SUSE Linux Enterprise Server 15 SP3

Security and Hardening Guide

This guide introduces basic concepts of system security and describes the usage of security software included with the product, such as AppArmor, SELinux, or the auditing system. The guide also supports system administrators in hardening an installation.

Publication Date: December 03, 2021
Preface
Available documentation
Improving the documentation
Documentation conventions
Support
1 Security and confidentiality
1.1 Overview
1.2 Passwords
1.3 Backups
1.4 System integrity
1.5 File access
1.6 Networking
1.7 Software vulnerabilities
1.8 Malware
1.9 Important security tips
1.10 Reporting security issues
2 Common Criteria
2.1 Introduction
2.2 Evaluation Assurance Level (EAL)
2.3 Generic guiding principles
2.4 More information
I Authentication
3 Authentication with PAM
3.1 What is PAM?
3.2 Structure of a PAM configuration file
3.3 The PAM configuration of sshd
3.4 Configuration of PAM modules
3.5 Configuring PAM using pam-config
3.6 Manually configuring PAM
3.7 More information
4 Using NIS
4.1 Configuring NIS servers
4.2 Configuring NIS clients
5 Setting up authentication clients using YaST
5.1 Configuring an authentication client with YaST
5.2 SSSD
6 LDAP with 389 Directory Server
6.1 Structure of an LDAP directory tree
6.2 Installing 389 Directory Server
6.3 Firewall configuration
6.4 Backing up and restoring 389 Directory Server
6.5 Managing LDAP users and groups
6.6 Using SSSD to manage authentication
6.7 Managing modules
6.8 Migrating to 389 Directory Server from OpenLDAP
6.9 Importing TLS server certificates and keys
6.10 Setting up replication
6.11 More information
7 Network authentication with Kerberos
7.1 Conceptual overview
7.2 Kerberos terminology
7.3 How Kerberos works
7.4 User view of Kerberos
7.5 Installing and administering Kerberos
7.6 Kerberos and NFS
7.7 More information
8 Active Directory support
8.1 Integrating Linux and Active Directory environments
8.2 Background information for Linux Active Directory support
8.3 Configuring a Linux client for Active Directory
8.4 Logging in to an Active Directory domain
8.5 Changing passwords
9 Setting up a freeRADIUS server
9.1 Installation and testing on SUSE Linux Enterprise
II Local security
10 Physical security
10.1 System locks
10.2 Locking down the BIOS
10.3 Security via the boot loaders
10.4 Retiring Linux servers with sensitive data
10.5 Restricting access to removable media
11 Software management
11.1 Removing unnecessary software packages (RPMs)
11.2 Patching Linux systems
12 File management
12.1 Disk partitions
12.2 Modifying permissions of certain system files
12.3 Changing home directory permissions from 755 to 700
12.4 Default umask
12.5 SUID/SGID files
12.6 World-writable files
12.7 Orphaned or unowned files
13 Encrypting partitions and files
13.1 Setting up an encrypted file system with YaST
13.2 Encrypting files with GPG
14 Storage encryption for hosted applications with cryptctl
14.1 Setting up a cryptctl server
14.2 Setting up a cryptctl client
14.3 Checking partition unlock status using server-side commands
14.4 Unlocking encrypted partitions manually
14.5 Maintenance downtime procedure
14.6 More information
15 User management
15.1 Various account checks
15.2 Enabling password aging
15.3 Stronger password enforcement
15.4 Password and login management with PAM
15.5 Restricting root logins
15.6 Restricting sudo users
15.7 Setting an inactivity timeout for interactive shell sessions
15.8 Preventing accidental denial of service
15.9 Displaying login banners
15.10 Connection accounting utilities
16 Restricting cron and at
16.1 Restricting the cron daemon
16.2 Restricting the at scheduler
17 Spectre/Meltdown checker
17.1 Using spectre-meltdown-checker
17.2 More information
18 Configuring security settings with YaST
18.1 Security overview
18.2 Predefined security configurations
18.3 Password settings
18.4 Boot settings
18.5 Login settings
18.6 User addition
18.7 Miscellaneous settings
19 Authorization with PolKit
19.1 Conceptual overview
19.2 Authorization types
19.3 Querying privileges
19.4 Modifying configuration files
19.5 Restoring the default privileges
20 Access control lists in Linux
20.1 Traditional file permissions
20.2 Advantages of ACLs
20.3 Definitions
20.4 Handling ACLs
20.5 ACL support in applications
20.6 More information
21 Certificate store
21.1 Activating certificate store
21.2 Importing certificates
22 Intrusion detection with AIDE
22.1 Why use AIDE?
22.2 Setting up an AIDE database
22.3 Local AIDE checks
22.4 System independent checking
22.5 More information
III Network security
23 X Window System and X authentication
24 SSH: secure network operations
24.1 ssh—secure shell
24.2 scp—secure copy
24.3 sftp—secure file transfer
24.4 The SSH daemon (sshd)
24.5 SSH authentication mechanisms
24.6 Restricting SSH logins
24.7 Port forwarding
24.8 Adding and removing public keys on an installed system
24.9 More information
25 Masquerading and firewalls
25.1 Packet filtering with iptables
25.2 Masquerading basics
25.3 Firewalling basics
25.4 firewalld
25.5 Migrating from SuSEfirewall2
25.6 More information
26 Configuring a VPN server
26.1 Conceptual overview
26.2 Setting up a simple test scenario
26.3 Setting up your VPN server using a certificate authority
26.4 Setting up a VPN server or client using YaST
26.5 More information
27 Managing a PKI with XCA, X certificate and key manager
27.1 Installing XCA
27.2 Creating a new PKI
28 Improving network security with sysctl variables
29 Enabling FIPS 140-2
29.1 Enabling FIPS
IV Confining privileges with AppArmor
30 Introducing AppArmor
30.1 AppArmor components
30.2 Background information on AppArmor profiling
31 Getting started
31.1 Installing AppArmor
31.2 Enabling and disabling AppArmor
31.3 Choosing applications to profile
31.4 Building and modifying profiles
31.5 Updating your profiles
32 Immunizing programs
32.1 Introducing the AppArmor framework
32.2 Determining programs to immunize
32.3 Immunizing cron jobs
32.4 Immunizing network applications
33 Profile components and syntax
33.1 Breaking an AppArmor profile into its parts
33.2 Profile types
33.3 Include statements
33.4 Capability entries (POSIX.1e)
33.5 Network access control
33.6 Profile names, flags, paths, and globbing
33.7 File permission access modes
33.8 Mount rules
33.9 Pivot root rules
33.10 PTrace rules
33.11 Signal rules
33.12 Execute modes
33.13 Resource limit control
33.14 Auditing rules
34 AppArmor profile repositories
35 Building and managing profiles with YaST
35.1 Manually adding a profile
35.2 Editing profiles
35.3 Deleting a profile
35.4 Managing AppArmor
36 Building profiles from the command line
36.1 Checking the AppArmor status
36.2 Building AppArmor profiles
36.3 Adding or creating an AppArmor profile
36.4 Editing an AppArmor profile
36.5 Unloading unknown AppArmor profiles
36.6 Deleting an AppArmor profile
36.7 Two methods of profiling
36.8 Important file names and directories
37 Profiling your Web applications using ChangeHat
37.1 Configuring Apache for mod_apparmor
37.2 Managing ChangeHat-aware applications
38 Confining users with pam_apparmor
39 Managing profiled applications
39.1 Reacting to security event rejections
39.2 Maintaining your security profiles
40 Support
40.1 Updating AppArmor online
40.2 Using the man pages
40.3 More information
40.4 Troubleshooting
40.5 Reporting bugs for AppArmor
41 AppArmor glossary
V SELinux
42 Configuring SELinux
42.1 Why use SELinux?
42.2 Installing SELinux packages and modifying GRUB 2
42.3 SELinux policy
42.4 Configuring SELinux
42.5 Managing SELinux
42.6 Troubleshooting
VI The Linux Audit Framework
43 Understanding Linux audit
43.1 Introducing the components of Linux audit
43.2 Configuring the audit daemon
43.3 Controlling the audit system using auditctl
43.4 Passing parameters to the audit system
43.5 Understanding the audit logs and generating reports
43.6 Querying the audit daemon logs with ausearch
43.7 Analyzing processes with autrace
43.8 Visualizing audit data
43.9 Relaying audit event notifications
44 Setting up the Linux audit framework
44.1 Determining the components to audit
44.2 Configuring the audit daemon
44.3 Enabling audit for system calls
44.4 Setting up audit rules
44.5 Configuring audit reports
44.6 Configuring log visualization
45 Introducing an audit rule set
45.1 Adding basic audit configuration parameters
45.2 Adding watches on audit log files and configuration files
45.3 Monitoring file system objects
45.4 Monitoring security configuration files and databases
45.5 Monitoring miscellaneous system calls
45.6 Filtering system call arguments
45.7 Managing audit event records using keys
46 Useful resources
A Achieving PCI DSS compliance
A.1 What is the PCI DSS?
A.2 Focus of this document: areas relevant to the operating system
A.3 Requirements in detail
B GNU licenses
B.1 GNU free documentation license
List of Examples
3.1 PAM configuration for sshd (/etc/pam.d/sshd)
3.2 Default configuration for the auth section (common-auth)
3.3 Default configuration for the account section (common-account)
3.4 Default configuration for the password section (common-password)
3.5 Default configuration for the session section (common-session)
3.6 pam_env.conf
6.1 Excerpt from CN=schema
6.2 Minimal 389 Directory Server instance configuration file
6.3 A .dsrc file for local administration
6.4 Two supplier replicas
6.5 Four supplier replicas
6.6 Six replicas
6.7 Six replicas with read-only consumers
7.1 Example KDC configuration, /etc/krb5.conf
25.1 Callback port configuration for the nfs kernel module in /etc/modprobe.d/60-nfs.conf
25.2 Commands to define a new firewalld RPC service for NFS
26.1 VPN server configuration file
26.2 VPN client configuration file
31.1 Output of aa-unconfined
36.1 Learning mode exception: controlling access to specific resources
36.2 Learning mode exception: defining permissions for an entry
42.1 Verifying that SELinux is functional
42.2 Getting a list of booleans and verifying policy access
42.3 Getting file context information
42.4 The default context for directories in the root directory
42.5 Showing SELinux settings for processes with ps Zaux
42.6 Viewing default file contexts
42.7 Example lines from /etc/audit/audit.log
42.8 Analyzing audit messages
42.9 Viewing which lines deny access
42.10 Creating a policy module allowing an action previously denied
43.1 Example output of auditctl -s
43.2 Example audit rules—audit system parameters
43.3 Example audit rules—file system auditing
43.4 Example audit rules—system call auditing
43.5 Deleting audit rules and events
43.6 Listing rules with auditctl -l
43.7 A simple audit event—viewing the audit log
43.8 An advanced audit event—login via SSH
43.9 Example /etc/audisp/audispd.conf
43.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006–2021 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and modify this document under the terms of the GNU Free Documentation License, version 1.2 or (at your option) version 1.3. This copyright and license notice must remain unchanged. A copy of version 1.2 of the license is included in the section titled GNU Free Documentation License.

For SUSE trademarks, see https://www.suse.com/company/legal/. All third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information in this publication has been compiled with the utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.
