Part II Local Security #
- 8 Spectre/Meltdown Checker
spectre-meltdown-checker
is a shell script to test if your system is vulnerable to the several speculative execution vulnerabilities that are present in nearly all CPUs manufactured in the past 20 years. This is a hardware flaw that potentially allows an attacker to read all data on the system. On cloud computing services, where multiple virtual machines are on a single physical host, an attacker can gain access to all virtual machines. Fixing these vulnerabilities requires re-designing and replacing CPUs. Until this happens, there are several software patches that mitigate these vulnerabilities. If you have kept your SUSE systems updated, all of these patches should already be installed.spectre-meltdown-checker
generates a detailed report. It is impossible to guarantee that your system is secure, but it shows you which mitigations are in place, and potential vulnerabilities.- 9 Configuring Security Settings with YaST
The YaST module SUSE Linux Enterprise Server. Use it to configure security aspects such as settings for the login procedure and for password creation, for boot permissions, user creation or for default file permissions. Launch it from the YaST control center by › . The dialog always starts with the , and other configuration dialogs are available from the right pane.
offers a central clearinghouse to configure security-related settings for- 10 Authorization with Polkit
Polkit (formerly known as PolicyKit) is an application framework that acts as a negotiator between the unprivileged user session and the privileged system context. Whenever a process from the user session tries to carry out an action in the system context, Polkit is queried. Based on its configuration—specified in a so-called “policy”—the answer could be “yes”, “no”, or “needs authentication”. Unlike classical privilege authorization programs such as sudo, Polkit does not grant
root
permissions to an entire session, but only to the action in question.- 11 Access Control Lists in Linux
POSIX ACLs (access control lists) can be used as an expansion of the traditional permission concept for file system objects. With ACLs, permissions can be defined more flexibly than with the traditional permission concept.
- 12 Encrypting Partitions and Files
Encrypting files, partitions, and entire disks prevents unauthorized access to your data and protects your confidential files and documents.
- 13 Certificate Store
Certificates play an important role in the authentication of companies and individuals. Usually certificates are administered by the application itself. In some cases, it makes sense to share certificates between applications. The certificate store is a common ground for Firefox, Evolution, and NetworkManager. This chapter explains some details.
- 14 Intrusion Detection with AIDE
Securing your systems is a mandatory task for any mission-critical system administrator. Because it is impossible to always guarantee that the system is not compromised, it is very important to do extra checks regularly (for example with
cron
) to ensure that the system is still under your control. This is where AIDE, the Advanced Intrusion Detection Environment, comes into play.