cron
and at
pam_apparmor
A very important step in securing a Linux system is to determine the primary function(s) or role(s) of the Linux server. Otherwise, it can be difficult to understand what needs to be secured and securing these Linux systems can prove ineffective. Therefore, it is critical to look at the default list of software packages and remove any unnecessary packages or packages that do not comply with your defined security policies.
Generally, an RPM software package consists of the following:
The package's meta data that is written to the RPM database upon installation.
The package's files and directories.
Scripts that are being executed before and after installation and removal.
Packages generally do not impose any security risk to the system unless they contain:
setuid or setgid bits on any of the installed files
group- or world-writable files or directories
a service that is activated upon installation, or by default
Assuming that none of the three conditions above apply, a package is merely a collection of files. Neither installation nor uninstallation of such packages has any influence on the security value of the system.
Nevertheless, it is useful to restrict the installed packages in your system to a minimum. Doing this will result in fewer packages that require updates and will simplify maintenance efforts when security alerts and patches are released. It is a best practice not to install, among others, development packages or desktop software packages (for example, an X Server) on production servers. If you do not need them, you should also not install, for example, the Apache Web server or Samba file sharing server.
Many third-party vendors like Oracle and IBM require a desktop environment and development libraries to run installers. To prevent this from having an impact on the security of their production servers, many organizations work around this by creating a silent installation (response file) in a development lab.
Also, other packages like FTP and Telnet daemons should not be installed
unless there is a justified business reason for it.
ssh
, scp
or sftp
should be used as replacements.
One of the first action items should be to create a Linux image that only contains RPMs needed by the system and applications, and those needed for maintenance and troubleshooting purposes. A good approach is to start with a minimum list of RPMs and then add packages as needed.
The SUSE Appliance Program includes a component called JeOS (Just Enough Operating System). JeOS has a very small footprint and can be customized to fit the specific needs of a system developer. The main uses of JeOS are for hardware/software appliance or virtual machine development. The key benefits of JeOS are efficiency, higher performance, increased security, and simplified management.
If JeOS is not an option for you, a good choice is the minimal installation pattern.
To generate a list of all installed packages, use the following command:
#
zypper packages -i
To retrieve details about a particular package, run:
#
zypper info PACKAGE_NAME
To check for and report potential conflicts and dependencies when deleting a package, run:
#
zypper rm -D PACKAGE_NAME
This can be very useful, as running the removal command without a test can often yield a lot of complaints and require manual recursive dependency hunting.
When removing packages, be careful not to remove any essential system packages. This could put your system into a broken state in which it can no longer be booted or repaired. If you are uncertain about this, then it is best to do a complete backup of your system before you start to remove any packages.
For the final removal of one or more packages use the following
zypper
command with the added “-u”
switch, which removes any unused dependencies:
#
zypper rm -u PACKAGE_NAME
Building an infrastructure for patch management is another very important part of a proactive and secure Linux production environment.
It is recommended to have a written security policy and procedure to handle Linux security updates and issues. For example, a security policy should detail the time frame for assessment, testing, and roll out of patches. Network related security vulnerabilities should get the highest priority and should be addressed immediately within a short time frame. The assessment phase should occur within a testing lab, and initial rollout should occur on development systems first.
A separate security log file should contain details on which Linux security announcements have been received, which patches have been researched and assessed, when patches were applied, and so on.
SUSE releases patches in three categories: security, recommended, and optional. There are a few options that can be used to keep systems patched, up to date, and secure. Each system can register and then retrieve updates via the SUSE Update Web site using the included YaST tool—YaST Online Update. SUSE has also created the Repository Mirroring Tool (RMT), an efficient way to maintain a local repository of available/released patches/updates/fixes that systems can then pull from (reducing Internet traffic). SUSE also offers SUSE Manager for the maintenance, patching, reporting, and centralized management of Linux systems, not only SUSE, but other distributions as well.
On a per-server basis, installation of important updates and improvements is possible using the YaST Online Update tool. Current updates for the SUSE Linux Enterprise family are available from the product specific update catalogs containing patches. Installation of updates and improvements is accomplished using YaST and selecting
in the group. All new patches (except the optional ones) that are currently available for your system will already be marked for installation. Clicking will then automatically install these patches.YaST also offers the possibility to set up an automatic update. Select
› . Configure a Daily or a Weekly update. Some patches, such as kernel updates, require user interaction, which would cause the automatic update procedure to stop. Check for the update procedure to proceed automatically.In this case, run a manual Online Update from time to install patches that require interaction.
When rpm
or
zypper
.
The Repository Mirroring Tool for SUSE Linux Enterprise goes one step further than the Online Update process by establishing a proxy system with repository and registration targets. This helps customers centrally manage software updates within the firewall on a per-system basis, while maintaining their corporate security policies and regulatory compliance.
The RMT (https://documentation.suse.com/sles/15-SP3/html/SLES-all/book-rmt.html) is integrated with SUSE Customer Center (https://scc.suse.com/) and provides a repository and registration target that is synchronized with it. This can be very helpful in tracking entitlements in large deployments. The RMT maintains all the capabilities of SUSE Customer Center, while allowing a more secure centralized deployment. It is included with every SUSE Linux Enterprise subscription and is therefore fully supported.
The RMT provides an alternative to the default configuration, which requires opening the firewall to outbound connections for each device to receive updates. That requirement often violates corporate security policies and can be seen as a threat to regulatory compliance by some organizations. Through its integration with SUSE Customer Center, the RMT ensures that each device can receive its appropriate updates without the need to open the firewall, and without any redundant bandwidth requirements.
The RMT also enables customers to locally track their SUSE Linux Enterprise devices (that is, servers, desktops, or Point of Service terminals) throughout their enterprise. Now they can easily determine how many entitlements are in need of renewal at the end of a billing cycle without having to physically walk through the data center to manually update spreadsheets.
The RMT informs the SUSE Linux Enterprise devices of any available software updates. Each device then obtains the required software updates from the RMT. The introduction of the RMT improves the interaction among SUSE Linux Enterprise devices within the network and simplifies how they receive their system updates. The RMT enables an infrastructure for several hundred SUSE Linux Enterprise devices per instance of each installation (depending on the specific usage profile). This offers more accurate and efficient server tracking.
In a nutshell, the Repository Mirroring Tool for SUSE Linux Enterprise provides customers with:
Assurance of firewall and regulatory compliance
Reduced bandwidth usage during software updates
Full support under active subscription from SUSE
Maintenance of existing customer interface with SUSE Customer Center
Accurate server entitlement tracking and effective measurement of subscription usage
Automated process to easily tally entitlement totals (no more spreadsheets!)
Simple installation process that automatically synchronizes server entitlement with SUSE Customer Center
SUSE Manager automates Linux server management, allowing you to provision and maintain your servers faster and more accurately. It monitors the health of each Linux server from a single console so you can identify server performance issues before they impact your business. And it lets you comprehensively manage your Linux servers across physical, virtual, and cloud environments while improving data center efficiency. SUSE Manager delivers complete lifecycle management for Linux:
Asset management
Provisioning
Package management
Patch management
Configuration management
Redeployment
For more information on SUSE Manager, refer to https://www.suse.com/products/suse-manager/.