Manualshelf

User guide

ManualsBrandsRed Hat ManualsOtherENTERPRISE LINUX 4 - SELINUX GUIDE
61626364656667686970
Chapter 2. Securing Your Network
58
2.3.2.2. Option Fields
In addition to basic rules that allow and deny access, the Red Hat Enterprise Linux implementation
of TCP Wrappers supports extensions to the access control language through option fields. By using
option fields in hosts access rules, administrators can accomplish a variety of tasks such as altering
log behavior, consolidating access control, and launching shell commands.
2.3.2.2.1. Logging
Option fields let administrators easily change the log facility and priority level for a rule by using the
severity directive.
In the following example, connections to the SSH daemon from any host in the example.com domain
are logged to the default authpriv syslog facility (because no facility value is specified) with a
priority of emerg:
sshd : .example.com : severity emerg
It is also possible to specify a facility using the severity option. The following example logs any SSH
connection attempts by hosts from the example.com domain to the local0 facility with a priority of
alert:
sshd : .example.com : severity local0.alert
Note
In practice, this example does not work until the syslog daemon (syslogd) is configured to log
to the local0 facility. Refer to the syslog.conf man page for information about configuring
custom log facilities.
2.3.2.2.2. Access Control
Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the
allow or deny directive as the final option.
For example, the following two rules allow SSH connections from client-1.example.com, but
deny connections from client-2.example.com:
sshd : client-1.example.com : allow
sshd : client-2.example.com : deny
By allowing access control on a per-rule basis, the option field allows administrators to consolidate all
access rules into a single file: either hosts.allow or hosts.deny. Some administrators consider
this an easier way of organizing access rules.
2.3.2.2.3. Shell Commands
Option fields allow access rules to launch shell commands through the following two directives:
spawn — Launches a shell command as a child process. This directive can perform tasks like using
/usr/sbin/safe_finger to get more information about the requesting client or create special
log files using the echo command.
In the following example, clients attempting to access Telnet services from the example.com
domain are quietly logged to a special file: