Security and Hardening Guide

Publication Date: December 16, 2020 · The Linux Audit Framework

root # command
tux > sudo command
tux > command
TYPE  CONTROL
 MODULE_PATH  MODULE_ARGS
#%PAM-1.0 1
auth     requisite      pam_nologin.so                              2
auth     include        common-auth                                 3
account  requisite      pam_nologin.so                              2
account  include        common-account                              3
password include        common-password                             3
session  required       pam_loginuid.so                             4
session  include        common-session                              3
session  optional       pam_lastlog.so   silent noupdate showfailed 5
auth  required  pam_env.so                   1
auth  optional  pam_gnome_keyring.so         2
auth  required  pam_unix.so  try_first_pass 3
account  required  pam_unix.so  try_first_pass
password  requisite  pam_cracklib.so
password  optional   pam_gnome_keyring.so  use_authtok
password  required   pam_unix.so  use_authtok nullok shadow try_first_pass
session  required  pam_limits.so
session  required  pam_unix.so  try_first_pass
session  optional  pam_umask.so
session  optional  pam_systemd.so
session  optional  pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
session  optional  pam_env.so
VARIABLE  [DEFAULT=VALUE]  [OVERRIDE=VALUE]
REMOTEHOST  DEFAULT=localhost          OVERRIDE=@{PAM_RHOST}
DISPLAY     DEFAULT=${REMOTEHOST}:0.0  OVERRIDE=${DISPLAY}
255.0.0.0     127.0.0.0
0.0.0.0       0.0.0.0
255.0.0.0     127.0.0.0
0.0.0.0       0.0.0.0
root # systemctl status sssd
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: active (running) since Thu 2015-10-23 11:03:43 CEST; 5s ago
   [...]
tux > sudo systemctl stop sssd
tux > sudo rm -f /var/lib/sss/db/*
tux > sudo systemctl start sssd
attributetype (1.2.840.113556.1.2.102 NAME 'memberOf' 1
       DESC 'Group that the entry belongs to' 2
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 3
       X-ORIGIN 'Netscape Delegated Administrator') 4

objectclass (2.16.840.1.113730.3.2.333 NAME 'nsPerson' 5
       DESC 'A representation of a person in a directory server' 6
       SUP top STRUCTURAL 7
       MUST ( displayName $ cn ) 8
       MAY ( userPassword $ seeAlso $ description $ legalName $ mail \
             $ preferredLanguage ) 9
       X-ORIGIN '389 Directory Server Project’
  ...
tux > sudo zypper install 389-ds
# /tmp/instance.inf
[general]
config_version = 2

[slapd]
root_password = YOUR_PASSWORD_FOR_CN=DIRECTORY_MANAGER1

[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com
tux > sudo dscreate from-file /tmp/instance.inf
tux > sudo dscreate -v from-file /tmp/instance.inf
tux > sudo dsctl localhost status
instance 'Localhost' is running
tux > sudo dsctl localhost remove --do-it
root # openssl pkcs12 -export -in SERVER.crt \
  -inkey SERVER.key -out SERVER.p12 \
  -name Server-Cert
pk12util -i PATH_TO_SERVER.p12 -d sql:PATH_TO_NSS_DB -n Server-cert -W SERVER.p12_PASSWORD
pk12util -i SERVER.p12 -d PATH_TO_NSS_DB
# cat ~/.dsrc
[localhost]
uri = ldaps://REMOTE_URI 1
basedn = dc=example,dc=com
binddn = cn=Directory Manager
tls_cacertdir = PATH_TO_CERTDIR 2
# cat ~/.dsrc
[localhost]
# Note that '/' is replaced with '%%2f'.
uri = ldapi://%%2fvar%%2frun%%2fslapd-localhost.socket 1
basedn = dc=example,dc=com
binddn = cn=Directory Manager
tux > sudo dsidm localhost user create --uid wilber \
  --cn wilber --displayName 'Wilber Fox' --uidNumber 1000 --gidNumber 1000 \
  --homeDirectory /home/wilber
tux > sudo dsidm localhost user get wilber
dn: uid=wilber,ou=people,dc=example,dc=com
[...]
tux > sudo dsidm localhost account reset_password \
  uid=wilber,ou=people,dc=example,dc=com
reset password for uid=wilber,ou=people,dc=example,dc=com
tux > sudo dsidm localhost user create --uid \
  --cn geeko --displayName 'Suzanne Geeko' \
  --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/geeko
tux > sudo dsidm localhost group create
Enter value for cn :
tux > sudo dsidm localhost group add_member server_admins uid=wilber,ou=people,dc=example,dc=com
added member: uid=wilber,ou=people,dc=example,dc=com
tux > sudo ldapwhoami -H ldaps://localhost -D \
  uid=wilber,ou=people,dc=example,dc=com -W -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS_CACERT /etc/dirsrv/slapd-localhost/ca.crt
tux > sudo LDAPTLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt \
  ldapwhoami -H ldaps://localhost -D \
  uid=wilber,ou=people,dc=example,dc=com -W -x
tux > sudo zypper in sssd
tux > sudo systemctl disable nscd && systemctl stop nscd
tux > sudo dsidm localhost client_config sssd.conf server_admins
tux > sudo mkdir -p /etc/openldap/certs
cp [...]>/ca.crt /etc/openldap/certs/
/usr/bin/c_rehash /etc/openldap/certs
tux > sudo systemctl enable sssd
systemctl start sssd
tux > sudo id wilber
    uid=1000(wilber) gid=100(users) groups=100(users)
USER/INSTANCE@REALM
passwd:         files
group:          files
[libdefaults]
 dns_canonicalize_hostname = false
 rdns = false
 default_realm = example.com
 ticket_lifetime = 24h
 renew_lifetime = 7d

[realms]
  example.com = {
  kdc = kdc.example.com.:88
  admin_server = kdc.example.com
  default_domain = example.com
 }

 [logging]
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 default = SYSLOG:NOTICE:DAEMON

[domain_realm]
 .example.com = example.com
 example.com = example.com
tux > sudo kdb5_util create -r EXAMPLE.COM -s
Initializing database '/var/lib/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:  1
Re-enter KDC database master key to verify:  2
tux > kadmin.local

kadmin> listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
tux > kadmin.local

kadmin> ank geeko
geeko@EXAMPLE.COM's Password: 1
Verifying password: 2
tux > sudo systemctl start krb5kdc
sudo systemctl start kadmind
tux > sudo systemctl enable krb5kdc kadmind
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc.example.com
                admin_server = kdc.example.com
        }
[domain_realm]
.example.com = EXAMPLE.COM
www.example.org = EXAMPLE.COM
_kerberos._udp.EXAMPLE.COM.  IN  SRV    0 0 88 kdc.example.com.
_kerberos._tcp.EXAMPLE.COM.  IN  SRV    0 0 88 kdc.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN  SRV    0 0 749 kdc.example.com.
_kerberos.www.example.org.  IN TXT "EXAMPLE.COM"
[libdefaults]
        clockskew = 60
geeko/admin              *
tux > kadmin -p geeko/admin
Authenticating as principal geeko/admin@EXAMPLE.COM with password.
Password for geeko/admin@EXAMPLE.COM:
kadmin:  getprivs
current privileges: GET ADD MODIFY DELETE
kadmin:
tux > kadmin -p geeko/admin
Authenticating as principal geeko/admin@EXAMPLE.COM with password.
Password for geeko/admin@EXAMPLE.COM:

kadmin:  getprinc geeko
Principal: geeko@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Jan 12 17:28:46 CET 2005
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jan 12 17:47:17 CET 2005 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

kadmin:  modify_principal -maxlife "8 hours" geeko
Principal "geeko@EXAMPLE.COM" modified.
kadmin:  getprinc geeko
Principal: geeko@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Jan 12 17:28:46 CET 2005
Password expiration date: [none]
Maximum ticket life: 0 days 08:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jan 12 17:59:49 CET 2005 (geeko/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin:
tux > kadmin -p geeko/admin
Authenticating as principal geeko/admin@EXAMPLE.COM with password.
Password for geeko/admin@EXAMPLE.COM:
kadmin:  addprinc -randkey host/jupiter.example.com
WARNING: no policy specified for host/jupiter.example.com@EXAMPLE.COM;
defaulting to no policy
Principal "host/jupiter.example.com@EXAMPLE.COM" created.
kadmin:  ktadd host/jupiter.example.com
Entry for principal host/jupiter.example.com with kvno 3, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/jupiter.example.com with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:
tux > sudo pam-config --add --krb5-ignore_unknown_principals
tux > sudo pam-config --add --krb5
# These are for protocol version 1
#
# KerberosAuthentication yes
# KerberosTicketCleanup yes

# These are for version 2 - better to use this
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
tux > sudo systemctl edit dirsrv@INSTANCE
[Service]
  Environment=KRB5_KTNAME=/etc/dirsrv/slapd-INSTANCE/krb5.keytab
tux > sudo chown dirsrv:dirsrv /etc/dirsrv/slapd-INSTANCE/krb5.keytab
tux > sudo chmod 600 /etc/dirsrv/slapd-INSTANCE/krb5.keytab
tux > kinit geeko@EXAMPLE.COM
tux > ldapwhoami -Y GSSAPI -H ldap://ldapkdc.example.com
dn: uid=testuser,ou=People,dc=example,dc=com

tux > dsconf INSTANCE sasl list
Kerberos uid mapping
rfc 2829 dn syntax
rfc 2829u syntax
uid mapping
tux > sudo dsconf INSTANCE sasl get "Kerberos uid mapping"
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
cn: Kerberos uid mapping
nsSaslMapBaseDNTemplate: dc=\2,dc=\3
nsSaslMapFilterTemplate: (uid=\1)
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
objectClass: top
objectClass: nsSaslMapping
tux > sudo dsconf INSTANCE sasl delete "Kerberos uid mapping"
Deleting SaslMapping cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config :
Successfully deleted cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
tux > sudo dsconf localhost sasl create --cn=bhgssapi --nsSaslMapRegexString "\
(.*\)@EXAMPLE.NET.DE" --nsSaslMapBaseDNTemplate="dc=example,dc=net,dc=de" --nsSaslMapFilterTemplate="(uid=\1)"
tux > sudo Enter value for nsSaslMapPriority :
Successfully created bhgssapi
tux > sudo dsconf localhost sasl get "bhgssapi"
dn: cn=bhgssapi,cn=mapping,cn=sasl,cn=config
cn: bhgssapi
nsSaslMapBaseDNTemplate: dc=example,dc=net,dc=de
nsSaslMapFilterTemplate: (uid=\1)
nsSaslMapPriority: 100
nsSaslMapRegexString: \(.*\)@EXAMPLE.NET.DE
objectClass: top
objectClass: nsSaslMapping
tux > sudo kadmin.local
kadmin.local > listprincs
kadmin.local > ank admin@EXAMPLE.COM
tux > sudo ldapsearch -D 'cn=Directory Manager' -w password -b 'cn=EXAMPLE.COM,cn=kdc,dc=example,dc=com' -H ldaps://localhost
tux > sudo admin@EXAMPLE.COM, EXAMPLE.COM, kdc, example.com
dn: krbprincipalname=admin@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kdc,dc=example,dc=com
krbLoginFailedCount: 0
krbPrincipalName: admin@EXAMPLE.COM
krbPrincipalKey:: MIG2oAMCAQGhAwIBAaIDAgEBowMCAQGkgZ8wgZwwVKAHMAWgAwIBAKFJMEeg
 AwIBEqFABD4gAKXAsMf7oV5vITzV5OpclhdomR+SdIRCkouS2GeNF9lVgxjT29RpnipNlCjgGOkpr
 93d0nh82WhrrAF6bzBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAFiGRiI0yUjBteGHhTB6ESJYsYJ
 WxFa4UslUNZD1GEQGlZ/0nltLsyD2ytGc=
krbLastPwdChange: 20190702032802Z
krbExtraData:: AAJCzxpdcm9vdC9hZG1pbkBFWEFNUExFLkNPTQA=
krbExtraData:: AAgBAA==
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: top
tux > sudo kinit admin@EXAMPLE.COM
tux > sudo klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
07/02/19 13:29:04  07/03/19 13:29:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
tux > ssh DOMAIN_NAME\\USER_NAME@HOST_NAME
root # zypper in freeradius-server
root # cd /etc/raddb/certs
root # ./bootstrap
root # radiusd -X
[...]
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 54435
Listening on proxy address :: port 58415
Ready to process requests
tux > radiusd -X | tee radiusd.text
bob   Cleartext-Password := "hello"
Reply-Message := "Hello, %{User-Name}"
tux > radtest bob hello 127.0.0.1 0 testing123
Sent Access-Request Id 241 from 0.0.0.0:35234 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "hello"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "hello"
Received Access-Accept Id 241 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(3) pap: Login attempt with password
(3) pap: Comparing with "known good" Cleartext-Password
(3) pap: User authenticated successfully
(3)     [pap] = ok
[...]
(3) Sent Access-Accept Id 241 from 127.0.0.1:1812 to 127.0.0.1:35234 length 0
(3) Finished request
Waking up in 4.9 seconds.
(3) Cleaning up request packet ID 241 with timestamp +889
client private-network-1 }
  ipaddr          = 192.0.2.0/24
  secret          = testing123-1 
  {
tux > radtest bob hello 192.168.2.100 0 testing123-1
tux > sudo groupadd mmedia_all
tux > sudo usermod -a -G mmedia_all tux
tux > cat /etc/polkit-1/rules.d/10-mount.rules
polkit.addRule(function(action, subject) {
 if (action.id =="org.freedesktop.udisks2.eject-media"
  && subject.isInGroup("mmedia_all")) {
   return polkit.Result.YES;
  }
});

polkit.addRule(function(action, subject) {
 if (action.id =="org.freedesktop.udisks2.filesystem-mount"
  && subject.isInGroup("mmedia_all")) {
   return polkit.Result.YES;
  }
});
root # systemctl restart udisks2
root # systemctl restart polkit
SECCHK_USER="firewall"
tux > sudo systemctl enable --now seccheck-daily.timer
tux > sudo systemctl list-timers
tux > sudo systemctl list-timers --all
root # zypper packages -i
root # zypper info PACKAGE_NAME
root # zypper rm -D PACKAGE_NAME
root # zypper rm -u PACKAGE_NAME
tux > umask
022
tux > touch a
tux > mkdir b
tux > ls -on
total 16
-rw-r--r--. 1 17086    0 Nov 29 15:05 a
drwxr-xr-x. 2 17086 4096 Nov 29 15:05 b
tux > umask 111
tux > touch c
tux > mkdir d
tux > ls -on
total 16
-rw-rw-rw-. 1 17086    0 Nov 29 15:05 c
drw-rw-rw-. 2 17086 4096 Nov 29 15:05 d
tux > umask 037
tux > touch e
tux > mkdir f
tux > ls -on
total 16
-rw-r-----. 1 17086    0 Nov 29 15:06 e
drwxr-----. 2 17086 4096 Nov 29 15:06 f
root # find /bin /boot /etc /home /lib /lib64 /opt /root /sbin /srv /tmp /usr /var -type f -perm '/6000' -ls
root # getcap -v /usr/bin/ping
      /usr/bin/ping = cap_new_raw+eip
root # find /bin /boot /etc /home /lib /lib64 /opt /root /sbin /srv /tmp /usr /var -type f -perm -2 ! -type l -ls
tux > ls -ld /tmp
drwxrwxrwt 18 root root 16384 Dec 23 22:20 /tmp
root # find /bin /boot /etc /home /lib /lib64 /opt /root /sbin /srv /tmp /usr /var -nouser -o -nogroup
tux > find /bin /lib /lib64 /usr -path /usr/local -prune -o -type f -a -exec /bin/sh -c "rpm -qf {} &> /dev/null || echo {}" \;
tux > gpg -e -r UID
  FILE
tux > gpg -e -r Tux secret.txt
tux > gpg -d -o DECRYPTED_FILE
  ENCRYPTED_FILE
root # cryptctl init-server
root # systemctl status cryptctl-server
root # cryptctl encrypt
tux > lsblk -o NAME,MOUNTPOINT,UUID
NAME                        MOUNTPOINT          UUID
[...]
sdc
└─sdc1                                          PARTITION_UUID
  └─cryptctl-unlocked-sdc1  /secret-partition   UNLOCKED_UUID
root # cryptctl list-keys
2019/06/06 15:50:00 ReloadDB: successfully loaded database of 1 records
Total: 1 records (date and time are in zone EDT)
Used By     When                 UUID  Max.Users  Num.Users  Mount Point
IP_ADDRESS  2019-06-06 15:00:50  UUID  1          1          /secret-partition
2019/06/06 15:50:00 ReloadDB: successfully loaded database of 1 records
Total: 1 records (date and time are in zone EDT)
Used By      When                 UUID  Max.Users  Num.Users  Mount Point
             2019-06-06 15:00:50  UUID  1          1          /secret-partition
root # cryptctl list-keys
root # cryptctl show-key UUID
root # systemctl stop cryptctl-server
root # egrep -v ':\*|:\!' /etc/shadow | awk -F: '{print $1}'
root # grep -v ':x:' /etc/passwd
root # find / -path /proc -prune -o -user ACCOUNT -ls
root # userdel -r ACCOUNT
root # useradd -c "TEST_USER" -g USERS TEST
root # id TEST
uid=509(test) gid=100(users) groups=100(users)
root # grep TEST /etc/shadow
test:!!:12742:7:60:7:14::
root # chage -M -1 SYSTEM_ACCOUNT_NAME
root # chage -l SYSTEM_ACCOUNT_NAME
root # chage -l TEST
Minimum: 7
Maximum: 60
Warning: 7
Inactive: 14
Last Change: Jan 11, 2015
Password Expires: Mar 12, 2015
Password Inactive: Mar 26, 2015
Account Expires: Never
# This file is autogenerated by pam-config. All changes
# will be overwritten.
tux > sudo pam-config -a --cracklib-minlen=8 --cracklib-retry=3 \
--cracklib-lcredit=-1 --cracklib-ucredit=-1 --cracklib-dcredit=-1 \
--cracklib-ocredit=-1 --cracklib
tux > sudo pam-config -a --pwhistory --pwhistory-remember=26
auth      required   pam_env.so
auth      required   pam_unix.so     try_first_pass
account   required   pam_unix.so     try_first_pass
password  requisit   pam_cracklib.so
password  required   pam_pwhistory.so        remember=26
password  optional   pam_gnome_keyring.so    use_authtok
password  required   pam_unix.so     use_authtok nullok shadow try_first_pass
session   required   pam_limits.so
session   required   pam_unix.so     try_first_pass
session   optional   pam_umask.so
auth required pam_tally2.so deny=6 unlock_time=600
#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
auth     required       pam_tally2.so deny=6 unlock_time=600
account  include        common-account
account  required       pam_tally2.so
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
#session  optional       pam_lastlog.so nowtmp showfailed
session  optional       pam_mail.so standard
auth required pam_tally2.so deny=6 even_deny_root unlock_time=600
auth required pam_tally2.so deny=6 root_unlock_time=120  unlock_time=600
root # pam_tally2 -u username
Login           Failures Latest failure     From
username            6    12/17/19 13:49:43  pts/1

root # pam_tally2 -r -u username
auth     requisite      pam_nologin.so
 auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so noconsole
 auth     include        common-auth
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
PermitRootLogin no
systemctl restart sshd.service
# /etc/profile.d/timeout.sh for SUSE Linux
#
# Timeout in seconds until the bash/ksh session is terminated
# in case of inactivity.
# 24h = 86400 sec
readonly TMOUT=86400
root # ulimit -a
UseLogin no
UsePAM no
PasswordAuthentication no
PubkeyAuthentication yes
oracle           soft    nofile          4096
oracle           hard    nofile          63536
root # ulimit -n 63536
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
root # su – oracle
tux > ulimit -n
4096
root # su – oracle
tux > ulimit -n
4096
tux > ulimit -n 63536
tux > ulimit -n
63536
root # su - oracle
tux > cat >> ~oracle/.bash_profile << EOF
ulimit -n 63536
EOF
if ! /usr/bin/gdialog --yesno '\nThis system is classified...\n' 10 10; then
    /usr/bin/gdialog --infobox 'Aborting login'
    exit 1;
fi
root # zypper in spectre-meltdown-checker
root # spectre-meltdown-checker.sh
root # spectre-meltdown-checker.sh --no-color| tee filename.txt
root # cd /boot
root # spectre-meltdown-checker.sh \
--no-color \
--kernel vmlinuz-4.12.14-lp151.28.13-default \
--config config-4.12.14-lp151.28.13-default \
--map System.map-4.12.14-lp151.28.13-default| tee filename.txt
tux > pkaction -v --action-id=org.freedesktop.login1.reboot
org.freedesktop.login1.reboot:
  description:       Reboot the system
  message:           Authentication is required to allow rebooting the system
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   yes
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig> 1

  <action id="org-opensuse-policykit-gparted"> 2
    <message>Authentication is required to run the GParted Partition Editor</message>
    <icon_name>gparted</icon_name>
    <defaults> 3
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
     < allow_active>auth_admin</allow_active>
    </defaults>
    <annotate 4
      key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
    <annotate 4
      key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>
/* Allow users in admin group to run GParted without authentication */
polkit.addRule(function(action, subject) {
    if (action.id == "org.opensuse.policykit.gparted" &&
        subject.isInGroup("admin")) {
        return polkit.Result.YES;
    }
});
<privilege_identifier>     <any session>:<inactive session>:<active session>
org.freedesktop.policykit.modify-defaults     auth_admin_keep_always
# /sbin/set_polkit_default_privs
tux > sudo rm -f /var/lib/polkit/* && set_polkit_default_privs
-rwsr-xr-x  1 root shadow 80036 2004-10-02 11:08 /usr/bin/passwd
drwxrws--- 2 tux archive 48 Nov 19 17:12  backup
drwxrwxrwt 2 root root 1160 2002-11-19 17:15 /tmp
drwxr-x--- ... tux project3 ... mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
group::r-x
other::---
root # setfacl -m user:geeko:rwx,group:mascots:rwx mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:geeko:rwx
group::r-x
group:mascots:rwx
mask::rwx
other::---
drwxrwx---+ ... tux project3 ... mydir
drwxr-x---+ ... tux project3 ... mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:geeko:rwx          # effective: r-x
group::r-x
group:mascots:rwx       # effective: r-x
mask::r-x
other::---
tux > setfacl -d -m group:mascots:r-x mydir
tux > getfacl mydir

# file: mydir
# owner: tux
# group: project3
user::rwx
user:geeko:rwx
group::r-x
group:mascots:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:mascots:r-x
default:mask::r-x
default:other::---
tux > mkdir mydir/mysubdir

getfacl mydir/mysubdir

# file: mydir/mysubdir
# owner: tux
# group: project3
user::rwx
group::r-x
group:mascots:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:mascots:r-x
default:mask::r-x
default:other::---
-rw-r-----+ ... tux project3 ... mydir/myfile
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x          # effective:r--
group:mascots:r-x   # effective:r--
mask::r--
other::---
export NSS_USE_SHARED_DB=1
Binlib     = p+i+n+u+g+s+b+m+c+md5+sha1
/sbin  Binlib
!/sbin/conf.d
root # aide --config-check
root # aide --config-check
35:syntax error:!
35:Error while reading configuration:!
Configuration error
root # aide -i
root # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
root # aide --check
root # aide --check
AIDE found differences between database and filesystem!!

Summary:
  Total number of files:        1992
  Added files:                  0
  Removed files:                0
  Changed files:                1
root # aide --check -V
AIDE found differences between database and filesystem!!
Start timestamp: 2009-02-18 15:14:10

Summary:
  Total number of files:        1992
  Added files:                  0
  Removed files:                0
  Changed files:                1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/passwd

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/passwd
  Mtime    : 2009-02-18 15:11:02              , 2009-02-18 15:11:47
  Ctime    : 2009-02-18 15:11:02              , 2009-02-18 15:11:47
root # cp DVD1/suse/ARCH/aideVERSION.ARCH.rpm /srv/ftp
root # cp DVD1/suse/ARCH/mhashVERSION.ARCH.rpm /srv/ftp
dud:ftp://ftp.example.com/aideVERSION.ARCH.rpm
dud:ftp://ftp.example.com/mhashVERSION.ARCH.rpm
info=ftp://ftp.example.com/info.txt
tux > ssh tux@sun
tux > ssh -l tux sun
tux > ssh root@sun "dmesg -T | tail -n 25"
tux > ssh root@sun "cat /etc/issue && uptime"
tux > scp ~/MyLetter.tex tux@sun:/tmp 1
tux > scp tux@sun:/tmp/MyLetter.tex ~ 2
tux > scp -r src/ sun:backup/
tux > sftp sun
Enter passphrase for key '/home/tux/.ssh/id_rsa':
Connected to sun.
sftp> help
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
[...]
Subsystem sftp /usr/lib/ssh/sftp-server -u 0002
Subsystem sftp /usr/lib/ssh/sftp-server -m 600
tux > sudo journalctl -u sshd
tux > ~/.ssh/id_rsa.pub
ssh-copy-id -i tux@sun

tux > ~/.ssh/id_dsa.pub
ssh-copy-id -i ~/.ssh/id_dsa.pub  tux@sun

tux > ~notme/.ssh/id_rsa.pub
ssh-copy-id -i ~notme/.ssh/id_rsa.pub  tux@sun
if [ -f ~/.xinitrc.template ]; then mv ~/.xinitrc.template ~/.xinitrc; \
else cp /etc/skel/.xinitrc.template ~/.xinitrc; fi
# if test -S "$SSH_AUTH_SOCK" -a -x "$SSH_ASKPASS"; then
#       ssh-add < /dev/null
# fi
tux > ssh-agent -s /bin/bash
eval $(ssh-agent)
root # ssh -L 25:sun:25 jupiter
root # ssh -L 110:sun:110 jupiter
root # firewall-cmd --runtime-to-permanent
root # firewall-cmd --reload
root # systemctl reload firewalld
root # firewall-cmd --zone=public --list-interfaces
eth0
root # firewall-cmd --get-zone-of-interface=eth0
public
root # firewall-cmd --zone=internal --add-interface=eth0
root # firewall-cmd --zone=internal --change-interface=eth0
root # firewall-cmd --get-default-zone
dmz
root # firewall-cmd --set-default-zone=public
root # firewall-cmd --get-services
[...] dhcp dhcpv6 dhcpv6-client dns docker-registry [...]
root # firewall-cmd --info-service dhcp
dhcp
  ports: 67/udp
  protocols:
  source-ports:
  modules:
  destination:
root # firewall-cmd --add-service=http --zone=internal
root # firewall-cmd --add-port=8000/tcp --zone=internal
root # firewall-cmd --add-service=imap --zone=internal --timeout=5m
root # firewall-cmd  --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 \
    -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
root # firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" \
    source address="192.168.2.4" drop'
root # firewall-cmd --zone=internal --add-masquerade
root # firewall-cmd --zone=public \
    --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.1.10
options nfs callback_tcpport=21005
root # firewall-cmd --permanent --new-service=nfs-rpc
root # firewall-cmd --permanent --service=nfs-rpc --set-description="NFS related, statically configured RPC ports"
# add UDP and TCP ports for the given sequence
root # for port in 21001 21002 21003 21004; do
    firewall-cmd --permanent --service=nfs-rpc --add-port ${port}/udp --add-port ${port}/tcp
done
# the callback port is TCP only
root # firewall-cmd --permanent --service=nfs-rpc --add-port 21005/tcp

# show the complete definition of the new custom service
root # firewall-cmd --info-service=nfs-rpc --permanent -v
nfs-rpc
  summary:
  description: NFS and related, statically configured RPC ports
  ports: 4711/tcp 21001/udp 21001/tcp 21002/udp 21002/tcp 21003/udp 21003/tcp 21004/udp 21004/tcp
  protocols:
  source-ports:
  modules:
  destination:

# reload firewalld to make the new service definition available
root # firewall-cmd --reload

# the new service definition can now be used to open the ports for example in the internal zone
root # firewall-cmd --add-service=nfs-rpc --zone=internal
root # zypper in susefirewall2-to-firewalld
root # susefirewall2-to-firewalld
INFO: Reading the /etc/sysconfig/SuSEfirewall2 file
INFO: Ensuring all firewall services are in a well-known state.
INFO: This will start/stop/restart firewall services and it's likely
INFO: to cause network disruption.
INFO: If you do not wish for this to happen, please stop the script now!
5...4...3...2...1...Lets do it!
INFO: Stopping firewalld
INFO: Restarting SuSEfirewall2_init
INFO: Restarting SuSEfirewall2
INFO: DIRECT: Adding direct rule="ipv4 -t filter -A INPUT -p udp -m udp --dport 5353 -m pkttype
  --pkt-type multicast -j ACCEPT"
[...]
INFO: Enabling direct rule=ipv6 -t filter -A INPUT -p udp -m udp --dport 546 -j ACCEPT
INFO: Enabling direct rule=ipv6 -t filter -A INPUT -p udp -m udp --dport 5353 -m pkttype
  --pkt-type multicast -j ACCEPT
INFO: Enable logging for denied packets
INFO: ##########################################################
INFO:
INFO: The dry-run has been completed. Please check the above output to ensure
INFO: that everything looks good.
INFO:
INFO: ###########################################################
INFO: Stopping firewalld
INFO: Restarting SuSEfirewall2_init
INFO: Restarting SuSEfirewall2
root # susefirewall2-to-firewalld | tee newfirewallrules.txt
root # openvpn --genkey --secret /etc/openvpn/secret.key
root # scp /etc/openvpn/secret.key root@IP_OF_CLIENT:/etc/openvpn/
dev tun
ifconfig IP_OF_SERVER IP_OF_CLIENT
secret secret.key
STARTMODE='manual'
BOOTPROTO='static'
TUNNEL='tun'
TUNNEL_SET_OWNER='nobody'
TUNNEL_SET_GROUP='nobody'
LINK_REQUIRED=no
PRE_UP_SCRIPT='systemd:openvpn@server'
PRE_DOWN_SCRIPT='systemd:openvpn@service'
tux > sudo wicked ifup tun0
tun0            up
remote DOMAIN_OR_PUBLIC_IP_OF_SERVER
dev tun
ifconfig IP_OF_CLIENT IP_OF_SERVER
secret secret.key
STARTMODE='manual'
BOOTPROTO='static'
TUNNEL='tun'
TUNNEL_SET_OWNER='nobody'
TUNNEL_SET_GROUP='nobody'
LINK_REQUIRED=no
PRE_UP_SCRIPT='systemd:openvpn@client'
PRE_DOWN_SCRIPT='systemd:openvpn@client'
tux > sudo wicked ifup tun0
tun0            up
ip addr show tun0
ping -I tun0 IP_OF_SERVER
ping -I tun0 IP_OF_CLIENT
# /etc/openvpn/server.conf
port 1194 1
proto udp 2
dev tun0 3

# Security 4

ca    vpn_ca.pem
cert  server_crt.pem
key   server_key.pem

# ns-cert-type server 
remote-cert-tls client 5
dh   server/dh2048.pem 6

server 192.168.1.0 255.255.255.0 7
ifconfig-pool-persist /var/run/openvpn/ipp.txt 8

# Privileges 9
user nobody
group nobody

# Other configuration 10
keepalive 10 120
comp-lzo
persist-key
persist-tun
# status      /var/log/openvpn-status.tun0.log 11
# log-append  /var/log/openvpn-server.log 12
verb 4
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
... Initialization Sequence Completed
# /etc/openvpn/client.conf
client 1
dev tun 2
proto udp 3
remote IP_OR_HOST_NAME 1194 4
resolv-retry infinite
nobind

remote-cert-tls server 5

# Privileges 6
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Security 7
pkcs12 client1.p12

comp-lzo 8
tux > sudo zypper in -t pattern apparmor
19848 /usr/sbin/cupsd not confined
19887 /usr/sbin/sshd not confined
19947 /usr/lib/postfix/master not confined
1328 /usr/sbin/smbd confined by '/usr/sbin/smbd (enforce)'
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
37021 /usr/sbin/sshd2 confined
   by '/usr/sbin/sshd3 (enforce)'
4040 /usr/sbin/smbd confined by '/usr/sbin/smbd (enforce)'
4373 /usr/lib/postfix/master confined by '/usr/lib/postfix/master (enforce)'
4505 /usr/sbin/httpd2-prefork confined by '/usr/sbin/httpd2-prefork (enforce)'
646 /usr/lib/wicked/bin/wickedd-dhcp4 not confined
647 /usr/lib/wicked/bin/wickedd-dhcp6 not confined
5592 /usr/bin/ssh not confined
7146 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (complain)'
/usr/bin/httpd2-prefork {
  # ...
  ^/cgi-bin/localtime.php {
    /etc/localtime                  r,
    /srv/www/cgi-bin/localtime.php  r,
    /usr/lib/locale/**              r,
  }
}
^DEFAULT_URI {
    /usr/sbin/suexec2                  mixr,
    /var/log/apache2/**                rwl,
    @{HOME}/public_html                r,
    @{HOME}/public_html/**             r,
    /srv/www/htdocs                    r,
    /srv/www/htdocs/**                 r,
    /srv/www/icons/*.{gif,jpg,png}     r,
    /srv/www/vhosts                    r,
    /srv/www/vhosts/**                 r,
    /usr/share/apache2/**              r,
    /var/lib/php/sess_*                rwl
}
#include <tunables/global>1

# a comment naming the application to confine
/usr/bin/foo2 {3
   #include <abstractions/base>4

   capability setgid5,
   network inet tcp6,

   link /etc/sysconfig/foo -> /etc/foo.conf,7
   /bin/mount            ux,
   /dev/{,u}8random     r,
   /etc/ld.so.cache      r,
   /etc/foo/*            r,
   /lib/ld-*.so*         mr,
   /lib/lib*.so*         mr,
   /proc/[0-9]**         r,
   /usr/lib/**           mr,
   /tmp/                 r,9
   /tmp/foo.pid          wr,
   /tmp/foo.*            lrw,
   /@{HOME}10/.foo_file   rw,
   /@{HOME}/.foo_lock    kw,
   owner11 /shared/foo/** rw,
   /usr/bin/foobar       Cx,12
   /bin/**               Px -> bin_generic,13

   # a comment about foo's local (children) profile for /usr/bin/foobar.

   profile /usr/bin/foobar14 {
      /bin/bash          rmix,
      /bin/cat           rmix,
      /bin/more          rmix,
      /var/log/foobar*   rwl,
      /etc/foobar        r,
   }

  # foo's hat, bar.
   ^bar15 {
    /lib/ld-*.so*         mr,
    /usr/bin/bar          px,
    /var/spool/*          rwl,
   }
}
/usr/bin/foo {
...
}
profile /usr/bin/foo {
...
}
/usr/bin/foo {
...
}
/parent/profile {
   ...
   profile /local/profile {
      ...
   }
}
change_profile -> /usr/bin/foobar,
include "/etc/apparmor.d/abstractions/foo"
#include "/etc/apparmor.d/abstractions/foo"
include "/etc/apparmor.d/abstractions/foo"   # absolute path
include "abstractions/foo"   # relative path to the directory of current file
include "abstractions/foo"
include "example"
-I /etc/apparmor.d/ -I /usr/share/apparmor/
include <abstractions/foo>
Include /usr/share/apparmor/
Include /etc/apparmor.d/
capability dac_override sys_admin,   # multiple capabilities
capability,                          # grant all capabilities
network [[<domain>1][<type2>][<protocol3>]]
network1,
network inet2,
network inet63,
network inet stream4,
network inet tcp5,
network tcp6,
/usr/bin/foo { ... }
/path/to/profiled/binary flags=(list_of_flags) {
  [...]
}
ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/force-complain/bin.ping
@{CHROOT_BASE}=/tmp/foo
/sbin/rsyslogd {
...
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
@{CHROOT_BASE}/var/log/** w,
...
}
@{HOMEDIRS}=/home/
@{HOME}=@{HOMEDIRS}/*/ /root/
[...]
@{HOMEDIRS}+=/srv/nfs/home/ /mnt/home/
/{usr/,}bin/foo { ... }
/bin/foo { ... }

/bin/f*  { ... }

/bin/**  { ... }
:childNameSpace://
:childNameSpace://apache
/path/to/executable px -> :childNameSpace://apache
/** { ... }
profile default /** { ... }
/usr/lib64/firefox*/firefox-*bin { ... }
profile firefox /usr/lib64/firefox*/firefox-*bin { ... }
alias /home/ -> /usr/home/
/home/username/** r,
/usr/home/username/** r,
alias /home/ -> /usr/home/
alias /home/ -> /mnt/home/
/srv/www/htdocs/index.html rl,
link /srv/www/htdocs/index.html -> /var/www/index.html
/var/www/index.html l,
link subset /var/www/index.html -> /**,
allow file /example r,
allow /example r,
allow network,
file /example/rule r,
/example/rule r,
file,
/** rwmlk,
/path rw,            # old style
rw /path,            # leading permission
file rw /path,       # with explicit 'file' keyword
allow file rw /path, # optional 'allow' keyword added
owner /home/*/** rw
/foo r,
owner /foo rw,  # or w,
owner /foo rw,
other /foo r,
deny /home/*/.ssh/** w,
owner /home/*/** rw,
mount options=ro /dev/foo -E /mnt/,
root # mount -o ro /dev/foo /mnt
root # mount -o ro,atime /dev/foo /mnt
root # mount -o rw /dev/foo /mnt
mount options in (ro,atime) /dev/foo -> /mnt/,
root # mount -o ro /dev/foo /mnt
root # mount -o ro,atime /dev/foo /mnt
root # mount -o atime /dev/foo /mnt
root # mount -o ro,sync /dev/foo /mnt
root # mount -o ro,atime,sync /dev/foo /mnt
root # mount -o rw /dev/foo /mnt
root # mount -o rw,noatime /dev/foo /mnt
root # mount /dev/foo /mnt
mount options=ro options=atime
root # mount -o ro /dev/foo /mnt
root # mount -o atime /dev/foo /mnt
root # mount -o ro,atime /dev/foo /mnt
mount options=ro,
mount options=atime,
mount options=(ro,atime),
mount options in (ro,atime),
mount options=(ro, atime) options in (nodev, user) /dev/foo -> /mnt/,
root # mount -o ro,atime /dev/foo /mnt
root # mount -o nodev /dev/foo /mnt
root # mount -o user /dev/foo /mnt
root # mount -o nodev,user /dev/foo /mnt
pivot_root [oldroot=OLD_ROOT] NEW_ROOT
# Allow any pivot
pivot_root,

# Allow pivoting to any new root directory and putting the old root
# directory at /mnt/root/old/
pivot_root oldroot=/mnt/root/old/,

# Allow pivoting the root directory to /mnt/root/
pivot_root /mnt/root/,

# Allow pivoting to /mnt/root/ and putting the old root directory at
# /mnt/root/old/
pivot_root oldroot=/mnt/root/old/ /mnt/root/,

# Allow pivoting to /mnt/root/, putting the old root directory at
# /mnt/root/old/ and transition to the /mnt/root/sbin/init profile
pivot_root oldroot=/mnt/root/old/ /mnt/root/ -> /mnt/root/sbin/init,
# Allow all PTrace access
ptrace,

# Explicitly allow all PTrace access,
ptrace (read, readby, trace, tracedby),

# Explicitly deny use of ptrace(2)
deny ptrace (trace),

# Allow unconfined processes (eg, a debugger) to ptrace us
ptrace (readby, tracedby) peer=unconfined,

# Allow ptrace of a process running under the /usr/bin/foo profile
ptrace (trace) peer=/usr/bin/foo,
# Allow all signal access
signal,

# Explicitly deny sending the HUP and INT signals
deny signal (send) set=(hup, int),

# Allow unconfined processes to send us signals
signal (receive) peer=unconfined,

# Allow sending of signals to a process running under the /usr/bin/foo
# profile
signal (send) peer=/usr/bin/foo,

# Allow checking for PID existence
signal (receive, send) set=("exists"),

# Allow us to signal ourselves using the built-in @{profile_name} variable
signal peer=@{profile_name},

# Allow two real-time signals
signal set=(rtmin+0 rtmin+32),

1	Declares the version of this configuration file for PAM 1.0. This is merely a convention, but could be used in the future to check the version.
2	Checks, if `/etc/nologin` exists. If it does, no user other than `root` may log in.
3	Refers to the configuration files of four module types: `common-auth`, `common-account`, `common-password`, and `common-session`. These four files hold the default configuration for each module type.
4	Sets the login UID process attribute for the process that was authenticated.
5	Displays information about the last login of a user.

Object Class	Meaning	Example Entry	Req. Attr.
`domain`	name components of the domain	example	displayName
`organizationalUnit`	organizational unit	doc	ou
`nsPerson`	person-related data for the intranet or Internet	Geeko Linux	cn

1	The name of the attribute, its unique object identifier (OID, numerical), and the abbreviation of the attribute.
2	A brief description of the attribute with `DESC`. The corresponding RFC, on which the definition is based, may also mentioned here.
3	The type of data that can be held in the attribute. In this case, it is a case-insensitive directory string.
4	The source of the schema element (for example, the name of the project).
5	The definition of the object class `nsPerson` begins with an OID and the name of the object class (like the definition of the attribute).
6	A brief description of the object class.
7	The `SUP top` entry indicates that this object class is not subordinate to another object class.
8	With `MUST` list all attribute types that must be used with an object of the type `nsPerson`.
9	With `MAY` list all attribute types that are optionally permitted with this object class.

Service Descriptor	Service
`host`	Telnet, RSH, SSH
`nfs`	NFSv4 (with Kerberos support)
`HTTP`	HTTP (with Kerberos authentication)
`imap`	IMAP
`pop`	POP3
`ldap`	LDAP

`/etc/passwd` check	length/number/contents of fields, accounts with same UID accounts with UID/GID of 0 or 1 beside root and bin
`/etc/shadow` check	length/number/contents of fields, accounts with no password
`/etc/group` check	length/number/contents of fields
user root checks	secure umask and `PATH`
`/etc/ftpusers`	checks if important system users are put there
`/etc/aliases`	checks for mail aliases which execute programs
`.rhosts` check	checks if users' `.rhosts` file contain + signs
home directory	checks if home directories are writable or owned by someone else
dot-files check	checks many dot-files in the home directories if they are writable or owned by someone else
mailbox check	checks if user mailboxes are owned by user and are readable
NFS export check	exports should not be exported globally
NFS import check	NFS mounts should have the `nosuid` option set
promisc check	checks if network cards are in promiscuous mode
list modules	lists loaded modules
list sockets	lists open ports

1	`pam_env.so` loads `/etc/security/pam_env.conf` to set the environment variables as specified in this file. It can be used to set the `DISPLAY` variable to the correct value, because the `pam_env` module knows about the location from which the login is taking place.
2	`pam_gnome_keyring.so` checks the user's login and password against the GNOME key ring
3	`pam_unix` checks the user's login and password against `/etc/passwd` and `/etc/shadow`.

1	Needs to point to the LDAP server instance. If not specified otherwise, the default instance name is `localhost`.
2	Path to the certificate, at a readable location or on the client machine, from which you use the `ds*` commands.

password check	runs `john` to crack the password file, user will receive an e-mail notice to change their password
RPM md5 check	checks for changed files via RPM's MD5 checksum feature
suid/sgid check	lists all suid and sgid files
exec group write	lists all executables which are group/world-writable
writable check	lists all files which are world-writable (including executables)
device check	lists all devices

`/etc/login.defs`	`PASS_MAX_DAYS`	Maximum number of days a password is valid.
`/etc/login.defs`	`PASS_MIN_DAYS`	Minimum number of days before a user can change the password since the last change.
`/etc/login.defs`	`PASS_WARN_AGE`	Number of days when the password change reminder starts.
`/etc/default/useradd`	`INACTIVE`	Number of days after password expiration that account is disabled.
`/etc/default/useradd`	`EXPIRE`	Account expiration date in the format YYYY-MM-DD.

`pam_cracklib.so`	`minlen=8`	Minimum length of password is 8
`pam_cracklib.so`	`lcredit=-1`	Minimum number of lowercase letters is 1
`pam_cracklib.so`	`ucredit=-1`	Minimum number of uppercase letters is 1
`pam_cracklib.so`	`dcredit=-1`	Minimum number of digits is 1
`pam_cracklib.so`	`ocredit=-1`	Minimum number of other characters is 1

package	shell personalities	shell variable	time unit	readonly setting	config path (only login shell)	config path (all shells)
`bash`	`bash, sh`	`TMOUT`	seconds	`readonly TMOUT=`	`/etc/profile.local`, `/etc/profile.d/`	`/etc/bash.bashrc`
`mksh`	`ksh, lksh, mksh, pdksh`	`TMOUT`	seconds	`readonly TMOUT=`	`/etc/profile.local`, `/etc/profile.d/`	`/etc/ksh.kshrc.local`
`tcsh`	`csh, tcsh`	`autologout`	minutes	`set -r autologout=`	`/etc/csh.login.local`	`/etc/csh.cshrc.local`
`zsh`	`zsh`	`TMOUT`	seconds	`readonly TMOUT=`	`/etc/profile.local`, `/etc/profile.d/`	`/etc/zsh.zshrc.local`

1	Root element of the policy file.
2	Contains one single action.
3	The `defaults` element contains several permissions used in remote sessions like SSH, VNC (element `allow_inactive`), when logged directly into the machine on a TTY or X display (element `allow_active`), or for both (element `allow_any`). The value `auth_admin` indicates authentication is required as an administrative user.
4	The `annotate` element contains specific information regarding how PolKit performs an action. In this case, it contains the path to the executable and states whether a GUI is allowed to open a X display.

Type	Text Form
owner	`user::rwx`
named user	`user:name:rwx`
owning group	`group::rwx`
named group	`group:name:rwx`
mask	`mask::rwx`
other	`other::rwx`

Entry Type	Text Form	Permissions
named user	`user:geeko:r-x`	`r-x`
mask	`mask::rw-`	`rw-`
	effective permissions:	`r--`

Option	Description
p	Check for the file permissions of the selected files or directories.
i	Check for the inode number. Every file name has a unique inode number that should not change.
n	Check for the number of links pointing to the relevant file.
u	Check if the owner of the file has changed.
g	Check if the group of the file has changed.
s	Check if the file size has changed.
b	Check if the block count used by the file has changed.
m	Check if the modification time of the file has changed.
c	Check if the files access time has changed.
S	Check for a changed file size.
I	Ignore changes of the file name.
md5	Check if the md5 checksum of the file has changed. We recommend to use sha256 or sha512.
sha1	Check if the sha1 (160 Bit) checksum of the file has changed. We recommend to use sha256 or sha512.
sha256	Check if the sha256 checksum of the file has changed.
sha512	Check if the sha512 checksum of the file has changed.

permissions original	umask	permissions uploaded
0666	0002	0664
0600	0002	0600
0775	0025	0750

File Path	Variable Name	Example Value
`/etc/sysconfig/nfs`	MOUNTD_PORT	21001
	STATD_PORT	21002
	LOCKD_TCPPORT	21003
	LOCKD_UDPPORT	21003
	RQUOTAD_PORT	21004
`/etc/sysconfig/ypbind`	YPBIND_OPTIONS	-p 24500
`/etc/sysconfig/ypserv`	YPXFRD_ARGS	-p 24501
	YPSERV_ARGS	-p 24502
	YPPASSWDD_ARGS	--port 24503

1	This loads a file containing variable definitions.
2	The normalized path to the program that is confined.
3	The curly braces (`{}`) serve as a container for include statements, subprofiles, path entries, capability entries, and network entries.
4	This directive pulls in components of AppArmor profiles to simplify profiles.
5	Capability entry statements enable each of the 29 POSIX.1e draft capabilities.
6	A directive determining the kind of network access allowed to the application. For details, refer to Section 30.5, “Network Access Control”.
7	A link pair rule specifying the source and the target of a link. See Section 30.7.6, “Link Pair” for more information.
8	The curly braces (`{}`) here allow for each of the listed possibilities, one of which is the empty string.
9	A path entry specifying what areas of the file system the program can access. The first part of a path entry specifies the absolute path of a file (including regular expression globbing) and the second part indicates permissible access modes (for example `r` for read, `w` for write, and `x` for execute). A whitespace of any kind (spaces or tabs) can precede the path name, but must separate the path name and the mode specifier. Spaces between the access mode and the trailing comma are optional. Find a comprehensive overview of the available access modes in Section 30.7, “File Permission Access Modes”.
10	This variable expands to a value that can be changed without changing the entire profile.
11	An owner conditional rule, granting read and write permission on files owned by the user. Refer to Section 30.7.8, “Owner Conditional Rules” for more information.
12	This entry defines a transition to the local profile `/usr/bin/foobar`. Find a comprehensive overview of the available execute modes in Section 30.12, “Execute Modes”.
13	A named profile transition to the profile bin_generic located in the global scope. See Section 30.12.7, “Named Profile Transitions” for details.
14	The local profile `/usr/bin/foobar` is defined in this section.
15	This section references a “hat” subprofile of the application. For more details on AppArmor's ChangeHat feature, refer to Chapter 34, Profiling Your Web Applications Using ChangeHat.

1	The TCP/UDP port on which OpenVPN listens. You need to open the port in the firewall, see Chapter 25, Masquerading and Firewalls. The standard port for VPN is 1194, so you can usually leave that as it is.
2	The protocol, either UDP or TCP.
3	The tun or tap device. For the difference between these, see Section 26.1.1, “Terminology”.
4	The following lines contain the relative or absolute path to the root server CA certificate (`ca`), the root CA key (`cert`), and the private server key (`key`). These were generated in Section 26.3.1, “Creating Certificates”.
5	Require that peer certificates have been signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.
6	The Diffie-Hellman parameters. Create the required file with the following command: openssl dhparam -out /etc/openvpn/dh2048.pem 2048
7	Supplies a VPN subnet. The server can be reached by `192.168.1.1`.
8	Records a mapping of clients and its virtual IP address in the given file. Useful when the server goes down and (after the restart) the clients get their previously assigned IP address.
9	For security reasons, run the OpenVPN daemon with reduced privileges. To do so, specify that it should use the group and user `nobody`.
10	Several configuration options—see the comment in the example configuration file: `/usr/share/doc/packages/openvpn/sample-config-files`.
11	Enable this option to write short status updates with statistical data (“operational status dump”) to the named file. By default, this is not enabled. All output is written to the system journal, which can be displayed with `journalctl`. If you have more than one configuration file (for example, one for home and another for work), it is recommended to include the device name into the file name. This avoids overwriting output files accidentally. In this case, it is `tun0`, taken from the `dev` directive—see 3.
12	By default, log messages go to syslog. Overwrite this behavior by removing the hash character. In that case, all messages go to `/var/log/openvpn-server.log`. Do not forget to configure a logrotate service. See `man 8 logrotate` for further details.

1	Specifies that this machine is a client.
2	The network device. Both clients and server must use the same device.
3	The protocol. Use the same settings as on the server.
5	This is security option for clients which ensures that the host they connect to is a designated server.
4	Replace the placeholder IP_OR_HOST_NAME with the respective host name or IP address of your VPN server. After the host name, the port of the server is given. You can have multiple lines of `remote` entries pointing to different VPN servers. This is useful for load balancing between different VPN servers.
6	For security reasons, run the OpenVPN daemon with reduced privileges. To do so, specify that it should use the group and user `nobody`.
7	Contains the client files. For security reasons, use a separate pair of files for each client.
8	Turn on compression. Only use this parameter if compression is enabled on the server as well.

1	The first portion is a number. This number is the process ID number (PID) of the listening program.
2	The second portion is a string that represents the absolute path of the listening program
3	The final portion indicates the profile confining the program, if any.

1	Supported domains: `inet`, `ax25`, `ipx`, `appletalk`, `netrom`, `bridge`, `x25`, `inet6`, `rose`, `netbeui`, `security`, `key`, `packet`, `ash`, `econet`, `atmsvc`, `sna`, `pppox`, `wanpipe`, `bluetooth`, `unix`, `atmpvc`,`netlink`, `llc`, `can`, `tipc`, `iucv`, `rxrpc`, `isdn`, `phonet`, `ieee802154`, `caif`, `alg`, `nfc`, `vsock`
2	Supported types: `stream`, `dgram`, `seqpacket`, `rdm`, `raw`, `packet`
3	Supported protocols: `tcp`, `udp`, `icmp`

1	Allow all networking. No restrictions applied with regard to domain, type, or protocol.
2	Allow general use of IPv4 networking.
3	Allow general use of IPv6 networking.
4	Allow the use of IPv4 TCP networking.
5	Allow the use of IPv4 TCP networking, paraphrasing the rule above.
6	Allow the use of both IPv4 and IPv6 TCP networking.

`*`	Substitutes for any number of any characters, except `/`. Example: An arbitrary number of file path elements.
`**`	Substitutes for any number of characters, including `/`. Example: An arbitrary number of path elements, including entire directories.
`?`	Substitutes for any single character, except `/`.
`[abc]`	Substitutes for the single character `a`, `b`, or `c`. Example: a rule that matches `/home[01]/*/.plan` allows a program to access `.plan` files for users in both `/home0` and `/home1`.
`[a-c]`	Substitutes for the single character `a`, `b`, or `c`.
`{ab,cd}`	Expands to one rule to match `ab` and one rule to match `cd`. Example: a rule that matches `/{usr,www}/pages/**` grants access to Web pages in both `/usr/pages` and `/www/pages`.
`[^a]`	Substitutes for any character except `a`.

`r`	Read mode
`w`	Write mode (mutually exclusive to `a`)
`a`	Append mode (mutually exclusive to `w`)
`k`	File locking mode
`l`	Link mode
`link FILE -> TARGET`	Link pair rule (cannot be combined with other access modes)

`Px`	Discrete profile execute mode
`Cx`	Discrete local profile execute mode
`Ux`	Unconfined execute mode
`ix`	Inherit execute mode
`m`	Allow `PROT_EXEC` with `mmap(2)` calls

openSUSE Leap 15.2

Security and Hardening Guide

About This Guide #Edit source

1 Available Documentation #Edit source

Note: Online Documentation and Latest Updates

2 Giving Feedback #Edit source

3 Documentation Conventions #Edit source

Warning: Warning Notice

Important: Important Notice

Note: Note Notice

Tip: Tip Notice

1 Security and Confidentiality #Edit source

1.1 Overview #Edit source

1.2 Passwords #Edit source

1.3 System Integrity #Edit source

1.4 File Access #Edit source

1.5 Networking #Edit source

1.6 Software Vulnerabilities #Edit source

1.7 Malware #Edit source

1.8 Important Security Tips #Edit source

1.9 Reporting Security Issues #Edit source

2 Common Criteria #Edit source

2.1 Introduction #Edit source

2.2 Evaluation Assurance Level (EAL) #Edit source

2.3 Generic Guiding Principles #Edit source

Warning: Backdoors

2.4 For More Information #Edit source

Part I Authentication #Edit source

3 Authentication with PAM #Edit source

3.1 What is PAM? #Edit source

3.2 Structure of a PAM Configuration File #Edit source

Note: 64-Bit and 32-Bit Mixed Installations

3.3 The PAM Configuration of sshd #Edit source

Example 3.1: PAM Configuration for sshd (/etc/pam.d/sshd) #

Example 3.2: Default Configuration for the auth Section (common-auth) #

Example 3.3: Default Configuration for the account Section (common-account) #

Example 3.4: Default Configuration for the password Section (common-password) #

Example 3.5: Default Configuration for the session Section (common-session) #

3.4 Configuration of PAM Modules #Edit source

3.4.1 pam_env.conf #Edit source

Example 3.6: pam_env.conf #

3.4.2 pam_mount.conf.xml #Edit source

Note: LUKS2 Support

3.4.3 limits.conf #Edit source

3.5 Configuring PAM Using pam-config #Edit source

3.6 Manually Configuring PAM #Edit source

Warning: Include pam_systemd.so in Configuration

3.7 For More Information #Edit source

4 Using NIS #Edit source

4.1 Configuring NIS Servers #Edit source

4.1.1 Configuring a NIS Master Server #Edit source

Tip: Already Installed NIS Server Software

Figure 4.1: NIS Server Setup #

Figure 4.2: Master Server Setup #

Figure 4.3: Changing the Directory and Synchronizing Files for a NIS Server #

Figure 4.4: NIS Server Maps Setup #

Figure 4.5: Setting Request Permissions for a NIS Server #

4.1.2 Configuring a NIS Slave Server #Edit source

Tip

4.2 Configuring NIS Clients #Edit source

Figure 4.6: Setting Domain and Address of a NIS Server #

5 Setting Up Authentication Clients Using YaST #Edit source

5.1 Configuring an Authentication Client with YaST #Edit source

5.2 SSSD #Edit source

5.2.1 Checking the Status #Edit source

5.2.2 Caching #Edit source

6 LDAP—A Directory Service #Edit source

6.1 Structure of an LDAP Directory Tree #Edit source

Figure 6.1: Structure of an LDAP Directory #

Table 6.1: Commonly Used Object Classes and Attributes #

Example 6.1: Excerpt from CN=schema #

6.2 Installing the Software for 389 Directory Server #Edit source

6.3 Manually Configuring a 389 Directory Server #Edit source

6.3.1 Creating the 389 Directory Server Instance #Edit source

Note: Instance Name

Example 6.2: Basic Instance Configuration File #

6.3.2 Using CA Certificates for TSL #Edit source

Important: *.p12 File and Friendly Name

6.3.3 Configuring Admin Credentials for Remote/Local Access #Edit source

Example 6.3: A .dsrc File for Remote Administration #

Example 3.1: PAM Configuration for sshd (`/etc/pam.d/sshd`) #

Example 3.2: Default Configuration for the `auth` Section (`common-auth`) #

Example 3.3: Default Configuration for the `account` Section (`common-account`) #

Example 3.4: Default Configuration for the `password` Section (`common-password`) #

Example 3.5: Default Configuration for the `session` Section (`common-session`) #

Warning: Include `pam_systemd.so` in Configuration

Important: `*.p12` File and Friendly Name

Example 6.3: A `.dsrc` File for Remote Administration #

Example 6.4: A `.dsrc` File for Local Administration #

Example 7.1: Example KDC Configuration, `/etc/krb5.conf` #