Security Guide openSUSE Leap 42.3
Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor or the auditing system that reliably collects information about any security-relevant events.

Publication Date: November 05, 2018

SUSE LLC
10 Canal Park Drive
Suite 200
Cambridge MA 02141
USA
https://www.suse.com/documentation

Copyright © 2006–2018 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see http://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Contents

About This Guide

1 Security and Confidentiality
1.1 Local Security and Network Security
    Local Security • Network Security
1.2 Some General Security Tips and Tricks
1.3 Using the Central Security Reporting Address

I AUTHENTICATION

2 Authentication with PAM
2.1 What is PAM?
2.2 Structure of a PAM Configuration File
2.3 The PAM Configuration of sshd
2.4 Configuration of PAM Modules
    pam_env.conf • pam_mount.conf.xml • limits.conf
2.5 Configuring PAM Using pam-config
2.6 Manually Configuring PAM
2.7 For More Information

3 Using NIS
3.1 Configuring NIS Servers
    Configuring a NIS Master Server • Configuring a NIS Slave Server
3.2 Configuring NIS Clients

4 Setting Up Authentication Servers and Clients Using YaST
4.1 Configuring an Authentication Server with YaST
    Initial Configuration of an Authentication Server • Editing an Authentication Server Configuration with YaST • Editing LDAP Users and Groups
4.2 Configuring an Authentication Client with YaST
4.3 SSSD
    Checking the Status • Caching • For More Information

5 LDAP—A Directory Service
5.1 LDAP versus NIS
5.2 Structure of an LDAP Directory Tree
5.3 Configuring an LDAP Client with YaST
5.4 Configuring LDAP Users and Groups in YaST
5.5 Manually Configuring an LDAP Server
5.6 Manually Administering LDAP Data
    Inserting Data into an LDAP Directory • Modifying Data in the LDAP Directory • Searching or Reading Data from an LDAP Directory • Deleting Data from an LDAP Directory
5.7 For More Information

6 Network Authentication with Kerberos
6.1 Kerberos Terminology
6.2 How Kerberos Works
    First Contact • Requesting a Service • Mutual Authentication • Ticket Granting—Contacting All Servers
6.3 User View of Kerberos
6.4 Installing and Administering Kerberos
    Kerberos Network Topology • Choosing the Kerberos Realms • Setting Up the KDC Hardware • Configuring Time Synchronization • Configuring the KDC • Configuring Kerberos Clients • Configuring Remote Kerberos Administration • Creating Kerberos Service Principals • Enabling PAM Support for Kerberos • Configuring SSH for Kerberos Authentication • Using LDAP and Kerberos
6.5 Setting up Kerberos using LDAP and Kerberos Client
6.6 For More Information

7 Active Directory Support
7.1 Integrating Linux and Active Directory Environments
7.2 Background Information for Linux Active Directory Support
    Domain Join • Domain Login and User Homes • Offline Service and Policy Support
7.3 Configuring a Linux Client for Active Directory
    Choosing Which YaST Module to Use for Connecting to Active Directory • Joining Active Directory Using User Logon Management • Joining Active Directory Using Windows Domain Membership • Checking Active Directory Connection Status
7.4 Logging In to an Active Directory Domain
    GDM • Console Login
7.5 Changing Passwords

II LOCAL SECURITY

8 Configuring Security Settings with YaST
8.1 Security Overview
8.2 Predefined Security Configurations
8.3 Password Settings
8.4 Boot Settings
8.5 Login Settings
8.6 User Addition
8.7 Miscellaneous Settings

9 Authorization with PolKit
9.1 Conceptual Overview
    Available Authentication Agents • Structure of PolKit • Available Commands • Available Policies and Supported Applications
9.2 Authorization Types
    Implicit Privileges • Explicit Privileges • Default Privileges
9.3 Querying Privileges
9.4 Modifying Configuration Files
    Adding Action Rules • Adding Authorization Rules • Modifying Configuration Files for Implicit Privileges
9.5 Restoring the Default Privileges

10 Access Control Lists in Linux
10.1 Traditional File Permissions
    The setuid Bit • The setgid Bit • The Sticky Bit
10.2 Advantages of ACLs
10.3 Definitions
10.4 Handling ACLs
    ACL Entries and File Mode Permission Bits • A Directory with an ACL • A Directory with a Default ACL • The ACL Check Algorithm
10.5 ACL Support in Applications
10.6 For More Information

11 Encrypting Partitions and Files
11.1 Setting Up an Encrypted File System with YaST
    Creating an Encrypted Partition during Installation • Creating an Encrypted Partition on a Running System • Creating an Encrypted Virtual Disk • Encrypting the Content of Removable Media
11.2 Using Encrypted Home Directories
11.3 Encrypting Files with GPG

12 Certificate Store
12.1 Activating Certificate Store
12.2 Importing Certificates

13 Intrusion Detection with AIDE
13.1 Why Use AIDE?
13.2 Setting Up an AIDE Database
13.3 Local AIDE Checks
13.4 System Independent Checking
13.5 For More Information

III NETWORK SECURITY

14 SSH: Secure Network Operations
14.1 ssh—Secure Shell
    Starting X Applications on a Remote Host • Agent Forwarding
14.2 scp—Secure Copy
14.3 sftp—Secure File Transfer
    Using sftp • Setting Permissions for File Uploads
14.4 The SSH Daemon (sshd)
    Maintaining SSH Keys • Rotating Host Keys
14.5 SSH Authentication Mechanisms
    Generating an SSH Key • Copying an SSH Key • Using the ssh-agent
14.6 Port Forwarding
14.7 For More Information

15 Masquerading and Firewalls
15.1 Packet Filtering with iptables
15.2 Masquerading Basics
15.3 Firewalling Basics
15.4 SuSEFirewall2
    Configuring the Firewall with YaST • Configuring Manually
15.5 For More Information

16 Configuring a VPN Server
16.1 Conceptual Overview
    Terminology • VPN Scenarios
16.2 Setting Up a Simple Test Scenario
    Configuring the VPN Server • Configuring the VPN Clients • Testing the VPN Example Scenario
16.3 Setting Up Your VPN Server Using a Certificate Authority
    Creating Certificates • Configuring the VPN Server • Configuring the VPN Clients
16.4 Setting Up a VPN Server or Client Using YaST
16.5 For More Information

17 Managing X.509 Certification
17.1 The Principles of Digital Certification
    Key Authenticity • X.509 Certificates • Blocking X.509 Certificates • Repository for Certificates and CRLs • Proprietary PKI
17.2 YaST Modules for CA Management
    Creating a Root CA • Changing Password • Creating or Revoking a Sub-CA • Creating or Revoking User Certificates • Changing Default Values • Creating Certificate Revocation Lists (CRLs) • Exporting CA Objects to LDAP • Exporting CA Objects as a File • Importing Common Server Certificates

IV CONFINING PRIVILEGES WITH APPARMOR

18 Introducing AppArmor
18.1 AppArmor Components
18.2 Background Information on AppArmor Profiling

19 Getting Started
19.1 Installing AppArmor
19.2 Enabling and Disabling AppArmor
19.3 Choosing Applications to Profile
19.4 Building and Modifying Profiles
19.5 Updating Your Profiles

20 Immunizing Programs
20.1 Introducing the AppArmor Framework
20.2 Determining Programs to Immunize
20.3 Immunizing cron Jobs
20.4 Immunizing Network Applications
    Immunizing Web Applications • Immunizing Network Agents

21 Profile Components and Syntax
21.1 Breaking an AppArmor Profile into Its Parts
21.2 Profile Types
    Standard Profiles • Unattached Profiles • Local Profiles • Hats • Change rules
21.3 Include Statements
    Abstractions • Program Chunks • Tunables
21.4 Capability Entries (POSIX.1e)
21.5 Network Access Control
21.6 Profile Names, Flags, Paths, and Globbing
    Profile Flags • Using Variables in Profiles • Pattern Matching • Namespaces • Profile Naming and Attachment Specification • Alias Rules
21.7 File Permission Access Modes
    Read Mode (r) • Write Mode (w) • Append Mode (a) • File Locking Mode (k) •