This project aims to introduce you to the wonderful world of virtualization.
Share some love, star this repo buddy <3
Warning: Check thoroughly what you are configuring, I made a few last minute changes with my VM before the eval, so some configs might not be all good!
- General guidelines
- VMs
- OS
- Hostname
- Encrypted partitions
- Graphical
- sudo
- SSH
- UFW
- Password policy
- Monitoring script
- Bonus
- Eval Cheat Sheet
- The use of VirtualBox (or UTM if you can’t use VirtualBox) is mandatory.
- You only have to turn in a `signature.txt` file at the root of your repository. You must paste in it the signature of your machine’s virtual disk. Go to Submission and peer-evaluation for more information.
- During eval:
Explain simply:
- How a virtual machine works.
- The purpose of virtual machines.
- During eval:
Explain simply:
- Their choice of operating system.
- The basic differences between CentOS and Debian.
- Debian: the difference between aptitude and apt, and what AppArmor is.
The hostname of your virtual machine must be your login ending with 42 (e.g., abeznik42).
- During eval:
- Check that the hostname of the machine is correctly formatted as follows: login42 (login of the student being evaluated).
- Modify this hostname by replacing the login with the evaluator's login, then restart the machine. If on restart, the hostname has not been updated, the evaluation stops here.
- You can now restore the machine to the original hostname.
You must create at least 2 encrypted partitions using LVM. Below is an example of the expected partitioning:
- During eval:
- Show the partitions for this virtual machine.
- Compare the output with the example given in the subject. Please note: if bonuses, refer to the bonus example.
- Give a brief explanation of how LVM works and what it is all about.
- Show the partitions for this virtual machine.
Using the command `lsblk` will display the partitions.
Since it is a matter of setting up a server, you will install the minimum of services. For this reason, a graphical interface is of no use here. It is therefore forbidden to install X.org or any other equivalent graphics server.
- During eval:
- Ensure that the machine does not have a graphical environment at launch.
Deselect Desktop environment and GNOME from software selection during the install in order to get a non-GUI Debian install.
To set up a strong configuration for your sudo group, you have to comply with the following requirements:
- Authentication using sudo has to be limited to 3 attempts in the event of an incorrect password.
- A custom message of your choice has to be displayed if an error due to a wrong password occurs when using sudo.
- Each action using sudo has to be archived, both inputs and outputs. The log file has to be saved in the /var/log/sudo/ folder.
- The TTY mode has to be enabled for security reasons.
- For security reasons the paths that can be used by `sudo` must be restricted. Example: `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin`
- During eval:
- Check that the "sudo" program is properly installed on the virtual machine.
- Show assigning new user to the "sudo" group.
- The subject imposes strict rules for sudo. First explain the value and operation of sudo using examples.
- Show the implementation of the rules imposed by the subject.
- Verify that the "/var/log/sudo/" folder exists and has at least one file.
- Check the contents of the files in this folder. You should see a history of the commands used with sudo.
- Run a command via sudo. See if the file(s) in the "/var/log/sudo/" folder have been updated.
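A quick way to check the sudo rules above before the eval. This is an added example, not part of the original README; the mapping of each requirement to a sudoers `Defaults` option, the function names and the sample configuration are assumptions of the example.

```shell
# Added example (not from the original README): print which of the subject's
# sudo requirements the sudoers text on stdin does NOT meet. The mapping of
# requirements to sudoers(5) Defaults options is this example's assumption.
audit_sudoers() {
    awk '
    function emit(t,    eq, n, v) {            # record one option; last wins
        gsub(/^[ \t]+|[ \t]+$/, "", t)
        if (t == "") return
        if (substr(t, 1, 1) == "!") { opt[substr(t, 2)] = "off"; return }
        if ((eq = index(t, "=")) == 0) { opt[t] = "on"; return }
        n = substr(t, 1, eq - 1); v = substr(t, eq + 1)
        gsub(/[ \t]+$/, "", n); gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^"|"$/, "", v)
        opt[n] = v
    }
    /^[ \t]*Defaults[ \t]/ {                   # global Defaults lines only
        sub(/^[ \t]*Defaults[ \t]+/, "")
        inq = 0; tok = ""
        for (i = 1; i <= length($0); i++) {    # split on commas outside quotes
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            if (c == "#" && !inq) break
            if (c == "," && !inq) { emit(tok); tok = "" } else tok = tok c
        }
        emit(tok)
    }
    END {
        if (opt["passwd_tries"] != "3")                    print "passwd_tries"
        if (opt["badpass_message"] ~ /^(off)?$/)           print "badpass_message"
        if (index(opt["logfile"], "/var/log/sudo/") != 1)  print "logfile"
        if (opt["log_input"] != "on")                      print "log_input"
        if (opt["log_output"] != "on")                     print "log_output"
        if (index(opt["iolog_dir"], "/var/log/sudo") != 1) print "iolog_dir"
        if (opt["requiretty"] != "on")                     print "requiretty"
        if (opt["secure_path"] ~ /^(off)?$/)               print "secure_path"
    }'
}

# Constructed sample: meets every requirement except TTY mode.
sample_sudoers() {
    cat <<'EOF'
Defaults  passwd_tries=3, badpass_message="Wrong password, try again"
Defaults  logfile="/var/log/sudo/sudo.log", iolog_dir="/var/log/sudo"
Defaults  log_input, log_output
Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
EOF
}

sample_sudoers | audit_sudoers    # prints: requiretty
```

On the VM, feed it the real files: `sudo cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers`.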
An SSH service will be running on port 4242 only. For security reasons, it must not be possible to connect using SSH as root.
- During eval:
- Check that the SSH service is properly installed on the virtual machine.
- Check that it is working properly.
- Explain to you basically what SSH is and the value of using it.
- Verify that the SSH service only uses port 4242.
- Use SSH in order to log in with the newly created user.
- you can use a key or a simple password.
- make sure you cannot use SSH with the "root" user.
You have to configure your operating system with the UFW firewall (Uncomplicated FireWall) and thus leave only port 4242 open.
- During eval:
- Check that the "UFW" program is properly installed on the virtual machine.
- Check that it is working properly.
- Explain to you basically what UFW is and the value of using it.
- List the active rules in UFW. A rule must exist for port 4242.
- Add a new rule to open port 8080. Check that this one has been added by listing the active rules.
- Finally, delete this new rule with the help of the student being evaluated.
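The SSH and UFW requirements above both come down to "port 4242 only, no root login", which can be checked from tool output rather than by reading config files. This is an added example, not part of the original README; the function names and sample outputs are constructed. It reads `sshd -T` because that prints the effective settings, including defaults and files pulled in with `Include`.

```shell
# Added example (not from the original README): check that only port 4242 is
# exposed. Each function reads tool output on stdin and prints its findings;
# no output means the check passed.

# Input: `sudo sshd -T` (effective configuration, one "keyword value" per line).
audit_sshd() {
    awk '
    $1 == "port"            { ports = ports (ports == "" ? "" : ",") $2 }
    $1 == "permitrootlogin" { root = $2 }
    END {
        if (ports != "4242") print "sshd ports: " ports
        if (root != "no")    print "sshd permitrootlogin: " root
    }'
}

# Input: `sudo ufw status`.
audit_ufw() {
    awk '
    /^Status:/ { status = $2 }
    / ALLOW /  { port = $1; sub(/\/.*/, "", port)
                 if (port != "4242") print "ufw allows: " $1 }
    END        { if (status != "active") print "ufw status: " status }'
}

# Constructed samples: sshd still listens on 22 and allows root with a key;
# ufw still has the 8080 rule added during the eval.
sample_sshd() { printf 'port 22\nport 4242\npermitrootlogin prohibit-password\n'; }
sample_ufw() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
4242                       ALLOW       Anywhere
8080                       ALLOW       Anywhere
4242 (v6)                  ALLOW       Anywhere (v6)
EOF
}

sample_sshd | audit_sshd    # prints the port list and the root-login setting
sample_ufw | audit_ufw      # prints: ufw allows: 8080
```

On the VM: `sudo sshd -T | audit_sshd` and `sudo ufw status | audit_ufw`.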
To set up a strong password policy, you have to comply with the following requirements:
- Password has to expire every 30 days.
- Minimum number of days allowed before modification of a password will be set to 2.
- User has to receive a warning message 7 days before their password expires.
- Password must:
- be at least 10 characters long
- contain an uppercase letter and number
- not contain more than 3 consecutive identical characters
- not include the name of the user
- does not apply to root password: have at least 7 characters that are not part of the former password
- does apply to root password: after setting up config files, you will have to change all the passwords of the accounts present on the VM.
- During eval:
- Explain advantages of this password policy.
- Explain advantages and disadvantages of its implementation.
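The expiry values in `/etc/login.defs` are only applied to accounts created afterwards, so accounts that already exist (root and your login) have to be checked in `/etc/shadow` as well. The checks below are an added example, not part of the original README; they assume the complexity rules are enforced with `pam_pwquality`, and the function names and sample data are constructed.

```shell
# Added example (not from the original README): audit the password policy.
# Assumes pam_pwquality enforces complexity. Every function reads stdin.

# Input: /etc/login.defs. These values only seed accounts created later.
audit_login_defs() {
    awk '$1 ~ /^PASS_(MAX_DAYS|MIN_DAYS|WARN_AGE)$/ { v[$1] = $2 }
    END {
        if (v["PASS_MAX_DAYS"] != 30) print "PASS_MAX_DAYS"
        if (v["PASS_MIN_DAYS"] != 2)  print "PASS_MIN_DAYS"
        if (v["PASS_WARN_AGE"] != 7)  print "PASS_WARN_AGE"
    }'
}

# Input: /etc/shadow. Existing accounts keep their old aging fields
# (4 = min, 5 = max, 6 = warn) until they are changed with chage.
audit_shadow() {
    awk -F: '
    $2 == "" || $2 ~ /^[!*]/ { next }    # no usable password: skip
    $4 != 2 || $5 != 30 || $6 != 7 { print $1 ": min=" $4 " max=" $5 " warn=" $6 }'
}

# Input: /etc/pam.d/common-password. Prints each missing pam_pwquality option.
audit_pwquality() {
    line=$(grep 'pam_pwquality\.so' | grep -v '^[[:space:]]*#' | head -n 1 |
           tr '\t' ' ')
    for want in minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 \
                reject_username difok=7 enforce_for_root; do
        case " $line " in *" $want "*) ;; *) echo "$want" ;; esac
    done
}

# Constructed samples: "student" predates the policy; no enforce_for_root.
sample_shadow() {
    cat <<'EOF'
root:$y$constructed:19700:2:30:7:::
student:$y$constructed:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
EOF
}
sample_pam() {
    echo 'password requisite pam_pwquality.so retry=3 minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7'
}

sample_shadow | audit_shadow      # prints: student: min=0 max=99999 warn=7
sample_pam | audit_pwquality      # prints: enforce_for_root
```

An account reported by `audit_shadow` is brought in line with `sudo chage -M 30 -m 2 -W 7 <user_name>`.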
In addition to the root user, a user with your login as username has to be present. And has to belong to `sudo` and `user42` groups.
- During eval:
- A user with the login of the student being evaluated has to be already present on the virtual machine.
- Check that it has been added and that it belongs to the "sudo" and "user42" groups.
- Make sure the rules imposed in the subject concerning the password policy have been put in place by following the following steps.
- Create new user.
- Assign password of choice (respecting rules) and explain how these rules were set up. (there should be one or two modified files)
- Create a group named "evaluating" and assign it to this user.
- Finally, check that this user belongs to the "evaluating" group.
`monitoring.sh` developed in `bash`.
- At server startup, the script will display some information on all terminals every 10min (see `wall`), banner is optional, no error must be visible.
- Following information must be displayed:
- Architecture of your OS and its kernel version
- The number of physical processors.
- The number of virtual processors.
- The current available RAM on your server and its utilization rate as a percentage.
- The current available memory on your server and its utilization rate as a percentage.
- The current utilization rate of your processors as a percentage.
- The date and time of the last reboot.
- Whether LVM is active or not.
- The number of active connections.
- The number of users using the server.
- The IPv4 address of your server and its MAC (Media Access Control) address.
- The number of commands executed with the `sudo` program.
- During eval:
- How the script works, by showing the code.
- What "cron" is.
- How it was set up so that it runs every 10min.
- Ensure that this script runs every minute, make sure that the script runs with dynamic values correctly.
- Make the script stop running when the server has started up, without modifying the script itself. (you'll have to restart one last time)
- At startup, check if the script still exists in the same place, rights have remained unchanged, and not been modified.
- Example below:
Network adapter configuration
You may not be able to connect to your VM via SSH with standard settings in VirtualBox. There's a way to fix it!
- Turn off your VM
- Go to your VM settings in VirtualBox
- Network -> Adapter 1 -> Advanced -> Port forwarding
- Add new rule (little green button on right top side) and next parameters:
Protocol | Host IP | Host Port | Guest IP | Guest Port |
---|---|---|---|---|
TCP | 127.0.0.1 | 4242 | 10.0.2.15 | 4242 |
- In your host (physical) machine open Terminal and run `ssh <vmusername>@localhost -p 4242`
Now you can control your virtual machine from the host terminal.
For the eval, since you have to compare the signature.txt in your git with the signature of the VM you're doing the eval on, I made a snapshot of my VM. And I would just have to reset the initial state of the snapshot after the eval, and I would therefore have the same signature for all 3 evals. ez pz.
- `head -n 2 /etc/os-release` -> display OS
- `ss -tunlp` -> display sockets
- `lsblk` -> check partitions
- `sudo aa-status` -> AppArmor status
- `getent group sudo` -> sudo group users
- `getent group user42` -> user42 group users
- `sudo service ssh status` -> ssh status
- `sudo ufw status` -> ufw status
- `ssh username@ipadress -p 4242` -> connect to VM from your host (physical) machine via SSH
- `sudo visudo` -> sudo policy
- `nano /etc/login.defs` -> password expire policy
- `nano /etc/pam.d/common-password` -> password policy
- `sudo crontab -l` -> cron schedule
How to add a new user?
sudo adduser <user_name>
How to create a new group?
sudo addgroup <group_name>
How to add a user to a group?
sudo usermod -aG <group_name> <user_name>
How to change hostname?
hostnamectl set-hostname <server_name>
Then connect to the server via ssh (`ssh username@ipadress -p 4242`); you should see that the hostname has changed, but we still need to edit this file:
sudo nano /etc/hosts
And change the line with the former hostname to the new hostname. You can then reboot (`sudo reboot`) and the hostname should still be the new one.
Where are the sudo logs in /var/log/sudo?
cd /var/log/sudo/00/00
ls
You will see a lot of directories with names like 01 2B 9S 4D etc. They contain the logs we need.
sudo apt update
ls
sudo echo hey
Now you see that we have a new directory here.
cd <nameofnewdirectory> && ls
How to add and remove port 8080 in UFW?
sudo ufw allow 8080          # allow
sudo ufw status              # check
sudo ufw delete allow 8080   # delete
How to run script every 30 seconds?
sudo crontab -e
Remove or comment out the previous cron "schedule" and add the next lines in the crontab file:
*/1 * * * * /path/to/monitoring.sh
*/1 * * * * sleep 30s && /path/to/monitoring.sh
To stop the script running on boot, you just need to remove or comment out the
@reboot /path/to/monitoring.sh
line in crontab file.