Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
openSUSE Leap 15.2

Security Guide

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor or the auditing system that reliably collects information about any security-relevant events.

Publication Date: July 06, 2020
About This Guide
Available Documentation
Giving Feedback
Documentation Conventions
1 Security and Confidentiality
1.1 Overview
1.2 Passwords
1.3 System Integrity
1.4 File Access
1.5 Networking
1.6 Software Vulnerabilities
1.7 Malware
1.8 Important Security Tips
1.9 Reporting Security Issues
I Authentication
2 Authentication with PAM
2.1 What is PAM?
2.2 Structure of a PAM Configuration File
2.3 The PAM Configuration of sshd
2.4 Configuration of PAM Modules
2.5 Configuring PAM Using pam-config
2.6 Manually Configuring PAM
2.7 For More Information
3 Using NIS
3.1 Configuring NIS Servers
3.2 Configuring NIS Clients
4 Setting Up Authentication Clients Using YaST
4.1 Configuring an Authentication Client with YaST
4.2 SSSD
5 LDAP—A Directory Service
5.1 Structure of an LDAP Directory Tree
5.2 Installing the Software for 389 Directory Server
5.3 Manually Configuring a 389 Directory Server
5.4 Setting Up a 389 Directory Server with YaST
5.5 Manually Administering LDAP Data
5.6 For More Information
6 Network Authentication with Kerberos
6.1 Conceptual Overview
6.2 Kerberos Terminology
6.3 How Kerberos Works
6.4 User View of Kerberos
6.5 Installing and Administering Kerberos
6.6 Setting up Kerberos using LDAP and Kerberos Client
6.7 Kerberos and NFS
6.8 For More Information
7 Active Directory Support
7.1 Integrating Linux and Active Directory Environments
7.2 Background Information for Linux Active Directory Support
7.3 Configuring a Linux Client for Active Directory
7.4 Logging In to an Active Directory Domain
7.5 Changing Passwords
II Local Security
8 Spectre/Meltdown Checker
8.1 Using spectre-meltdown-checker
8.2 Additional Information about Spectre/Meltdown
9 Configuring Security Settings with YaST
9.1 Security Overview
9.2 Predefined Security Configurations
9.3 Password Settings
9.4 Boot Settings
9.5 Login Settings
9.6 User Addition
9.7 Miscellaneous Settings
10 Authorization with PolKit
10.1 Conceptual Overview
10.2 Authorization Types
10.3 Querying Privileges
10.4 Modifying Configuration Files
10.5 Restoring the Default Privileges
11 Access Control Lists in Linux
11.1 Traditional File Permissions
11.2 Advantages of ACLs
11.3 Definitions
11.4 Handling ACLs
11.5 ACL Support in Applications
11.6 For More Information
12 Encrypting Partitions and Files
12.1 Setting Up an Encrypted File System with YaST
12.2 Encrypting Files with GPG
13 Storage Encryption for Hosted Applications with cryptctl
13.1 Setting Up a cryptctl Server
13.2 Setting Up a cryptctl Client
13.3 Checking Partition Unlock Status Using Server-side Commands
13.4 Unlocking Encrypted Partitions Manually
13.5 Maintenance Downtime Procedure
13.6 For More Information
14 Certificate Store
14.1 Activating Certificate Store
14.2 Importing Certificates
15 Intrusion Detection with AIDE
15.1 Why Use AIDE?
15.2 Setting Up an AIDE Database
15.3 Local AIDE Checks
15.4 System Independent Checking
15.5 For More Information
III Network Security
16 X Window System and X Authentication
17 SSH: Secure Network Operations
17.1 ssh—Secure Shell
17.2 scp—Secure Copy
17.3 sftp—Secure File Transfer
17.4 The SSH Daemon (sshd)
17.5 SSH Authentication Mechanisms
17.6 Port Forwarding
17.7 Adding and Removing Public Keys on an Installed System
17.8 For More Information
18 Masquerading and Firewalls
18.1 Packet Filtering with iptables
18.2 Masquerading Basics
18.3 Firewalling Basics
18.4 firewalld
18.5 Migrating From SuSEfirewall2
18.6 For More Information
19 Configuring a VPN Server
19.1 Conceptual Overview
19.2 Setting Up a Simple Test Scenario
19.3 Setting Up Your VPN Server Using a Certificate Authority
19.4 Setting Up a VPN Server or Client Using YaST
19.5 For More Information
IV Confining Privileges with AppArmor
20 Introducing AppArmor
20.1 AppArmor Components
20.2 Background Information on AppArmor Profiling
21 Getting Started
21.1 Installing AppArmor
21.2 Enabling and Disabling AppArmor
21.3 Choosing Applications to Profile
21.4 Building and Modifying Profiles
21.5 Updating Your Profiles
22 Immunizing Programs
22.1 Introducing the AppArmor Framework
22.2 Determining Programs to Immunize
22.3 Immunizing cron Jobs
22.4 Immunizing Network Applications
23 Profile Components and Syntax
23.1 Breaking an AppArmor Profile into Its Parts
23.2 Profile Types
23.3 Include Statements
23.4 Capability Entries (POSIX.1e)
23.5 Network Access Control
23.6 Profile Names, Flags, Paths, and Globbing
23.7 File Permission Access Modes
23.8 Mount Rules
23.9 Pivot Root Rules
23.10 PTrace Rules
23.11 Signal Rules
23.12 Execute Modes
23.13 Resource Limit Control
23.14 Auditing Rules
24 AppArmor Profile Repositories
25 Building and Managing Profiles with YaST
25.1 Manually Adding a Profile
25.2 Editing Profiles
25.3 Deleting a Profile
25.4 Managing AppArmor
26 Building Profiles from the Command Line
26.1 Checking the AppArmor Status
26.2 Building AppArmor Profiles
26.3 Adding or Creating an AppArmor Profile
26.4 Editing an AppArmor Profile
26.5 Unloading Unknown AppArmor Profiles
26.6 Deleting an AppArmor Profile
26.7 Two Methods of Profiling
26.8 Important File Names and Directories
27 Profiling Your Web Applications Using ChangeHat
27.1 Configuring Apache for mod_apparmor
27.2 Managing ChangeHat-Aware Applications
28 Confining Users with pam_apparmor
29 Managing Profiled Applications
29.1 Reacting to Security Event Rejections
29.2 Maintaining Your Security Profiles
30 Support
30.1 Updating AppArmor Online
30.2 Using the Man Pages
30.3 For More Information
30.4 Troubleshooting
30.5 Reporting Bugs for AppArmor
31 AppArmor Glossary
V SELinux
32 Configuring SELinux
32.1 Why Use SELinux?
32.2 Policy
32.3 Installing SELinux Packages and Modifying GRUB 2
32.4 SELinux Policy
32.5 Configuring SELinux
32.6 Managing SELinux
32.7 Troubleshooting
VI The Linux Audit Framework
33 Understanding Linux Audit
33.1 Introducing the Components of Linux Audit
33.2 Configuring the Audit Daemon
33.3 Controlling the Audit System Using auditctl
33.4 Passing Parameters to the Audit System
33.5 Understanding the Audit Logs and Generating Reports
33.6 Querying the Audit Daemon Logs with ausearch
33.7 Analyzing Processes with autrace
33.8 Visualizing Audit Data
33.9 Relaying Audit Event Notifications
34 Setting Up the Linux Audit Framework
34.1 Determining the Components to Audit
34.2 Configuring the Audit Daemon
34.3 Enabling Audit for System Calls
34.4 Setting Up Audit Rules
34.5 Configuring Audit Reports
34.6 Configuring Log Visualization
35 Introducing an Audit Rule Set
35.1 Adding Basic Audit Configuration Parameters
35.2 Adding Watches on Audit Log Files and Configuration Files
35.3 Monitoring File System Objects
35.4 Monitoring Security Configuration Files and Databases
35.5 Monitoring Miscellaneous System Calls
35.6 Filtering System Call Arguments
35.7 Managing Audit Event Records Using Keys
36 Useful Resources
A GNU Licenses
A.1 GNU Free Documentation License
List of Examples
2.1 PAM Configuration for sshd (/etc/pam.d/sshd)
2.2 Default Configuration for the auth Section (common-auth)
2.3 Default Configuration for the account Section (common-account)
2.4 Default Configuration for the password Section (common-password)
2.5 Default Configuration for the session Section (common-session)
2.6 pam_env.conf
5.1 Excerpt from CN=schema
5.2 Basic Instance Configuration File
5.3 A .dsrc File for Remote Administration
5.4 A .dsrc File for Local Administration
6.1 Example KDC Configuration, /etc/krb5.conf
18.1 Callback Port Configuration for the nfs Kernel Module in /etc/modprobe.d/60-nfs.conf
18.2 Commands to Define a new firewalld RPC Service for NFS
19.1 VPN Server Configuration File
19.2 VPN Client Configuration File
21.1 Output of aa-unconfined
26.1 Learning Mode Exception: Controlling Access to Specific Resources
26.2 Learning Mode Exception: Defining Permissions for an Entry
32.1 Security Context Settings Using ls -Z
32.2 Verifying that SELinux is functional
32.3 Getting a List of Booleans and Verifying Policy Access
32.4 Getting File Context Information
32.5 The default context for directories in the root directory
32.6 Showing SELinux settings for processes with ps Zaux
32.7 Viewing Default File Contexts
32.8 Example Lines from /etc/audit/audit.log
32.9 Analyzing Audit Messages
32.10 Viewing Which Lines Deny Access
32.11 Creating a Policy Module Allowing an Action Previously Denied
33.1 Example output of auditctl -s
33.2 Example Audit Rules—Audit System Parameters
33.3 Example Audit Rules—File System Auditing
33.4 Example Audit Rules—System Call Auditing
33.5 Deleting Audit Rules and Events
33.6 Listing Rules with auditctl -l
33.7 A Simple Audit Event—Viewing the Audit Log
33.8 An Advanced Audit Event—Login via SSH
33.9 Example /etc/audisp/audispd.conf
33.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006– 2020 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Print this page