Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
SUSE Linux Enterprise Server 12 SP5

Security Guide

Abstract

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor or the auditing system that reliably collects information about any security-relevant events.

Publication Date: May 04, 2022
About This Guide
Documentación disponible
Comentarios
Convenciones de la documentación
Product Life Cycle and Support
1 Security and Confidentiality
1.1 Local Security and Network Security
1.2 Some General Security Tips and Tricks
1.3 Using the Central Security Reporting Address
I Authentication
2 Authentication with PAM
2.1 What is PAM?
2.2 Structure of a PAM Configuration File
2.3 The PAM Configuration of sshd
2.4 Configuration of PAM Modules
2.5 Configuring PAM Using pam-config
2.6 Manually Configuring PAM
2.7 For More Information
3 Using NIS
3.1 Configuring NIS Servers
3.2 Configuring NIS Clients
4 Setting Up Authentication Servers and Clients Using YaST
4.1 Configuring an Authentication Server with YaST
4.2 Configuring an Authentication Client with YaST
4.3 SSSD
5 LDAP—A Directory Service
5.1 LDAP versus NIS
5.2 Structure of an LDAP Directory Tree
5.3 Configuring an LDAP Client with YaST
5.4 Configuring LDAP Users and Groups in YaST
5.5 Manually Configuring an LDAP Server
5.6 Manually Administering LDAP Data
5.7 New negation feature in sudoers.ldap
5.8 For More Information
6 Network Authentication with Kerberos
6.1 Conceptual Overview
6.2 Kerberos Terminology
6.3 How Kerberos Works
6.4 User View of Kerberos
6.5 Installing and Administering Kerberos
6.6 Setting up Kerberos using LDAP and Kerberos Client
6.7 Kerberos and NFS
6.8 For More Information
7 Active Directory Support
7.1 Integrating Linux and Active Directory Environments
7.2 Background Information for Linux Active Directory Support
7.3 Configuring a Linux Client for Active Directory
7.4 Logging In to an Active Directory Domain
7.5 Changing Passwords
II Local Security
8 Spectre/Meltdown Checker
8.1 Using spectre-meltdown-checker
8.2 Additional Information about Spectre/Meltdown
9 Configuring Security Settings with YaST
9.1 Security Overview
9.2 Predefined Security Configurations
9.3 Password Settings
9.4 Boot Settings
9.5 Login Settings
9.6 User Addition
9.7 Miscellaneous Settings
10 Authorization with PolKit
10.1 Conceptual Overview
10.2 Authorization Types
10.3 Querying Privileges
10.4 Modifying Configuration Files
10.5 Restoring the Default Privileges
11 Access Control Lists in Linux
11.1 Traditional File Permissions
11.2 Advantages of ACLs
11.3 Definitions
11.4 Handling ACLs
11.5 ACL Support in Applications
11.6 For More Information
12 Encrypting Partitions and Files
12.1 Setting Up an Encrypted File System with YaST
12.2 Using Encrypted Home Directories
12.3 Encrypting Files with GPG
13 Certificate Store
13.1 Activating Certificate Store
13.2 Importing Certificates
14 Intrusion Detection with AIDE
14.1 Why Use AIDE?
14.2 Setting Up an AIDE Database
14.3 Local AIDE Checks
14.4 System Independent Checking
14.5 For More Information
III Network Security
15 SSH: Secure Network Operations
15.1 ssh—Secure Shell
15.2 scp—Secure Copy
15.3 sftp—Secure File Transfer
15.4 The SSH Daemon (sshd)
15.5 SSH Authentication Mechanisms
15.6 Port Forwarding
15.7 For More Information
16 Masquerading and Firewalls
16.1 Packet Filtering with iptables
16.2 Masquerading Basics
16.3 Firewalling Basics
16.4 SuSEFirewall2
16.5 For More Information
17 Configuring a VPN Server
17.1 Conceptual Overview
17.2 Setting Up a Simple Test Scenario
17.3 Setting Up Your VPN Server Using a Certificate Authority
17.4 Setting Up a VPN Server or Client Using YaST
17.5 For More Information
18 Managing X.509 Certification
18.1 The Principles of Digital Certification
18.2 YaST Modules for CA Management
19 Enabling compliance with FIPS 140-2
19.1 FIPS 140-2 overview
19.2 When to enable FIPS mode
19.3 Installing FIPS
19.4 Enabling FIPS mode
19.5 MD5 not supported in Samba/CIFS
IV Confining Privileges with AppArmor
20 Introducing AppArmor
20.1 AppArmor Components
20.2 Background Information on AppArmor Profiling
21 Getting Started
21.1 Installing AppArmor
21.2 Enabling and Disabling AppArmor
21.3 Choosing Applications to Profile
21.4 Building and Modifying Profiles
21.5 Updating Your Profiles
22 Immunizing Programs
22.1 Introducing the AppArmor Framework
22.2 Determining Programs to Immunize
22.3 Immunizing cron Jobs
22.4 Immunizing Network Applications
23 Profile Components and Syntax
23.1 Breaking an AppArmor Profile into Its Parts
23.2 Profile Types
23.3 Include Statements
23.4 Capability Entries (POSIX.1e)
23.5 Network Access Control
23.6 Profile Names, Flags, Paths, and Globbing
23.7 File Permission Access Modes
23.8 Execute Modes
23.9 Resource Limit Control
23.10 Auditing Rules
24 AppArmor Profile Repositories
25 Building and Managing Profiles with YaST
25.1 Manually Adding a Profile
25.2 Editing Profiles
25.3 Deleting a Profile
25.4 Managing AppArmor
26 Building Profiles from the Command Line
26.1 Checking the AppArmor Status
26.2 Building AppArmor Profiles
26.3 Adding or Creating an AppArmor Profile
26.4 Editing an AppArmor Profile
26.5 Unloading Unknown AppArmor Profiles
26.6 Deleting an AppArmor Profile
26.7 Two Methods of Profiling
26.8 Important File Names and Directories
27 Profiling Your Web Applications Using ChangeHat
27.1 Configuring Apache for mod_apparmor
27.2 Managing ChangeHat-Aware Applications
28 Confining Users with pam_apparmor
29 Managing Profiled Applications
29.1 Reacting to Security Event Rejections
29.2 Maintaining Your Security Profiles
30 Support
30.1 Updating AppArmor Online
30.2 Using the Man Pages
30.3 For More Information
30.4 Troubleshooting
30.5 Reporting Bugs for AppArmor
31 AppArmor Glossary
V SELinux
32 Configuring SELinux
32.1 Why Use SELinux?
32.2 Policy
32.3 Installing SELinux Packages and Modifying GRUB 2
32.4 SELinux Policy
32.5 Configuring SELinux
32.6 Managing SELinux
32.7 Troubleshooting
VI The Linux Audit Framework
33 Understanding Linux Audit
33.1 Introducing the Components of Linux Audit
33.2 Configuring the Audit Daemon
33.3 Controlling the Audit System Using auditctl
33.4 Passing Parameters to the Audit System
33.5 Understanding the Audit Logs and Generating Reports
33.6 Querying the Audit Daemon Logs with ausearch
33.7 Analyzing Processes with autrace
33.8 Visualizing Audit Data
33.9 Relaying Audit Event Notifications
34 Setting Up the Linux Audit Framework
34.1 Determining the Components to Audit
34.2 Configuring the Audit Daemon
34.3 Enabling Audit for System Calls
34.4 Setting Up Audit Rules
34.5 Configuring Audit Reports
34.6 Configuring Log Visualization
35 Introducing an Audit Rule Set
35.1 Adding Basic Audit Configuration Parameters
35.2 Adding Watches on Audit Log Files and Configuration Files
35.3 Monitoring File System Objects
35.4 Monitoring Security Configuration Files and Databases
35.5 Monitoring Miscellaneous System Calls
35.6 Filtering System Call Arguments
35.7 Managing Audit Event Records Using Keys
36 Useful Resources
A Achieving PCI DSS Compliance
A.1 What is the PCI DSS?
A.2 Focus of This Document: Areas Relevant to the Operating System
A.3 Requirements in Detail
B GNU Licenses
B.1 GNU Free Documentation License
List of Figures
3.1 NIS Server Setup
3.2 Master Server Setup
3.3 Changing the Directory and Synchronizing Files for a NIS Server
3.4 NIS Server Maps Setup
3.5 Setting Request Permissions for a NIS Server
3.6 Setting Domain and Address of a NIS Server
4.1 YaST Authentication Server Configuration
4.2 YaST LDAP Server—New Database
4.3 YaST Kerberos Authentication
4.4 YaST Editing Authentication Server Configuration
4.5 YaST Authentication Server Database Configuration
5.1 Structure of an LDAP Directory
5.2 LDAP and Kerberos Client Window
6.1 Kerberos Network Topology
6.2 LDAP and Kerberos Client Window
7.1 Schema of Winbind-based Active Directory Authentication
7.2 Main Window of User Logon Management
7.3 Enrolling into a Domain
7.4 Configuration Window of User Logon Management
7.5 Determining Windows Domain Membership
7.6 Providing Administrator Credentials
8.1 Output from spectre-meltdown-checker
9.1 YaST Security Center and Hardening: Security Overview
11.1 Minimum ACL: ACL Entries Compared to Permission Bits
11.2 Extended ACL: ACL Entries Compared to Permission Bits
16.1 iptables: A Packet's Possible Paths
16.2 Firewall Configuration: Allowed Services
17.1 Routed VPN
17.2 Bridged VPN - Scenario 1
17.3 Bridged VPN - Scenario 2
17.4 Bridged VPN - Scenario 3
18.1 YaST CA Module—Basic Data for a Root CA
18.2 YaST CA Module—Using a CA
18.3 Certificates of a CA
18.4 YaST CA Module—Extended Settings
26.1 aa-notify Message in GNOME
27.1 Adminer Login Page
32.1 Selecting all SELinux Packages in YaST
33.1 Introducing the Components of Linux Audit
33.2 Flow Graph—Program versus System Call Relationship
33.3 Bar Chart—Common Event Types
List of Examples
2.1 PAM Configuration for sshd (/etc/pam.d/sshd)
2.2 Default Configuration for the auth Section (common-auth)
2.3 Default Configuration for the account Section (common-account)
2.4 Default Configuration for the password Section (common-password)
2.5 Default Configuration for the session Section (common-session)
2.6 pam_env.conf
5.1 Excerpt from schema.core
5.2 An LDIF File
5.3 ldapadd with example.ldif
5.4 LDIF Data for Tux
5.5 Modified LDIF File tux.ldif
17.1 VPN Server Configuration File
17.2 VPN Client Configuration File
21.1 Output of aa-unconfined
26.1 Learning Mode Exception: Controlling Access to Specific Resources
26.2 Learning Mode Exception: Defining Permissions for an Entry
32.1 Security Context Settings Using ls -Z
32.2 Verifying that SELinux is functional
32.3 Getting a List of Booleans and Verifying Policy Access
32.4 Getting File Context Information
32.5 The default context for directories in the root directory
32.6 Showing SELinux settings for processes with ps Zaux
32.7 Viewing Default File Contexts
32.8 Example Lines from /etc/audit/audit.log
32.9 Analyzing Audit Messages
32.10 Viewing Which Lines Deny Access
32.11 Creating a Policy Module Allowing an Action Previously Denied
33.1 Example output of auditctl -s
33.2 Example Audit Rules—Audit System Parameters
33.3 Example Audit Rules—File System Auditing
33.4 Example Audit Rules—System Call Auditing
33.5 Deleting Audit Rules and Events
33.6 Listing Rules with auditctl -l
33.7 A Simple Audit Event—Viewing the Audit Log
33.8 An Advanced Audit Event—Login via SSH
33.9 Example /etc/audisp/audispd.conf
33.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006– 2022 SUSE LLC y colaboradores. Reservados todos los derechos.

Está permitido copiar, distribuir y modificar este documento según los términos de la licencia de documentación gratuita GNU, versión 1.2 o (según su criterio) versión 1.3. Este aviso de copyright y licencia deberán permanecer inalterados. En la sección titulada GNU Free Documentation License (Licencia de documentación gratuita GNU) se incluye una copia de la versión 1.2 de la licencia.

Para obtener información sobre las marcas comerciales de SUSE, consulte http://www.suse.com/company/legal/. Todas las marcas comerciales de otros fabricantes son propiedad de sus respectivas empresas. Los símbolos de marca comercial (®,™ etc.) indican marcas comerciales de SUSE y sus afiliados. Los asteriscos (*) indican marcas comerciales de otros fabricantes.

Toda la información recogida en esta publicación se ha compilado prestando toda la atención posible al más mínimo detalle. Sin embargo, esto no garantiza una precisión total. Ni SUSE LLC, ni sus filiales, ni los autores o traductores serán responsables de los posibles errores o las consecuencias que de ellos pudieran derivarse.

Print this page