ArthurBeznik/42_codam_Born2beRoot

Born2beRoot - 42 Codam project

This project aims to introduce you to the wonderful world of virtualization.

Share some love, star this repo buddy <3

Warning: Check thoroughly what you are configuring, I made a few last minute changes with my VM before the eval, so some configs might not be all good!

Subject / Eval sheet

General guidelines

  • The use of VirtualBox (or UTM if you can’t use VirtualBox) is mandatory.
  • You only have to turn in a signature.txt file at the root of your repository. You must paste in it the signature of your machine’s virtual disk. Go to Submission and peer-evaluation for more information.

VMs

  • During eval: Explain simply:
    • How a virtual machine works.
    • The purpose of virtual machines.

OS: Debian

  • During eval: Explain simply:
    • Their choice of operating system.
    • The basic differences between CentOS and Debian.
    • Debian: the difference between aptitude and apt, and what AppArmor is.

Hostname

The hostname of your virtual machine must be your login ending with 42 (e.g., abeznik42).

  • During eval:
    • Check that the hostname of the machine is correctly formatted as follows: login42 (login of the student being evaluated).
    • Modify this hostname by replacing the login with evaluator's login, then restart the machine. If on restart, the hostname has not been updated, the evaluation stops here.
    • You can now restore the machine to the original hostname.

Encrypted partitions

You must create at least 2 encrypted partitions using LVM. Below is an example of the expected partitioning:

[Screenshot: example of the expected partitioning]

  • During eval:
    • Show the partitions for this virtual machine.
      • Compare the output with the example given in the subject. Please note: if bonuses, refer to the bonus example.
    • Give a brief explanation of how LVM works and what it is all about.

Using the command lsblk will display the partitions.


No graphical interface

Since it is a matter of setting up a server, you will install the minimum of services. For this reason, a graphical interface is of no use here. It is therefore forbidden to install X.org or any other equivalent graphics server.

  • During eval:
    • Ensure that the machine does not have a graphical environment at launch.

Deselect Desktop environment and GNOME from software selection during the install in order to get a non-GUI Debian install.


sudo

To set up a strong configuration for your sudo group, you have to comply with the following requirements:

  • Authentication using sudo has to be limited to 3 attempts in the event of an incorrect password.
  • A custom message of your choice has to be displayed if an error due to a wrong password occurs when using sudo.
  • Each action using sudo has to be archived, both inputs and outputs. The log file has to be saved in the /var/log/sudo/ folder.
  • The TTY mode has to be enabled for security reasons.
  • For security reasons the paths that can be used by sudo must be restricted. Example: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
  • During eval:
    • Check that the "sudo" program is properly installed on the virtual machine.
    • Show assigning new user to the "sudo" group.
    • The subject imposes strict rules for sudo. First explain the value and operation of sudo using examples.
    • Show the implementation of the rules imposed by the subject.
    • Verify that the "/var/log/sudo/" folder exists and has at least one file.
      • Check the contents of the files in this folder. You should see a history of the commands used with sudo.
    • Run a command via sudo. See if the file(s) in the "/var/log/sudo/" folder have been updated.
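
One way to verify the sudo rules above, as an added example that is not part of the original README: the script checks a sudoers file for the matching Defaults options from sudoers(5). The function names, the sample file contents and the use of logfile/iolog_dir under /var/log/sudo are assumptions.

```sh
# Added example, not the repository's code: audit a sudoers file against the
# subject's rules. Option names come from sudoers(5); the sample is constructed.

# has_default FILE REGEX: true when an uncommented global "Defaults" line sets
# the option. It must follow whitespace or a comma, so "!requiretty" is a miss.
has_default() {
    grep -Eq "^[[:space:]]*Defaults([[:space:]]+|[[:space:]].*[,[:space:]])$2" "$1"
}

# audit_sudoers FILE: prints each missing rule, leaves the count in $missing,
# returns 0 only when all seven rules are present.
audit_sudoers() {
    missing=0
    while IFS=: read -r label regex; do
        has_default "$1" "$regex" && continue
        echo "MISSING: $label"
        missing=$((missing + 1))
    done <<'RULES'
3 password attempts:passwd_tries=3([^0-9]|$)
custom bad-password message:badpass_message=
logs under /var/log/sudo:(logfile|iolog_dir)="?/var/log/sudo
input logging:log_input
output logging:log_output
TTY required:requiretty
restricted PATH:secure_path=
RULES
    [ "$missing" -eq 0 ]
}

# write_sample FILE: a constructed sudoers fragment that satisfies every rule
write_sample() {
    cat > "$1" <<'EOF'
Defaults passwd_tries=3
Defaults badpass_message="Wrong password, try again."
Defaults logfile="/var/log/sudo/sudo.log"
Defaults log_input,log_output
Defaults iolog_dir="/var/log/sudo"
Defaults requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/good"
sed -e 's/tries=3/tries=5/' -e 's/ requiretty/ !requiretty/' "$tmp/good" > "$tmp/weak"
audit_sudoers "$tmp/good" && echo "good: all rules present"
audit_sudoers "$tmp/weak" || echo "weak: $missing rule(s) missing"
rm -rf "$tmp"
```

On the VM, run audit_sudoers as root against the file you edit with sudo visudo.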

SSH service

An SSH service will be running on port 4242 only. For security reasons, it must not be possible to connect using SSH as root.

  • During eval:
    • Check that the SSH service is properly installed on the virtual machine.
    • Check that it is working properly.
    • Explain what SSH is and the value of using it.
    • Verify that the SSH service only uses port 4242.
    • Use SSH in order to log in with the newly created user.
      • you can use a key or a simple password.
      • make sure you cannot use SSH with the "root" user.
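
A static check of the two SSH rules above, as an added example that is not part of the original README: it reads an sshd_config file and applies sshd's first-value-wins parsing. The function names and sample files are assumptions, and it assumes whitespace-separated keywords with no Include files.

```sh
# Added example, not the repository's code: check an sshd_config file for
# "port 4242 only" and "no root login". Sample files are constructed.

# sshd_ports FILE: every port named on an uncommented Port line, sorted.
# Port may be given several times, and sshd then listens on all of them.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1" | sort -u
}

# sshd_first FILE KEYWORD: sshd keeps the first value it reads for a keyword,
# so print only the first global occurrence (stop at the first Match block).
sshd_first() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }' "$1"
}

# check_sshd FILE: prints each failed rule, returns 0 only if both hold
check_sshd() {
    rc=0
    [ "$(sshd_ports "$1")" = 4242 ] ||
        { echo "FAIL: Port must be 4242 and nothing else"; rc=1; }
    # An absent PermitRootLogin falls back to prohibit-password, which still
    # lets root log in with a key, so an explicit "no" is required.
    [ "$(sshd_first "$1" PermitRootLogin)" = no ] ||
        { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    return "$rc"
}

d=$(mktemp -d)
printf 'Port 4242\nPermitRootLogin no\n' > "$d/good"
printf 'Port 4242\nPort 22\nPermitRootLogin no\n' > "$d/two_ports"
printf 'Port 4242\nPermitRootLogin yes\nPermitRootLogin no\n' > "$d/shadowed"
for f in good two_ports shadowed; do
    if check_sshd "$d/$f" >/dev/null; then echo "$f: ok"; else echo "$f: rejected"; fi
done
rm -rf "$d"
```

On the VM itself, sudo sshd -T prints the effective configuration, including Include files, and ss -tunlp shows the port sshd is actually listening on.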

UFW firewall

You have to configure your operating system with the UFW firewall (Uncomplicated FireWall) and thus leave only port 4242 open.

  • During eval:
    • Check that the "UFW" program is properly installed on the virtual machine.
    • Check that it is working properly.
    • Explain what UFW is and the value of using it.
    • List the active rules in UFW. A rule must exist for port 4242.
    • Add a new rule to open port 8080. Check that this one has been added by listing the active rules.
    • Finally, delete this new rule with the help of the student being evaluated.

Strong password policy

To set up a strong password policy, you have to comply with the following requirements:

  • Password has to expire every 30 days.
  • Minimum number of days allowed before modification of a password will be set to 2.
  • User has to receive a warning message 7 days before their password expires.
  • Password must:
    • be at least 10 characters long
    • contain an uppercase letter and number
    • not contain more than 3 consecutive identical characters
    • not include the name of the user
    • does not apply to root password: have at least 7 characters that are not part of the former password
    • does apply to root password: after setting up config files, you will have to change all the passwords of the accounts present on the VM.
  • During eval:
    • Explain advantages of this password policy.
    • Explain advantages and disadvantages of its implementation.
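
A check of the password-policy files, as an added example that is not part of the original README. It assumes the complexity rules are enforced with pam_pwquality in /etc/pam.d/common-password, which the page does not name; the function names and sample files are also assumptions.

```sh
# Added example, not the repository's code: audit login.defs and the PAM
# password stack. Assumes pam_pwquality; sample files are constructed.

# login_def FILE KEY: print the value on the uncommented KEY line
login_def() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# pwq_has FILE OPTION: true if the pam_pwquality.so line carries OPTION
# exactly (so minlen=100 does not pass for minlen=10)
pwq_has() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_pwquality\.so' "$1" |
        tr -s '[:space:]' '\n' | grep -qxF -- "$2"
}

# audit_policy LOGIN_DEFS COMMON_PASSWORD: prints failures, count in $fails
audit_policy() {
    fails=0
    for kv in PASS_MAX_DAYS=30 PASS_MIN_DAYS=2 PASS_WARN_AGE=7; do
        [ "$(login_def "$1" "${kv%%=*}")" = "${kv#*=}" ] && continue
        echo "FAIL login.defs: want ${kv%%=*} ${kv#*=}"; fails=$((fails + 1))
    done
    # minlen: length; ucredit/dcredit: uppercase and digit; maxrepeat: runs;
    # reject_username: no login name; difok: new characters; then root too
    for opt in minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username \
               difok=7 enforce_for_root; do
        pwq_has "$2" "$opt" && continue
        echo "FAIL common-password: missing $opt"; fails=$((fails + 1))
    done
    [ "$fails" -eq 0 ]
}

# write_samples DIR: constructed files that satisfy the whole policy
write_samples() {
    printf 'PASS_MAX_DAYS\t30\nPASS_MIN_DAYS\t2\n#PASS_WARN_AGE 14\nPASS_WARN_AGE\t7\n' \
        > "$1/login.defs"
    printf '%s\n' 'password requisite pam_pwquality.so retry=3 minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root' \
        > "$1/common-password"
}

d=$(mktemp -d)
write_samples "$d"
audit_policy "$d/login.defs" "$d/common-password" && echo "compliant"
sed 's/minlen=10/minlen=8/' "$d/common-password" > "$d/weak-password"
audit_policy "$d/login.defs" "$d/weak-password" || echo "$fails rule(s) failed"
rm -rf "$d"
```

The login.defs ageing values apply only to accounts created afterwards; existing accounts, root included, keep their old ageing until it is changed with chage.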

User

In addition to the root user, a user with your login as username has to be present, and has to belong to the sudo and user42 groups.

  • During eval:
    • A user with the login of the student being evaluated has to be already present on the virtual machine.
      • Check that it has been added and that it belongs to the "sudo" and "user42" groups.
    • Make sure the rules imposed in the subject concerning the password policy have been put in place by following the following steps.
      • Create new user.
      • Assign password of choice (respecting rules) and explain how these rules were set up. (there should be one or two modified files)
      • Create a group named "evaluating" and assign it to this user.
        • Finally, check that this user belongs to the "evaluating" group.

Monitoring script

  • monitoring.sh developed in bash.
  • At server startup, the script will display some information on all terminals every 10min (see wall), banner is optional, no error must be visible.
  • Following information must be displayed:
    • Architecture of your OS and its kernel version
    • The number of physical processors.
    • The number of virtual processors.
    • The current available RAM on your server and its utilization rate as a percentage.
    • The current available memory on your server and its utilization rate as a percentage.
    • The current utilization rate of your processors as a percentage.
    • The date and time of the last reboot.
    • Whether LVM is active or not.
    • The number of active connections.
    • The number of users using the server.
    • The IPv4 address of your server and its MAC (Media Access Control) address.
    • The number of commands executed with the sudo program.
  • During eval:
    • How the script works, by showing the code.
    • What "cron" is.
    • How it was set up so that it runs every 10min.
    • Ensure that this script runs every minute, make sure that the script runs with dynamic values correctly.
    • Make the script stop running when the server has started up, without modifying the script itself. (you'll have to restart one last time)
    • At startup, check if the script still exists in the same place, rights have remained unchanged, and not been modified.
  • Example below:

[Screenshot: example output of monitoring.sh]


Bonus (work in progress)

Network adapter configuration

You may not be able to connect to your VM via SSH with standard settings in VirtualBox. There's a way to fix it!

  1. Turn off your VM
  2. Go to your VM settings in VirtualBox
  3. Network -> Adapter 1 -> Advanced -> Port forwarding
  4. Add a new rule (little green button on the top right) with the following parameters:

     Protocol | Host IP   | Host Port | Guest IP  | Guest Port
     TCP      | 127.0.0.1 | 4242      | 10.0.2.15 | 4242

  5. On your host (physical) machine, open Terminal and run:

     ssh <vmusername>@localhost -p 4242

Now you can control your virtual machine from the host terminal.

Eval Cheat Sheet

For the eval, since you have to compare the signature.txt in your git with the signature of the VM you're doing the eval on, I made a snapshot of my VM. And I would just have to reset the initial state of the snapshot after the eval, and I would therefore have the same signature for all 3 evals. ez pz.

  1. head -n 2 /etc/os-release -> display OS
  2. ss -tunlp -> display sockets
  3. lsblk -> check partitions
  4. sudo aa-status -> AppArmor status
  5. getent group sudo -> sudo group users
  6. getent group user42 -> user42 group users
  7. sudo service ssh status -> ssh status
  8. sudo ufw status -> ufw status
  9. ssh username@ipaddress -p 4242 -> connect to VM from your host (physical) machine via SSH
  10. sudo visudo -> sudo policy
  11. nano /etc/login.defs -> password expire policy
  12. nano /etc/pam.d/common-password -> password policy
  13. sudo crontab -l -> cron schedule

How to add a new user?

sudo adduser <user_name>

How to create a new group?

sudo addgroup <group_name>

How to add a user to a group?

sudo usermod -aG <group_name> <user_name>

How to change hostname?

hostnamectl set-hostname <server_name>

Then connect to the server via SSH (ssh username@ipaddress -p 4242). You should see that the hostname has changed, but we still need to edit this file:

sudo nano /etc/hosts

And change the line with the former hostname to the new hostname. You can then reboot (sudo reboot) and the hostname should still be the new one.

Where are the sudo logs in /var/log/sudo?

cd /var/log/sudo/00/00
ls

You will see a lot of directories with names like 01 2B 9S 4D etc. They contain the logs we need.

sudo apt update
ls
sudo echo hey

Now you see that we have a new directory here.

cd <nameofnewdirectory> && ls

How to add and remove port 8080 in UFW?

sudo ufw allow 8080         # allow
sudo ufw status             # check
sudo ufw delete allow 8080  # delete

How to run script every 30 seconds?

sudo crontab -e

Remove or comment out the previous cron schedule and add the following lines to the crontab file:

*/1 * * * * /path/to/monitoring.sh
*/1 * * * * sleep 30s && /path/to/monitoring.sh

To stop the script from running at boot, you just need to remove or comment out the

@reboot /path/to/monitoring.sh

line in crontab file.


That's all folks!
