7 Embedded system design issues

7.1 System

Although embedded applications cover a very broad range, vary greatly in complexity, and carry individual requirements, the key issues remain common to all of them.
The key issues that the overall design of an embedded system must consider can be summarized into the following areas:
· in-depth analysis of the system, with a thorough understanding of the application and its needs;
· forming the overall scheme: selecting or building a development platform, completing the mapping of algorithms onto the architecture, and forming the hardware/software co-design programme;
· embedded processor selection;
· real-time operating system (RTOS) selection;
· selection or development of development tools (such as compilers and emulators);
· data path design;
· testability design;
· reusability design;
· establishing the simulation and verification environment;
· planning of the target nodes.

7.2 Embedded processor

The embedded processor is the application- and user-oriented core of the embedded system. Because it is application-oriented and industry-specific, and because of the differing applications and semiconductor processes, there are more than 1000 variants of embedded processors. They can be divided into:
· embedded microprocessors: ARM, MIPS, PowerPC, 68000, 386EX;
· embedded microcontrollers: 8051, MC68HC05, MC68HC11, 68300, Am186, TMS320C2X;
· embedded DSP processors: TMS320 series, DSP56000 series;
· embedded SoC (system on chip): OMAP, M-Core.

7.3 Embedded processor development

As embedded applications expand (disk drives, mobile phones, PDAs, network switches, printers, and so on), defining the concept of "embedded" itself is becoming increasingly difficult. What is certain is that many embedded applications have ever-changing requirements in performance, cost, power consumption, and other indicators. To adapt to the different requirements of these applications, a variety of processors are also developing rapidly. The following takes the widely applied embedded ARM processor of the United Kingdom company ARM as an example for analysis.
Evolution of the ARM processor microarchitecture: over the past 10 years, the ARM processor developed from the simple ARM7TDMI core to the latest ARM11EJ-S core. Its major advances:
· from a simple three-stage to an 8-stage advanced pipeline architecture. Compared clock for clock, the performance difference is not significant.
· ARM11 is the high-performance series of the ARM family. ARM7 usually runs only at frequencies below 200MHz; in a 0.13 micron process, ARM11 runs at frequencies up to 500-700MHz, bringing more powerful ARM processor performance.
· increasing pipeline stages, together with structural and design improvements. The ARM1026EJ-S core has a return stack, which reduces the pipeline refresh time on subroutine return and improves system performance. ARM11 adds a combination of static and dynamic branch prediction.
· ARM11 supports single instruction multiple data (SIMD) instructions.

7.4 Real-time operating system (RTOS)

Software is one of the cores of an embedded system. Embedded systems often have real-time requirements, and real-time operating systems are simple and compact, among other characteristics; as a result, embedded systems often use an embedded real-time operating system. However, not every embedded real-time operating system supports every embedded processor. Therefore, the selection of the embedded processor must also consider the embedded real-time operating system. Common embedded real-time operating systems:
· VxWorks;
· OS-9;
· pSOS;
· QNX;
· VRTX;
· real-time operating systems based on Linux;
· real-time operating systems based on Windows;
· domestically developed real-time operating systems.

Linxu Security, the latest breaking news and information on security, linux, open source, firewalls
Monday, April 25, 2011
Linux operations command log
In a Linux terminal, to make it convenient to check for possible errors in our operations and to avoid the screen scrollback limit, we may record a log of the operations.
Common tools: screen, script, and tee.

1. screen — screen manager with VT100/ANSI terminal emulation
> screen -L
> (here is what we do)
> exit
After this, a file with a name similar to screenlog.0 is produced:
> more screenlog.0
so you can see what you have just done and find possible problems.

2. script — make typescript of terminal session
> script
> (our operations)
> exit
This generates a file named typescript:
> more typescript

3. tee — read from standard input and write to standard output and files
This command reads the terminal input and writes it both to the terminal and to a file. It can be used, for example, to record make commands, which produce a large amount of output to the terminal, by writing that output to a file. This way you can easily record a log of these commands:
> make 2>&1 | tee make.log
Of course, we can also redirect to a file:
> make > make.log
PS: 2>&1 also logs the error output. If you want to filter the control symbols, try the "col" command like this:
$ cat screenlog.0 | col -b > screenlog
or
$ cat typescript | col -b > scriptlog

CreateProcessW implementation on full control of process creation
【Preface】
While writing this document I met many problems. I would like to thank bkbll, SobeIt and a1rsupply for their pointers, and TCH for the hard work; only because of them was this document born. There may be some errors in this article, which are due to my own mistakes; if you have any comments, you are welcome to note them at http://www.itaq.org or e-mail zf35@citiz.net.

【Overview】
Controlling process creation on a server has great significance. By monitoring process creation, we can let permitted programs run correctly while the creation of programs that are not permitted fails; this can prevent the threat of unknown Trojans, viruses and worms to the server.
To achieve these purposes, you must hook the Windows APIs related to process creation. According to the records in "Inside Windows NT" and "Native API Reference", plus actual tracing with SoftICE, the Windows create-process API call procedure is as follows:
【Code】
CreateProcessA -> CreateProcessW -> CreateProcessInternalW -> ... -> finally calls ZwCreateProcess
In this document we use CreateProcessW to achieve our goal; of course, you can also use several of the other APIs. The code demonstrated in this document can be applied to arbitrary Ring3 functions with a few changes. There are many ways to hook an API; this article uses the approach of overwriting the function entry point to hook CreateProcessW. For more detailed information please refer to the article SobeIt wrote on some ways of hooking APIs on Windows.

【Copy-on-write】
In my initial test, I used SoftICE to rewrite the entry point code of CreateProcessW, and after pressing F5 to switch back to Windows I found that everything worked. But when I wrote a program to modify the entry point code of CreateProcessW, the changes were only valid for this process and had no effect on the other processes in the system. Tracing with SoftICE, I found that the virtual address of CreateProcessW in this process was mapped to a new physical address, different from that of the other processes. If you have read Webcrazy's "copy-on-write mechanism", it is not hard to see that this is the effect of the copy-on-write mechanism.
For the system DLLs, each DLL is mapped to the same virtual address in different processes, and these virtual addresses point to the same physical address, so that the system consumes the fewest resources. When a process tries to overwrite data in that physical memory, in order not to affect other processes the system automatically assigns new physical memory, copies the original data into it, performs the overwrite, and then remaps the virtual address of the overwriting process to the new physical memory, while the other processes remain mapped to the original physical memory. This is the "copy-on-write" technique. How, then, does the system determine when copy-on-write should be used? This is determined by the PTE of the virtual address: when the copy-on-write flag in the PTE is set, any write operation to that virtual address will cause a copy-on-write.

【Three viable approaches】
In order to achieve a global hook, we cannot be restricted by the copy-on-write mechanism. I thought of three approaches to achieving our aim.
1. Through a driver, modify the page table entry (PTE) attributes so that the virtual address of CreateProcessW loses its copy-on-write property; then a modification of the CreateProcessW entry point code in our own process takes effect for all processes in the system, enabling a global hook.
2. Through the object Windows itself provides for direct reading and writing of physical memory, \\phymem: first locate our own process's Eprocess (KTEB) (PS: for how to locate the Eprocess of an arbitrary process in Ring3, please refer to my earlier "Get process Eprocess"); from the Eprocess you can get the process's page directory; then use \\phymem to read the physical memory holding the page directory, simulate the operating system's virtual address -> physical address conversion to obtain the physical address corresponding to CreateProcessW, and use \\phymem to overwrite CreateProcessW directly, avoiding the copy-on-write mechanism.
3. Through the most conventional means: first enumerate all processes in the system, then use functions such as VirtualAllocEx, VirtualProtectEx and VirtualQueryEx to modify the page attributes of each process and allocate new space. Finally, write our code into the space of every process with WriteProcessMemory, and overwrite the CreateProcessW entrance with a Jmp ******** to our code, changing the function's flow of execution.

Of the above three methods, method 1 is only a concept and has not been realized; I will go back and try it, and masters are welcome to realize it and then mail me a copy of the code :P. For method 2 I have written complete code to implement it, but it is not discussed in this document, which would otherwise become very long; I will describe the specific implementation of that approach in a separate document. Method 3 is the focus of this article, and the following is a detailed description of it.

【Query the base address and attributes of CreateProcessW】
Here we use the function VirtualQueryEx, whose prototype is as follows:
SIZE_T VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength);
Parameter description:
HANDLE hProcess: handle of the process whose memory information you want to query
LPCVOID lpAddress: pointer to the memory region you want to query
PMEMORY_BASIC_INFORMATION lpBuffer: pointer to a MEMORY_BASIC_INFORMATION structure
SIZE_T dwLength: size of lpBuffer
After you call this function, the related information is stored in the structure pointed to by lpBuffer.

【Modify the page attributes of CreateProcessW】
A page has one of the following attributes:
PAGE_EXECUTE
PAGE_EXECUTE_READ
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_WRITECOPY
PAGE_NOACCESS
PAGE_READONLY
PAGE_READWRITE
PAGE_WRITECOPY
We modify the page attributes with VirtualProtectEx:
BOOL VirtualProtectEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
Parameter description:
HANDLE hProcess: process handle
LPVOID lpAddress: pointer to the memory region you want to modify
SIZE_T dwSize: size of the memory region to modify
DWORD flNewProtect: new page attributes
PDWORD lpflOldProtect: pointer to memory that receives the old page attributes
From the code later on we can see that in order to overwrite the function entry point code, we must give it the PAGE_EXECUTE_READWRITE attribute.

【Allocate free space in the process】
Modifying only the function entry point code is not enough; we must have some code written in to take over the work of CreateProcessW. As process space is isolated, in order to achieve a global hook we must provide each process with a piece of space to store our code. This uses the function VirtualAllocEx, whose prototype is as follows:
LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
Parameter description:
HANDLE hProcess: process handle
LPVOID lpAddress: pointer to the memory region to allocate
SIZE_T dwSize: size of the allocated region
DWORD flAllocationType: memory type
DWORD flProtect: attributes of the new memory
We use the WriteProcessMemory function to write code and data into the remote process; its prototype is as follows:
BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
Parameter description:
HANDLE hProcess: process handle
LPVOID lpBaseAddress: pointer to the address to write to
LPCVOID lpBuffer: pointer to the data to write
SIZE_T nSize: size of lpBuffer
SIZE_T *lpNumberOfBytesWritten: actual number of bytes written

【The magic in my compiler】
When I used WriteProcessMemory to write a function I had written myself, JmpToAddress, into the remote process space, regardless of the content of my JmpToAddress, what was written into the space was always the few bytes E9 ** ** ** **, which made me very confused; judging from the machine code, this is a relative jump instruction.
Where does it come from? To understand this problem I debugged it in VC: entering JmpToAddress in the watch window showed JmpToAddress at virtual address 0x00410XXX, and opening the memory window to view the content stored there showed the JmpToAddress code. This was strange: where did the mysterious E9 **** come from? So I asked a1rsupply, who told me that the Debug version of VC generates a jump table; the original player of the magic is the compiler. In order to write the code into the remote process correctly, we must calculate the real function address. The following is a piece of code I wrote to calculate the real function address:
__asm {
    pushad
    lea eax, JmpToAddress
    mov ecx, JmpToAddress
    shr ecx, 8
    add eax, ecx
    add eax, 5
    mov JmpAfterCalc, eax
    popad
}

【The address-positioning problem】
In writing the code I encountered another big question: how to locate the address. I wrote the JmpToAddress() function as follows:
void __declspec(naked) JmpToAddress(void)
{
    __asm jmp [HookedAddr]
}
In the local process this code has no problem, but when it is written to the remote process problems arise. Let us take a look at its assembly code:
jmp [00401Cxxx]
Note that in this process the virtual address 00401Cxxx is where HookedAddr is stored, but in the remote process this address points to something else, and jumping there will produce unexpected results. To achieve the correct behaviour, we write the content of HookedAddr into the remote process with WriteProcessMemory, and then reference it with a relative address:
void __declspec(naked) JmpAddress(void)
{
    __asm call flag
flag:
    __asm pop eax
    __asm add eax, 0x0e
    __asm mov ebx, [eax]
    __asm jmp ebx
}
After pop eax, eax holds the virtual address of this instruction; adding a fixed value, [eax] is what was written through WritePr

Firefox upgrade: System Administrator security considerations
Mozilla's Firefox is recognized not only as an excellent browser, but also as having a very high safety factor.
Many institutions that have used Internet Explorer or ActiveX technology are preparing to change to Firefox because of its security and ease of operation. A high safety factor does not mean that Firefox can shield all viruses or has no security vulnerabilities. For the most recent version, Mozilla has issued a series of upgrade packages for 1.0 to make up for Firefox security vulnerabilities, and in the latest version, 1.0.6, a series of code vulnerabilities has been fixed. The problem, however, is whether an organization's network administrator needs to constantly track Firefox version updates and keep pace with them. In general, two situations can be distinguished: one is the personal case, the system's end user, a desktop user responsible for updating their own system, whom we call a power user. The other case is software installed and controlled by system administrators, where the end user only has permission to run the program and cannot remove the installation; we call this Joe User.

1. Power users
In Firefox's default settings, it checks once a day for a new core program or plug-in. When Firefox finds an upgrade that can be installed, a green arrow appears next to the throbber, the icon in the upper right corner of the browser that blinks during downloads. If the user clicks on the green arrow, Firefox starts downloading the latest version, and before beginning the installation Firefox prompts the user to close the browser. In short, power users carry out the upgrade and installation themselves as needed. For an experienced user these operations are no bother. On the other hand, if your environment requires that users not install programs on the system, then this convenience and freedom is a problem.

2. Joe Users
Firefox is written as a cross-platform application, so on Windows it does not automatically upgrade through a central authentication system, nor does it automatically take on new product configurations in the enterprise. This has always been considered one of the biggest flaws of Firefox. At the same time, there is the problem that Firefox users cannot change system settings, because many Firefox settings are not kept in the registry but exist only as text. FrontMotion's recent Mozilla Firefox MSI is considered the most comprehensive solution to the problem, and has therefore been installed by a large number of users. MSIs (Microsoft Installer packages) issue a series of directives at install time so that the MSI is installed as a whole unit on each computer. MSIs have many advantages: their deployment mode is convenient for many administrators, and at the same time they can first detect whether a Firefox process is running during the upgrade and prompt the user to close it. More conveniently, FrontMotion has also created a Firefox community to help administrators configure Firefox downloads through Active Directory settings; if you are just starting to deploy and use Firefox in your organization and want to rely on existing systems rather than a specific solution, you can get help in the Firefox community. In addition, Bob Templeton's FFDeploy script package is also a good choice. It is easier to configure because it uses VBS scripts, which programmers can easily modify to configure a Firefox image. This is a relatively simple way, since it avoids the complexity of deploying Firefox in a managed environment.

Linux system: some su command security recommendations
First of all, let us look at the explanation of su in the man help page: su - run a shell with substitute user and group IDs. That is to say, even if we do not provide a user and group name to su, it starts a shell program.
su is a binary executable file; its path is /bin/su. The following queries the su file type and path from the command line:

Case study 1:
islab $ which su
/bin/su

Case study 2:
islab $ file /bin/su
/bin/su: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, stripped

Case study 3:
islab $ ll /bin/su
-rwsr-xr-x 1 root root 24060 Jan 10 2007 /bin/su

From the output of file and ll we can see that su is a setuid program (the setuid bit can be set with chmod u+s; in the ls listing the owner execute position of the su file shows the setuid bit). In this case you can obtain privileges higher than your own from su: when you run su, your permissions are promoted to the equivalent of root. From the output of file we can also see that the type is ELF 32-bit LSB shared object (with the setuid bit set), which means that the program requires the libc function library, requires the ELF interpreter, and complies with the LSB specification.

Question 1: Can a normal user copy the su command from another machine?
Answer: They can copy the su command from another machine, but they will not be able to give su the correct permission settings, such as chown root and chmod u+s. So the copied su will not work correctly.

Question 2: How to prevent normal users from executing the su command?
Answer:
1) You can set up a special group so that only members of the group can execute the su command:
islab # groupadd wheel
islab # useradd wheel
islab # chown root:wheel /bin/su
islab # chmod 4750 /bin/su
2) Only the root user can execute the su command:
islab # chmod 4700 /bin/su
3) Through the PAM library, require wheel group membership to execute the su command. The following example adds the account zhaoke to the wheel group:
islab # groupadd wheel
islab # useradd wheel
islab # usermod -G wheel zhaoke
islab # ll /lib/security/pam_wheel.so
-rwxr-xr-x 1 root root 5692 Feb 22 2007 /lib/security/pam_wheel.so
islab # vi /etc/pam.d/su
Add the following line:
auth required /lib/security/pam_wheel.so use_uid
then save and exit the su profile.
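The following is an added example, not part of the original post, that audits the two controls recommended in the answer to Question 2: the mode and group owner of /bin/su (4700, or 4750 owned by group wheel), and an active pam_wheel line in /etc/pam.d/su. The check functions take their input as arguments so they can be run offline against constructed data; audit_live, which reads the real host, assumes GNU stat with -c %a and -c %G. The sample PAM contents below are constructed to mirror the post's example line.

```shell
#!/bin/sh
# Added example (not from the original post): audit the su hardening that the
# answers above recommend. Checks take their input as arguments so they can run
# against constructed data offline as well as against a live host.

# su_mode_ok MODE GROUP
#   MODE  - 4-digit octal mode of /bin/su as printed by "stat -c %a" (GNU stat)
#   GROUP - group owner of /bin/su
# Passes for the two recommended settings: 4700 (root only), or 4750 with the
# file owned by group wheel (chown root:wheel + chmod 4750). Anything that
# leaves "other" with execute permission (e.g. the common default 4755) fails.
su_mode_ok() {
    mode=$1
    group=$2
    case "$mode" in
        4700) return 0 ;;
        4750) [ "$group" = "wheel" ] && return 0 ;;
    esac
    return 1
}

# pam_wheel_ok PAM_SU_CONTENT
# Passes when the given contents of /etc/pam.d/su contain an active
# (uncommented) "auth required ... pam_wheel.so" line, as in answer 3.
pam_wheel_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so'
}

# audit_live: run both checks against the running system (GNU stat assumed).
audit_live() {
    mode=$(stat -c %a /bin/su) || return 1
    group=$(stat -c %G /bin/su) || return 1
    if su_mode_ok "$mode" "$group"; then
        echo "/bin/su mode $mode group $group: restricted"
    else
        echo "/bin/su mode $mode group $group: any user may run su"
    fi
    if pam_wheel_ok "$(cat /etc/pam.d/su 2>/dev/null)"; then
        echo "/etc/pam.d/su: pam_wheel enforced"
    else
        echo "/etc/pam.d/su: pam_wheel not enforced"
    fi
}

# Constructed sample /etc/pam.d/su contents mirroring the post's example line.
SAMPLE_PAM_SU='#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
auth       include      system-auth'

# The same file with the pam_wheel line commented out, as many distributions ship it.
SAMPLE_PAM_SU_OFF='#%PAM-1.0
auth       sufficient   pam_rootok.so
#auth      required     /lib/security/pam_wheel.so use_uid
auth       include      system-auth'

# Audit the real host only when explicitly asked: sh audit_su.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Note that a mode of 4750 with any group other than wheel is reported as weak: the setuid bit is still set, but the wrong group decides who may run su.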
Question 3: Although the average user is unable to execute the su command, is it still possible to obtain the root password through brute force attacks?
Answer: A normal user can carry out brute force attacks on the root account through the shell or ssh. We can consider a number of security tools such as pam_abl to protect ssh; pam_abl can temporarily block an account after failed logins within a set time. Of course, normal users can also elevate privileges through program vulnerabilities such as buffer overflows.

Friday, April 15, 2011
Embedded Linux in industrial control applications
4.2 Software design

The embedded operating system is the core of the entire embedded system.
As mentioned earlier, the memory and storage capacity of the embedded system is limited, so Linux must be cut down for it. The cutting process mainly involves the following technologies.

(1) Streamlining the kernel. The standard Linux kernel is oriented to the PC and integrates many features that a PC needs and an embedded system does not. Since function blocks can be added or removed independently, you can compile the kernel with only the function modules the embedded system needs and remove the unnecessary ones; the recompiled kernel is then significantly smaller.

(2) Shielding the virtual memory system. Analysis found that virtual memory is the leading reason the real-time performance of Linux is not strong. In industrial control, certain tasks must meet certain real-time requirements, and shielding the kernel's virtual memory management mechanism enhances the real-time performance of Linux. When you want to change a kernel mechanism, you generally do not have to write code on a large scale; you can use conditional compilation. At the same time, since the Linux scheduling algorithm allocates time to application processes fairly, it cannot guarantee the system's real-time requirements and must be changed. There are two ways to change it: one through POSIX, the other through low-level programming. The author uses the Linux real-time named pipe (FIFO) for special handling of the real-time task queue ordering. In fact, a real-time named pipe, like a real-time task, is never swapped out, so the swapping of memory pages and the uncertainty caused by its delay are dramatically reduced.

(3) Writing device drivers. Device drivers determine the basic functionality of the kernel. A driver for a specific device can be written following the rules for writing Linux drivers.
A device driver should have the following functions:
• initialization and release;
• the two functions of delivering data from the kernel to the hardware device and reading data from the hardware;
• reading the data the application passes to the device file, and echoing back the data the application requests;
• detecting and handling device errors.

(4) Developing a Flash-based JFFS2 file system. Applications and critical data are typically stored as files in the Flash file system. JFFS2 is a log-structured file system, which means that it is essentially a long list of nodes, each containing information about part of a file. JFFS2 is specifically designed for embedded devices built on flash chips, so its entire design provides better Flash management, an advantage other file systems cannot match. Its advantages are as follows:
● JFFS2 performs Flash erase/write/read operations at sector level better than the Ext2 file system.
● JFFS2 provides better crash/power-down protection than Ext2fs. When you want to change a small amount of data, the Ext2 file system copies the entire sector into memory (DRAM), merges the new data in memory and then writes the entire sector back. JFFS2, however, changes only what is needed (without overwriting the entire sector), and also has crash/power-down safety.

After the above steps are implemented, a mini Linux operating system is constructed. Its structure includes process management, memory management and file management, etc. It supports multiple tasks in parallel and has a complete TCP/IP protocol stack, while the built-in Linux support for Ethernet controllers means it can be connected to Ethernet for remote configuration and monitoring. To port the cut-down kernel to the target board, first compile the kernel into target code for the processor. Because the boot code differs between hardware systems, some kernel code may need to be rewritten.
This involves writing the Linux boot code and modifying the related architecture-specific code, mainly boot, memory management and interrupt handling. The company uses the M-Systems DOC2000 as the system boot device, so the boot code can be placed in the DOC. When the system is powered on, the boot code performs basic hardware initialization, then loads the kernel image into memory and runs it; finally, the debugged kernel and applications are programmed into Flash memory. Once this cut-down Linux has been successfully ported to the target platform, so that the development system starts and runs, you can develop specific applications on it, such as a data acquisition module, a data processing module, a communications and data dissemination module, and so on.

5 Conclusion

Today, Internet applications are moving to the embedded device as their center, so combining industrial control systems with the Internet is an inevitable trend. This article builds an embedded Linux kernel on an embedded microprocessor system based on the StrongARM SA1110 32-bit MCU, then constructs the TCP/IP network protocols and basic network communication protocols, uses the embedded operating system's support for the underlying hardware and network protocols, and, for the real-time requirements of industrial control systems, transforms the Linux kernel and virtual memory mechanisms so that control tasks complete in real time and reliably. It is foreseeable that this programme has good prospects in the field of industrial control, with a short development cycle, stable and reliable performance, and adaptability.

Linux + NT OS Loader mini-HOWTO translation edition
1. Abstract
2. How does the NT OS Loader work?
3. How to install Windows NT and Linux on the same system
3.1. Install Windows NT
3.2. Partitioning
3.3. Install Linux
3.4. Lilo
4. Bootpart
5. Linux part of the work
6. Windows NT part of the work
7. Do it again
8. Troubleshooting
9. Other
9.1. References
9.2. Thanks
9.3. Feedback
9.4. Translator's addition: starting FreeBSD with NT Loader

1. Abstract
This document describes how to start Linux using the Windows NT boot loader. The procedure has been tested on Windows NT 4.0 Workstation Edition and Linux 2.0.

2. How does the NT OS Loader work?
The NT OS loader reads the boot sector of another operating system from a file, then starts the selected operating system, that is, either a different configuration of Windows NT or any other operating system.

3. How to install Windows NT and Linux on the same system

3.1. Install Windows NT
First install Windows NT. If you want to use NTFS as the file system of your Windows NT partition, remember that the current version of Linux is unable to access NTFS partitions; an alpha version of a driver that can read NTFS partitions can be found at http://www.informatik.hu-berlin.de/~loewis/ntfs. You can create another FAT partition for data interchange, or you can use DOS-formatted floppy disks.

3.2. Partitioning
Another mini-HOWTO recommends not using NT's "Disk Administrator" to build the Linux swap and root partitions, because it leaves some space; I also recommend using Linux fdisk.

3.3. Install Linux
Boot from the floppy disks and set up the Linux swap and root partitions. fdisk will report NTFS partitions as HPFS partitions; this is normal. Start Linux again from the floppy and set up Linux according to your preferences. During the installation, when it asks about the HPFS partition it found, it is recommended that you ignore it.

3.4. Lilo
When you do the Lilo installation part, specify your Linux root partition as your boot device, because your hard disk's master boot record (MBR) now belongs to Windows NT.
This means that the root and boot entries in your /etc/lilo.conf will have the same value. If you have one IDE hard disk and your Linux partition is the second partition, the boot entry in your /etc/lilo.conf will look like:
boot=/dev/hda2
If you have two drives and your Linux lies on the first partition of the second disk, the boot entry in your /etc/lilo.conf will look like:
boot=/dev/hdb1
Run lilo for the kernel matching your system. If you are not sure, boot from the floppy to examine the kernel. If you are unable to start Windows NT, you are in trouble; I hope that you have made a recent repair floppy.

4. Bootpart
There is an NT program called Bootpart, written by G. Vollant, that can do the following two points for you. Bootpart: http://ourworld.compuserve.com/homepages/gvollant/bootpart.htm. If you want to know how it operates, see the steps described in sections 5 and 6.

5. Linux part of the work
You must start Linux from the floppy until NT is working. Now you need to extract the boot sector of your Linux root partition into a file. If /dev/hda2 is your Linux partition, the dd command is:
# dd if=/dev/hda2 of=/bootsect.lnx bs=512 count=1
If your bootsect.lnx exceeds 512 bytes, something is amiss. Now copy the file bootsect.lnx to a DOS-formatted floppy disk, if this is your method of transferring files to the NTFS partition. To do the copy:
# mcopy /bootsect.lnx a:
or
# mount -t msdos /dev/fd0 /mnt
# cp /bootsect.lnx /mnt
# umount /mnt

6. Windows NT part of the work
Copy the file from the floppy to c:\bootsect.lnx. I will not tell you how to do it. (Translator: copy a:\bootsect.lnx c:\, it should be.) The counterpart of Linux's lilo.conf under Windows NT is c:\boot.ini.
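Section 5 above only notes that a bootsect.lnx larger than 512 bytes means something went wrong. The following added example, which is not part of the original HOWTO, checks the dd output more carefully before it is copied to the NT side: the file must be exactly 512 bytes and must end in the 0x55 0xAA boot signature that a LILO boot sector carries in its last two bytes. The helper make_sample_bootsect builds constructed sample files so the check can be exercised offline without a real partition.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: sanity-check a boot sector
# file produced with "dd if=/dev/hdXN of=/bootsect.lnx bs=512 count=1" before
# copying it to Windows NT. A valid boot sector is exactly 512 bytes long and
# ends in the signature bytes 0x55 0xAA.

# check_bootsect FILE
# Returns 0 if FILE is exactly 512 bytes and ends in 0x55 0xAA; otherwise
# prints the reason and returns 1.
check_bootsect() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne 512 ]; then
        echo "$f: size is $size bytes, expected 512 (check bs= and count=)"
        return 1
    fi
    # Last two bytes as lowercase hex, e.g. "55aa" (od -An -tx1 prints one
    # byte per value; tr removes the spacing and newline).
    sig=$(tail -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "$f: missing 0x55AA signature (got $sig), not a boot sector"
        return 1
    fi
    echo "$f: looks like a 512-byte boot sector"
    return 0
}

# make_sample_bootsect FILE SIGNED
# Constructed sample data for offline testing: 510 zero bytes followed by
# 0x55 0xAA when SIGNED is "yes", or 512 zero bytes otherwise.
make_sample_bootsect() {
    if [ "$2" = "yes" ]; then
        { head -c 510 /dev/zero; printf '\125\252'; } > "$1"
    else
        head -c 512 /dev/zero > "$1"
    fi
}

# Usage on a real file extracted as in section 5:
#   sh check_bootsect.sh /bootsect.lnx
if [ -n "${1:-}" ]; then
    check_bootsect "$1"
fi
```

Running the check on the file dumped from the floppy in section 8 works the same way, since that file is also a 512-byte boot sector.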
Before editing it, remove its system and read-only attributes with this command:
C:\> attrib -s -r c:\boot.ini
Now use an editor such as Notepad to change the boot.ini file like this:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation ..."
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation ..."
C:\BOOTSECT.LNX="Linux"
In this case only the last line was added. After saving boot.ini, restore its attributes with this command:
C:\> attrib +s +r c:\boot.ini
After you shut down Windows NT and restart, you should see something like this:
OS Loader V4.00
Please select the operating system to start:
Windows NT Workstation Version 4.0
Windows NT Workstation Version 4.0 [VGA mode]
Linux
Use ↑ and ↓ to move the highlight to your choice.
Press ENTER to choose.
Select Linux and you will see LILO loading zImage....

7. Do it again
Every time the boot sector of your Linux partition is modified, a new copy of bootsect.lnx must be transferred to C:\BOOTSECT.LNX. One example is when you install a new kernel with lilo, so you can see that such a system is not designed for testing kernels.

8. Troubleshooting
If things are not working as expected, check with a floppy whether you can boot. If /dev/hdb1 is your Linux partition, your /etc/lilo.conf has the following entries:
root=/dev/hdb1
boot=/dev/fd0
Insert a floppy and execute lilo. Now try to boot from the floppy. If Linux on /dev/hdb1 cannot be started this way, the NT OS loader will not be able to start it either. If you see a pile of 01010101, your root disk is not accessible. Check that all your disks are detected by the BIOS.
If you can boot your Linux partition from the floppy, you can use the following command to extract the boot sector for the NT OS Loader:

    # dd if=/dev/fd0 of=/bootsect.lnx bs=512 count=1

You can keep this floppy as a rescue floppy for when you run into Windows NT setup problems.

9. Other
9.1. References: The Linux + Windows NT mini-HOWTO; The FAQ for FreeBSD 2.X.
9.2. Thanks: thanks to Xiaoming Yi for pointing out that these procedures also work on a disk other than the first floppy; Frank Dennler provided the disk tips.
9.3. Feedback: comments are very welcome.
9.4. Translator's note on booting FreeBSD: because the translator's PC has FreeBSD 2.2 installed in addition to Windows NT 4.0 and Linux, I followed the steps above to see whether NTLoader could boot FreeBSD. My FreeBSD is installed on /dev/sda2 (FreeBSD's /dev/sd0s2). Following the above, I first saved the boot sector of /dev/sda2 into a file:

    # dd if=/dev/sda2 of=/bootsect.bsd bs=512 count=1

copied it to c:\, and added C:\BOOTSECT.BSD="FreeBSD" to boot.ini, but this method fails to boot FreeBSD! While thinking it over, and not giving up, it suddenly occurred to me that lilo can also boot FreeBSD. So I did the following experiment: after entering Linux, change /etc/lilo.conf to:

    boot=/dev/fd0
    install=/boot/boot.b
    vga=normal
    other=/dev/sda2
        label=FreeBSD
        table=/dev/sda
        loader=/boot/os2_d.b

put in a formatted floppy, then run lilo -v. Then save the floppy's boot sector into a file:

    # dd if=/dev/fd0 of=/bootsect.bsd bs=512 count=1

and put it in c:\. Remove the floppy and reboot; select FreeBSD in the NTLoader menu, and you see:

    LILO loading FreeBSD
    >> FreeBSD BOOT @ 0x10000: 639/65536k of memory
    Usage: [[[0:][fd](0,a)]/kernel][-abcCdrsv]
    Use 1:sd(0,a)/kernel to boot sd0 if it is BIOS drive 1
    Use ? for file list or press Enter for defaults
    Boot:
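As an added example that is not part of the HOWTO: the dd extraction step above together with the checks worth making before bootsect.lnx is copied to NT. NTLoader is handed exactly one 512-byte sector and a bootable sector ends with the bytes 55 AA, so a different size or signature means the copy did not come from a boot sector. A constructed image file stands in for /dev/hda2 so the script runs without touching a real disk.

```shell
#!/bin/sh
# Added example (not from the HOWTO): extract a boot sector as the text does
# with dd, then verify size and signature before handing it to NTLoader.

# extract_bootsect <device-or-image> <output-file>
# Copies the first 512 bytes, exactly as the HOWTO's dd command does.
extract_bootsect() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# check_bootsect <file>
# Prints "ok" and returns 0 when the file is exactly 512 bytes and ends in
# the 55 AA boot signature; otherwise prints the problem and returns 1.
check_bootsect() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -ne 512 ]; then
        echo "bad size: $size bytes (expected 512)"
        return 1
    fi
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "bad signature: $sig (expected 55aa)"
        return 1
    fi
    echo ok
}

# make_test_image <file> <1|0>
# Constructed stand-in for a partition: 4 KiB of zeros with "LILO" at the
# start and, when the second argument is 1, the 55 AA signature at offset 510.
make_test_image() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'LILO' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    if [ "$2" = 1 ]; then
        printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    fi
}

# Stand-alone run: a signed image passes, one without a signature is rejected.
img=$(mktemp) && out=$(mktemp)
make_test_image "$img" 1
extract_bootsect "$img" "$out"
check_bootsect "$out"
make_test_image "$img" 0
extract_bootsect "$img" "$out"
check_bootsect "$out" || echo "rejected, as expected"
rm -f "$img" "$out"
```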
CentOS 4.4 security settings: the most commonly used and most effective under Linux

1. CentOS (or Red Hat Enterprise Linux 4) users should first turn on SELinux by modifying /etc/selinux/config and setting SELINUX=enforcing. It can keep your system from being brought down by abnormal conditions. Some people think it should be shut off; I strongly recommend against that. Of course, if CentOS is only for playing with and not for an actual server, it does not matter.
2. Enable the iptables firewall; it has many benefits for system security. Set up firewall rules.
3. Run setup and turn off the services you do not need; keep in mind that the fewer services you open, the less risk.
4. Prohibit the Control-Alt-Delete shutdown command. In /etc/inittab, comment out this line (using #):

    ca::ctrlaltdel:/sbin/shutdown -t3 -r now

so that it reads:

    # ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To make the change take effect, enter:

    # /sbin/init q

5. Set execute permissions on the script files in /etc/rc.d/init.d, or turn off the startup of a program by setting the permissions of its script file:

    # chmod -R 700 /etc/rc.d/init.d/*

This means that only root is allowed to read, write and execute the script files.
6. Modify /etc/host.conf. /etc/host.conf explains how addresses are resolved. Edit it (vi /etc/host.conf) and add the following lines:

    # Lookup names via DNS first then fall back to /etc/hosts.
    order bind,hosts
    # We have machines with multiple IP addresses.
    multi on
    # Check for IP address spoofing.
    nospoof on

The first setting resolves IP addresses through DNS first and then through the hosts file. The second allows a host in /etc/hosts to have multiple IP addresses (for example, more than one Ethernet interface card). The third tells the resolver to log unauthorized spoofing against the local machine.
7. Make /etc/services immune. Protect /etc/services from unauthorized deletion or addition of services:

    # chattr +i /etc/services

8. Prevent your system from responding to any external or internal ping request. Since nobody can ping your machine and receive a response, you greatly enhance the security of your site.
You can add the following line to /etc/rc.d/rc.local so that it runs automatically at each boot:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

9. Set resource limits for all users on your system. This can prevent DoS-type attacks (denial of service attacks) by limiting the maximum number of processes, the amount of memory, and so on. For example, to restrict all users, edit /etc/security/limits.conf (vi /etc/security/limits.conf). In the following example, all users are limited to 10MB per session and four simultaneous logins. The third line disables core dumps for everyone. The fourth line removes all limits for the user bin. ftp is allowed 10 concurrent sessions (especially practical for an anonymous FTP account); members of the managers group are limited to 40 processes; developers have a 64MB memlock restriction; members of wwwusers cannot create files larger than 50MB.

Listing 3. Setting quotas and restrictions

    *            hard    rss         10000
    *            hard    maxlogins   4
    *            hard    core        0
    bin          -
    ftp          hard    maxlogins   10
    @managers    hard    nproc       40
    @developers  hard    memlock     64000
    @wwwusers    hard    fsize       50000

To activate these restrictions, add the following line at the bottom of /etc/pam.d/login:

    session required /lib/security/pam_limits.so
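An added example, not from the article: a read-only audit of the settings in the list above (SELinux mode, the Ctrl-Alt-Del entry, host.conf, the ping setting, pam_limits and the immutable /etc/services). Each check takes the file to inspect as an argument so it can also be run against copies; the default paths are the ones the article names.

```shell
#!/bin/sh
# Added example (not part of the article): audit a CentOS 4 host against the
# hardening list above. Every check prints nothing and returns 0 on PASS.

# selinux_enforcing [config]: SELINUX=enforcing in /etc/selinux/config
selinux_enforcing() {
    f=${1:-/etc/selinux/config}
    grep -Eq '^[[:space:]]*SELINUX=enforcing[[:space:]]*$' "$f" 2>/dev/null
}

# ctrlaltdel_disabled [inittab]: the ca::ctrlaltdel line is commented or gone
ctrlaltdel_disabled() {
    f=${1:-/etc/inittab}
    ! grep -Eq '^[[:space:]]*ca:[^#]*:ctrlaltdel:' "$f" 2>/dev/null
}

# hostconf_hardened [host.conf]: both "order bind,hosts" and "nospoof on"
hostconf_hardened() {
    f=${1:-/etc/host.conf}
    grep -Eiq '^[[:space:]]*order[[:space:]]+bind,[[:space:]]*hosts' "$f" 2>/dev/null &&
    grep -Eiq '^[[:space:]]*nospoof[[:space:]]+on' "$f" 2>/dev/null
}

# ping_ignored [sysctl-file]: icmp_echo_ignore_all currently reads 1
ping_ignored() {
    f=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
    [ "$(cat "$f" 2>/dev/null)" = 1 ]
}

# pam_limits_enabled [login]: pam_limits.so is in the login session stack
pam_limits_enabled() {
    f=${1:-/etc/pam.d/login}
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+.*pam_limits\.so' "$f" 2>/dev/null
}

# services_immutable [file]: lsattr shows the i (immutable) flag
services_immutable() {
    f=${1:-/etc/services}
    lsattr -d "$f" 2>/dev/null | awk '{print $1}' | grep -q i
}

# report <label> <check-function> [file]: one PASS/FAIL line per check
report() {
    if "$2" $3; then echo "PASS $1"; else echo "FAIL $1"; fi
}

# audit_host: run every check against the live paths
audit_host() {
    report "SELinux enforcing"           selinux_enforcing
    report "Ctrl-Alt-Del disabled"       ctrlaltdel_disabled
    report "host.conf order + nospoof"   hostconf_hardened
    report "ping requests ignored"       ping_ignored
    report "pam_limits in pam.d/login"   pam_limits_enabled
    report "/etc/services immutable"     services_immutable
}
```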
Using ssh to secure connections

MindTerm, VNC, socat, oh no! Although the ability to work remotely is one of the advantages of Linux that system programmers and administrators like, setting up remote access is not a simple thing.
Choosing the right remote service
Every month, Server Clinic has to describe how to get the most out of the hardware in the server room. This often involves using Linux in ways that are not as well known as they deserve to be: running Fortran programs on Linux, running applications designed for older operating systems, and so on. The second topic, and the topic of this column, is security. Your servers should be physically isolated, you should disable all unnecessary network access, and you should reach a server only through SSH or something better. In particular, use Telnet, ftp, rsh, rlogin and related services as little as possible; they are simply too dangerous.

Suppose you have done all of that. Now you are away: maybe at a product demonstration, in consultation with a new customer, or at the end of a requirements meeting (one that was already counted in your training budget). You need to bring up some material from the company. What should you do?

First, you should try something else. Programmers and administrators could do this work during normal working hours in their quiet workplaces, but they like to force themselves into doing it under pressure. Don't become a victim of the behaviour you create for yourself! Connecting for a legitimate business purpose is not a breach. But once those organizational questions are settled, the answer is "ssh". Even if in principle you rely on a virtual private network (VPN) rather than ssh, I still think it is prudent to set up ssh access as an emergency path for when the regular method cannot be used. VPNs still have some difficulties, and they depend on particular hardware configurations. If you are "calling home" from a client's network (mostly ordinary desktop machines), your choices are extremely limited. The good news is that ssh usually still meets your needs within those limits.
Even when you are away from work at a public access point (a public "Internet" terminal, say), you may not have the resources to make ssh work. You may not be able to rely on your own equipment. Seriously: carrying anything larger than a handheld device around is another security risk, and worse, many places do not allow external hardware to be plugged in. Typically you must use the hardware provided to you. Downloading a PuTTY, ssh or MindTerm client is usually very quick, though, and I like doing it that way. Anyone with enough of a network stack to connect to the hosts in your server room is probably allowed to download a Web browser. Be careful about using an already installed client; for some people it is all too easy to replace it with a modified client that captures keystrokes (or worse).

Another approach is to embed the MindTerm client as an applet in a Web page; this seems very attractive. But my experience tells me it is rarely useful. Most places disable Java, or provide only an old Java runtime engine (JRE) in the browser, or reduce the convenience of applets in other ways. If I want to use MindTerm, I only want to download and install the client and a compatible JRE. For end-user applications, applets are usually a good technique, and they also suit read-only configurations; but I have found that usage rare. So, to work efficiently, it is not worth spending time on the problems applets may have in your environment. I have always felt that finding a megabyte of free storage and installing an ssh client is easier: you sit down, install a fresh ssh client and start it.

However, this may not be enough. Some local firewalls close most ports, or at least many ports including the standard ssh port 22. Here is another way to be prepared.
On at least one of my hosts, I like to have sshd (the ssh daemon) listen on a port normally assigned to a common Internet service (such as ftp, http, smtp or pop3). Even the strictest firewalls leave ports 8080, 21, 25 and 110 open. With your machine set up to "capture" such traffic, you can get through most firewalls. Does this sound like "breaking in"? I do not condone abusing a network. Employees of other companies often invite me to use their networks, even though they know that changing their firewalls in a sensitive way (such as temporarily opening port 22) is not feasible at their company. I have come to accept that having such "tricks" ready is part of current professional practice, but I make sure to finish the job only in a responsible way.

Of course, once the ssh channel is open, I have almost all the features I would have sitting at the console in the server room. If I need a graphical display I can tunnel X or VNC through the channel; everything else I commonly do is available from the command line. So my work session starts like this: I download a reference ssh client, quickly install and launch it, and then authenticate with my password over the SSL-secured connection to an sshd I left running in the server room.

Note that I am still vulnerable to a tampered host. A fully compromised desktop machine, or a vigilant "voyeur", can get at the keystrokes before the SSL library logs them. The remedy is a one-time password (OTP) system. So far, OTPs have seemed to me more trouble than they are worth in security; the cost and the benefit of OTP differ at least slightly. In any case, getting back to the regular workplace is a good time to change the password.

Using standard parts
I like Server Clinic to show working code every month. In this article it is hard to add any code: the configuration I recommend is very simple, and the standard reference materials cover it in full.
For example, to offer the ssh service on a second port, just add the line

    Port 8080

to the existing /etc/ssh/sshd_config and restart sshd. Another method is to use a "Web proxy" or "port forwarder" (such as netcat or socat) that points back to the standard SSH port on the local host (localhost); this method is very useful for testing, tuning, logging, or extra security.

Proxies
In this context a "proxy" is a small "translator" that simply passes network traffic through. If I have an sshd server on port 22 and want another one on port 110, one way to realize the idea is to install a network proxy. The proxy acts as a server on port 110 and accepts connections from the outside world; it then acts as a client on port 22 to handle those packets. The basic sshd server does all the actual work; the proxy's role is just to move traffic from one port to another (possibly on another host).

The value of this column does not lie in esoteric code but in conveying a clear idea, which you should take as the goal for your own remote services. I have tried many methods. Take advantage of that experience, in particular to understand what not to do, at least when you first set up the server room: disable Telnet, don't leave unused services running, don't worry about applets (in particular, don't worry about applet signing), and don't feel bad about remote logins. On the other hand, be sure to use standard components. I have tried a lot of clever ideas for adjusting the ssh protocol or the firewall to block "black hat" hackers (translator's note: specialists who use network intrusion skills to break networks). Compared with the small increase in security these ideas offer, their maintenance is harder, so the gain is small.
Unless I have a clearly budgeted security project with clear long-term goals, it is better to spend time using ssh than trying to improve it. With the steps above you will have a server room whose security is not simply that of a standard Linux server installation, and you can reach almost all the world of remote management through the same connection. For your own security plan, this is a good starting point.
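An added example, not the column's own code: the two ways just described as small shell functions, which add the extra Port line to sshd_config idempotently and print the socat forwarder command for the proxy approach. It assumes OpenSSH's sshd_config syntax; the file path is passed in so it can be tried on a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the column): manage the extra sshd listening port
# and show the port-forwarder alternative. Run "sshd -t" before restarting.

# sshd_ports <sshd_config>: print the ports sshd will listen on, one per
# line (uncommented "Port" directives; 22 when the file sets none).
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -z "$ports" ]; then echo 22; else printf '%s\n' "$ports"; fi
}

# add_sshd_port <sshd_config> <port>: append "Port <port>" unless present.
# If the file had no Port line at all, port 22 is written explicitly first,
# because once any Port directive exists sshd listens only on the ports listed.
add_sshd_port() {
    if sshd_ports "$1" | grep -qx "$2"; then
        return 0
    fi
    if ! awk 'tolower($1) == "port"' "$1" | grep -q .; then
        echo "Port 22" >> "$1"
    fi
    echo "Port $2" >> "$1"
}

# socat_forward_cmd <listen-port>: the forwarder described in the text,
# accepting on the listen port and handing each connection to the local
# sshd on port 22. Printed rather than executed so it can be reviewed.
socat_forward_cmd() {
    echo "socat TCP-LISTEN:$1,fork,reuseaddr TCP:127.0.0.1:22"
}

# Stand-alone run on a constructed copy of sshd_config.
cfg=$(mktemp)
printf 'Protocol 2\n#Port 2222\nPermitRootLogin no\n' > "$cfg"
add_sshd_port "$cfg" 8080
echo "sshd would listen on: $(sshd_ports "$cfg" | tr '\n' ' ')"
echo "proxy alternative:    $(socat_forward_cmd 110)"
rm -f "$cfg"
```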
Friday, April 8, 2011

On Linux system administration and account auditing
1. Login account management. In Linux, login user accounts are managed through two facilities, utmp and wtmp.
wtmp also records system reboots and changes in system state. All utmp and wtmp data is kept in the two files /var/run/utmp and /var/log/wtmp. These files belong to the root user with permissions set to 644, and their data is stored in a binary format. You can use the dump-utmp tool to convert raw utmp data to ASCII so that a system administrator can analyze user logins, system reboots and system state changes.

Commands related to login account management:
● The last command shows each user's login and logout times, as well as system reboots and run-state changes. By default, last reads /var/log/wtmp and displays each connection and run-level change. Because last can output more than anyone can cope with, a typical usage is last -5, which shows the latest five records in /var/log/wtmp.
● The main use of the who command is to report the users currently logged in. who provides the following information: the terminal device the user logged in on, the user's address or host name, the X display in use (if the X Window System is used), whether the user accepts messages and chat requests from other users, and so on.
● The ac command provides statistics about user connections; its -d and -p flags are the useful ones. -d shows the total connection time per day, -p shows each user's connection time. These statistics help in understanding user activity and detecting intrusions.
● The lastlog command reads /var/log/lastlog and produces a report of each user's last login. lastlog is also used to check for unusual login records on a Linux system.

2. System account auditing. The Linux operating system can record every command of every user in a log file, but this feature is not turned on by default.
To turn it on:

    # touch /var/log/pacct
    # accton /var/log/pacct

You can also use a file of your own instead of /var/log/pacct, as long as the path and file name are correct.

● The sa command, like ac, is a statistics command. It reports the processes used by each user or each command and the system resources consumed. To a large extent sa is an accounting command; it is very useful for identifying a particular user, or commands that are suspect for a given user. Because the amount of output is large, a script or program is needed to filter the information.
● The lastcomm command, like sa, prints every command executed, with a time stamp for each. In this respect lastcomm is more useful for security than sa. If the system has been intruded, do not trust the records in lastlog, utmp and wtmp, but do not ignore them either: they may have been modified, and someone may have replaced them to deceive the administrator. In general, once some suspicious activity has been identified, process accounting can play its role effectively: with lastcomm you can isolate a user's activity or the commands executed at a specific time.

3. Using logrotate to manage audit files. /var/log/utmp, /var/log/wtmp and /var/log/pacct are dynamic data files; wtmp and pacct are appended to continuously, and on a busy network they become large. Linux provides a program called logrotate that lets administrators manage these files. logrotate reads the files in the /etc/logrotate.d directory, and the administrator controls it through the script files in that directory. A typical script file (the log file's path precedes the opening brace; <logfile> is a placeholder):

    <logfile> {
        rotate 5
        weekly
        errors root@server1
        mail root@server1
        copytruncate
        compress
        size 100k
    }

The script file has the following meaning:
● rotate 5: keep the current backup of the file plus 5 older backups.
● weekly: process the files once a week, usually on the first day of the week.
● errors: the e-mail address to send error reports to.
● mail: the e-mail address to mail the rotated file to.
● copytruncate: lets a process keep logging; the backup file is created and the active log file is emptied.
● compress: compress old log files with the gzip tool.
● size 100k: process the file automatically when it exceeds 100k.
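An added example, not from the article: a filter over the output of the last command described above, doing by hand the "detect intrusion related user information" step the text mentions. It flags logins whose source host is outside an allowed prefix or whose login hour is outside working hours; the sample records are constructed, not real wtmp data.

```shell
#!/bin/sh
# Added example (not part of the article): flag unusual entries in `last`
# output. Console logins (no host column) count as local and are checked
# only against the hours; reboot/shutdown pseudo-users and the trailer skip.

# Constructed sample of `last` output (not real records):
SAMPLE_LAST='sery     pts/0        192.168.1.20     Sat Apr  2 09:15   still logged in
root     pts/1        200.199.118.72   Sat Apr  2 03:12 - 03:40  (00:28)
root     tty1                          Fri Apr  1 08:05 - 17:30  (09:25)
sery     pts/2        192.168.1.35     Fri Apr  1 22:41 - 22:50  (00:09)
reboot   system boot  2.6.9-42.EL      Fri Apr  1 08:00          (1+02:13)

wtmp begins Fri Apr  1 08:00:00 2011'

# suspicious_logins <allowed-host-prefix> <from-hour> <to-hour>
# Reads `last` output on stdin; prints "user date: reason" for each entry
# whose host is outside the allowed prefix or whose hour is outside [from, to).
suspicious_logins() {
    awk -v allow="$1" -v from="$2" -v to="$3" '
        NF == 0 || $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
        {
            # console logins have no host column, so the weekday sits in $3
            if ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) { host = "console"; d = 3 }
            else { host = $3; d = 4 }
            date = $d " " $(d+1) " " $(d+2)
            split($(d+3), t, ":"); hour = t[1] + 0
            reason = ""
            if (host != "console" && index(host, allow) != 1)
                reason = "host " host " outside " allow
            else if (hour < from + 0 || hour >= to + 0)
                reason = "login at " $(d+3) " outside " from "-" to
            if (reason != "") printf "%s %s: %s\n", $1, date, reason
        }'
}

# Stand-alone run: trusted hosts 192.168.1.*, working hours 07:00-20:00.
# Real use: last | suspicious_logins 192.168.1. 7 20
printf '%s\n' "$SAMPLE_LAST" | suspicious_logins 192.168.1. 7 20
```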
An introduction to LILO for everyone to learn

Author: answer
Linux can be booted in many ways. The boot loader LILO (Linux Loader) is a flexible boot loader, and compared with other popular boot loaders its boot modes seem more artful. Understanding it in depth will help us handle multiple coexisting systems, network boot, large hard disks and memory, and many other difficult issues with ease.
I. LILO's boot mechanism
As is well known, control of the computer initially belongs to the BIOS. After initializing some hardware (memory, keyboard and so on), it tries to load the hard disk's master boot record (MBR) or the floppy's boot sector. The MBR can work in two ways: one is to go to the active partition and load its boot sector, which then loads the basic components of that partition's operating system; the other is to load information directly from a specified partition and pass control to any part of an operating system. Boot loaders such as LILO, the OS/2 boot loader and PartitionMagic can be configured in this second way. The floppy boot sector corresponds to the boot sector of the hard disk's active partition and is typically used to load an operating system from the floppy. Thus, as long as LILO is installed in the MBR, in the active partition or on a boot floppy, it can take over control of the computer and complete the subsequent boot process.

LILO has a built-in table of encoded addresses with which its boot program can locate the Linux kernel files. The address encoding can follow cylinder/head/sector (CHS) mode or use LBA mode with linear block addresses, so LILO works well even on some SCSI controllers. Once LILO has located its configuration file, it displays the boot prompt:

    LILO boot:

At this point the system lets you select a different operating system or a different kernel configuration: press the Tab key to display the list of available options, then enter one of them, or just press Enter to select the default configuration. If you choose to boot Linux, you can also pass arguments directly to the kernel. Compared with other systems' boot loaders, LILO has more flexibility and more ways to boot:
● When LILO is installed in the hard disk's MBR, in the active partition or on a boot floppy as a stand-in for the bootstrap program, it can boot Linux and other operating systems from any partition of any hard drive; apart from the boot sector it needs no hidden files and no specific partition, and its configuration file can be anywhere, even in a subdirectory of a DOS partition unrelated to Linux.
● It can boot several different kernel configurations, or even several different kernels.
● It can boot multiple Linux distributions on the same machine.
● It can boot Linux from the network.

LILO's flexibility makes its configuration quite complicated. When several systems coexist, it is recommended to install the other operating systems first and Linux last, so that setting up LILO to boot the other systems is relatively simple.

II. Several important LILO boot parameters
Only some of the more important parameters are presented here.
1. "boot=" specifies the device that contains the boot sector (e.g. /dev/hda). If omitted, the boot sector is read from the current root partition.
2. "root=" tells the kernel which device to use as the root file system at startup; its value is the device name the kernel's root file system was built for. The available device names are:
   (1) /dev/hdaN ~ /dev/hddN: ST-506 compatible hard drives a to d, partition N;
   (2) /dev/sdaN ~ /dev/sdeN: SCSI compatible hard drives a to e, partition N;
   (3) /dev/xdaN ~ /dev/xdbN: XT compatible hard drives a to b, partition N;
   (4) /dev/fdN: floppy disk A (N=0) or B (N=1);
   (5) /dev/nfs: a flag telling the kernel to obtain the root file system over the network.
3. "nfsroot=" if you need to boot a diskless workstation whose root file system is provided through NFS, this parameter tells the kernel which computer, directory and NFS options the root file system is on. The format is:
   nfsroot=[<server_ip>:]<root_dir>[,<nfs_options>]
4. "nfsaddrs=" sets the various network interface addresses required for network communication. Without this parameter the kernel tries to determine them with the reverse address resolution protocol (RARP) or the boot protocol (BOOTP). The format is:
   nfsaddrs=<client IP>:<server IP>:<gateway IP>:<subnet mask>:<client name>:<network device name>:<auto>
5. "image=" specifies the Linux kernel file.
6. "delay=" sets the wait time before booting the first image.
7. "disk=" defines non-standard parameters for a special hard disk.
8. "append=" passes an optional parameter line to the kernel; its typical use is to specify parameters of a hard disk that the system cannot recognize automatically, e.g. append="hd=64,32,202".
9. "label=" gives each image a name to select at boot time.
10. "read-only" mounts the root file system read-only, for the file system consistency check (fsck).
11. "install=" installs the specified file as the new boot sector; the default is /boot/boot.b.
12. "loader=" specifies the chain loader to use; the default is /boot/chain.b. If not booting from the first hard disk or a floppy, this option must be given.
13. "table=" specifies the device containing the partition table. If omitted, the boot loader cannot pass partition information to the operating system being booted. When the partition table this parameter points to is modified, /sbin/lilo must be rerun.
14. "init=" the program executed at kernel initialization, usually a process such as init, getty, rc or sh. Since Linux kernel version 1.3.43 the command line /sbin/init is executed by default; if there is a problem in the boot process, you can set init=/bin/sh to go straight to a shell.
15. "ramdisk_start=" because the kernel cannot be placed inside a compressed memory file system image, to put the kernel image and a compressed memory image together on a floppy, add "ramdisk_start=<offset>" so that the kernel can start executing.
16. "mem=" one purpose of this parameter is to specify the amount of memory for Linux, e.g. mem=96MB; another is mem=nopentium, which tells the kernel not to use 4MB page tables.
17. "vga=" sets the display mode, e.g. 80x50, 132x44.

III. Typical LILO configuration methods
Normally the Linux installation program itself completes the LILO installation and configuration. To solve multi-system boot problems better, or if your system does not complete this configuration automatically, you can modify the configuration file /etc/lilo.conf by hand to boot under different conditions.
1. When the system can complete the configuration automatically, there is only one suggestion for this scenario: install LILO in the root of the Linux partition, not in the trouble-prone MBR. Assuming DOS/Windows is installed on hda1 and Linux on hda2, the contents of /etc/lilo.conf are as follows:

    boot=/dev/hda2          # specifies the boot location
    compact
    delay=50                # delay 5 seconds
    root=current            # root is in the current partition
    image=/boot/vmlinuz     # specifies the Linux kernel file
      label=linux           # use linux as the name
    other=/dev/hda1         # partition where the other operating system is located
      table=/dev/hda        # specifies the hard disk containing the partition table
      label=dos             # use dos as the name
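As an added example (not part of the article): a small lint for /etc/lilo.conf that applies the rules the parameter list above states (a boot= line, a label= for every image= or other= stanza, a root= for each image unless a global root= exists, and table= for other= entries), so a hand-edited file can be checked before /sbin/lilo is run. It assumes the key=value layout shown above; the file path is passed in.

```shell
#!/bin/sh
# Added example (not from the article): lint a lilo.conf against the rules
# the parameter list states. Prints one line per problem, returns 1 if any.

# lilo_lint <lilo.conf>
lilo_lint() {
    awk '
        # report on the stanza just finished (image= or other=)
        function flush() {
            if (stanza == "") return
            if (!has_label) { printf "stanza %s has no label=\n", stanza; problems++ }
            if (kind == "other" && !has_table) {
                printf "other=%s has no table=, partition info will not be passed\n", stanza
                problems++
            }
            if (kind == "image" && !has_root && !global_root) {
                printf "image=%s has no root= and no global root=\n", stanza
                problems++
            }
        }
        # strip comments and surrounding whitespace, skip empty lines
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        NF == 0 { next }
        {
            n = index($0, "=")
            key = (n ? substr($0, 1, n - 1) : $0); val = (n ? substr($0, n + 1) : "")
            gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val)
        }
        key == "image" || key == "other" {
            flush(); stanza = val; kind = key
            has_label = has_table = has_root = 0
            next
        }
        stanza == "" && key == "boot" { has_boot = 1 }
        stanza == "" && key == "root" { global_root = 1 }
        key == "label" { has_label = 1 }
        key == "table" { has_table = 1 }
        key == "root"  { has_root = 1 }
        END {
            flush()
            if (!has_boot) {
                print "no boot= line: the boot sector would go to the current root partition"
                problems++
            }
            exit problems > 0
        }' "$1"
}

# Stand-alone run on a constructed lilo.conf with the simple layout above.
cfg=$(mktemp)
printf 'boot=/dev/hda2\ncompact\ndelay=50\nroot=current\nimage=/boot/vmlinuz\n  label=linux\nother=/dev/hda1\n  table=/dev/hda\n  label=dos\n' > "$cfg"
lilo_lint "$cfg" && echo "$cfg: no problems found"
rm -f "$cfg"
```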
2. When the system cannot complete the configuration automatically. The system fails to complete the configuration automatically in the following two cases: (1) the BIOS cannot see the Linux root partition directly; (2) the BIOS can only read and write the first 504MB of a standard IDE hard disk. In that case you must follow one basic principle: create a small Linux partition that the BIOS can access, containing the kernel files, the map file and the files and programs needed for chain loading; root can be a separate partition. The other details of the configuration are explained through the following examples.

Example 1: the primary hard disk is on the IDE interface, the second hard disk is SCSI, and the root file system is on the SCSI disk. Solution: create a smaller Linux partition (/dev/hda2) on the IDE disk containing the basic files, mounted at /u2; the main configuration file /etc/lilo.conf becomes:

    boot=/dev/hda                   # lilo installed in the MBR of the master IDE disk
    install=/u2/etc/lilo/boot.b     # install the boot record from this boot.b
    map=/u2/etc/lilo/map            # map file built by setup; tells the boot loader the kernel's block positions
    compact
    timeout=50
    image=/u2/vmlinuz               # the kernel file should be copied under /u2
      label=linux
      root=/dev/sda1                # tell the kernel the root file system is on the SCSI disk
      read-only
    other=/dev/hda1
      loader=/u2/etc/lilo/chain.b   # specified loader
      label=dos

Example 2: a standard IDE hard disk with both Linux and DOS/Windows installed. For the large hard disk problem, many people know only the 1024-cylinder limit, yet somehow the standard IDE hard disk is only granted 504MB. In fact, the BIOS int13 call uses a three-byte CHS encoding: 10 bits for the cylinder number, 8 bits for the head number and 6 bits for the sector number. The possible number of cylinders is 0-1023,

VPN (pptpd) deployment under CentOS
6. Dial-up login.
After dialling in, log in to the VPN server and look at its log to see the user's connection. The following fragment is excerpted for reference:

    Dec 19 17:16:01 max-vpn pppd[9833]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Dec 19 17:16:01 max-vpn pppd[9833]: pptpd-logwtmp: $Version$
    Dec 19 17:16:01 max-vpn pppd[9833]: pppd options in effect:
    Dec 19 17:16:01 max-vpn pppd[9833]: debug # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: logfile /etc/ppp/vpn.log # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: dump # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: plugin /usr/lib/pptpd/pptpd-logwtmp.so # (from command line)
    Dec 19 17:16:01 max-vpn pppd[9833]: require-mschap-v2 # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: refuse-pap # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: refuse-chap # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: refuse-mschap # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: name pptpd # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: pptpd-original-ip 200.199.118.72 # (from command line)
    Dec 19 17:16:01 max-vpn pppd[9833]: 115200 # (from command line)
    Dec 19 17:16:01 max-vpn pppd[9833]: lock # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: local # (from command line)
    Dec 19 17:16:01 max-vpn pppd[9833]: novj # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: novjccomp # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: ipparam 200.199.118.72 # (from command line)
    Dec 19 17:16:01 max-vpn pppd[9833]: ms-dns xxx # [don't know how to print value] # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: proxyarp # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:01 max-vpn pppd[9833]: 172.16.195.1:172.16.195.101-200 # (from command line)
    Dec 19 17:16:02 max-vpn pppd[9833]: nobsdcomp # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:02 max-vpn pppd[9833]: require-mppe-128 # (from /etc/ppp/options.pptpd)
    Dec 19 17:16:02 max-vpn pppd[9833]: pppd 2.4.4 started by root, uid 0
    Dec 19 17:16:02 max-vpn pppd[9833]: Using interface ppp0
    Dec 19 17:16:02 max-vpn pppd[9833]: Connect: ppp0 <--> /dev/pts/1
    Dec 19 17:16:02 max-vpn pptpd[9832]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
    Dec 19 17:16:02 max-vpn pppd[9833]: Unsupported protocol 'IPv6 Control Protovol' (0x8057) received
    Dec 19 17:16:02 max-vpn pppd[9833]: MPPE 128-bit stateless compression enabled
    Dec 19 17:16:04 max-vpn pppd[9833]: Cannot determine ethernet address for proxy ARP
    Dec 19 17:16:04 max-vpn pppd[9833]: local IP address 172.16.195.1
    Dec 19 17:16:04 max-vpn pppd[9833]: remote IP address 172.16.195.101
    Dec 19 17:16:04 max-vpn pppd[9833]: pptpd-logwtmp.so ip-up ppp0 sery 200.199.118.72
    [root@max-vpn ~]#

This log shows that a client from 200.199.118.72 is already connected to the VPN server, that the account is sery, and that the address assigned to the VPN client machine is 172.16.195.101. On the dial-up machine (Windows), view the current network parameters:

    C:\Users\sery> ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : sery-sony
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : maxthon.net
    PPP adapter VPN connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VPN connection
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.16.195.101 (Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 0.0.0.0
       DNS Servers . . . . . . . . . . . : 61.135.154.5159.226.240.66
       NetBIOS over Tcpip. . . . . . . . : Enabled

7. Set up routing and IP masquerading.
Although you can log in at this point, the VPN server has no forwarding rules, so there is still no way to reach the private network behind the VPN or to access the Internet through it (the network connection icon in the Windows status bar shows a yellow exclamation mark). So the following steps are needed to truly finish; many articles on the Internet just stop here, as if the author had only logged in within a virtual environment.
(1) Turn on IP forwarding: in the configuration file /etc/sysctl.conf, enable net.ipv4.ip_forward = 1.
(2) Write a routing script with the following contents:

    [root@max-vpn ~]# more /usr/local/bin/vpn_route.sh
    #!/bin/bash
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.195.0/24 -o eth0 -j SNAT --to-source 61.135.251.50
    /sbin/iptables -t nat -A POSTROUTING -s 172.16.195.0/24 -o eth1 -j SNAT --to-source 192.168.195.166
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The destination network (the VPN's internal network) is 192.168.195.0/24. The VPN server has two network adapters: one connects to the public network (eth0) with IP address 61.135.251.51; the other NIC connects to the private network with IP 192.168.195.166. This routes the networks involved correctly. Run the script by hand and check that the client (Windows) can reach the target machines in the network: the easiest way is ping. Assuming the destination network has a machine 192.168.195.100 that allows ICMP, ping 192.168.195.100; if that is normal, go a step further and access the server (remote login). If there is no problem, add the script so that it runs at boot. For security reasons, you can add more iptables rules to this script.

This article is taken from the "sery" blog; please keep this source: http://sery.blog.51cto.com/10037/122108
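An added example, not from the article: a filter over pppd log lines in the format of the fragment above that produces the "who connected from where and got which address" summary the text derives by eye, correlating the two relevant lines through the pppd pid. The sample log lines are constructed; the second session (alice from 203.0.113.9) is made up.

```shell
#!/bin/sh
# Added example (not part of the article): summarize completed PPTP dial-ups
# from pppd's syslog output. Each pppd instance logs "remote IP address X"
# and, via the pptpd-logwtmp plugin, "ip-up <iface> <user> <source ip>";
# both carry the same pppd[pid], which is what ties them together.

# Constructed sample log lines (the first session mirrors the fragment above):
SAMPLE_PPPD_LOG='Dec 19 17:16:02 max-vpn pppd[9833]: Using interface ppp0
Dec 19 17:16:02 max-vpn pptpd[9832]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Dec 19 17:16:04 max-vpn pppd[9833]: local IP address 172.16.195.1
Dec 19 17:16:04 max-vpn pppd[9833]: remote IP address 172.16.195.101
Dec 19 17:16:04 max-vpn pppd[9833]: pptpd-logwtmp.so ip-up ppp0 sery 200.199.118.72
Dec 19 17:20:11 max-vpn pppd[9901]: Using interface ppp1
Dec 19 17:20:13 max-vpn pppd[9901]: remote IP address 172.16.195.102
Dec 19 17:20:13 max-vpn pppd[9901]: pptpd-logwtmp.so ip-up ppp1 alice 203.0.113.9'

# vpn_sessions: reads pppd log lines on stdin, prints "user source_ip assigned_ip"
# for every ip-up event, in log order; "unknown" if no address line was seen.
vpn_sessions() {
    awk '
        match($0, /pppd\[[0-9]+\]:/) {
            pid = substr($0, RSTART + 5, RLENGTH - 7)
            if ($0 ~ /remote IP address/) remote[pid] = $NF
            if ($0 ~ /pptpd-logwtmp\.so ip-up/) {
                user[pid] = $(NF - 1); src[pid] = $NF; done[++n] = pid
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                p = done[i]
                printf "%s %s %s\n", user[p], src[p], (p in remote) ? remote[p] : "unknown"
            }
        }'
}

# Stand-alone run. Real use: vpn_sessions < /var/log/messages
printf '%s\n' "$SAMPLE_PPPD_LOG" | vpn_sessions
```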
Introduction. Once intruders have full control of a system they plant a backdoor so that the next access is easy. Backdoors are generally implemented by modifying system configuration files and installing third-party tools; they are hidden, can bypass system logging, and are not easily found by the system administrator.

Common backdoor techniques

Adding a root account:
# echo "e4gle:x:0:0::/:/bin/sh" >> /etc/passwd
# echo "e4gle::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow
If the system does not allow UID 0 users to log in remotely, a normal user account has to be added as well.

Cracking/sniffing user passwords: crack weak user passwords from the shadow file with a tool such as John the Ripper, or install a sniffer such as sniffit to listen on the telnet and FTP ports and collect users' passwords.

Placing a SUID shell:
# cp /bin/bash /dev/.rootshell
# chmod u+s /dev/.rootshell
An ordinary user who runs /dev/.rootshell locally obtains a shell with root permissions. (Modern bash drops the effective UID when it differs from the real UID unless started with -p, so the copied shell has to be invoked as /dev/.rootshell -p; older shells did not do this.)

rhosts "+ +":
# echo "+ +" > /.rhosts
# rsh -l root victim.com csh -i
obtains a root shell remotely.

Abusing system service programs: modify /etc/inetd.conf, for example daytime stream tcp nowait root /bin/sh sh -i; or replace inetd service programs such as in.telnetd or in.rexecd with trojaned versions; or redirect the login program.

TCP/UDP/ICMP shells: bind shells are mostly network service programs based on TCP or UDP that listen on a high port, so they are easily found. A ping backdoor activates a shell on receipt of a crafted ICMP packet. A TCP ACK-packet backdoor can get through firewalls.

Crontab scheduled tasks: the backdoor is installed through crontab to run at a fixed time, usually late at night when the system administrator is not online.

Shared library files: a backdoor function embedded in a shared library spawns a shell when given the backdoor password; it evades the administrator's checksum verification of the binaries themselves.

Rootkits: a rootkit bundles a collection of system and backdoor tools: log cleaners that remove login records, checksum forgers, replacements for netstat, ps and other network tools, and a backdoored login program; it is easy to install and use.

Loadable kernel modules (LKM): loaded dynamically without recompiling the kernel. They intercept system calls and gain powerful abilities such as hiding directories, files, processes and network connections. They are extremely stealthy and hard to find. Well-known examples are the adore and knark LKM packages.

Backdoor detection: from my own experience, combine specific tools with some manual checking. Use md5 checksums or Tripwire to check the system. Use an IDS to watch the target machine for suspicious network connections.

Example: login backdoor. The intruder backs up the original /bin/login and replaces it with a patched /bin/login. When the intruder telnets in and passes the correct backdoor password through an environment variable or the terminal type, he receives a shell directly; a normal user's login is redirected to the original login program, which handles it normally. Source of the simplest login backdoor, ulogin.c:

Linux password attacks and defences
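As an added example of the manual checking the detection paragraph recommends (this script is not part of the original article), the following read-only audit looks for the concrete artefacts the techniques above leave behind: extra UID 0 accounts, passwordless shadow entries, setuid binaries under /dev, "+ +" in an rhosts file, inetd services that spawn a shell, and cron jobs that run from /dev or /tmp. Every check takes its input file as an argument, so the same functions run against a mounted forensic image or against constructed fixture files; it assumes only POSIX sh, awk, grep and find, and it cannot see what an LKM rootkit hides from the running kernel.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only audit for the
# backdoor artefacts described above. Every check reads the file or directory
# given as $1, so it can run on a mounted image as well as the live system.
# It will not detect what a kernel-module rootkit hides from userland.

# 1. Extra UID 0 accounts in passwd (anything besides root is suspect).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Empty password fields in shadow (the "e4gle" entry above has one).
empty_shadow_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# 3. setuid/setgid executables below a directory that should never hold any (/dev).
suid_files_under() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# 4. Trust-everyone lines ("+" or "+ +") in an rhosts file.
rhosts_trust_all() {
    [ -f "$1" ] && grep -E '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$' "$1"
}

# 5. inetd.conf services whose server program or arguments are a shell.
#    Fields: service socktype proto wait user server args...
inetd_shell_services() {
    grep -Ev '^[[:space:]]*#' "$1" |
        awk '{ for (i = 6; i <= NF; i++)
                   if ($i ~ /(^|\/)(sh|bash|ksh|csh)$/) { print $1; break } }'
}

# 6. Crontab lines that run something from /dev, /tmp, /var/tmp or /dev/shm.
cron_suspicious() {
    grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" | grep -E '/(tmp|dev|var/tmp|dev/shm)/'
}

# Print a finding block when $2 is non-empty; return 1 so callers can count hits.
report() {
    [ -n "$2" ] && { printf '%s:\n%s\n' "$1" "$2"; return 1; }
    return 0
}

# Run all checks against the live host; exit status 1 if anything was found.
audit_host() {
    rc=0
    report "extra UID 0 accounts"   "$(extra_uid0_accounts /etc/passwd)" || rc=1
    report "empty shadow passwords" "$(empty_shadow_passwords /etc/shadow 2>/dev/null)" || rc=1
    report "setuid files under /dev" "$(suid_files_under /dev)" || rc=1
    report "rhosts trust-all"       "$(rhosts_trust_all /.rhosts)" || rc=1
    [ -f /etc/inetd.conf ] && { report "inetd shell services" "$(inetd_shell_services /etc/inetd.conf)" || rc=1; }
    report "suspicious crontab"     "$(cron_suspicious /etc/crontab 2>/dev/null)" || rc=1
    return $rc
}

# Manual use: . ./backdoor_audit.sh && audit_host
```

Run it as root (shadow is not world-readable) and compare the output with a Tripwire or rpm -V report; a clean audit from userland proves little if an LKM is present, which is why the article's IDS-on-a-separate-host advice still applies.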
Seeing everyone so enthusiastic about this research topic, I couldn't help adding a post of my own.

To keep it short, here is a brief look at Linux password attacks and defences. In early Linux systems, /etc/passwd held each user's account information, including the password, stored as the visible-string result of running it through a fixed hashing algorithm; the hashing was not very strong. So an early attacker who merely obtained /etc/passwd was already halfway into the system. Later, as security improved, the password hash was separated from the passwd file: the hash and its auxiliary ageing information were moved to a shadow file readable only by root. On Red Hat systems the storage form and hashing algorithm are selected with /usr/sbin/authconfig. At login the entered password is hashed and compared with the entries in /etc/passwd and /etc/shadow; if it matches, login is allowed, otherwise denied.

A strong, effective password should be at least 8 characters long and contain no personal information (birthday, name, user name, computer model, phone number; also avoid numbers such as 2002, 2000 or 888). Plain English words are no good, because they fall to dictionary attacks. The best passwords mix letters with non-letters (digits, punctuation, control characters), are never written down on paper or in a computer file, and are built from letters, digits or control characters with no relationship to one another, not shorter than 8 characters. To force users to choose passwords that are strong enough, set PASS_MIN_LEN (minimum password length) in /etc/login.defs. Password lifetime should also be limited so that passwords are changed regularly; the parameter for that is PASS_MAX_DAYS (the original text names PASS_MIN_DAYS, but that is the minimum interval between changes and does not force rotation).

Linux uses the DES-based crypt() function or the MD5 algorithm; because the work involved is large, the hashes are very hard to reverse. A DES password hash is a 13-character ASCII string, and an MD5 password hash always begins with "$1$". (Current distributions default to SHA-512, prefix "$6$", or yescrypt, prefix "$y$"; a 13-character DES hash on a modern system is a finding in itself.) OK, that is the theory; now a demonstration, captured on a Red Hat Linux system. The intruder has obtained a root login through a remote overflow. How does he learn the root password? He opens /etc/passwd: the accounts are shadowed. He goes on to read /etc/shadow: the field after root's colon is the hashed password. Cracking begins. There are many tools for cracking Linux passwords, such as CrackerJack, Crack by Alec Muffett and John the Ripper; John the Ripper is the most powerful and the fastest. Download /etc/shadow to the local machine and first try John's single-crack mode; no result, so hang a dictionary on it with "-w=1.txt" (specify the wordlist file; recent versions spell it --wordlist=1.txt). Soon the root password is out: "bigapple". With the root password, getting into the server is easy from then on.

Note that in this scenario the hash was obtained only after root had already been gained, so the crack buys persistence through a legitimate credential; rotating root's password after an incident, and using slow hashes such as SHA-512 or yescrypt with a high cost, removes that value.

Sunday, April 3, 2011
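The defender's side of the demonstration above is knowing which of your shadow entries are in the cheap-to-crack formats the article describes. The script below is an added example, not part of the original post: it classifies each hash in a shadow file by its crypt(3) prefix (13-character DES, "$1$" MD5, "$5$"/"$6$" SHA-crypt, "$y$" yescrypt, bcrypt) and lists the accounts whose hashes are DES, MD5 or empty, so they can be re-hashed by forcing a password change. It assumes POSIX sh, awk and grep only.

```shell
#!/bin/sh
# Added example (not from the original post): classify the password hashes in a
# shadow file by crypt(3) format so legacy DES/MD5 hashes, the ones John the
# Ripper cracks fastest, can be found and replaced. Prefixes follow crypt(5);
# the bare 13-character form is traditional DES crypt.

hash_scheme() {
    case "$1" in
        '' )                        echo empty ;;    # no password at all
        '!'*|'*'* )                 echo locked ;;   # disabled account
        '$1$'* )                    echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'* )   echo bcrypt ;;
        '$5$'* )                    echo sha256 ;;
        '$6$'* )                    echo sha512 ;;
        '$7$'* )                    echo scrypt ;;
        '$y$'* )                    echo yescrypt ;;
        * )
            # 13 characters from [./0-9A-Za-z] and no '$': traditional DES crypt
            if [ ${#1} -eq 13 ] && printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# A scheme is weak if it can be brute-forced at high speed or there is no password.
is_weak_scheme() {
    case "$1" in des|md5|empty) return 0 ;; *) return 1 ;; esac
}

# Print "user scheme" for every account with a weak scheme; return 1 if any found.
audit_shadow() {
    rc=0
    while IFS=: read -r user pass _rest; do
        scheme=$(hash_scheme "$pass")
        if is_weak_scheme "$scheme"; then
            echo "$user $scheme"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Manual use (as root): . ./shadow_audit.sh && audit_shadow /etc/shadow
```

Accounts it lists should be expired with chage -d 0 so the next login re-hashes the password with the current default algorithm; "locked" entries ("!" or "*") are fine because nothing can authenticate against them.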
Dial-up Internet access over ADSL on Linux

4. Start the PPPoE client software with the command /usr/sbin/adsl-start. If the connection succeeds it prints Connected; if not, check the network cable, the ADSL modem and the other physical devices, and look at /var/log/messages. /usr/sbin/adsl-stop closes the connection to the ISP, and /usr/sbin/adsl-status shows the current state of the connection. To start the ADSL connection automatically when Linux boots, run # chkconfig --add adsl, which adds the adsl boot script to the current run level.

5. Test. Once the connection is up, run # ifconfig -a; the output should include a ppp0 section with an IP address bound to it, showing that an address has been obtained from the dial-up. # netstat -nr shows the routing table; the default route should point at the address obtained above. If there is no default route, add one manually: # route add default gw <the IP address obtained above>. # nslookup www.sina.com.cn should resolve Sina's IP address, which shows that a DNS server was obtained correctly from the dial-up. Finally ping a domain name or IP address; if you get replies, you are done.

Networking Linux and Windows CE over PPP
Jiang Qingye (qyjohn@SMTH), software engineering expert, American GNC Corporation. This article describes how to make a Linux host and a Windows CE device work together over a network.

It first establishes a PPP connection between the Linux host and the Windows CE device, then runs an FTP server on the device so that the Linux host can access resources on it. The solution described also applies to Windows 9x/2000/NT hosts.

Background. Linux is a UNIX-like operating system that started as the hobby of a Finn, Linus Torvalds, and is now one of the most popular free operating systems. Ordinary users run office software, browse the web, send mail and play games on Linux; many universities and research institutes use it for everyday computing. Commercially, because Linux is cheap, secure and very stable, many companies build their servers on it; according to International Data Corporation (IDC), about a third of the world's web servers run Linux. Windows CE, as defined in Microsoft's "Windows CE and Pocket PC: FAQ", is a set of components from which businesses build proprietary operating systems: an original equipment manufacturer (OEM) buys the integrated development environment called the Windows CE Platform Builder from Microsoft and uses it to assemble and compile a Windows CE-based operating system made of Windows CE components plus the OEM's own application software and device drivers. Because its user interface resembles that of the other Microsoft Windows operating systems, Windows CE is popular with end users and developers alike, and it is widely used in mobile phones, palmtop computers, personal digital assistants, electronic dictionaries and other portable devices.

For a long time a Windows CE device also needed a Windows 9x/2000/NT host to exchange data with. That host runs Microsoft's Windows CE Services software, which establishes a point-to-point link with the device over an RS-232 data cable; the user can access the device through that software, but other computers on the LAN cannot reach it. To let other LAN computers reach the device you had to buy an expensive dedicated network adapter and a matching access device, which is not an economical solution. This article uses a Red Hat Linux 7.2 host as a PPP server to establish a TCP/IP connection with the Windows CE device, then runs an FTP server on the device so that the Linux host can access its resources. Because the approach relies only on the RS-232 data cable the device comes with and no additional equipment needs to be bought, it is an economical and practical solution. It also applies to Windows 9x/2000/NT hosts.

Connecting Linux and Windows CE. The Point-to-Point Protocol (PPP) carries IP packets over a serial line. With PPP a computer can log in to a remote host over a serial line, telephone line or other communication device and use the host's resources and those of its network. A point-to-point link has two parts, a server and a client: the client asks the server for a network connection, and the server accepts the request, establishes the connection and assigns the client the appropriate network resources. Once the connection is established, server and client are strictly peers.
Since Linux usually ships both PPP server and client programs while Windows CE usually ships only a PPP client, the Linux host is used as the PPP server and the Windows CE device as the PPP client. First verify that the PPP daemon pppd is installed on the host; it normally lives in /usr/sbin, so check for the file with:

ls /usr/sbin/pppd

Recent official Linux releases (for example Red Hat Linux 6.x/7.x) usually have it preinstalled. If the host has no PPP server, download and install one, for example pppd 2.3.4; the package may need other packages, which is beyond the scope of this article. With pppd present, the host needs some configuration, and root privileges are required for it. Create /etc/ppp/peers/wince with the following contents (reconstructed from the garbled capture):

/dev/ttyS0
115200
crtscts
noauth
connect '/usr/sbin/chat -v -f /etc/ppp/wince.chat'
local
90.0.0.1:90.0.0.2

and create /etc/ppp/wince.chat:

TIMEOUT 3600
"CLIENT" ""
"" "CLIENTSERVER\c"

The name wince is only used to indicate that the profile is for a Windows CE device; any other name (palm, handheld and so on) will do, as long as the name in the connect line matches the chat file. /etc/ppp/peers/wince selects serial port ttyS0 at 115200 bps with hardware flow control for the connection to the client device; noauth means the client is not required to authenticate. The chat script answers the handshake a Windows direct-cable client performs: the client sends the string CLIENT and expects the reply CLIENTSERVER.

On this point-to-point link the server (Linux host) gets IP address 90.0.0.1 and the client (Windows CE device) 90.0.0.2. Note that 90.0.0.0/8 is public address space; use RFC 1918 addresses such as 10.0.0.1:10.0.0.2 instead so the link does not shadow real Internet hosts. The TIMEOUT parameter in /etc/ppp/wince.chat is how long the server waits; if no client connection request arrives within that time the server program terminates. For more on these options, consult the chat and pppd documentation. Also be aware that noauth means anyone who plugs a device into that serial port gets an IP address on the host; fine on a desk, not in a shared lab.

The Windows CE side needs less configuration. Because Windows CE's AutoConnect function uses the device's serial port by default, it must first be disabled: in Start > Settings > Control Panel > PC Connection, set it not to enable a connection with the PC. Then create a new connection: in Start > Programs > Communication > Connection Manager, tap the "Make New Connection" icon, name the connection Linux, select Direct Connection as the connection type, in the next step choose COM1 at 115200 bps, and in the TCP/IP settings give the device the IP address 90.0.0.2. Tap OK to save; the connection now appears in the Programs > Communication menu. On the Linux host start the PPP server with:

pppd call wince

Then start the new connection on the Windows CE device (Programs > Communication > Linux). A network-connection icon appears in the device's task bar, and the Linux host prints the following to show that the link to the Windows CE device is up:

Serial connection established.
Using interface ppp0
Connect: ppp0 <--> /dev/ttyS0
found interface eth0 for proxy arp
local  IP address 90.0.0.1
remote IP address 90.0.0.2

The Linux host's ping command can also verify that the connection to the Windows CE device is up:

ping 90.0.0.2

If the link is established you should see something like:

PING 90.0.0.2 (90.0.0.2) from 90.0.0.1 : 56(84) bytes of data.
64 bytes from 90.0.0.2: icmp_seq=0 ttl=32 time=26.587 msec
64 bytes from 90.0.0.2: icmp_seq=1 ttl=32 time=19.928 msec
64 bytes from 90.0.0.2: icmp_seq=2 ttl=32 time=19.939 msec
64 bytes from 90.0.0.2: icmp_seq=3 ttl=32 time=19.947 msec

FTP software for Windows CE. Now that a PPP link exists between the Linux host and the Windows CE device, what can be done with it? Some suitable program is needed for exchanging files between Linux and the device. Since TCP/IP now runs between the two, an FTP program is an obvious choice. FTP (File Transfer Protocol) is a widely used protocol for exchanging files over a network; because it needs reliable data transfer, it runs over TCP/IP. An FTP session has a server side and a client side: the client actively connects to the server and sends file transfer requests, while the server waits for clients and processes their requests. PE FTP Explorer is a very popular FTP client for Windows CE that also serves as a full-featured file browser; like CuteFTP and WS_FTP on the PC, it lets the user use the stylus to browse the local and server directory trees, upload or download files and directories, and rename or delete them.

It is available from the CE Archive website (http://www.cearchives.com/ftp.html), where readers will also find another very popular FTP client, vxFTP. Although these FTP clients are complete and easy to use, they are limited by the small screens of portable devices. If an FTP server can be run on the portable device instead, file transfers can be driven from the Linux host with the FTP clients commonly used there. ftpsrv.exe is an FTP server for Windows CE: a tiny 28.5 KB program that provides neither authentication nor passive transfer mode but handles the most common FTP requests. Use Microsoft Windows CE Services to upload ftpsrv.exe to any directory on the portable device and start it; an icon showing a computer connected to two portable devices appears in the task bar. Tapping the icon opens a small control window where the FTP server's port number can be changed or the program terminated. ftpsrv.exe can be obtained from http://pda.tucows.com/ or http://www.oohito.com/, and both sites offer many other useful small programs. Because ftpsrv.exe has no authentication, anyone who can reach 90.0.0.2 can read and write the device's files, and pppd's proxy ARP on eth0 makes the device reachable from the whole LAN; if that is not wanted, restrict access to it with iptables on the Linux host.

CentOS: restricting su to an administrators' group
Normally any user who runs "su -" and enters the correct root password becomes root and can do administrator-level configuration.
To harden the system further, an administrators' group can be set up so that only its members may run "su -" to become root; other users cannot become root even if they run "su -" and enter the correct root password. On UNIX this group is traditionally named "wheel".

[root@sample ~]# usermod -G wheel CentOSpub   ← add the ordinary user CentOSpub to the administrators' group wheel
[root@sample ~]# vi /etc/pam.d/su   ← open the configuration file
#auth required /lib/security/$ISA/pam_wheel.so use_uid   ← find this line (around line 6) and remove the leading "#"
auth required /lib/security/$ISA/pam_wheel.so use_uid   ← so that it reads like this
[root@sample ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs   ← append this statement at the end of the file

Two caveats: usermod -G replaces the user's whole list of supplementary groups, so use usermod -a -G wheel CentOSpub to add wheel without dropping the others; and on a PAM-based system such as CentOS it is the pam_wheel line that enforces the restriction, while SU_WHEEL_ONLY in /etc/login.defs is consulted only by a su built without PAM, so the echo does no harm but adds nothing. After completing the steps above, create a new user and test with it: a user who is not in the wheel group and runs "su -" cannot become root even after entering the correct root password.
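The test the how-to ends with (create a user, try su) checks one user at a time. The script below is an added example, not part of the original how-to: it reads the three files the procedure touches and reports whether pam_wheel is actually uncommented, whether SU_WHEEL_ONLY is set, and who is in wheel, and it decides for a given user whether this policy lets them su. The files are passed as paths, so the checks run on a copy of /etc as well as on the live host; it assumes the group is named wheel and ignores users whose primary group is wheel.

```shell
#!/bin/sh
# Added example (not from the original how-to): verify that the wheel-only su
# configuration is in place. Each function takes file paths so the checks can
# run against the live /etc or a copied one. ASSUMPTIONS: the group is called
# "wheel" (pam_wheel's default) and membership via primary GID is not checked.

# Is there an active (uncommented) pam_wheel.so line with use_uid in pam.d/su?
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so.*use_uid' "$1"
}

# Is SU_WHEEL_ONLY yes set in login.defs? (Only honoured by a su built without PAM.)
su_wheel_only_set() {
    grep -Eq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes' "$1"
}

# List the supplementary members of the wheel group from a group file.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Can user $1 su to root under pam.d/su file $2 and group file $3?
# Without pam_wheel the answer is always yes: the root password alone suffices.
user_can_su() {
    if pam_wheel_enabled "$2"; then
        wheel_members "$3" | grep -qx "$1"
    else
        return 0
    fi
}

# Human-readable summary for the live host.
check_su_policy() {
    if pam_wheel_enabled /etc/pam.d/su; then echo "pam_wheel: enforced"; else echo "pam_wheel: NOT enforced"; fi
    if su_wheel_only_set /etc/login.defs; then echo "SU_WHEEL_ONLY: yes"; else echo "SU_WHEEL_ONLY: not set"; fi
    echo "wheel members: $(wheel_members /etc/group | tr '\n' ' ')"
}

# Manual use: . ./su_policy.sh && check_su_policy
```

Run check_su_policy after editing; "pam_wheel: NOT enforced" with a populated wheel group is the usual sign that the "#" was never removed.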
Hardening lightweight containers with SELinux and Smack
A guide to implementing secure Linux containers. Lightweight containers, also called Virtual Private Servers (VPS) or jails, are often used as a tool to confine untrusted applications or users.

But lightweight containers as built until recently did not provide sufficient security guarantees. By hardening them with an SELinux or Smack policy, more secure containers can be implemented on Linux. This article describes how to create containers protected by a Linux security module. SELinux and Smack policy development is ongoing, and help from their communities keeps improving it. When people first hear about containers, their reaction is "how do I create secure containers?". This article addresses that question by using Linux Security Modules (LSM) to strengthen container security; specifically, it shows how to set security goals and meet them with the Smack and SELinux security modules. For background on Linux containers, read "LXC: Linux container tools" (developerWorks, February 2009). A Linux container is a concept built from several Linux technologies: resource namespaces give processes, files, SysV IPC resources, network interfaces and so on inside the container their own view of names; control groups (cgroups) limit the resources a container may use; capability bounding sets limit the privileges a container can exercise. These technologies must be used together to realise the idea of a container. Two projects provide this: libvirt, a large project that creates virtual machines using the Xen hypervisor, the qemu emulator, KVM, or even lightweight containers; and liblxc, a small library and set of user-space commands whose purpose is to let kernel developers test container functionality quickly and easily. Because "LXC: Linux container tools" was written around liblxc, I continue to use liblxc here, but libvirt could easily be used to create the containers instead.

Main element 1: LSM. If you are not familiar with LSM, here is a quick overview. Wikipedia defines it as follows: Linux Security Modules (LSM) is a framework that allows the Linux kernel to support a variety of computer security models while avoiding favouritism toward any single security implementation. The framework is licensed under the GNU General Public License and has been a standard part of the Linux kernel since Linux 2.6. LSM was designed to provide everything needed to implement a mandatory access control module while making the smallest possible changes to the Linux kernel. LSM avoids the system-call interposition approach used by Systrace because it does not scale to multiprocessor kernels and is vulnerable to TOCTTOU (time-of-check-to-time-of-use, that is race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to access an important internal kernel object such as an inode or a task control block. The project narrowly focused on solving the access-control problem so as to avoid extensive and complex changes to the mainstream kernel; it is not intended as a general "hook" or "upcall" mechanism, and it does not support virtualisation. LSM's access-control goal is closely related to, but distinct from, the problem of system auditing. Auditing requires that every access attempt be recorded; LSM cannot provide that because it would need many more hooks to detect the cases where the kernel "short-circuits" a failing system call and returns an error code before reaching the important object. System security has two partly conflicting goals. The first is complete, fine-grained access control: every place where information might leak or be damaged must be controlled, and control that is too coarse is no control at all (for example, if all files must carry one type and some file must be opened, then every file is opened). On the other hand, configuration must be simple: if administrators have to manage too many access rules, that again amounts to no control.

For example, if a program needs a large number of access rules to work correctly, the administrator will simply grant the program broad access rather than test whether each rule is necessary. Linux's two basic security modules balance this tension in different ways. SELinux puts complete control over everything first and then uses a powerful policy language to simplify policy management. Smack mainly provides simple access control.

Main element 2: SELinux. SELinux is by far the best known mandatory access control (MAC) system for Linux. Although some people still oppose it, the popular Fedora distribution has shipped with SELinux deployed for several years, which is proof of its success. SELinux is configured with a modular policy language, so users can easily update the installed policy. The language also provides interfaces that express a set of low-level statements as a higher-level statement. In this article a new interface will be used to define containers. Although adding all the accesses a container needs makes the interface itself large, creating a new container with the interface is very simple. This interface is a promising candidate for inclusion in the published reference policy.

Main element 3: Smack. Smack stands for Simplified Mandatory Access Control Kernel. It labels every process, file and network flow with a simple text label; a process creates new files with its own label. There are some default access rules with clear definitions: a process can usually read and write objects that carry the same label. The privilege to bypass Smack's access rules is controlled by POSIX capabilities: a task with CAP_MAC_OVERRIDE can override the rules, and a task with CAP_MAC_ADMIN can change rules and labels. "POSIX file capabilities: Parcelling the power of root" (see Resources) explains these privileges.