Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
SUSE Linux Enterprise Desktop 15 SP2

Security and Hardening Guide

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.

Publication Date: November 16, 2021
About This Guide
Verfügbare Dokumentation
Konventionen in der Dokumentation
Produktlebenszyklus und Support
1 Security and Confidentiality
1.1 Overview
1.2 Passwords
1.3 System Integrity
1.4 File Access
1.5 Networking
1.6 Software Vulnerabilities
1.7 Malware
1.8 Important Security Tips
1.9 Reporting Security Issues
2 Common Criteria
2.1 Introduction
2.2 Evaluation Assurance Level (EAL)
2.3 Generic Guiding Principles
2.4 For More Information
I Authentication
3 Authentication with PAM
3.1 What is PAM?
3.2 Structure of a PAM Configuration File
3.3 The PAM Configuration of sshd
3.4 Configuration of PAM Modules
3.5 Configuring PAM Using pam-config
3.6 Manually Configuring PAM
3.7 For More Information
4 Using NIS
4.1 Configuring NIS Servers
4.2 Configuring NIS Clients
5 Setting Up Authentication Clients Using YaST
5.1 Configuring an Authentication Client with YaST
5.2 SSSD
6 LDAP with 389 Directory Server
6.1 Structure of an LDAP directory tree
6.2 Installing 389 Directory Server
6.3 Firewall configuration
6.4 Backing up and restoring 389 Directory Server
6.5 Managing LDAP users and groups
6.6 Using SSSD to manage authentication
6.7 Managing modules
6.8 Importing TLS server certificates and keys
6.9 Setting up replication
6.10 More information
7 Network Authentication with Kerberos
7.1 Conceptual Overview
7.2 Kerberos Terminology
7.3 How Kerberos Works
7.4 User View of Kerberos
7.5 Setting up Kerberos using LDAP and Kerberos Client
7.6 Kerberos and NFS
7.7 For More Information
8 Active Directory Support
8.1 Integrating Linux and Active Directory Environments
8.2 Background Information for Linux Active Directory Support
8.3 Configuring a Linux Client for Active Directory
8.4 Logging In to an Active Directory Domain
8.5 Changing Passwords
9 Setting Up a FreeRADIUS Server
9.1 Installation and Testing on SUSE Linux Enterprise
II Local Security
10 Physical Security
10.1 System Locks
10.2 Locking Down the BIOS
10.3 Security via the Boot Loaders
10.4 Retiring Linux Servers with Sensitive Data
10.5 Restricting Access to Removable Media
11 Software Management
11.1 Removing Unnecessary Software Packages (RPMs)
11.2 Patching Linux Systems
12 File Management
12.1 Disk Partitions
12.2 Modifying permissions of certain system files
12.3 Changing Home Directory Permissions from 755 to 700
12.4 Default umask
12.5 SUID/SGID Files
12.6 World-Writable Files
12.7 Orphaned or Unowned Files
13 Encrypting Partitions and Files
13.1 Setting Up an Encrypted File System with YaST
13.2 Encrypting Files with GPG
14 Storage Encryption for Hosted Applications with cryptctl
14.1 Setting Up a cryptctl Server
14.2 Setting Up a cryptctl Client
14.3 Checking Partition Unlock Status Using Server-side Commands
14.4 Unlocking Encrypted Partitions Manually
14.5 Maintenance Downtime Procedure
14.6 For More Information
15 User Management
15.1 Various Account Checks
15.2 Enabling Password Aging
15.3 Stronger Password Enforcement
15.4 Password and Login Management with PAM
15.5 Restricting root Logins
15.6 Restricting sudo Users
15.7 Setting an Inactivity Timeout for Interactive Shell Sessions
15.8 Preventing Accidental Denial of Service
15.9 Displaying Login Banners
15.10 Connection Accounting Utilities
16 Restricting cron and at
16.1 Restricting the cron Daemon
16.2 Restricting the at scheduler
17 Spectre/Meltdown Checker
17.1 Using spectre-meltdown-checker
17.2 Additional Information about Spectre/Meltdown
18 Configuring Security Settings with YaST
18.1 Security Overview
18.2 Predefined Security Configurations
18.3 Password Settings
18.4 Boot Settings
18.5 Login Settings
18.6 User Addition
18.7 Miscellaneous Settings
19 Authorization with PolKit
19.1 Conceptual Overview
19.2 Authorization Types
19.3 Querying Privileges
19.4 Modifying Configuration Files
19.5 Restoring the Default Privileges
20 Access Control Lists in Linux
20.1 Traditional File Permissions
20.2 Advantages of ACLs
20.3 Definitions
20.4 Handling ACLs
20.5 ACL Support in Applications
20.6 For More Information
21 Certificate Store
21.1 Activating Certificate Store
21.2 Importing Certificates
22 Intrusion Detection with AIDE
22.1 Why Use AIDE?
22.2 Setting Up an AIDE Database
22.3 Local AIDE Checks
22.4 System Independent Checking
22.5 For More Information
III Network Security
23 X Window System and X Authentication
24 SSH: Secure Network Operations
24.1 ssh—Secure Shell
24.2 scp—Secure Copy
24.3 sftp—Secure File Transfer
24.4 The SSH Daemon (sshd)
24.5 SSH Authentication Mechanisms
24.6 Restricting SSH Logins
24.7 Port Forwarding
24.8 Adding and Removing Public Keys on an Installed System
24.9 For More Information
25 Masquerading and Firewalls
25.1 Packet Filtering with iptables
25.2 Masquerading Basics
25.3 Firewalling Basics
25.4 firewalld
25.5 Migrating from SuSEfirewall2
25.6 For More Information
26 Configuring a VPN Server
26.1 Conceptual Overview
26.2 Setting Up a Simple Test Scenario
26.3 Setting Up Your VPN Server Using a Certificate Authority
26.4 For More Information
27 Improving Network Security with sysctl Variables
28 Enabling FIPS 140-2
28.1 Enabling FIPS
IV Confining Privileges with AppArmor
29 Introducing AppArmor
29.1 AppArmor Components
29.2 Background Information on AppArmor Profiling
30 Getting Started
30.1 Installing AppArmor
30.2 Enabling and Disabling AppArmor
30.3 Choosing Applications to Profile
30.4 Building and Modifying Profiles
30.5 Updating Your Profiles
31 Immunizing Programs
31.1 Introducing the AppArmor Framework
31.2 Determining Programs to Immunize
31.3 Immunizing cron Jobs
31.4 Immunizing Network Applications
32 Profile Components and Syntax
32.1 Breaking an AppArmor Profile into Its Parts
32.2 Profile Types
32.3 Include Statements
32.4 Capability Entries (POSIX.1e)
32.5 Network Access Control
32.6 Profile Names, Flags, Paths, and Globbing
32.7 File Permission Access Modes
32.8 Mount Rules
32.9 Pivot Root Rules
32.10 PTrace Rules
32.11 Signal Rules
32.12 Execute Modes
32.13 Resource Limit Control
32.14 Auditing Rules
33 AppArmor Profile Repositories
34 Building and Managing Profiles with YaST
34.1 Manually Adding a Profile
34.2 Editing Profiles
34.3 Deleting a Profile
34.4 Managing AppArmor
35 Building Profiles from the Command Line
35.1 Checking the AppArmor Status
35.2 Building AppArmor Profiles
35.3 Adding or Creating an AppArmor Profile
35.4 Editing an AppArmor Profile
35.5 Unloading Unknown AppArmor Profiles
35.6 Deleting an AppArmor Profile
35.7 Two Methods of Profiling
35.8 Important File Names and Directories
36 Profiling Your Web Applications Using ChangeHat
36.1 Configuring Apache for mod_apparmor
36.2 Managing ChangeHat-Aware Applications
37 Confining Users with pam_apparmor
38 Managing Profiled Applications
38.1 Reacting to Security Event Rejections
38.2 Maintaining Your Security Profiles
39 Support
39.1 Updating AppArmor Online
39.2 Using the Man Pages
39.3 For More Information
39.4 Troubleshooting
39.5 Reporting Bugs for AppArmor
40 AppArmor Glossary
V The Linux Audit Framework
41 Understanding Linux Audit
41.1 Introducing the Components of Linux Audit
41.2 Configuring the Audit Daemon
41.3 Controlling the Audit System Using auditctl
41.4 Passing Parameters to the Audit System
41.5 Understanding the Audit Logs and Generating Reports
41.6 Querying the Audit Daemon Logs with ausearch
41.7 Analyzing Processes with autrace
41.8 Visualizing Audit Data
41.9 Relaying Audit Event Notifications
42 Setting Up the Linux Audit Framework
42.1 Determining the Components to Audit
42.2 Configuring the Audit Daemon
42.3 Enabling Audit for System Calls
42.4 Setting Up Audit Rules
42.5 Configuring Audit Reports
42.6 Configuring Log Visualization
43 Introducing an Audit Rule Set
43.1 Adding Basic Audit Configuration Parameters
43.2 Adding Watches on Audit Log Files and Configuration Files
43.3 Monitoring File System Objects
43.4 Monitoring Security Configuration Files and Databases
43.5 Monitoring Miscellaneous System Calls
43.6 Filtering System Call Arguments
43.7 Managing Audit Event Records Using Keys
44 Useful Resources
A GNU-Lizenzen
A.1 GNU Free Documentation License

Copyright © 2006– 2021 SUSE LLC und Mitwirkende. Alle Rechte vorbehalten.

Es wird die Genehmigung erteilt, dieses Dokument unter den Bedingungen der GNU Free Documentation License, Version 1.2 oder (optional) Version 1.3 zu vervielfältigen, zu verbreiten und/oder zu verändern; die unveränderlichen Abschnitte hierbei sind der Urheberrechtshinweis und die Lizenzbedingungen. Eine Kopie dieser Lizenz (Version 1.2) finden Sie im Abschnitt GNU Free Documentation License.

Die SUSE-Marken finden Sie unter https://www.suse.com/company/legal/. Alle anderen Marken von Drittanbietern sind Besitz ihrer jeweiligen Eigentümer. Markensymbole (®, ™ usw.) kennzeichnen Marken von SUSE und der Tochtergesellschaften. Sternchen (*) kennzeichnen Marken von Drittanbietern.

Alle Informationen in diesem Buch wurden mit größter Sorgfalt zusammengestellt. Doch auch dadurch kann hundertprozentige Richtigkeit nicht gewährleistet werden. Weder SUSE LLC noch ihre Tochtergesellschaften noch die Autoren noch die Übersetzer können für mögliche Fehler und deren Folgen haftbar gemacht werden.

Print this page