SUSE Linux Enterprise Server 12 SP4

Security Guide


Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor or the auditing system that reliably collects information about any security-relevant events.

Publication Date: May 04, 2022
About This Guide
Available Documentation
Documentation Conventions
Product Life Cycle and Support
1 Security and Confidentiality
1.1 Local Security and Network Security
1.2 Some General Security Tips and Tricks
1.3 Using the Central Security Reporting Address
I Authentication
2 Authentication with PAM
2.1 What is PAM?
2.2 Structure of a PAM Configuration File
2.3 The PAM Configuration of sshd
2.4 Configuration of PAM Modules
2.5 Configuring PAM Using pam-config
2.6 Manually Configuring PAM
2.7 For More Information
3 Using NIS
3.1 Configuring NIS Servers
3.2 Configuring NIS Clients
4 Setting Up Authentication Servers and Clients Using YaST
4.1 Configuring an Authentication Server with YaST
4.2 Configuring an Authentication Client with YaST
4.3 SSSD
5 LDAP—A Directory Service
5.1 LDAP versus NIS
5.2 Structure of an LDAP Directory Tree
5.3 Configuring an LDAP Client with YaST
5.4 Configuring LDAP Users and Groups in YaST
5.5 Manually Configuring an LDAP Server
5.6 Manually Administering LDAP Data
5.7 For More Information
6 Network Authentication with Kerberos
6.1 Conceptual Overview
6.2 Kerberos Terminology
6.3 How Kerberos Works
6.4 User View of Kerberos
6.5 Installing and Administering Kerberos
6.6 Setting up Kerberos using LDAP and Kerberos Client
6.7 Kerberos and NFS
6.8 For More Information
7 Active Directory Support
7.1 Integrating Linux and Active Directory Environments
7.2 Background Information for Linux Active Directory Support
7.3 Configuring a Linux Client for Active Directory
7.4 Logging In to an Active Directory Domain
7.5 Changing Passwords
II Local Security
8 Configuring Security Settings with YaST
8.1 Security Overview
8.2 Predefined Security Configurations
8.3 Password Settings
8.4 Boot Settings
8.5 Login Settings
8.6 User Addition
8.7 Miscellaneous Settings
9 Authorization with PolKit
9.1 Conceptual Overview
9.2 Authorization Types
9.3 Querying Privileges
9.4 Modifying Configuration Files
9.5 Restoring the Default Privileges
10 Access Control Lists in Linux
10.1 Traditional File Permissions
10.2 Advantages of ACLs
10.3 Definitions
10.4 Handling ACLs
10.5 ACL Support in Applications
10.6 For More Information
11 Encrypting Partitions and Files
11.1 Setting Up an Encrypted File System with YaST
11.2 Using Encrypted Home Directories
11.3 Encrypting Files with GPG
12 Certificate Store
12.1 Activating Certificate Store
12.2 Importing Certificates
13 Intrusion Detection with AIDE
13.1 Why Use AIDE?
13.2 Setting Up an AIDE Database
13.3 Local AIDE Checks
13.4 System Independent Checking
13.5 For More Information
III Network Security
14 SSH: Secure Network Operations
14.1 ssh—Secure Shell
14.2 scp—Secure Copy
14.3 sftp—Secure File Transfer
14.4 The SSH Daemon (sshd)
14.5 SSH Authentication Mechanisms
14.6 Port Forwarding
14.7 For More Information
15 Masquerading and Firewalls
15.1 Packet Filtering with iptables
15.2 Masquerading Basics
15.3 Firewalling Basics
15.4 SuSEFirewall2
15.5 For More Information
16 Configuring a VPN Server
16.1 Conceptual Overview
16.2 Setting Up a Simple Test Scenario
16.3 Setting Up Your VPN Server Using a Certificate Authority
16.4 Setting Up a VPN Server or Client Using YaST
16.5 For More Information
17 Managing X.509 Certification
17.1 The Principles of Digital Certification
17.2 YaST Modules for CA Management
18 Enabling compliance with FIPS 140-2
18.1 FIPS 140-2 overview
18.2 When to enable FIPS mode
18.3 Installing FIPS
18.4 Enabling FIPS mode
18.5 MD5 not supported in Samba/CIFS
IV Confining Privileges with AppArmor
19 Introducing AppArmor
19.1 AppArmor Components
19.2 Background Information on AppArmor Profiling
20 Getting Started
20.1 Installing AppArmor
20.2 Enabling and Disabling AppArmor
20.3 Choosing Applications to Profile
20.4 Building and Modifying Profiles
20.5 Updating Your Profiles
21 Immunizing Programs
21.1 Introducing the AppArmor Framework
21.2 Determining Programs to Immunize
21.3 Immunizing cron Jobs
21.4 Immunizing Network Applications
22 Profile Components and Syntax
22.1 Breaking an AppArmor Profile into Its Parts
22.2 Profile Types
22.3 Include Statements
22.4 Capability Entries (POSIX.1e)
22.5 Network Access Control
22.6 Profile Names, Flags, Paths, and Globbing
22.7 File Permission Access Modes
22.8 Execute Modes
22.9 Resource Limit Control
22.10 Auditing Rules
23 AppArmor Profile Repositories
24 Building and Managing Profiles with YaST
24.1 Manually Adding a Profile
24.2 Editing Profiles
24.3 Deleting a Profile
24.4 Managing AppArmor
25 Building Profiles from the Command Line
25.1 Checking the AppArmor Status
25.2 Building AppArmor Profiles
25.3 Adding or Creating an AppArmor Profile
25.4 Editing an AppArmor Profile
25.5 Unloading Unknown AppArmor Profiles
25.6 Deleting an AppArmor Profile
25.7 Two Methods of Profiling
25.8 Important File Names and Directories
26 Profiling Your Web Applications Using ChangeHat
26.1 Configuring Apache for mod_apparmor
26.2 Managing ChangeHat-Aware Applications
27 Confining Users with pam_apparmor
28 Managing Profiled Applications
28.1 Reacting to Security Event Rejections
28.2 Maintaining Your Security Profiles
29 Support
29.1 Updating AppArmor Online
29.2 Using the Man Pages
29.3 For More Information
29.4 Troubleshooting
29.5 Reporting Bugs for AppArmor
30 AppArmor Glossary
V SELinux
31 Configuring SELinux
31.1 Why Use SELinux?
31.2 Policy
31.3 Installing SELinux Packages and Modifying GRUB 2
31.4 SELinux Policy
31.5 Configuring SELinux
31.6 Managing SELinux
31.7 Troubleshooting
VI The Linux Audit Framework
32 Understanding Linux Audit
32.1 Introducing the Components of Linux Audit
32.2 Configuring the Audit Daemon
32.3 Controlling the Audit System Using auditctl
32.4 Passing Parameters to the Audit System
32.5 Understanding the Audit Logs and Generating Reports
32.6 Querying the Audit Daemon Logs with ausearch
32.7 Analyzing Processes with autrace
32.8 Visualizing Audit Data
32.9 Relaying Audit Event Notifications
33 Setting Up the Linux Audit Framework
33.1 Determining the Components to Audit
33.2 Configuring the Audit Daemon
33.3 Enabling Audit for System Calls
33.4 Setting Up Audit Rules
33.5 Configuring Audit Reports
33.6 Configuring Log Visualization
34 Introducing an Audit Rule Set
34.1 Adding Basic Audit Configuration Parameters
34.2 Adding Watches on Audit Log Files and Configuration Files
34.3 Monitoring File System Objects
34.4 Monitoring Security Configuration Files and Databases
34.5 Monitoring Miscellaneous System Calls
34.6 Filtering System Call Arguments
34.7 Managing Audit Event Records Using Keys
35 Useful Resources
A Achieving PCI DSS Compliance
A.1 What is the PCI DSS?
A.2 Focus of This Document: Areas Relevant to the Operating System
A.3 Requirements in Detail
B Documentation Updates
B.1 October 2018 (Maintenance Release for SUSE Linux Enterprise Server 12 SP3)
B.2 September 2017 (Initial Release of SUSE Linux Enterprise Server 12 SP3)
B.3 November 2016 (Initial Release of SUSE Linux Enterprise Server 12 SP2)
B.4 March 2016 (Documentation Maintenance Update for SUSE Linux Enterprise Server 12 SP1)
B.5 December 2015 (Initial Release of SUSE Linux Enterprise Server 12 SP1)
B.6 February 2015 (Documentation Maintenance Update)
B.7 October 2014 (Initial Release of SUSE Linux Enterprise Server 12)
C GNU Licenses
C.1 GNU Free Documentation License
List of Figures
3.1 NIS Server Setup
3.2 Master Server Setup
3.3 Changing the Directory and Synchronizing Files for a NIS Server
3.4 NIS Server Maps Setup
3.5 Setting Request Permissions for a NIS Server
3.6 Setting Domain and Address of a NIS Server
4.1 YaST Authentication Server Configuration
4.2 YaST LDAP Server—New Database
4.3 YaST Kerberos Authentication
4.4 YaST Editing Authentication Server Configuration
4.5 YaST Authentication Server Database Configuration
5.1 Structure of an LDAP Directory
5.2 LDAP and Kerberos Client Window
6.1 Kerberos Network Topology
6.2 LDAP and Kerberos Client Window
7.1 Schema of Winbind-based Active Directory Authentication
7.2 Main Window of User Logon Management
7.3 Enrolling into a Domain
7.4 Configuration Window of User Logon Management
7.5 Determining Windows Domain Membership
7.6 Providing Administrator Credentials
8.1 YaST Security Center and Hardening: Security Overview
10.1 Minimum ACL: ACL Entries Compared to Permission Bits
10.2 Extended ACL: ACL Entries Compared to Permission Bits
15.1 iptables: A Packet's Possible Paths
15.2 Firewall Configuration: Allowed Services
16.1 Routed VPN
16.2 Bridged VPN - Scenario 1
16.3 Bridged VPN - Scenario 2
16.4 Bridged VPN - Scenario 3
17.1 YaST CA Module—Basic Data for a Root CA
17.2 YaST CA Module—Using a CA
17.3 Certificates of a CA
17.4 YaST CA Module—Extended Settings
25.1 aa-notify Message in GNOME
26.1 Adminer Login Page
31.1 Selecting all SELinux Packages in YaST
32.1 Introducing the Components of Linux Audit
32.2 Flow Graph—Program versus System Call Relationship
32.3 Bar Chart—Common Event Types
List of Examples
2.1 PAM Configuration for sshd (/etc/pam.d/sshd)
2.2 Default Configuration for the auth Section (common-auth)
2.3 Default Configuration for the account Section (common-account)
2.4 Default Configuration for the password Section (common-password)
2.5 Default Configuration for the session Section (common-session)
2.6 pam_env.conf
5.1 Excerpt from schema.core
5.2 An LDIF File
5.3 ldapadd with example.ldif
5.4 LDIF Data for Tux
5.5 Modified LDIF File tux.ldif
16.1 VPN Server Configuration File
16.2 VPN Client Configuration File
20.1 Output of aa-unconfined
25.1 Learning Mode Exception: Controlling Access to Specific Resources
25.2 Learning Mode Exception: Defining Permissions for an Entry
31.1 Security Context Settings Using ls -Z
31.2 Verifying that SELinux is functional
31.3 Getting a List of Booleans and Verifying Policy Access
31.4 Getting File Context Information
31.5 The default context for directories in the root directory
31.6 Showing SELinux settings for processes with ps Zaux
31.7 Viewing Default File Contexts
31.8 Example Lines from /etc/audit/audit.log
31.9 Analyzing Audit Messages
31.10 Viewing Which Lines Deny Access
31.11 Creating a Policy Module Allowing an Action Previously Denied
32.1 Example output of auditctl -s
32.2 Example Audit Rules—Audit System Parameters
32.3 Example Audit Rules—File System Auditing
32.4 Example Audit Rules—System Call Auditing
32.5 Deleting Audit Rules and Events
32.6 Listing Rules with auditctl -l
32.7 A Simple Audit Event—Viewing the Audit Log
32.8 An Advanced Audit Event—Login via SSH
32.9 Example /etc/audisp/audispd.conf
32.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006–2022 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and modify this document under the terms of the GNU Free Documentation License, version 1.2 or (at your option) version 1.3. This copyright and license notice must remain unchanged. A copy of version 1.2 of the license is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see http://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this publication has been compiled with the utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.
