pam_apparmor
Physical security should be one of the utmost concerns. Linux production servers should be in locked data centers where only people have access that have passed security checks. Depending on the environment and circumstances, you can also consider boot loader passwords.
The seccheck
SUSE Security Checker is a set of
shell scripts designed to automatically check the local security of a system
on a regular schedule, and emails reports to the root user, or any user
as configured by the administrator.
A very important step in securing a Linux system is to determine the primary function(s) or role(s) of the Linux server. Otherwise, it can be difficult to understand what needs to be secured and securing these Linux systems can prove ineffective. Therefore, it is critical to look at the default list…
Servers should have separate file systems for at least /, /boot, /usr, /var, /tmp, and /home. This prevents, for example, that logging space and temporary space under /var and /tmp fill up the root partition. Third-party applications should be on separate file systems as well, for example under /opt…
Encrypting files, partitions, and entire disks prevents unauthorized access to your data and protects your confidential files and documents.
It is important that all system and vendor accounts that are not used for logins are locked. To get a list of unlocked accounts on your system, you can check for accounts that do not have an encrypted password string starting with ! or * in the /etc/shadow file. If you lock an account using passwd -…
The YaST module SUSE Linux Enterprise Server. Use it to configure security aspects such as settings for the login procedure and for password creation, for boot permissions, user creation or for default file permissions. Launch it from the YaST control center by › . The dialog always starts with the , and other configuration dialogs are available from the right pane.
offers a central clearinghouse to configure security-related settings for
PolKit (formerly known as PolicyKit) is an application framework that
acts as a negotiator between the unprivileged user session and the
privileged system context. Whenever a process from the user session
tries to carry out an action in the system context, PolKit is queried.
Based on its configuration—specified in a so-called
“policy”—the answer could be “yes”,
“no”, or “needs authentication”. Unlike
classical privilege authorization programs such as sudo, PolKit does
not grant root
permissions to an entire session, but only to
the action in question.
POSIX ACLs (access control lists) can be used as an expansion of the traditional permission concept for file system objects. With ACLs, permissions can be defined more flexibly than with the traditional permission concept.
Certificates play an important role in the authentication of companies and individuals. Usually certificates are administered by the application itself. In some cases, it makes sense to share certificates between applications. The certificate store is a common ground for Firefox, Evolution, and NetworkManager. This chapter explains some details.
Securing your systems is a mandatory task for any mission-critical
system administrator. Because it is impossible to always guarantee that
the system is not compromised, it is very important to do extra checks
regularly (for example with
cron
) to ensure that the system
is still under your control. This is where AIDE, the
Advanced Intrusion Detection Environment, comes
into play.