Procedure for running BIND9 inside a chroot.~
BIND is started as root. Confining it to a chroot with -t and dropping to the unprivileged named user with -u (see the init script below) limits what an attacker who takes over the named process can reach: the process sees only the chroot tree, not the real /etc, and no longer has root. Both flags are needed together, since a process that is still root can leave a chroot. The chroot contains a compromise; it does not remove the vulnerability, so the BIND version itself must still be kept patched.~
-Installing BIND~
The named account is a daemon account and gets no login shell.~
groupadd -g 400 named
useradd -g named -u 400 -s /sbin/nologin -M named
wget http://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz
tar xfvz bind-9.3.2.tar.gz
cd bind-9.3.2
./configure
make
make install
-Creating the chroot directory~
By default named writes its pid file to /var/run/named.pid, a path that is interpreted inside the chroot when -t is used, so var/run is created here as well and must be writable by the named user.~
mkdir -p /var/chroot/named/etc /var/chroot/named/var /var/chroot/named/var/run /var/chroot/named/dev
chown named:named /var/chroot/named/var/run
-Creating device files~
named needs /dev/null and /dev/random inside the chroot (character devices 1,3 and 1,8). The nodes must be usable by the named user, so set their mode explicitly instead of relying on the umask. /etc/localtime is copied in so that the timestamps named logs are in local time.~
mknod -m 666 /var/chroot/named/dev/null c 1 3
mknod -m 644 /var/chroot/named/dev/random c 1 8
cp /etc/localtime /var/chroot/named/etc
-Configuring syslog~
named inside the chroot cannot reach the host's /dev/log, so syslogd must open an additional listening socket inside the chroot (the -a option). Edit the init script:~
On Red Hat systems the same result is obtained without editing the init script by adding -a /var/chroot/named/dev/log to SYSLOGD_OPTIONS in /etc/sysconfig/syslog; with rsyslog the equivalent is $AddUnixListenSocket /var/chroot/named/dev/log.~
vi /etc/init.d/syslog
Change:
start() {
echo -n $"Starting system logger: "
#daemon syslogd $SYSLOGD_OPTIONS
daemon syslogd -m 0 -a /var/chroot/named/dev/log ← changed
RETVAL=$?
echo
echo -n $"Starting kernel logger: "
daemon klogd $KLOGD_OPTIONS
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
return $RETVAL
}
Restart syslog and confirm that syslogd is running with the extra socket~
/etc/init.d/syslog restart
ps ax | grep syslog
13633 ? Ss 0:00 syslogd -m 0 -a /var/chroot/named/dev/log
-named.conf and zone files~
Keep the real named.conf and zone files inside the chroot and put symlinks at their usual locations. The symlinks are only for the administrator and host-side tools; named itself resolves every path in named.conf (directory, file, pid-file, the rndc key file) relative to the chroot, so directory "/var/named" stays as it is and every file named.conf refers to must physically exist under /var/chroot/named.~
mv -f /var/named /var/chroot/named/var
mv /etc/named.conf /var/chroot/named/etc
cd /etc
ln -s /var/chroot/named/etc/named.conf named.conf
cd /var
ln -s /var/chroot/named/var/named named
Leave named.conf and master zone files owned by root and not writable by the named user; give named write access only where it has to write (slave zone files, dynamic-update journals, var/run for the pid file). If rndc is used, the key file must also be present inside the chroot for named and readable by rndc on the host.~
-Auto-start configuration (bind.init)~
Use the following script~
#!/bin/sh
#
# named This shell script takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -f /usr/local/sbin/named ] || exit 0
[ -f /var/chroot/named/etc/named.conf ] || exit 0
# See how we were called.
case "$1" in
start)
# Start daemons.
# -t chroots to /var/chroot/named before -u drops root to the named user;
# -c is interpreted inside the chroot (/var/chroot/named/etc/named.conf).
echo -n "Starting named: "
daemon /usr/local/sbin/named -u named -t /var/chroot/named -c /etc/named.conf
echo
touch /var/lock/subsys/named
;;
stop)
# Stop daemons.
echo -n "Shutting down named: "
killall named
rm -f /var/lock/subsys/named
echo
;;
status)
status named
exit $?
;;
restart)
$0 stop
$0 start
exit $?
;;
reload)
/usr/local/sbin/rndc reload
exit $?
;;
probe)
# named knows how to reload intelligently; we don't want linuxconf
# to offer to restart every time
/usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
exit 0
;;
*)
echo "Usage: named {start|stop|status|restart|reload|probe}"
exit 1
esac
exit 0