Wednesday, May 27, 2015

Solaris 11: quick setup of AMP (Apache, MySQL, PHP)



  • Install and inspect the AMP package



root@s11:/# pkg info -r group/feature/amp
          Name: group/feature/amp
       Summary: AMP (Apache, MySQL, PHP) Deployment Kit for Oracle Solaris
   Description: Provides a set of components for deployment of an AMP (Apache,
                MySQL, PHP) stack on Oracle Solaris
      Category: Meta Packages/Group Packages (org.opensolaris.category.2008)
                Web Services/Application and Web Servers (org.opensolaris.category.2008)
         State: Installed
     Publisher: solaris
       Version: 0.5.11
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.0
Packaging Date: September  4, 2012 06:03:28 PM
          Size: 5.46 kB
          FMRI: pkg://solaris/group/feature/amp@0.5.11,5.11-0.175.1.0.0.24.0:20120904T180328Z
root@s11:/#
root@s11:/# svcadm enable apache22
root@s11:/# svcs | grep apache
online 18:16:02 svc:/network/http:apache22
root@s11:/# cd /var/apache2/2.2/htdocs
root@s11:/# cd /var/apache2
root@s11:/var/apache2/2.2# cd htdocs
root@s11:/var/apache2/2.2/htdocs# ls -al
total 16
drwxr-xr-x 2 root bin 6 May 27 18:21 .
drwxr-xr-x 9 root bin 9 Sep 20 2012 ..
-r--r--r-- 1 root bin 377 Sep 20 2012 favicon.gif
-r--r--r-- 1 root bin 1406 Sep 20 2012 favicon.ico
-r--r--r-- 1 root bin 44 Sep 20 2012 index.html
-rw-r--r-- 1 root root 68 May 27 18:21 phpinfo.php
root@s11:/var/apache2/2.2/htdocs#

  • Open a browser and check whether the Apache server is working

  • Create a phpinfo.php file to check whether PHP is working
root@s11:/var/apache2/2.2/htdocs# cat phpinfo.php
<?php

// Show all information, defaults to INFO_ALL
phpinfo();

?>
root@s11:/var/apache2/2.2/htdocs#

  • Configure MySQL

root@s11:/# svcs -a | grep mysql
disabled       17:36:09 svc:/application/database/mysql:version_51
root@s11:/# svcadm enable mysql
root@s11:/# svcs -a | grep mysql
online         18:43:38 svc:/application/database/mysql:version_51

  • Check that the mysql user and group exist


root@s11:/usr/mysql/5.1/bin# cat /etc/passwd | grep mysql
mysql:x:70:70:MySQL Reserved UID:/:
root@s11:/usr/mysql/5.1/bin# cat /etc/group | grep mysql
mysql::70:

# /usr/bin/mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.


Enter the root password; if none has been set yet, just press Enter.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.


# Whether to set the root password

Set root password? [Y/n] y
New password: abc123
Re-enter new password: abc123
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.


Remove the anonymous users

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.


# Whether to disable remote root login

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.


# Whether to remove the test database

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!


Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.


# Whether to reload the privilege tables

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...



All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
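The answers given to mysql_secure_installation above can be verified afterwards by reading the account and database lists back out of the server. This is an added example, not part of the original post: the function names mysql_user_findings and mysql_db_findings are mine, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the four answers
# given to mysql_secure_installation really took effect, by inspecting the
# account list the way an auditor would. On a real server feed it with
#   mysql -N -B -u root -p -e "SELECT User, Host FROM mysql.user" | mysql_user_findings
#   mysql -N -B -u root -p -e "SHOW DATABASES" | mysql_db_findings
tab="$(printf '\t')"

# Input: one "User<TAB>Host" line per account (what mysql -N -B prints).
# Prints one finding per line, nothing when the account list is clean.
mysql_user_findings() {
    while IFS= read -r line; do
        case "$line" in *"$tab"*) ;; *) continue ;; esac   # skip malformed lines
        user=${line%%"$tab"*}
        host=${line#*"$tab"}
        if [ -z "$user" ]; then
            echo "anonymous account allowed from '$host' ('Remove anonymous users' not applied)"
        fi
        if [ "$user" = "root" ]; then
            case "$host" in
                localhost|127.0.0.1|::1) ;;   # local-only root is the expected state
                *) echo "root may log in remotely from '$host' ('Disallow root login remotely' not applied)" ;;
            esac
        fi
    done
}

# Input: one database name per line. Flags the default test schema and any
# test_* schema, which MySQL 5.1 grants every account access to by default.
mysql_db_findings() {
    while IFS= read -r db; do
        case "$db" in
            test|test_*) echo "database '$db' still present ('Remove test database' not applied)" ;;
        esac
    done
}

# Constructed sample (not real server output): only the root password was set,
# the other three questions were answered 'n'.
sample_users="root${tab}localhost
root${tab}s11
${tab}localhost
${tab}s11"
printf '%s\n' "$sample_users" | mysql_user_findings
printf 'information_schema\nmysql\ntest\n' | mysql_db_findings
```

Passing the password on the command line as -pabc123 (as in the second mysqlshow call) makes it visible to every local user through ps; the interactive -p prompt used in the first call avoids that.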

  • View the databases

root@s11:/usr/mysql/5.1/bin#  ./mysqlshow -p
Enter password: 
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| mysql              |
+--------------------+
root@s11:/usr/mysql/5.1/bin#  ./mysqlshow -pabc123 (abc123 is the password)
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| mysql              |
+--------------------+


  • Log in to the MySQL database

root@s11:/usr/mysql/5.1/bin# ./mysql  -u root -pabc123
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.1.37 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
+--------------------+
2 rows in set (0.01 sec)

Use the mysql database
mysql> use mysql;
Database changed

List the tables in the mysql database

mysql> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
23 rows in set (0.00 sec)

mysql> quit

Wednesday, May 6, 2015

Solaris: configuring audit


  • Show the preselected classes for attributable events

root@s11:/var/audit# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)


  • Show the preselected classes for non-attributable events

root@s11:/etc/security# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)


  • Show the audit policy

root@s11:/etc/security# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt


  • Show plugin information

root@s11:/etc/security# auditconfig -getplugin
Plugin: audit_binfile (active)        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_syslog (inactive)        Attributes: p_flags=
Plugin: audit_remote (inactive)        Attributes: p_hosts=;p_retries=3;p_timeout=5


  • Show the audit queue controls

root@s11:/etc/security# auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
root@s11:/etc/security#


  • Show per-user audit settings
root@s11:/etc/security# who
root       pts/1         5月  5日 18:15  (172.16.37.211)
mds        pts/2         5月  5日 18:49  (172.16.37.211)
root@s11:/etc/security# userattr audit_flags root
lo:no
root@s11:/etc/security# userattr audit_flags mds
root@s11:/etc/security#


  • Verify that auditing is running


root@s11:/var/audit# auditconfig -getcond
audit condition = auditing

root@s11:/var/audit# audit -v
configuration ok

Definition of the audit flags


Short name  Long name        Short description
no          no_class         Null value for turning off event preselection
fr          file_read        Read of data, open for reading
fw          file_write       Write of data, open for writing
fa          file_attr_acc    Access of object attributes: stat, pathconf
fm          file_attr_mod    Change of object attributes: chown, flock
fc          file_creation    Creation of object
fd          file_deletion    Deletion of object
cl          file_close       close system call
pc          process          Process operations: fork, exec, exit
nt          network          Network events: bind, connect, accept
ip          ipc              System V IPC operations
na          non_attrib       Nonattributable events
ad          administrative   Administrative actions
lo          login_logout     Login and logout events
ap          application      Application-defined event
io          ioctl            ioctl system call
ex          exec             Program execution
ot          other            Miscellaneous
all         all              All flags set

New audit classes have been added; the ft audit class contains the file transfer audit events.

Recommended settings:
To enforce these settings, use the following commands:
# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s

# rolemod -K audit_flags=lo,ad,ft,ex:no root

PS. To keep the audit log from growing so large that it is hard to read, close the current audit log every hour and open a new one:

# EDITOR=ed crontab -e root << END_CRON
a
0 * * * * /usr/sbin/audit -n
w
q
END_CRON

# chown root:root /var/audit
# chmod 750 /var/audit
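The recommended flags, policy and plugin state above can be checked against the output of the auditconfig queries shown earlier in this post. This is an added example, not part of the original post: the function names audit_value, audit_check and audit_check_plugin are mine, and the sample output is constructed from the default state shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: compare auditconfig output with
# the recommended settings above (flags lo,ad,ft,ex; non-attributable flags lo;
# policy cnt,argv,zonename; audit_binfile plugin active). On Solaris run e.g.
#   auditconfig -getflags   | audit_check "configured user default audit flags" lo ad ft ex
#   auditconfig -getnaflags | audit_check "configured non-attributable audit flags" lo
#   auditconfig -getpolicy  | audit_check "configured audit policies" cnt argv zonename
#   auditconfig -getplugin  | audit_check_plugin audit_binfile
# Below it runs over constructed sample output, so it works on any POSIX sh.

# Print the comma-separated value of the "$1 = ..." line read from stdin,
# with the (mask,mask) suffix that auditconfig appends to the flags removed.
audit_value() {
    sed -n "s/^$1 = //p" | sed 's/([^)]*)//g'
}

# Print one line per required item ($2...) missing from the "$1" line;
# print nothing when the configuration already contains all of them.
audit_check() {
    label=$1; shift
    have=$(audit_value "$label")
    for want in "$@"; do
        case ",$have," in
            *",$want,"*) ;;
            *) echo "$label: missing '$want' (have: ${have:-none})" ;;
        esac
    done
}

# Report when the named plugin is not marked "(active)" in -getplugin output.
audit_check_plugin() {
    grep -q "^Plugin: $1 (active)" || echo "plugin $1 is not active"
}

# Constructed sample: the default state shown in the post, before the
# recommended auditconfig -set* commands were applied.
sample='configured user default audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
configured audit policies = cnt
Plugin: audit_binfile (active)        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_syslog (inactive)        Attributes: p_flags='
printf '%s\n' "$sample" | audit_check "configured user default audit flags" lo ad ft ex
printf '%s\n' "$sample" | audit_check "configured non-attributable audit flags" lo
printf '%s\n' "$sample" | audit_check "configured audit policies" cnt argv zonename
printf '%s\n' "$sample" | audit_check_plugin audit_binfile
```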

View the audit log
# praudit xxxxxxx

Enabling and disabling audit

root@s11:~# audit -t    (disable)
root@s11:~# auditconfig -getcond
audit condition = noaudit
root@s11:~# audit -s    (enable)
root@s11:~# auditconfig -getcond
audit condition = auditing

Clean up the old not_terminated file.
# auditreduce -O system-name old-not-terminated-file
root@s11:/var/audit# auditreduce -O s11 20150505092159.not_terminated.s11.1

DEMO:

Create an account: johnny

Pull the audit records for the account johnny

References:
http://www.oracle.com/technetwork/articles/servers-storage-admin/sol-audit-quick-start-1942928.html#Custom


Tuesday, May 5, 2015

Solaris 11: granting a newly created user permission to su


  • A regular user logs in and wants to switch to root


login as: mds
Using keyboard-interactive authentication.
Password:
Last login: Tue Jan 13 16:21:07 2015 from 172.16.37.211
Oracle Corporation      SunOS 5.11      11.1    May 2014
-bash-4.1$ su -
Password:
Roles can only be assumed by authorized users

  • Log in with root privileges first.
root@LDAPc25:~# usermod -R root mds
UX: usermod: mds is currently logged in, some changes may not take effect until next login. 


  • Takes effect at the next login

login as: mds
Using keyboard-interactive authentication.
Password:
Last login: Wed May  6 10:22:15 2015 from 172.16.37.211
Oracle Corporation      SunOS 5.11      11.1    May 2014
-bash-4.1$ su -
Password:
Oracle Corporation      SunOS 5.11      11.1    May 2014
root@LDAPc25:~#
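Because root is a role in Solaris 11, the set of accounts that can su to it is exactly the set that has been granted the role with usermod -R, which user_attr(4) records as a roles= attribute. This is an added example, not part of the original post: the function name role_holders is mine, and the user_attr lines below are a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post: list every account that has
# been granted a role, by reading user_attr(4)-format lines. On Solaris:
#   role_holders root < /etc/user_attr
# and cross-check a single user with "userattr roles <user>".

# $1 is the role to look for (default root). Input lines have the form
#   user:qualifier:res1:res2:key=value;key=value
# and the roles attribute is a comma-separated list, e.g. roles=oper,root.
role_holders() {
    role=${1:-root}
    awk -F: -v role="$role" '
        /^#/ || NF < 5 { next }                 # comments and malformed lines
        {
            attr = $5                           # rejoin attr text that contained ":"
            for (k = 6; k <= NF; k++) attr = attr ":" $k
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                if (substr(kv[i], 1, 6) != "roles=") continue
                m = split(substr(kv[i], 7), rs, ",")
                for (j = 1; j <= m; j++)
                    if (rs[j] == role) print $1
            }
        }'
}

# Constructed user_attr sample: root is a role (the Solaris 11 default),
# mds received it through "usermod -R root mds", jdoe holds two roles.
sample='# constructed sample, not a real /etc/user_attr
root::::type=role;auths=solaris.*;profiles=All;lock_after_retries=no
mds::::roles=root
jdoe::::profiles=Basic Solaris User;roles=oper,root
guest::::roles=oper'
printf '%s\n' "$sample" | role_holders root
```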