Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
SUSE Linux Enterprise Server 15

Security and Hardening Guide


Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.

Publication Date: May 02, 2022
About This Guide
Verfügbare Dokumentation
Konventionen in der Dokumentation
Product Life Cycle and Support
1 Security and Confidentiality
1.1 Overview
1.2 Passwords
1.3 Backups
1.4 System Integrity
1.5 File Access
1.6 Networking
1.7 Software Vulnerabilities
1.8 Malware
1.9 Important Security Tips
1.10 Reporting Security Issues
2 Common Criteria
2.1 Introduction
2.2 Evaluation Assurance Level (EAL)
2.3 Generic Guiding Principles
2.4 For More Information
I Authentication
3 Authentication with PAM
3.1 What is PAM?
3.2 Structure of a PAM Configuration File
3.3 The PAM Configuration of sshd
3.4 Configuration of PAM Modules
3.5 Configuring PAM Using pam-config
3.6 Manually Configuring PAM
3.7 For More Information
4 Using NIS
4.1 Configuring NIS Servers
4.2 Configuring NIS Clients
5 Setting Up Authentication Clients Using YaST
5.1 Configuring an Authentication Client with YaST
5.2 SSSD
6 LDAP—A Directory Service
6.1 OpenLDAP is deprecated
7 Network Authentication with Kerberos
7.1 Conceptual Overview
7.2 Kerberos Terminology
7.3 How Kerberos Works
7.4 User View of Kerberos
7.5 Installing and Administering Kerberos
7.6 Setting up Kerberos using LDAP and Kerberos Client
7.7 Kerberos and NFS
7.8 For More Information
8 Active Directory Support
8.1 Integrating Linux and Active Directory Environments
8.2 Background Information for Linux Active Directory Support
8.3 Configuring a Linux Client for Active Directory
8.4 Logging In to an Active Directory Domain
8.5 Changing Passwords
9 Setting Up a FreeRADIUS Server
9.1 Installation and Testing on SUSE Linux Enterprise
II Local Security
10 Physical Security
10.1 System Locks
10.2 Locking Down the BIOS
10.3 Security via the Boot Loaders
10.4 Retiring Linux Servers with Sensitive Data
10.5 Restricting Access to Removable Media
11 Automatic Security Checks with seccheck
11.1 Seccheck Timers
11.2 Enabling Seccheck Timers
11.3 Daily, Weekly, and Monthly Checks
11.4 Automatic Logout
12 Software Management
12.1 Removing Unnecessary Software Packages (RPMs)
12.2 Patching Linux Systems
13 File Management
13.1 Disk Partitions
13.2 Checking File Permissions and Ownership
13.3 Default umask
13.4 SUID/SGID Files
13.5 World-Writable Files
13.6 Orphaned or Unowned Files
14 Encrypting Partitions and Files
14.1 Setting Up an Encrypted File System with YaST
14.2 Encrypting Files with GPG
15 User Management
15.1 Various Account Checks
15.2 Enabling Password Aging
15.3 Stronger Password Enforcement
15.4 Password and Login Management with PAM
15.5 Restricting root Logins
15.6 Setting an Inactivity Timeout for Interactive Shell Sessions
15.7 Preventing Accidental Denial of Service
15.8 Displaying Login Banners
15.9 Connection Accounting Utilities
16 Configuring Security Settings with YaST
16.1 Security Overview
16.2 Predefined Security Configurations
16.3 Password Settings
16.4 Boot Settings
16.5 Login Settings
16.6 User Addition
16.7 Miscellaneous Settings
17 Authorization with PolKit
17.1 Conceptual Overview
17.2 Authorization Types
17.3 Querying Privileges
17.4 Modifying Configuration Files
17.5 Restoring the Default Privileges
18 Access Control Lists in Linux
18.1 Traditional File Permissions
18.2 Advantages of ACLs
18.3 Definitions
18.4 Handling ACLs
18.5 ACL Support in Applications
18.6 For More Information
19 Certificate Store
19.1 Activating Certificate Store
19.2 Importing Certificates
20 Intrusion Detection with AIDE
20.1 Why Use AIDE?
20.2 Setting Up an AIDE Database
20.3 Local AIDE Checks
20.4 System Independent Checking
20.5 For More Information
III Network Security
21 X Window System and X Authentication
22 Securing network operations with OpenSSH
22.1 OpenSSH overview
22.2 Server hardening
22.3 Password authentication
22.4 scp—Secure Copy
22.5 sftp—Secure File Transfer
22.6 The SSH Daemon (sshd)
22.7 SSH Authentication Mechanisms
22.8 Port Forwarding
22.9 For More Information
23 Masquerading and Firewalls
23.1 Packet Filtering with iptables
23.2 Masquerading Basics
23.3 Firewalling Basics
23.4 firewalld
23.5 Migrating From SuSEfirewall2
23.6 For More Information
24 Configuring a VPN Server
24.1 Conceptual Overview
24.2 Setting Up a Simple Test Scenario
24.3 Setting Up Your VPN Server Using a Certificate Authority
24.4 Setting Up a VPN Server or Client Using YaST
24.5 For More Information
25 Enabling compliance with FIPS 140-2
25.1 FIPS 140-2 overview
25.2 When to enable FIPS mode
25.3 Installing FIPS
25.4 Enabling FIPS mode
25.5 MD5 not supported in Samba/CIFS
IV Confining Privileges with AppArmor
26 Introducing AppArmor
26.1 AppArmor Components
26.2 Background Information on AppArmor Profiling
27 Getting Started
27.1 Installing AppArmor
27.2 Enabling and Disabling AppArmor
27.3 Choosing Applications to Profile
27.4 Building and Modifying Profiles
27.5 Updating Your Profiles
28 Immunizing Programs
28.1 Introducing the AppArmor Framework
28.2 Determining Programs to Immunize
28.3 Immunizing cron Jobs
28.4 Immunizing Network Applications
29 Profile Components and Syntax
29.1 Breaking an AppArmor Profile into Its Parts
29.2 Profile Types
29.3 Include Statements
29.4 Capability Entries (POSIX.1e)
29.5 Network Access Control
29.6 Profile Names, Flags, Paths, and Globbing
29.7 File Permission Access Modes
29.8 Mount Rules
29.9 Pivot Root Rules
29.10 PTrace Rules
29.11 Signal Rules
29.12 Execute Modes
29.13 Resource Limit Control
29.14 Auditing Rules
30 AppArmor Profile Repositories
31 Building and Managing Profiles with YaST
31.1 Manually Adding a Profile
31.2 Editing Profiles
31.3 Deleting a Profile
31.4 Managing AppArmor
32 Building Profiles from the Command Line
32.1 Checking the AppArmor Status
32.2 Building AppArmor Profiles
32.3 Adding or Creating an AppArmor Profile
32.4 Editing an AppArmor Profile
32.5 Unloading Unknown AppArmor Profiles
32.6 Deleting an AppArmor Profile
32.7 Two Methods of Profiling
32.8 Important File Names and Directories
33 Profiling Your Web Applications Using ChangeHat
33.1 Configuring Apache for mod_apparmor
33.2 Managing ChangeHat-Aware Applications
34 Confining Users with pam_apparmor
35 Managing Profiled Applications
35.1 Reacting to Security Event Rejections
35.2 Maintaining Your Security Profiles
36 Support
36.1 Updating AppArmor Online
36.2 Using the Man Pages
36.3 For More Information
36.4 Troubleshooting
36.5 Reporting Bugs for AppArmor
37 AppArmor Glossary
V SELinux
38 Configuring SELinux
38.1 Why use SELinux?
38.2 SELinux policy overview
38.3 Installing SELinux packages
38.4 Installing an SELinux policy
38.5 Modifying the GRUB 2 bootloader
38.6 Configuring SELinux
38.7 Managing SELinux
38.8 Troubleshooting
VI The Linux Audit Framework
39 Understanding Linux Audit
39.1 Introducing the Components of Linux Audit
39.2 Configuring the Audit Daemon
39.3 Controlling the Audit System Using auditctl
39.4 Passing Parameters to the Audit System
39.5 Understanding the Audit Logs and Generating Reports
39.6 Querying the Audit Daemon Logs with ausearch
39.7 Analyzing Processes with autrace
39.8 Visualizing Audit Data
39.9 Relaying Audit Event Notifications
40 Setting Up the Linux Audit Framework
40.1 Determining the Components to Audit
40.2 Configuring the Audit Daemon
40.3 Enabling Audit for System Calls
40.4 Setting Up Audit Rules
40.5 Configuring Audit Reports
40.6 Configuring Log Visualization
41 Introducing an Audit Rule Set
41.1 Adding Basic Audit Configuration Parameters
41.2 Adding Watches on Audit Log Files and Configuration Files
41.3 Monitoring File System Objects
41.4 Monitoring Security Configuration Files and Databases
41.5 Monitoring Miscellaneous System Calls
41.6 Filtering System Call Arguments
41.7 Managing Audit Event Records Using Keys
42 Useful Resources
A Achieving PCI DSS Compliance
A.1 What Is the PCI DSS?
A.2 Focus of This Document: Areas Relevant to the Operating System
A.3 Requirements in Detail
B GNU-Lizenzen
B.1 GNU Free Documentation License
List of Examples
3.1 PAM Configuration for sshd (/etc/pam.d/sshd)
3.2 Default Configuration for the auth Section (common-auth)
3.3 Default Configuration for the account Section (common-account)
3.4 Default Configuration for the password Section (common-password)
3.5 Default Configuration for the session Section (common-session)
3.6 pam_env.conf
7.1 Example KDC Configuration, /etc/krb5.conf
23.1 Callback Port Configuration for the nfs Kernel Module in /etc/modprobe.d/60-nfs.conf
23.2 Commands to Define a new firewalld RPC Service for NFS
24.1 VPN Server Configuration File
24.2 VPN Client Configuration File
27.1 Output of aa-unconfined
32.1 Learning Mode Exception: Controlling Access to Specific Resources
32.2 Learning Mode Exception: Defining Permissions for an Entry
38.1 Security context settings using ls -Z
38.2 Verifying that SELinux is functional
38.3 Getting a list of booleans and verifying policy access
38.4 Getting file context information
38.5 The default context for directories in the root directory
38.6 Showing SELinux settings for processes with ps Zaux
38.7 Viewing default file contexts
38.8 Example lines from /etc/audit/audit.log
38.9 Analyzing audit messages
38.10 Viewing which lines deny access
38.11 Creating a policy module allowing an action previously denied
39.1 Example output of auditctl -s
39.2 Example Audit Rules—Audit System Parameters
39.3 Example Audit Rules—File System Auditing
39.4 Example Audit Rules—System Call Auditing
39.5 Deleting Audit Rules and Events
39.6 Listing Rules with auditctl -l
39.7 A simple audit event—viewing the audit log
39.8 An Advanced Audit Event—Login via SSH
39.9 Example /etc/audisp/audispd.conf
39.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006– 2022 SUSE LLC und Mitwirkende. Alle Rechte vorbehalten.

Es wird die Genehmigung erteilt, dieses Dokument unter den Bedingungen der GNU Free Documentation License, Version 1.2 oder (optional) Version 1.3 zu vervielfältigen, zu verbreiten und/oder zu verändern; die unveränderlichen Abschnitte hierbei sind der Urheberrechtshinweis und die Lizenzbedingungen. Eine Kopie dieser Lizenz (Version 1.2) finden Sie im Abschnitt GNU Free Documentation License.

Die SUSE-Marken finden Sie unter http://www.suse.com/company/legal/. Alle anderen Marken von Drittanbietern sind Besitz ihrer jeweiligen Eigentümer. Markensymbole (®, ™ usw.) kennzeichnen Marken von SUSE und der Tochtergesellschaften. Sternchen (*) kennzeichnen Marken von Drittanbietern.

Alle Informationen in diesem Buch wurden mit größter Sorgfalt zusammengestellt. Doch auch dadurch kann hundertprozentige Richtigkeit nicht gewährleistet werden. Weder SUSE LLC noch ihre Tochtergesellschaften noch die Autoren noch die Übersetzer können für mögliche Fehler und deren Folgen haftbar gemacht werden.

Print this page