This guide introduces basic concepts of system security and describes the usage of security software included with the product, such as AppArmor, SELinux, or the auditing system. The guide also supports system administrators in hardening an installation.
- Preface
- 1 Security and confidentiality
- I Authentication- 2 Authentication with PAM
- 3 Using NIS
- 4 Setting up authentication clients using YaST
- 5 LDAP with 389 Directory Server- 5.1 Structure of an LDAP directory tree
- 5.2 Creating and managing a Docker container for 389 Directory Server
- 5.3 Installing 389 Directory Server
- 5.4 Firewall configuration
- 5.5 Backing up and restoring 389 Directory Server
- 5.6 Managing LDAP users and groups
- 5.7 Managing plug-ins
- 5.8 Using SSSD to manage LDAP authentication
- 5.9 Migrating to 389 Directory Server from OpenLDAP
- 5.10 Importing TLS server certificates and keys
- 5.11 Setting up replication
- 5.12 Synchronizing with Microsoft Active Directory
- 5.13 More information
 
- 6 Network authentication with Kerberos
- 7 Active Directory support
- 8 Setting up a freeRADIUS server
 
- II Local security- 9 Physical security
- 10 Software management
- 11 File management
- 12 Encrypting partitions and files
- 13 Storage encryption for hosted applications with cryptctl- 13.1 Setting up a cryptctlserver
- 13.2 Setting up a cryptctlclient
- 13.3 Configuring /etc/fstab for LUKS volumes
- 13.4 Checking partition unlock status using server-side commands
- 13.5 Unlocking encrypted partitions manually
- 13.6 Maintenance downtime procedure
- 13.7 Setting up an HA environment for cryptctl-server service
- 13.8 More information
 
- 13.1 Setting up a 
- 14 User management- 14.1 Various account checks
- 14.2 Enabling password aging
- 14.3 Stronger password enforcement
- 14.4 Password and login management with PAM
- 14.5 Restricting rootlogins
- 14.6 Restricting sudousers
- 14.7 Setting an inactivity timeout for interactive shell sessions
- 14.8 Preventing accidental denial of service
- 14.9 Displaying login banners
- 14.10 Connection accounting utilities
 
- 15 Restricting cronandat
- 16 Spectre/Meltdown checker
- 17 Configuring security settings with YaST
- 18 The Polkit authentication framework
- 19 Access control lists in Linux
- 20 Intrusion detection with AIDE
 
- III Network security- 21 X Window System and X authentication
- 22 Securing network operations with OpenSSH- 22.1 OpenSSH overview
- 22.2 Server hardening
- 22.3 Password authentication
- 22.4 Managing user and host encryption keys
- 22.5 Rotating host keys
- 22.6 Public key authentication
- 22.7 Passphrase-less public key authentication
- 22.8 OpenSSH certificate authentication
- 22.9 Automated public key logins with gnome-keyring
- 22.10 Automated public key logins with ssh-agent
- 22.11 Changing an SSH private key passphrase
- 22.12 Retrieving a key fingerprint
- 22.13 Starting X11 applications on a remote host
- 22.14 Agent forwarding
- 22.15 scp—secure copy
- 22.16 sftp—secure file transfer
- 22.17 Port forwarding (SSH tunneling)
- 22.18 More information
- 22.19 Stopping SSH brute force attacks with Fail2Ban
 
- 23 Masquerading and firewalls
- 24 Configuring a VPN server
- 25 Managing a PKI with XCA, X certificate and key manager
- 26 Improving network security with sysctlvariables
 
- IV Regulations and compliance
- V Confining privileges with AppArmor- 29 Introducing AppArmor
- 30 Getting started
- 31 Immunizing programs
- 32 Profile components and syntax- 32.1 Breaking an AppArmor profile into its parts
- 32.2 Profile types
- 32.3 Include statements
- 32.4 Capability entries (POSIX.1e)
- 32.5 Network access control
- 32.6 Profile names, flags, paths, and globbing
- 32.7 File permission access modes
- 32.8 Mount rules
- 32.9 Pivot root rules
- 32.10 PTrace rules
- 32.11 Signal rules
- 32.12 Execute modes
- 32.13 Resource limit control
- 32.14 Auditing rules
 
- 33 AppArmor profile repositories
- 34 Building and managing profiles with YaST
- 35 Building profiles from the command line
- 36 Profiling your Web applications using ChangeHat
- 37 Confining users with pam_apparmor
- 38 Managing profiled applications
- 39 Support
- 40 AppArmor glossary
 
- VI The Linux Audit Framework- 41 Understanding Linux audit- 41.1 Introducing the components of Linux audit
- 41.2 Configuring the audit daemon
- 41.3 Controlling the audit system using auditctl
- 41.4 Passing parameters to the audit system
- 41.5 Understanding the audit logs and generating reports
- 41.6 Querying the audit daemon logs with ausearch
- 41.7 Analyzing processes with autrace
- 41.8 Visualizing audit data
- 41.9 Relaying audit event notifications
 
- 42 Setting up the Linux audit framework
- 43 Introducing an audit rule set- 43.1 Adding basic audit configuration parameters
- 43.2 Adding watches on audit log files and configuration files
- 43.3 Monitoring file system objects
- 43.4 Monitoring security configuration files and databases
- 43.5 Monitoring miscellaneous system calls
- 43.6 Filtering system call arguments
- 43.7 Managing audit event records using keys
 
- 44 Useful resources
 
- 41 Understanding Linux audit
- A GNU licenses
- 3.1 Setting domain and address of a NIS server
- 5.1 Structure of an LDAP directory
- 7.1 Schema of Winbind-based Active Directory authentication
- 7.2 Main window of
- 7.3 Enrolling into a domain
- 7.4 Configuration window of
- 7.5 Determining Windows domain membership
- 7.6 Providing administrator credentials
- 13.1 Key retrieval with cryptctl(model without connection to KMIP server)
- 16.1 Output from spectre-meltdown-checker
- 17.1 YaST security center and hardening: security overview
- 19.1 Minimum ACL: ACL entries compared to permission bits
- 19.2 Extended ACL: ACL entries compared to permission bits
- 22.1 jail.local file settings
- 23.1 iptables: a packet's possible paths
- 24.1 Routed VPN
- 24.2 Bridged VPN - scenario 1
- 24.3 Bridged VPN - scenario 2
- 24.4 Bridged VPN - scenario 3
- 25.1 Create a new XCA database
- 35.1 aa-notify Message in GNOME
- 36.1 Adminer login page
- 41.1 Introducing the components of Linux audit
- 41.2 Flow graph—program versus system call relationship
- 41.3 Bar chart—common event types
- 5.1 Commonly used object classes and attributes
- 13.1 List of all parameters to define the resource group with the cryptctl crm script.
- 14.1 Sample rules/constraints for password enforcement
- 19.1 ACL entry types
- 19.2 Masking access permissions
- 20.1 Important AIDE check boxes
- 23.1 Important sysconfig variables for static port configuration
- 39.1 Man pages: sections and categories
- 41.1 Audit status flags
- 2.1 PAM configuration for sshd (/etc/pam.d/sshd)
- 2.2 Default configuration for the authsection (common-auth)
- 2.3 Default configuration for the accountsection (common-account)
- 2.4 Default configuration for the passwordsection (common-password)
- 2.5 Default configuration for the sessionsection (common-session)
- 2.6 pam_env.conf
- 5.1 Excerpt from CN=schema
- 5.2 Minimal 389 Directory Server instance configuration file
- 5.3 A .dsrcfile for local administration
- 5.4 Two supplier replicas
- 5.5 Four supplier replicas
- 5.6 Six replicas
- 5.7 Six replicas with read-only consumers
- 9.1 Configuration
- 22.1 Example sshd_config
- 23.1 Callback port configuration for the nfskernel module in/etc/modprobe.d/60-nfs.conf
- 23.2 Commands to define a new firewalldRPC service for NFS
- 24.1 VPN server configuration file
- 24.2 VPN client configuration file
- 30.1 Output of aa-unconfined
- 35.1 Learning mode exception: controlling access to specific resources
- 35.2 Learning mode exception: defining permissions for an entry
- 41.1 Default /etc/audit/auditd.conf
- 41.2 Example output of auditctl-s
- 41.3 Example audit rules—audit system parameters
- 41.4 Example audit rules—file system auditing
- 41.5 Example audit rules—system call auditing
- 41.6 Deleting audit rules and events
- 41.7 Listing rules with auditctl-l
- 41.8 A simple audit event—viewing the audit log
- 41.9 An advanced audit event—login via SSH
- 41.10 Example /etc/audit/auditd.conf
- 41.11 Example /etc/audit/plugins.d/syslog.conf
Copyright © 2006–2025 SUSE LLC and contributors. All rights reserved.
この文書は、GNUフリー文書ライセンスのバージョン1.2または(オプションとして)バージョン1.3の条項に従って、複製、頒布、および/または改変が許可されています。ただし、この著作権表示およびライセンスは変更せずに記載すること。ライセンスバージョン1.2のコピーは、「GNUフリー文書ライセンス」セクションに含まれています。
SUSEの商標については、https://www.suse.com/company/legal/を参照してください。サードパーティ各社とその製品の商標は、所有者であるそれぞれの会社に所属します。商標記号(®、™など)は、SUSEおよびその関連会社の商標を示します。アスタリスク(*)は、第三者の商標を示します。
本書のすべての情報は、細心の注意を払って編集されています。しかし、このことは絶対に正確であることを保証するものではありません。SUSE LLC、その関係者、著者、翻訳者のいずれも誤りまたはその結果に対して一切責任を負いかねます。