SUSE Linux Enterprise Server 15 SP2 Security and Hardening Guide

Total pages: 16

File type: PDF, size: 1020 KB

SUSE Linux Enterprise Server 15 SP2 Security and Hardening Guide

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.

Publication Date: September 24, 2021

SUSE LLC
1800 South Novell Place
Provo, UT 84606
USA
https://documentation.suse.com

Copyright © 2006–2021 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.
Contents

About This Guide xviii
  1 Available Documentation xviii
  2 Giving Feedback xx
  3 Documentation Conventions xxi
  4 Product Life Cycle and Support xxii
    Support Statement for SUSE Linux Enterprise Server xxiii • Technology Previews xxiv

1 Security and Confidentiality 1
  1.1 Overview 1
  1.2 Passwords 2
  1.3 System Integrity 2
  1.4 File Access 3
  1.5 Networking 4
  1.6 Software Vulnerabilities 4
  1.7 Malware 5
  1.8 Important Security Tips 6
  1.9 Reporting Security Issues 7

2 Common Criteria 8
  2.1 Introduction 8
  2.2 Evaluation Assurance Level (EAL) 8
  2.3 Generic Guiding Principles 9
  2.4 For More Information 11

I AUTHENTICATION 13

3 Authentication with PAM 14
  3.1 What is PAM? 14
  3.2 Structure of a PAM Configuration File 15
  3.3 The PAM Configuration of sshd 17
  3.4 Configuration of PAM Modules 20
    pam_env.conf 20 • pam_mount.conf.xml 21 • limits.conf 21
  3.5 Configuring PAM Using pam-config 22
  3.6 Manually Configuring PAM 23
  3.7 For More Information 23

4 Using NIS 25
  4.1 Configuring NIS Servers 25
    Configuring a NIS Master Server 25 • Configuring a NIS Slave Server 30
  4.2 Configuring NIS Clients 31

5 Setting Up Authentication Clients Using YaST 33
  5.1 Configuring an Authentication Client with YaST 33
  5.2 SSSD 33
    Checking the Status 34 • Caching 34

6 LDAP—A Directory Service 35
  6.1 Structure of an LDAP Directory Tree 35
  6.2 Installing the Software for 389 Directory Server 38
  6.3 Manually Configuring a 389 Directory Server 38
    Creating the 389 Directory Server Instance 39 • Using CA Certificates for TLS 40 • Configuring Admin Credentials for Remote/Local Access 41 • Configuring LDAP Users and Groups 42 • Setting Up SSSD 44
  6.4 Setting Up a 389 Directory Server with YaST 46
    Creating a 389 Directory Server Instance with YaST 46 • Configuring an LDAP Client with YaST 47
  6.5 Manually Administering LDAP Data 50
  6.6 For More Information 50

7 Network Authentication with Kerberos 51
  7.1 Conceptual Overview 51
  7.2 Kerberos Terminology 51
  7.3 How Kerberos Works 53
    First Contact 53 • Requesting a Service 54 • Mutual Authentication 55 • Ticket Granting—Contacting All Servers 55
  7.4 User View of Kerberos 56
  7.5 Installing and Administering Kerberos 57
    Kerberos Network Topology 58 • Choosing the Kerberos Realms 59 • Setting Up the KDC Hardware 59 • Configuring Time Synchronization 60 • Configuring the KDC 61 • Configuring Kerberos Clients 65 • Configuring Remote Kerberos Administration 67 • Creating Kerberos Service Principals 69 • Enabling PAM Support for Kerberos 71 • Configuring SSH for Kerberos Authentication 71 • Using LDAP and Kerberos 72
  7.6 Setting up Kerberos using LDAP and Kerberos Client 75
  7.7 Kerberos and NFS 79
    Group Membership 80 • Performance and Scalability 81 • Master KDC, Multiple Domains, and Trust Relationships 82
  7.8 For More Information 83

8 Active Directory Support 84
  8.1 Integrating Linux and Active Directory Environments 84
  8.2 Background Information for Linux Active Directory Support 85
    Domain Join 87 • Domain Login and User Homes 88 • Offline Service and Policy Support 89
  8.3 Configuring a Linux Client for Active Directory 90
    Choosing Which YaST Module to Use for Connecting to Active Directory 91 • Joining Active Directory Using User Logon Management 92 • Joining Active Directory Using Windows Domain Membership 96 • Checking Active Directory Connection Status 99
  8.4 Logging In to an Active Directory Domain 99
    GDM 99 • Console Login 100
  8.5 Changing Passwords 100

9 Setting Up a FreeRADIUS Server 102
  9.1 Installation and Testing on SUSE Linux Enterprise 102

II LOCAL SECURITY 105

10 Physical Security 106
  10.1 System Locks 106
  10.2 Locking Down the BIOS 107
  10.3 Security via the Boot Loaders 108
  10.4 Retiring Linux Servers with Sensitive Data 108
    scrub: Disk Overwrite Utility 109
  10.5 Restricting Access to Removable Media 110

11 Automatic Security Checks with seccheck 112
  11.1 Seccheck Timers 112
  11.2 Enabling Seccheck Timers 112
  11.3 Daily, Weekly, and Monthly Checks 113
  11.4 Automatic Logout 115

12 Software Management 116
  12.1 Removing Unnecessary Software Packages (RPMs) 116
  12.2 Patching Linux Systems 118
    YaST Online Update 119 • Automatic Online Update 119 • Repository Mirroring Tool—RMT 119 • SUSE Manager 120

13 File Management 122
  13.1 Disk Partitions 122
  13.2 Checking File Permissions and Ownership 123
  13.3 Default umask 123
  13.4 SUID/SGID Files 124
  13.5 World-Writable Files 125
  13.6 Orphaned or Unowned Files 126

14 Encrypting Partitions and Files 127
  14.1 Setting Up an Encrypted File System with YaST 127
    Creating an Encrypted Partition during Installation 128 • Creating an Encrypted Partition on a Running System 129 • Encrypting the Content of Removable Media 129
  14.2 Encrypting Files with GPG 130

15 Storage Encryption for Hosted Applications with cryptctl 131
  15.1 Setting Up a cryptctl Server 132
  15.2 Setting Up a cryptctl Client 134
  15.3 Checking Partition Unlock Status Using Server-side Commands 137
  15.4 Unlocking Encrypted Partitions Manually 138
  15.5 Maintenance Downtime Procedure 138
  15.6 For More Information 138

16 User Management 139
  16.1 Various Account Checks 139
    Unlocked Accounts 139 • Unused Accounts 139
  16.2 Enabling Password Aging 140
  16.3 Stronger Password Enforcement 142
  16.4 Password and Login Management with PAM 142
    Password Strength 143 • Restricting Use of Previous Passwords 144 • Locking User Accounts After Too Many Login Failures 145
  16.5 Restricting root Logins 146
    Restricting Local Text Console Logins 146 • Restricting Graphical Session Logins 148 • Restricting SSH Logins 148
  16.6 Setting an Inactivity Timeout for Interactive Shell Sessions 149
  16.7 Preventing Accidental Denial of Service 151
    Example for Restricting System Resources 151
  16.8 Displaying Login Banners 154
  16.9 Connection Accounting Utilities 155

17 Spectre/Meltdown Checker 156
  17.1 Using spectre-meltdown-checker 156
  17.2 Additional Information about Spectre/Meltdown 158

18 Configuring Security Settings with YaST 159
  18.1 Security Overview 159
  18.2 Predefined Security Configurations 160
  18.3 Password Settings 161
  18.4 Boot Settings 162
  18.5 Login Settings 162
  18.6 User Addition 162
  18.7 Miscellaneous Settings 162

19 Authorization with PolKit 164
  19.1 Conceptual Overview 164
    Available Authentication Agents 164 • Structure of PolKit 164 • Available Commands 165 • Available Policies and Supported Applications 165
  19.2 Authorization Types 167
    Implicit Privileges 167 • Explicit Privileges 167 • Default Privileges 168
  19.3 Querying Privileges 168
  19.4 Modifying Configuration Files 169
    Adding Action Rules 169 • Adding Authorization Rules 170 • Modifying Configuration Files for Implicit Privileges 171
  19.5 Restoring the Default Privileges 172

20 Access Control Lists in Linux 174
  20.1 Traditional File Permissions 174
    The setuid Bit 175 • The setgid Bit 175 • The Sticky Bit 176
  20.2 Advantages of ACLs 176
  20.3 Definitions 176
  20.4 Handling ACLs 177
    ACL Entries and File Mode Permission Bits 178 • A Directory with an ACL 179 • A Directory with a Default ACL 182 • The ACL Check Algorithm 184
  20.5 ACL Support in Applications 185
  20.6 For More Information 185

21 Certificate Store 186
  21.1 Activating Certificate Store 186
  21.2 Importing Certificates 186

22 Intrusion Detection with AIDE 188
  22.1 Why Use AIDE? 188
  22.2 Setting Up an AIDE Database 188
  22.3 Local AIDE Checks 191
  22.4 System Independent Checking 193
  22.5 For More Information 194

III NETWORK SECURITY 195

23 X Window System and X Authentication 196

24 SSH: Secure Network Operations 197
  24.1 ssh—Secure Shell 197
    Starting X Applications on a Remote Host 198 • Agent Forwarding 198
  24.2 scp—Secure Copy 198
  24.3 sftp—Secure File Transfer 199
    Using sftp 199 • Setting Permissions for File Uploads 200
  24.4 The SSH Daemon (sshd) 201