ISE-311 (Spring 2010)
Homework Assignment #2
Handout number 4
(100 points, 20% of your overall grade)
Version 2b (3/23/2010)
Due Thursday 4/15/2010 @ 11:59pm

* PURPOSE:

To learn about security: firewalls, encryption, authentication, and
authorization.

* TASK:

This assignment has five sub-tasks: Linux Fedora Core installation, set up
file-based log encryption, set up MySQL and a trouble-ticketing system, set
up SUDO, set up a firewall, and document your work. They are described in
detail below.

1. Install Fedora Core 12 [10 pts].

   You can use the ISO image in /home/ise311/Fedora-12-i386-DVD.iso.

   Use the partitions as follows:

	/	small enough to fit what you need (use HW1 as an estimate)
	swap	128MB max
	/var	500MB max

   Use the hostname based on your OSLAB username (you can find it by typing
   "id"). If your username is, say, 'ezk', then your assigned hostname is
   ezk.oslab.cs.sunysb.edu. You will have to configure your machine with
   your specific IP address, which you can find using, for example:

	$ host ezk.oslab.cs.sunysb.edu

   Use 130.245.127.1 for default route and default DNS server. Be sure to
   pick a /24 netmask (i.e., 255.255.255.0). Be sure to run the 'host'
   command on one of the vmpool machines, NOT inside your VM.

   Note: your installed Linux system should be as small as it can be, fully
   up-to-date and patched (as with HW1).

2. Set up encrypted /var/log [20 pts]

   Use eCryptfs from FC12 to encrypt the files in /var/log, so all your
   system logs are protected.

3. Set up Bugzilla (BZ) Bug-tracking system [20 pts]

   Any good IT site will have a system to track problems and/or tickets that
   users submit. A bug-tracking system like BZ is one form of such a system.

   Put in /root/README any info needed re: passwords, users, accounts.
   Logs should be in /var/log, encrypted.

   You will need a secure Web server to access Bugzilla. Also, Bugzilla
   uses MySQL as its backend. You'll have to set it up.
   Test that your BZ system works: check that you can insert a dummy bug
   report, update it, and close it.

   Note, you may have to use yum to install the bugzilla package.

4. Set up SUDO [15 pts]

   Copy the entries for users ezk, zhicli, borhan, and yourself from oslab
   to the /etc/passwd of your VM (instructor, TAs, and you). Run this on
   your oslab login (not inside your VM):

	$ ypcat passwd | egrep -i "(ezk|zhicli|mduddin|$USER)"

   Then cut and paste those entries to the end of your /etc/passwd INSIDE
   your VM.

   Then, set up "sudo" to allow those users to log in as themselves, then
   "sudo" to root or to any action needed. This would eliminate the need to
   give out a root password. In fact, you can now set up whatever root
   password you want and not give it to the TAs.

5. Set up firewall [25 pts]

   Set up your secure Web server to run not on port 443, but on port 10000.
   Bugzilla should use this secure Web site, under the URL
   https://ezk.oslab.cs.sunysb.edu/bugzilla/ (replace 'ezk' with your userID
   based on your hostname).

   Set up your SSH server to run not on port 22, but on port 130.

   Set up a firewall to allow:

   - incoming https access from anywhere (port 10000)
   - incoming ssh access only from campus networks (130.245.0.0/16 and
     129.49.0.0/16). Port 130 only.
   - anything else needed for proper system functioning and NO MORE
   - nothing else should be allowed in.

   Disallow outgoing email connections (port 25) to prevent infected
   machines from spamming the Internet.

6. /root/README [20 pts]

   Describe the steps you took in text file /root/README, any sources of
   info you found on the Internet, etc. 1-2 pages max.

* SUBMISSION

To submit, you will execute a script which will make a copy of your virtual
machine for us to run. The script archives and compresses your VM using GNU
tar, then emails you and the instructor a short log to let you know what was
submitted, how large, and when.
To determine if you submitted on time, we will use the last modification
time of the submitted archive and the email message which is sent at the END
of submission.

Follow these instructions:

1. Shutdown your VM.
2. Delete all snapshots to ensure that your VM is as small as it can be.
3. Run the script /home/ise311/submit-hw2.sh and follow the instructions.

Notes:

- The larger your VM is, the longer it'll take to submit it, so keep it as
  small as you can. Copying several gigabytes of data can easily take 10-15
  minutes, more if the system is overloaded while everyone's submitting at
  the same time.

- Deleting snapshots can take a long time, esp. if you have many of them.
  So don't start this five minutes before the deadline. While it is a good
  idea to keep snapshots you can revert to, once you are sure that something
  you did worked, you can delete the snapshots before that point. In other
  words, keep only a few snapshots for the most recent unstable changes
  you've done. Once you're sure you've gotten a part of the system working,
  you can delete previous snapshots. For the final submission, however,
  remove all snapshots to save space.

- I prefer no snapshots in submissions, but if you keep 1-2, that's fine. I
  don't want to see a large number of huge snapshots (5+ taking many
  gigabytes of space).

- You may submit as many times as you want, but we will grade only the last
  one submitted (with late-submission penalties as appropriate).

* EXTRA CREDIT (OPTIONAL, total 10 points)

[A] Set up encrypted / (root) disk [10 pts]

    Use disk-based encryption to encrypt the entire "/" disk with a given
    key. This partition will be used to store the Bugzilla subsystem. This
    can be done at FC12 install time. Pick a reasonably strong encryption
    system.

[B] Encrypt all files in /var/log (not just new ones) [5 pts]

    To TAs: I promised this to the class in email to the ML.

[C] Early submission.

    Anyone submitting by 4/13/2010 at 11:59pm gets an extra 5 points of
    extra credit.

Good luck.
* Change History:

2/21/2010: first version
3/1/2010: revised.
3/3/2010: correct "/data" and "RT" typos in EC.
3/23/2010: clarify where to run 'host'
4/10/2010: correct username for one TA
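
Added example for task 5 (not part of the original handout and not the course's reference solution): a shell function that prints an iptables-restore ruleset for the firewall policy in task 5. The function name hw2_ruleset is hypothetical, and the default-DROP policy plus the loopback and established-connection rules are this example's assumption about what "proper system functioning" requires.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the task 5 policy.
# Ports and networks come from the handout; everything marked "assumed"
# is this example's reading of "anything else needed ... and NO MORE".

HTTPS_PORT=10000                              # secure Web server port (handout)
SSH_PORT=130                                  # SSH server port (handout)
CAMPUS_NETS="130.245.0.0/16 129.49.0.0/16"    # campus networks (handout)

hw2_ruleset() {
    printf '%s\n' "*filter"
    # Default-deny inbound and forwarded traffic ("nothing else allowed in").
    printf '%s\n' ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" ":OUTPUT ACCEPT [0:0]"
    # Assumed: loopback and replies to connections the host itself opened
    # (DNS lookups, yum updates) are needed for the system to function.
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    printf '%s\n' "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # HTTPS on the non-standard port, from anywhere.
    printf '%s\n' "-A INPUT -p tcp --dport $HTTPS_PORT -m state --state NEW -j ACCEPT"
    # SSH on the non-standard port: one rule per campus network.
    for net in $CAMPUS_NETS; do
        printf '%s\n' "-A INPUT -p tcp -s $net --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    done
    # Assumed: local mail delivery over loopback must keep working, so
    # accept loopback output before the SMTP block is evaluated.
    printf '%s\n' "-A OUTPUT -o lo -j ACCEPT"
    # Block outgoing SMTP; REJECT makes local clients fail immediately
    # instead of waiting for a timeout.
    printf '%s\n' "-A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
    printf '%s\n' "COMMIT"
}
```

Load the output of hw2_ruleset with iptables-restore as root; on Fedora the iptables service reads its saved rules from /etc/sysconfig/iptables.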