bind: mise à jour en conformité avec ansible-roles, ajout section AppArmor
This commit is contained in:
David Prevot
parent
a56bf88fbe
commit
a5e0d8cec5
67
HowtoBind.md
67
HowtoBind.md
|
|
@ -15,13 +15,40 @@ title: Howto BIND
|
|||
# apt install bind9
|
||||
|
||||
$ /usr/sbin/named -V
|
||||
BIND 9.10.3-P4-Debian <id:ebd72b3>
|
||||
built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-iBGKO7/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
|
||||
compiled by GCC 6.3.0 20170516
|
||||
compiled with OpenSSL version: OpenSSL 1.0.2l 25 May 2017
|
||||
linked to OpenSSL version: OpenSSL 1.0.2l 25 May 2017
|
||||
compiled with libxml2 version: 2.9.4
|
||||
linked to libxml2 version: 20904
|
||||
BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) <id:>
|
||||
running on Linux x86_64 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29)
|
||||
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.18.19=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
|
||||
compiled by GCC 12.2.0
|
||||
compiled with OpenSSL version: OpenSSL 3.0.10 1 Aug 2023
|
||||
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
|
||||
compiled with libuv version: 1.44.2
|
||||
linked to libuv version: 1.44.2
|
||||
compiled with libnghttp2 version: 1.52.0
|
||||
linked to libnghttp2 version: 1.52.0
|
||||
compiled with libxml2 version: 2.9.14
|
||||
linked to libxml2 version: 20914
|
||||
compiled with json-c version: 0.16
|
||||
linked to json-c version: 0.16
|
||||
compiled with zlib version: 1.2.13
|
||||
linked to zlib version: 1.2.13
|
||||
linked to maxminddb version: 1.7.1
|
||||
compiled with protobuf-c version: 1.4.1
|
||||
linked to protobuf-c version: 1.4.1
|
||||
threads support is enabled
|
||||
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
|
||||
DS algorithms: SHA-1 SHA-256 SHA-384
|
||||
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
|
||||
TKEY mode 2 support (Diffie-Hellman): yes
|
||||
TKEY mode 3 support (GSS-API): yes
|
||||
|
||||
default paths:
|
||||
named configuration: /etc/bind/named.conf
|
||||
rndc configuration: /etc/bind/rndc.conf
|
||||
DNSSEC root key: /etc/bind/bind.keys
|
||||
nsupdate session key: //run/named/session.key
|
||||
named PID file: //run/named/named.pid
|
||||
named lock file: //run/named/named.lock
|
||||
geoip-directory: /usr/share/GeoIP
|
||||
~~~
|
||||
|
||||
Sous Debian 8, l'unité [systemd](HowtoSystemd) ne gère pas les options dans `/etc/default/bind9`, il faut corriger l'unité en copiant :
|
||||
|
|
@ -57,7 +84,6 @@ Fichiers de configuration :
|
|||
├── db.255
|
||||
├── db.empty
|
||||
├── db.local
|
||||
├── db.root
|
||||
├── named.conf
|
||||
├── named.conf.default-zones
|
||||
├── named.conf.local
|
||||
|
|
@ -203,6 +229,29 @@ RESOLVCONF=no
|
|||
OPTIONS=" -u bind -t /var/chroot-bind"
|
||||
~~~
|
||||
|
||||
### AppArmor depuis Buster (Debian 10)
|
||||
|
||||
AppArmor protège par défaut les chemins utilisés par la version distribuée par Debian, il faut ajouter les chemins effectivement utilisés dans le chroot.
|
||||
|
||||
~~~ { .sh }
|
||||
# cat /etc/apparmor.d/local/usr.sbin.named
|
||||
/var/chroot-bind/etc/bind/** r,
|
||||
/var/chroot-bind/var/** rw,
|
||||
/var/chroot-bind/dev/** rw,
|
||||
/var/chroot-bind/run/** rw,
|
||||
/var/chroot-bind/usr/** r,
|
||||
~~~
|
||||
|
||||
Il faut relancer apparmor et bind9 après ces ajouts.
|
||||
|
||||
~~~ { .sh }
|
||||
# systemctl daemon-reload
|
||||
# systemctl apparmor restart
|
||||
# systemctl apparmor bind9
|
||||
~~~
|
||||
|
||||
Sinon vous aurez des erreurs `open: /etc/bind/named.conf: permission denied` et `audit: type=1400 audit(1689581621.287:26): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/chroot-bind/etc/bind/named.conf" pid=3205399 comm="named" requested_mask="r" denied_mask="r" fsuid=115 ouid=115` dans `/var/log/syslog`.
|
||||
|
||||
### bind mount à partir de Bookworm (Debian 12)
|
||||
|
||||
Depuis Bookworm, des points de montage sont nécessaires pour un fonctionnement normal de systemd et journald (sinon l’unité systemd ne renvoie jamais de signal après un redémarrage correct).
|
||||
|
|
@ -239,8 +288,6 @@ Vous devez alors relancer BIND :
|
|||
### Problèmes de permissions avec chroot
|
||||
|
||||
* Si erreur : `named: chroot(): Permission denied`, vérifier que `/var/chroot-bind` est en `750`.
|
||||
* [Debian >= 10] Dans `/etc/apparmor.d/usr.sbin.named`, dupliquer toutes les règles contenant des chemins, et y ajouter le préfixe `/var/chroot-bind`. Puis redémarrer le service AppArmor et Bind9.
|
||||
* Sinon vous aurez des erreurs `open: /etc/bind/named.conf: permission denied` et `audit: type=1400 audit(1689581621.287:26): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/chroot-bind/etc/bind/named.conf" pid=3205399 comm="named" requested_mask="r" denied_mask="r" fsuid=115 ouid=115` dans `/var/log/syslog`.
|
||||
* Si `/var/log/bind_queries.log` n'existe pas, il faut créer le lien symbolique : `ln -s /var/chroot-bind/var/log/bind_queries.log /var/log/bind_queries.log`
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue