openSUSE Leap 15.6

Security and Hardening Guide

Abstract

This guide introduces basic concepts of system security and describes the usage of security software included with the product, such as AppArmor, SELinux, or the auditing system. The guide also supports system administrators in hardening an installation.

Publication Date: June 10, 2024

Preface
Available documentation
Improving the documentation
Documentation conventions
1 Security and confidentiality
1.1 Overview
1.2 Passwords
1.3 Backups
1.4 System integrity
1.5 File access
1.6 Networking
1.7 Software vulnerabilities
1.8 Malware
1.9 Important security tips
1.10 Reporting security issues
I Authentication
2 Authentication with PAM
2.1 What is PAM?
2.2 Structure of a PAM configuration file
2.3 The PAM configuration of sshd
2.4 Configuration of PAM modules
2.5 Configuring PAM using pam-config
2.6 Manually configuring PAM
2.7 Configuring U2F keys for local login
2.8 More information
3 Using NIS
3.1 Configuring NIS servers
3.2 Configuring NIS clients
4 Setting up authentication clients using YaST
4.1 Configuring an authentication client with YaST
4.2 SSSD
5 LDAP with 389 Directory Server
5.1 Structure of an LDAP directory tree
5.2 Creating and managing a Docker container for 389 Directory Server
5.3 Installing 389 Directory Server
5.4 Firewall configuration
5.5 Backing up and restoring 389 Directory Server
5.6 Managing LDAP users and groups
5.7 Managing plug-ins
5.8 Using SSSD to manage LDAP authentication
5.9 Migrating to 389 Directory Server from OpenLDAP
5.10 Importing TLS server certificates and keys
5.11 Setting up replication
5.12 Synchronizing with Microsoft Active Directory
5.13 More information
6 Network authentication with Kerberos
6.1 Conceptual overview
6.2 Kerberos terminology
6.3 How Kerberos works
6.4 User view of Kerberos
6.5 Installing and administering Kerberos
6.6 Kerberos and NFS
6.7 More information
7 Active Directory support
7.1 Integrating Linux and Active Directory environments
7.2 Background information for Linux Active Directory support
7.3 Configuring a Linux client for Active Directory
7.4 Logging in to an Active Directory domain
7.5 Changing passwords
7.6 Active Directory certificate auto-enrollment
8 Setting up a freeRADIUS server
8.1 Installation and testing on openSUSE Leap
II Local security
9 Physical security
9.1 System locks
9.2 Locking down the BIOS
9.3 Security via the boot loaders
9.4 Retiring Linux servers with sensitive data
9.5 Restricting access to removable media
9.6 System protection with enforced USB device authorization via USBGuard
10 Software management
10.1 Removing unnecessary software packages (RPMs)
10.2 Patching Linux systems
11 File management
11.1 Disk partitions
11.2 Modifying permissions of certain system files
11.3 Changing home directory permissions from 755 to 700
11.4 Default umask
11.5 SUID/SGID files
11.6 World-writable files
11.7 Orphaned or unowned files
12 Encrypting partitions and files
12.1 Setting up an encrypted file system with YaST
12.2 Encrypting files with GPG
12.3 Encrypting files with Rage
13 Storage encryption for hosted applications with cryptctl
13.1 Setting up a cryptctl server
13.2 Setting up a cryptctl client
13.3 Configuring /etc/fstab for LUKS volumes
13.4 Checking partition unlock status using server-side commands
13.5 Unlocking encrypted partitions manually
13.6 Maintenance downtime procedure
13.7 Setting up an HA environment for cryptctl-server service
13.8 More information
14 User management
14.1 Various account checks
14.2 Enabling password aging
14.3 Stronger password enforcement
14.4 Password and login management with PAM
14.5 Restricting root logins
14.6 Restricting sudo users
14.7 Setting an inactivity timeout for interactive shell sessions
14.8 Preventing accidental denial of service
14.9 Displaying login banners
14.10 Connection accounting utilities
15 Restricting cron and at
15.1 Restricting the cron daemon
15.2 Restricting the at scheduler
16 Spectre/Meltdown checker
16.1 Using spectre-meltdown-checker
16.2 More information
17 Configuring security settings with YaST
17.1 Security overview
17.2 Predefined security configurations
17.3 Password settings
17.4 Boot settings
17.5 Login settings
17.6 User addition
17.7 Miscellaneous settings
18 The Polkit authentication framework
18.1 Conceptual overview
18.2 Authorization types
18.3 Querying Privileges
18.4 Modifying Polkit Configuration
18.5 Restoring the SUSE default privileges
19 Access control lists in Linux
19.1 Traditional file permissions
19.2 Advantages of ACLs
19.3 Definitions
19.4 Handling ACLs
19.5 ACL support in applications
19.6 More information
20 Intrusion detection with AIDE
20.1 Why use AIDE?
20.2 Setting up an AIDE database
20.3 Local AIDE checks
20.4 System independent checking
20.5 More information
III Network security
21 X Window System and X authentication
22 Securing network operations with OpenSSH
22.1 OpenSSH overview
22.2 Server hardening
22.3 Password authentication
22.4 Managing user and host encryption keys
22.5 Rotating host keys
22.6 Public key authentication
22.7 Passphrase-less public key authentication
22.8 OpenSSH certificate authentication
22.9 Automated public key logins with gnome-keyring
22.10 Automated public key logins with ssh-agent
22.11 Changing an SSH private key passphrase
22.12 Retrieving a key fingerprint
22.13 Starting X11 applications on a remote host
22.14 Agent forwarding
22.15 scp—secure copy
22.16 sftp—secure file transfer
22.17 Port forwarding (SSH tunneling)
22.18 More information
22.19 Stopping SSH Brute Force Attacks with Fail2Ban
23 Masquerading and firewalls
23.1 Packet filtering with iptables
23.2 Masquerading basics
23.3 Firewalling basics
23.4 firewalld
23.5 Migrating from SuSEfirewall2
23.6 More information
24 Configuring a VPN server
24.1 Conceptual overview
24.2 Setting up a simple test scenario
24.3 Setting up your VPN server using a certificate authority
24.4 Setting up a VPN server or client using YaST
24.5 More information
25 Managing a PKI with XCA, X certificate and key manager
25.1 Installing XCA
25.2 Creating a new PKI
26 Improving network security with sysctl variables
IV Confining privileges with AppArmor
27 Introducing AppArmor
27.1 AppArmor components
27.2 Background information on AppArmor profiling
28 Getting started
28.1 Installing AppArmor
28.2 Enabling and disabling AppArmor
28.3 Choosing applications to profile
28.4 Building and modifying profiles
28.5 Updating your profiles
29 Immunizing programs
29.1 Introducing the AppArmor framework
29.2 Determining programs to immunize
29.3 Immunizing cron jobs
29.4 Immunizing network applications
30 Profile components and syntax
30.1 Breaking an AppArmor profile into its parts
30.2 Profile types
30.3 Include statements
30.4 Capability entries (POSIX.1e)
30.5 Network access control
30.6 Profile names, flags, paths, and globbing
30.7 File permission access modes
30.8 Mount rules
30.9 Pivot root rules
30.10 PTrace rules
30.11 Signal rules
30.12 Execute modes
30.13 Resource limit control
30.14 Auditing rules
31 AppArmor profile repositories
32 Building and managing profiles with YaST
32.1 Manually adding a profile
32.2 Editing profiles
32.3 Deleting a profile
32.4 Managing AppArmor
33 Building profiles from the command line
33.1 Checking the AppArmor status
33.2 Building AppArmor profiles
33.3 Adding or creating an AppArmor profile
33.4 Editing an AppArmor profile
33.5 Unloading unknown AppArmor profiles
33.6 Deleting an AppArmor profile
33.7 Two methods of profiling
33.8 Important file names and directories
34 Profiling your Web applications using ChangeHat
34.1 Configuring Apache for mod_apparmor
34.2 Managing ChangeHat-aware applications
35 Confining users with pam_apparmor
36 Managing profiled applications
36.1 Reacting to security event rejections
36.2 Maintaining your security profiles
37 Support
37.1 Updating AppArmor online
37.2 Using the man pages
37.3 More information
37.4 Troubleshooting
37.5 Reporting bugs for AppArmor
38 AppArmor glossary
V SELinux
39 Configuring SELinux
39.1 Why use SELinux?
39.2 SELinux policy overview
39.3 Installing SELinux packages
39.4 Installing an SELinux policy
39.5 Putting SELinux into permissive mode
39.6 Putting SELinux into enforcing mode
39.7 Configuring SELinux
39.8 Managing SELinux
39.9 Troubleshooting
VI The Linux Audit Framework
40 Understanding Linux audit
40.1 Introducing the components of Linux audit
40.2 Configuring the audit daemon
40.3 Controlling the audit system using auditctl
40.4 Passing parameters to the audit system
40.5 Understanding the audit logs and generating reports
40.6 Querying the audit daemon logs with ausearch
40.7 Analyzing processes with autrace
40.8 Visualizing audit data
40.9 Relaying audit event notifications
41 Setting up the Linux audit framework
41.1 Determining the components to audit
41.2 Configuring the audit daemon
41.3 Enabling audit for system calls
41.4 Setting up audit rules
41.5 Configuring audit reports
41.6 Configuring log visualization
42 Introducing an audit rule set
42.1 Adding basic audit configuration parameters
42.2 Adding watches on audit log files and configuration files
42.3 Monitoring file system objects
42.4 Monitoring security configuration files and databases
42.5 Monitoring miscellaneous system calls
42.6 Filtering system call arguments
42.7 Managing audit event records using keys
43 Useful resources
A GNU licenses
A.1 GNU Free Documentation License
List of Examples
2.1 PAM configuration for sshd (/etc/pam.d/sshd)
2.2 Default configuration for the auth section (common-auth)
2.3 Default configuration for the account section (common-account)
2.4 Default configuration for the password section (common-password)
2.5 Default configuration for the session section (common-session)
2.6 pam_env.conf
5.1 Excerpt from CN=schema
5.2 Minimal 389 Directory Server instance configuration file
5.3 A .dsrc file for local administration
5.4 Two supplier replicas
5.5 Four supplier replicas
5.6 Six replicas
5.7 Six replicas with read-only consumers
6.1 Example KDC configuration, /etc/krb5.conf
9.1 Configuration
22.1 Example sshd_config
23.1 Callback port configuration for the nfs kernel module in /etc/modprobe.d/60-nfs.conf
23.2 Commands to define a new firewalld RPC service for NFS
24.1 VPN server configuration file
24.2 VPN client configuration file
28.1 Output of aa-unconfined
33.1 Learning mode exception: controlling access to specific resources
33.2 Learning mode exception: defining permissions for an entry
39.1 Security context settings using ls -Z
39.2 Verifying that SELinux is functional
39.3 Getting a list of booleans and verifying policy access
39.4 Getting file context information
39.5 The default context for directories in the root directory
39.6 Showing SELinux settings for processes with ps Zaux
39.7 Viewing default file contexts
39.8 Example lines from /var/log/audit/audit.log
39.9 Analyzing audit messages
39.10 Viewing which lines deny access
39.11 Creating a policy module allowing an action previously denied
40.1 Default /etc/audit/auditd.conf
40.2 Example output of auditctl -s
40.3 Example audit rules—audit system parameters
40.4 Example audit rules—file system auditing
40.5 Example audit rules—system call auditing
40.6 Deleting audit rules and events
40.7 Listing rules with auditctl -l
40.8 A simple audit event—viewing the audit log
40.9 An advanced audit event—login via SSH
40.10 Example /etc/audit/auditd.conf
40.11 Example /etc/audit/plugins.d/syslog.conf

Copyright © 2006–2024 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see https://www.suse.com/company/legal/. All third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.
