Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
SUSE Linux Enterprise Server 15

Security and Hardening Guide

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.

Publication Date: November 24, 2020
About This Guide
Available Documentation
Giving Feedback
Documentation Conventions
Product Life Cycle and Support
1 Security and Confidentiality
1.1 Overview
1.2 Passwords
1.3 Backups
1.4 System Integrity
1.5 File Access
1.6 Networking
1.7 Software Vulnerabilities
1.8 Malware
1.9 Important Security Tips
1.10 Reporting Security Issues
2 Common Criteria
2.1 Introduction
2.2 Evaluation Assurance Level (EAL)
2.3 Generic Guiding Principles
2.4 For More Information
I Authentication
3 Authentication with PAM
3.1 What is PAM?
3.2 Structure of a PAM Configuration File
3.3 The PAM Configuration of sshd
3.4 Configuration of PAM Modules
3.5 Configuring PAM Using pam-config
3.6 Manually Configuring PAM
3.7 For More Information
4 Using NIS
4.1 Configuring NIS Servers
4.2 Configuring NIS Clients
5 Setting Up Authentication Clients Using YaST
5.1 Configuring an Authentication Client with YaST
5.2 SSSD
6 LDAP—A Directory Service
6.1 Structure of an LDAP Directory Tree
6.2 Installing the Software for 389 Directory Server
6.3 Manually Configuring a 389 Directory Server
6.4 Setting Up a 389 Directory Server with YaST
6.5 Manually Administering LDAP Data
6.6 For More Information
7 Network Authentication with Kerberos
7.1 Conceptual Overview
7.2 Kerberos Terminology
7.3 How Kerberos Works
7.4 User View of Kerberos
7.5 Installing and Administering Kerberos
7.6 Setting up Kerberos using LDAP and Kerberos Client
7.7 Kerberos and NFS
7.8 For More Information
8 Active Directory Support
8.1 Integrating Linux and Active Directory Environments
8.2 Background Information for Linux Active Directory Support
8.3 Configuring a Linux Client for Active Directory
8.4 Logging In to an Active Directory Domain
8.5 Changing Passwords
9 Setting Up a FreeRADIUS Server
9.1 Installation and Testing on SUSE Linux Enterprise
II Local Security
10 Physical Security
10.1 System Locks
10.2 Locking Down the BIOS
10.3 Security via the Boot Loaders
10.4 Retiring Linux Servers with Sensitive Data
10.5 Restricting Access to Removable Media
11 Automatic Security Checks with seccheck
11.1 Seccheck Timers
11.2 Enabling Seccheck Timers
11.3 Daily, Weekly, and Monthly Checks
11.4 Automatic Logout
12 Software Management
12.1 Removing Unnecessary Software Packages (RPMs)
12.2 Patching Linux Systems
13 File Management
13.1 Disk Partitions
13.2 Checking File Permissions and Ownership
13.3 Default umask
13.4 SUID/SGID Files
13.5 World-Writable Files
13.6 Orphaned or Unowned Files
14 Encrypting Partitions and Files
14.1 Setting Up an Encrypted File System with YaST
14.2 Encrypting Files with GPG
15 User Management
15.1 Various Account Checks
15.2 Enabling Password Aging
15.3 Stronger Password Enforcement
15.4 Password and Login Management with PAM
15.5 Restricting root Logins
15.6 Setting an Inactivity Timeout for Interactive Shell Sessions
15.7 Preventing Accidental Denial of Service
15.8 Displaying Login Banners
15.9 Connection Accounting Utilities
16 Configuring Security Settings with YaST
16.1 Security Overview
16.2 Predefined Security Configurations
16.3 Password Settings
16.4 Boot Settings
16.5 Login Settings
16.6 User Addition
16.7 Miscellaneous Settings
17 Authorization with PolKit
17.1 Conceptual Overview
17.2 Authorization Types
17.3 Querying Privileges
17.4 Modifying Configuration Files
17.5 Restoring the Default Privileges
18 Access Control Lists in Linux
18.1 Traditional File Permissions
18.2 Advantages of ACLs
18.3 Definitions
18.4 Handling ACLs
18.5 ACL Support in Applications
18.6 For More Information
19 Certificate Store
19.1 Activating Certificate Store
19.2 Importing Certificates
20 Intrusion Detection with AIDE
20.1 Why Use AIDE?
20.2 Setting Up an AIDE Database
20.3 Local AIDE Checks
20.4 System Independent Checking
20.5 For More Information
III Network Security
21 X Window System and X Authentication
22 SSH: Secure Network Operations
22.1 ssh—Secure Shell
22.2 scp—Secure Copy
22.3 sftp—Secure File Transfer
22.4 The SSH Daemon (sshd)
22.5 SSH Authentication Mechanisms
22.6 Port Forwarding
22.7 For More Information
23 Masquerading and Firewalls
23.1 Packet Filtering with iptables
23.2 Masquerading Basics
23.3 Firewalling Basics
23.4 firewalld
23.5 Migrating From SuSEfirewall2
23.6 For More Information
24 Configuring a VPN Server
24.1 Conceptual Overview
24.2 Setting Up a Simple Test Scenario
24.3 Setting Up Your VPN Server Using a Certificate Authority
24.4 Setting Up a VPN Server or Client Using YaST
24.5 For More Information
IV Confining Privileges with AppArmor
25 Introducing AppArmor
25.1 AppArmor Components
25.2 Background Information on AppArmor Profiling
26 Getting Started
26.1 Installing AppArmor
26.2 Enabling and Disabling AppArmor
26.3 Choosing Applications to Profile
26.4 Building and Modifying Profiles
26.5 Updating Your Profiles
27 Immunizing Programs
27.1 Introducing the AppArmor Framework
27.2 Determining Programs to Immunize
27.3 Immunizing cron Jobs
27.4 Immunizing Network Applications
28 Profile Components and Syntax
28.1 Breaking an AppArmor Profile into Its Parts
28.2 Profile Types
28.3 Include Statements
28.4 Capability Entries (POSIX.1e)
28.5 Network Access Control
28.6 Profile Names, Flags, Paths, and Globbing
28.7 File Permission Access Modes
28.8 Mount Rules
28.9 Pivot Root Rules
28.10 PTrace Rules
28.11 Signal Rules
28.12 Execute Modes
28.13 Resource Limit Control
28.14 Auditing Rules
29 AppArmor Profile Repositories
30 Building and Managing Profiles with YaST
30.1 Manually Adding a Profile
30.2 Editing Profiles
30.3 Deleting a Profile
30.4 Managing AppArmor
31 Building Profiles from the Command Line
31.1 Checking the AppArmor Status
31.2 Building AppArmor Profiles
31.3 Adding or Creating an AppArmor Profile
31.4 Editing an AppArmor Profile
31.5 Unloading Unknown AppArmor Profiles
31.6 Deleting an AppArmor Profile
31.7 Two Methods of Profiling
31.8 Important File Names and Directories
32 Profiling Your Web Applications Using ChangeHat
32.1 Configuring Apache for mod_apparmor
32.2 Managing ChangeHat-Aware Applications
33 Confining Users with pam_apparmor
34 Managing Profiled Applications
34.1 Reacting to Security Event Rejections
34.2 Maintaining Your Security Profiles
35 Support
35.1 Updating AppArmor Online
35.2 Using the Man Pages
35.3 For More Information
35.4 Troubleshooting
35.5 Reporting Bugs for AppArmor
36 AppArmor Glossary
V SELinux
37 Configuring SELinux
37.1 Why Use SELinux?
37.2 Policy
37.3 Installing SELinux Packages and Modifying GRUB 2
37.4 SELinux Policy
37.5 Configuring SELinux
37.6 Managing SELinux
37.7 Troubleshooting
VI The Linux Audit Framework
38 Understanding Linux Audit
38.1 Introducing the Components of Linux Audit
38.2 Configuring the Audit Daemon
38.3 Controlling the Audit System Using auditctl
38.4 Passing Parameters to the Audit System
38.5 Understanding the Audit Logs and Generating Reports
38.6 Querying the Audit Daemon Logs with ausearch
38.7 Analyzing Processes with autrace
38.8 Visualizing Audit Data
38.9 Relaying Audit Event Notifications
39 Setting Up the Linux Audit Framework
39.1 Determining the Components to Audit
39.2 Configuring the Audit Daemon
39.3 Enabling Audit for System Calls
39.4 Setting Up Audit Rules
39.5 Configuring Audit Reports
39.6 Configuring Log Visualization
40 Introducing an Audit Rule Set
40.1 Adding Basic Audit Configuration Parameters
40.2 Adding Watches on Audit Log Files and Configuration Files
40.3 Monitoring File System Objects
40.4 Monitoring Security Configuration Files and Databases
40.5 Monitoring Miscellaneous System Calls
40.6 Filtering System Call Arguments
40.7 Managing Audit Event Records Using Keys
41 Useful Resources
A Achieving PCI-DSS Compliance
A.1 What Is the PCI-DSS?
A.2 Focus of This Document: Areas Relevant to the Operating System
A.3 Requirements in Detail
B GNU Licenses
B.1 GNU Free Documentation License
List of Examples
3.1 PAM Configuration for sshd (/etc/pam.d/sshd)
3.2 Default Configuration for the auth Section (common-auth)
3.3 Default Configuration for the account Section (common-account)
3.4 Default Configuration for the password Section (common-password)
3.5 Default Configuration for the session Section (common-session)
3.6 pam_env.conf
6.1 Excerpt from CN=schema
6.2 Basic Instance Configuration File
6.3 A .dsrc File for Remote Administration
6.4 A .dsrc File for Local Administration
7.1 Example KDC Configuration, /etc/krb5.conf
23.1 Callback Port Configuration for the nfs Kernel Module in /etc/modprobe.d/60-nfs.conf
23.2 Commands to Define a new firewalld RPC Service for NFS
24.1 VPN Server Configuration File
24.2 VPN Client Configuration File
26.1 Output of aa-unconfined
31.1 Learning Mode Exception: Controlling Access to Specific Resources
31.2 Learning Mode Exception: Defining Permissions for an Entry
37.1 Security Context Settings Using ls -Z
37.2 Verifying that SELinux is functional
37.3 Getting a List of Booleans and Verifying Policy Access
37.4 Getting File Context Information
37.5 The default context for directories in the root directory
37.6 Showing SELinux settings for processes with ps Zaux
37.7 Viewing Default File Contexts
37.8 Example Lines from /etc/audit/audit.log
37.9 Analyzing Audit Messages
37.10 Viewing Which Lines Deny Access
37.11 Creating a Policy Module Allowing an Action Previously Denied
38.1 Example output of auditctl -s
38.2 Example Audit Rules—Audit System Parameters
38.3 Example Audit Rules—File System Auditing
38.4 Example Audit Rules—System Call Auditing
38.5 Deleting Audit Rules and Events
38.6 Listing Rules with auditctl -l
38.7 A Simple Audit Event—Viewing the Audit Log
38.8 An Advanced Audit Event—Login via SSH
38.9 Example /etc/audisp/audispd.conf
38.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006– 2020 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Print this page