknown classes: | + | |
| - | Classes: | + | |
| - | Sensitivities: | + | |
| - | Types: | + | |
| - | Users: | + | |
| - | Booleans: | + | |
| - | Allow: | + | |
| - | Auditallow: | + | |
| - | Type_trans: | + | |
| - | Type_member: | + | |
| - | Role allow: | + | |
| - | Constraints: | + | |
| - | MLS Constrain: | + | |
| - | Permissives: | + | |
| - | Defaults: | + | |
| - | Allowxperm: | + | |
| - | Auditallowxperm: | + | |
| - | Ibendportcon: | + | |
| - | Initial SIDs: | + | |
| - | Genfscon: | + | |
| - | Netifcon: | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 50%> | + | |
| - | **Important** : Notez ici le grand nombre de la catégorie **Dontaudit**. | + | |
| - | </ | + | |
| - | + | ||
| - | ===Langage de Politiques=== | + | |
| - | + | ||
| - | Un politique est composé de centaines de directives. Les principales directives sont : | + | |
| - | + | ||
| - | ==allow== | + | |
| - | + | ||
| - | **allow** autorise l' | + | |
| - | + | ||
| - | allow user_t domaine_t : file (read execute getattr) ; | + | |
| - | + | ||
| - | Dans cette directive : | + | |
| - | + | ||
| - | * user_t est le type de fichier, | + | |
| - | * domaine_t est le domaine des processus qui sont autorisés par allow, | + | |
| - | * file (droit1 droit2 etc) est la liste des permissions accordées. | + | |
| - | + | ||
| - | Les permissions possibles sont : | + | |
| - | + | ||
| - | * read | + | |
| - | * write | + | |
| - | * append | + | |
| - | * execute | + | |
| - | * getattr | + | |
| - | * setattr | + | |
| - | * lock | + | |
| - | * link | + | |
| - | * unlink | + | |
| - | * rename | + | |
| - | * ioctl | + | |
| - | + | ||
| - | ==type== | + | |
| - | + | ||
| - | La directive **type** définit un type %%SELinux%%. Le type se termine généralement par **_t**. | + | |
| - | + | ||
| - | **auditallow, dontaudit** | + | |
| - | + | ||
| - | La directive **auditallow** demande l' | + | |
| - | + | ||
| - | L' | + | |
| - | + | ||
| - | ===type_transition=== | + | |
| - | + | ||
| - | Normalement quand un fichier est créé, il hérite du SC du répertoire parent. De même quand un processus %%SELinux%% active un nouveau processus, ce dernier s' | + | |
| - | + | ||
| - | ===Décisions de SELinux=== | + | |
| - | + | ||
| - | Il existe deux types de décisions auxquelles %%SELinux%% doit faire face : | + | |
| - | + | ||
| - | * **Décisions d' | + | |
| - | * **Décisions de Transition** | + | |
| - | + | ||
| - | ==Décisions d' | + | |
| - | + | ||
| - | Dans ce type de décision %%SELinux%% doit décider d' | + | |
| - | + | ||
| - | * un **// | + | |
| - | * un **// | + | |
| - | + | ||
| - | ==Décisions de Transition== | + | |
| - | + | ||
| - | Dans ce type de décision %%SELinux%% doit décider d' | + | |
| - | + | ||
| - | * d' | + | |
| - | * de créer des **// | + | |
| - | + | ||
| - | ===Commandes SELinux=== | + | |
| - | + | ||
| - | ^ Commande ^ Description ^ | + | |
| - | | chcon | Changer le SC d'un fichier | | + | |
| - | | audit2allow | Générer la source de la règle de sécurité à l' | + | |
| - | | restorecon | Restaurer le SC par défaut à un ou plusieurs fichiers | | + | |
| - | | setfiles -n | Vérifier si les SC sont corrects | + | |
| - | | semodule | Gèrer les modules de politiques | | + | |
| - | | semodule -i | Installer un module de politiques | | + | |
| - | | checkmodule | Compiler un module | | + | |
| - | | semodule_package | Créer un module installable par semodule | | + | |
| - | | semanage | Administrer une politique | | + | |
| - | | audit2allow -M | Créer un module à partir d'un message d' | + | |
| - | | sesearch | Recherche des règles %%SELinux%% | | + | |
| - | | seinfo | Effectuer des recherches dans la politique | | + | |
| - | | getsebool | Affiche l' | + | |
| - | | getsebool -a | Affiche l' | + | |
| - | | sestatus -b | Affiche l' | + | |
| - | | setsebool | Modifie l' | + | |
| - | | togglesebool | Bascule la valeur d'un booléen | | + | |
| - | + | ||
| - | ===Les Etats de SELinux=== | + | |
| - | + | ||
| - | %%SELinux%% connait trois états : | + | |
| - | + | ||
| - | ^ Etat ^ Description ^ | + | |
| - | | disabled | %%SELinux%% est inactif. | | + | |
| - | | permissive | %%SELinux%% est actif mais tout est permis. Des interdictions ne font que de générer des messages d' | + | |
| - | | enforcing | %%SELinux%% est actif. | | + | |
| - | + | ||
| - | L' | + | |
| - | + | ||
| - | ^ Valeur ^ Description ^ | + | |
| - | | 0 | %%SELinux%% est en mode // | + | |
| - | | 1 | %%SELinux%% est en mode // | + | |
| - | + | ||
| - | La configuration de l' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# cat / | + | |
| - | + | ||
| - | # This file controls the state of SELinux on the system. | + | |
| - | # SELINUX= can take one of these three values: | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | SELINUX=permissive | + | |
| - | # SELINUXTYPE= can take one of these three values: | + | |
| - | # | + | |
| - | # | + | |
| - | # mls - Multi Level Security protection. | + | |
| - | SELINUXTYPE=targeted | + | |
| - | </ | + | |
| - | + | ||
| - | Afin de connaître l' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# getenforce | + | |
| - | Permissive | + | |
| - | </ | + | |
| - | + | ||
| - | Pour modifier l' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# setenforce enforcing | + | |
| - | [root@centos8 ~]# getenforce | + | |
| - | Enforcing | + | |
| - | </ | + | |
| - | + | ||
| - | La commande **sestatus** vous informe sur la configuration de %%SELinux%% et notamment sur la version de la politique utilisée : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# sestatus | + | |
| - | SELinux status: | + | |
| - | SELinuxfs | + | |
| - | SELinux root directory: | + | |
| - | Loaded policy name: | + | |
| - | Current mode: | + | |
| - | Mode from config file: permissive | + | |
| - | Policy MLS status: | + | |
| - | Policy deny_unknown status: | + | |
| - | Memory protection checking: | + | |
| - | Max kernel policy version: | + | |
| - | </ | + | |
| - | + | ||
| - | Les différentes versions de politiques évolue en même temps que le noyau Linux. | + | |
| - | + | ||
| - | La commande sestatus peut aussi prendre l' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# sestatus -v | + | |
| - | SELinux status: | + | |
| - | SELinuxfs mount: | + | |
| - | SELinux root directory: | + | |
| - | Loaded policy name: | + | |
| - | Current mode: | + | |
| - | Mode from config file: permissive | + | |
| - | Policy MLS status: | + | |
| - | Policy deny_unknown status: | + | |
| - | Memory protection checking: | + | |
| - | Max kernel policy version: | + | |
| - | + | ||
| - | Process contexts: | + | |
| - | Current context: | + | |
| - | Init context: | + | |
| - | / | + | |
| - | + | ||
| - | File contexts: | + | |
| - | Controlling terminal: | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | </ | + | |
| - | + | ||
| - | ===Booléens=== | + | |
| - | + | ||
| - | Les booléens permettent à des ensembles de règles d' | + | |
| - | + | ||
| - | Pour visualiser l' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# getsebool -a | more | + | |
| - | abrt_anon_write --> off | + | |
| - | abrt_handle_event --> off | + | |
| - | abrt_upload_watch_anon_write --> on | + | |
| - | antivirus_can_scan_system --> off | + | |
| - | antivirus_use_jit --> off | + | |
| - | auditadm_exec_content --> on | + | |
| - | authlogin_nsswitch_use_ldap --> off | + | |
| - | authlogin_radius --> off | + | |
| - | authlogin_yubikey --> off | + | |
| - | awstats_purge_apache_log_files --> off | + | |
| - | boinc_execmem --> on | + | |
| - | cdrecord_read_content --> off | + | |
| - | cluster_can_network_connect --> off | + | |
| - | cluster_manage_all_files --> off | + | |
| - | cluster_use_execmem --> off | + | |
| - | cobbler_anon_write --> off | + | |
| - | cobbler_can_network_connect --> off | + | |
| - | cobbler_use_cifs --> off | + | |
| - | cobbler_use_nfs --> off | + | |
| - | collectd_tcp_network_connect --> off | + | |
| - | colord_use_nfs --> off | + | |
| - | condor_tcp_network_connect --> off | + | |
| - | conman_can_network --> off | + | |
| - | conman_use_nfs --> off | + | |
| - | container_connect_any --> off | + | |
| - | container_manage_cgroup --> off | + | |
| - | container_use_cephfs --> off | + | |
| - | cron_can_relabel --> off | + | |
| - | cron_system_cronjob_use_shares --> off | + | |
| - | cron_userdomain_transition --> on | + | |
| - | cups_execmem --> off | + | |
| - | cvs_read_shadow --> off | + | |
| - | daemons_dump_core --> off | + | |
| - | daemons_enable_cluster_mode --> off | + | |
| - | daemons_use_tcp_wrapper --> off | + | |
| - | daemons_use_tty --> off | + | |
| - | dbadm_exec_content --> on | + | |
| - | dbadm_manage_user_files --> off | + | |
| - | dbadm_read_user_files --> off | + | |
| - | deny_bluetooth --> off | + | |
| - | deny_execmem --> off | + | |
| - | deny_ptrace --> off | + | |
| - | dhcpc_exec_iptables --> off | + | |
| - | dhcpd_use_ldap --> off | + | |
| - | --More-- | + | |
| - | </ | + | |
| - | + | ||
| - | ou la commande **sestatus -b** : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# sestatus -b | more | + | |
| - | SELinux status: | + | |
| - | SELinuxfs mount: | + | |
| - | SELinux root directory: | + | |
| - | Loaded policy name: | + | |
| - | Current mode: | + | |
| - | Mode from config file: permissive | + | |
| - | Policy MLS status: | + | |
| - | Policy deny_unknown status: | + | |
| - | Memory protection checking: | + | |
| - | Max kernel policy version: | + | |
| - | + | ||
| - | Policy booleans: | + | |
| - | abrt_anon_write | + | |
| - | abrt_handle_event | + | |
| - | abrt_upload_watch_anon_write | + | |
| - | antivirus_can_scan_system | + | |
| - | antivirus_use_jit | + | |
| - | auditadm_exec_content | + | |
| - | authlogin_nsswitch_use_ldap | + | |
| - | authlogin_radius | + | |
| - | authlogin_yubikey | + | |
| - | awstats_purge_apache_log_files | + | |
| - | boinc_execmem | + | |
| - | cdrecord_read_content | + | |
| - | cluster_can_network_connect | + | |
| - | cluster_manage_all_files | + | |
| - | cluster_use_execmem | + | |
| - | cobbler_anon_write | + | |
| - | cobbler_can_network_connect | + | |
| - | cobbler_use_cifs | + | |
| - | cobbler_use_nfs | + | |
| - | collectd_tcp_network_connect | + | |
| - | colord_use_nfs | + | |
| - | condor_tcp_network_connect | + | |
| - | conman_can_network | + | |
| - | conman_use_nfs | + | |
| - | container_connect_any | + | |
| - | container_manage_cgroup | + | |
| - | container_use_cephfs | + | |
| - | cron_can_relabel | + | |
| - | cron_system_cronjob_use_shares | + | |
| - | cron_userdomain_transition | + | |
| - | cups_execmem | + | |
| - | cvs_read_shadow | + | |
| - | --More-- | + | |
| - | </ | + | |
| - | + | ||
| - | Pour fixer l' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# setsebool antivirus_can_scan_system 1 | + | |
| - | [root@centos8 ~]# getsebool antivirus_can_scan_system | + | |
| - | antivirus_can_scan_system --> on | + | |
| - | [root@centos8 ~]# setsebool antivirus_can_scan_system 0 | + | |
| - | [root@centos8 ~]# getsebool antivirus_can_scan_system | + | |
| - | antivirus_can_scan_system --> off | + | |
| - | </ | + | |
| - | + | ||
| - | Afin reconstruire la politique actuelle **sans** les règles **dontaudit**, | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos7 ~]# semodule -DB | + | |
| - | </ | + | |
| - | + | ||
| - | Vérifiez qu'il ne reste aucune règle de type **dontaudit** : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# seinfo | + | |
| - | Statistics for policy file: / | + | |
| - | Policy Version: | + | |
| - | Target Policy: | + | |
| - | Handle unknown classes: | + | |
| - | Classes: | + | |
| - | Sensitivities: | + | |
| - | Types: | + | |
| - | Users: | + | |
| - | Booleans: | + | |
| - | Allow: | + | |
| - | Auditallow: | + | |
| - | Type_trans: | + | |
| - | Type_member: | + | |
| - | Role allow: | + | |
| - | Constraints: | + | |
| - | MLS Constrain: | + | |
| - | Permissives: | + | |
| - | Defaults: | + | |
| - | Allowxperm: | + | |
| - | Auditallowxperm: | + | |
| - | Ibendportcon: | + | |
| - | Initial SIDs: | + | |
| - | Genfscon: | + | |
| - | Netifcon: | + | |
| - | </ | + | |
| - | + | ||
| - | ====5.2 - Copier et Déplacer des Fichiers==== | + | |
| - | + | ||
| - | Créez deux fichiers **file1** et **file2** en tant que l' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos7 /]# exit | + | |
| - | logout | + | |
| - | [trainee@centos7 ~]$ touch file1 file2 | + | |
| - | + | ||
| - | [trainee@centos8 ~]$ ls -lZ file* | + | |
| - | -rw-rw-r--. 1 trainee trainee unconfined_u: | + | |
| - | -rw-rw-r--. 1 trainee trainee unconfined_u: | + | |
| - | </ | + | |
| - | + | ||
| - | Notez que le type des deux fichiers est **user_home_t**. | + | |
| - | + | ||
| - | Copiez maintenant le fichier **file1** vers **/tmp** en utilisant la commande **cp** et visualiser son SC : | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ cp file1 /tmp | + | |
| - | + | ||
| - | [trainee@centos8 ~]$ ls -lZ / | + | |
| - | -rw-rw-r--. 1 trainee trainee unconfined_u: | + | |
| - | </ | + | |
| - | + | ||
| - | Notez que le fichier ainsi copié a hérité du **type** du répertoire parent, à savoir **tmp_t**. | + | |
| - | + | ||
| - | Déplacez maintenant le fichier **file2** dans le répertoire **/tmp** et contrôlez son SC : | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ mv file2 /tmp | + | |
| - | + | ||
| - | [trainee@centos8 ~]$ ls -lZ / | + | |
| - | -rw-rw-r--. 1 trainee trainee unconfined_u: | + | |
| - | </ | + | |
| - | + | ||
| - | Notez que la commande **mv** maintient le **type** d' | + | |
| - | + | ||
| - | ====5.3 - Vérifier les SC des Processus==== | + | |
| - | + | ||
| - | Il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ ps auxZ | more | + | |
| - | LABEL | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | system_u: | + | |
| - | --More-- | + | |
| - | </ | + | |
| - | + | ||
| - | ====5.4 - Visualiser la SC d'un Utilisateur==== | + | |
| - | + | ||
| - | Utilisez l' | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ id -Z | + | |
| - | unconfined_u: | + | |
| - | </ | + | |
| - | + | ||
| - | Notez que vous ne pouvez pas consulter le SC d'un autre utilisateur : | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ id root | + | |
| - | uid=0(root) gid=0(root) groups=0(root) | + | |
| - | [trainee@centos8 ~]$ id -Z root | + | |
| - | id: cannot print security context when user specified | + | |
| - | </code> | + | |
| - | + | ||
| - | ====5.5 - Vérifier la SC d'un fichier==== | + | |
| - | + | ||
| - | Il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ cd /etc | + | |
| - | + | ||
| - | [trainee@centos8 etc]$ ls -Z l* -dl | + | |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| - | -rw-r--r--. 1 root root system_u: | + | |
| - | drwxr-xr-x. 2 root root system_u: | + | |
| - | -rw-r-----. 1 root root system_u: | + | |
| - | drwxr-xr-x. 3 root root system_u: | + | |
| - | -rw-r--r--. 1 root root system_u: | + | |
| - | drwxr-xr-x. 2 root root system_u: | + | |
| - | drwxr-xr-x. 2 root root system_u: | + | |
| - | drwxr-xr-x. 2 root root system_u: | + | |
| - | drwxr-xr-x. 6 root root system_u: | + | |
| - | drwxr-xr-x. 2 root root system_u: | + | |
| - | -rw-r--r--. 1 root root system_u: | + | |
| - | drwx------. 6 root root system_u: | + | |
| - | -rw-r--r--. 1 root root system_u: | + | |
| - | lrwxrwxrwx. 1 root root system_u: | + | |
| - | -rw-r--r--. 1 root root system_u: | + | |
| - | -rw-r--r--. 1 root root system_u: | + | |
| - | drwxr-xr-x. 2 root root system_u: | + | |
| - | drwxr-xr-x. 3 root root system_u: | + | |
| - | drwxr-xr-x. 6 root root system_u: | + | |
| - | </ | + | |
| - | + | ||
| - | ====5.6 - La commande chcon==== | + | |
| - | + | ||
| - | L' | + | |
| - | + | ||
| - | Si le démon **auditd** est démarré, les messages de %%SELinux%% sont consignés dans le fichier **/ | + | |
| - | + | ||
| - | La commande **chcon** permet de modifier // | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 etc]$ cd ~ | + | |
| - | + | ||
| - | [trainee@centos8 ~]$ chcon --help | + | |
| - | Usage: chcon [OPTION]... CONTEXT FILE... | + | |
| - | | + | |
| - | or: chcon [OPTION]... --reference=RFILE FILE... | + | |
| - | Change the SELinux security context of each FILE to CONTEXT. | + | |
| - | With --reference, | + | |
| - | + | ||
| - | Mandatory arguments to long options are mandatory for short options too. | + | |
| - | --dereference | + | |
| - | the default), rather than the symbolic link itself | + | |
| - | -h, --no-dereference | + | |
| - | -u, --user=USER | + | |
| - | -r, --role=ROLE | + | |
| - | -t, --type=TYPE | + | |
| - | -l, --range=RANGE | + | |
| - | --no-preserve-root | + | |
| - | --preserve-root | + | |
| - | --reference=RFILE | + | |
| - | a CONTEXT value | + | |
| - | -R, --recursive | + | |
| - | -v, --verbose | + | |
| - | + | ||
| - | The following options modify how a hierarchy is traversed when the -R | + | |
| - | option is also specified. | + | |
| - | one takes effect. | + | |
| - | + | ||
| - | -H if a command line argument is a symbolic link | + | |
| - | to a directory, traverse it | + | |
| - | -L | + | |
| - | | + | |
| - | -P do not traverse any symbolic links (default) | + | |
| - | + | ||
| - | --help | + | |
| - | --version | + | |
| - | + | ||
| - | GNU coreutils online help: < | + | |
| - | Full documentation at: < | + | |
| - | or available locally via: info ' | + | |
| - | </ | + | |
| - | + | ||
| - | Prenons le cas de la création d'un répertoire à la racine du système de fichiers afin d'y stocker les pages web du serveur apache : | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ su - | + | |
| - | Password: fenestros | + | |
| - | + | ||
| - | [root@centos8 ~]# mkdir /www | + | |
| - | + | ||
| - | [root@centos8 ~]# touch / | + | |
| - | </ | + | |
| - | + | ||
| - | Installez maintenant le serveur Apache : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# dnf -y install httpd | + | |
| - | </ | + | |
| - | + | ||
| - | Modifiez ensuite la directive **%%DocumentRoot%%** dans le fichier **/ | + | |
| - | + | ||
| - | < | + | |
| - | [...] | + | |
| - | # | + | |
| - | DocumentRoot "/ | + | |
| - | [...] | + | |
| - | </ | + | |
| - | + | ||
| - | Ajoutez les section **< | + | |
| - | + | ||
| - | < | + | |
| - | ... | + | |
| # | # | ||
| - | # Relax access | + | # After editing this file, run ' |
| + | # units generated from this file. | ||
| # | # | ||
| - | < | + | /dev/mapper/cl_centos8-root |
| - | AllowOverride None | + | UUID=1c04981e-5317-4b73-9695-3ce25246835d /boot |
| - | # Allow open access: | + | /dev/mapper/cl_centos8-swap swap swap defaults |
| - | Require all granted | + | UUID=f76d6b66-985b-4a91-af9c-4987e8c1443c |
| - | </Directory> | + | |
| - | + | ||
| - | < | + | |
| - | Options Indexes FollowSymLinks | + | |
| - | | + | |
| - | | + | |
| - | </Directory> | + | |
| - | + | ||
| - | # Further relax access to the default document root: | + | |
| - | < | + | |
| - | ... | + | |
| - | </ | + | |
| - | + | ||
| - | # Further relax access to the default document root: | + | |
| - | < | + | |
| - | ... | + | |
| - | </ | + | |
| - | + | ||
| - | Sauvegardez et quittez le fichier. Créez le fichier **/ | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# vi /www/index.html | + | |
| - | [root@centos8 ~]# cat /www/index.html | + | ## KVM Guest Image Store |
| - | < | + | /dev/mapper/kvm_storage-kvm_lv |
| - | < | + | |
| - | This is a test | + | |
| - | </title> | + | |
| - | < | + | |
| - | www test page | + | |
| - | </body> | + | |
| - | </html> | + | |
| </ | </ | ||
| - | Modifiez | + | Montez |
| < | < | ||
| - | [root@centos8 ~]# chown -R apache: | + | [root@centos8 ~]# df -h |
| - | </code> | + | Filesystem |
| + | devtmpfs | ||
| + | tmpfs 1.9G | ||
| + | tmpfs 1.9G 9.5M 1.9G 1% /run | ||
| + | tmpfs 1.9G | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | tmpfs 374M | ||
| + | tmpfs 374M 1.2M 373M 1% /run/user/42 | ||
| - | Dernièrement, | + | [root@centos8 ~]# mount -a |
| - | < | + | [root@centos8 ~]# df -h |
| - | [root@centos8 ~]# touch /var/www/html/index.html | + | Filesystem |
| + | devtmpfs | ||
| + | tmpfs | ||
| + | tmpfs | ||
| + | tmpfs 1.9G | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | tmpfs | ||
| + | tmpfs | ||
| + | / | ||
| </ | </ | ||
| - | Redémarrez maintenant le service httpd : | + | Notez que ce volume est actuellement vide : |
| < | < | ||
| - | [root@centos8 ~]# systemctl restart httpd.service | + | [root@centos8 ~]# ls -l /var/lib/libvirt/images/ |
| - | [root@centos8 ~]# systemctl status httpd.service | + | total 0 |
| - | ● httpd.service | + | |
| - | | + | |
| - | | + | |
| - | Docs: man: | + | |
| - | Main PID: 49273 (httpd) | + | |
| - | | + | |
| - | Tasks: 213 (limit: 23535) | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | Sep 05 08:57:25 centos8.ittraining.loc systemd[1]: Starting The Apache HTTP Server... | + | |
| - | Sep 05 08:57:26 centos8.ittraining.loc systemd[1]: Started The Apache HTTP Server. | + | |
| - | Sep 05 08:57:26 centos8.ittraining.loc httpd[49273]: | + | |
| </ | </ | ||
| - | Passez SELinux en mode Permissive | + | Utilisez la commande **virsh pool-list** pour voir les pools de stockage déjà configurés. Cette liste devrait être vide : |
| < | < | ||
| - | [root@centos8 ~]# getenforce | + | [root@centos8 ~]# virsh pool-list |
| - | Enforcing | + | Name |
| - | [root@centos8 ~]# setenforce permissive | + | --------------------------- |
| - | [root@centos8 ~]# getenforce | + | |
| - | Permissive | + | |
| - | </ | + | |
| - | Installez le navigateur web en mode texte **lynx** : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# dnf install -y lynx | ||
| </ | </ | ||
| - | Consultez | + | Définissez |
| < | < | ||
| - | [root@centos8 ~]# lynx localhost | + | [root@centos8 ~]# virsh pool-define-as kvm-storagepool --type=dir --target / |
| + | Pool kvm-storagepool defined | ||
| </ | </ | ||
| - | La commande | + | <WRAP center round important 60%> |
| + | **Important** : Consultez | ||
| + | </ | ||
| - | < | + | Consultez **[[https://libvirt.org/storage.html# |
| - | [root@centos8 ~]# sealert -a /var/log/ | + | |
| - | </ | + | |
| - | Consultez | + | Démarrez maintenant |
| < | < | ||
| - | [root@centos8 ~]# more / | + | [root@centos8 ~]# virsh pool-start kvm-storagepool |
| - | + | Pool kvm-storagepool started | |
| - | found 16 alerts in / | + | |
| - | -------------------------------------------------------------------------------- | + | |
| - | + | ||
| - | SELinux is preventing / | + | |
| - | + | ||
| - | ***** Plugin catchall (100. confidence) suggests | + | |
| - | + | ||
| - | If you believe that pkla-check-authorization should be allowed noatsecure access on processes labeled policykit_auth_t by default. | + | |
| - | Then you should report this as a bug. | + | |
| - | You can generate a local policy module to allow this access. | + | |
| - | Do | + | |
| - | allow this access for now by executing: | + | |
| - | # ausearch -c ' | + | |
| - | # semodule -X 300 -i my-pklacheckauth.pp | + | |
| - | + | ||
| - | + | ||
| - | Additional Information: | + | |
| - | Source Context | + | |
| - | Target Context | + | |
| - | Target Objects | + | |
| - | Source | + | |
| - | Source Path / | + | |
| - | Port < | + | |
| - | Host < | + | |
| - | Source RPM Packages | + | |
| - | Target RPM Packages | + | |
| - | SELinux Policy RPM selinux-policy-targeted-3.14.3-67.el8.noarch | + | |
| - | Local Policy RPM selinux-policy-targeted-3.14.3-67.el8.noarch | + | |
| - | Selinux Enabled | + | |
| - | Policy Type | + | |
| - | Enforcing Mode Permissive | + | |
| - | Host Name | + | |
| - | Platform | + | |
| - | 4.18.0-305.7.1.el8.i2tch.x86_64 #1 SMP Tue Jul 20 | + | |
| - | 05:05:15 EDT 2021 x86_64 x86_64 | + | |
| - | Alert Count 16 | + | |
| - | First Seen 2021-09-05 08:40:01 EDT | + | |
| - | Last Seen | + | |
| - | Local ID 53085ad7-2855-4b4c-a781-5b47ef2f34c7 | + | |
| - | + | ||
| - | Raw Audit Messages | + | |
| - | type=AVC msg=audit(1630845907.307: | + | |
| - | policykit_auth_t: | + | |
| - | + | ||
| - | + | ||
| - | type=AVC msg=audit(1630845907.307: | + | |
| - | stem_r: | + | |
| - | + | ||
| - | + | ||
| - | type=AVC msg=audit(1630845907.307: | + | |
| - | m_r: | + | |
| - | + | ||
| - | + | ||
| - | type=SYSCALL msg=audit(1630845907.307: | + | |
| - | 34 auid=4294967295 uid=998 gid=996 euid=998 suid=998 fsuid=998 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm=pkla-check-auth exe=/ | + | |
| - | zation subj=system_u: | + | |
| - | lkitd SGID=polkitd FSGID=polkitd | + | |
| - | + | ||
| - | type=CWD msg=audit(1630845907.307: | + | |
| - | + | ||
| - | type=PATH msg=audit(1630845907.307: | + | |
| - | _so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root | + | |
| - | + | ||
| - | Hash: pkla-check-auth, | + | |
| - | + | ||
| - | -------------------------------------------------------------------------------- | + | |
| - | + | ||
| - | SELinux is preventing / | + | |
| - | + | ||
| - | ***** Plugin catchall (100. confidence) suggests | + | |
| - | + | ||
| - | If you believe that dbus-daemon-launch-helper should have the net_admin capability by default. | + | |
| - | Then you should report this as a bug. | + | |
| - | You can generate a local policy module to allow this access. | + | |
| - | Do | + | |
| - | allow this access for now by executing: | + | |
| - | # ausearch -c ' | + | |
| - | # semodule -X 300 -i my-dbusdaemonlau.pp | + | |
| - | + | ||
| - | + | ||
| - | Additional Information: | + | |
| - | Source Context | + | |
| - | Target Context | + | |
| - | Target Objects | + | |
| - | Source | + | |
| - | Source Path / | + | |
| - | Port < | + | |
| - | --More--(5%) | + | |
| </ | </ | ||
| - | Cherchez dans le fichier la chaine | + | Contrôlez l' |
| < | < | ||
| - | [root@centos8 ~]# more / | + | [root@centos8 ~]# virsh pool-list |
| - | SELinux is preventing / | + | Name State Autostart |
| - | If you want to allow httpd to have getattr access on the index.html file | + | --------------------------------------- |
| - | Then you need to change the label on / | + | kvm-storagepool |
| - | # semanage fcontext | + | |
| - | restorecon | + | |
| - | If you believe that httpd should be allowed getattr access on the index.html file by default. | + | |
| - | Target Objects | + | |
| - | type=AVC msg=audit(1630847051.967: | + | |
| - | SELinux is preventing / | + | |
| - | If you want to allow httpd to have read access on the index.html file | + | |
| - | Then you need to change the label on index.html | + | |
| - | # semanage fcontext | + | |
| - | restorecon | + | |
| - | If you believe that httpd should be allowed read access on the index.html file by default. | + | |
| - | Target Objects | + | |
| - | type=AVC msg=audit(1630847051.967: | + | |
| - | type=AVC msg=audit(1630847051.967: | + | |
| - | SELinux is preventing / | + | |
| - | If you want to allow httpd to have map access on the index.html file | + | |
| - | Then you need to change the label on / | + | |
| - | # semanage fcontext | + | |
| - | restorecon | + | |
| - | If you believe that httpd should be allowed map access on the index.html file by default. | + | |
| - | Target Objects | + | |
| - | type=AVC msg=audit(1630847051.967: | + | |
| </ | </ | ||
| - | Ce message a été généré parce que le repertoire /www ainsi que le fichier index.html ne possèdent pas le **type** nécessaire pour que le service apache puisse les utiliser : | + | <WRAP center round important |
| - | + | **Important** : Notez que le pool ne sera pas démarré automatiquement parce que la valeur d**' | |
| - | < | + | |
| - | [root@centos8 ~]# ls -lZ / | + | |
| - | -rw-r--r--. 1 apache apache unconfined_u: | + | |
| - | + | ||
| - | [root@centos8 ~]# ls -lZ / | + | |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| - | </ | + | |
| - | + | ||
| - | L' | + | |
| - | + | ||
| - | Modifiez donc la SC de /www et / | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# chcon -Rv --type=httpd_sys_content_t /www | + | |
| - | changing security context of '/ | + | |
| - | changing security context of '/ | + | |
| - | + | ||
| - | [root@centos8 ~]# ls -lZ / | + | |
| - | -rw-r--r--. 1 apache apache unconfined_u: | + | |
| - | </ | + | |
| - | + | ||
| - | Afin de maintenir ces SC lors d'une **restauration des SC par défaut**, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# semanage fcontext -a -t httpd_sys_content_t "/ | + | |
| - | </ | + | |
| - | + | ||
| - | ====5.7 - La commande restorecon==== | + | |
| - | + | ||
| - | Pour illustrer l' | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# cd /tmp ; touch copy.html move.html | + | |
| - | + | ||
| - | [root@centos8 tmp]# ls -lZ | grep html | + | |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| - | </ | + | |
| - | + | ||
| - | **Copiez** le fichier copy.html vers / | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 tmp]# cp copy.html / | + | |
| - | + | ||
| - | [root@centos8 tmp]# mv move.html / | + | |
| - | + | ||
| - | [root@centos8 tmp]# ls -lZ / | + | |
| - | total 0 | + | |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important | + | |
| - | **Important** : Notez ici que copy.html a pris le type du répertoire de destination tandis | + | |
| </ | </ | ||
| - | Restaurez maintenant | + | Fixez la valeur d' |
| < | < | ||
| - | [root@centos8 | + | [root@centos8 |
| - | Relabeled / | + | Pool kvm-storagepool marked as autostarted |
| - | [root@centos8 | + | [root@centos8 |
| - | total 0 | + | Name State Autostart |
| - | -rw-r--r--. 1 root root unconfined_u: | + | --------------------------------------- |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| - | -rw-r--r--. 1 root root unconfined_u: | + | |
| </ | </ | ||
| - | ====5.8 - Le fichier / | + | Dernièrement, |
| - | + | ||
| - | En cas de besoin il est intéressant de pouvoir restaurer | + | |
| < | < | ||
| - | [root@centos8 | + | [root@centos8 |
| - | + | Name State | |
| - | [root@centos8 tmp]# shutdown | + | ------------------------------------------------------------------------------------------ |
| + | | ||
| </ | </ | ||
| - | |||
| - | ====5.9 - La commande semanage==== | ||
| - | |||
| - | La commande **semanage** peut prendre plusieurs options : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# semanage --help | ||
| - | usage: semanage [-h] | ||
| - | {import, | ||
| - | ... | ||
| - | |||
| - | semanage is used to configure certain elements of SELinux policy with-out | ||
| - | requiring modification to or recompilation from policy source. | ||
| - | |||
| - | positional arguments: | ||
| - | {import, | ||
| - | import | ||
| - | export | ||
| - | login | ||
| - | confined users | ||
| - | user Manage SELinux confined users (Roles and levels for an | ||
| - | SELinux user) | ||
| - | port Manage network port type definitions | ||
| - | ibpkey | ||
| - | ibendport | ||
| - | interface | ||
| - | module | ||
| - | node Manage network node type definitions | ||
| - | fcontext | ||
| - | boolean | ||
| - | permissive | ||
| - | dontaudit | ||
| - | |||
| - | optional arguments: | ||
| - | -h, --help | ||
| - | </ | ||
| - | |||
| - | Pour illustrer l' | ||
| - | |||
| - | %%SELinux%% gère aussi l' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# semanage port -l | grep http | ||
| - | http_cache_port_t | ||
| - | http_cache_port_t | ||
| - | http_port_t | ||
| - | pegasus_http_port_t | ||
| - | pegasus_https_port_t | ||
| - | </ | ||
| - | |||
| - | Notez que le serveur apache est autorisé à utiliser les ports suivants : | ||
| - | |||
| - | < | ||
| - | http_port_t | ||
| - | </ | ||
| - | |||
| - | Dans le cas où on souhaite qu' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# semanage port -a -t http_port_t -p tcp 8090 | ||
| - | </ | ||
| - | |||
| - | Vous noterez que le port 8090 a été ajouté à la liste des ports reconnus comme valides par %%SELinux%% : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# semanage port -l | grep http | ||
| - | http_cache_port_t | ||
| - | http_cache_port_t | ||
| - | http_port_t | ||
| - | pegasus_http_port_t | ||
| - | pegasus_https_port_t | ||
| - | </ | ||
| - | |||
| - | ====5.10 - La commande audit2allow==== | ||
| - | |||
| - | La création d'un module de politique personnalisé se fait en utilisant la commande **audit2allow**. L' | ||
| - | |||
| - | * la résolution du problème n'est pas possible en utilisant une des commandes précédemment citées, | ||
| - | * il n' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# audit2allow --help | ||
| - | Usage: audit2allow [options] | ||
| - | |||
| - | Options: | ||
| - | --version | ||
| - | -h, --help | ||
| - | -b, --boot | ||
| - | -a, --all read input from audit log - conflicts with -i | ||
| - | -p POLICY, --policy=POLICY | ||
| - | Policy file to use for analysis | ||
| - | -d, --dmesg | ||
| - | --input | ||
| - | -i INPUT, --input=INPUT | ||
| - | read input from < | ||
| - | -l, --lastreload | ||
| - | -r, --requires | ||
| - | -m MODULE, --module=MODULE | ||
| - | set the module name - implies --requires | ||
| - | -M MODULE_PACKAGE, | ||
| - | generate a module package - conflicts with -o and -m | ||
| - | -o OUTPUT, --output=OUTPUT | ||
| - | append output to < | ||
| - | -D, --dontaudit | ||
| - | -R, --reference | ||
| - | -N, --noreference | ||
| - | -v, --verbose | ||
| - | -e, --explain | ||
| - | -t TYPE, --type=TYPE | ||
| - | regex | ||
| - | --perm-map=PERM_MAP | ||
| - | --interface-info=INTERFACE_INFO | ||
| - | file name of interface information | ||
| - | -x, --xperms | ||
| - | --debug | ||
| - | -w, --why | ||
| - | of why the access was denied | ||
| - | </ | ||
| - | |||
| - | Pour illustrer l' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# mkdir /www1 | ||
| - | [root@centos8 ~]# touch / | ||
| - | </ | ||
| - | |||
| - | Éditez le fichier **/ | ||
| - | |||
| - | < | ||
| - | [...] | ||
| - | # DocumentRoot "/ | ||
| - | DocumentRoot "/ | ||
| - | [...] | ||
| - | </ | ||
| - | |||
| - | Ajoutez les section **< | ||
| - | |||
| - | < | ||
| - | ... | ||
| - | # | ||
| - | # Relax access to content within /var/www. | ||
| - | # | ||
| - | < | ||
| - | AllowOverride None | ||
| - | # Allow open access: | ||
| - | Require all granted | ||
| - | </ | ||
| - | |||
| - | < | ||
| - | Options Indexes FollowSymLinks | ||
| - | AllowOverride None | ||
| - | Require all granted | ||
| - | </ | ||
| - | |||
| - | # Further relax access to the default document root: | ||
| - | < | ||
| - | ... | ||
| - | </ | ||
| - | |||
| - | Créez le fichier **/ | ||
| - | |||
| - | < | ||
| - | [root@centos7 ~]# vi / | ||
| - | [root@centos7 ~]# cat / | ||
| - | < | ||
| - | < | ||
| - | This is a test | ||
| - | </ | ||
| - | < | ||
| - | www test page | ||
| - | </ | ||
| - | </ | ||
| - | </ | ||
| - | |||
| - | Modifiez ensuite le propriétaire et le groupe du répertoire **/www1** et son contenu : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# chown -R apache: | ||
| - | </ | ||
| - | |||
| - | Redémarrez le service httpd : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# systemctl restart httpd.service | ||
| - | [root@centos8 ~]# systemctl status httpd.service | ||
| - | ● httpd.service - The Apache HTTP Server | ||
| - | | ||
| - | | ||
| - | Docs: man: | ||
| - | Main PID: 51662 (httpd) | ||
| - | | ||
| - | Tasks: 213 (limit: 23535) | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | |||
| - | Sep 05 09:35:28 centos8.ittraining.loc systemd[1]: Starting The Apache HTTP Server... | ||
| - | Sep 05 09:35:28 centos8.ittraining.loc systemd[1]: Started The Apache HTTP Server. | ||
| - | Sep 05 09:35:28 centos8.ittraining.loc httpd[51662]: | ||
| - | </ | ||
| - | |||
| - | Consultez le site localhost en utilisant **lynx** : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# lynx localhost | ||
| - | </ | ||
| - | |||
| - | Le fichier **/ | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# cat / | ||
| - | type=AVC msg=audit(1630846645.968: | ||
| - | type=AVC msg=audit(1630846646.078: | ||
| - | type=AVC msg=audit(1630846646.094: | ||
| - | type=AVC msg=audit(1630846646.160: | ||
| - | type=AVC msg=audit(1630846646.160: | ||
| - | type=AVC msg=audit(1630846646.161: | ||
| - | type=AVC msg=audit(1630846646.163: | ||
| - | type=AVC msg=audit(1630846646.163: | ||
| - | type=AVC msg=audit(1630846646.163: | ||
| - | type=AVC msg=audit(1630846646.163: | ||
| - | type=AVC msg=audit(1630846646.164: | ||
| - | type=AVC msg=audit(1630846646.164: | ||
| - | type=AVC msg=audit(1630846646.165: | ||
| - | type=AVC msg=audit(1630846646.165: | ||
| - | type=AVC msg=audit(1630846655.174: | ||
| - | type=AVC msg=audit(1630846665.186: | ||
| - | type=AVC msg=audit(1630846675.198: | ||
| - | type=AVC msg=audit(1630846685.209: | ||
| - | type=AVC msg=audit(1630846695.221: | ||
| - | type=AVC msg=audit(1630846705.233: | ||
| - | type=AVC msg=audit(1630846715.244: | ||
| - | type=AVC msg=audit(1630846725.256: | ||
| - | type=AVC msg=audit(1630846735.268: | ||
| - | type=AVC msg=audit(1630846745.279: | ||
| - | type=AVC msg=audit(1630846755.290: | ||
| - | type=AVC msg=audit(1630846765.302: | ||
| - | type=AVC msg=audit(1630846775.313: | ||
| - | type=AVC msg=audit(1630846785.325: | ||
| - | type=AVC msg=audit(1630846795.337: | ||
| - | type=AVC msg=audit(1630846805.348: | ||
| - | type=AVC msg=audit(1630846925.487: | ||
| - | type=AVC msg=audit(1630846985.607: | ||
| - | type=AVC msg=audit(1630847051.967: | ||
| - | type=AVC msg=audit(1630847051.967: | ||
| - | type=AVC msg=audit(1630847051.967: | ||
| - | type=AVC msg=audit(1630847051.967: | ||
| - | type=AVC msg=audit(1630847065.699: | ||
| - | type=AVC msg=audit(1630847265.927: | ||
| - | type=AVC msg=audit(1630847536.237: | ||
| - | type=AVC msg=audit(1630847736.467: | ||
| - | type=AVC msg=audit(1630848237.039: | ||
| - | type=AVC msg=audit(1630848287.098: | ||
| - | type=AVC msg=audit(1630848767.654: | ||
| - | type=AVC msg=audit(1630848928.625: | ||
| - | type=AVC msg=audit(1630848972.446: | ||
| - | type=AVC msg=audit(1630848972.446: | ||
| - | type=AVC msg=audit(1630848972.446: | ||
| - | type=AVC msg=audit(1630848972.446: | ||
| - | type=AVC msg=audit(1630849007.711: | ||
| - | </ | ||
| - | |||
| - | A l'aide de la commande grep, il convient maintenant d' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# grep httpd_t / | ||
| - | </ | ||
| - | |||
| - | L' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# cat httpdlocal.te | ||
| - | |||
| - | module httpdlocal 1.0; | ||
| - | |||
| - | require { | ||
| - | type httpd_t; | ||
| - | type default_t; | ||
| - | class capability net_admin; | ||
| - | class file { getattr map open read }; | ||
| - | } | ||
| - | |||
| - | # | ||
| - | |||
| - | #!!!! This avc can be allowed using the boolean ' | ||
| - | allow httpd_t default_t: | ||
| - | allow httpd_t default_t: | ||
| - | allow httpd_t self: | ||
| - | </ | ||
| - | |||
| - | L' | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# grep httpd_t / | ||
| - | ******************** IMPORTANT *********************** | ||
| - | To make this policy package active, execute: | ||
| - | |||
| - | semodule -i httpdlocal.pp | ||
| - | </ | ||
| - | |||
| - | Chargez maintenant le module dans la politique %%SELinux%% : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# semodule -i httpdlocal.pp | ||
| - | </ | ||
| - | |||
| - | Vérifiez que le module est chargé : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# semodule -l | grep httpd | ||
| - | httpdlocal | ||
| - | </ | ||
| - | |||
| - | Redémarrez le service httpd : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# systemctl restart httpd.service | ||
| - | [root@centos8 ~]# systemctl status httpd.service | ||
| - | ● httpd.service - The Apache HTTP Server | ||
| - | | ||
| - | | ||
| - | Docs: man: | ||
| - | Main PID: 52079 (httpd) | ||
| - | | ||
| - | Tasks: 213 (limit: 23535) | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | |||
| - | Sep 05 09:42:18 centos8.ittraining.loc systemd[1]: Starting The Apache HTTP Server... | ||
| - | Sep 05 09:42:18 centos8.ittraining.loc systemd[1]: Started The Apache HTTP Server. | ||
| - | Sep 05 09:42:18 centos8.ittraining.loc httpd[52079]: | ||
| - | </ | ||
| - | |||
| - | Videz le fichier **/ | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# rm -rf / | ||
| - | [root@centos8 ~]# touch / | ||
| - | [root@centos8 ~]# chmod 600 / | ||
| - | [root@centos8 ~]# ls -l / | ||
| - | -rw-------. 1 root root 0 Sep 5 09:43 / | ||
| - | </ | ||
| - | |||
| - | Consultez le site localhost : | ||
| - | |||
| - | < | ||
| - | [root@centos8 ~]# lynx localhost | ||
| - | </ | ||
| - | |||
| - | Constatez que la consultation ne génère plus de messages de type **AVC** : | ||
| < | < | ||
| - | [root@centos8 ~]# cat /var/log/audit/audit.log | + | [root@centos8 ~]# df -h /var/lib/libvirt/ |
| - | [root@centos8 ~]# | + | Filesystem |
| + | / | ||
| </ | </ | ||
| ----- | ----- | ||
| - | < | + | Copyright © 2022 Hugh Norris. |
| - | <div align=" | + | |
| - | Copyright © 2021 Hugh Norris.< | + | |
| - | </ | + | |
| - | </ | + | |
