Final Essay Example | Topics and Well Written Essays - 500 words - 17

Final - Essay Example Then, in an essay that synthesizes at least four of the six provided sources for support, take a position that qualifies the claim that GMO should be discouraged because it is a probable health risk and an environmental hazard. This article presents an assessment of the effect GMO technology is having on global agriculture from both economic and environmental perspectives. The article seems to assert that there could be a possibility of having positive economic impact when all factors are put into consideration. This source is significantly resourceful in presenting counterargument when discussing the negative impacts of GMO technology. This article highlights some of the widely argued biomedical risks of GM foods such as potential allergenicity, and most importantly, horizontal gene transfer. The source also discusses the environmental side effects on biodiversity. Since the source also discusses the benefits of the first generation of GM foods, then a good comparison can be made from the same source. This source gives a clear list of reasons why GMOs should not be used. The article highlights little knowledge on GMOs as one of the issues challenging use of GMOs. Increased pesticide use is also a notable cause for alarm on use of GMO. This source gives a quick peek. However, it offers a good start into more indepth research

Personality Impact Paper Essay Example for Free

Personality Impact Paper Essay In order for managers and employees to effectively get along in the workplace they must first learn how to understand and appreciate one another. The Journal of Adlerian Theory published an article discussing the various personalities’ styles in the workplace. The report states that being able to recognize characters from in workers and managers is important for those who lead or manage as others as well as for those who consult or treat workers and leaders (page 2). The purpose of this paper is to summarize Exhibit 2. 5, 2.6, and 2.7 assessments, it will also summarize my primary personality aspects, cognitive abilities that I can apply to my workplace, and mitigate any shortcomings. Exhibit 2.5, 2.6, 2.7 Exhibit 2.5 is an assessment that measures the extraversion or positive affectivity of a person. According to the text a person, which is positively effective, is predisposed to experience positive emotional states and feel good about themselves and the world around them (page 43). People, who are extroverted, tend to be more sociable and affectionate towards others. Exhibit 2.6 is to measure the neuroticism or negative affectivity. Negative affectivity in the textbook is defined as people tendencies to experience negative emotional states, feel distressed, and view themselves and the world around them negatively (page 44). This is the exact opposite at positive affectivity. People, who have high neuroticism, are more likely to experience more stress over time and often have negative moods at work/ home. Exhibit 2.7 is a measure of agreeableness, conscientiousness, and openness to experiences. The textbook explains agreeableness as individuals who get along well with other people and those who do not (page 45). People, who are agreeable, are very likable, care for others, and tend to be affectionate. A person, who is conscientiousness, is careful, scrupulous, and persevering (page 45). People, who score high in the area, are found to  be very tidy and organized, as well as self-disciplined. People, who are open to experiences, have broad interests and are willing to take risks (page 46). Summary of My Testing Results In Exhibit 2.5 I scored high on positive affectivity. and answered all of the questions with true. This result would show that I am a happy person and views my work and the world around myself positively. My results of Exhibit 2.6 indicate a low level of negative affectivity. I means that sometimes he feels tense all day because of the challenges he has ahead of myself at work and also gets nervous from time to time. This would again reaffirm the results of Exhibit 2.5 which I have a positive outlook on life. The results of Exhibit 2.7 proved what I was already aware of. I tends to be an agreeable person who is open to experiences. I scored the lowest on conscientiousness, implying that is can be somewhat careless. I have a strong personality and a lot of good characteristics to offer as a leader. I did very charismatic and pragmatic. As a leader, this would be necessary in times of boosting morale and encouraging others around myself. my view on things from a positive light as well and tends to be open-minded. Cognitively I am numerically conscious, is also able to use reasoning, deductive abilities, and is perceptual. I scored the lowest on conscientiousness, which as a leader could mean that he is willing to take more risks. Conclusion The purpose of this paper was to summarize Exhibit 2.5, 2.6, and 2.7 assessments, define My primary personality aspects, cognitive abilities that he can apply to the workplace, and mitigate any shortcomings. People all over the world tend to operate based on feelings and innate habits they learned from their surroundings. Having a clear understanding of these feelings and how it drives our individual personalities can create successful business relationships. References Jennifer M. George, Garth R. Jones (2012). Understanding and Managing Organized Behavior. 6th Edition. Published by Prentice Hall Sperry, Len (1995). Individual Psychology. Personality Styles in the Workplace, Volume 51 (Issue 4), pages 422.

Criminal Justice System

Criminal Justice System Introduction Criminal justice system is a phrase used to express the interdependent components of the courts, police, and correctional facilities in the government. The term also describes the criminal justice agencies found within states in a federal government. As a whole the criminal justice system is thus made up of the three aforementioned interdependent components. Law-making has often been added by some as the forth criminal justice component, since all legitimate activity of the criminal justice system emanates from the law (Fuller, 2005). The understanding of this is important because if the process of criminal justice is unfair, a portion of the unfairness will for sure stem from the criminal law. The substantive law aspect reflects the what of the statute, in that laws are established to define certain behaviour as crime, and thus give punishment to those who violate the law (Bohm Walker, 2007). However in the recent times there have been calls for an overhaul of the criminal justice system. This stems from the diminishing public confidence in the system that has been accused of unfairness and inequity in performing its mandate. Hence a review of the criminal justice system is aimed at improving it to be fair, firm but compassionate, and colour-blind truly Fair and Effectiveness The effectiveness of the law can be evaluated based on the access and equality of the law, its enforceability, resource efficiency, protection of individual rights, and a means to establish a balance between the rights of the society and individuals. To act effectively, the criminal justice system must render equal treatment to everyone, regardless of their income, education, age, social status or ethnicity. If it is discovered that an individual has been discriminate against, then the criminal justice system is deemed to have failed if its task. Equality before should have effective adaptations in order to suit the changing values and attitudes of the society and individuals (Karmen, 2009). Another factor that can determine whether or not the criminal justice system is effective is delays in the system. Criminal justice often takes too long before finalizing cases. Years elapse between the date when the crime was committed, and the time when the offender is sentenced. Such delays in the criminal justice system can result in the victim suffering from continuous trauma because of the offender not being punished. Delay can also result in witnesses forgetting important information that is relevant to the case in question. A fair and effective criminal justice should not be expensive to mete upon everyone. The criminal justice system can be very costly. Numerous citizens cannot afford legal representation. In some cases courts have recognized the necessity for adequate legal representation. Hence attempts to redress inequalities of accessing the legal system have been done through Legal Aid. This offers cheap legal representation to individuals on a limited income. Nonetheless, not everyone is provided with the legal aid. In order for people to qualify for legal aid, they need to pass a test asserting their assets or level of income, and a merit test where matters are serious enough with a likelihood of winning (Fuller, 2005). In view of all this issues, the criminal justice system cannot be said to be wholly effective and fair. The Rule of Law Doubts have of late arisen on whether the criminal justice system abides by the principle of the rule of law. Arguments have been laid that misconceptions regarding criminal trails, and the power vested in organized crime, is the source of the degradation and corruption in the criminal justice system. This implies that the system is not performing on the principle of rule of law. Rather than serve the society by protecting the victims and convicting the guilty, the criminal justice system is dominated by indifferent court staff and judges, wily defence lawyers and defendants who bully witnesses. Hence the public confidence in the criminal justice system has been eroding with time. Another problem forming the opposite view stems from wrongful convictions. In Australia, a spate of wrongful convictions has resulted in certain jurisdictions sending their judges to undertake courses in avoiding wrongful convictions (Fairchild Dammer, 2000). Factors like overconfident eyewitnesses and bog us prosecution experts have been identified among the causes of misrepresented justice. There is also the aspect of lying jailhouse informants who invent confession frequently. Inept lawyers and overzealous prosecutors often jeopardize the accused right to trial. Another factor in wrongful convictions is the tendency especially in high profile cases, of the police, press and public figures seeking publicity, convicting the accused prior to trial. Comments on whether the criminal justice system stands by rule of law have been plentiful in debate. Some have suggested that the best approach to cut crime is social action, so that the criminal justice issue never comes up, because there are no crimes committed. An excellent example of that approach is through job creation. Of course the problem is that organized and disorganized or random crime will not be affected by the creation of jobs. Gangs that terrorize neighbourhoods have never been impressed by make-work and flower planting programs. Therefore the issue of the criminal justice system is not fully addressed. Crimes will continue to happen and the criminal justice system will still experience the problems therein Strengths One objective of the criminal justice system is to reduce crime. There is no doubt that a broad consensus is present that the basic structure of the criminal justice system should remain as a predominant feature in administering criminal justice in Australia. However a range of complementary or alternative approaches can also be utilized within the same framework. Crime reduction can be achieved via reactive means. This includes response to a call for service, arresting, obtaining a criminal conviction, and serving the sentence imposed by the court (Karmen, 2009). The criminal justice system can also employ proactive means like eliminating conditions that result in criminality. The former method of reducing crime is referred to as crime control, and accurately portrays the majority of criminal justice activity in Australia. The latter form of crime reduction is called crime prevention and is less emphasized in most countries. The quality goal of a criminal justice system that dominantly counts as its strength is doing justice. Doing justice has two related implications both of which are reflected in the blindfolded lady justice, Justitia, who holds a sword and scales and adorns several legal building and courthouses across the nation. It is thought that the sword represents the first meaning of justice, whose aim is to hold the guilty responsible for the harms and damages inflicted by them. If an offender is not penalized by his wrongdoings, then justice has not been achieved and therefore the criminal justice system has in itself failed (Reichel, 2004). This form of justice is termed corrective justice as is the case with punishment or corrections. The blindfold and scales are thought to represent fairness, which is the second meaning of justice. Such conception of justice assumes that every individual will be equally treated in the eyes of the law. That justice will be blind to income, social standing, and colour among other inequities in society. Hence justice would be absent in cases where any group is somehow singled out or left for differential treatment by the law. This form of justice is called procedural justice. The strength of the current criminal justice system draws stems from the way it incorporates both corrective justice and procedural justice. The procedures of the court call for every suspect to be considered innocent until proven guilty by an impartial court of law. Thus the system allows the offender to be subjected to a fair trial that should be devoid of unfair advantage or external interference. The necessary evidence is gathered and witnesses availed prior to the commencement of the trial. This ensures that cases are handled with due diligence, and that the victims or offenders are not disadvantaged by any hurried move by the court. In addition, judgment in the court is passed based on the collected facts or evidence, not on the whims of public opinion or emotions in the courtroom (Kappeler, Potter, 2004). Hence correctional justice ensures that both parties in a disputed are satisfied with the outcome of the case, since it incorporates a high degree of fairness. The role of procedural justice is to guarantee parties that the trial is free of just. The various components of the criminal justice system in the name of the name of the police, court and correction process, each plays its part. This ensures the provision of a fair process of arrest, hearing, and the correction procedure. Proponents of justice as an outcome seek to make the Australian criminal justice more punitive. This is aimed at achieving vengeance for victims of crime and retribution for society. Research shows that efforts like increased incarceration, long average sentences and more executions over the past years, have eroded the procedures that make the Australian criminal justice process fair. Weaknesses Wrongful convictions have seriously dominated the weakness of the criminal justice system. When individuals sit wrongly convicted for several years, major miscarriages of justice does occur. It is in such acts that innocent are convicted and the guilty are set free. Public opinion has also been counted among factors that have influenced the operations of the system (Crow Johnson, 2008). The courts are faced with a difficult balance to accomplish. While they are not controlled by public sentiment, the courts should also not lose the confidence of the population. A curious reluctance exists, especially among lawyers, in submitting the conceptual underpinnings of the criminal justice system to close examination or empirical information on its functioning. The establishment of a dichotomy between the legal and moral rights of the victims of crime and accused persons has always been a false venture. Most annalists make reference to the way politicians conduct media campaigns on law and order, and play or prey on the fears of the populace, for political gain. Hence politicians also employ this tactics in intimidating the fair outcome of a trial that they may be party or interested. The judge is threatened behind the scenes to make certain lines of action besides the rampant corruption present. The fairness and justice that is supposed to be exercised by the criminal justice system to make it effective, has been affected negatively by political interference (Beckett Sasson, 2003). The public often despair of the oversimplification of issues of criminal justice in the popular media. The press with its popularity just like politics is in nature adversarial. The media thrives on the conflicts established by the dichotomies. Thus it depicts itself as the arena where the conflict between good and evil is constructed righteously in the minds of men. Most conflicts highlighted by the media have been reframed in the public discussion of the same issues. Thus the media has in certain occasions influenced the outcome of a court decision. Nevertheless, it would be preferable if this were created other than via reiteration or iteration. Some scholars have argued that the criminal justice system lacks clear objectives and is devoid of uniformity. Essentially it is deficiency of the features of a system. Hence it is assumed sometimes that the public appears to be more punitive than what the current criminal justice system is. Among the weakness of the current criminal justice system emanate from the delays in conducting trials. Offenders spend several years in remand before their cases are handled. This does not assist the victim either, because there is continuous suffering of trauma as the criminal is being unpunished. Witness also end up losing vital information relevant to the case since it takes long from the time crime is committed to the period the is finally heard. The issue of bail over remand has also eroded public confidence in the system. The society has been living in fear as dangerous criminals are bailed out to come and carry out revenge after being arrested and on release. This has been taken in certain quarters as a form of lenience that encourages criminals to continue terrorizing the society. Judges have also accused of passing lenient sentences to convicted criminals (Pizzi, 2000). Such weaknesses in the criminal justice system has worked in degrading and diminishing the performance of this establishment in eyes of the public, which it is mandated to serve fairly and effectively. The Current Criminal Justice System With regard to the preceding discussions, the current criminal justice system faces the litmus test of being fair and effective. An examination of the law-making process and law makers in Australia reveals some important facts for understanding the processes of criminal justice. Law makers at both state and federal government are disproportionately white, male, and more than twenty years older than an average Australian. There is a lot of money involved in the political and criminal justice system. The current system is accused of bias based on gender, color and social status among other parameters. The issue of how white collar crime is handled under the system has been a source of heightened concern. The system has ignored the most harmful act against Australians, deeming it unfair as the perpetrators are not held accountable (Lab, 2007). Logically criminal justice activity would be unfair because police, courts and corrections carry out criminal law. Thus the criminal justice proc ess does not achieve desert, as a key component of fairness if the law is applied discriminately. There are cases where the police, courts and corrections enforce unfair law unintentionally, the term innocent bias is applied. Innocent bias to exist does not require dishonest court staff, bad police officers, or unethical correctional personnel. The fact is that even if all employees of the justice system were fair, just, equitable, unbiased, impartial, objective and dispassionate, the Australian criminal justice process would be unjust still due to innocent bias (Reichel, 2004). This is the most significant and dangerous form of unfairness, with widespread effects that cannot be rooted out easily, unlike most apparent forms like corruption, police brutality, bribery, and prosecutorial misconduct among others. Hence the criminal justice system as it stands currently cannot be assumed to be fair and effective. It should be understood that after the apparent threats to unfairness have been identified and dealt with, the issue of innocent bias will still remain to hound the effective ness and fairness of the system. Conclusion It is important to acknowledge that the opinion of the public generally suggests citizen agreement with criminal law. The acts recognized in law as serious crimes are still those that the populace tends to think are most serious. Because the police probe alleged crimes and are the primary point of entry for cases in the criminal justice system, innocent bias established in the criminal law in perpetuated in the activities of law enforcement. Therefore the disparities in the system such as based on race, class, gender can be minimized, but not dealt with permanently. The idea on innocent bias will always be interpreted by either side to soothe their line of argument in accusing criminal law. Hence for the system to be fair and effective, a remedy for innocent bias ought to be invented if possible.

Free Essays - Essay on Medea and Antigone :: comparison compare contrast essays

Medea and Antigone are two stories of women fighting back for what they want, or what they feel is right. These stories take place in ancient Greece, around the time of its rise to power. Medea and Antigone are both strong, sometimes-manipulative characters but have different moral settings that control what they do. Medea is often very demanding in getting what it is that she wants; Antigone, will do what she need to do in order to get what she wants. With Antigone she is defies the law of a king to uphold the law of her spiritual belief. In the middle of the night she lives the house and sneaks into a field to bury her dead brother. Medea killed many people, including her own sons and a princess, in order to only spite her unlawful and cheating husband. The two women are like alligators, waiting motionless for the right time to strike. In the case of Medea, swift, violent strikes. And with Antigone, a cool collected precise one. These women are always determined to get what they want.   In classic works being a strong woman seems to run hand in hand with being manipulative. Medea lied and cheated friends to try to acquire time in order to get what she wants. In this case what she wants is revenge agents her ex-husband. She tricks a friend to give her asylum in Athens after she has committed her insane task. Medea even goes so far as to be able to con Kreon, the king himself into giving her an extra day. This unwittingly gives her exactly what she needs. Antigone tries her hand at manipulation but is not as successful as Medea. Antigone tries, with no avail, to persuade her sister, Ismene, to help her give their brother Polyneices a proper burial. In this way they are more like foxes, cunning but not always getting it right. Their deceitful nature is their strength.   While both women do wrong by the law of man, and Medea against the law of the gods, they do it for different reasons.   In the beginning Medea kills many people and monsters with little or no concern of the consequence. When the story deals with modern times Medea kills out of pure revenge and spite for Jason.   She plots for weeks to kill Jason’s new bride and poisons her, and then before she leaves the country she murders her two sons, she had with Jason, before she rides off in her bright white chariot.

Selinux

Blueprints First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Blueprints First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Note Before using this information and the product it supports, read the information in â€Å"Notices† on page 17. First Edition (August 2009)  © Copyright IBM Corporation 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Introduction . . . . . . . . . . . . . v First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server . . . . . . . . . . . . 1 Scope, requirements, and support Security-Enhanced Linux overview Access control: MAC and DAC SELinux basics. . . . . . SELinux and Apache . . . . Installing and running HTTPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1 1 2 5 5 HTTPD and context types . . . . . . . . . 5 HTTPD and SE Linux Booleans . . . . . . . 8 Configuring HTTPD security using SELinux . . . . 9 Securing Apache (static content only) . . . . . 9 Hardening CGI scripts with SELinux . . . . . 12 Appendix. Related information and downloads . . . . . . . . . . . . . 15 Notices . . . . . . . . . . . . . . 17 Trademarks . . . . . . . . . . . . . 18  © Copyright IBM Corp. 2009 iii iv Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Introduction This blueprint provides a brief introduction to basic Security-Enhanced Linux (SELinux) commands and concepts, including Boolean variables. In addition, the paper shows you how to increase the security of the Apache Web server with SELinux by using these concepts. Key tools and technologies discussed in this demonstration include security-enhanced Linux (SELinux), mandatory access control (MAC), getenforce, sestatus, getsebool, and setsebool. Intended audienceThis blueprint is intended for Linux system or network administrators who want to learn more about securing their systems with SELinux. You should be familiar with installing and configuring Linux distributions, networks, and the Apache Web server. Scope and purpose This paper provides a basic overview of SELinux, SELinux Boolean variables, and hardening Apache on Red Hat Enterprise Linux (RHEL) 5. 3. For more information about configuring RHEL 5. 3, see the documentation supplied with your installation media or the distribution Web site. For more information about SELinux, see â€Å"Related information and downloads,† on page 15.Software requirements This blueprint is written and tested using Red Hat Enterprise Linux (RHEL) 5. 3. Hardware requirements The information contained in this blueprint is tested on different models of IBM System x and System p hardware. For a list of hardware supported by RHEL 5. 3, see the documentation supplied with your Linux distribution. Author names Robert Sisk Other contributors Monza Lui Kersten Richter Robb Romans IBM Services Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system.Community innovation integrates leading-edge technologies and best practices into Linux. IBM ® is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community. IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs.  © Copyright IBM Corp. 2009 v For more information about IBM and Linux, go to ibm. com/linux (https://www. ibm. com/linux) IBM Support Questions and comments regarding this documentation can be posted on the developerWorks Security Blueprint Community Forum: http://www. bm. com/developerworks/forums/forum. jspa? forumID=1271 The IBM developerWorks ® discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and progr amming techniques with other developerWorks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerWorks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered. Typographic conventionsThe following typographic conventions are used in this Blueprint: Bold Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects. Identifies parameters whose actual names or values are to be supplied by the user. Identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type.Italics Monospace Related ref erence: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x ® running Linux and PowerLinux. You can learn more about the systems to which this information applies. vi Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Scope, requirements, and support This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.Systems to which this information applies System x running Linux and PowerLinux Security-Enhanced Linux overview Security-Enhanced Linux (SELinux) is a component of the Linux operating system developed primarily by the United States National Security Agency. SELinux provides a method for creation and enforcement of mandatory access control (MAC) policies. These policies confine users and processes to the minimal amount of privilege req uired to perform assigned tasks. For more information about the history of SELinux, see http://en. wikipedia. org/wiki/Selinux.Since its release to the open source community in December 2000, the SELinux project has gained improvements such as predefined Boolean variables that make it easier to use. This paper helps you understand how to use these variables to configure SELinux policies on your system and to secure the Apache httpd daemon. Related reference: â€Å"Scope, requirements, and support† This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. Access control: MAC and DAC Access level is important to computer system security.To compromise a system, attackers try to gain any possible level of access and then try to escalate that level until they are able to obtain restricted data or make unapproved system modifications. Because each user has some level of system access, every user account on your system increases the potential for abuse. System security has historically relied on trusting users not to abuse their access, but this trust has proven to be problematic. Today, server consolidation leads to more users per system. Outsourcing of Systems Management gives legitimate access, often at the system administrator level, to unknown users.Because server consolidation and outsourcing can be financially advantageous, what can you do to prevent abuse on Linux systems? To begin to answer that question, let's take a look at discretionary access control (DAC) and mandatory access control (MAC) and their differences. Discretionary access control (DAC), commonly known as file permissions, is the predominant access control mechanism in traditional UNIX and Linux systems. You may recognize the drwxr-xr-x or the ugo abbreviations for owner, group, and other permissions seen in a directory listing. In DAC, generally the resource owner (a user) controls who has access to a resour ce.For convenience, some users commonly set dangerous DAC file permissions that allow every user on the system to read, write, and execute many files that they own. In addition, a process started by a user can modify or delete any file to which the user has access. Processes that elevate their privileges high enough could therefore modify or delete system files. These instances are some of the disadvantages of DAC.  © Copyright IBM Corp. 2009 1 In contrast to DAC, mandatory access control (MAC) regulates user and process access to resources based upon an organizational (higher-level) security policy.This policy is a collection of rules that specify what types of access are allowed on a system. System policy is related to MAC in the same way that firewall rules are related to firewalls. SELinux is a Linux kernel implementation of a flexible MAC mechanism called type enforcement. In type enforcement, a type identifier is assigned to every user and object. An object can be a file or a process. To access an object, a user must be authorized for that object type. These authorizations are defined in a SELinux policy. Let's work through some examples and you will develop a better understanding of MAC and how it relates to SELinux.Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. SELinux basics It is a good practice not to use the root user unless necessary. However for demonstrating how to use SELinux, the root user is used in the examples in this blueprint. Some of the commands shown require root privileges to run them; for example, running getenforce and editing the /etc/selinux/config file. Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux.You can learn more about the systems to which this information applies. Run modes You can enable or disable SELinux policy enforcement on a Red Hat Enterprise Linux system during or after operating system installation. When disabled, SELinux has no effect on the system. When enabled, SELinux runs in one of two modes: v Enforcing: SELinux is enabled and SELinux policy is enforced v Permissive: SELinux is enabled but it only logs warnings instead of enforcing the policy When prompted during operating system installation, if you choose to enable SELinux, it is installed with a default security policy and set to run in the enforcing mode.Confirm the status of SELinux on your system. Like in many UNIX or Linux operating systems, there is more than one way to perform a task. To check the current mode, run one of the following commands: getenforce, sestatus, or cat /etc/selinux/config. v The getenorce command returns the current SELinux run mode, or Disabled if SELinux is not enabled. In the following example, getenforce shows that SELinux is enabled and enforcin g the current SELinux policy: [[email  protected] ~]$ getenforce EnforcingIf your system is displaying Permissive or Disabled and you want to follow along with the instructions, change the /etc/selinux/config file to run in Enforcing mode before continuing with the demonstration. Remember that if you are in Disabled mode, you should change first to Permissive and then to Enforcing. v The setstatus command returns the current run mode, along with information about the SELinux policy if SELinux is enabled. In the following example, setstatus shows that SELinux is enabled and enforcing the current SELinux policy: [[email  protected] ~]$ sestatus SELinux status: SELinuxfs mount: enabled /selinux Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Current mode: Mode from config file: Policy version: Policy from config file: enforcing enforcing 21 targeted v The /etc/selinux/config file configures SELinux and controls the mode as well as the active policy. Changes to the /etc/selinux/config file become effective only after you reboot the system. In the following example, the file shows that the mode is set to enforcing and the current policy type is targeted. [[email  protected] ~]$ cat /etc/selinux/config # This file controls the state of SELinux on the system. SELINUX= can take one of these three values: # enforcing – SELinux security policy is enforced. # permissive – SELinux prints warnings instead of enforcing. # disabled – SELinux is fully disabled. SELINUX=enforcing # SELINUXTYPE= type of policy in use. Possible values are: # targeted – Only targeted network daemons are protected. # strict – Full SELinux protection. SELINUXTYPE=targeted To enable SELinux, you need to set the value of the SELINUX parameter in the /etc/selinux/config file to either enforcing or permissive. If you enable SELinux in the config file, you must reboot your system to start SELinux.We recommend that y ou set SELINUX=permissive if the file system has never been labeled, has not been labeled recently, or you are not sure when it was last labeled. Note that file system labeling is the process of assigning a label containing security-relevant information to each file. In SELinux a file label is composed of the user, role, and type such as system_u:object_r:httpd_sys_content_t. Permissive mode ensures that SELinux does not interfere with the boot sequence if a command in the sequence occurs before the file system relabel is completed. Once the system is up and running, you can change the SELinux mode to enforcing.If you want to change the mode of SELinux on a running system, use the setenforce command. Entering setenforce enforcing changes the mode to enforcing and setenforce permissive changes the mode to permissive. To disable SELinux, edit the /etc/selinux/config file as described previously and reboot. You cannot disable or enable SELinux on a running system from the command line; you can only switch between enforcing and permissive when SELinux is enabled. Change the mode of SELinux to permissive by entering the following command: [[email  protected] ~]$ setenforce permissiveRecheck the output from getenforce, sestatus, and cat /etc/selinux/config. v The getenforce command returns Permissive, confirming the mode change: [[email  protected] ~]$ getenforce Permissive v The sestatus command also returns a Permissive mode value: [[email  protected] ~]$sestatus SELinux status: SELinuxfs mount: Current mode: Mode from config file: Policy version: Policy from config file: enabled /selinux permissive enforcing 21 targeted v After changing the mode to permissive, both the getenforce and sestatus commands return the correct permissive mode.However, look carefully at the output from the sestatus command: [[email  protected] ~]$ cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enfo rcing – SELinux security policy is enforced. # permissive – SELinux prints warnings instead of enforcing. First Steps with Security-Enhanced Linux (SELinux) 3 # disabled – SELinux is fully disabled. SELINUX=enforcing # SELINUXTYPE= type of policy in use. Possible values are: # targeted – Only targeted network daemons are protected. # strict – Full SELinux protection.SELINUXTYPE=targeted [[email  protected] ~]$ The Mode from config file parameter is enforcing. This setting is consistent with the cat /etc/selinux/config output because the config file was not changed. This status implies that the changes made by the setenforce command does not carry over to the next boot. If you reboot, SELinux returns to run state as configured in /etc/selinux/conf in enforcing mode. Change the running mode back to enforcing by entering the following command: [[email  protected] ~]$ setenforce enforcing The following output confirms the mode change: [[email  pr otected] ~]$ getenforce EnforcingRelated reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. Security contexts The concept of type enforcement and the SELinux type identifier were discussed in the Overview. Let's explore these concepts in more detail. The SELinux implementation of MAC employs a type enforcement mechanism that requires every subject and object to be assigned a type identifier. The terms subject and object are defined in the Bell-La Padula multilevel security model (see http://en. wikipedia. rg/wiki/Bell-La_Padula_model for more information). Think of the subject as a user or a process and the object as a file or a process. Typically, a subject accesses an object; for example, a user modifies a file. When SELinux runs in enforcing mode, a subject cannot access an object unless the type identifier assigned to the subje ct is authorized to access the object. The default policy is to deny all access not specifically allowed. Authorization is determined by rules defined in the SELinux policy. An example of a rule granting access may be as simple as: allow httpd_t httpd_sys_content_t : file {ioctol read getattr lock};In this rule, the subject http daemon, assigned the type identifier of httpd_t, is given the permissions ioctol, read, getattr, and lock for any file object assigned the type identifier httpd_sys_content_t. In simple terms, the http daemon is allowed to read a file that is assigned the type identifier httpd_sys_content_t. This is a basic example of an allow rule type. There are many types of allow rules and some are very complex. There are also many type identifiers for use with subjects and objects. For more information about rule definitions, see: SELinux by Example in the â€Å"Related information and downloads,† on page 15 section.SELinux adds type enforcement to standard Linux distributions. To access an object, the user must have both the appropriate file permissions (DAC) and the correct SELinux access. An SELinux security context contains three parts: the user, the role, and the type identifier. Running the ls command with the –Z switch displays the typical file information as well as the security context for each item in the subdirectory. In the following example, the security context for the index. html file is composed of user_u as the user, object_r as the role, and httpd_sys_content_t as the type identifier [[email  protected] html]$ ls -Z index. tml -rw-r–r– web_admin web_admin user_u:object_r:httpd_sys_content_t index. html 4 Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information a pplies. SELinux and Apache Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.Installing and running HTTPD Now that you have a general understanding of the SELinux security context, you can secure an Apache Web server using SELinux. To follow along, you must have Apache installed on your system. You can install Apache on Red Hat Linux by entering the following command: [[email  protected] html]$ yum install httpd Next, start the Apache http daemon by entering service httpd start, as follows: [[email  protected] html]$ service httpd start Starting httpd: Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux.You can learn more about the systems to which this information applies. HTTPD and context types Red Hat Enterprise Linux 5. 3, at th e time of this writing, uses selinux-policy-2. 4. 6-203. el5. This policy defines the security context for the http daemon object as httpd_t. Because SELinux is running in enforcing mode, entering /bin/ps axZ | grep httpd produces the following output: [[email  protected] html]$ ps axZ | grep http rootroot:system_r:httpd_t 2555 ? Ss 0:00 /usr/sbin/httpd rootroot:system_r:httpd_t 2593 ? S 0:00 /usr/sbin/httpd rootroot:system_r:httpd_t 2594 ? S 0:00 /usr/sbin/httpd root:system_r:httpd_t 2595 ?S 0:00 /usr/sbin/httpd root:system_r:httpd_t 2596 ? S 0:00 /usr/sbin/httpd root:system_r:httpd_t 2597 ? S 0:00 /usr/sbin/httpd root:system_r:httpd_t 2598 ? S 0:00 /usr/sbin/httpd root:system_r:httpd_t 2599 ? S 0:00 /usr/sbin/httpd root:system_r:httpd_t 2600 ? S 0:00 /usr/sbin/httpd The Z option to ps shows the security context for the httpd processes as root:system_r:httpd_t, confirming that httpd is running as the security type httpd_t. The selinux-policy-2. 4. 6-203. el5 also defines several file security context types to be used with the http daemon. For a listing, see the man page for httpd_selinux.The httpd_sys_content_t context type is used for files and subdirectories containing content to be accessible by the http daemon and all httpd scripts. Entering ls –Z displays the security context for items in the default http directory (/var/www/), as follows: [[email  protected] ~]$ ls -Z /var/www/ | grep html drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html First Steps with Security-Enhanced Linux (SELinux) 5 The /var/www/html directory is the default location for all Web server content (defined by the variable setting of DocumentRoot /var/www/html in the /etc/httpd/conf/httpd. conf http configuration file).This directory is assigned the type httpd_sys_content_t as part of its security context which allows the http daemon to access its contents. Any file or subdirectory inherits the security context of the directory in which it is created; therefo re a file created in the html subdirectory inherits the httpd_sys_content_t type. In the following example, the root user creates the index. html file in the /root directory. The index. html inherits the security root:object_r:user_home_t context which is the expected security context for root in RHEL 5. 3. [[email  protected] ~]$ touch /root/index. html [[email  protected] ~]$ ls -Z /root/index. tml -rw-r–r– root root root:object_r:user_home_t /root/index. html If the root user copies the newly created index. html file to the /var/www/html/ directory, the file inherits the security context (httpd_sys_content_t) of the html subdirectory because a new copy of the file is created in the html subdirectory: [[email  protected] ~]$ cp /root/index. html /var/www/html [[email  protected] ~]$ ls -Z /var/www/html/index. html -rw-r–r– root root user_u:object_r:httpd_sys_content_t /var/www/html/index. html If you move the index. html file instead of copying it, a new file is not created in the html subdirectory and index. tml retains the user_home_t type: [[email  protected] ~]$ mv -f /root/index. html /var/www/html [[email  protected] ~]$ ls -Z /var/www/html/index. html -rw-r–r– root root user_u:object_r:user_home_t /var/www/html/index. html When a Web browser or network download agent like wget makes a request to the http daemon for the moved index. html file, with user_home_t context, the browser is denied access because SELinux is running in enforcing mode. [[email  protected] ~]# wget localhost/index. html –21:10:00– http://localhost/index. html Resolving localhost†¦ 127. 0. 0. 1 Connecting to localhost|127. 0. 0. 1|:80†¦ onnected. HTTP request sent, awaiting response†¦ 403 Forbidden 21:10:00 ERROR 403: Forbidden. SELinux generates error messages in both /var/log/messages and /var/log/httpd/error_log. The following message in /var/log/httpd/error_log is not very helpful because it t ells you only that access is being denied: [Wed May 20 12:47:57 2009] [error] [client 172. 16. 1. 100] (13) Permission denied: access to /index. html denied The following error message in /var/log/messages is more helpful because it tells you why SELinux is preventing access to the /var/www/html/index. html file – a potentially mislabeled file.Furthermore, it provides a command that you can use to produce a detailed summary of the issue. May 20 12:22:48 localhost setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index. html). For complete SELinux messages. run sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a Entering sealert –l 9e568d42-4b20-471c-9214-b98020c4d97 as suggested in the previous error message returns the following detailed error message: [[email  protected] ~]$ sealert –l 9e568d42-4b20-471c-9214-b98020c4d97 Summary: SELinux is preventing the httpd from using potentially mislabeled files (/var/www /html/index. html).Detailed Description: SELinux has denied httpd access to potentially mislabeled file(s) (/var/www/html/index. html). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then 6 Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want httpd to access this files, you need to relabel them using restorecon -v ’/var/www/html/index. tml’. You might want to relabel the entire directory using restorecon -R -v ’/var/www/html’. Additional Information: Source Context root:system_r:httpd_t Target Context root:object_r:user_home_t Target Objects /var/www/html/index. html [ file ] Source httpd Source Path /usr/sbin/httpd Port Host loc alhost. localdomain Source RPM Packages httpd-2. 2. 3-22. el5 Target RPM Packages Policy RPM selinux-policy-2. 4. 6-203. el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name localhost. localdomain Platform Linux localhost. ocaldomain 2. 6. 18-128. 1. 10. el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686 Alert Count 24 First Seen Fri May 15 13:36:32 2009 Last Seen Wed May 20 12:47:56 2009 Local ID 9e568d42-4b20-471c-9214-b98020c4d97a Line Numbers Raw Audit Messages host=localhost. localdomain type=AVC msg=audit(1242838076. 937:1141): avc: denied { getattr } for pid=3197 comm=†httpd† path=†/var/www/html/index. html† dev=dm-0 ino=3827354 scontext=root:system_r:httpd_t:s0 context=root:object_r:user_home_t:s0 tclass=file host=localhost. localdomain type=SYSCALL msg=audit(1242838076. 37:1141): arch=40000003 syscall=196 success=no exit=-13 a0=8eaa788 a1=bfc8d49c a2=419ff4 a3=2008171 items=0 ppid=3273 pid=3197 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm=†httpd† exe=†/usr/sbin/httpd† subj=root:system_r:httpd_t:s0 key=(null) Although called a summary, this output is a very detailed report that provides the necessary commands to resolve the issue. As shown below, entering /sbin/restorecon -v ’/var/www/html/index. html as suggested not only resolves the problem, but also explains how you should change the security context for the /var/www/html/index. tml file. [[email  protected] ~]$ restorecon -v ’/var/www/html/index. html’ /sbin/restorecon reset /var/www/html/index. html context root:object_r:user_home_t:s0-; root:object_r:httpd_sys_content_t:s0 The previous restorecon -v command changed the security context of /var/www/html/index. html from root:object_r:user_home_t to root:object_r:httpd_sys_content_t. With a root:object_r:httpd_sys_content_t security context, the http dae mon can now access /var/www/html/index. html. Use a Web browser or wget to make another request to the httpd daemon for the index. html file with a restored security context.This time, the request is permitted: [[email  protected] ~]# wget localhost/index. html –21:09:21– http://localhost/index. html Resolving localhost†¦ 127. 0. 0. 1 Connecting to localhost|127. 0. 0. 1|:80†¦ connected. HTTP request sent, awaiting response†¦ 200 OK Length: 0 [text/html] Saving to: ’index. html’ First Steps with Security-Enhanced Linux (SELinux) 7 [ ] 0 –. -K/s in 0s 21:09:21 (0. 00 B/s) – ’index. html’ saved [0/0] Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.HTTPD and SELinux Booleans SELinux has a set of built-in switches named Booleans or conditional policies t hat you can use to turn specific SELinux features on or off. Entering the getsebool -a | grep http command lists the 23 Booleans related to the http daemon, which are a subset of the 234 Booleans currently defined in the selinux-policy-2. 4. 6-203. el5 policy. These 23 Booleans allow you to customize SELinux policy for the http daemon during runtime without modifying, compiling, or loading a new policy. You can customize the level of http security by setting the relevant Boolean values or toggling between on and off values. [email  protected] ~]$ getsebool -a | grep http allow_httpd_anon_write –> off allow_httpd_bugzilla_script_anon_write –> off allow_httpd_mod_auth_pam –> off allow_httpd_nagios_script_anon_write –> off allow_httpd_prewikka_script_anon_write –> off allow_httpd_squid_script_anon_write –> off allow_httpd_sys_script_anon_write –> off httpd_builtin_scripting –> on httpd_can_network_connect –> off httpd_can _network_connect_db –> off httpd_can_network_relay –> off httpd_can_sendmail –> on httpd_disable_trans –> off httpd_enable_cgi –> on httpd_enable_ftp_server –> off httpd_enable_homedirs –> on httpd_rotatelogs_disable_trans –> off httpd_ssi_exec –> off httpd_suexec_disable_trans –> off httpd_tty_comm –> on httpd_unified –> on httpd_use_cifs –> off httpd_use_nfs –> off SELinux provides three command-line tools for working with Booleans: getsebool, setsebool, and togglesebool. The getsebool –a command returns the current state of all the SELinux Booleans defined by the policy.You can also use the command without the –a option to return settings for one or more specific Booleans entered on the command line, as follows: [[email  protected] ~]$ getsebool httpd_enable_cgi httpd_enable_cgi –> on Use setsebool to set the current state of one or more Booleans by specifying the Boolean and its value. Acceptable values to enable a Boolean are 1, true, and on. Acceptable values to disable a Boolean are 0, false, and off. See the following cases for examples. You can use the -P option with the setsebool command to write the specified changes to the SELinux policy file. These changes are persistent across reboots; unwritten changes remain in effect until you change them or the system is rebooted. Use setsebool to change status of the httpd_enable_cgi Boolean to off: [[email  protected] ~]$ setsebool httpd_enable_cgi 0 8Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Confirm status change of the httpd_enable_cgi Boolean: [[email  protected] ~]$ getsebool httpd_enable_cgi httpd_enable_cgi –> off The togglesebool tool flips the current value of one or more Booleans. This tool does not have an option that writes the changes to the policy file. Changes remain in effect until changed or the system is reb ooted. Use the togglesebool tool to switch the status of the httpd_enable_cgi Boolean, as follows: [[email  protected] ~]$ togglesebool httpd_enable_cgi httpd_enable_cgi: active Confirm the status change of the httpd_enable_cgi Boolean: [[email  protected] ~]$ getsebool httpd_enable_cgi httpd_enable_cgi –> onRelated reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. Configuring HTTPD security using SELinux Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. Securing Apache (static content only) The default Red Hat Enterprise Linux 5. 3 installation with SELinux running in enforcing mode provides a basic level of Web server security. You can increase that security level with a little effort.Because security is related to the function of the system, let's start with a Web server that only serves static content from the /var/www/html directory. 1. Ensure that SELinux is enabled and running in enforcing mode: [[email  protected] ~]$ sestatus SELinux status: SELinuxfs mount: Current mode: Mode from config file: Policy version: Policy from config file: enabled /selinux enforcing enforcing 21 2. Confirm that httpd is running as type httpd_t: [[email  protected] html]$ /bin/ps axZ root:system_r:httpd_t 2555 ? root:system_r:httpd_t 2593 ? root:system_r:httpd_t 2594 ? root:system_r:httpd_t 2595 ? root:system_r:httpd_t 2596 ? root:system_r:httpd_t 2597 ? root:system_r:httpd_t 2598 ? root:system_r:httpd_t 2599 ? root:system_r:httpd_t 2600 ? grep http Ss 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd 3. Confirm that the /var/www/html directory is assigned the httpd_sys_content_t con text type: [[email  protected] ~]$ ls -Z /var/www/ drwxr-xr-x root root root:object_r:httpd_sys_script_exec_t cgi-bin drwxr-xr-x root root root:object_r:httpd_sys_content_t error drwxr-xr-x root root root:object_r:httpd_sys_content_t html First Steps with Security-Enhanced Linux (SELinux) 9 drwxr-xr-x drwxr-xr-x drwxr-xr-x root root root:object_r:httpd_sys_content_t icons root root root:object_r:httpd_sys_content_t manual webalizer root root:object_r:httpd_sys_content_t usage 4.Confirm that the content to be served is assigned the httpd_sys_content_t context type. For example: [[email  protected] ~]$ ls -Z /var/www/html/index. html -rw-r–r– root root root:object_r:httpd_sys_content_t /var/www/html/index. html Use a Web browser or wget to make a request to the httpd daemon for the index. html file and you should see that permission is granted. To increase the level of protection provided by SELinux, disable any httpd-related features that you do not want by turning off their corresponding Boolean. By default, the following six Boolean are set to on. If you do not need these features, turn them off by setting their Boolean variables to off. [email  protected] ~]# getsebool -a|grep http|grep â€Å"–> on† httpd_builtin_scripting –> on httpd_can_sendmail –> on httpd_enable_cgi –> on httpd_enable_homedirs –> on httpd_tty_comm –> on httpd_unified –> on httpd_can_sendmail If the Web server does not use Sendmail, turn this Boolean to off. This action prevents unauthorized users from sending e-mail spam from this system. httpd_enable_homedirs When this Boolean is set to on, it allows httpd to read content from subdirectories located under user home directories. If the Web server is not configured to serve content from user home directories, set this Boolean to off. httpd_tty_comm By default, httpd is allowed to access the controlling terminal.This action is necessary in certain situations where httpd must prompt the user for a password. If the Web server does not require this feature, set the Boolean to off. httpd_unified This Boolean affects the transition of the http daemon to security domains defined in SELinux policy. Enabling this Boolean creates a single security domain for all http-labeled content. For more information, see SELinux by Example listed under the â€Å"Related information and downloads,† on page 15 section. httpd_enable_cgi If your content does not use the Common Gateway Interface (CGI) protocol, set this Boolean to off. If you are unsure about using CGI in the Web server, try setting it to off and examine the log entries in the /var/log/messages file.The following example shows an error message from /var/log/messages resulting from SELinux blocking httpd execution of a CGI script: May 28 15:48:37 localhost setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l 0fdf4649-60df -47b5-bfd5-a72772207adc Entering sealert -l 0fdf4649-60df-47b5-bfd5-a72772207adc produces the following output: Summary: SELinux is preventing the http daemon from executing cgi scripts. Detailed Description: SELinux has denied the http daemon from executing a cgi script. httpd can be setup in a locked down mode where cgi scripts are not allowed to be executed. If the httpd server has been setup to not execute cgi scripts, this could signal a intrusion attempt.Allowing Access: If you want httpd to be able to run cgi scripts, you need to turn on the httpd_enable_cgi Boolean: â€Å"setsebool -P httpd_enable_cgi=1†³ 10 Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server The following command will allow this access: setsebool -P httpd_enable_cgi=1 Additional Information: Source Context root:system_r:httpd_t Target Context root:object_r:httpd_sys_script_exec_t Target Objects /var/www/cgi-bin [ dir ] Source httpd Source Path httpd Port Hos t localhost. localdomain Source RPM Packages httpd-2. 2. 3-22. el5 Target RPM Packages httpd-2. 2. 3-22. el5 Policy RPM selinux-policy-2. 4. 6-203. l5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name httpd_enable_cgi Host Name localhost. localdomain Platform Linux localhost. localdomain 2. 6. 18-128. 1. 10. el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686 Alert Count 1 First Seen Thu May 28 15:48:36 2009 Last Seen Thu May 28 15:48:36 2009 Local ID 0fdf4649-60df-47b5-bfd5-a72772207adc Line Numbers Raw Audit Messages host=localhost. localdomain type=AVC msg=audit(1243540116. 963:248): avc: denied { getattr } for pid=2595 comm=†httpd† path=†/var/www/cgi-bin† dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir host=localhost. localdomain type=SYSCALL msg=audit(1243540116. 63:248): arch=40000003 syscall=196 success=no exit=-13 a0=8bd0a88 a1=bfc790bc a2=4 d0ff4 a3=2008171 items=0 ppid=2555 pid=2595 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=†httpd† exe=†httpd† subj=root:system_r:httpd_t:s0 key=(null) At the end of the previous output, listed under the Raw Audit Messages are these lines: â€Å"scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir† This output shows you that httpd attempted to access a subdirectory with the httpd_sys_script_exec_t context type. This type is the context type of /var/www/cgi-bin, the directory where httpd looks for CGI scripts. The httpd daemon, with a httpd_t context type, was unable to access this subdirectory because the httpd_enable_cgi variable is set to off.With this configuration, SELinux does not allow a user or process of type httpd_t to access a directory, file, or process of type httpd_sys_script_exec_t. Therefore, the http daemon was denied access to the CGI script located in /var/www/cgi-bin. If you find similar messages in your log file, set the httpd_enable_cgi Boolean to on. httpd_builtin_scripting If you did not configure Apache to load scripting modules by changing the /etc/httpd/conf/ httpd. conf configuration file, set this Boolean to off. If you are unsure, turn httpd_builtin_scripting to off and check the /var/log/messages file for any httpd-related SELinux warnings. See the description of httpd_enable_cgi for an example. PHP and other scripting modules run with the same level of access as the http daemon.Therefore, turning httpd_builtin_scripting to off reduces the amount of access available if the Web server is compromised. To turn off all six of these Booleans and write the values to the policy file by using the setsebool -P command follow these steps: 1. Enter the setsebool -P command: First Steps with Security-Enhanced Linux (SELinux) 11 [[email  protected] ~]# setsebool -P httpd_can_sendmail=0 httpd_enable_homedirs =0 httpd_tty_comm=0 httpd_unified=0 httpd_enable_cgi=0 httpd_builtin_scripting=0 2. Check all the Boolean settings related to httpd by entering getsebool –a | grep httpd. The following output shows that all Boolean are set to off, including the six previously described variables which default to on. [email  protected] ~]$ getsebool -a | grep httpd allow_httpd_anon_write –> off allow_httpd_bugzilla_script_anon_write –> off allow_httpd_mod_auth_pam –> off allow_httpd_nagios_script_anon_write –> off allow_httpd_prewikka_script_anon_write –> off allow_httpd_squid_script_anon_write –> off allow_httpd_sys_script_anon_write –> off httpd_builtin_scripting –> off httpd_can_network_connect –> off httpd_can_network_connect_db –> off httpd_can_network_relay –> off httpd_can_sendmail –> off httpd_disable_trans –> off httpd_enable_cgi –> off httpd_enable_ftp_server –> off httpd_enable _homedirs –> off httpd_rotatelogs_disable_trans –> off httpd_ssi_exec –> off httpd_suexec_disable_trans –> off httpd_tty_comm –> off httpd_unified –> off httpd_use_cifs –> off httpd_use_nfs –> off 3. Use a Web browser or wget to make another request to the httpd daemon for the index. html file and you should succeed. Rebooting your machine does not change this configuration. This completes the necessary basic SELinux settings for hardening a Web server with static content. Next, look at hardening scripts accessed by the http daemon. Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.Hardening CGI scripts with SELinux In the previous section, you used SELinux Booleans to disable scripting because the Web server used only static content. Beginning with that configuration, you can enable CGI scripting and use SELinux to secure the scripts. 1. Confirm that your Web server is configured as described in section â€Å"Securing Apache (static content only)† on page 9. 2. Red Hat Enterprise Linux provides a CGI script that you can use for testing. You can find the script at /usr/lib/perl5/5. 8. 8/CGI/eg/tryit. cgi. Copy this script to the /var/www/cgi-bin/ directory, as follows: [[email  protected] ~]$ cp /usr/lib/perl5/5. 8. 8/CGI/eg/tryit. gi /var/www/cgi-bin/ 3. Make sure that the first line of the tryit. cgi script contains the correct path to the perl binary. From the which perl output shown below, the path should be changed to ! #/usr/bin/perl. [[email  protected] ~]# which perl /usr/bin/perl [[email  protected] ~]# head -1 /var/www/cgi-bin/tryit. cgi #! /usr/local/bin/perl 4. Confirm that /var/www/cgi-bin is assigned the httpd_sys_script_exec_t context type as follows: [[email  protected] ~]$ ls -Z /var/www/ | grep cgi-bin drwxr-xr-x root root root:object_r:httpd_sys_script_exec_t cgi-bin 12 Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server 5.Allow and confirm read and execute permission for the tryit. cgi script to all users: [[email  protected] cgi-bin]# chmod 555 /var/www/cgi-bin/tryit. cgi [[email  protected] cgi-bin]# ls -Z -r-xr-xr-x root root root:object_r:httpd_sys_script_exec_t tryit. cgi 6. Confirm that /var/www/cgi-bin/tryit. cgi is assigned the httpd_sys_script_exec_t context type: [[email  protected] ~]$ ls -Z /var/www/cgi-bin/tryit. cgi -r-xr-xr-x root root root:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/tryit. cgi 7. Enable CGI scripting in SELinux and confirm that it is enabled: [[email  protected] cgi-bin]$ setsebool httpd_enable_cgi=1 [[email  protected] cgi-bin]$ getsebool httpd_enable_cgi httpd_enable_cgi –> on 8.Open a Web browser and type the Web server address into the location bar. Include the /cgi-bin/tryit. cgi in the URL. For example, type http://192. 168. 1. 100/cgi-bin/tryit. cgi. The tryit. cgi script should return output similar to Figure 1: Figure 1. Figure 1: A Simple Example 9. Provide test answers to the form fields and click Submit Query. The tryit. cgi script should return output similar to Figure 2: First Steps with Security-Enhanced Linux (SELinux) 13 Figure 2. Figure 2: A Simple Example with results Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. 14Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Appendix. Related information and downloads Related information v Wikipedia: Security-Enhanced Linux http://en. wikipedia. org/wiki/Selinux v Bell-La Padula model http://en. wikipedia. org/wiki/Bell-La_Padula_model v NSA Security-Enhanced Linux http://www. nsa. gov/research/selinux /index. shtml v Managing Red Hat Enterprise Linux 5 presentation http://people. redhat. com/dwalsh/SELinux/Presentations/ManageRHEL5. pdf v developerWorks Security Blueprint Community Forum http://www. ibm. com/developerworks/forums/forum. jspa? forumID=1271 v Red Hat Enterprise Linux 4: Red Hat SELinux Guide http://www. linuxtopia. rg/online_books/redhat_selinux_guide/rhlcommon-section-0055. html v F. Mayer, K. MacMillan, D. Caplan, â€Å"SELinux By Example – Using Security Enhanced Linux† Prentice Hall, 2007 Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.  © Copyright IBM Corp. 2009 15 16 Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Notices This information was developed for products and services offered in the U. S. A. IBM may not offer the products, s ervices, or features discussed in this document in other countries.Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents.You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U. S. A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION â€Å"AS IS† WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other progr ams (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation Dept. LRAS/Bldg. 903 11501 Burnet Road Austin, TX 78758-3400 U. S. A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.  © Copyright IBM Corp. 2009 17 For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106-0032, Japan IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Informatio n concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products.All of these names are fictitious and any similarity to the names and addresses used by an ac tual business enterprise is entirely coincidental. Trademarks IBM, the IBM logo, and ibm. com ® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( ® and â„ ¢), these symbols indicate U. S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www. ibm. com/legal/copytrade. html Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Java and all Java-based trademarks and logos are registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, or service names may be trademarks or service marks of others. 18 Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server Printed in USA

Free Essays on Flextime

Flextime is a new work concept, which I feel will help employees want to come to work on time and actually get what they have to do done. It’s being used my numerous corporations Flextime is a work concept which divides the day into "core time," when all employees are expected to be at work, and "flexible time," usually at the beginning and end of the day, when employees may select their own arrival and departure times. A weekly period of 35 hours must be established. Acceptance of flextime is completely voluntary; employees may choose to remain with a standard summer schedule of 8:30 a.m. to 4:30 p.m. with a one-hour lunch. In addition, certain departments, such as CCS and Facilities, will have schedules that vary from hours described below or have particular needs that may, in some instances, be addressed outside this policy. Following are the procedures for implementing flextime at Rider University. Department heads should meet with staff before the effective dates of this policy to discuss relevant issues including the following: 1. Effective dates for summer, 2001, are Monday, May 14th, to Friday, August 24th. 2. The core time is 9:00 a.m. to 3:30 p.m. All employees must be in attendance during this period. Flexible hours are from 8:00 a.m. to 9:00 a.m. and 3:30 p.m. to 4:30 p.m. The base period of the standard work day is 7 hours. A lunch time of at least 30 minutes must be taken each day. Time sheets, where applicable, should accurately reflect hours worked. 3. Schedules must be coordinated within working units and approved by the supervisor, so that department coverage continues to be provided for the business period of 8:30 a.m. to 4:30 p.m. Schedule selection will be made on an month-by-month basis and, except for emergency situations and coverage for absences, these schedules may not be changed. 4. Overtime: Hours worked in excess of the weekly base period of 35 hours (37.5 hours for maintenance employees) are... Free Essays on Flextime Free Essays on Flextime Flextime is a new work concept, which I feel will help employees want to come to work on time and actually get what they have to do done. It’s being used my numerous corporations Flextime is a work concept which divides the day into "core time," when all employees are expected to be at work, and "flexible time," usually at the beginning and end of the day, when employees may select their own arrival and departure times. A weekly period of 35 hours must be established. Acceptance of flextime is completely voluntary; employees may choose to remain with a standard summer schedule of 8:30 a.m. to 4:30 p.m. with a one-hour lunch. In addition, certain departments, such as CCS and Facilities, will have schedules that vary from hours described below or have particular needs that may, in some instances, be addressed outside this policy. Following are the procedures for implementing flextime at Rider University. Department heads should meet with staff before the effective dates of this policy to discuss relevant issues including the following: 1. Effective dates for summer, 2001, are Monday, May 14th, to Friday, August 24th. 2. The core time is 9:00 a.m. to 3:30 p.m. All employees must be in attendance during this period. Flexible hours are from 8:00 a.m. to 9:00 a.m. and 3:30 p.m. to 4:30 p.m. The base period of the standard work day is 7 hours. A lunch time of at least 30 minutes must be taken each day. Time sheets, where applicable, should accurately reflect hours worked. 3. Schedules must be coordinated within working units and approved by the supervisor, so that department coverage continues to be provided for the business period of 8:30 a.m. to 4:30 p.m. Schedule selection will be made on an month-by-month basis and, except for emergency situations and coverage for absences, these schedules may not be changed. 4. Overtime: Hours worked in excess of the weekly base period of 35 hours (37.5 hours for maintenance employees) are...