
Step-by-step installation of MSVS 3.0 from disk. Mobile System of the Armed Forces (OS MSVS): a protected general-purpose operating system

The Mobile System of the Armed Forces (MSVS) is a secure multi-user, multitasking general-purpose operating system (OS) developed on the basis of Red Hat Linux. The OS provides a multi-level priority system with preemptive multitasking, virtual memory and full network support; it runs on multiprocessor (SMP, Symmetric Multiprocessing) and cluster configurations on Intel platforms, IBM S390, MIPS (the "Baget" complexes produced by the Korund company) and SPARC (Elbrus-90Micro). The distinguishing feature of MSVS 3.0 is its built-in protection against unauthorized access, which meets the requirements of the State Technical Commission under the President of the Russian Federation for class 2 computing equipment. The protection tools include mandatory access control, access control lists, a role model and developed audit tools (event logging). MSVS is intended for building stationary protected automated systems. The developer of MSVS is the All-Russian Research Institute for Automation of Management in the Non-Industrial Sphere named after V. V. Solomatin (VNIINS). It was adopted for supply to the Armed Forces of the Russian Federation in 2002.

The MSVS 3.0 file system supports file names up to 256 characters long, including Russian-language file and directory names, symbolic links, quotas and access control lists. FAT and NTFS file systems can be mounted, as well as ISO-9660 (CDs). The quota mechanism controls each user's use of disk space, the number of running processes and the amount of memory allocated to each process. The system can be configured to issue a warning when a user's consumption approaches a given quota.

MSVS 3.0 is a graphical system based on X Window. Two window managers are supplied for work in the graphical environment: IceWM and KDE. Most programs in MSVS are designed for a graphical environment, which creates favorable conditions not only for users' day-to-day work but also for migrating users from Windows to MSVS.

MSVS 3.0 is delivered in a configuration that, in addition to the main control program (the kernel), includes a set of additional software products. The OS itself serves as the basic element for building automated workplaces (ARM) and automated systems. The additional software can be installed selectively and is aimed at maximum automation of domain management and administration, which lowers the cost of maintaining the workplaces and lets staff concentrate on their actual task. The installation program can install the OS from the boot CD or over the network via FTP. Usually the installation server is installed and configured from the disks, and the other computers are then installed over the network. The installation server in a working domain also updates and restores the software at the workplaces: a new version is deployed only on the server, after which the workplaces are updated automatically. When software at a workplace is damaged (for example, a program file is deleted, or the checksum of an executable or configuration file no longer matches), the corresponding software is reinstalled automatically.

During installation the administrator is offered a choice between one of the standard installation types and a custom installation. The standard types are used for standard workplaces and cover the main options for organizing workplaces on the basis of MSVS 3.0. Each standard type defines a set of installed software products, a disk configuration, a set of file systems and a number of system settings. A custom installation allows all of these characteristics of the final system to be set explicitly, down to the selection of individual software packages. With a custom installation, MSVS 3.0 can be installed on a computer that already has another OS (for example, Windows NT).

MSVS 3.0 includes a Unified Documentation System (ESD) with information on the most diverse aspects of the system's operation. The ESD consists of a documentation server and a database of reference descriptions, which is accessed through a browser. When additional software is installed, the corresponding reference sections are added to the ESD database. The ESD can be placed locally at each workplace, or a dedicated documentation server can be set up in the MSVS domain. The latter option is useful in large MSVS domains to save total disk space and to simplify management and documentation updates. Documentation is accessed from other workplaces through the web browser supplied with MSVS 3.0.

MSVS 3.0 is Russified in both text and graphical modes. Virtual terminals are supported, with switching between them done by a key combination.

The key moment for the integrity of the system is the registration of a new MSVS user, when the user's attributes are defined, including the security attributes according to which the access control system will subsequently govern that user. The information entered when a new user is registered is the basis of the mandatory access model.

Discretionary access control is implemented with the mechanisms traditional for UNIX: permission bits and access control lists (ACL, Access Control List). Both mechanisms are implemented at the file system level of MSVS 3.0 and set the rights to access file system objects. Permission bits define rights for three categories of users (owner, group, others); this is not a very flexible mechanism, and it is used where rights for most OS files are set identically for the majority of users. ACLs allow rights to be set for individual users and/or groups, achieving much finer granularity. Lists are used for files where, for example, different access rights must be set for several specific users.

Specifications of MSVS 3.0 OS:

Parameter: Characteristic
Information security system: built-in
Information protection model: discretionary model, mandatory model, role model
Compatibility of the security system (SZI) with other OS: "Omonym-390VS", "Olivia", MSVS 5.0
Kernel: 2.4.32 (2.4.37.9 in fact)
File systems with mandatory labels: EXT2, EXT3
Support for other file systems: FAT16, FAT32, NTFS (read-only), ISO9660
File name length: up to 256 characters
Graphics subsystem: X Window
Graphics system: Xorg-x11-7.3
Type: client-server
Window managers: ELK, TWM, KDE, IceWM
Graphical shell: ELK-1.9.9
Multiprocessor support: up to 32 processors
RAM: 64 GB
Built-in services: DNS, FTP, Telnet, NTP, TFTP, SFTP, DHCP, RIP, BGP, OSPF, PPP, PPTP
Supported buses: ISA, all PCI, SCSI, IDE, SATA, SAS, AGP, USB 2.0
Development tools included:
  Programming languages: C/C++, Perl, Python, Shell, Tcl
  C/C++ compiler: 2.95.4, 3.3.6, 4.1.3
  System library: glibc-2.3.6
  Qt: 4.6.3
  Debugger: GDB 6.8
Installation media: CD-ROM, floppy disk (NGMD), network

Installation of OS MSVS 3.0

In this practical lesson the installation of MSVS on a PC or a network server is considered. Installation of MSVS 3.0 consists of the following steps:

  1. Boot the PC or network server from the medium holding the MSVS 3.0 distribution. When booting from the medium completes, the screen shown in Figure 2.1 appears. To continue, press the <Enter> key.

Figure 2.1. Start screen of the MSVS 3.0 installation wizard.

  2. The MSVS kernel is initialized and hardware detection runs, after which the screen shown in Fig. 2.2 appears. To continue, click the <Done> button.

Figure 2.2. Detected devices screen.

  3. The "Greeting" screen shown in Fig. 2.3 appears. To continue, click the <Yes> button.

Figure 2.3. The "Greeting" screen.

  4. Select the model of the mouse connected to the computer (Fig. 2.4). Since the mouse will not be used in further work, select "No mouse" and click the <Yes> button.

Figure 2.4. Selecting the model of the mouse connected to the computer.

  5. Partitioning the hard disk is one of the most critical moments of the MSVS installation. Not because partitioning is so complicated, but because a mistake made at this stage can be corrected only with great difficulty, and doing so may be fraught with data loss.

This chapter discusses the following topics:

Users;

Differences between privileged and unprivileged users;

Login files;

The /etc/passwd file;

The /etc/shadow file;

The /etc/gshadow file;

The /etc/login.defs file;

Modifying password aging information;

The basis of MSVS security is the concept of users and groups. Every decision about what a user is or is not allowed to do is made on the basis of who that user is from the point of view of the operating system kernel.

General view of users

MSVS is a multitasking, multi-user system. The duties of the operating system include isolating users and protecting them from one another. The system keeps track of each user and, based on who that user is, decides whether to grant access to a particular file or allow a particular program to run.

When a new user is created, a unique name is assigned to them.

NOTE

The system determines a user's privileges from the user identifier (UserID, UID). Unlike the username, the UID need not be unique; in that case the first name found whose UID matches the given one is taken as the user's name.

Each user newly registered in the system is associated with certain elements of the system.

Privileged and unprivileged users

When a new user is added to the system, a special number is allocated to them, called the user identifier (UserID, UID). In MSVS, as in Caldera, identifiers for new users are allocated starting from 500 and upward, to 65,534. Numbers below 500 are reserved for system accounts.

In general, identifiers below 500 are no different from any other identifiers. A program often requires, for its normal operation, a special user with full access to all of its files.

Identifiers are numbered from 0 to 65,535. UID 0 is special: any process or user with the zero identifier is privileged. Such a person or process has unlimited power over the system; nothing can stand in their way. The root account (the account whose UID is 0), also called the superuser account, makes whoever logs in with it, if not the owner of the system, then at least its trustee.

That leaves UID 65,535. It is also not an ordinary one: this UID belongs to nobody.

At one time, one way of breaking into a system was to create a user with the identifier 65,536, whereby that user received superuser privileges. Indeed, take any UID and convert it to binary: you get a combination of sixteen binary digits, each either 0 or 1. The overwhelming majority of identifiers contain both zeros and ones. The exceptions are the zero UID of the superuser, consisting of zeros only, and the UID of nobody, equal to 65,535 and consisting of sixteen ones, i.e. 1111111111111111. The number 65,536 does not fit in 16 digits: representing it in binary requires 17 digits, of which the most significant is one (1) and all the rest are zero (0). So what happens when a user is created with an identifier 17 binary digits long, 10000000000000000? In theory, a user with a zero identifier: since only 16 binary digits are allotted to the identifier, the 17th digit has nowhere to go and is discarded. The only one in the identifier is thus lost, only zeros remain, and a new user appears in the system with the identifier, and hence the privileges, of the superuser. Today, however, MSVS has no programs that would allow a UID of 65,536 to be set.

NOTE

Users with identifiers greater than 65,536 can be created, but such accounts cannot be used without replacing /bin/login.

Any hacker will certainly try to obtain superuser privileges. As soon as he obtains them, the further fate of the system depends entirely on his intentions. Perhaps, satisfied with the fact of the break-in itself, he will do nothing bad to it and, having sent you a letter describing the holes he found in its security, will leave it alone forever; and perhaps not. If the intruder's intentions are not so clean, the best that can be hoped for is a system failure.

The /etc/passwd file

Anyone wishing to log in must enter a username and password, which are checked against the user database stored in the /etc/passwd file. Among other things, the passwords of all users are stored there. On connecting to the system, the entered password is compared with the password corresponding to the name; if they match, the user is admitted, after which the program specified for that username in the password file is launched. If it is a command shell, the user gains the ability to enter commands.

Consider Listing 1.1. This is an old-style passwd file.

Listing 1.1. The /etc/passwd file in the old style

root:1iDYwrOmhmEBU:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:11:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/var/spool/news:
uucp:*:10:14:uucp:/var/spool/uucp:
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/home/ftp:
man:*:15:15:Manuals Owner:/:
majordom:*:16:16:Majordomo:/:/bin/false
postgres:*:17:17:Postgres User:/home/postgres:/bin/bash
mysql:*:18:18:MySQL User:/usr/local/var:/bin/false
silvia:1iDYwrOmhmEBU:501:501:Silvia Bandel:/home/silvia:/bin/bash
nobody:*:65534:65534:Nobody:/:/bin/false
david:1iDYwrOmhmEBU:500:500:David A. Bandel:/home/david:/bin/bash

The password file has a rigidly defined structure. Its contents form a table; each line of the file is one table entry, and each entry consists of several fields. The fields of the passwd file are separated by colons, so a colon cannot appear in any field. There are seven fields in all: username, password, user identifier, group identifier, the GECOS field (the comment field), home directory and login command shell.

Read more about /etc/passwd

The first field holds the username. It must be unique: two users of the system cannot have the same name. The name field is the only field whose value must be unique. The second field holds the user's password. To protect the system, the password is stored in hashed form; the term "hashed" in this context means "encrypted". In the case of the passwd file, the password is encrypted with the DES (Data Encryption Standard) algorithm. The length of the hashed password in this field is always 13 characters, and certain characters, such as the colon and the single quote, never occur in it. Any other field value that is not a proper 13-character hashed password makes it impossible for the user to log in, with one extremely important exception: the password field may be empty.

Nothing in the second field, not even a space, means that the corresponding user needs no password to log in. If the password stored in the field is altered by appending any character to it, for example a single quote, the account is blocked and the user can no longer log in: once an illegal character has been added and the hash is 14 characters long, the system refuses to authenticate a user with such a password.

Currently the password length is limited to eight characters. The user may enter a longer password, but only the first eight characters are significant. The first two characters of the hashed password are the seed (salt). (The seed is the number used to initialize the encryption algorithm; a new seed is chosen at random on every password change.) As a result, the number of possible permutations is large enough that it is impossible to find out whether two users have the same password by simply comparing their hashed passwords.

NOTE

A dictionary attack is a brute-force method of password cracking that uses a dictionary and a known seed. The attack consists of going through all the words of the dictionary, encrypting each with this seed and comparing the result with the hashed password. Besides the dictionary words, some modifications of them are usually tried as well, for example all letters capitalized, only the first letter capitalized, and digits (usually only 0-9) appended to the end of all these combinations. Many easy passwords can be cracked this way.

The third field holds the user identifier. The user ID is not required to be unique. In particular, besides the root user there may be any number of other users with a zero identifier, and all of them will have superuser privileges.

The fourth field contains the group identifier (GroupID, GID). The group indicated in this field is called the user's primary group (PrimaryGroup). A user may belong to several groups, but one of them must be the primary group.

The fifth field is now called the comment field, but its original name is GECOS, from "GE Consolidated Operating System". When user information is requested via finger or another program, the contents of this field are returned as the user's real name. The comment field may be empty.

The sixth field sets the user's home directory. Each user must have their own home directory. Normally a user who logs in ends up in their home directory, but if it does not exist they end up in the root directory.

The seventh field sets the login command shell. Not every shell can be specified in this field: depending on the system settings, only a shell from the list of permitted shells may be given. In MSVS the list of permitted shells is by default kept in the /etc/shells file.
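The structural rules above (seven colon-separated fields, the meaning of an empty or malformed password field, extra UID 0 accounts, the 16-bit UID limit, shells outside /etc/shells) can be checked mechanically. This added example is not from the page; the sample file is constructed, and the /etc/shells contents are an assumption:

```python
"""Audit an old-style /etc/passwd (hash in the second field) for the
conditions described above. Added example; the sample file is constructed."""
import re
from collections import Counter

# A crypt(3) DES hash: 2 salt characters + 11 body, all from [A-Za-z0-9./].
DES_HASH = re.compile(r"^[A-Za-z0-9./]{13}$")

# Assumed contents of /etc/shells; the page only says the list lives there.
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/bin/false", "/bin/sync",
                  "/sbin/shutdown", "/sbin/halt"}

def classify_password(field):
    """Say what the second passwd field means for login."""
    if field == "":
        return "no-password"   # login succeeds without any password
    if field == "x":
        return "shadowed"      # real hash lives in /etc/shadow
    if DES_HASH.match(field):
        return "des-hash"      # a proper 13-character hash
    return "locked"            # '*', a hash with an extra character, etc.

def parse_passwd(text):
    """Split passwd lines into dicts; colons separate exactly seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def audit_passwd(entries, shells=ALLOWED_SHELLS):
    """Return (username, finding) pairs for entries that deserve a look."""
    findings = []
    names = Counter(e["name"] for e in entries)
    for e in entries:
        n = e["name"]
        if names[n] > 1:
            findings.append((n, "duplicate username"))
        if classify_password(e["pw"]) == "no-password":
            findings.append((n, "empty password field: login without password"))
        if e["uid"] == 0 and n != "root":
            findings.append((n, "UID 0: additional superuser account"))
        if not 0 <= e["uid"] <= 65535:
            # 65536 needs 17 bits; a 16-bit UID field silently drops the top
            # bit and leaves 0, the historical route to root described above.
            findings.append((n, f"UID {e['uid']} does not fit in 16 bits"))
        if e["shell"] and e["shell"] not in shells:
            findings.append((n, f"shell {e['shell']} not in /etc/shells"))
    return findings

# Constructed sample in the old-style format of Listing 1.1.
SAMPLE_PASSWD = """\
root:1iDYwrOmhmEBU:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
toor:1iDYwrOmhmEBU:0:0:second root:/root:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash
bigid:*:65536:65536:Overflow:/home/bigid:/bin/bash
odd:*:503:503:Odd shell:/home/odd:/usr/local/bin/zsh
david:1iDYwrOmhmEBU:500:500:David A. Bandel:/home/david:/bin/bash
"""

if __name__ == "__main__":
    for user, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{user}: {finding}")
```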

The /etc/shadow file

The owner of /etc/shadow is the root user, and only root has the right to read this file. To create it, the usernames and hashed passwords are taken from the passwd file and placed in the shadow file, and every hashed password in the passwd file is replaced with the character x. If you look at the system's passwd file, you will see x characters in place of the hashed passwords. This character tells the system that the password should be looked up not here but in the /etc/shadow file. The transition from plain passwords to shadow passwords and back is performed by three utilities. To switch to shadow passwords, the pwck utility is run first. It checks the passwd file for anomalies that could make the next step fail or hang. After pwck has done its work, the pwconv utility is run to create /etc/shadow. This is usually done after manually updating the /etc/passwd file. To return to ordinary passwords, pwunconv is run.

The shadow password file is in many ways similar to the ordinary password file. In particular, the first two fields of the two files are the same. But besides these fields it naturally contains additional fields that are absent from the ordinary password file. Listing 1.2 shows the contents of a typical /etc/shadow file.

Listing 1.2. The /etc/shadow file

root:1iDYwrOmhmEBU:10792:0::7:7::
bin:*:10547:0::7:7::
daemon:*:10547:0::7:7::
adm:*:10547:0::7:7::
lp:*:10547:0::7:7::
sync:*:10547:0::7:7::
shutdown:U:10811:0:-1:7:7:-1:134531940
halt:*:10547:0::7:7::
mail:*:10547:0::7:7::
news:*:10547:0::7:7::
uucp:*:10547:0::7:7::
operator:*:10547:0::7:7::
games:*:10547:0::7:7::
gopher:*:10547:0::7:7::
ftp:*:10547:0::7:7::
man:*:10547:0::7:7::
majordom:*:10547:0::7:7::
postgres:*:10547:0::7:7::
mysql:*:10547:0::7:7::
silvia:1iDYwrOmhmEBU:10792:0:30:7:-1::
nobody:*:10547:0::7:7::
david:1iDYwrOmhmEBU:10792:0::7:7::

Details of /etc/shadow

The purpose of the first field of the shadow file is the same as that of the first field of the passwd file.

The second field contains the hashed password. The shadow password implementation in MSVS allows hashed passwords of 13 to 24 characters, but the crypt password encryption routine can produce only 13-character hashed passwords. The characters used in the hash are taken from a set of 52 letters of the alphabet (lowercase and uppercase), the digits 0-9, the period (.) and the forward slash (/), i.e. 64 characters are permissible in the hashed password field.

The seed, which as before is the first two characters, can therefore be chosen from 4096 possible combinations (64x64). For encryption the DES algorithm with a 56-bit key is used, that is, its key space has 2^56 keys, approximately 72,057,590,000,000,000 or 72 quadrillion. The number looks impressive, but in practice a key space of this size can actually be searched in a fairly short time.

Password aging information begins with the third field. It stores the number of days from 1 January 1970 to the last password change.

The fourth field sets the minimum number of days that must pass before the password may be changed again. Until as many days as indicated in this field have passed since the last change, the password cannot be changed.

The fifth field sets the maximum number of days a password may be used, after which it must be changed. With a positive value in this field, a user who attempts to log in after the password has expired gets the passwd command run not as usual, but in forced password change mode.

The value of the sixth field determines how many days before the password expires a warning about it should start to be issued. Having received the warning, the user can begin thinking up a new password.

The seventh field sets the number of days, counted from the day the password expires, after which the account is locked.

The penultimate field stores the day on which the account is locked.

The last field is reserved and not used.
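The aging fields above are all plain day counts, so the state of an account on any given day follows from a few comparisons. This added example (not from the page) parses entries in the Listing 1.2 format and derives that state; the entries beyond those of Listing 1.2 are constructed, and "today" is passed in as a day number rather than read from the clock:

```python
"""Interpret the aging fields of /etc/shadow entries as described above,
counting days from 1 January 1970. Added example; 'today' is a day number."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)

def days_to_date(days):
    """Convert a shadow day count into a calendar date."""
    return EPOCH + timedelta(days=days)

def _opt_int(field):
    """An empty field or -1 both mean 'not set'."""
    if field == "":
        return None
    value = int(field)
    return None if value < 0 else value

@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    last_change: Optional[int]    # field 3: day of the last password change
    min_days: Optional[int]       # field 4: days before a new change is allowed
    max_days: Optional[int]       # field 5: days the password may be used
    warn_days: Optional[int]      # field 6: warning period before expiry
    inactive_days: Optional[int]  # field 7: grace period before the lock
    expire_day: Optional[int]     # field 8: day the account itself is locked

    @classmethod
    def parse(cls, line):
        f = line.split(":")
        if len(f) != 9:                       # the ninth field is reserved
            raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
        return cls(f[0], f[1], *(_opt_int(x) for x in f[2:8]))

    def status(self, today):
        """State of the account on day 'today' (days since the epoch)."""
        if self.pw_hash == "":
            return "no-password"
        if self.pw_hash[0] in "*!" or len(self.pw_hash) < 13:
            return "locked"              # nothing a user types can hash to this
        if self.expire_day is not None and today >= self.expire_day:
            return "account-expired"
        if self.max_days is None or self.last_change is None:
            return "ok"                  # no aging enforced for this account
        expires = self.last_change + self.max_days
        if today >= expires:
            if self.inactive_days is not None and today >= expires + self.inactive_days:
                return "inactive"        # grace period over: account locked
            return "must-change"         # login runs passwd in forced mode
        if self.warn_days is not None and today >= expires - self.warn_days:
            return "warning"
        return "ok"

    def can_change(self, today):
        """Whether the minimum age (field 4) allows a password change today."""
        if self.min_days is None or self.last_change is None:
            return True
        return today >= self.last_change + self.min_days

def load_shadow(text):
    """Map username -> ShadowEntry for every non-blank line."""
    return {e.name: e for e in (ShadowEntry.parse(l) for l in text.splitlines() if l.strip())}

# First four lines are from Listing 1.2; 'temp' and 'grace' are constructed.
SAMPLE_SHADOW = """\
root:1iDYwrOmhmEBU:10792:0::7:7::
bin:*:10547:0::7:7::
shutdown:U:10811:0:-1:7:7:-1:134531940
silvia:1iDYwrOmhmEBU:10792:0:30:7:-1::
temp:1iDYwrOmhmEBU:10792:2:90:7:5:10800:
grace:1iDYwrOmhmEBU:10700:0:30:7:5::
"""

if __name__ == "__main__":
    today = 10816
    for name, entry in load_shadow(SAMPLE_SHADOW).items():
        changed = days_to_date(entry.last_change) if entry.last_change else "never"
        print(f"{name}: last change {changed}, status {entry.status(today)}")
```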

Read more about /etc/group

Each entry of the /etc/group file consists of four fields separated by colons. The first field sets the name of the group, analogous to a username.

The second field is usually empty, since the group password mechanism is rarely used, but if this field is not empty and contains a password, any user can join the group. To do so, run the newgrp command with the group name as a parameter and then enter the correct password. If no group password is set, only the users listed as members of the group can join it.

The third field sets the group identifier (GroupID, GID). Its meaning is the same as that of the user ID.

The last field is the list of usernames belonging to the group, separated by commas without spaces. A user's primary group is specified (mandatorily) in the passwd file and is assigned from that information when the user logs in. Accordingly, if the user's primary group in the passwd file is changed, the user will no longer be able to join the former primary group.

The /etc/login.defs file

A new user can be added to the system in several ways. In MSVS the following programs are used for this: coastool, lisa, useradd. Any of them will do. The coas utility uses its own file. The useradd and lisa programs take default values for the passwd and shadow file fields from the /etc/login.defs file. An abbreviated version of this file is shown in Listing 1.4.

Listing 1.4. Abbreviated /etc/login.defs file

# Maximum number of days a password may be used:
# (-1 = password change not required)
PASS_MAX_DAYS   -1
# Minimum number of days between password changes:
PASS_MIN_DAYS   0
# Number of days before expiry that a password warning is issued:
PASS_WARN_AGE   7
# Number of days after a password expires before the account is locked:
PASS_INACTIVE   -1
# Force password expiry on the given day:
# (the date is the number of days since 70/1/1, -1 = do not force)
PASS_EXPIRE     -1
# Default values of the account fields for useradd
# Default group:
GROUP           100
# Home directory (%s = username):
HOME            /home/%s
# Default command shell:
SHELL           /bin/bash
# Directory holding the skeleton of the home directory:
SKEL            /etc/skel
# Minimum and maximum values for automatic GID selection in groupadd
GID_MIN         100

The contents of this file set the default values for the passwd and shadow fields. Unless overridden from the command line, these values are used. As a starting point they are quite suitable, but to implement password aging some of them will need to be changed. A value of -1 means no restriction.

The COAS program from the Caldera distribution uses a graphical user interface.

To change password aging information for one or two users, the chage command (change aging) can be used. Unprivileged users can run chage only with the -l option and their own username, that is, only to request aging information about their own password. To change aging information it is enough to specify the username; the remaining parameters are requested interactively. Running chage without parameters prints a brief usage reference.

The COAS program can be used to change the password aging parameters of each account separately. The values are given in days. The program's interface is self-explanatory.

NOTE

To obtain information about the expiry of a user's password, or to force it, the expiry command can be used.

PAM security system

The main idea of PAM is that one can always write a new security module that consults a file or device for information and returns the result of the authorization procedure: success, failure or ignore. PAM, in turn, returns success or failure to the service that called it. Thus it does not matter which passwords, shadow or ordinary, are used in a system with PAM: every service that supports PAM works equally well with either.

We now turn to the basic principles of PAM operation. Consider Listing 1.6. The /etc/pam.d directory contains configuration files for other services as well, such as su, passwd and others, depending on which software is installed on the system. Each restricted service has its own configuration file. If there is none, the restricted service falls into the "other" category, with the configuration file other. (A restricted service is any service or program that requires authorization before use. In other words, if under normal conditions a service asks for your username and password, it is a restricted service.)

Listing 1.6. Configuration file login

auth     required  pam_securetty.so
auth     required  pam_pwdb.so
auth     required  pam_nologin.so
#auth    required  pam_dialup.so
auth     optional  pam_mail.so
account  required  pam_pwdb.so
session  required  pam_pwdb.so
session  optional  pam_lastlog.so
password required  pam_pwdb.so

As can be seen from the listing, the configuration file consists of three columns. Rows starting with the lattice symbol (#) are ignored. Therefore, the PAM_DialUp module (the fourth line of Listing 1.6) will be missed. The file has rows with the same third field - pam_pwd.so, and first - auth. The use of several rows with the same first field is called the accumulation (stacking) of the modules and allows you to obtain multi-step authorization (stack of modules), which includes several different authorization procedures.

The first column is a type column. The type is determined by one of the four character marks: Auth, Account, Session and Password. The contents of all columns are considered without registering.

Type AUTH (Authentication - Authentication) is used to clarify whether the user is those who gives himself. As a rule, this is achieved by comparing entered and stored passwords, but other options are also possible.

Account type (Account) Checks if the service is allowed to use this user, on what conditions is not the password and so on.

Type Password (password) is used to update authorization markers.

The session (session) type performs certain actions when the user logs in and when the user is output from the system.

Managing Flags

The second column is the field of the control flag, which is determining what to do after returning from the module, that is, the reaction of the RAM to the values \u200b\u200bof the success (Success), ignore (Ignore) and failure (Failure). Allowed values: Requisite, Required, Sufficient and Optional. From the value in this field depends whether the other file lines will be processed.

The Requisite flag sets the most rigid behavior. Processing any row with the Requisite flag, the module of which returned the value of failure (failure) will be discontinued and the service that caused it will be returned to failure. No other lines will be considered. This flag is rare enough. The fact is that if the module marked by them is performed the very first, then the modules following it may not be executed, including those responsible for logging, so the Required flag (required) is usually applied instead.

The Required flag does not interrupt the execution of modules. Whatever the result of the implementation of the module marked by them: Success (Success), ignore (ignore) or failure (failure), the frames always proceed to the processing of the next module. This is the most frequently used flag, since the result of the module is not returned until all other modules work, which means that the modules responsible for logging are defined.

The Sufficient flag (sufficient) leads to an immediate completion of the row processing and returning the value of success (Success), provided that the module marked the value returned the Success value (Success) and previously did not meet the module with the Required flag that returned the failure status (failure). If such a module has met, the Sufficient flag is ignored. If the module marked with this flag returned the value to ignore (ignore) or failure (failure), then the Sufficient flag is seen similarly to the Optional flag.

The result of the execution of the module with the Optional flag (optional) is taken into account only when it is the only module in the stack that has returned the value of success (Success). Otherwise, the result of its execution is ignored. Thus, the unsuccessful fulfillment of the module marked by it does not entail the failure of the entire authorization process.

For the user to be able to access the system, the modules marked with the requisite and required flags must not return failure. The result of a module with the optional flag is taken into account only if it is the only module in the stack that returned success.
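The four flag rules above, as an added simulation that is not code from MSVS or Linux-PAM: a stack is given as (module, flag, result) triples, where result is what the module would return, and run_stack reports both the status handed back to the service and which modules actually ran.

```python
"""Simulation of the four PAM control flags described above.

Added example, not code from MSVS or Linux-PAM. A stack is a list of
(module, flag, result) triples standing for the control-flag and module
columns of a /etc/pam.d file, where `result` is the value the module
would return for the request being simulated.
"""
from typing import List, Tuple

SUCCESS, IGNORE, FAILURE = "success", "ignore", "failure"
FLAGS = ("requisite", "required", "sufficient", "optional")


def run_stack(stack: List[Tuple[str, str, str]]) -> Tuple[str, List[str]]:
    """Process a stack for one PAM type.

    Returns (status returned to the service, modules that actually ran).
    Rules, as in the text:
    - requisite: failure stops processing at once; nothing after it runs.
    - required: failure is remembered but processing continues, so later
      modules (for example the ones that write the log) always run.
    - sufficient: success ends processing with success unless an earlier
      required module failed; ignore/failure is treated like optional.
    - optional: success counts only if no other module succeeded; its
      failure never fails the whole stack.
    """
    required_failed = False
    non_optional_success = False
    optional_success = False
    executed: List[str] = []

    for module, flag, result in stack:
        if flag not in FLAGS:
            raise ValueError(f"unknown control flag '{flag}' for {module}")
        executed.append(module)

        if flag == "requisite":
            if result == FAILURE:
                return FAILURE, executed          # hard stop
            non_optional_success |= result == SUCCESS
        elif flag == "required":
            if result == FAILURE:
                required_failed = True            # remembered, keep going
            else:
                non_optional_success |= result == SUCCESS
        elif flag == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS, executed          # short-circuit
            # ignore/failure from a sufficient module is simply ignored
        else:  # optional
            optional_success |= result == SUCCESS

    if required_failed:
        return FAILURE, executed
    if non_optional_success or optional_success:
        return SUCCESS, executed
    return FAILURE, executed                      # nothing vouched for the user


def parse_pam_line(line: str) -> Tuple[str, str, str, List[str]]:
    """Split one /etc/pam.d line into (type, flag, module, arguments)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed pam.d line: {line!r}")
    return fields[0], fields[1], fields[2], fields[3:]


# Constructed scenarios: the 'auth' stack of /etc/pam.d/other from Listing 1.8
# (pam_deny fails, pam_warn only logs and returns ignore), plus stacks that
# show the requisite hard stop and the sufficient short-circuit.
OTHER_AUTH = [("pam_deny.so", "required", FAILURE),
              ("pam_warn.so", "required", IGNORE)]
REQUISITE_FIRST = [("pam_securetty.so", "requisite", FAILURE),
                   ("pam_warn.so", "required", IGNORE)]
ROOT_SHORTCUT = [("pam_rootok.so", "sufficient", SUCCESS),
                 ("pam_pwdb.so", "required", FAILURE)]
SUFFICIENT_AFTER_REQUIRED_FAIL = [("pam_pwdb.so", "required", FAILURE),
                                  ("pam_permit.so", "sufficient", SUCCESS)]
OPTIONAL_FAIL = [("pam_pwdb.so", "required", SUCCESS),
                 ("pam_lastlog.so", "optional", FAILURE)]

if __name__ == "__main__":
    for name, stack in [("other/auth", OTHER_AUTH),
                        ("requisite first", REQUISITE_FIRST),
                        ("rootok sufficient", ROOT_SHORTCUT),
                        ("sufficient after required failure",
                         SUFFICIENT_AFTER_REQUIRED_FAIL),
                        ("optional failure", OPTIONAL_FAIL)]:
        status, ran = run_stack(stack)
        print(f"{name:36s} -> {status:8s} ran: {', '.join(ran)}")
```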

PAM modules

The third column contains the full name of the module file associated with this line. In principle, the modules can be located anywhere, but if they are placed in the predefined directory for modules, only the name needs to be specified; otherwise the path is needed. In MSVS the predefined directory is /lib/security.

The fourth column is intended for passing additional parameters to the module. Not all modules have parameters, and if they do, the parameters need not be used. Passing a parameter to a module allows its behaviour to be changed in one way or another.

Listing 1.7 contains the list of PAM modules included in MSVS.

Listing 1.7. The list of PAM modules included in MSVS

pam_rhosts_auth.so
pam_securetty.so
pam_unix_acct.so
pam_unix_auth.so
pam_unix_passwd.so
pam_unix_session.so

More about the modules

The pam_access.so module is used to allow or deny access on the basis of the /etc/security/access.conf file. The lines of this file have the following format:

permission : users : from

permission is + (allow) or - (deny);

users is ALL, a user name, or user@host, where host must be the name of the local machine, otherwise the entry is ignored;

from is one or more terminal file names (without the /dev/ prefix), host names, domain names (starting with a dot), IP addresses, ALL or LOCAL.
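An evaluator for the access.conf format just described, as an added example that is not the pam_access.so module itself. It assumes, as in Linux-PAM's pam_access, that the first matching line decides and that no matching line means allow; LOCAL is taken to match origins without a dot, and a domain entry matches any host name ending with it; the host name chiriqui and the rules are constructed.

```python
"""Evaluator for the /etc/security/access.conf format described above.

Added example, not the pam_access.so module. Assumptions (labelled as
such): the first matching line decides, as in Linux-PAM's pam_access;
when no line matches, access is allowed; LOCAL matches origins that
contain no dot (a tty name or the bare local host name); a domain entry
starts with a dot and matches any host whose name ends with it.
"""
from typing import List, Tuple

# Constructed sample configuration (permission : users : from)
SAMPLE_CONF = """\
# root only on the first two consoles, never from elsewhere
+ : root : tty1 tty2
- : root : ALL
# david is trusted from anywhere, but only when this entry is read on
# the local machine named in the user@host form
+ : david@chiriqui : ALL
# everybody else: local logins, the corporate domain and one fixed address
+ : ALL : LOCAL .example.com 192.168.1.10
- : ALL : ALL
"""


def parse_access_conf(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (permission, users, origins) for every non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def user_matches(entry: str, user: str, local_host: str) -> bool:
    """ALL, a plain user name, or user@host (host must be this machine)."""
    if entry == "ALL":
        return True
    if "@" in entry:
        name, host = entry.split("@", 1)
        return name == user and host == local_host   # otherwise the entry is ignored
    return entry == user


def origin_matches(entry: str, origin: str) -> bool:
    """tty name, host name, .domain, IP address, ALL or LOCAL."""
    if entry == "ALL":
        return True
    if entry == "LOCAL":
        return "." not in origin
    if entry.startswith("."):
        return origin.endswith(entry)
    return entry == origin


def check_access(rules, user: str, origin: str, local_host: str) -> bool:
    """True if access is allowed for (user, origin) under these rules."""
    for permission, users, origins in rules:
        if any(user_matches(u, user, local_host) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return permission == "+"
    return True   # assumption: no matching line means allow


RULES = parse_access_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for who, where in [("root", "tty1"), ("root", "10.0.0.5"),
                       ("david", "evil.org"), ("anna", "tty3"),
                       ("anna", "pc7.example.com"), ("anna", "evil.org")]:
        verdict = "allow" if check_access(RULES, who, where, "chiriqui") else "deny"
        print(f"{who:6s} from {where:16s}: {verdict}")
```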

The pam_cracklib.so module checks passwords against a dictionary. It is intended to verify a new password and prevents the use of easily cracked passwords in the system: common words, passwords containing repeated characters, and passwords that are too short. It has optional parameters: debug, type= and retry=. The debug parameter writes debugging information to the log file. The type= parameter, followed by a string, replaces the word UNIX in the default prompt "New UNIX password:" with the specified string. The retry= parameter sets the number of attempts the user is given to enter the password; when they are exhausted, an error is returned (by default one attempt is given).

Consider Listing 1.8, which shows the contents of the file /etc/pam.d/other. This file contains the configuration used by PAM for services that do not have their own configuration files in the /etc/pam.d directory. In other words, this file applies to all services unknown to PAM. It covers all four module types, auth, account, password and session, each of which calls the pam_deny.so module marked with the required flag. Thus, the execution of an unknown service is prohibited.

Listing 1.8. The file /etc/pam.d/other

auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so

The pam_dialup.so module checks whether a password must be specified to access a remote terminal or terminals, using the file /etc/security/ttys.dialup. The module is applicable not only to serial terminals (ttyS) but to any tty terminal. When a password is required, it is checked against the file /etc/security/passwd.dialup. Changes to the passwd.dialup file are made with the dpasswd program.

The pam_group.so module performs its check according to the contents of the /etc/security/group.conf file. This file specifies the groups whose member the user named in the file may become when certain conditions are met.

The pam_lastlog.so module writes to the lastlog file information about when and from where the user logged in. This module is usually marked with the session type and the optional flag.

The pam_limits.so module allows various restrictions to be imposed on logged-in users. These restrictions do not apply to the root user (or any other user with a zero identifier). The limits are set at login level and are neither global nor permanent: they act only within one login session.

The pam_listfile.so module takes some entry (item), compares it with a list in a file and, based on the result of the comparison, returns success or failure. The parameters of this module are as follows:

item=[tty | user | rhost | ruser | group | shell]

sense=[allow | deny] (the status to return when the entry is found in the list; otherwise the opposite status is returned)

file=/full/path/to/file_name

onerr=[succeed | fail] (the status to return in case of an error)

apply=[user | @group] (specifies the user or group to which the restriction applies; it makes sense only for entries with item=[tty | rhost | shell] and is ignored for entries with item=[user | ruser | group])

The pam_nologin.so module is used in auth-type authorization with the required flag. This module checks whether the file /etc/nologin exists; if not, it returns success, otherwise the contents of the file are shown to the user and failure is returned. This module is usually used when the system is not yet fully in operation or is temporarily closed for maintenance but not disconnected from the network.

The pam_permit.so module is the counterpart of pam_deny.so: it always returns success. Any parameters passed to the module are ignored.

The pam_pwdb.so module provides an interface to the passwd and shadow files. The following parameters are possible:

debug - write debugging information to the log file;

audit - additional debugging information for those for whom ordinary debugging information is not enough;

use_first_pass - never ask the user for a password; take it from the previous modules in the stack;

try_first_pass - try to get the password from the previous modules and, if that fails, ask the user;

use_authtok - return failure if PAM_AUTHTOK has not been set; do not ask the user for a password but take it from the previous modules in the stack (only for the password module stack);

not_set_pass - do not set the password from this module as the password for subsequent modules;

shadow - maintain a shadow password system;

unix - store passwords in the file /etc/passwd;

md5 - at the next password change use MD5 passwords;

bigcrypt - at the next password change use DEC C2 passwords;

nodelay - disable the one-second delay after unsuccessful authorization.

The pam_rhosts_auth.so module allows or prohibits the use of the files .rhosts and hosts.equiv. In addition, it allows or prohibits the use of "dangerous" entries in these files. The parameters of this module are as follows:

no_hosts_equiv - ignore the /etc/hosts.equiv file;

no_rhosts - ignore the file /etc/rhosts or ~/.rhosts;

debug - log debugging information;

nowarn - do not display warnings;

suppress - do not output any messages;

promiscuous - allow the use of the "+" wildcard in any field.

The pam_rootok.so module returns success for any user with a zero identifier. Marked with the sufficient flag, this module allows access to the service without specifying a password. The module has only one parameter: debug.

The pam_securetty.so module can only be used for the superuser. This module works with the /etc/securetty file, allowing the superuser to log in only through the terminals listed in that file. If you want to allow the superuser to log in via Telnet (ttyp pseudo-terminals), you should either add lines for ttyp0-255 to this file or comment out the pam_securetty.so call in the /etc/pam.d/login file.

The pam_shells.so module returns success if the user's shell specified in /etc/passwd is present in the list of shells in /etc/shells. If /etc/passwd assigns no shell, /bin/sh is started. If /etc/passwd specifies a shell that is missing from the /etc/shells list, the module returns failure. Only the superuser should have write permission to /etc/shells.

The pam_stress.so module is used for password management. It has many parameters, including the usual debug, but in general only two of them are of interest:

rootok - allow the superuser to change users' passwords without entering the old password;

expired - with this parameter the module behaves as if the user's password has already expired.

The other parameters of the module allow either of these two modes to be disabled, a password from another module to be used, the password to be passed on to another module, and so on. I will not consider all the parameters of the module here; if you need to use its special features, read their description in the module documentation.

The pam_tally.so module is not used by default in the /etc/pam.d files. This module counts authorization attempts. On successful authorization the number of attempts can be reset. If the number of unsuccessful connection attempts exceeds some threshold, access can be denied. By default, information about attempts is placed in the file /var/log/faillog. The global parameters are as follows:

onerr= - what to do if an error occurred, for example the file could not be opened;

file=/full/path/to/file_name - if absent, the default file is used.

The following parameter makes sense only for the auth type:

no_magic_root - enable counting of attempts for the superuser (by default they are not counted). Useful if the superuser is allowed to log in via Telnet.

The following parameters make sense only for the account type:

deny=n - deny access after n attempts. When this parameter is used, the default behaviour of the module changes from no_reset to reset. This applies to all users except root (UID 0), unless the no_magic_root parameter is used;

no_magic_root - do not ignore the deny parameter for attempts by the root user. When used together with deny= (see above), the reset behaviour is set by default for root as for all other users;

even_deny_root_account - allows the superuser account to be locked if the no_magic_root parameter is present. A warning is issued in this case. If no_magic_root is not used, then regardless of the number of unsuccessful attempts the superuser account, unlike those of ordinary users, will never be locked;

reset - reset the attempt counter on successful login;

no_reset - do not reset the attempt counter on successful login; used by default unless the deny= parameter is specified.
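The counting and locking rules of pam_tally described above, as an added model that is not the module's own code: the per-user counter that the module keeps in /var/log/faillog is held in a dictionary, and deny=, reset/no_reset, no_magic_root and even_deny_root_account are applied as the text defines them. The user names and UIDs are constructed.

```python
"""Model of the pam_tally.so counting rules described above.

Added example, not the module's code. The per-user failure counter that
the module stores in /var/log/faillog is kept in a dictionary, and the
deny=, reset/no_reset, no_magic_root and even_deny_root_account
parameters are applied as the text defines them.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TallyPolicy:
    deny: Optional[int] = None          # deny=n; None means no limit
    no_magic_root: bool = False         # count (and honour deny= for) UID 0
    even_deny_root_account: bool = False
    reset: Optional[bool] = None        # None: default depends on deny=

    def resets_on_success(self) -> bool:
        # no_reset is the default unless deny= is given, which flips it to reset
        return self.reset if self.reset is not None else self.deny is not None


@dataclass
class Tally:
    policy: TallyPolicy
    counts: Dict[str, int] = field(default_factory=dict)   # stands in for faillog

    def auth(self, user: str, uid: int, password_ok: bool) -> bool:
        """auth phase: count a failed attempt (root only with no_magic_root)."""
        if not password_ok and (uid != 0 or self.policy.no_magic_root):
            self.counts[user] = self.counts.get(user, 0) + 1
        return password_ok

    def account(self, user: str, uid: int) -> bool:
        """account phase: apply deny=n, honouring the root exceptions."""
        p = self.policy
        if p.deny is None:
            return True
        if uid == 0 and not (p.no_magic_root and p.even_deny_root_account):
            return True                       # root is never locked out
        return self.counts.get(user, 0) < p.deny

    def login(self, user: str, uid: int, password_ok: bool) -> bool:
        """One login attempt through both stacks; reset the counter on success."""
        if not self.auth(user, uid, password_ok):
            return False
        if not self.account(user, uid):
            return False
        if self.policy.resets_on_success():
            self.counts.pop(user, None)
        return True


def lockout_demo() -> Dict[str, bool]:
    """Constructed scenarios; every value should be True."""
    out = {}
    t = Tally(TallyPolicy(deny=3))
    for _ in range(3):
        t.login("david", 500, password_ok=False)
    out["david_locked_after_3"] = not t.login("david", 500, password_ok=True)

    t = Tally(TallyPolicy(deny=3))
    t.login("david", 500, False)
    t.login("david", 500, False)
    out["david_ok_after_2"] = t.login("david", 500, True)
    out["counter_reset"] = t.counts.get("david", 0) == 0

    t = Tally(TallyPolicy(deny=3))                    # "magic" root: not counted
    for _ in range(5):
        t.login("root", 0, False)
    out["root_not_counted"] = "root" not in t.counts
    out["root_never_locked"] = t.login("root", 0, True)

    t = Tally(TallyPolicy(deny=3, no_magic_root=True))   # counted, still allowed
    for _ in range(5):
        t.login("root", 0, False)
    out["root_counted"] = t.counts["root"] == 5
    out["root_not_locked"] = t.login("root", 0, True)

    t = Tally(TallyPolicy(deny=3, no_magic_root=True, even_deny_root_account=True))
    for _ in range(3):
        t.login("root", 0, False)
    out["root_locked"] = not t.login("root", 0, True)
    return out


if __name__ == "__main__":
    for name, ok in lockout_demo().items():
        print(f"{name:24s} {'ok' if ok else 'FAILED'}")
```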

The pam_time.so module allows access to a service to be restricted depending on the time. All instructions for its configuration are in the file /etc/security/time.conf. It has no parameters: everything is set in the configuration file.

The pam_unix module handles ordinary authorization in MSVS (usually pam_pwdb.so is used instead of it). Physically this module consists of four modules, each corresponding to one of the PAM types: pam_unix_auth.so, pam_unix_session.so, pam_unix_acct.so and pam_unix_passwd.so. The modules for the account and auth types have no parameters. The module for the password type has only one parameter: strict=false. When it is present, the module does not check passwords for resistance to cracking, allowing arbitrary, including unsafe (easily guessed or brute-forced), passwords. The session-type module understands two parameters: debug and trace. Debugging information produced with the debug parameter is placed in the debug log file as specified in syslog.conf, while information produced with trace, because of its sensitivity, goes to the authpriv log.

The pam_warn.so module records a message about its call in syslog. It has no parameters.

The pam_wheel.so module allows only members of the wheel group to become the superuser. The wheel group is a special system group whose members have greater privileges than ordinary users but less than the superuser. Its existence reduces the number of users with superuser privileges, making them members of the wheel group instead and thereby increasing the security of the system. If the superuser can log in only from the console, this module can be used to make it impossible for users to obtain superuser privileges via Telnet, refusing them access if they do not belong to the wheel group. The module uses the following parameters:

debug - logging of debugging information;

use_uid - determine group membership on the basis of the current user ID rather than the one assigned at login;

trust - if the user belongs to the wheel group, return success rather than ignore;

deny - reverses the meaning of the check (returns failure). In combination with group= it allows access to be denied to members of that group.

Note -

The /etc/security directory is directly related to the /etc/pam.d directory, since it contains the configuration files of the various PAM modules called from the files in /etc/pam.d.

PAM entries in log files

Listing 1.9. Contents of /var/log/secure

Jan 11 16:45:14 chiriqui PAM_pwdb: (su) session opened for user root
Jan 11 16:45:25 chiriqui PAM_pwdb: (su) session closed for user root
Jan 11 17:18:06 chiriqui login: FAILED LOGIN 1 FROM (null) FOR david, Authentication failure
Jan 11 17:18:13 chiriqui login: FAILED LOGIN 2 FROM (null) FOR david, Authentication failure
Jan 11 17:18:17 chiriqui PAM_pwdb: (login) session opened for user david
Jan 11 17:18:17 chiriqui -- david: LOGIN ON tty1 BY david
Jan 11 17:18:20 chiriqui PAM_pwdb: (login) session closed for user david

Each entry begins with the date, time and host name. This is followed by the name of the PAM module and the process identifier in square brackets. Then, in parentheses, comes the name of the service that imposed the restriction: in Listing 1.9 it is either su or login. After the service name comes either "session opened" or "session closed".

The entry following a "session opened" record is a login message from which you can find out who logged in and from where.
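A parser for entries in the format of Listing 1.9, as an added example that is not part of the book or of MSVS: it splits each line into a record and then answers the two questions an administrator asks of this log, how many failed logins each user accumulated and which sessions were opened by which service. The sample lines (host name, user names, PIDs) are constructed after Listing 1.9.

```python
"""Parser for /var/log/secure entries in the format of Listing 1.9.

Added example, not part of the book or of MSVS. Each line becomes a record
(timestamp, host, kind, service, user, ...); the helpers then count failed
logins per user and list the opened sessions. The sample log below is
constructed after Listing 1.9; the PIDs in square brackets are made up.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Jan 11 16:45:14 chiriqui PAM_pwdb[412]: (su) session opened for user root
Jan 11 16:45:25 chiriqui PAM_pwdb[412]: (su) session closed for user root
Jan 11 17:18:06 chiriqui login: FAILED LOGIN 1 FROM (null) FOR david, Authentication failure
Jan 11 17:18:13 chiriqui login: FAILED LOGIN 2 FROM (null) FOR david, Authentication failure
Jan 11 17:18:17 chiriqui PAM_pwdb[497]: (login) session opened for user david
Jan 11 17:18:17 chiriqui -- david: LOGIN ON tty1 BY david
Jan 11 17:18:20 chiriqui PAM_pwdb[497]: (login) session closed for user david
Jan 11 17:30:02 chiriqui kernel: some unrelated message
"""

# date, time and host name, then the message body
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
# PAM module name, optional [pid], (service), "session opened/closed for user X"
SESSION = re.compile(r"^(?P<module>PAM_\w+)(?:\[(?P<pid>\d+)\])?: \((?P<service>\w+)\) "
                     r"session (?P<event>opened|closed) for user (?P<user>\S+)$")
# the login program's failed-attempt message
FAILED = re.compile(r"^login: FAILED LOGIN (?P<n>\d+) FROM (?P<origin>\S+) FOR (?P<user>\S+), "
                    r"(?P<reason>.*)$")
# the console login message that follows "session opened"
CONSOLE = re.compile(r"^-- (?P<user>\S+): LOGIN ON (?P<tty>\S+) BY (?P<by>\S+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a record dict for one syslog line, or None if it has no header."""
    m = HEADER.match(line.rstrip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "kind": "other"}
    body = m["body"]
    s = SESSION.match(body)
    f = FAILED.match(body)
    c = CONSOLE.match(body)
    if s:
        rec.update(kind="session", module=s["module"], pid=s["pid"] or "",
                   service=s["service"], event=s["event"], user=s["user"])
    elif f:
        rec.update(kind="failed_login", attempt=f["n"], origin=f["origin"],
                   user=f["user"], reason=f["reason"])
    elif c:
        rec.update(kind="console_login", user=c["user"], tty=c["tty"], by=c["by"])
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def failed_logins_by_user(records) -> Dict[str, int]:
    return dict(Counter(r["user"] for r in records if r["kind"] == "failed_login"))


def opened_sessions(records) -> List[Tuple[str, str, str]]:
    """(service, user, tty) for every 'session opened' record; the tty is taken
    from the console login line that directly follows it, as the text notes."""
    out = []
    for i, r in enumerate(records):
        if r["kind"] == "session" and r["event"] == "opened":
            tty = ""
            nxt = records[i + 1] if i + 1 < len(records) else None
            if nxt and nxt["kind"] == "console_login" and nxt["user"] == r["user"]:
                tty = nxt["tty"]
            out.append((r["service"], r["user"], tty))
    return out


def users_over_threshold(records, threshold: int) -> List[str]:
    """Users whose failed-login count reached the threshold (a pam_tally-style view)."""
    return sorted(u for u, n in failed_logins_by_user(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed logins:", failed_logins_by_user(recs))
    print("opened sessions:", opened_sessions(recs))
    print("at or over 2 failures:", users_over_threshold(recs, 2))
```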

The following questions are considered:

What the default group and private user groups are;

Changing the user/group;

How changing the user/group affects the graphical interface;

Security and users;

Security and passwords;

Password protection;

Choosing a good password;

Cracking passwords.

Default Group

Currently the restriction that a user may belong to only one group at a time no longer exists: any user can belong to several groups simultaneously. With the newgrp command the user becomes a member of the group specified in the command, and that group becomes the login group for this user. At the same time the user remains a member of the groups he belonged to before the newgrp command. The login group is the group that becomes the group owner of the files the user creates.

The difference between the default group and private user groups is the degree of openness of the two schemes. In the default group scheme any user can read (and often change) other users' files. With private groups, reading or writing a file created by another user is possible only if its owner has explicitly granted the rights to these operations to other users.

If users must be able to join and leave a group without the system administrator's intervention, a password can be assigned to that group. A user can use the privileges of a particular group only if he belongs to it. There are two possibilities: either he belongs to the group from the moment he logs in, or he becomes a member of the group later, after he has started working with the system. For a user to be able to join a group to which he does not belong, a password must be assigned to that group.

By default, group passwords are not used in MSVS, so there is no gshadow file in the /etc directory.

If you always use only one of the user administration programs, useradd, LISA or COAS, the user configuration files turn out more consistent and easier to maintain.

The advantage of the default group scheme is that it simplifies file sharing, since there is no need to take care of access rights. This scheme implies an open approach to the system on the principle "everything that is not prohibited is allowed".

Configuring the default user parameters is a high-priority task that follows immediately after installing the system.

Private groups of users

Private user groups have names that coincide with the user names. The private group is made the login group, so by default, that is, unless the directory attributes prescribe otherwise, it is assigned as the group owner of all the files of this user.

The advantage of private user groups is that users need not think about restricting access to their files: by default, access to a user's files is restricted from the moment they are created. In MSVS, when private groups are used, a user can read or change only files that belong to him. In addition, he can create files only in his home directory. This default behaviour can be changed by the system administrator or by the user, both at the level of an individual file and at the directory level.

There are several commands with which a user can control his name and/or the group he belongs to, or the name or group under which a program is run. One of these programs is newgrp.

The newgrp command can be run by any user. It allows him to join a group to which he did not belong, but only if a password is assigned to that group. This command will not let you join a group without a password if you are not a member of it.

The newgrp command can also be used with a group of which the user is already a member. In this case newgrp makes the specified group the login group. A user's groups fall into two kinds: the login group and all the other groups to which the user belongs. The user can belong to several groups, but the login group is always assigned as the group owner of the files the user creates.

Besides newgrp, the chown and chgrp commands can also be used to transfer a file to another user or group.

The scope of the newgrp command in the X Window environment is limited to the xterm program in which it was run: only programs started from that terminal run in the context of the new group, so the user cannot change the login group for programs started through the window manager. A program that must always run in the context of a secondary group can be started through a script that sets the required login group for it.

The X Window system always introduces additional difficulties. In this case the difficulties are not directly related to X but follow from the logic of /etc/group and /etc/gshadow. Those who do not use shadow passwords for groups need not worry about this at all. Under X it is hard to switch to a password-protected group from a simple script; however, for secondary user groups that do not require a password, changing the group is extremely simple. Consider the following script:

sg - gifs -c /usr/X11R6/bin/xv &

As a result of running this script, the xv program is started with the gifs group as its primary group, which is what was required.

Things are harder for those who use shadow group passwords, because in this case running the script produces an error message on the screen. When the users are listed in the /etc/group file, any of them is automatically considered a member of the group immediately after logging in. With shadow passwords, however, the list of the group's users is moved to the file /etc/gshadow, so a user who has logged in is not automatically counted among its members, but can join it with the newgrp command or run a program on its behalf with the sg command. The problem is that from the point of view of X this user (who is not necessarily the user who started the X session) is not entitled to open a connection. Therefore, when shadow group passwords are used, the script given above changes as follows:

xhost +localhost

sg - gifs -c /usr/X11R6/bin/xv &

The added line grants the new group (gifs) access to the display. For most workstations this should not cause any significant security problems, since this line only allows users of the local host to access the display (for more information about X and xhost, consult a good Linux system administrator's manual).


NOTE

Using an X server (especially together with xdm or kdm) entails a number of its own subtleties, made even worse by graphical applications, since they can be started not only from the command line but also from an icon on the graphical desktop.

Changing the user

NOTE

An ordinary user cannot do the system as much harm as a careless superuser can. The consequences of your typos as superuser can be truly fatal, to the point that you can say goodbye to all your system files (and indeed to all the files stored in the system). In some companies they may then say "goodbye" to you as well.

The command for turning one user into another is su. The command got its name from "substitute user", but most often it is used to become the superuser.

The su command called without arguments asks for a password and, having received the correct password in reply, makes you the root user. This command is a PAM-aware service, so all aspects of its security can be configured through the /etc/pam.d/su file.

Note -

Calling su without specifying a user name (with or without a dash) is treated as a request to make you the root user.

The sudo command allows selected users to run certain programs with superuser rights; the user who invokes this command is asked not for the superuser's password but for his own. sudo is used like the sg command: the user types sudo command_name, then his password, and if he is permitted to do so, the specified command is executed in the context of superuser privileges.

Security and users

Users are usually interested only in how to log in and run the programs they need. Interest in security appears only after they lose important files. But it does not last long: having learned that measures have been taken, users quickly forget about any precautions.

Generally speaking, security is not their concern. The system administrator must devise, implement and maintain a security policy that lets users do their work without being distracted by protection issues.

The main danger to the system, as a rule, comes from inside, not outside. Its source (especially in large systems) may be, for example, a disgruntled user. However, excessive suspicion must be avoided, where harm caused by ignorance is taken for malicious intent. How to protect users from unintentional damage to their own and others' files is described in the first part of the book. As practice shows, the average user is not able to damage the system. You only need to worry about those users who are able to find a loophole in the protection mechanisms and are really capable of causing targeted harm to the system. Such users are usually few, and over time they become known, especially if you know what to pay attention to. The risk group includes users who, by virtue of their position or thanks to their connections, can gain access to root privileges. As you master the material of this book, you will learn what exactly should be regarded as signs of impending trouble.

By default, users receive full control over their home directories. If you use the default group, all system users belong to the same group, and any user has the right to access other users' home directories and the files in them. When a scheme with private user groups is used, each user has access only to his own home directory, and the home directories of other users are not accessible to him.

If all users of the system need shared access to some common set of files, it is recommended to create a shared directory specifically for this purpose, set up a group whose members are all users (this may be the users group or any other group you create), and grant that group the appropriate access rights to the shared directory. If a user wants to make some of his files available to other users, he can simply copy them to this directory and make sure that the files belong to the group of which all users are members.

Some users need, or simply cannot do without, programs that are not included in the MSVS distribution. Most users will eventually accumulate a multitude of their own files: documents, configuration files, scripts, and so on. The OpenLinux system does not give users special help in organizing their files, leaving this task to the system administrator.

The structure of directories created in the home directory of each new user is determined by the contents of the /etc/skel directory. The following directories are usually present in a typical /etc/skel:

These directories are used to store, respectively, binary files, source files, documents and miscellaneous files. Many programs offer by default to save files of certain types in one of these subdirectories. Having been told the purpose of the directories at their disposal, users usually start using them willingly, since it spares them from inventing something themselves. Do not forget to make the ~/bin directory one of the last directories listed in the user's PATH variable.

Security and passwords

It is said that a chain breaks at its weakest link, and this saying is often recalled when it comes to the role of passwords in the security system. Generally speaking, the reliability of the security system is determined by many factors, in particular by which MSVS services are made accessible to external users (whether it is used as a web server, whether it can be entered via Telnet, and so on). Another determining factor is user passwords, which brings us to yet another factor: users' compliance with the policy. An ordinary user knows nothing about security. If we respect the user and do not want to change his attitude to security by force, we must make the security system convenient and understandable for him. Convenience is the hardest to provide. Everything safe is usually not very convenient (since the predictability and simplicity that convenience requires do not go together with safety) and therefore conflicts with the habits of people, who prefer the most convenient way in everything. In the end, users work with the system in order to do the work entrusted to them, not to add new work. So that users do not deliberately take the path of least resistance when working with passwords, I usually try to explain to them what passwords are for and why it is important to keep them safe, not from general positions such as "a poorly protected system can be broken into and important files stolen or damaged" but from the position of the user's personal interests.

Most users understand the importance of e-mail for their work. Nevertheless, they do not realize that anyone who enters the system under their name gets the opportunity to use their e-mail on their behalf and against them. Ask the user whether he uses e-mail for personal purposes; most likely he will answer yes. Then ask whether he has had to settle important business matters by e-mail. Fewer and fewer people answer "no" every day. But even in case of a negative answer, some of his business partners may well consider a deal made by e-mail as binding as one made by phone.

After that, explain to the user that his e-mail messages sometimes carry the same weight as his personal signature. And although the header of an e-mail message can be forged, in most cases such forgery is just as illegal as a forged signature. But if someone, having learned another user's password in one way or another, logs in under his name, then he will, figuratively speaking, be able to sign with another person's signature. Any mail he sends will be technically indistinguishable from mail sent by the user himself. The practice of letting someone log in under a different name is undesirable and should be avoided (the exception being system administrators, who use this capability to test login scripts and user settings, but for this they do not need to know the user's password). Logging in under someone else's name (even with the other user's permission) should be considered an undesirable phenomenon. How undesirable? The answer to this question is determined by the strictness of the enterprise's security policy.

However, users need to understand that there are other, no less dangerous, ways to gain unauthorized access to their account. The most common case is when a user, fearing to forget the password, makes it easy to remember, and therefore easy to guess, or writes the password down on a piece of paper that is often simply stuck to the monitor. The password security system is based on two things: a constant user name and a periodically changed password. Most people would not tell anyone the PIN code for their bank account, but they guard their user password far less jealously. Yet unlike the situation with a bank account, where the constant part, the credit card, is a physical object that still has to be obtained, the constant part of the password security system, the user name, is known to everyone (at least to everyone within the company and to everyone the user has corresponded with by e-mail). Therefore, if the variable part is written down somewhere, is easily guessed, or can be found by a program that tries words from a dictionary, such an account cannot be considered well protected.

Finally, users should be aware of the existence of such a method of obtaining a password as "social engineering". Most of us have met in our lives at least one person who could be called "slippery as an eel". Such people have the ability to persuade others, by resorting to logical argument, to give them the information they need. But this is not the only possible way to learn someone else's password. Sometimes it is enough to let it slip.

The countermeasure for such incidents is regular password changes. You can, of course, change the password once in ten years, but it is better not to make the intervals between changes too long, and also better not to make them too short, for example once an hour. Not changing the password for too long means exposing yourself to the risk of being broken into.

NOTE-

The penetration of the outsiders in the system under the guise of a regular user can have sad consequences not only for the files of this user, but also for the entire system as a whole, since the more this outsider will know about your system, the easier it will be to find the cuts in its protection.

Please note that before starting work, the script performs some checks: whether it is running at the root privilege level, whether the initial UID is busy and so on. However, it is impossible to say that he checks everything.

Hacking passwords

One of the ways to verify the security of the system implies that to put yourself in the place of an attacker and try to think and act as a person trying to break the defense. This means that it is necessary to walk among users, checking on whether the recorded password is not attached to any monitor, did anyone leave anyone on the table with a piece of identification data on it, or "pass by" just at that morning When users enter the system (perhaps, it will be possible to notice how any of them will dial the password on the keyboard).

It also means that you should pay attention to the orientation of the user's monitor, having access to sensitive information, in order to find out whether it is visible to someone else. Next, when these users leave from their workplace, whether they launch the screensaver program blocked by password, and maybe come out of the system or do nothing?

but best way Check for strength Password security and user relationships to it - try to hack user passwords. Regular execution of the password hacking program can give a fairly good assessment of the fortress of your password protection system.
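An added example (not code from MSVS or from this text's author) of the two checks recommended above, in Python: an audit of password aging over /etc/shadow-style records, and a dictionary trial against the stored hashes, which is all a password cracker really does. The shadow records, the wordlist and the mangling rules are constructed for the example; hash_password is a stand-in for crypt(3) using salted SHA-256 so that the example runs offline, and on a real system, where the hashes are $1$/$5$/$6$ crypt strings, it would be replaced by crypt(3) or passlib with the rest left unchanged.

```python
"""Offline password-hygiene audit over /etc/shadow-style records (added example,
not code from MSVS or the text's author).  Two checks: password aging, and a
dictionary trial against the stored hashes, which is what a cracker does.
Assumptions: the records and wordlist are constructed; hash_password is a
stand-in for crypt(3) (salted SHA-256, so this runs offline).  Real shadow
files carry $1$/$5$/$6$ crypt hashes: swap in crypt.crypt or passlib there.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3): '$S$<salt>$<hex sha256(salt+password)>'."""
    return f"$S${salt}${hashlib.sha256((salt + password).encode()).hexdigest()}"

@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    last_change: Optional[int]  # days since 1970-01-01; None = aging disabled
    max_days: Optional[int]     # shadow field 5; None = no limit

    @property
    def locked(self) -> bool:
        return self.pw_hash.startswith(("!", "*"))

def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse name:hash:lastchg:min:max:warn:inactive:expire:flag lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, pw, lastchg, _min, maxd = fields[:5]
        entries.append(ShadowEntry(name, pw, int(lastchg) if lastchg else None,
                                   int(maxd) if maxd else None))
    return entries

def audit_aging(entries: List[ShadowEntry], today: int,
                policy_max_days: int) -> Dict[str, List[str]]:
    """Return {account: [problems]} for accounts violating the aging policy."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        problems = []
        if e.pw_hash == "":
            problems.append("empty password field: login needs no password")
        elif not e.locked:
            if e.last_change is None:
                problems.append("password aging disabled (empty lastchg field)")
            elif today - e.last_change > policy_max_days:
                problems.append(f"password is {today - e.last_change} days old")
            if e.max_days is None or e.max_days > policy_max_days:
                problems.append(f"max-days is {e.max_days}: no forced change")
        if problems:
            findings[e.name] = problems
    return findings

def candidates(word: str) -> Iterator[str]:
    """The simplest mangling rules a cracker applies to each dictionary word."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix

def dictionary_trial(entries: List[ShadowEntry],
                     wordlist: List[str]) -> Dict[str, str]:
    """Re-hash every candidate with the account's own salt; return the hits."""
    cracked: Dict[str, str] = {}
    for e in entries:
        parts = e.pw_hash.split("$")  # ['', 'S', salt, digest] for our stand-in
        if e.pw_hash == "" or e.locked or len(parts) != 4:
            continue
        for word in wordlist:
            hit = next((c for c in candidates(word)
                        if hash_password(c, parts[2]) == e.pw_hash), None)
            if hit is not None:
                cracked[e.name] = hit
                break
    return cracked

# Constructed sample: "today" is day 19000 (mid-2022); policy says 90 days.
TODAY, POLICY_MAX_DAYS = 19000, 90
WORDLIST = ["123456", "password", "qwerty", "letmein"]
SAMPLE_SHADOW = f"""
root:{hash_password('Brass-Turnip-Lamp-7', 'a1b2')}:18990:0:90:7:::
ivanov:{hash_password('password', 'c3d4')}:18700:0:90:7:::
petrov:{hash_password('Qwerty123', 'e5f6')}:18980:0:99999:7:::
sidorov:!!:18500:0:90:7:::
guest::18990:0:90:7:::
"""

if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for name, problems in audit_aging(entries, TODAY, POLICY_MAX_DAYS).items():
        print(name + ": " + "; ".join(problems))
    print(dictionary_trial(entries, WORDLIST))
```

On a real system the audit runs as root, because /etc/shadow is readable only by root. The dictionary trial stops at the first hit per account; a real cracker applies far more mangling rules and a much larger wordlist, which is exactly why an easy-to-remember password is an easy-to-guess one.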


  1. How to determine whether the operating system supports this computer?

  2. What installation options does MSVS 3.0 provide?

  3. Which network protocols does the installation program support?

  4. In which cases is it necessary to create boot diskettes?

  5. List the main steps of the installation.

  6. Which bootloader is used to load the OS kernel?

  7. List the main stages of kernel loading.

  8. What are lilo and lilo.conf?

  9. How to remove lilo and restore the original bootloader?

  10. What is the kernel module mechanism?

  11. In which cases is a RAM disk required?

  12. How to configure the use of a RAM disk at boot?

  13. How do the boot, bootnet and drivers floppy disks differ? How to create them? How to check them?

  14. What is a software package, and what are package dependencies?

  15. What are the capabilities of package managers?

  16. Which package manager is used to manage software?

  17. How to install a package from a CD or over the network?

  1. Installing the MSVS 3.0 OS

    1. The main stages of the installation

Installation from a CD includes the following steps:


  • the installation prompt and a reminder about the documentation;

  • selecting the mouse;

  • partitioning the disk;

  • configuring the bootloader;

  • network configuration;

  • setting the computer name;

  • choosing the time zone;

  • selecting the package groups (complexes) to install;

  • installing the packages;

  • setting the root user password;

  • creating boot diskettes;

  • configuring the video card and monitor.

Each item corresponds to one or more dialog boxes.

    When installing over the network from a server, several additional preparatory steps are needed:


    • preparing a set of floppy disks and arranging network access to the server;

    • selecting the network installation option;

    • network setup and network access to the server.

    Once network access to the CD in the server's drive has been established, the installer performs the same steps as when installing from a CD, starting from the second step (the installation prompt). The network will not need to be configured; it will only be necessary to confirm the settings.
      1. Installation from a CD

    Before starting the installation, configure the computer's BIOS so that the CD drive is first in the boot device list, and insert the CD with the MSVS 3.0 boot module into the drive.

    If the BIOS does not support booting from CD, insert the BOOT diskette as well and configure the BIOS so that the floppy drive is first in the boot device list. Modern computers generally support booting from CD, so a boot diskette should only be needed when installing MSVS 3.0 on an "old" computer.

    Then restart the computer. The boot: prompt appears on the screen.

    At this prompt it is possible to pass additional parameters to the installation program. For example, the command

    boot: MCBC mem=128M

    tells the installer that this computer has 128 MB of RAM.

    To start loading the installer, press Enter. The MSVS 3.0 kernel loads, diagnostic messages follow, and then the installation program starts and automatically loads the drivers for the CD drive and hard disks present in the computer and supported by MSVS 3.0.

    If initialization ended with an error, it means that an additional driver must be loaded for this type of CD drive or hard disk. The installer will offer a list of drivers; select the appropriate one and press the "Yes" button.

    If the system was booted from the BOOT floppy disk, then after the installer starts the "Driver Disk" dialog box appears asking for the DRIVERS diskette. At this point remove the boot diskette and insert the DRIVERS diskette.

    After the required drivers have been loaded, the installation prompt appears on the screen (Fig. 9-1).

    1.1.41. Selecting the mouse

    After the MSVS 3.0 installation prompt, the "Mouse Selection" dialog box appears (Fig. 9-2).

    Select the mouse type, for example "Generic PS/2 mouse"; if the mouse has two buttons, three-button emulation can be used. To do this, enable emulation of the third button and press the "Yes" button.

    1.1.42. Partitioning the hard disk

    The "Partitioning" dialog box appears (Fig. 9-3), offering a choice of partitioning tool: "Automatic partitioning", Disk Druid or fdisk.

    In most cases hard disks, disk arrays and LVM volumes are partitioned with Disk Druid. "Automatic partitioning" is a special case of Disk Druid in which the proportions of disk space are calculated automatically from the hardware actually installed. If low-level work with the hard disk is needed, use the fdisk utility.

    Select Disk Druid and press Enter.

    The "Partitioning" dialog box appears (Fig. 9-4) with a list of the available disks and the existing partitions.

    This window also has buttons for working with partitions: "New", "Edit", "Delete", "RAID", "Yes", "Back".

    The bottom line shows the hotkey hints: "F1-help, F2-new, F3-edit, F4-delete, F5-reset, F12-Yes".

    In the general case, MSVS 3.0 is installed on a computer with a blank hard disk. In that case the disk can be partitioned either with Disk Druid or by choosing automatic partitioning.

    For a successful installation of MSVS 3.0 it is enough to create two partitions: the root partition "/" and the swap partition. The root partition should be at least 1200 MB.

    The directories /boot, /home, /var, /tmp and others can be placed on separate partitions. This makes it possible, for example, to isolate users' home directories from the root file system, so that users' files filling up the disk cannot exhaust the space the system itself needs.

    ATTENTION. In MSVS 3.0 the /usr directory cannot be placed on a separate partition!

    To put a directory on a separate partition, create a partition with the "ext3" file system and assign it a mount point matching the directory name.
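An added example (not part of the MSVS documentation) in Python that checks the layout described above against the resulting /etc/fstab: whether /home, /var and /tmp really are separate partitions, whether /usr has wrongly been split off, and, one step beyond the text, whether the separate partitions carry the mount options nodev and nosuid (plus noexec on /tmp) that make the isolation worthwhile, since a user-writable file system should not be able to hold device nodes or set-uid binaries. The two fstab samples and their device names are constructed.

```python
"""Check that the partition layout recommended above is in effect (added example,
not part of the MSVS documentation).  Reads an /etc/fstab and reports which of
/home, /var and /tmp still live on the root file system, whether /usr was split
off (not allowed in MSVS 3.0), and, one step beyond the text, whether the
separate partitions carry the mount options that make the isolation worth
having: nodev and nosuid on all three, plus noexec on /tmp, so that a
user-writable file system cannot hold device nodes or set-uid binaries.
Both fstab samples and their device names are constructed.
"""
from typing import Dict, List, Set

WANTED_OPTIONS: Dict[str, Set[str]] = {
    "/home": {"nodev", "nosuid"},
    "/var": {"nodev", "nosuid"},
    "/tmp": {"nodev", "nosuid", "noexec"},
}
FORBIDDEN_SEPARATE = {"/usr"}  # must stay on the root file system in MSVS 3.0

def parse_fstab(text: str) -> Dict[str, Set[str]]:
    """Map each mount point to its set of mount options (swap lines skipped)."""
    mounts: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        _device, mountpoint, fstype, options = fields[:4]
        if fstype != "swap":
            mounts[mountpoint] = set(options.split(","))
    return mounts

def check_layout(fstab_text: str) -> List[str]:
    """Return findings; an empty list means the layout matches the recommendation."""
    mounts = parse_fstab(fstab_text)
    findings: List[str] = []
    if "/" not in mounts:
        findings.append("no root file system in fstab")
    for mp, wanted in WANTED_OPTIONS.items():
        if mp not in mounts:
            findings.append(f"{mp} is not a separate partition (it lives on /)")
            continue
        missing = wanted - mounts[mp]
        if missing:
            findings.append(f"{mp}: missing mount options " + ",".join(sorted(missing)))
    for mp in sorted(FORBIDDEN_SEPARATE & set(mounts)):
        findings.append(f"{mp} is a separate partition, which MSVS 3.0 does not support")
    return findings

# Constructed: the minimal two-partition install the text says is "enough".
MINIMAL_FSTAB = """
/dev/hda1   /       ext3   defaults               1 1
/dev/hda2   swap    swap   defaults               0 0
"""

# Constructed: separate /home, /var and /tmp with the restrictive options.
ISOLATED_FSTAB = """
/dev/hda1   /       ext3   defaults               1 1
/dev/hda5   /home   ext3   nodev,nosuid           1 2
/dev/hda6   /var    ext3   nodev,nosuid           1 2
/dev/hda7   /tmp    ext3   nodev,nosuid,noexec    1 2
/dev/hda2   swap    swap   defaults               0 0
"""

if __name__ == "__main__":
    for name, text in (("minimal", MINIMAL_FSTAB), ("isolated", ISOLATED_FSTAB)):
        print(name, "->", check_layout(text) or "ok")
```

noexec on /tmp can break installers and build scripts that unpack and run helpers there, so test it before adopting it; nodev and nosuid have no such side effects. The options take effect on a running system with mount -o remount,nodev,nosuid /home, without a reboot.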

    To create a partition, select the "New" button and press Enter. In the "Add partition" dialog box that appears (Fig. 9-5), specify:


    • the file system type ("swap" for the swap partition, "ext3" in all other cases);

    • the partition size in megabytes (if necessary, the partition can be "stretched" to fill the entire disk);

    • the mount point: "/" for the root partition; the swap partition needs no mount point.

    To edit an existing partition, select it and press the "Edit" button. If, for example, /dev/hda1 was selected, the "Edit /dev/hda1" dialog box appears.

    When the partitions have been created, press the "Yes" button in the "Partitioning" window.

    The "Save changes" dialog box appears on the screen.

    Press the "Yes" button.

    The next step is formatting the partitions just created. A dialog box titled "Attention!" appears on the screen with a list of the partitions that will be formatted when the "Yes" button is pressed (Fig. 9-6).

    1.1.43. Bootloader options

    The "Bootloader" configuration dialog box appears on the screen (Fig. 9-7). Here you choose between installing with or without a bootloader. A bootloader makes it possible to have several boot variants for the system, or to choose which OS to boot (if there is more than one). Without a bootloader, only the MSVS 3.0 kernel can be booted on this system.

    Press the "Yes" button.

    Next, a dialog box appears (Fig. 9-8) offering to enter additional parameters to be passed to the kernel at boot. By default this window enables LBA32 mode (32-bit logical block addressing of the hard disk), since in most cases this mode is needed to support large disks.

    If an IDE CD writer is installed, the installer puts a string of the form "hdc=ide-scsi" into the parameter field (in this example the writer is the master device on the second IDE controller).

    If no other parameters need to be passed, it is recommended not to change the parameters proposed by the installer and to press the "Yes" button.

    The next step in the bootloader setup is setting a password that restricts changes to the system's boot parameters. Because a bootloader makes it possible to pass arbitrary kernel parameters from the keyboard when the system starts (enough, on its own, to start the system with a different init process and bypass the normal login), the required level of security demands that this feature be protected by a password. In the dialog box that appears (Fig. 9-9), enter a password of at least 8 characters and confirm it by entering it again on the next line of the window.
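An added example, not code from the MSVS installer, in Python, showing what the bootloader password step amounts to in a LILO configuration (lilo is the bootloader the review questions for this chapter refer to) and checking it: password= together with restricted lets the machine boot unattended but demands the password as soon as anyone types kernel parameters at the boot: prompt, the classic one being init=/bin/sh, which starts a root shell in place of init. Both configurations, the device names and the labels are constructed; the 8-character minimum is the installer's own.

```python
"""Check a lilo.conf for the boot-parameter password described above (added
example, not code from the MSVS installer).  With LILO, `password=` plus
`restricted` lets the machine boot unattended but demands the password as
soon as someone types kernel parameters at the boot: prompt; the classic
parameter is init=/bin/sh, which gives a root shell with no login at all.
Both configurations below, the device names and labels are constructed.
"""
from typing import Dict, List, Tuple

MIN_PASSWORD_LEN = 8  # the installer's own minimum, per the text

def parse_lilo_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split lilo.conf into global options and one dict per image=/other= entry."""
    global_opts: Dict[str, str] = {}
    sections: List[Dict[str, str]] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in lilo.conf
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("image", "other"):     # a new boot entry begins
            current = {key: value}
            sections.append(current)
        else:
            current[key] = value
    return global_opts, sections

def check_lilo_conf(text: str) -> List[str]:
    """Return the list of problems; an empty list means the config passes."""
    global_opts, sections = parse_lilo_conf(text)
    problems: List[str] = []
    if "password" not in global_opts:
        # A per-entry password is legal, so only report entries with neither.
        unprotected = [s.get("label", s.get("image", s.get("other", "?")))
                       for s in sections if "password" not in s]
        if unprotected:
            problems.append("no password for boot entries " + ", ".join(unprotected)
                            + ": anyone at the console can pass e.g. init=/bin/sh")
    scopes = [("global", global_opts)] + [(s.get("label", "?"), s) for s in sections]
    for scope, opts in scopes:
        pw = opts.get("password")
        if pw is None:
            continue
        if len(pw) < MIN_PASSWORD_LEN:
            problems.append(f"{scope}: password shorter than {MIN_PASSWORD_LEN} characters")
        if "restricted" not in opts:
            problems.append(f"{scope}: password without 'restricted': every boot, "
                            "including an unattended reboot, stops at the prompt")
    return problems

# Constructed: the layout the installer writes, but with no password at all.
WEAK_LILO_CONF = """
boot=/dev/hda
prompt
timeout=50
default=msvs
lba32
image=/boot/vmlinuz
    label=msvs
    root=/dev/hda1
    read-only
other=/dev/hda2
    label=dos
"""

# Constructed: the same file with the global password the text calls for.
HARDENED_LILO_CONF = WEAK_LILO_CONF.replace(
    "lba32\n",
    "lba32\npassword=Brass-Turnip-Lamp-7   # stored in clear: chmod 600 lilo.conf\n"
    "restricted\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LILO_CONF), ("hardened", HARDENED_LILO_CONF)):
        print(name, "->", check_lilo_conf(conf) or "ok")
```

After editing /etc/lilo.conf the change takes effect only once /sbin/lilo has been run to rewrite the boot sector. Because the password is stored in the file as plain text, lilo itself warns if /etc/lilo.conf is readable by anyone but root, so the file should be mode 600.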

    Press the "Yes" button.

    A dialog box appears on the screen (Fig. 9-10) offering to specify other bootable partitions that can be booted with the MSVS 3.0 bootloader. For example, if there is another OS on the computer, it can be given a label and booted through the MSVS 3.0 bootloader.

    Enter the necessary data in the corresponding lines and press the "Yes" button.

    In the next window (Fig. 9-11) the location of the bootloader on the disk is chosen. Two options are possible: the master boot record (MBR) of the hard disk (recommended in most cases), or the boot sector of the partition on which the installation is being made.

    Make the selection and press the "Yes" button.

    1.1.44. Network setup

    If the installer detects at least one network card, a sequence of "Network setup for ethX" dialog boxes appears (Fig. 9-12), where X is the sequence number of the network card whose parameters are being configured.

    The automatic configuration protocols BOOTP and DHCP are used when there is a dedicated server on the network that provides configuration on request from the client machine.

    If there is no DHCP server, the network parameters must be set explicitly: select "Activate on boot", after which several lines become available in the window in which the connection parameters must be entered.

    Network addresses are given in dotted-decimal notation (for example, 192.168.1.1). The information for these fields must be provided by the network administrator.

    Network address: the IP address of the computer on the network.

    Network mask: the parameter that defines the size of the local network segment, i.e. which addresses are reached directly and which go through the gateway.

    Default gateway: the node through which this local network communicates with external network segments.

    Primary name server: the node that resolves domain names into IP addresses via the DNS protocol. In the corresponding fields enter the IP addresses of additional name servers (DNS); if only one name server is used on the network, these fields can be left empty.

    Press the "Yes" button.



    Fig. 9-13. Installing a computer name.



    Fig. 9-14. Choosing a time zone.

    Then the computer name must be set. The "Set computer name" dialog box appears (Fig. 9-13), in which the corresponding field should be filled in. The name must also be agreed with the network administrator.

    Press the "Yes" button.

    1.1.45. Selecting the time zone

    The next dialog box selects the time zone used for the system time settings. In MSVS 3.0 time is kept in local mode, i.e. the hardware clock holds local time directly, without conversion relative to a reference such as UTC.

    In the window, choose the time zone that best matches the computer's location, given as the offset of the zone relative to the "zero" zone, Europe/Moscow (Fig. 9-14).

    Press the "Yes" button.

    1.1.46. Selecting and installing packages

    The "Select complexes" dialog box appears on the screen (Fig. 9-15).

    In this dialog box the following complexes (package groups) can be chosen:


    • Basic OS configuration;

    • Graphical interface subsystem;

    • Development tools.

    To take the most typical option, the first three complexes marked by default, simply press the "Yes" button without doing anything else. If only the "Graphical interface subsystem" group or only the development tools are needed, mark the corresponding field.

    The "Basic configuration" group is mandatory: it contains all the components needed for MSVS 3.0 to operate in the base variant (without additional tools).

    The installation mode "All (including optional)" means installing every package in the distribution, including kernel variants not specific to this computer and the set of packages needed to produce the MSVS 3.0 boot disk.

    For a finer selection of packages (for example, to save the disk space taken by the OS), mark the "Individual package selection" option and press the "Yes" button. The "Select packages" window (Fig. 9-16) appears with a list of package groups and of the packages themselves.

    A group can be collapsed or expanded, information about a package shown, and a package added to or removed from the installation list by moving the highlight to it and pressing the corresponding key.

    When the package selection is complete, press the "Yes" button.

    If an individual package list was chosen, unmet dependencies may arise. This means that the selected list contains packages that require other packages from the MSVS 3.0 boot disk that were not marked. Package dependencies are resolved automatically by the installation program.

    After the package selection is complete, the "Start installation" dialog box appears. This window gives the name of the log file in /root in which the installer will save the list of installed packages when it finishes.

    The actual partitioning of the disk and the installation of packages begin only after the "Yes" button is pressed in the "Start installation" window. Up to this point the installation can still be aborted by rebooting the computer; in that case all data on the hard disks remains unchanged.

    To start installing the packages, press the "Yes" button.

    The "Installing packages" window appears on the screen (Fig. 9-17).

    At this stage the automatic installation of the selected packages can be observed. A brief description is shown for each package, along with progress information for the current package and for all packages together.

    1.1.47. Setting the superuser password

    The "Root user password" dialog box appears on the screen (Fig. 9-18). Enter the password in the "Password" line and confirm it in the "Confirm password" line (restrictions on the form and length of the password are determined by the security requirements for the system; by default the password must be at least eight characters long). For security reasons, asterisks are displayed instead of the characters typed. Press the "Yes" button.

    1.1.48. Creating boot diskettes

    The "Boot diskette set" dialog box appears on the screen (Fig. 9-19). A boot diskette set may be needed if the hard disk's boot record is damaged.

    To create boot diskettes, press the "Yes" button and follow the instructions in the dialog boxes.

    If the boot set is not required, press the "No" button. A boot diskette can be created later with a graphical utility or the mkbootdisk command.

    1.1.49. Configuring the video card and monitor

    The next step is configuring the graphics system. Following the instructions in the dialog boxes, enter information about the video card and the monitor.

    If the installer detects the video card type automatically, information about it is displayed (Fig. 9-20).




    Fig. 9-19. Creating boot diskettes.



    Fig. 9-20. Selecting the video card.

    Otherwise the "Select card" dialog box appears. Select the card type from the list; if the required card is not listed, select "Unlisted card".

    In the "Server selection" window, select the X server that can work with the installed video card.

    After that, the "Monitor setup" dialog box appears (Fig. 9-21). If the installer does not detect the monitor type automatically, select the appropriate monitor from the list.

    If necessary, the monitor parameters can be set manually: select the "Other" item in the list and enter the vertical and horizontal scan frequencies (vertical: 60 to 100 Hz).

    Press the "Yes" button.

    After the monitor has been selected, the "Advanced" window appears (Fig. 9-22). Select the desired color depth and screen resolution. In this window you can also select the login mode: "Graphical" (recommended) or "Text". If graphical login is selected, the graphical interface is started by default. Make the selection and press the "Yes" button.

    After the graphics system has been set up, the "Installation completed" window appears (Fig. 9-23) with the message "Congratulations, the installation of MSVS 3.0 is complete."

    Press the "Yes" button to reboot. The computer restarts; during the reboot the CD tray opens automatically. Remove the disk from the tray.




    Fig. 9-23. Installation completed.


    Fig. 9-24. Installation Method


    In this review I will try to install a copy of Red Hat Enterprise Linux made for the needs of the Russian Ministry of Defense, to see how it works on modern hardware. The last release of MSVS was back in 2011, but it is still "useful" in the Russian army:

    Getting started with the installation

    We will install on a Fujitsu Lifebook N532 laptop, which works stably in both Linux and Windows. This laptop was released in 2012, just a year after MSVS 5.0.


    The boot screen is a cut-down copy of the Red Hat Enterprise Linux one:



    They could not even be bothered to make a proper boot screen: they changed the background and logo, removed unnecessary buttons, and that was it.
    To continue the installation, simply press ENTER:

    The installer loaded in retro MS-DOS style, even though by the time MSVS 5 was released almost all distributions had a graphical installer. Debian also has a text installer, but it is much simpler and clearer than this one. We are asked whether to check the installation DVD or not. Let's check it just in case:


    The disc was written correctly, no errors. Next we are asked to check additional media, but I do not have any.


    The disk partitioning tool starts with the "delete all partitions" option selected. What if an officer, trusting the domestic IT industry, simply presses ENTER?
    Now let's proceed to partitioning the disk. This computer has two other OSes installed, so I chose "Create your own partition layout".

    We have 30 GB of unused, unformatted space. I select "Use free space and create the default layout" and get a partitioning error: it is impossible to allocate the requested partitions.


    Click "Yes" and get an automatic partitioning error:
    Click "Yes" and choose "Create your own partition layout".
    Since this "DOS-style fdisk" does not show how much space is used and how much is free, I decided to look at the partitions in another OS first, so as not to delete anything by accident, and pressed reboot (Alt+Ctrl+Del, which I remember from MS-DOS).
    The computer simply hangs at this point, but still reacts to CapsLock. We wait another 15 minutes and just press reset. We boot another OS, make sure the free partition was chosen correctly, continue the installation and return to the disk partitioning step. The choice of file systems here is not rich: only EXT2, EXT3 and VFAT (which did not fit on the screen).
    Let's leave everything at the default, that is, we will use GRUB:
    Just press Enter.


    Next we are asked to create a password for changing the GRUB boot parameters


    I had to enter a long password


    Now we proceed to installing the bootloader. The laptop has the latest versions of Debian and Ubuntu installed, but the installer did not find them. As a result, after installing MSVS the operating system selection menu will disappear and GRUB will have to be restored from a LiveCD.
    The scrollbar of the operating system list is at the very bottom, as if to say there is something else there. I tried to move it by pressing Tab, Ctrl, Ctrl+Tab and other key combinations, but the scrollbar stayed exactly where it was:


    Click Yes and continue the installation:


    Choose where to install the bootloader. I put the bootloader in the MBR, that is, on /dev/sda, as in any Linux, but for recent Windows converts this is a difficult question. Or do all Russian servicemen know Unix?


    Next comes the network setup.

    We do not have any network connections, so choose "no" and press Enter


    A window opens asking to enter additional network settings:


    As you can see, there are no "Cancel" or "No" buttons, only "Yes" and "Back". That would be logical if we were installing the system over the network, but we have a DVD with the complete set of programs. Press Enter.

    You left the "Gateway" field empty. Depending on your network environment, there may be problems later


    Click to continue, and again we are asked to enter additional network parameters. In the end we go back to the first network setup window and state that the network interface needs to be configured, even though we do not have one.

    We are asked to enter the host name. Select "manually" and make up a name


    Select your time zone:


    Set a root user password (no less than six characters):


    Select the list of packages to install. I chose everything


    Next comes dependency resolution, after which a window opens with the path to the installation log:


    Installation process:


    I do not understand: is this a problem with the fonts or with the encoding?

    The installation reaches 100% and the installer happily congratulates us on completing the installation, asks us to remove the removable media and press ENTER to reboot. We press ENTER and the computer simply hangs, as last time.

    Press the POWER button, wait a few minutes and, oh horror, everything is in English. Or is this the kind of Russian used in the Russian army?


    Where are our Debian and Ubuntu? There is only MSVS. But nothing terrible, it can be fixed by reinstalling the GRUB loader from a LiveCD.

    Just press ENTER to boot

    The system thinks for 15 seconds and shows errors: "Memory for crash kernel (0x0 to 0x0) notwithin permissible range" and "Unable to query Synaptics hardware" (it cannot query the touchpad)


    and continues booting; a settings menu opens during the boot process.


    Just choose "Exit" and press Enter. After 10 seconds this screen opens, with not a single hint of a graphical interface. We enter the login and password and the system is ready for work:

    By the way, note that the kernel installed here is 2.6.18. This kernel came out five years before MSVS 5.0. Yes, in five years whole industries could be built, as in Stalin's five-year plans, but almost 10 years have passed! Back then I was only beginning to take an interest in Linux. Although perhaps they spent those five years on a security audit of the code.
    Okay, let's try to use what there is.
    We try to start the graphics. In *nix, to start graphics you usually enter startx, so we enter startx:
    # startx
    and get errors:


    Here I specifically opened the error log /var/log/Xorg.0.log so that it is clear what the matter is: the system cannot load the standard fbdev and vesa drivers.

    All that remains is to restart the system and return to a working OS. We enter reboot and again get a freeze on reboot:


    We try installing in VirtualBox:

    We again enter the login root, the password and startx

    Of course, VNIINS does not recommend running the graphical shell as administrator, for security reasons. Then why, after the first boot or in the installer itself, was there no suggestion to create an ordinary user for security purposes, as in many other distributions?


    O_o, it turns out to be working.

    Work desk MSVS 5.0

    So, what we see are a beautiful lightweight desktop, simulating the old Windows and KDE. But it's just an embellished dessert desktop


    File Manager, released 11 years ago, is very similar to the trimmed Konquerror


    In the system TRE, the time indicator with the calendar, the keyboard layout switch and the availability level indicator (but it is rather from the MSVS developers).

    Settings MSVS 5.0.

    In Linux, some programs (for example Chromium) are not running from the ROOT user, on this we first create a new user and go to the system through it:

    Start - Settings - ELK Control Panel, User Management - Add New User:

    Password must be at least 8 characters!

    Safety attributes are impressive, but we will not touch them:


    The user was created successfully. We leave the session and get straight into the root account, where a bunch of errors welcomes us:


    We leave from this account by pressing Ctrl + D, log in by a new user and run Startx. Ikers started, but the mouse moves and the keyboard combinations do not react. The restart of the virtual machine did not help, the cavities in this account also do not work. Well, you will have to work from root, which is a security disorder.

    Screen resolution from us 800x600, try to change it. Go to "Control Panel" and select the "Monitor" icon. The window opens with the message that we do not have a xorg.conf file and that the screen will be dark during its creation. Create it or not?


    Click "Yes"


    Configuration initialization error:


    After that, the window with the monitor settings opens. We try to change anything but no reaction. It is noteworthy that this window shows an example of the Windows 95 screen. And when you press the "Yes" and "Cancel" buttons, the window does not close and nothing happens. Close the window can only be pressed on the cross.


    In the "System" menu, there is an item "Switching screen permissions". We choose it and we offer a program in TRE with only two points: 800x600 and 640x480 and 60Hz frequency. But in the Freedos OS, I could put it up and even change the frequency. Hence the conclusion that in the ISWS software schedule worse than in DOS!


    We look at the equipment information:


    After clicking "OK", this window opens:

    MSVS 5.0 programs

    Interestingly, when we translate the mouse pointer from EDE programs in KDE, the mouse pointer color changes.
    This is because the HSS desktop is a mixture of EDE and KDE desktops.
    Net. Total ten programs in this category, including the ELK Observer, IRC, Wireshark, GFTP, Mailing Monitor, Network Monitor and PPP Setup and Network Device Management.


    Network devices management


    The mail client does not start:


    The ELK browser browser is an exact copy of the Aurora browser. See, they renamed it to ELK, but forgot to change the logo:

    ELK browser:

    Utilities
    In utilities, as well as 4 Terminal: ELK-Terminal, X-terminal, console and terminal in superuser mode. Do you know why there are so many of them? Because the WSA desktop is an EDE mixture with KDE. They even inhabited to remove unnecessary utilities, all as the default was so they left.


    For this reason, there are many programs from two different desktops, but with the same features. This is especially true of viewing pictures, documents (PDF, DJVU, etc.) and text editors.

    Text Emacs text editor in MSVS:


    Scientific. In scientific, only the KDE calculator, which was released in 2005:
    Graphics. In this section, all programs from KDE + XSane 2007 release.
    Games. In games, a set of games from KDE, among which the military games are sapper and parachutes:
    Multimedia. A simple media player, audio player, K3B (CD / DVD entry), sound regulator and sound recording program.
    To check the sound, you need to download some movie into the virtual system .. The sound and video do not work at all. I put in the settings of VirtualBox ALSA, OSS, SoundBlaster16 - nothing works. I tried OGV, OGG, MP4 - in some cases requires to install codecs, in others - shows an error:
    Let's try install FFMPEG:
    Open Start - ELK Control Panel - Program Manager
    before starting a few seconds, packet lists are checked.
    let's try to find FFMPEG.
    This is such Russian language in the Russian army!

    fFMPEG was in the list of installed packages. And the search for OSS and ALSA (sound systems) did not give any results at all. Office and Firefox requests also did not give any results.

    k3B When starting it gives an error that it fails to find the type MIME. You need to press 10 times ok and then it starts:


    Shutting down the system:
    Conclusions ...
    1. On modern hardware, MSVS does not work.
    2. The kernel, like all of the software, was released 11 years ago, so modern hardware is not supported.
    3. Screen resolution is set to 800x600 and does not change.
    4. The video system works only in the emulator, and shows errors after shutdown.
    5. Sound does not work at all.
    6. Graphics work only as the root user, which is a security violation.
    7. The standard shutdown and reboot commands are available only through the console and work only in the emulator.

    General conclusions.

    MSVS 5.0 is Red Hat Enterprise Linux 5.0 (2007) copied in 2011; it works incorrectly on computers released in 2011. Yes, in the Russian army deep antiquity is generally noticeable, for example the aircraft carrier "Admiral Kuznetsov" with its ski-jump instead of a catapult, because of which the aircraft are forced to fly with an incomplete weapons load and sometimes fall into the water when landing, and with its fuel-oil power plant, which needs refueling during a voyage ...

    Surely at least some of our readers have wondered which operating system is used in our armed forces. After all, we all understand that some missile complex on combat duty cannot be running Windows. Today we lift the veil of mystery and tell about the MSVS OS. This is the so-called Mobile System of the Armed Forces; its name speaks about its scope of application, and we will tell in general terms how it works.

    Prerequisites for creating

    The security criteria for computer systems were first formulated in the late 1960s. In the mid-1980s, in the USA, all these developments were collected in one document. Thus the "Orange Book" of the US Department of Defense was born, the first security standard for computer systems. Similar documents then appeared in European countries and Canada. In 2005, on their basis, the international security standard ISO/IEC 15408 "Common Criteria" was prepared.

    In Russia, similar research was conducted at the 22nd Central Research Institute of the Ministry of Defense. The final result of the development was the adoption of the MSVS OS into service in the Armed Forces of the Russian Federation in 2002. A version of the State Standard based on the ISO/IEC requirements was adopted in 2008.

    Why a military OS

    The operating systems that we use daily are not suitable for use at state facilities. The State Technical Commission under the President of the Russian Federation formulated the requirements as follows:

    • Information must be protected from unauthorized access, both from the inside and from the outside.
    • The system must not contain undocumented capabilities; in other words, there must be no "Easter eggs" in the OS code.

    In addition, a protected operating system must have a multi-level hierarchical access structure and separated administration functions.

    Thus, the task of creating a specialized closed OS is not as simple as it seems at first glance. The absence of undocumented capabilities assumes that the source code and the technical description of all operating procedures will be thoroughly studied at the certification center. And this is the area of commercial secrets of the owning corporations or the intellectual property of developers. Such a paradox makes one turn toward open-source OSes, because it is almost impossible to obtain full technical documentation for proprietary software.

    Requirements of GOST R

    FSTEC, as the service responsible for information security on a national scale, has established a division of OSes according to the degree of protection of the processed information. For convenience, all the data is reduced to one table.

    From the table it can be seen that, for a number of requirements, three groups and nine security classes against unauthorized access are established, and a further division is made for admission to various kinds of confidential information.

    At the heart of Linux

    What is so convenient about Linux that it will gladly serve in the state apparatus? After all, most ordinary users are afraid of it like the devil is afraid of incense. Let's figure it out. To begin with, pay attention to the license under which Linux is distributed. This is the so-called GPLv2, the GNU General Public License, a free software license. Anyone can obtain the source code and create their own product based on it. In other words, nothing prevents taking the top Linux distributions and using them to develop one's own protected OS.

    The world experience of government agencies shows that the transition to free software is happening everywhere; the idea is in demand and fully justified. Leading countries of the world, such as the United States, Germany and Japan, as well as the rapidly advancing China and India, are actively using Linux in the public sector and in education.

    MSVS and its contents

    Mobile System version 3.0 has served in the troops for ten years; a more advanced product is coming to replace it, and we can calmly look under the "hood" of the veteran. So, this is a network operating system working in multi-user mode with a graphical user interface. It supports the following hardware platforms:

    • Intel.
    • SPARC / "Elbrus".
    • IBM System/390.

    It is based on the best Linux distributions available at the time. Many system modules were borrowed from Red Hat Linux and recompiled taking into account the requirements of the Ministry of Defense. In other words, the Mobile System of the Armed Forces is an RPM-based Linux distribution with all the related applications and development tools.

    File system support is at the level of the beginning of the century, but since the most common file systems already existed then, this indicator is not critical.

    Versions of MSVS

    Despite being a network OS, it has no software repositories of the kind familiar to any Linux user. All software is supplied on the installation CDs. Any program used in this system is pre-certified by the Ministry of Defense. And since this procedure is far from fast, over the whole decade and a half of operation only a limited number of versions and changes to them have been issued.
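    Because every package on such a system arrives on certified installation media and there is no repository to re-download from, the installed RPM database is the only local integrity baseline an administrator has. The following is an added example, not code from the article or from VNIINS: it parses the output of `rpm -Va` (which lists only files that deviate from the package metadata) and triages which deviations deserve attention. The sample output lines are constructed.

```python
"""Triage `rpm -Va` output: which installed files deviate from the package baseline.
Added example, not part of the original article; SAMPLE_OUTPUT below is constructed."""
import re
from dataclasses import dataclass

# rpm -Va prints a run of check flags (nine on current rpm, eight on the RHEL 5 era
# rpm that lacked the P/capabilities test) or "missing", then an optional file-type
# letter (c=config, d=doc, g=ghost, l=license, r=readme) and the path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S*)$")
FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}

@dataclass
class VerifyEntry:
    path: str
    ftype: str          # "" when rpm printed no type letter (a regular payload file)
    failed: frozenset   # names of the checks that failed, or {"missing"}

def parse_rpm_verify(text: str) -> list:
    """Turn raw `rpm -Va` text into VerifyEntry objects; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        if m["flags"] == "missing":
            failed = frozenset({"missing"})
        else:
            failed = frozenset(FLAG_NAMES[c] for c in m["flags"] if c in FLAG_NAMES)
        entries.append(VerifyEntry(m["path"], m["ftype"] or "", failed))
    return entries

def triage(entries) -> dict:
    """'suspicious': changed content, permissions, ownership or missing payload files;
    'review': edited config files; 'ignore': only the modification time changed."""
    out = {"suspicious": [], "review": [], "ignore": []}
    for e in entries:
        if e.failed == {"mtime"}:
            out["ignore"].append(e.path)
        elif e.failed & {"mode", "owner", "group", "capabilities", "missing"}:
            out["suspicious"].append(e.path)
        elif e.ftype == "c":
            out["review"].append(e.path)
        else:
            out["suspicious"].append(e.path)
    return out

SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/coreutils/README
S.5....T.    /usr/bin/login
.M......    /usr/bin/passwd
missing      /usr/lib/libverify.so
"""

if __name__ == "__main__":
    for bucket, paths in triage(parse_rpm_verify(SAMPLE_OUTPUT)).items():
        print(bucket, paths)
```

    The fourth sample line uses the eight-flag format of the RHEL 5 era rpm, so the parser handles both generations of output.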

    The developer of MSVS is the All-Russian Research Institute of Automation of Management in the Non-Industrial Sphere (VNIINS). On its official page you can find data on the versions of MSVS that are currently supported and have the necessary security certificates from the Ministry of Defense.

    As of 2017, the Mobile System of the Armed Forces is represented by two supported builds:

    • OS MSVS 3.0 FLIR 80001-12 (change No. 4).
    • OS MSVS 3.0 FLIR 80001-12 (change No. 6).

    Version 5.0, available on the VNIINS website, has a Ministry of Defense security certificate but has not been officially accepted for supply to the troops.

    The successor of MSVS

    The next protected OS, presented as a replacement for the ten-year-old MSVS, was Astra Linux. Unlike its predecessor, which had a security certificate only from the Ministry of Defense, Astra received all the certificates possible in Russia: documents from the MoD, the FSB and FSTEC. Thanks to this it can be used in any government agency, and the presence of several versions adapted to different hardware platforms further expands its scope of use. As a result, it can bring all devices under its control, from mobile to stationary server equipment.

    Astra Linux is a modern Linux distribution based on deb packages; it uses a recent kernel version and current software. The list of supported processors and architectures has also been expanded and includes modern models. The list of officially published versions gives hope for the success of this software product, at least in the public sector and defense.

    Finally

    In this material we talked about the MSVS system, the main operating system of the Armed Forces of the Russian Federation, which has faithfully served "in the ranks" for 15 years and is still "on combat duty". In addition, its successor was briefly characterized. Perhaps this will push some of our readers to see what Linux is, and to form an unbiased opinion about the product.