openSUSE Leap 15.3

Security and Hardening Guide

Abstract

This guide introduces basic concepts of system security and describes the usage of security software included with the product, such as AppArmor, SELinux, or the auditing system. The guide also supports system administrators in hardening an installation.

Publication Date: May 25, 2022
Preface
Available documentation
Improving the documentation
Documentation conventions
1 Security and confidentiality
1.1 Overview
1.2 Passwords
1.3 Backups
1.4 System integrity
1.5 File access
1.6 Networking
1.7 Software vulnerabilities
1.8 Malware
1.9 Important security tips
1.10 Reporting security issues
2 Common Criteria
2.1 Introduction
2.2 Evaluation Assurance Level (EAL)
2.3 Generic guiding principles
2.4 More information
I Authentication
3 Authentication with PAM
3.1 What is PAM?
3.2 Structure of a PAM configuration file
3.3 The PAM configuration of sshd
3.4 Configuration of PAM modules
3.5 Configuring PAM using pam-config
3.6 Manually configuring PAM
3.7 More information
4 Using NIS
4.1 Configuring NIS servers
4.2 Configuring NIS clients
5 Setting up authentication clients using YaST
5.1 Configuring an authentication client with YaST
5.2 SSSD
6 LDAP with 389 Directory Server
6.1 Structure of an LDAP directory tree
6.2 Installing 389 Directory Server
6.3 Firewall configuration
6.4 Backing up and restoring 389 Directory Server
6.5 Managing LDAP users and groups
6.6 Using SSSD to manage LDAP authentication
6.7 Managing modules
6.8 Migrating to 389 Directory Server from OpenLDAP
6.9 Importing TLS server certificates and keys
6.10 Setting up replication
6.11 Synchronizing with Microsoft Active Directory
6.12 More information
7 Network authentication with Kerberos
7.1 Conceptual overview
7.2 Kerberos terminology
7.3 How Kerberos works
7.4 User view of Kerberos
7.5 Installing and administering Kerberos
7.6 Kerberos and NFS
7.7 More information
8 Active Directory support
8.1 Integrating Linux and Active Directory environments
8.2 Background information for Linux Active Directory support
8.3 Configuring a Linux client for Active Directory
8.4 Logging in to an Active Directory domain
8.5 Changing passwords
9 Setting up a freeRADIUS server
9.1 Installation and testing on SUSE Linux Enterprise
II Local security
10 Physical security
10.1 System locks
10.2 Locking down the BIOS
10.3 Security via the boot loaders
10.4 Retiring Linux servers with sensitive data
10.5 Restricting access to removable media
11 Software management
11.1 Removing unnecessary software packages (RPMs)
11.2 Patching Linux systems
12 File management
12.1 Disk partitions
12.2 Modifying permissions of certain system files
12.3 Changing home directory permissions from 755 to 700
12.4 Default umask
12.5 SUID/SGID files
12.6 World-writable files
12.7 Orphaned or unowned files
13 Encrypting partitions and files
13.1 Setting up an encrypted file system with YaST
13.2 Encrypting files with GPG
14 Storage encryption for hosted applications with cryptctl
14.1 Setting up a cryptctl server
14.2 Setting up a cryptctl client
14.3 Checking partition unlock status using server-side commands
14.4 Unlocking encrypted partitions manually
14.5 Maintenance downtime procedure
14.6 More information
15 User management
15.1 Various account checks
15.2 Enabling password aging
15.3 Stronger password enforcement
15.4 Password and login management with PAM
15.5 Restricting root logins
15.6 Restricting sudo users
15.7 Setting an inactivity timeout for interactive shell sessions
15.8 Preventing accidental denial of service
15.9 Displaying login banners
15.10 Connection accounting utilities
16 Restricting cron and at
16.1 Restricting the cron daemon
16.2 Restricting the at scheduler
17 Spectre/Meltdown checker
17.1 Using spectre-meltdown-checker
17.2 More information
18 Configuring security settings with YaST
18.1 Security overview
18.2 Predefined security configurations
18.3 Password settings
18.4 Boot settings
18.5 Login settings
18.6 User addition
18.7 Miscellaneous settings
19 Authorization with PolKit
19.1 Conceptual overview
19.2 Authorization types
19.3 Querying privileges
19.4 Modifying configuration files
19.5 Restoring the default privileges
20 Access control lists in Linux
20.1 Traditional file permissions
20.2 Advantages of ACLs
20.3 Definitions
20.4 Handling ACLs
20.5 ACL support in applications
20.6 More information
21 Intrusion detection with AIDE
21.1 Why use AIDE?
21.2 Setting up an AIDE database
21.3 Local AIDE checks
21.4 System independent checking
21.5 More information
III Network security
22 X Window System and X authentication
23 Securing network operations with OpenSSH
23.1 OpenSSH overview
23.2 Server hardening
23.3 Password authentication
23.4 scp—secure copy
23.5 sftp—secure file transfer
23.6 The SSH daemon (sshd)
23.7 SSH authentication mechanisms
23.8 Restricting SSH logins
23.9 Port forwarding
23.10 Adding and removing public keys on an installed system
23.11 More information
24 Masquerading and firewalls
24.1 Packet filtering with iptables
24.2 Masquerading basics
24.3 Firewalling basics
24.4 firewalld
24.5 Migrating from SuSEfirewall2
24.6 More information
25 Configuring a VPN server
25.1 Conceptual overview
25.2 Setting up a simple test scenario
25.3 Setting up your VPN server using a certificate authority
25.4 Setting up a VPN server or client using YaST
25.5 More information
26 Managing a PKI with XCA, X certificate and key manager
26.1 Installing XCA
26.2 Creating a new PKI
27 Improving network security with sysctl variables
28 Enabling compliance with FIPS 140-2
28.1 FIPS 140-2 overview
28.2 When to enable FIPS mode
28.3 Installing FIPS
28.4 Enabling FIPS mode
28.5 MD5 not supported in Samba/CIFS
IV Confining privileges with AppArmor
29 Introducing AppArmor
29.1 AppArmor components
29.2 Background information on AppArmor profiling
30 Getting started
30.1 Installing AppArmor
30.2 Enabling and disabling AppArmor
30.3 Choosing applications to profile
30.4 Building and modifying profiles
30.5 Updating your profiles
31 Immunizing programs
31.1 Introducing the AppArmor framework
31.2 Determining programs to immunize
31.3 Immunizing cron jobs
31.4 Immunizing network applications
32 Profile components and syntax
32.1 Breaking an AppArmor profile into its parts
32.2 Profile types
32.3 Include statements
32.4 Capability entries (POSIX.1e)
32.5 Network access control
32.6 Profile names, flags, paths, and globbing
32.7 File permission access modes
32.8 Mount rules
32.9 Pivot root rules
32.10 PTrace rules
32.11 Signal rules
32.12 Execute modes
32.13 Resource limit control
32.14 Auditing rules
33 AppArmor profile repositories
34 Building and managing profiles with YaST
34.1 Manually adding a profile
34.2 Editing profiles
34.3 Deleting a profile
34.4 Managing AppArmor
35 Building profiles from the command line
35.1 Checking the AppArmor status
35.2 Building AppArmor profiles
35.3 Adding or creating an AppArmor profile
35.4 Editing an AppArmor profile
35.5 Unloading unknown AppArmor profiles
35.6 Deleting an AppArmor profile
35.7 Two methods of profiling
35.8 Important file names and directories
36 Profiling your Web applications using ChangeHat
36.1 Configuring Apache for mod_apparmor
36.2 Managing ChangeHat-aware applications
37 Confining users with pam_apparmor
38 Managing profiled applications
38.1 Reacting to security event rejections
38.2 Maintaining your security profiles
39 Support
39.1 Updating AppArmor online
39.2 Using the man pages
39.3 More information
39.4 Troubleshooting
39.5 Reporting bugs for AppArmor
40 AppArmor glossary
V SELinux
41 Configuring SELinux
41.1 Why use SELinux?
41.2 Installing SELinux packages and modifying GRUB 2
41.3 SELinux policy
41.4 Configuring SELinux
41.5 Managing SELinux
41.6 Troubleshooting
VI The Linux Audit Framework
42 Understanding Linux audit
42.1 Introducing the components of Linux audit
42.2 Configuring the audit daemon
42.3 Controlling the audit system using auditctl
42.4 Passing parameters to the audit system
42.5 Understanding the audit logs and generating reports
42.6 Querying the audit daemon logs with ausearch
42.7 Analyzing processes with autrace
42.8 Visualizing audit data
42.9 Relaying audit event notifications
43 Setting up the Linux audit framework
43.1 Determining the components to audit
43.2 Configuring the audit daemon
43.3 Enabling audit for system calls
43.4 Setting up audit rules
43.5 Configuring audit reports
43.6 Configuring log visualization
44 Introducing an audit rule set
44.1 Adding basic audit configuration parameters
44.2 Adding watches on audit log files and configuration files
44.3 Monitoring file system objects
44.4 Monitoring security configuration files and databases
44.5 Monitoring miscellaneous system calls
44.6 Filtering system call arguments
44.7 Managing audit event records using keys
45 Useful resources
A GNU licenses
A.1 GNU free documentation license
List of Examples
3.1 PAM configuration for sshd (/etc/pam.d/sshd)
3.2 Default configuration for the auth section (common-auth)
3.3 Default configuration for the account section (common-account)
3.4 Default configuration for the password section (common-password)
3.5 Default configuration for the session section (common-session)
3.6 pam_env.conf
6.1 Excerpt from CN=schema
6.2 Minimal 389 Directory Server instance configuration file
6.3 A .dsrc file for local administration
6.4 Two supplier replicas
6.5 Four supplier replicas
6.6 Six replicas
6.7 Six replicas with read-only consumers
7.1 Example KDC configuration, /etc/krb5.conf
24.1 Callback port configuration for the nfs kernel module in /etc/modprobe.d/60-nfs.conf
24.2 Commands to define a new firewalld RPC service for NFS
25.1 VPN server configuration file
25.2 VPN client configuration file
30.1 Output of aa-unconfined
35.1 Learning mode exception: controlling access to specific resources
35.2 Learning mode exception: defining permissions for an entry
41.1 Verifying that SELinux is functional
41.2 Getting a list of booleans and verifying policy access
41.3 Getting file context information
41.4 The default context for directories in the root directory
41.5 Showing SELinux settings for processes with ps Zaux
41.6 Viewing default file contexts
41.7 Example lines from /etc/audit/audit.log
41.8 Analyzing audit messages
41.9 Viewing which lines deny access
41.10 Creating a policy module allowing an action previously denied
42.1 Example output of auditctl -s
42.2 Example audit rules—audit system parameters
42.3 Example audit rules—file system auditing
42.4 Example audit rules—system call auditing
42.5 Deleting audit rules and events
42.6 Listing rules with auditctl -l
42.7 A simple audit event—viewing the audit log
42.8 An advanced audit event—login via SSH
42.9 Example /etc/audisp/audispd.conf
42.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006–2022 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.
