Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
SUSE Linux Enterprise Server 15

Security and Hardening Guide

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.

Publication Date: September 16, 2021
About This Guide
Available Documentation
Giving Feedback
Documentation Conventions
Product Life Cycle and Support
1 Security and Confidentiality
1.1 Overview
1.2 Passwords
1.3 Backups
1.4 System Integrity
1.5 File Access
1.6 Networking
1.7 Software Vulnerabilities
1.8 Malware
1.9 Important Security Tips
1.10 Reporting Security Issues
2 Common Criteria
2.1 Introduction
2.2 Evaluation Assurance Level (EAL)
2.3 Generic Guiding Principles
2.4 For More Information
I Authentication
3 Authentication with PAM
3.1 What is PAM?
3.2 Structure of a PAM Configuration File
3.3 The PAM Configuration of sshd
3.4 Configuration of PAM Modules
3.5 Configuring PAM Using pam-config
3.6 Manually Configuring PAM
3.7 For More Information
4 Using NIS
4.1 Configuring NIS Servers
4.2 Configuring NIS Clients
5 Setting Up Authentication Clients Using YaST
5.1 Configuring an Authentication Client with YaST
5.2 SSSD
6 LDAP—A Directory Service
6.1 Structure of an LDAP Directory Tree
6.2 Installing the Software for 389 Directory Server
6.3 Manually Configuring a 389 Directory Server
6.4 Setting Up a 389 Directory Server with YaST
6.5 Manually Administering LDAP Data
6.6 For More Information
7 Network Authentication with Kerberos
7.1 Conceptual Overview
7.2 Kerberos Terminology
7.3 How Kerberos Works
7.4 User View of Kerberos
7.5 Installing and Administering Kerberos
7.6 Setting up Kerberos using LDAP and Kerberos Client
7.7 Kerberos and NFS
7.8 For More Information
8 Active Directory Support
8.1 Integrating Linux and Active Directory Environments
8.2 Background Information for Linux Active Directory Support
8.3 Configuring a Linux Client for Active Directory
8.4 Logging In to an Active Directory Domain
8.5 Changing Passwords
9 Setting Up a FreeRADIUS Server
9.1 Installation and Testing on SUSE Linux Enterprise
II Local Security
10 Physical Security
10.1 System Locks
10.2 Locking Down the BIOS
10.3 Security via the Boot Loaders
10.4 Retiring Linux Servers with Sensitive Data
10.5 Restricting Access to Removable Media
11 Automatic Security Checks with seccheck
11.1 Seccheck Timers
11.2 Enabling Seccheck Timers
11.3 Daily, Weekly, and Monthly Checks
11.4 Automatic Logout
12 Software Management
12.1 Removing Unnecessary Software Packages (RPMs)
12.2 Patching Linux Systems
13 File Management
13.1 Disk Partitions
13.2 Checking File Permissions and Ownership
13.3 Default umask
13.4 SUID/SGID Files
13.5 World-Writable Files
13.6 Orphaned or Unowned Files
14 Encrypting Partitions and Files
14.1 Setting Up an Encrypted File System with YaST
14.2 Encrypting Files with GPG
15 User Management
15.1 Various Account Checks
15.2 Enabling Password Aging
15.3 Stronger Password Enforcement
15.4 Password and Login Management with PAM
15.5 Restricting root Logins
15.6 Setting an Inactivity Timeout for Interactive Shell Sessions
15.7 Preventing Accidental Denial of Service
15.8 Displaying Login Banners
15.9 Connection Accounting Utilities
16 Configuring Security Settings with YaST
16.1 Security Overview
16.2 Predefined Security Configurations
16.3 Password Settings
16.4 Boot Settings
16.5 Login Settings
16.6 User Addition
16.7 Miscellaneous Settings
17 Authorization with PolKit
17.1 Conceptual Overview
17.2 Authorization Types
17.3 Querying Privileges
17.4 Modifying Configuration Files
17.5 Restoring the Default Privileges
18 Access Control Lists in Linux
18.1 Traditional File Permissions
18.2 Advantages of ACLs
18.3 Definitions
18.4 Handling ACLs
18.5 ACL Support in Applications
18.6 For More Information
19 Certificate Store
19.1 Activating Certificate Store
19.2 Importing Certificates
20 Intrusion Detection with AIDE
20.1 Why Use AIDE?
20.2 Setting Up an AIDE Database
20.3 Local AIDE Checks
20.4 System Independent Checking
20.5 For More Information
III Network Security
21 X Window System and X Authentication
22 SSH: Secure Network Operations
22.1 ssh—Secure Shell
22.2 scp—Secure Copy
22.3 sftp—Secure File Transfer
22.4 The SSH Daemon (sshd)
22.5 SSH Authentication Mechanisms
22.6 Port Forwarding
22.7 For More Information
23 Masquerading and Firewalls
23.1 Packet Filtering with iptables
23.2 Masquerading Basics
23.3 Firewalling Basics
23.4 firewalld
23.5 Migrating From SuSEfirewall2
23.6 For More Information
24 Configuring a VPN Server
24.1 Conceptual Overview
24.2 Setting Up a Simple Test Scenario
24.3 Setting Up Your VPN Server Using a Certificate Authority
24.4 Setting Up a VPN Server or Client Using YaST
24.5 For More Information
25 Enabling FIPS 140-2
25.1 Enabling FIPS
IV Confining Privileges with AppArmor
26 Introducing AppArmor
26.1 AppArmor Components
26.2 Background Information on AppArmor Profiling
27 Getting Started
27.1 Installing AppArmor
27.2 Enabling and Disabling AppArmor
27.3 Choosing Applications to Profile
27.4 Building and Modifying Profiles
27.5 Updating Your Profiles
28 Immunizing Programs
28.1 Introducing the AppArmor Framework
28.2 Determining Programs to Immunize
28.3 Immunizing cron Jobs
28.4 Immunizing Network Applications
29 Profile Components and Syntax
29.1 Breaking an AppArmor Profile into Its Parts
29.2 Profile Types
29.3 Include Statements
29.4 Capability Entries (POSIX.1e)
29.5 Network Access Control
29.6 Profile Names, Flags, Paths, and Globbing
29.7 File Permission Access Modes
29.8 Mount Rules
29.9 Pivot Root Rules
29.10 PTrace Rules
29.11 Signal Rules
29.12 Execute Modes
29.13 Resource Limit Control
29.14 Auditing Rules
30 AppArmor Profile Repositories
31 Building and Managing Profiles with YaST
31.1 Manually Adding a Profile
31.2 Editing Profiles
31.3 Deleting a Profile
31.4 Managing AppArmor
32 Building Profiles from the Command Line
32.1 Checking the AppArmor Status
32.2 Building AppArmor Profiles
32.3 Adding or Creating an AppArmor Profile
32.4 Editing an AppArmor Profile
32.5 Unloading Unknown AppArmor Profiles
32.6 Deleting an AppArmor Profile
32.7 Two Methods of Profiling
32.8 Important File Names and Directories
33 Profiling Your Web Applications Using ChangeHat
33.1 Configuring Apache for mod_apparmor
33.2 Managing ChangeHat-Aware Applications
34 Confining Users with pam_apparmor
35 Managing Profiled Applications
35.1 Reacting to Security Event Rejections
35.2 Maintaining Your Security Profiles
36 Support
36.1 Updating AppArmor Online
36.2 Using the Man Pages
36.3 For More Information
36.4 Troubleshooting
36.5 Reporting Bugs for AppArmor
37 AppArmor Glossary
V SELinux
38 Configuring SELinux
38.1 Why Use SELinux?
38.2 Installing SELinux Packages and Modifying GRUB 2
38.3 SELinux Policy
38.4 Configuring SELinux
38.5 Managing SELinux
38.6 Troubleshooting
VI The Linux Audit Framework
39 Understanding Linux Audit
39.1 Introducing the Components of Linux Audit
39.2 Configuring the Audit Daemon
39.3 Controlling the Audit System Using auditctl
39.4 Passing Parameters to the Audit System
39.5 Understanding the Audit Logs and Generating Reports
39.6 Querying the Audit Daemon Logs with ausearch
39.7 Analyzing Processes with autrace
39.8 Visualizing Audit Data
39.9 Relaying Audit Event Notifications
40 Setting Up the Linux Audit Framework
40.1 Determining the Components to Audit
40.2 Configuring the Audit Daemon
40.3 Enabling Audit for System Calls
40.4 Setting Up Audit Rules
40.5 Configuring Audit Reports
40.6 Configuring Log Visualization
41 Introducing an Audit Rule Set
41.1 Adding Basic Audit Configuration Parameters
41.2 Adding Watches on Audit Log Files and Configuration Files
41.3 Monitoring File System Objects
41.4 Monitoring Security Configuration Files and Databases
41.5 Monitoring Miscellaneous System Calls
41.6 Filtering System Call Arguments
41.7 Managing Audit Event Records Using Keys
42 Useful Resources
A Achieving PCI DSS Compliance
A.1 What Is the PCI DSS?
A.2 Focus of This Document: Areas Relevant to the Operating System
A.3 Requirements in Detail
B GNU Licenses
B.1 GNU Free Documentation License
List of Examples
3.1 PAM Configuration for sshd (/etc/pam.d/sshd)
3.2 Default Configuration for the auth Section (common-auth)
3.3 Default Configuration for the account Section (common-account)
3.4 Default Configuration for the password Section (common-password)
3.5 Default Configuration for the session Section (common-session)
3.6 pam_env.conf
6.1 Excerpt from CN=schema
6.2 Basic Instance Configuration File
6.3 A .dsrc File for Remote Administration
6.4 A .dsrc File for Local Administration
7.1 Example KDC Configuration, /etc/krb5.conf
23.1 Callback Port Configuration for the nfs Kernel Module in /etc/modprobe.d/60-nfs.conf
23.2 Commands to Define a new firewalld RPC Service for NFS
24.1 VPN Server Configuration File
24.2 VPN Client Configuration File
27.1 Output of aa-unconfined
32.1 Learning Mode Exception: Controlling Access to Specific Resources
32.2 Learning Mode Exception: Defining Permissions for an Entry
38.1 Verifying that SELinux is functional
38.2 Getting a List of Booleans and Verifying Policy Access
38.3 Getting File Context Information
38.4 The default context for directories in the root directory
38.5 Showing SELinux settings for processes with ps Zaux
38.6 Viewing Default File Contexts
38.7 Example Lines from /etc/audit/audit.log
38.8 Analyzing Audit Messages
38.9 Viewing Which Lines Deny Access
38.10 Creating a Policy Module Allowing an Action Previously Denied
39.1 Example output of auditctl -s
39.2 Example Audit Rules—Audit System Parameters
39.3 Example Audit Rules—File System Auditing
39.4 Example Audit Rules—System Call Auditing
39.5 Deleting Audit Rules and Events
39.6 Listing Rules with auditctl -l
39.7 A simple audit event—viewing the audit log
39.8 An Advanced Audit Event—Login via SSH
39.9 Example /etc/audisp/audispd.conf
39.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Print this page