
SUSE Linux Enterprise Server 11 SP4 Security Guide

Security Guide
SUSE Linux Enterprise Server 11 SP4
Publication Date: September 24, 2021

SUSE LLC
1800 South Novell Place
Provo, UT 84606
USA
https://documentation.suse.com

Copyright © 2006–2021 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled "GNU Free Documentation License".

For SUSE trademarks, see http://www.suse.com/company/legal/ . All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a SUSE or Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Contents

About This Guide xv
1 Available Documentation xv
2 Feedback xvii
3 Documentation Conventions xviii

1 Security and Confidentiality 1
1.1 Local Security and Network Security 1
    Local Security 3 • Network Security 6
1.2 Some General Security Tips and Tricks 10
1.3 Using the Central Security Reporting Address 12

I AUTHENTICATION 13

2 Authentication with PAM 14
2.1 What is PAM? 14
2.2 Structure of a PAM Configuration File 15
2.3 The PAM Configuration of sshd 17
2.4 Configuration of PAM Modules 20
    pam_env.conf 20 • pam_mount.conf 21 • limits.conf 21
2.5 Configuring PAM Using pam-config 21
2.6 Manually Configuring PAM 22
2.7 For More Information 23

3 Using NIS 24
3.1 Configuring NIS Servers 24
    Configuring a NIS Master Server 24 • Configuring a NIS Slave Server 29
iii Security Guide
3.2 Configuring NIS Clients 30

4 LDAP—A Directory Service 32
4.1 LDAP versus NIS 33
4.2 Structure of an LDAP Directory Tree 33
4.3 Configuring an LDAP Server with YaST 36
4.4 Configuring an LDAP Client with YaST 45
    Configuring Basic Settings 46 • Configuring the YaST Group and User Administration Modules 49
4.5 Configuring LDAP Users and Groups in YaST 53
4.6 Browsing the LDAP Directory Tree 54
4.7 Manually Configuring an LDAP Server 56
    Starting and Stopping the Servers 56
4.8 Manually Administering LDAP Data 57
    Inserting Data into an LDAP Directory 57 • Modifying Data in the LDAP Directory 59 • Searching or Reading Data from an LDAP Directory 60 • Deleting Data from an LDAP Directory 60
4.9 For More Information 60

5 Active Directory Support 62
5.1 Integrating Linux and AD Environments 62
5.2 Background Information for Linux AD Support 63
    Domain Join 65 • Domain Login and User Homes 65 • Offline Service and Policy Support 67
5.3 Configuring a Linux Client for Active Directory 67
5.4 Logging In to an AD Domain 70
    GDM and KDM 71 • Console Login 71
5.5 Changing Passwords 72

6 Network Authentication with Kerberos 74
6.1 Kerberos Terminology 74
6.2 How Kerberos Works 76
    First Contact 76 • Requesting a Service 77 • Mutual Authentication 77 • Ticket Granting—Contacting All Servers 77 • Compatibility to Windows 2000 78
6.3 Users' View of Kerberos 79
6.4 Installing and Administering Kerberos 80
    Kerberos Network Topology 81 • Choosing the Kerberos Realms 82 • Setting Up the KDC Hardware 82 • Configuring Time Synchronization 83 • Configuring the KDC 84 • Configuring Kerberos Clients 87 • Configuring Remote Kerberos Administration 92 • Creating Kerberos Service Principals 94 • Enabling PAM Support for Kerberos 95 • Configuring SSH for Kerberos Authentication 96 • Using LDAP and Kerberos 97
6.5 For More Information 99

7 Using the Fingerprint Reader 101
7.1 Supported Applications and Actions 101
7.2 Managing Fingerprints with YaST 102

II LOCAL SECURITY 104

8 Configuring Security Settings with YaST 105
8.1 Security Overview 105
8.2 Predefined Security Configurations 106
8.3 Password Settings 107
8.4 Boot Settings 108
8.5 Login Settings 108
8.6 User Addition 108
8.7 Miscellaneous Settings 109

9 PolicyKit 110
9.1 Conceptual Overview 110
    Available Policies and Supported Applications 110 • Authorization Types 111 • Default Privileges 112
9.2 Modifying and Setting Privileges 113
    Using the Graphical Authorizations Tool 113 • Using the Command Line Tools 115 • Modifying Configuration Files 116 • Restoring the Default Privileges 119

10 Access Control Lists in Linux 120
10.1 Traditional File Permissions 120
    The setuid Bit 120 • The setgid Bit 121 • The Sticky Bit 121
10.2 Advantages of ACLs 121
10.3 Definitions 122
10.4 Handling ACLs 123
    ACL Entries and File Mode Permission Bits 124 • A Directory with an ACL 125 • A Directory with a Default ACL 127 • The ACL Check Algorithm 130
10.5 ACL Support in Applications 131
10.6 For More Information 131

11 Encrypting Partitions and Files 132
11.1 Setting Up an Encrypted File System with YaST 133
    Creating an Encrypted Partition during Installation 133 • Creating an Encrypted Partition on a Running System 135 • Creating an Encrypted File as a Container 135 • Encrypting the Content of Removable Media 135
11.2 Using Encrypted Home Directories 136
11.3 Using vi to Encrypt Single ASCII Text Files 137

12 Certificate Store 138
12.1 Activating Certificate Store 138
12.2 Importing Certificates 138

13 Intrusion Detection with AIDE 140
13.1 Why Using AIDE? 140
13.2 Setting Up an AIDE Database 140
13.3 Local AIDE Checks 143
13.4 System Independent Checking 144
13.5 For More Information 145

III NETWORK SECURITY 146

14 SSH: Secure Network Operations 147
14.1 ssh—Secure Shell 147
    Starting X Applications on a Remote Host 148 • Agent Forwarding 148
14.2 scp—Secure Copy 148
14.3 sftp—Secure File Transfer 149
14.4 The SSH Daemon (sshd) 150
14.5 SSH Authentication Mechanisms 151
    Generating an SSH Key 152 • Copying an SSH Key 153 • Using the ssh-agent 153
14.6 Port Forwarding 154
14.7 Configuring An SSH Daemon with YaST 155
14.8 For More Information 156

15 Masquerading and Firewalls 157
15.1 Packet Filtering with iptables 157
15.2 Masquerading Basics 160
15.3 Firewalling Basics 161
15.4 SuSEfirewall2 162
    Configuring the Firewall with YaST 163 • Configuring Manually 165
15.5 For More Information 167

16 Configuring VPN Server 168
16.1 Conceptual Overview 168
    Terminology 168 • VPN Scenarios 169
16.2 Creating the Simplest VPN Example 172
    Configuring the VPN Server 173 • Configuring the VPN Client 173 • Testing the VPN Example 174
16.3 Setting Up Your VPN Server Using Certificate Authority 174
    Creating Certificates 175 • Configuring the Server 177 • Configuring the Clients 178
16.4 Changing Nameservers in VPN 180
16.5 KDE- and GNOME Applets For Clients 180
    KDE 181 • GNOME 182
16.6 For More Information 183

17 Managing X.509 Certification 184
17.1 The Principles of Digital Certification 184
    Key Authenticity 185 • X.509 Certificates 185 • Blocking X.509 Certificates 186 • Repository for Certificates and CRLs 187 • Proprietary PKI 188
17.2 YaST Modules for CA Management 188
    Creating a Root CA 188 • Changing Password 190 • Creating or Revoking a Sub-CA 191 • Creating or Revoking User Certificates 193 • Changing Default Values 194 • Creating Certificate Revocation Lists (CRLs) 195 • Exporting CA Objects to LDAP 196 • Exporting CA Objects as a File 197 • Importing Common Server Certificates 198

IV CONFINING PRIVILEGES WITH APPARMOR 199

18 Introducing AppArmor 200
18.1 Background Information on AppArmor Profiling 200

19 Getting Started 202
19.1 Installing AppArmor 202
19.2 Enabling and Disabling AppArmor 203
19.3 Choosing the Applications to Profile 204
19.4 Building and Modifying Profiles 204
19.5 Configuring AppArmor Event Notification and Reports 206
19.6 Updating Your Profiles 207

20 Immunizing Programs 209
20.1 Introducing the AppArmor Framework 210
20.2 Determining Programs to Immunize 212
20.3 Immunizing cron Jobs 212
20.4 Immunizing Network Applications 213
    Immunizing Web Applications 215 • Immunizing Network Agents 217

21 Profile Components and Syntax 218
21.1 Breaking a AppArmor Profile into Its Parts 219
21.2 Profile Types 221
    Standard Profiles 222 • Unattached Profiles 222 • Local Profiles 223 • Hats 223 • Change rules 223
21.3 #include Statements 224
    Abstractions 224 • Program Chunks 225 • Tunables 225
21.4 Capability Entries (POSIX.1e) 225
21.5 Network Access Control 225
21.6 Paths and Globbing 226
    Using Variables in Profiles 228 • Alias rules 228
21.7 File Permission Access Modes 229
    Read Mode (r) 229 • Write Mode (w) 229 • Append Mode (a) 230 • File Locking Mode (k) 230 • Link Mode (l) 230 • Link Pair 230 • Owner Conditional Rules 231 • Deny Rules 231
21.8 Execute Modes 232
    Discrete Profile Execute Mode (px) 232 • Discrete Local Profile Execute Mode (cx) 233 • Unconstrained Execute Mode (ux) 233 • Clean Exec modes 234 • Inherit Execute Mode (ix) 234 • Allow Executable Mapping (m) 234 • Named Profile Transitions 234 • Inheritance Fallback for Profile Transitions 235 • Variable Settings in Execution Modes 236
21.9 Resource Limit Control 237
21.10 Auditing Rules 238
21.11 Setting Capabilities per Profile 239

22 AppArmor Profile Repositories 240
22.1 Using the Local Repository 240
22.2 Using the External Repository 240
    Setting up Profile Repository Support 241 • Downloading a Profile 242 • Uploading Your own Profile 242

23 Building and Managing Profiles with YaST 243
23.1 Adding a Profile Using the