Contents
Security Guide
- About This Guide
- 1 Security and Confidentiality
- I Authentication
- II Local Security
- III Network Security
- IV Confining Privileges with AppArmor
- 18 Introducing AppArmor
- 19 Getting Started
- 20 Immunizing Programs
- 21 Profile Components and Syntax
- 22 AppArmor Profile Repositories
- 23 Building and Managing Profiles with YaST
- 24 Building Profiles from the Command Line
- 25 Profiling Your Web Applications Using ChangeHat
- 26 Confining Users with
pam_apparmor - 27 Managing Profiled Applications
- 28 Support
- 29 AppArmor Glossary
- V SELinux
- VI The Linux Audit Framework
- A GNU Licenses
- About This Guide
- 1 Security and Confidentiality
- I Authentication
- 2 Authentication with PAM
- 3 Using NIS
- 4 LDAP—A Directory Service
- 4.1 LDAP versus NIS
- 4.2 Structure of an LDAP Directory Tree
- 4.3 Configuring an LDAP Server with YaST
- 4.4 Configuring an LDAP Client with YaST
- 4.5 Configuring LDAP Users and Groups in YaST
- 4.6 Browsing the LDAP Directory Tree
- 4.7 Manually Configuring an LDAP Server
- 4.8 Manually Administering LDAP Data
- 4.9 For More Information
- 5 Active Directory Support
- 6 Network Authentication with Kerberos
- 7 Using the Fingerprint Reader
- II Local Security
- III Network Security
- IV Confining Privileges with AppArmor
- 18 Introducing AppArmor
- 19 Getting Started
- 20 Immunizing Programs
- 21 Profile Components and Syntax
- 21.1 Breaking a AppArmor Profile into Its Parts
- 21.2 Profile Types
- 21.3
#includeStatements - 21.4 Capability Entries (POSIX.1e)
- 21.5 Network Access Control
- 21.6 Paths and Globbing
- 21.7 File Permission Access Modes
- 21.8 Execute Modes
- 21.9 Resource Limit Control
- 21.10 Auditing Rules
- 21.11 Setting Capabilities per Profile
- 22 AppArmor Profile Repositories
- 23 Building and Managing Profiles with YaST
- 24 Building Profiles from the Command Line
- 25 Profiling Your Web Applications Using ChangeHat
- 26 Confining Users with
pam_apparmor - 27 Managing Profiled Applications
- 28 Support
- 29 AppArmor Glossary
- V SELinux
- VI The Linux Audit Framework
- 31 Understanding Linux Audit
- 31.1 Introducing the Components of Linux Audit
- 31.2 Configuring the Audit Daemon
- 31.3 Controlling the Audit System Using auditctl
- 31.4 Passing Parameters to the Audit System
- 31.5 Understanding the Audit Logs and Generating Reports
- 31.6 Querying the Audit Daemon Logs with ausearch
- 31.7 Analyzing Processes with autrace
- 31.8 Visualizing Audit Data
- 31.9 Relaying Audit Event Notifications
- 32 Setting Up the Linux Audit Framework
- 33 Introducing an Audit Rule Set
- 33.1 Adding Basic Audit Configuration Parameters
- 33.2 Adding Watches on Audit Log Files and Configuration Files
- 33.3 Monitoring File System Objects
- 33.4 Monitoring Security Configuration Files and Databases
- 33.5 Monitoring Miscellaneous System Calls
- 33.6 Filtering System Call Arguments
- 33.7 Managing Audit Event Records Using Keys
- 34 Useful Resources
- A GNU Licenses
List of Figures
- 3.1 NIS Server Setup
- 3.2 Master Server Setup
- 3.3 Changing the Directory and Synchronizing Files for a NIS Server
- 3.4 NIS Server Maps Setup
- 3.5 Setting Request Permissions for a NIS Server
- 3.6 Setting Domain and Address of a NIS Server
- 4.1 Structure of an LDAP Directory
- 4.2 YaST LDAP Server Configuration
- 4.3 YaST LDAP Server—New Database
- 4.4 YaST LDAP Server Configuration
- 4.5 YaST LDAP Server Database Configuration
- 4.6 YaST: LDAP Client Configuration
- 4.7 YaST: Advanced Configuration
- 4.8 YaST: Module Configuration
- 4.9 YaST: Configuration of an Object Template
- 4.10 YaST: Additional LDAP Settings
- 4.11 Browsing the LDAP Directory Tree
- 4.12 Browsing the Entry Data
- 5.1 Active Directory Authentication Schema
- 5.2 Determining Windows Domain Membership
- 5.3 Providing Administrator Credentials
- 6.1 Kerberos Network Topology
- 6.2 YaST: Basic Configuration of a Kerberos Client
- 6.3 YaST: Advanced Configuration of a Kerberos Client
- 8.1 YaST Security Center and Hardening - Security Overview
- 9.1 The Main Window (GNOME)
- 10.1 Minimum ACL: ACL Entries Compared to Permission Bits
- 10.2 Extended ACL: ACL Entries Compared to Permission Bits
- 15.1 iptables: A Packet's Possible Paths
- 16.1 Routed VPN
- 16.2 Bridged VPN - Scenario 1
- 16.3 Bridged VPN - Scenario 2
- 16.4 Bridged VPN - Scenario 3
- 17.1 YaST CA Module—Basic Data for a Root CA
- 17.2 YaST CA Module—Using a CA
- 17.3 Certificates of a CA
- 17.4 YaST CA Module—Extended Settings
- 23.1 YaST Controls for AppArmor
- 23.2 Learning Mode Exception: Controlling Access to Specific Resources
- 23.3 Learning Mode Exception: Defining Execute Permissions for an Entry
- 30.1 Selecting all SELinux Packages in YaST2
- 30.2 Get an open source policy package from http://software.opensuse.org
- 31.1 Introducing the Components of Linux Audit
- 31.2 Flow Graph—Program versus System Call Relationship
- 31.3 Bar Chart—Common Event Types
List of Tables
List of Examples
- 2.1 PAM Configuration for sshd (
/etc/pam.d/sshd) - 2.2 Default Configuration for the
authSection (common-auth) - 2.3 Default Configuration for the
accountSection (common-account) - 2.4 Default Configuration for the
passwordSection (common-password) - 2.5 Default Configuration for the
sessionSection (common-session) - 2.6 pam_env.conf
- 4.1 Excerpt from schema.core
- 4.2 An LDIF File
- 4.3 ldapadd with example.ldif
- 4.4 LDIF Data for Tux
- 4.5 Modified LDIF File tux.ldif
- 9.1 An example
/etc/PolicyKit/PolicyKit.conffile - 16.1 VPN Server Configuration File
- 16.2 VPN Client Configuration File
- 19.1 Output of
aa-unconfined - 24.1 Learning Mode Exception: Controlling Access to Specific Resources
- 24.2 Learning Mode Exception: Defining Execute Permissions for an Entry
- 25.1 Example phpsysinfo Hat
- 30.1 Showing security context settings using ls -Z
- 30.2 After labeling the file system you can verify that SELinux is functional using
sestatus -v - 30.3 Use
semanage boolean -lto get a list of Booleans and verify policy access - 30.4 Use
semanage fcontext -lto get file context information - 30.5 The default context for directories in the root directory
- 30.6 Showing SELinux settings for processes
- 30.7 Showing Displaying default file contexts with
semanage fcontext -l - 30.8 The first 20 lines from the
apache.fcfile - 30.9 Example lines from
/etc/audit/audit.log - 30.10 Analyzing audit messages using audit2allow
- 30.11 Using audit2allow to see which lines have denied access
- 30.12 Use audit2allow to create a policy module that will allow the action that was previously denied
- 30.13 The messages that you'll see, just before the system stops, look as follows:
- 31.1 Example output of
auditctl-s - 31.2 Example Audit Rules—Audit System Parameters
- 31.3 Example Audit Rules—File System Auditing
- 31.4 Example Audit Rules—System Call Auditing
- 31.5 Deleting Audit Rules and Events
- 31.6 Listing Rules with
auditctl-l - 31.7 A Simple Audit Event—Viewing the Audit Log
- 31.8 An Advanced Audit Event—Login via SSH
- 31.9 Example /etc/audisp/audispd.conf
- 31.10 Example /etc/audisp/plugins.d/syslog.conf
Copyright © 2006–2020 SUSE LLC and contributors. All rights reserved.
この文書は、GNUフリー文書ライセンスのバージョン1.2または(オプションとして)バージョン1.3の条項に従って、複製、頒布、および/または改変が許可されています。ただし、この著作権表示およびライセンスは変更せずに記載すること。ライセンスバージョン1.2のコピーは、“GNUフリー文書ライセンス”セクションに含まれています。
SUSEおよびNovellの商標については、商標とサービスマークの一覧http://www.novell.com/company/legal/trademarks/tmlist.htmlを参照してください。他のすべての第三者の商標は、各商標権者が所有しています。商標記号(®、™など) は、SUSEまたはNovellの商標を示し、アスタリスク(*)は、サードパーティの商標を示します。
本書のすべての情報は、細心の注意を払って編集されています。しかし、このことは絶対に正確であることを保証するものではありません。SUSE LLC、その関係者、著者、翻訳者のいずれも誤りまたはその結果に対して一切責任を負いかねます。