Security and Hardening Guide
  1. About This Guide
  2. 1 Security and Confidentiality
  3. 2 Common Criteria
  4. I Authentication
    1. 3 Authentication with PAM
    2. 4 Using NIS
    3. 5 Setting Up Authentication Clients Using YaST
    4. 6 LDAP with 389 Directory Server
    5. 7 Network Authentication with Kerberos
    6. 8 Active Directory Support
    7. 9 Setting Up a FreeRADIUS Server
  5. II Local Security
    1. 10 Physical Security
    2. 11 Software Management
    3. 12 File Management
    4. 13 Encrypting Partitions and Files
    5. 14 Storage Encryption for Hosted Applications with cryptctl
    6. 15 User Management
    7. 16 Restricting cron and at
    8. 17 Spectre/Meltdown Checker
    9. 18 Configuring Security Settings with YaST
    10. 19 The Polkit authentication framework
    11. 20 Access Control Lists in Linux
    12. 21 Intrusion Detection with AIDE
  6. III Network Security
    1. 22 X Window System and X Authentication
    2. 23 Securing network operations with OpenSSH
    3. 24 Masquerading and Firewalls
    4. 25 Configuring a VPN Server
    5. 26 Improving Network Security with sysctl Variables
    6. 27 Enabling compliance with FIPS 140-2
  7. IV Confining Privileges with AppArmor
    1. 28 Introducing AppArmor
    2. 29 Getting Started
    3. 30 Immunizing Programs
    4. 31 Profile Components and Syntax
    5. 32 AppArmor Profile Repositories
    6. 33 Building and Managing Profiles with YaST
    7. 34 Building Profiles from the Command Line
    8. 35 Profiling Your Web Applications Using ChangeHat
    9. 36 Confining Users with pam_apparmor
    10. 37 Managing Profiled Applications
    11. 38 Support
    12. 39 AppArmor Glossary
  8. V SELinux
    1. 40 Configuring SELinux
  9. VI The Linux Audit Framework
    1. 41 Understanding Linux Audit
    2. 42 Setting Up the Linux Audit Framework
    3. 43 Introducing an Audit Rule Set
    4. 44 Useful Resources
  10. A Payment Card Industry Data Security Standard (PCI DSS)
  11. B GNU Licenses
SUSE Linux Enterprise Server 15 SP2

Security and Hardening Guide


Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product's built-in security software, such as AppArmor, SELinux, and the auditing system, which reliably collects information about security-relevant events. Supports the administrator with security-related choices and decisions when installing and setting up a secure SUSE Linux Enterprise Server, and with additional processes to further secure and harden that installation.

Publication Date: July 26, 2022
About This Guide
Available Documentation
Giving Feedback
Documentation Conventions
Product Life Cycle and Support
1 Security and Confidentiality
1.1 Overview
1.2 Passwords
1.3 System Integrity
1.4 File Access
1.5 Networking
1.6 Software Vulnerabilities
1.7 Malware
1.8 Important Security Tips
1.9 Reporting Security Issues
2 Common Criteria
2.1 Introduction
2.2 Evaluation Assurance Level (EAL)
2.3 Generic Guiding Principles
2.4 For More Information
I Authentication
3 Authentication with PAM
3.1 What is PAM?
3.2 Structure of a PAM Configuration File
3.3 The PAM Configuration of sshd
3.4 Configuration of PAM Modules
3.5 Configuring PAM Using pam-config
3.6 Manually Configuring PAM
3.7 For More Information
4 Using NIS
4.1 Configuring NIS Servers
4.2 Configuring NIS Clients
5 Setting Up Authentication Clients Using YaST
5.1 Configuring an Authentication Client with YaST
5.2 SSSD
6 LDAP with 389 Directory Server
6.1 Structure of an LDAP directory tree
6.2 Installing 389 Directory Server
6.3 Firewall configuration
6.4 Backing up and restoring 389 Directory Server
6.5 Managing LDAP users and groups
6.6 Using SSSD to manage LDAP authentication
6.7 Managing modules
6.8 Importing TLS server certificates and keys
6.9 Setting up replication
6.10 Synchronizing with Microsoft Active Directory
6.11 More information
7 Network Authentication with Kerberos
7.1 Conceptual Overview
7.2 Kerberos Terminology
7.3 How Kerberos Works
7.4 User View of Kerberos
7.5 Installing and Administering Kerberos
7.6 Setting up Kerberos using LDAP and Kerberos Client
7.7 Kerberos and NFS
7.8 For More Information
8 Active Directory Support
8.1 Integrating Linux and Active Directory Environments
8.2 Background Information for Linux Active Directory Support
8.3 Configuring a Linux Client for Active Directory
8.4 Logging In to an Active Directory Domain
8.5 Changing Passwords
9 Setting Up a FreeRADIUS Server
9.1 Installation and Testing on SUSE Linux Enterprise
II Local Security
10 Physical Security
10.1 System Locks
10.2 Locking Down the BIOS
10.3 Security via the Boot Loaders
10.4 Retiring Linux Servers with Sensitive Data
10.5 Restricting Access to Removable Media
11 Software Management
11.1 Removing Unnecessary Software Packages (RPMs)
11.2 Patching Linux Systems
12 File Management
12.1 Disk Partitions
12.2 Modifying permissions of certain system files
12.3 Changing Home Directory Permissions from 755 to 700
12.4 Default umask
12.5 SUID/SGID Files
12.6 World-Writable Files
12.7 Orphaned or Unowned Files
13 Encrypting Partitions and Files
13.1 Setting Up an Encrypted File System with YaST
13.2 Encrypting Files with GPG
14 Storage Encryption for Hosted Applications with cryptctl
14.1 Setting Up a cryptctl Server
14.2 Setting Up a cryptctl Client
14.3 Checking Partition Unlock Status Using Server-side Commands
14.4 Unlocking Encrypted Partitions Manually
14.5 Maintenance Downtime Procedure
14.6 For More Information
15 User Management
15.1 Various Account Checks
15.2 Enabling Password Aging
15.3 Stronger Password Enforcement
15.4 Password and Login Management with PAM
15.5 Restricting root Logins
15.6 Restricting sudo Users
15.7 Setting an Inactivity Timeout for Interactive Shell Sessions
15.8 Preventing Accidental Denial of Service
15.9 Displaying Login Banners
15.10 Connection Accounting Utilities
16 Restricting cron and at
16.1 Restricting the cron Daemon
16.2 Restricting the at scheduler
17 Spectre/Meltdown Checker
17.1 Using spectre-meltdown-checker
17.2 Additional Information about Spectre/Meltdown
18 Configuring Security Settings with YaST
18.1 Security Overview
18.2 Predefined Security Configurations
18.3 Password Settings
18.4 Boot Settings
18.5 Login Settings
18.6 User Addition
18.7 Miscellaneous Settings
19 The Polkit authentication framework
19.1 Conceptual overview
19.2 Authorization types
19.3 Querying Privileges
19.4 Modifying Polkit Configuration
19.5 Restoring the SUSE default privileges
20 Access Control Lists in Linux
20.1 Traditional File Permissions
20.2 Advantages of ACLs
20.3 Definitions
20.4 Handling ACLs
20.5 ACL Support in Applications
20.6 For More Information
21 Intrusion Detection with AIDE
21.1 Why Use AIDE?
21.2 Setting Up an AIDE Database
21.3 Local AIDE Checks
21.4 System Independent Checking
21.5 For More Information
III Network Security
22 X Window System and X Authentication
23 Securing network operations with OpenSSH
23.1 OpenSSH overview
23.2 Server hardening
23.3 Password authentication
23.4 Managing client and host encryption keys
23.5 Rotating host keys
23.6 Public key authentication
23.7 Passphrase-less public key authentication
23.8 Automatic public key logins
23.9 Changing an SSH private key passphrase
23.10 Retrieving a key fingerprint
23.11 Starting X11 applications on a remote host
23.12 Agent forwarding
23.13 scp—secure copy
23.14 sftp—secure file transfer
23.15 Port forwarding (SSH tunneling)
23.16 More information
24 Masquerading and Firewalls
24.1 Packet Filtering with iptables
24.2 Masquerading Basics
24.3 Firewalling Basics
24.4 firewalld
24.5 Migrating from SuSEfirewall2
24.6 For More Information
25 Configuring a VPN Server
25.1 Conceptual Overview
25.2 Setting Up a Simple Test Scenario
25.3 Setting Up Your VPN Server Using a Certificate Authority
25.4 Setting Up a VPN Server or Client Using YaST
25.5 For More Information
26 Improving Network Security with sysctl Variables
27 Enabling compliance with FIPS 140-2
27.1 FIPS 140-2 overview
27.2 When to enable FIPS mode
27.3 Installing FIPS
27.4 Enabling FIPS mode
27.5 MD5 not supported in Samba/CIFS
IV Confining Privileges with AppArmor
28 Introducing AppArmor
28.1 AppArmor Components
28.2 Background Information on AppArmor Profiling
29 Getting Started
29.1 Installing AppArmor
29.2 Enabling and Disabling AppArmor
29.3 Choosing Applications to Profile
29.4 Building and Modifying Profiles
29.5 Updating Your Profiles
30 Immunizing Programs
30.1 Introducing the AppArmor Framework
30.2 Determining Programs to Immunize
30.3 Immunizing cron Jobs
30.4 Immunizing Network Applications
31 Profile Components and Syntax
31.1 Breaking an AppArmor Profile into Its Parts
31.2 Profile Types
31.3 Include Statements
31.4 Capability Entries (POSIX.1e)
31.5 Network Access Control
31.6 Profile Names, Flags, Paths, and Globbing
31.7 File Permission Access Modes
31.8 Mount Rules
31.9 Pivot Root Rules
31.10 PTrace Rules
31.11 Signal Rules
31.12 Execute Modes
31.13 Resource Limit Control
31.14 Auditing Rules
32 AppArmor Profile Repositories
33 Building and Managing Profiles with YaST
33.1 Manually Adding a Profile
33.2 Editing Profiles
33.3 Deleting a Profile
33.4 Managing AppArmor
34 Building Profiles from the Command Line
34.1 Checking the AppArmor Status
34.2 Building AppArmor Profiles
34.3 Adding or Creating an AppArmor Profile
34.4 Editing an AppArmor Profile
34.5 Unloading Unknown AppArmor Profiles
34.6 Deleting an AppArmor Profile
34.7 Two Methods of Profiling
34.8 Important File Names and Directories
35 Profiling Your Web Applications Using ChangeHat
35.1 Configuring Apache for mod_apparmor
35.2 Managing ChangeHat-Aware Applications
36 Confining Users with pam_apparmor
37 Managing Profiled Applications
37.1 Reacting to Security Event Rejections
37.2 Maintaining Your Security Profiles
38 Support
38.1 Updating AppArmor Online
38.2 Using the Man Pages
38.3 For More Information
38.4 Troubleshooting
38.5 Reporting Bugs for AppArmor
39 AppArmor Glossary
V SELinux
40 Configuring SELinux
40.1 Why use SELinux?
40.2 SELinux policy overview
40.3 Installing SELinux packages
40.4 Installing an SELinux policy
40.5 Modifying the GRUB 2 bootloader
40.6 Configuring SELinux
40.7 Managing SELinux
40.8 Troubleshooting
VI The Linux Audit Framework
41 Understanding Linux Audit
41.1 Introducing the Components of Linux Audit
41.2 Configuring the Audit Daemon
41.3 Controlling the Audit System Using auditctl
41.4 Passing Parameters to the Audit System
41.5 Understanding the Audit Logs and Generating Reports
41.6 Querying the Audit Daemon Logs with ausearch
41.7 Analyzing Processes with autrace
41.8 Visualizing Audit Data
41.9 Relaying Audit Event Notifications
42 Setting Up the Linux Audit Framework
42.1 Determining the Components to Audit
42.2 Configuring the Audit Daemon
42.3 Enabling Audit for System Calls
42.4 Setting Up Audit Rules
42.5 Configuring Audit Reports
42.6 Configuring Log Visualization
43 Introducing an Audit Rule Set
43.1 Adding Basic Audit Configuration Parameters
43.2 Adding Watches on Audit Log Files and Configuration Files
43.3 Monitoring File System Objects
43.4 Monitoring Security Configuration Files and Databases
43.5 Monitoring Miscellaneous System Calls
43.6 Filtering System Call Arguments
43.7 Managing Audit Event Records Using Keys
44 Useful Resources
A Payment Card Industry Data Security Standard (PCI DSS)
B GNU Licenses
B.1 GNU Free Documentation License
List of Examples
3.1 PAM Configuration for sshd (/etc/pam.d/sshd)
3.2 Default Configuration for the auth Section (common-auth)
3.3 Default Configuration for the account Section (common-account)
3.4 Default Configuration for the password Section (common-password)
3.5 Default Configuration for the session Section (common-session)
3.6 pam_env.conf
6.1 Excerpt from CN=schema
6.2 Minimal 389 Directory Server instance configuration file
6.3 A .dsrc file for local administration
6.4 Two supplier replicas
6.5 Four supplier replicas
6.6 Six replicas
6.7 Six replicas with read-only consumers
7.1 Example KDC Configuration, /etc/krb5.conf
23.1 Example sshd.conf
24.1 Callback Port Configuration for the nfs Kernel Module in /etc/modprobe.d/60-nfs.conf
24.2 Commands to Define a new firewalld RPC Service for NFS
25.1 VPN Server Configuration File
25.2 VPN Client Configuration File
29.1 Output of aa-unconfined
34.1 Learning Mode Exception: Controlling Access to Specific Resources
34.2 Learning Mode Exception: Defining Permissions for an Entry
40.1 Security context settings using ls -Z
40.2 Verifying that SELinux is functional
40.3 Getting a list of booleans and verifying policy access
40.4 Getting file context information
40.5 The default context for directories in the root directory
40.6 Showing SELinux settings for processes with ps Zaux
40.7 Viewing default file contexts
40.8 Example lines from /etc/audit/audit.log
40.9 Analyzing audit messages
40.10 Viewing which lines deny access
40.11 Creating a policy module allowing an action previously denied
41.1 Example output of auditctl -s
41.2 Example Audit Rules—Audit System Parameters
41.3 Example Audit Rules—File System Auditing
41.4 Example Audit Rules—System Call Auditing
41.5 Deleting Audit Rules and Events
41.6 Listing Rules with auditctl -l
41.7 A simple audit event—viewing the audit log
41.8 An Advanced Audit Event—Login via SSH
41.9 Example /etc/audisp/audispd.conf
41.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006–2022 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and modify this document under the terms of the GNU Free Documentation License, version 1.2 or (at your option) version 1.3. This copyright notice and license must remain unchanged. A copy of version 1.2 of the license is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see https://www.suse.com/company/legal/. All third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information in this publication has been compiled with the utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.
