DOCSLIB.ORG

A Guide to Securing Fedora Linux

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Guide to Securing Fedora Linux Fedora Documentation Security Guide A Guide to Securing Fedora Linux Johnray Fuller John Ha David O'Brien Scott Radvan Eric Christensen Adam Ligas Security Guide Fedora Documentation Security Guide A Guide to Securing Fedora Linux Edition 14.1 Author Johnray Fuller [email protected] Author John Ha [email protected] Author David O'Brien [email protected] Author Scott Radvan [email protected] Author Eric Christensen [email protected] Author Adam Ligas [email protected] Copyright © 2010 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/ Legal:Trademark_guidelines. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Java® is a registered trademark of Oracle and/or its affiliates. XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their respective owners. The Fedora Security Guide is designed to assist users of Fedora in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, the Fedora Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods. Preface vii 1. Document Conventions .................................................................................................. vii 1.1. Typographic Conventions .................................................................................... vii 1.2. Pull-quote Conventions ....................................................................................... viii 1.3. Notes and Warnings ............................................................................................ ix 2. We Need Feedback! ....................................................................................................... ix 1. Security Overview 1 1.1. Introduction to Security ................................................................................................. 1 1.1.1. What is Computer Security? ............................................................................... 1 1.1.2. SELinux ............................................................................................................ 3 1.1.3. Security Controls ............................................................................................... 3 1.1.4. Conclusion ........................................................................................................ 4 1.2. Vulnerability Assessment .............................................................................................. 5 1.2.1. Thinking Like the Enemy ................................................................................... 5 1.2.2. Defining Assessment and Testing ....................................................................... 6 1.2.3. Evaluating the Tools .......................................................................................... 7 1.3. Attackers and Vulnerabilities ......................................................................................... 9 1.3.1. A Quick History of Hackers ................................................................................ 9 1.3.2. Threats to Network Security ............................................................................. 10 1.3.3. Threats to Server Security ............................................................................... 11 1.3.4. Threats to Workstation and Home PC Security .................................................. 13 1.4. Common Exploits and Attacks ..................................................................................... 13 1.5. Security Updates ........................................................................................................ 16 1.5.1. Updating Packages .......................................................................................... 16 1.5.2. Verifying Signed Packages ............................................................................... 16 1.5.3. Installing Signed Packages .............................................................................. 17 1.5.4. Applying the Changes ...................................................................................... 18 2. Securing Your Network 21 2.1. Workstation Security ................................................................................................... 21 2.1.1. Evaluating Workstation Security ........................................................................ 21 2.1.2. BIOS and Boot Loader Security ........................................................................ 21 2.1.3. Password Security ........................................................................................... 23 2.1.4. Administrative Controls .................................................................................... 29 2.1.5. Available Network Services .............................................................................. 35 2.1.6. Personal Firewalls ........................................................................................... 38 2.1.7. Security Enhanced Communication Tools .......................................................... 39 2.2. Server Security .......................................................................................................... 39 2.2.1. Securing Services With TCP Wrappers and xinetd ............................................. 40 2.2.2. Securing Portmap ............................................................................................ 43 2.2.3. Securing NIS ................................................................................................... 44 2.2.4. Securing NFS .................................................................................................. 46 2.2.5. Securing the Apache HTTP Server ................................................................... 47 2.2.6. Securing FTP .................................................................................................. 48 2.2.7. Securing Sendmail ........................................................................................... 50 2.2.8. Verifying Which Ports Are Listening .................................................................. 51 2.3. Single Sign-on (SSO) ................................................................................................. 53 2.3.1. Introduction ..................................................................................................... 53 2.3.2. Getting Started with your new Smart Card ........................................................ 54 2.3.3. How Smart Card Enrollment Works .................................................................. 55 2.3.4. How Smart Card Login Works .......................................................................... 56 iii Security Guide 2.3.5. Configuring Firefox to use Kerberos for SSO ..................................................... 57 2.4. Pluggable Authentication Modules (PAM) ..................................................................... 59 2.4.1. Advantages of PAM ......................................................................................... 60 2.4.2. PAM Configuration Files ................................................................................... 60 2.4.3. PAM Configuration File Format ......................................................................... 60 2.4.4. Sample PAM Configuration Files ...................................................................... 63 2.4.5. Creating PAM Modules .................................................................................... 64 2.4.6. PAM and Administrative Credential Caching ...................................................... 64 2.4.7. PAM and Device Ownership ............................................................................. 66 2.4.8. Additional Resources ....................................................................................... 67 2.5. TCP Wrappers and xinetd ........................................................................................... 68 2.5.1. TCP Wrappers ................................................................................................. 69 2.5.2. TCP Wrappers Configuration
Load more

Recommended publications
  • I.MX Encrypted Storage Using CAAM Secure Keys Rev
    AN12714 i.MX Encrypted Storage Using CAAM Secure Keys Rev. 1 — 11/2020 Application Note Contents 1 Preface 1 Preface............................................1 Devices often contain highly sensitive information which is consistently at risk 1.1 Intended audience and scope......1 1.2 References...................................1 to get physically lost or stolen. Setting user passwords does not guarantee data 2 Overview......................................... 1 protection against unauthorized access. The attackers can simply bypass the 2.1 DM-Crypt......................................1 software system of a device and access the data storage directly. Only the 2.2 DM-Crypt accelerated by CAAM use of encryption can guarantee data confidentiality in the case where storage .....................................................2 media is directly accessed. 2.3 DM-Crypt using CAAM's Secure Key...............................................3 This document provides steps to run a transparent storage encryption at block 3 Hands-On........................................4 level using DM-Crypt taking advantage of the secure key feature provided 3.1 Installation....................................4 by i.MXs Cryptographic Accelerator and Assurance Module (CAAM). The 3.2 Usage...........................................6 document applies to all i.MX SoCs having CAAM module. The feature is not 3.3 Performance................................ 9 available on i.MX SoCs with DCP. 4 Revision History............................ 10 5 Appendix A. Configuration...........
    [Show full text]
  • New Methods in Hard Disk Encryption
    New Methods in Hard Disk Encryption Clemens Fruhwirth <[email protected]> Institute for Computer Languages Theory and Logic Group Vienna University of Technology July 18, 2005 Abstract This work investigates the state of the art in hard disk cryptography. As the choice of the cipher mode is essential for the security of hard disk data, we discuss the recent cipher mode developments at two standardisation bodies, NIST and IEEE. It is a necessity to consider new developments, as the most common cipher mode – namely CBC – has many security problems. This work devotes a chapter to the analysis of CBC weaknesses. Next to others, the main contributions of this work are (1) efficient algorithms for series of multiplications in a finite field (Galois Field), (2) analysis of the security of password-based cryptography with respect to low entropy attacks and (3) a design template for secure key management, namely TKS1. For the latter, it is assumed that key management has to be done on regular user hardware in the absence of any special security hardware like key tokens. We solve the problems arising from magnetic storage by introducing a method called anti-forensic information splitter. This work is complemented by the presentation of a system implementing a variant of TKS1. It is called LUKS and it was developed and implemented by the author of this work. Contents Preface v 1 Introduction 1 2 Design ingredients 3 2.1 The many faces of n ........................ 3 2.2 Galois Field arithmetic . 4 2.3 Algorithms for GF(2η)....................... 9 2.4 Sequences of multiplications in GF(2η) .
    [Show full text]
  • I.MX Linux® User's Guide NXP Semiconductors
    NXP Semiconductors Document identifier: IMXLUG User Guide Rev. LF5.10.52_2.1.0, 30 September 2021 i.MX Linux® User's Guide NXP Semiconductors Contents Chapter 1 Overview............................................................................................... 6 1.1 Audience....................................................................................................................................6 1.2 Conventions...............................................................................................................................6 1.3 Supported hardware SoCs and boards..................................................................................... 6 1.4 References................................................................................................................................ 7 Chapter 2 Introduction........................................................................................... 9 Chapter 3 Basic Terminal Setup.......................................................................... 10 Chapter 4 Booting Linux OS................................................................................ 11 4.1 Software overview................................................................................................................... 11 4.1.1 Bootloader.................................................................................................................................12 4.1.2 Linux kernel image and device tree.........................................................................................
    [Show full text]
  • Linux Kernel Security Overview
    Linux Kernel Security Overview Kernel Conference Australia Brisbane, 2009 James Morris [email protected] Introduction Historical Background ● Linux started out with traditional Unix security – Discretionary Access Control (DAC) ● Security has been enhanced, but is constrained by original Unix design, POSIX etc. ● Approach is continual retrofit of newer security schemes, rather than fundamental redesign “The first fact to face is that UNIX was not developed with security, in any realistic sense, in mind; this fact alone guarantees a vast number of holes.” Dennis Ritchie, “On the Security of UNIX”, 1979 DAC ● Simple and quite effective, but inadequate for modern environment: – Does not protect against flawed or malicious code ● Linux implementation stems from traditional Unix: – User and group IDs – User/group/other + read/write/execute – User controls own policy – Superuser can violate policy “It must be recognized that the mere notion of a super-user is a theoretical, and usually practical, blemish on any protection scheme.” Ibid. Extended DAC ● POSIX Capabilities (privileges) – Process-based since Linux kernel v2.2 ● Limited usefulness – File-based support relatively recent (v2.6.24) ● May help eliminate setuid root binaries ● Access Control Lists (ACLs) – Based on abandoned POSIX spec – Uses extended attributes API Linux Namespaces ● File system namespaces introduced in 2000, derived from Plan 9. – Not used much until mount propagation provided more flexibility (e.g. shared RO “/”) – Mounts private by default ● Syscalls unshare(2) and
    [Show full text]
  • Oracle® Linux 7 Managing Storage and Storage Devices
    Oracle® Linux 7 Managing Storage and Storage Devices F32385-02 October 2020 Oracle Legal Notices Copyright © 2020, Oracle and/or its affiliates. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract.
    [Show full text]
  • Oracle® Linux 7 Security Guide
    Oracle® Linux 7 Security Guide E54670-34 June 2021 Oracle Legal Notices Copyright © 2014, 2021, Oracle and/or its affiliates. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract.
    [Show full text]
  • Authenticated and Resilient Disk Encryption
    Masaryk University Faculty of Informatics Authenticated and Resilient Disk Encryption Doctoral Thesis Milan Brož Brno, Fall 2018 Masaryk University Faculty of Informatics Authenticated and Resilient Disk Encryption Doctoral Thesis Milan Brož Brno, Fall 2018 Declaration Hereby I declare that this thesis is my original authorial work, which I have worked out on my own. All sources, references, and literature used or ex- cerpted during elaboration of this work are properly cited and listed in com- plete reference to the due source. Milan Brož Advisor: prof. RNDr. Václav Matyáš, M.Sc., Ph.D. i Abstract Full Disk Encryption (FDE) is a security feature that is present in many sys- tems – from mobile devices to encrypted data in the cloud. Transparent on- the-fly encryption of storage devices operates directly on disk sectors layer and can be divided into the encryption of data by a symmetric encryption algorithm and key management. We analyzed both areas on real use cases and proposed new concepts that improve security considerably. FDE was perceived as a security feature that cannot provide data in- tegrity protection and focused on confidentiality only. To disprove this com- mon claim, we implemented authenticated encryption that provides both confidentiality and integrity protection. Our approach is based on per-sector authentication tags that are stored in configurable software-defined metadata areas on the same disk. Ontopof this metadata store, we implemented authenticated encryption that utilizes state-of-the-art authenticated encryption algorithms. Our open-source solu- tion was accepted into the mainline Linux kernel and contains an extension of the dm-crypt disk encryption driver and our newly designed per-sector metadata store dm-integrity driver.
    [Show full text]
  • A Device Mapper Based Encryption Layer for Transcrypt
    A Device Mapper based Encryption Layer for TransCrypt Sainath S Vellal Department of Computer Science & Engineering Indian Institute of Technology Kanpur June 2008 A Device Mapper based Encryption Layer for TransCrypt A Thesis Submitted In Partial Fulfillment of the Requirements For the Degree of Master of Technology by Sainath S Vellal to the Department of Computer Science & Engineering Indian Institute of Technology Kanpur June 2008 Certificate This is to certify that the work contained in the thesis entitled \A Device- Mapper based Encryption Layer for TransCrypt", by Sainath S Vellal, has been carried out under my supervision and that this work has not been submitted elsewhere for a degree. (Prof. Rajat Moona) (Prof. Dheeraj Sanghi) Department of Computer Department of Computer Science & Engineering, Science & Engineering, Indian Institute of Technology Indian Institute of Technology Kanpur, Kanpur, Kanpur, Uttar Pradesh 208016 Kanpur, Uttar Pradesh 208016 Abstract Data security has come to be of utmost importance in the recent times. Several encrypting file systems have been designed to solve the problem of providing data security in a secure and transparent manner. TransCrypt is such an encrypting file system, which is implemented in kernel space, has an advanced key management scheme and is designed to be deployable in an enterprise scenario. It uses per-file cryptographic keys for flexible sharing and does not include even the superuser in its trust model. Earlier, TransCrypt was implemented on the Linux kernel (version 2.6). In the implementation, several modifications were made to the existing kernel to embed the TransCrypt functionality. Such modifications also changed the file I/O behaviour in the kernel, in order to add a cryptographic layer to perform encryption and decryption on the file data.
    [Show full text]
  • Oracle® Linux 8 Managing Storage Devices
    Oracle® Linux 8 Managing Storage Devices F29276-08 August 2021 Oracle Legal Notices Copyright © 2020, 2021, Oracle and/or its affiliates. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract.
    [Show full text]
  • Security Analysis of Cryptsetup/LUKS
    Security Analysis of Cryptsetup/LUKS Ubuntu Privacy Remix Team <[email protected]> August 12, 2012 Contents 1. Introduction...................................................................................................................................1 2. Analyzed Version of Cryptsetup....................................................................................................2 Data of Cryptsetup 1.4.1.........................................................................................................2 3. Compiling Cryptsetup from Sources.............................................................................................2 4. Methodology of Analysis...............................................................................................................3 5. The Programs luksanalyzer and hashtest.....................................................................................4 The Program luksanalyzer......................................................................................................4 The Program hashtest.............................................................................................................5 6. Findings of Analysis......................................................................................................................6 The License of Cryptsetup......................................................................................................6 Website and Documentation of Cryptsetup/LUKS...................................................................6
    [Show full text]
  • Optimizing Dm-Crypt for XTS-AES: Getting The
    Optimizing dm-crypt for XTS-AES: Getting the Best of Atmel Cryptographic Co-Processors (long version) Levent Demir, Mathieu Thiery, Vincent Roca, Jean-Michel Tenkes, Jean-Louis Roch To cite this version: Levent Demir, Mathieu Thiery, Vincent Roca, Jean-Michel Tenkes, Jean-Louis Roch. Optimizing dm-crypt for XTS-AES: Getting the Best of Atmel Cryptographic Co-Processors (long version). SE- CRYPT 2020 - 17th International Conference on Security and Cryptography, Jul 2020, Paris, France. pp.1-11. hal-02555457 HAL Id: hal-02555457 https://hal.archives-ouvertes.fr/hal-02555457 Submitted on 27 Apr 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Optimizing dm-crypt for XTS-AES: Getting the Best of Atmel Cryptographic Co-Processors (long version) Levent Demir1,2, Mathieu Thiery1,2, Vincent Roca1, Jean-Michel Tenkes2, and Jean-Louis Roch3 1Incas ITSec, France 2Univ. Grenoble Alpes, Inria, France 3Univ. Grenoble Alpes, Grenoble INP, LIG, France Keywords: Full disk encryption, XTS-AES, Linux dm-crypt module, cryptographic co-processor, Atmel board. Abstract: Linux implementation of Full Disk Encryption (FDE) relies on the dm-crypt kernel module, and is based on the XTS-AES encryption mode.
    [Show full text]
  • Linux Journal 33 Reality 2.0: a Linux Journal Podcast 34 News Briefs
    Easier Python Write Secure Free Software, paths with pathlib Shell Scripts Open Science and R Since 1994: The original magazine of the Linux community THE SECURITY ISSUE The Heads Project: a Free Software Solution for Secure Booting YubiKey 5 and Web Authentication The New Purism Librem Key Hardware Token Password Manager Roundup De-mystifying X.509 Certificates ISSUE 295 | FEBRUARY 2019 www.linuxjournal.com FEBRUARY 2019 CONTENTS ISSUE 295 62 DEEP DIVE: Security 63 Password Manager Roundup by Shawn Powers If you can remember all of your passwords, they’re not good passwords. 80 Everyday Security Tips by Michael McCallister Make your computer safer with these guidelines based on the Linux Foundation’s Security Checklist developed for corporate systems. 91 Understanding Public Key Infrastructure and X.509 Certificates by Jeff Woods An introduction to PKI, TLS and X.509, from the ground up. 104 WebAuthn Web Authentication with YubiKey 5 by Todd A. Jacobs A look at the recently released YubiKey 5 hardware authenticator series and how web authentication with the new WebAuthn API leverages devices like the YubiKey for painless website registration and strong user authentication. 122 The Purism Librem Key by Todd A. Jacobs The Librem Key is a new hardware token for improving Linux security by adding a physical authentication factor to booting, login and disk decryption on supported systems. 134 Tamper-Evident Boot with Heads by Kyle Rankin Learn about how the cutting-edge, free software Heads project detects BIOS and kernel tampering, all with keys under your control. 2 | February 2019 | https://www.linuxjournal.com CONTENTS 6 The Security Issue by Bryan Lunduke 10 From the Editor—Doc Searls A Line in the Sand 14 Letters UPFRONT 20 Some (Linux) Bugs Have All the Fun by Bryan Lunduke 24 Astronomy Software by Any Other Name by Joey Bernard 32 Patreon and Linux Journal 33 Reality 2.0: a Linux Journal Podcast 34 News Briefs COLUMNS 38 Reuven M.
    [Show full text]