[CentOS] securing web applications (Wiki CMS installation)

Tue Feb 12 17:01:46 UTC 2008
kfx <kadafax at gmail.com>

mouss wrote:
> Johnny Hughes wrote:
>> Simon Jolle wrote:
>>> 2008/2/11, James A. Peltier <jpeltier at cs.sfu.ca>:
>>>> This is a very broad question to ask, however, I will appeal to the 
>>>> basics.
>>>>
>>>> 1) Use HTTPS whenever possible to avoid any passwords crossing the
>>>> wire in clear text.
>>>>
>>>> 2) Ensure only the necessary modules are installed or enabled for your
>>>> CMS to operate.
>>>>
>>>> 3) Always think least permissions necessary to perform the task
>>>>
>>>> 4) Ensure that MySQL is locked down with least permissions necessary.
>>>> At the very least after you've installed MySQL make sure to run the
>>>> secure-mysql-installation script to assign a password to the MySQL
>>>> root user and lock down some of the basic tables.
>>>>
>>>> Each system is different and you should follow the guidelines outlined
>>>> by the CMS to properly secure.  If you are not sure of what you are
>>>> deploying, that's kinda scary, you should be wary of that and tread
>>>> lightly.
>>>
>>> thank you
>>>
>>> I will deploy Wikka Wiki [0] - there are no explicit security settings
>>> or guidelines
>>>
>>> How to harden Apache and PHP (without using SELinux)?
>>
>> SELinux is the "best" hardening step available for securing RH based
>> php/httpd/mysql stacks (IMHO) ... why are you taking it off the table ???
>
> Let me try:
>
> - because it's too much? complexity is the enemy of security. lack of
> adequate documentation is the enemy of usability. I couldn't find
> simple directions on how to make a service work correctly in presence 
> of selinux (except disabling it).
---------
# Activate auditd so that AVC denials get logged to /var/log/audit/audit.log
chkconfig auditd on && /etc/init.d/auditd start

# Start apache and do your stuff to generate messages in audit.log

# Reset the labels under the web root to what the policy expects
restorecon -R /var/www/

# Build a local policy module from the logged denials
# (writes rule-name.te and the compiled rule-name.pp in the current directory)
audit2allow -M rule-name < /var/log/audit/audit.log

# Load the module into the running policy
semodule -i rule-name.pp
---------

You should read (and maybe modify) the file "rule-name.te", which is
created by the audit2allow command, before running the semodule command.
It is not really the correct way to do it, as it is likely going to open too
much stuff. It's just to show you that you can live with selinux enabled.
Keep in mind that selinux can save you time.

Regards,
kfx


> all docs I've seen place the discussion in a meta-world and require 
> spending time understanding terminology and concepts that I am not 
> sure to find useful.
>
> - because it doesn't secure apache/php. it secures the system against
> apache (to some extent) but doesn't help securing apache itself.
>
>
>>
>> besides SELinux, you might want to look at php-suhosin:
>>
>> http://www.hughesjr.com/content/view/21/1/
>
> It would be nice if RH included this by default...
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
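As an added example (not from the original post, and not part of audit2allow or any other tool named in the thread): a small Python script that does the "read the .te before semodule -i" step, parsing the allow rules of a module like rule-name.te and flagging the ones that deserve a second look. The module text and the risk heuristics are constructed assumptions, not policy facts.

```python
"""Review an audit2allow-generated .te file before semodule -i installs it.
Added example, not from the thread: the module text below is constructed,
and the risk heuristics are assumptions to adapt to your own policy."""
import re

# Constructed sample of what audit2allow -M rule-name might write to rule-name.te
SAMPLE_TE = """
require {
    type httpd_t; type httpd_sys_content_t; type httpd_log_t;
    type shell_exec_t; type shadow_t; type mysqld_port_t;
    class file { read write append execute execute_no_trans };
    class dir { write add_name }; class tcp_socket name_connect;
    class process { execmem execstack };
}
allow httpd_t httpd_log_t:file append;
allow httpd_t httpd_sys_content_t:dir { write add_name };
allow httpd_t httpd_sys_content_t:file write;
allow httpd_t shell_exec_t:file { execute execute_no_trans };
allow httpd_t shadow_t:file read;
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t self:process { execmem execstack };
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);", re.M)
# Heuristics (assumed, not policy facts): grants a reviewer should not wave through.
RISKY_TYPES = {"shadow_t", "shell_exec_t", "bin_t", "etc_t", "unconfined_t"}
RISKY_PERMS = {"execmem", "execstack", "execheap", "execute_no_trans", "transition"}

def parse_allow_rules(te_text):
    """Return (source, target, class, perms) for every allow rule in the module."""
    return [(src, tgt, cls, frozenset(perms.strip("{} ").split()))
            for src, tgt, cls, perms in ALLOW_RE.findall(te_text)]

def review_rules(rules):
    """Return the rules worth questioning as ((src, tgt, cls), reason) pairs."""
    findings = []
    for src, tgt, cls, perms in rules:
        bad = perms & RISKY_PERMS
        if tgt in RISKY_TYPES:
            reason = "sensitive target type %s" % tgt
        elif bad:
            reason = "dangerous permission(s) %s" % ", ".join(sorted(bad))
        elif cls == "tcp_socket" and "name_connect" in perms:
            reason = "network access; look for a setsebool alternative first"
        elif tgt.endswith("_content_t") and "write" in perms:
            reason = "writes to content; relabel the writable directory instead"
        else:
            continue  # e.g. appending to its own log file: expected for httpd
        findings.append(((src, tgt, cls), reason))
    return findings
```

Run review_rules(parse_allow_rules(open("rule-name.te").read())) on the real module and only the rules that come back empty are safe to load as-is; everything flagged needs a relabel, a boolean, or a conscious decision instead.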