Red Hat Enterprise Linux 6 - Free Download PDF


Red Hat Enterprise Linux 6
Security Guide
A Guide to Securing Red Hat Enterprise Linux
Last Updated: 2020-11-26

Red Hat Enterprise Linux 6 Security Guide
A Guide to Securing Red Hat Enterprise Linux

Mirek Jahoda, Red Hat Customer Content Services, [email protected]
Robert Krátký, Red Hat Customer Content Services
Martin Prpič, Red Hat Customer Content Services
Tomáš Čapek, Red Hat Customer Content Services
Stephen Wadeley, Red Hat Customer Content Services
Yoana Ruseva, Red Hat Customer Content Services
Miroslav Svoboda, Red Hat Customer Content Services

Legal Notice

Copyright 2017 Red Hat, Inc.

This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Java is a registered trademark of Oracle and/or its affiliates.

XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract

This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation and malicious activity. Focused on Red Hat Enterprise Linux but detailing concepts and techniques valid for all Linux systems, this guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.

Table of Contents

CHAPTER 1. SECURITY OVERVIEW
  1.1. INTRODUCTION TO SECURITY
    1.1.1. What is Computer Security?
      1.1.1.1. How did Computer Security come about?
      1.1.1.2. Security Today
      1.1.1.3. Standardizing Security
    1.1.2. SELinux
    1.1.3. Security Controls
      1.1.3.1. Physical Controls
      1.1.3.2. Technical Controls
      1.1.3.3. Administrative Controls
    1.1.4. Conclusion
  1.2. VULNERABILITY ASSESSMENT
    1.2.1. Thinking Like the Enemy
    1.2.2. Defining Assessment and Testing
      1.2.2.1. Establishing a Methodology
    1.2.3. Evaluating the Tools
      1.2.3.1. Scanning Hosts with Nmap
        1.2.3.1.1. Using Nmap
      1.2.3.2. Nessus
      1.2.3.3. Nikto
      1.2.3.4. Anticipating Your Future Needs
  1.3. SECURITY THREATS
    1.3.1. Threats to Network Security
      1.3.1.1. Insecure Architectures
        1.3.1.1.1. Broadcast Networks
        1.3.1.1.2. Centralized Servers
    1.3.2. Threats to Server Security
      1.3.2.1. Unused Services and Open Ports
      1.3.2.2. Inattentive Administration
      1.3.2.3. Inherently Insecure Services
    1.3.3. Threats to Workstation and Home PC Security
      1.3.3.1. Bad Passwords
      1.3.3.2. Vulnerable Client Applications
  1.4. COMMON EXPLOITS AND ATTACKS
  1.5. SECURITY UPDATES
    1.5.1. Updating Packages
    1.5.2. Verifying Signed Packages
    1.5.3. Installing Signed Packages
    1.5.4. Applying the Changes

CHAPTER 2. SECURING YOUR NETWORK
  2.1. WORKSTATION SECURITY
    2.1.1. Evaluating Workstation Security
    2.1.2. BIOS and Boot Loader Security
      2.1.2.1. BIOS Passwords
        2.1.2.1.1. Securing Non-x86 Platforms
      2.1.2.2. Boot Loader Passwords
        2.1.2.2.1. Password Protecting GRUB
        2.1.2.2.2. Disabling Interactive Startup
    2.1.3. Password Security
      2.1.3.1. Creating Strong Passwords
    2.1.4. Creating User Passwords Within an Organization
      2.1.4.1. Forcing Strong Passwords
      2.1.4.2. Passphrases
      2.1.4.3. Password Aging
    2.1.5. Locking Inactive Accounts
    2.1.6. Customizing Access Control
    2.1.7. Time-based Restriction of Access
    2.1.8. Applying Account Limits
    2.1.9. Administrative Controls
      2.1.9.1. Allowing Root Access
      2.1.9.2. Disallowing Root Access
      2.1.9.3. Enabling Automatic Logouts
      2.1.9.4. Limiting Root Access
      2.1.9.5. Account Locking
    2.1.10. Session Locking
      2.1.10.1. Locking GNOME Using gnome-screensaver-command
        2.1.10.1.1. Automatic Lock on Screen Saver Activation
        2.1.10.1.2. Remote Session Locking
      2.1.10.2. Locking Virtual Consoles Using vlock
    2.1.11. Available Network Services
      2.1.11.1. Risks To Services
      2.1.11.2. Identifying and Configuring Services
      2.1.11.3. Insecure Services
    2.1.12. Personal Firewalls
    2.1.13. Security Enhanced Communication Tools
    2.1.14. Enforcing Read-Only Mounting of Removable Media
      Using blockdev to Force Read-Only Mounting of Removable Media
      Using udisks to Force Read-Only Mounting of Filesystems
      Applying New udev and udisks Settings
  2.2. SERVER SECURITY
    2.2.1. Securing Services With TCP Wrappers and xinetd
      2.2.1.1. Enhancing Security With TCP Wrappers
        2.2.1.1.1. TCP Wrappers and Connection Banners
        2.2.1.1.2. TCP Wrappers and Attack Warnings
        2.2.1.1.3. TCP Wrappers and Enhanced Logging
      2.2.1.2. Enhancing Security With xinetd
        2.2.1.2.1. Setting a Trap
        2.2.1.2.2. Controlling Server Resources
    2.2.2. Securing Portmap
      2.2.2.1. Protect portmap With TCP Wrappers
      2.2.2.2. Protect portmap With iptables
    2.2.3. Securing NIS
      2.2.3.1. Carefully Plan the Network
      2.2.3.2. Use a Password-like NIS Domain Name and Hostname
      2.2.3.3. Edit the /var/yp/securenets File
      2.2.3.4. Assign Static Ports and Use iptables Rules
      2.2.3.5. Use Kerberos Authentication
    2.2.4. Securing NFS
      2.2.4.1. Carefully Plan the Network
      2.2.4.2. Securing NFS Mount Options
        2.2.4.2.1. Review the NFS Server
        2.2.4.2.2. Review the NFS Client
      2.2.4.3. Beware of Syntax Errors
      2.2.4.4. Do Not Use the no_root_squash Option
      2.2.4.5. NFS Firewall Configuration
    2.2.5. Securing the Apache HTTP Server
      Removing httpd Modules
      httpd and SELinux
    2.2.6. Securing FTP
      2.2.6.1. FTP Greeting Banner
      2.2.6.2. Anonymous Access
      2.2.6.3. User Accounts
        2.2.6.3.1. Restricting User Accounts
      2.2.6.4. Use TCP Wrappers To Control Access
    2.2.7. Securing Postfix
      2.2.7.1. Limiting a Denial of Service Attack
      2.2.7.2. NFS and Postfix
      2.2.7.3. Mail-only Users
      2.2.7.4. Disable Postfix Network Listening
      2.2.7.5. Configuring Postfix to Use SASL
        Setting Up Dovecot
        Setting Up Postfix
        Additional Resources
    2.2.8. Securing Sendmail
      2.2.8.1. Limiting a Denial of Service Attack
      2.2.8.2. NFS and Sendmail
      2.2.8.3. Mail-only Users
      2.2.8.4. Disable Sendmail Network Listening
    2.2.9. Verifying Which Ports Are Listening
    2.2.10. Disable Source Routing
    2.2.11. Reverse Path Forwarding
      2.2.11.1. Additional Resources
  2.3. SINGLE SIGN-ON (SSO)
  2.4. PLUGGABLE AUTHENTICATION MODULES (PAM)
  2.5. KERBEROS
  2.6. TCP WRAPPERS AND XINETD
    2.6.1. TCP Wrappers
      2.6.1.1. Advantages of TCP Wrappers
    2.6.2. TCP Wrappers Configuration Files
      2.6.2.1. Formatting Access Rules
        2.6.2.1.1. Wildcards
        2.6.2.1.2. Patterns
        2.6.2.1.3. Portmap and TCP Wrappers
        2.6.2.1.4. Operators
      2.6.2.2. Option Fields
        2.6.2.2.1. Logging
        2.6.2.2.2. Access Control
        2.6.2.2.3. Shell Commands
        2.6.2.2.4. Expansions
    2.6.3. xinetd
    2.6.4. xinetd Configuration Files
      2.6.4.1. The /etc/xinetd.conf File
      2.6.4.2. The /etc/xinetd.d/ Directory
      2.6.4.3. Altering xinetd Configuration Files
        2.6.4.3.1. Logging Options
        2.6.4.3.2. Access Control Options
        2.6.4.3.3. Binding and Redirection Options
        2.6.4.3.4. Resource Management Options
    2.6.5. Additional Resources
      2.6.5.1. Installed TCP Wrappers Documentation
      2.6.5.2. Related Books
  2.7. SECURING VIRTUAL PRIVATE NETWORKS (VPNS)
    2.7.1. IPsec VPN Using Libreswan
    2.7.2. VPN Configurations Using Libreswan
    2.7.3. Host-To-Host VPN Using Libreswan
      2.7.3.1. Verify Host-To-Host VPN Using Libreswan
    2.7.4. Site-to-Site VPN Using Libreswan
      2.7.4.1. Verify Site-to-Site VPN Using Libreswan
    2.7.5. Site-to-Site Single Tunnel VPN Using Libreswan
    2.7.6. Subnet Extrusion Using Libreswan
    2.7.7. Road Warrior Access VPN Using Libreswan
    2.7.8. Road Warrior Access VPN Using Libreswan and XAUTH with X.509
    2.7.9. Additional Resources
      2.7.9.1. Installed Documentation
      2.7.9.2. Online Documentation
  2.8. FIREWALLS
    2.8.1. Netfilter and IPTables
      2.8.1.1. IPTables Overview
    2.8.2. Basic Firewall Configuration
      2.8.2.1. Firewall Configuration Tool
      2.8.2.2. Enabling and Disabling the Firewall
      2.8.2.3. Trusted Services
      2.8.2.4. Other Ports
      2.8.2.5. Saving the Settings
      2.8.2.6. Activating the IPTables Service
    2.8.3. Using IPTables
      2.8.3.1. IPTables Command Syntax
      2.8.3.2. Basic Firewall Policies
      2.8.3.3. Saving and Restoring IPTables Rules
    2.8.4. Common IPTables Filtering
    2.8.5. FORWARD and NAT Rules
      2.8.5.1. Postrouting and IP Masquerading
      2.8.5.2. Prerouting
      2.8.5.3. DMZs and IPTables
    2.8.6. Malicious Software and Spoofed IP Addresses
    2.8.7. IPTables and Connection Tracking
    2.8.8. IPv6
    2.8.9. IPTables
      2.8.9.1. Packet Filtering
      2.8.9.2. Command Options for IPTables
        2.8.9.2.1. Structure of IPTables Command Options
        2.8.9.2.2. Command Options
        2.8.9.2.3. IPTables Parameter Options
        2.8.9.2.4. IPTables Match Options
        2.8.9.2.5. Target Options
        2.8.9.2.6. Listing Options
      2.8.9.3. Saving IPTables Rules
      2.8.9.4. IPTables Control Scripts
        2.8.9.4.1. IPTables Control Scripts Configuration File
      2.8.9.5. IPTables and IP Sets
        2.8.9.5.1. Installing ipset
        2.8.9.5.2. ipset Commands
        2.8.9.5.3. IP Set Types
      2.8.9.6. IPTables and IPv6
      2.8.9.7. Additional Resources
        2.8.9.7.1. Useful Firewall Websites
        2.8.9.7.2. Related Documentation
        2.8.9.7.3. Installed IP Tables Documentation

CHAPTER 3. ENCRYPTION
  3.1. DATA AT REST
    3.1.1. Full Disk Encryption
    3.1.2. File-Based Encryption
    3.1.3. LUKS Disk Encryption
      Overview of LUKS
      3.1.3.1. LUKS Implementation in Red Hat Enterprise Linux
      3.1.3.2. Manually Encrypting Directories
      3.1.3.3. Adding a New Passphrase to an Existing Device
      3.1.3.4. Removing a Passphrase from an Existing Device
      3.1.3.5. Creating Encrypted Block Devices in Anaconda
      3.1.3.6. Additional Resources
  3.2. DATA IN MOTION
    3.2.1. Virtual Private Networks
    3.2.2. Secure Shell
      3.2.2.1. Cryptographic Login
      3.2.2.2. Multiple Authentication Methods
      3.2.2.3. Other Ways of Securing SSH
        Protocol Version
        Key Types
        Non-Default Port
        No Root Login
  3.3. OPENSSL INTEL AES-NI ENGINE
  3.4. USING THE RANDOM NUMBER GENERATOR
  3.5. GNU PRIVACY GUARD (GPG)
    3.5.1. Creating GPG Keys in GNOME
    3.5.2. Creating GPG Keys in KDE
    3.5.3. Creating GPG Keys Using the Command Line
    3.5.4. About Public Key Encryption
  3.6. USING STUNNEL
    3.6.1. Installing stunnel
    3.6.2. Configuring stunnel as a TLS Wrapper
    3.6.3. Starting, Stopping and Restarting stunnel
  3.7. HARDENING TLS CONFIGURATION
    3.7.1. Choosing Algorithms to Enable
      Protocol Versions
      Public Key Length
    3.7.2. Using Implementations of TLS
      3.7.2.1. Working with Cipher Suites in OpenSSL
      3.7.2.2. Working with Cipher Suites in GnuTLS
    3.7.3. Configuring Specific Applications
      3.7.3.1. Configuring the Apache HTTP Server
    3.7.4. Additional Information
      Installed Documentation
      Online Documentation

CHAPTER 4. GENERAL PRINCIPLES OF INFORMATION SECURITY

CHAPTER 5. SECURE INSTALLATION
  5.1. DISK PARTITIONS
  5.2. UTILIZE LUKS PARTITION ENCRYPTION

CHAPTER 6. SOFTWARE MAINTENANCE
  6.1. INSTALL MINIMAL SOFTWARE
  6.2. PLAN AND CONFIGURE SECURITY UPDATES
  6.3. ADJUSTING AUTOMATIC UPDATES
  6.4. INSTALL SIGNED PACKAGES FROM WELL KNOWN REPOSITORIES

CHAPTER 7. SYSTEM AUDITING
  Use Cases
  7.1. AUDIT SYSTEM ARCHITECTURE
  7.2. INSTALLING THE AUDIT PACKAGES
  7.3. CONFIGURING THE AUDIT SERVICE
    7.3.1. Configuring auditd for a CAPP Environment
  7.4. STARTING THE AUDIT SERVICE
  7.5. DEFINING AUDIT RULES
    7.5.1. Defining Audit Rules with the auditctl Utility
      Defining Control Rules
      Defining File System Rules
      Defining System Call Rules
    7.5.2. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
      Defining Control Rules
      Defining File System and System Call Rules
      Preconfigured Rules Files
  7.6. UNDERSTANDING AUDIT LOG FILES
    First Record
    Second Record
    Third Record
  7.7. SEARCHING THE AUDIT LOG FILES
  7.8. CREATING AUDIT REPORTS
  7.9. CONFIGURING PAM FOR AUDITING
    7.9.1. Configuring pam_tty_audit
  7.10. ADDITIONAL RESOURCES
    Online Sources
    Installed Documentation
    Manual Pages

CHAPTER 8. COMPLIANCE AND VULNERABILITY SCANNING WITH OPENSCAP
  8.1. SECURITY COMPLIANCE IN RED HAT ENTERPRISE LINUX
  8.2. DEFINING COMPLIANCE POLICY
    8.2.1. The XCCDF File Format
    8.2.2. The OVAL File Format
    8.2.3. The Data Stream Format
  8.3. USING SCAP WORKBENCH
    8.3.1. Installing SCAP Workbench
    8.3.2. Running SCAP Workbench
    8.3.3. Scanning the System
    8.3.4. Customizing Security Profiles
    8.3.5. Saving SCAP Content
    8.3.6. Viewing Scan Results and Generating Scan Reports
  8.4. USING OSCAP
    8.4.1. Installing oscap
    8.4.2. Displaying SCAP Content
    8.4.3. Scanning the System
    8.4.4. Generating Reports and Guides
    8.4.5. Validating SCAP Content
    8.4.6. Using OpenSCAP to Remediate the System
      8.4.6.1. OpenSCAP Online Remediation
      8.4.6.2. OpenSCAP Offline Remediation
      8.4.6.3. OpenSCAP Remediation Review
  8.5. USING OPENSCAP WITH RED HAT SATELLITE
  8.6. INSTALLING USGCB-COMPLIANT SYSTEM WITH KICKSTART
  8.7. PRACTICAL EXAMPLES
    8.7.1. Auditing Security Vulnerabilities of Red Hat Products
    8.7.2. Auditing System Settings with SCAP Security Guide
  8.8. ADDITIONAL RESOURCES
    Installed Documentation
    Online Documentation

CHAPTER 9. CHECKING INTEGRITY WITH AIDE
  9.1. INTRODUCTION
  9.2. INSTALLING AIDE
  9.3. PERFORMING INTEGRITY CHECKS
  9.4. UPDATING AN AIDE DATABASE
  9.5. ADDITIONAL RESOURCES

CHAPTER 10. FEDERAL STANDARDS AND REGULATIONS
  10.1. INTRODUCTION
  10.2. FEDERAL INFORMATION PROCESSING STANDARD (FIPS)
    10.2.1. Enabling FIPS Mode
    10.2.2. Enabling FIPS Mode for Applications Using NSS
  10.3. NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL (NISPOM)
  10.4. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
  10.5. SECURITY TECHNICAL IMPLEMENTATION GUIDE

CHAPTER 11. REFERENCES

APPENDIX A. ENCRYPTION STANDARDS
  A.1. SYNCHRONOUS ENCRYPTION
    A.1.1. Advanced Encryption Standard - AES
      A.1.1.1. AES History
    A.1.2. Data Encryption Standard - DES
      A.1.2.1. DES History
  A.2. PUBLIC-KEY ENCRYPTION
    A.2.1. Diffie-Hellman
      A.2.1.1. Diffie-Hellman History
    A.2.2. RSA
    A.2.3. DSA
    A.2.4. SSL/TLS
    A.2.5. Cramer-Shoup Cryptosystem
    A.2.6. ElGamal Encryption

APPENDIX B. AUDIT SYSTEM REFERENCE
  B.1. AUDIT EVENT FIELDS
  B.2. AUDIT RECORD TYPES

APPENDIX C. REVISION HISTORY

CHAPTER 1. SECURITY OVERVIEW

Due to the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, entire industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of their organization. Because most organizations are increasingly dynamic in nature, their workers are accessing critical company IT resources locally and remotely, hence the need for secure computing environments has become more pronounced.

Unfortunately, many organizations (as well as individual users) regard security as more of an afterthought, a process that is overlooked in favor of increased power, productivity, convenience, ease of use, and budgetary concerns. Proper security implementation is often enacted postmortem — after an unauthorized intrusion has already occurred. Taking the correct measures prior to connecting a site to an untrusted network, such as the Internet, is an effective means of thwarting many attemp
