
Guide Security And Hardening - OpenSUSE Documentation


Security and Hardening Guide
openSUSE Leap 15.2

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.

Publication Date: December 16, 2020

SUSE LLC
1800 South Novell Place
Provo, UT 84606
USA
https://documentation.suse.com

Copyright 2006–2020 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Contents

About This Guide

1 Security and Confidentiality
  1.1 Overview
  1.2 Passwords
  1.3 System Integrity
  1.4 File Access
  1.5 Networking
  1.6 Software Vulnerabilities
  1.7 Malware
  1.8 Important Security Tips
  1.9 Reporting Security Issues

2 Common Criteria
  2.1 Introduction
  2.2 Evaluation Assurance Level (EAL)
  2.3 Generic Guiding Principles
  2.4 For More Information

I AUTHENTICATION

3 Authentication with PAM
  3.1 What is PAM?
  3.2 Structure of a PAM Configuration File
  3.3 The PAM Configuration of sshd
  3.4 Configuration of PAM Modules
      pam_env.conf; pam_mount.conf.xml; limits.conf
  3.5 Configuring PAM Using pam-config
  3.6 Manually Configuring PAM
  3.7 For More Information

4 Using NIS
  4.1 Configuring NIS Servers
      Configuring a NIS Master Server; Configuring a NIS Slave Server
  4.2 Configuring NIS Clients

5 Setting Up Authentication Clients Using YaST
  5.1 Configuring an Authentication Client with YaST
  5.2 SSSD
      Checking the Status; Caching

6 LDAP—A Directory Service
  6.1 Structure of an LDAP Directory Tree
  6.2 Installing the Software for 389 Directory Server
  6.3 Manually Configuring a 389 Directory Server
      Creating the 389 Directory Server Instance; Using CA Certificates for TLS; Configuring Admin Credentials for Remote/Local Access; Configuring LDAP Users and Groups; Setting Up SSSD
  6.4 Setting Up a 389 Directory Server with YaST
      Creating a 389 Directory Server Instance with YaST; Configuring an LDAP Client with YaST
  6.5 Manually Administering LDAP Data
  6.6 For More Information

7 Network Authentication with Kerberos
  7.1 Conceptual Overview
  7.2 Kerberos Terminology
  7.3 How Kerberos Works
      First Contact; Requesting a Service; Mutual Authentication; Ticket Granting—Contacting All Servers
  7.4 User View of Kerberos
  7.5 Installing and Administering Kerberos
      Kerberos Network Topology; Choosing the Kerberos Realms; Setting Up the KDC Hardware; Configuring Time Synchronization; Configuring the KDC; Configuring Kerberos Clients; Configuring Remote Kerberos Administration; Creating Kerberos Service Principals; Enabling PAM Support for Kerberos; Configuring SSH for Kerberos Authentication; Using LDAP and Kerberos
  7.6 Setting up Kerberos using LDAP and Kerberos Client
  7.7 Kerberos and NFS
      Group Membership; Performance and Scalability; Master KDC, Multiple Domains, and Trust Relationships
  7.8 For More Information

8 Active Directory Support
  8.1 Integrating Linux and Active Directory Environments
  8.2 Background Information for Linux Active Directory Support
      Domain Join; Domain Login and User Homes; Offline Service and Policy Support
  8.3 Configuring a Linux Client for Active Directory
      Choosing Which YaST Module to Use for Connecting to Active Directory; Joining Active Directory Using User Logon Management; Joining Active Directory Using Windows Domain Membership; Checking Active Directory Connection Status
  8.4 Logging In to an Active Directory Domain
      GDM; Console Login
  8.5 Changing Passwords

9 Setting Up a FreeRADIUS Server
  9.1 Installation and Testing on SUSE Linux Enterprise

II LOCAL SECURITY

10 Physical Security
  10.1 System Locks
  10.2 Locking Down the BIOS
  10.3 Security via the Boot Loaders
  10.4 Retiring Linux Servers with Sensitive Data
      scrub: Disk Overwrite Utility
  10.5 Restricting Access to Removable Media

11 Automatic Security Checks with seccheck
  11.1 Seccheck Timers
  11.2 Enabling Seccheck Timers
  11.3 Daily, Weekly, and Monthly Checks
  11.4 Automatic Logout

12 Software Management
  12.1 Removing Unnecessary Software Packages (RPMs)
  12.2 Patching Linux Systems
      YaST Online Update; Automatic Online Update; Repository Mirroring Tool—RMT; SUSE Manager

13 File Management
  13.1 Disk Partitions
  13.2 Checking File Permissions and Ownership
  13.3 Default umask
  13.4 SUID/SGID Files
  13.5 World-Writable Files
  13.6 Orphaned or Unowned Files

14 Encrypting Partitions and Files
  14.1 Setting Up an Encrypted File System with YaST
      Creating an Encrypted Partition during Installation; Creating an Encrypted Partition on a Running System; Encrypting the Content of Removable Media
  14.2 Encrypting Files with GPG

15 Storage Encryption for Hosted Applications with cryptctl
  15.1 Setting Up a cryptctl Server
  15.2 Setting Up a cryptctl Client
  15.3 Checking Partition Unlock Status Using Server-side Commands
  15.4 Unlocking Encrypted Partitions Manually
  15.5 Maintenance Downtime Procedure
  15.6 For More Information

16 User Management
  16.1 Various Account Checks
      Unlocked Accounts; Unused Accounts
  16.2 Enabling Password Aging
  16.3 Stronger Password Enforcement
  16.4 Password and Login Management with PAM
      Password Strength; Restricting Use of Previous Passwords; Locking User Accounts After Too Many Login Failures
  16.5 Restricting root Logins
      Restricting Local Text Console Logins; Restricting Graphical Session Logins; Restricting SSH Logins
  16.6 Setting an Inactivity Timeout for Interactive Shell Sessions
  16.7 Preventing Accidental Denial of Service
      Example for Restricting System Resources
  16.8 Displaying Login Banners
  16.9 Connection Accounting Utilities

17 Spectre/Meltdown Checker
  17.1 Using spectre-meltdown-checker
  17.2 Additional Information about Spectre/Meltdown

18 Configuring Security Settings with YaST
  18.1 Security Overview
  18.2 Predefined Security Configurations
  18.3 Password Settings
  18.4 Boot Settings
  18.5 Login Settings
  18.6 User Addition
  18.7 Miscellaneous Settings

19 Authorization with PolKit
  19.1 Conceptual Overview
      Available Authentication Agents; Structure of PolKit; Available Commands; Available Policies and Supported Applications
  19.2 Authorization Types
      Implicit Privileges; Explicit Privileges; Default Privileges
  19.3 Querying Privileges
  19.4 Modifying Configuration Files
      Adding Action Rules; Adding Authorization Rules; Modifying Configuration Files for Implicit Privileges
  19.5 Restoring the Default Privileges

20 Access Control Lists in Linux
  20.1 Traditional File Permissions
      The setuid Bit; The setgid Bit; The Sticky Bit
  20.2 Advantages of ACLs
  20.3 Definitions
  20.4 Handling ACLs
      ACL Entries and File Mode Permission Bits; A Directory with an ACL; A Directory with a Default ACL; The ACL Check Algorithm
  20.5 ACL Support in Applications
  20.6 For More Information

21 Certificate Store
  21.1 Activating Certificate Store
  21.2 Importing Certificates

22 Intrusion Detection with AIDE
  22.1 Why Use AIDE?
  22.2 Setting Up an AIDE Database
  22.3 Local AIDE Checks
  22.4 System Independent Checking
  22.5 For More Information

III NETWORK SECURITY

23 X Window System and X Authentication

24 SSH: Secure Network Operations
  24.1 ssh—Secure Shell
      Starting X Applications on a Remote Host; Agent Forwarding
  24.2 scp—Secure Copy
  24.3 sftp—Secure File Transfer
      Using sftp; Setting Permissions for File Uploads
  24.4 The SSH Daemon (sshd)
      Maintaining SSH Keys; Rotating Host Keys
  24.5 SSH Authentication Mechanisms
      Generating an SSH Key; Copying an SSH Key; Using the ssh-agent
  24.6 Port Forwarding
  24.7 Adding and Removing Public Keys on an Installed System
  24.8 For More Information

25 Masquerading and Firewalls
  25.1 Packet Filtering with iptables
  25.2 Masquerading Basics
  25.3 Firewalling Basics
  25.4 firewalld
      Configuring the Firewall on the Command Line; Accessing Services Listening on Dynamic Ports
  25.5 Migrating from SuSEfirewall2
  25.6 For More Information

26 Configuring a VPN Server
  26.1 Conceptual Overview
      Terminology; VPN Scenarios
  26.2 Setting Up a Simple Test Scenario
      Configuring the VPN Server; Configuring the VPN Clients; Testing the VPN Example Scenario
  26.3 Setting Up Your VPN Server Using a Certificate Authority
      Creating Certificates; Configuring the VPN Server; Configuring the VPN Clients
  26.4 Setting Up a VPN Server or Client Using YaST
  26.5 For More Information

IV CONFINING PRIVILEGES WITH APPARMOR

27 Introducing AppArmor
  27.1 AppArmor Components
  27.2 Background Information on AppArmor Profiling

28 Getting Started
  28.1 Installing AppArmor
  28.2 Enabling and Disabling AppArmor
  28.3 Choosing Applications to Profile
  28.4 Building and Modifying Profiles
  28.5 Updating Your Profiles

29 Immunizing Programs
  29.1 Introducing the AppArmor Framework
  29.2 Determining Programs to Immunize
  29.3 Immunizing cron Jobs
  29.4 Immunizing Network Applications
      Immunizing Web Applications; Immunizing Network Agents

30 Profile Components and Syntax
  30.1 Breaking an AppArmor Profile into Its Parts
  30.2 Profile Types
      Standard Profiles; Unattached Profiles; Local Profiles; Hats; Change rules
  30.3 Include Statements
      Abstractions; Program Chunks; Tunables
  30.4 Capability Entries (POSIX.1e)
  30.5 Network Access Control
  30.6 Profile Names, Flags, Paths, and Globbing
      Profile Flags; Using Variables in Profiles; Pattern Matching; Namespaces; Profile Naming and Attachment Specification; Alias Rules
  30.7 File Permission Access Modes
      Read Mode (r); Write Mode (w); Append Mode (a); File Locking Mode (k); Link Mode (l); Link Pair; Optional allow and file Rules; Owner Conditional Rules; Deny Rules
  30.8 Mount Rules
  30.9 Pivot Root Rules
  30.10 PTrace Rules
  30.11 Signal Rules
  30.12 Execute Modes
      Discrete Profile Execute Mode (Px); Discrete Local Profile Execute Mode (Cx); Unconfined Execute Mode (Ux); Unsafe Exec Modes; Inherit Execute Mode (ix); Allow Executable Mapping (m); Named Profile Transitions; Fallback Modes for Profile Transitions; Variable Settings in Execution Modes; safe and unsafe Keywords
  30.13 Resource Limit Control
  30.14 Auditing Rules

31 AppArmor Profile Repositories

32 Building and Managing Profiles with YaST
  32.1 Manually Adding a Profile
  32.2 Editing Profiles
      Adding an Entry; Editing an Entry; Deleting an Entry
  32.3 Deleting a Profile
  32.4 Managing AppArmor
      Changing AppArmor Status; Changing the Mode of Individual Profiles

33 Building Profiles from the Command Line
  33.1 Checking the AppArmor Status
  33.2 Building AppArmor Profiles
  33.3 Adding or Creating an AppArmor Profile
  33.4 Editing an AppArmor Profile
  33.5 Unloading Unknown AppArmor Profiles
  33.6 Deleting an AppArmor Profile
  33.7 Two Methods of Profiling
      Stand-Alone Profiling; Systemic Profiling; Summary of Profiling Tools
  33.8 Important File Names and Directories

34 Profiling Your Web Applications Using ChangeHat
  34.1 Configuring Apache for mod_apparmor
      Virtual Host Directives; Location and Directory Directives
  34.2 Managing ChangeHat-Aware Applications
      With AppArmor's Command Line Tools; Adding Hats and Entries to Hats in YaST

35 Confining Users with pam_apparmor

36 Managing Profiled Applications
  36.1 Reacting to Security Event Rejections
  36.2 Maintaining Your Security Profiles
      Backing Up Your Security Profiles; Changing Your Security Profiles; Introducing New Software into Your Environment

37 Support
  37.1 Updating AppArmor Online
  37.2 Using the Man Pages
  37.3 For More Information
  37.4 Troubleshooting
      How to React to odd Application Behavior?; My Profiles Do not Seem to Work Anymore; Resolving Issues with Apache; How to Exclude Certain Profiles from the List of Profiles Used?; Can I Manage Profiles for Applications not Installed on my System?; How to Spot and Fix AppArmor Syntax Errors
  37.5 Reporting Bugs for AppArmor

38 AppArmor Glossary

V SELINUX

39 Configuring SELinux
  39.1 Why Use SELinux?
      Support Status; Understanding SELinux Components
  39.2 Policy
  39.3 Installing SELinux Packages and Modifying GRUB 2
  39.4 SELinux Policy
  39.5 Configuring SELinux
  39.6 Managing SELinux
      Viewing the Security Context; Selecting the SELinux Mode; Modifying SELinux Context Types; Applying File Contexts; Configuring SELinux Policies; Working with SELinux Modules
  39.7 Troubleshooting

VI THE LINUX AUDIT FRAMEWORK

40 Understanding Linux Audit
  40.1 Introducing the Components of Linux Audit
  40.2 Configuring the Audit Daemon
  40.3 Controlling the Audit System Using auditctl
  40.4 Passing Parameters to the Audit System
  40.5 Understanding the Audit Logs and Generating Reports
      Understanding the Audit Logs; Generating Custom Audit Reports
  40.6 Querying the Audit Daemon Logs with ausearch
  40.7 Analyzing Processes with autrace
  40.8 Visualizing Audit Data
  40.9 Relaying Audit Event Notifications

41 Setting Up the Linux Audit Framework
  41.1 Determining the Components to Audit
  41.2 Configuring the Audit Daemon
  41.3 Enabling Audit for System Calls
  41.4 Setting Up Audit Rules
  41.5 Configuring Audit Reports
  41.6 Configuring Log Visualization

42 Introducing an Audit Rule Set
  42.1 Adding Basic Audit Configuration Parameters
  42.2 Adding Watches on Audit Log Files and Configuration Files
  42.3 Monitoring File System Objects
  42.4 Monitoring Security Configuration Files and Databases
  42.5 Monitoring Miscellaneous System Calls
  42.6 Filtering System Call Arguments
  42.7 Managing Audit Event Records Using Keys

43 Useful Resources

A GNU Licenses
  A.1 GNU Free Documentation License

About This Guide

This manual introduces the basic concepts of system security on openSUSE Leap. It covers extensive documentation about the authentication mechanisms available on Linux, such as NIS or LDAP. It deals with aspects of local security like access control lists, encryption and intrusion detection. In the network security part you learn how to secure computers with firewalls and masquerading, and how to set up virtual private networks (VPN). This manual shows how to use security software like AppArmor (which lets you specify per program which files the program may read, write, and execute) or the auditing system that collects information about security-relevant events.

1 Available Documentation

Note: Online Documentation and Latest Updates
Documentation for our products is available at http://doc.opensuse.org/ , where you can also find the latest updates, and browse or download the documentation in various formats. The latest documentation updates are usually available in the English version of the documentation.

The following documentation is available for this product:

Book “Start-Up”
  This manual will see you through your initial contact with openSUSE Leap. Check out the various parts of this manual to learn how to install, use and enjoy your system.

Book “Reference”
  Covers system administration tasks like maintaining, monitoring and customizing an initially installed system.

Book “Virtualization Guide”
  Describes virtualization technology in general, and introduces libvirt—the unified interface to virtualization—and detailed information on specific hypervisors.

Book “AutoYaST Guide”
  AutoYaST is a system for unattended mass deployment of openSUSE Leap systems using an AutoYaST profile containing installation and configuration data. The manual guides you through the basic steps of auto-installation: preparation, installation, and configuration.

Security and Hardening Guide
  Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.

Book “System Analysis and Tuning Guide”
  An administrator's guide for problem detection, resolution and optimization. Find how to inspect and optimize your system by means of monitoring tools and how to efficiently manage resources. Also contains an overview of common problems and solutions and of additional help and documentation resources.

Book “GNOME User Guide”
  Introduces the GNOME desktop of openSUSE Leap. It guides you through using and configuring the desktop and helps you perform key tasks. It is intended mainly for end users who want to make efficient use of GNOME as their default desktop.

The release notes for this product are available at https://www.suse.com/releasenotes/ .

2 Giving Feedback

Your feedback and contributions to this documentation are welcome! Several channels are available:

Bug Reports
  Report issues with the documentation at https://bugzilla.opensuse.org/ . To simplify this process, you can use the Report Documentation Bug links next to headlines in the HTML version of this document. These preselect the right product and category in Bugzilla and add a link to the current section. You can start typing your bug report right away. A Bugzilla account is required.

Contributions
  To contribute to this documentation, use the Edit Source links next to headlines in the HTML version of this document. They take you to the source code on GitHub, where you can open a pull request. A GitHub account is vironment used for this documentation, see the repository's README E.adoc).

Mail
  Alternatively, you can report errors and send feedback concerning the documentation to doc-team@suse.com . Make sure to include the document title, the
