Contents
Security and Hardening Guide
- About This Guide
- 1 Security and Confidentiality
- 2 Common Criteria
- I Authentication
- II Local Security
- 10 Physical Security
- 11 Automatic Security Checks with seccheck
- 12 Software Management
- 13 File Management
- 14 Encrypting Partitions and Files
- 15 Storage Encryption for Hosted Applications with cryptctl
- 16 User Management
- 17 Spectre/Meltdown Checker
- 18 Configuring Security Settings with YaST
- 19 Authorization with PolKit
- 20 Access Control Lists in Linux
- 21 Certificate Store
- 22 Intrusion Detection with AIDE
- III Network Security
- IV Confining Privileges with AppArmor
- 27 Introducing AppArmor
- 28 Getting Started
- 29 Immunizing Programs
- 30 Profile Components and Syntax
- 31 AppArmor Profile Repositories
- 32 Building and Managing Profiles with YaST
- 33 Building Profiles from the Command Line
- 34 Profiling Your Web Applications Using ChangeHat
- 35 Confining Users with
pam_apparmor - 36 Managing Profiled Applications
- 37 Support
- 38 AppArmor Glossary
- V SELinux
- VI The Linux Audit Framework
- A GNU Licenses
openSUSE Leap 15.2
Security and Hardening Guide
Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.
Publication Date:
December 16, 2020
- About This Guide
- 1 Security and Confidentiality
- 2 Common Criteria
- I Authentication
- II Local Security
- 10 Physical Security
- 11 Automatic Security Checks with seccheck
- 12 Software Management
- 13 File Management
- 14 Encrypting Partitions and Files
- 15 Storage Encryption for Hosted Applications with cryptctl
- 16 User Management
- 16.1 Various Account Checks
- 16.2 Enabling Password Aging
- 16.3 Stronger Password Enforcement
- 16.4 Password and Login Management with PAM
- 16.5 Restricting
rootLogins - 16.6 Setting an Inactivity Timeout for Interactive Shell Sessions
- 16.7 Preventing Accidental Denial of Service
- 16.8 Displaying Login Banners
- 16.9 Connection Accounting Utilities
- 17 Spectre/Meltdown Checker
- 18 Configuring Security Settings with YaST
- 19 Authorization with PolKit
- 20 Access Control Lists in Linux
- 21 Certificate Store
- 22 Intrusion Detection with AIDE
- III Network Security
- IV Confining Privileges with AppArmor
- 27 Introducing AppArmor
- 28 Getting Started
- 29 Immunizing Programs
- 30 Profile Components and Syntax
- 30.1 Breaking an AppArmor Profile into Its Parts
- 30.2 Profile Types
- 30.3 Include Statements
- 30.4 Capability Entries (POSIX.1e)
- 30.5 Network Access Control
- 30.6 Profile Names, Flags, Paths, and Globbing
- 30.7 File Permission Access Modes
- 30.8 Mount Rules
- 30.9 Pivot Root Rules
- 30.10 PTrace Rules
- 30.11 Signal Rules
- 30.12 Execute Modes
- 30.13 Resource Limit Control
- 30.14 Auditing Rules
- 31 AppArmor Profile Repositories
- 32 Building and Managing Profiles with YaST
- 33 Building Profiles from the Command Line
- 34 Profiling Your Web Applications Using ChangeHat
- 35 Confining Users with
pam_apparmor - 36 Managing Profiled Applications
- 37 Support
- 38 AppArmor Glossary
- V SELinux
- VI The Linux Audit Framework
- 40 Understanding Linux Audit
- 40.1 Introducing the Components of Linux Audit
- 40.2 Configuring the Audit Daemon
- 40.3 Controlling the Audit System Using
auditctl - 40.4 Passing Parameters to the Audit System
- 40.5 Understanding the Audit Logs and Generating Reports
- 40.6 Querying the Audit Daemon Logs with
ausearch - 40.7 Analyzing Processes with
autrace - 40.8 Visualizing Audit Data
- 40.9 Relaying Audit Event Notifications
- 41 Setting Up the Linux Audit Framework
- 42 Introducing an Audit Rule Set
- 42.1 Adding Basic Audit Configuration Parameters
- 42.2 Adding Watches on Audit Log Files and Configuration Files
- 42.3 Monitoring File System Objects
- 42.4 Monitoring Security Configuration Files and Databases
- 42.5 Monitoring Miscellaneous System Calls
- 42.6 Filtering System Call Arguments
- 42.7 Managing Audit Event Records Using Keys
- 43 Useful Resources
- A GNU Licenses
List of Figures
- 4.1 NIS Server Setup
- 4.2 Master Server Setup
- 4.3 Changing the Directory and Synchronizing Files for a NIS Server
- 4.4 NIS Server Maps Setup
- 4.5 Setting Request Permissions for a NIS Server
- 4.6 Setting Domain and Address of a NIS Server
- 6.1 Structure of an LDAP Directory
- 6.2 Window
- 7.1 Kerberos Network Topology
- 7.2 Window
- 8.1 Schema of Winbind-based Active Directory Authentication
- 8.2 Main Window of
- 8.3 Enrolling into a Domain
- 8.4 Configuration Window of
- 8.5 Determining Windows Domain Membership
- 8.6 Providing Administrator Credentials
- 15.1 Key Retrieval with
cryptctl(Model Without Connection to KMIP Server) - 17.1 Output from spectre-meltdown-checker
- 18.1 YaST Security Center and Hardening: Security Overview
- 20.1 Minimum ACL: ACL Entries Compared to Permission Bits
- 20.2 Extended ACL: ACL Entries Compared to Permission Bits
- 25.1 iptables: A Packet's Possible Paths
- 26.1 Routed VPN
- 26.2 Bridged VPN - Scenario 1
- 26.3 Bridged VPN - Scenario 2
- 26.4 Bridged VPN - Scenario 3
- 33.1
aa-notify Message in GNOME - 34.1 Adminer Login Page
- 39.1 Selecting all SELinux Packages in YaST
- 40.1 Introducing the Components of Linux Audit
- 40.2 Flow Graph—Program versus System Call Relationship
- 40.3 Bar Chart—Common Event Types
List of Tables
- 6.1 Commonly Used Object Classes and Attributes
- 16.1 Sample rules/constraints for password enforcement
- 20.1 ACL Entry Types
- 20.2 Masking Access Permissions
- 22.1 Important AIDE Check Boxes
- 24.1
- 25.1 Important Sysconfig Variables for Static Port Configuration
- 37.1 Man Pages: Sections and Categories
- 40.1 Audit Status Flags
List of Examples
- 3.1 PAM Configuration for sshd (
/etc/pam.d/sshd) - 3.2 Default Configuration for the
authSection (common-auth) - 3.3 Default Configuration for the
accountSection (common-account) - 3.4 Default Configuration for the
passwordSection (common-password) - 3.5 Default Configuration for the
sessionSection (common-session) - 3.6 pam_env.conf
- 6.1 Excerpt from CN=schema
- 6.2 Basic Instance Configuration File
- 6.3 A
.dsrcFile for Remote Administration - 6.4 A
.dsrcFile for Local Administration - 7.1 Example KDC Configuration,
/etc/krb5.conf - 25.1 Callback Port Configuration for the
nfsKernel Module in/etc/modprobe.d/60-nfs.conf - 25.2 Commands to Define a new
firewalldRPC Service for NFS - 26.1 VPN Server Configuration File
- 26.2 VPN Client Configuration File
- 28.1 Output of
aa-unconfined - 33.1 Learning Mode Exception: Controlling Access to Specific Resources
- 33.2 Learning Mode Exception: Defining Permissions for an Entry
- 39.1 Security Context Settings Using
ls -Z - 39.2 Verifying that SELinux is functional
- 39.3 Getting a List of Booleans and Verifying Policy Access
- 39.4 Getting File Context Information
- 39.5 The default context for directories in the root directory
- 39.6 Showing SELinux settings for processes with
ps Zaux - 39.7 Viewing Default File Contexts
- 39.8 Example Lines from
/etc/audit/audit.log - 39.9 Analyzing Audit Messages
- 39.10 Viewing Which Lines Deny Access
- 39.11 Creating a Policy Module Allowing an Action Previously Denied
- 40.1 Example output of
auditctl-s - 40.2 Example Audit Rules—Audit System Parameters
- 40.3 Example Audit Rules—File System Auditing
- 40.4 Example Audit Rules—System Call Auditing
- 40.5 Deleting Audit Rules and Events
- 40.6 Listing Rules with
auditctl-l - 40.7 A Simple Audit Event—Viewing the Audit Log
- 40.8 An Advanced Audit Event—Login via SSH
- 40.9 Example /etc/audisp/audispd.conf
- 40.10 Example /etc/audisp/plugins.d/syslog.conf
Copyright © 2006– 2020 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.