SUSE Linux Enterprise Desktop 15 SP2

Security and Hardening Guide

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation.

Publication Date: September 24, 2021

SUSE LLC
1800 South Novell Place
Provo, UT 84606
USA
https://documentation.suse.com

Copyright © 2006–2021 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Contents

About This Guide
  1 Available Documentation
  2 Giving Feedback
  3 Documentation Conventions
  4 Product Life Cycle and Support
    Support Statement for SUSE Linux Enterprise Desktop • Technology Previews

1 Security and Confidentiality
  1.1 Overview
  1.2 Passwords
  1.3 System Integrity
  1.4 File Access
  1.5 Networking
  1.6 Software Vulnerabilities
  1.7 Malware
  1.8 Important Security Tips
  1.9 Reporting Security Issues

2 Common Criteria
  2.1 Introduction
  2.2 Evaluation Assurance Level (EAL)
  2.3 Generic Guiding Principles
  2.4 For More Information

I AUTHENTICATION

3 Authentication with PAM
  3.1 What is PAM?
  3.2 Structure of a PAM Configuration File
  3.3 The PAM Configuration of sshd
  3.4 Configuration of PAM Modules
    pam_env.conf • pam_mount.conf.xml • limits.conf
  3.5 Configuring PAM Using pam-config
  3.6 Manually Configuring PAM
  3.7 For More Information

4 Using NIS
  4.1 Configuring NIS Servers
  4.2 Configuring NIS Clients

5 Setting Up Authentication Clients Using YaST
  5.1 Configuring an Authentication Client with YaST
  5.2 SSSD
    Checking the Status • Caching

6 LDAP—A Directory Service
  6.1 Structure of an LDAP Directory Tree
  6.2 Installing the Software for 389 Directory Server
  6.3 For More Information

7 Network Authentication with Kerberos
  7.1 Conceptual Overview
  7.2 Kerberos Terminology
  7.3 How Kerberos Works
    First Contact • Requesting a Service • Mutual Authentication • Ticket Granting—Contacting All Servers
  7.4 User View of Kerberos
  7.5 Setting up Kerberos using LDAP and Kerberos Client
  7.6 Kerberos and NFS
    Group Membership • Performance and Scalability • Master KDC, Multiple Domains, and Trust Relationships
  7.7 For More Information

8 Active Directory Support
  8.1 Integrating Linux and Active Directory Environments
  8.2 Background Information for Linux Active Directory Support
    Domain Join • Domain Login and User Homes • Offline Service and Policy Support
  8.3 Configuring a Linux Client for Active Directory
    Choosing Which YaST Module to Use for Connecting to Active Directory • Joining Active Directory Using User Logon Management • Joining Active Directory Using Windows Domain Membership • Checking Active Directory Connection Status
  8.4 Logging In to an Active Directory Domain
    GDM • Console Login
  8.5 Changing Passwords

9 Setting Up a FreeRADIUS Server
  9.1 Installation and Testing on SUSE Linux Enterprise

II LOCAL SECURITY

10 Physical Security
  10.1 System Locks
  10.2 Locking Down the BIOS
  10.3 Security via the Boot Loaders
  10.4 Retiring Linux Servers with Sensitive Data
    scrub: Disk Overwrite Utility
  10.5 Restricting Access to Removable Media

11 Automatic Security Checks with seccheck
  11.1 Seccheck Timers
  11.2 Enabling Seccheck Timers
  11.3 Daily, Weekly, and Monthly Checks
  11.4 Automatic Logout

12 Software Management
  12.1 Removing Unnecessary Software Packages (RPMs)
  12.2 Patching Linux Systems
    YaST Online Update • Automatic Online Update • Repository Mirroring Tool—RMT • SUSE Manager

13 File Management
  13.1 Disk Partitions
  13.2 Checking File Permissions and Ownership
  13.3 Default umask
  13.4 SUID/SGID Files
  13.5 World-Writable Files
  13.6 Orphaned or Unowned Files

14 Encrypting Partitions and Files
  14.1 Setting Up an Encrypted File System with YaST
    Creating an Encrypted Partition during Installation • Creating an Encrypted Partition on a Running System • Encrypting the Content of Removable Media
  14.2 Encrypting Files with GPG

15 Storage Encryption for Hosted Applications with cryptctl
  15.1 Setting Up a cryptctl Server
  15.2 Setting Up a cryptctl Client
  15.3 Checking Partition Unlock Status Using Server-side Commands
  15.4 Unlocking Encrypted Partitions Manually
  15.5 Maintenance Downtime Procedure
  15.6 For More Information

16 User Management
  16.1 Various Account Checks
    Unlocked Accounts • Unused Accounts
  16.2 Enabling Password Aging
  16.3 Stronger Password Enforcement
  16.4 Password and Login Management with PAM
    Password Strength • Restricting Use of Previous Passwords • Locking User Accounts After Too Many Login Failures
  16.5 Restricting root Logins
    Restricting Local Text Console Logins • Restricting Graphical Session Logins • Restricting SSH Logins
  16.6 Setting an Inactivity Timeout for Interactive Shell Sessions
  16.7 Preventing Accidental Denial of Service
    Example for Restricting System Resources
  16.8 Displaying Login Banners
  16.9 Connection Accounting Utilities

17 Spectre/Meltdown Checker
  17.1 Using spectre-meltdown-checker
  17.2 Additional Information about Spectre/Meltdown

18 Configuring Security Settings with YaST
  18.1 Security Overview
  18.2 Predefined Security Configurations
  18.3 Password Settings
  18.4 Boot Settings
  18.5 Login Settings
  18.6 User Addition
  18.7 Miscellaneous Settings

19 Authorization with PolKit
  19.1 Conceptual Overview
    Available Authentication Agents • Structure of PolKit • Available Commands • Available Policies and Supported Applications
  19.2 Authorization Types
    Implicit Privileges • Explicit Privileges • Default Privileges
  19.3 Querying Privileges
  19.4 Modifying Configuration Files
    Adding Action Rules • Adding Authorization Rules • Modifying Configuration Files for Implicit Privileges
  19.5 Restoring the Default Privileges

20 Access Control Lists in Linux
  20.1 Traditional File Permissions
    The setuid Bit • The setgid Bit • The Sticky Bit
  20.2 Advantages of ACLs
  20.3 Definitions
  20.4 Handling ACLs
    ACL Entries and File Mode Permission Bits • A Directory with an ACL • A Directory with a Default ACL • The ACL Check Algorithm
  20.5 ACL Support in Applications
  20.6 For More Information

21 Certificate Store
  21.1 Activating Certificate Store
  21.2 Importing Certificates

22 Intrusion Detection with AIDE
  22.1 Why Use AIDE?
  22.2 Setting Up an AIDE Database
  22.3 Local AIDE Checks
  22.4 System Independent Checking
  22.5 For More Information

III NETWORK SECURITY

23 X Window System and X Authentication

24 SSH: Secure Network Operations
  24.1 ssh—Secure Shell
    Starting X Applications on a Remote Host • Agent Forwarding
  24.2 scp—Secure Copy
  24.3 sftp—Secure File Transfer
    Using sftp • Setting Permissions for File Uploads
  24.4 The SSH Daemon (sshd)
    Maintaining SSH Keys • Rotating Host Keys
  24.5 SSH Authentication Mechanisms
    Generating an SSH Key • Copying an SSH Key • Using the ssh-agent
  24.6 Port Forwarding
  24.7 Adding and Removing Public Keys on an Installed System
  24.8 For More Information

25 Masquerading and Firewalls
  25.1 Packet Filtering with iptables
  25.2 Masquerading Basics
  25.3 Firewalling Basics
  25.4 firewalld
    Configuring the Firewall with NetworkManager • Configuring the Firewall with YaST • Configuring the Firewall on the Command Line • Accessing Services Listening on Dynamic Ports
  25.5 Migrating from SuSEfirewall2
  25.6 For More Information

26 Configuring a VPN Server
  26.1 Conceptual Overview
    Terminology • VPN Scenarios
  26.2 Setting Up a Simple Test Scenario
    Configuring the VPN Server • Configuring the VPN Clients • Testing the VPN Example Scenario
  26.3 Setting Up Your VPN