Security and Hardening Guide Security and Hardening Guide SUSE Linux Enterprise Server 15 SP1

Security and Hardening Guide Security and Hardening Guide SUSE Linux Enterprise Server 15 SP1

SUSE Linux Enterprise Server 15 SP1 Security and Hardening Guide Security and Hardening Guide SUSE Linux Enterprise Server 15 SP1 Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xviii 1 Available Documentation xviii 2 Giving Feedback xx 3 Documentation Conventions xxi 4 Product Life Cycle and Support xxii Support Statement for SUSE Linux Enterprise Server xxiii • Technology Previews xxiv 1 Security and Confidentiality 1 1.1 Overview 1 1.2 Passwords 2 1.3 Backups 2 1.4 System Integrity 3 1.5 File Access 4 1.6 Networking 4 1.7 Software Vulnerabilities 5 1.8 Malware 6 1.9 Important Security Tips 7 1.10 Reporting Security Issues 7 2 Common Criteria 8 2.1 Introduction 8 2.2 Evaluation Assurance Level (EAL) 8 2.3 Generic Guiding Principles 9 iii Security and Hardening Guide 2.4 For More Information 11 I AUTHENTICATION 13 3 Authentication with PAM 14 3.1 What is PAM? 14 3.2 Structure of a PAM Configuration File 15 3.3 The PAM Configuration of sshd 17 3.4 Configuration of PAM Modules 20 pam_env.conf 20 • pam_mount.conf.xml 21 • limits.conf 21 3.5 Configuring PAM Using pam-config 22 3.6 Manually Configuring PAM 23 3.7 For More Information 23 4 Using NIS 25 4.1 Configuring NIS Servers 25 Configuring a NIS Master Server 25 • Configuring a NIS Slave Server 30 4.2 Configuring NIS Clients 31 5 Setting Up Authentication Clients Using YaST 33 5.1 Configuring an Authentication Client with YaST 33 5.2 SSSD 33 Checking the Status 34 • Caching 34 6 LDAP—A Directory Service 35 6.1 Structure of an LDAP Directory Tree 35 6.2 Installing the Software for 389 Directory Server 38 6.3 Manually Configuring a 389 Directory Server 38 Creating the 389 Directory Server Instance 39 • Using CA Certificates for TLS 40 • Configuring Admin Credentials for Remote/Local iv Security and Hardening Guide Access 41 • Configuring LDAP Users and Groups 42 • Setting Up SSSD 44 6.4 Setting Up a 389 Directory Server with YaST 46 Creating an 389 Directory Server Instance with YaST 46 • Configuring an LDAP Client with YaST 47 6.5 Manually Administering LDAP Data 50 6.6 For More Information 50 7 Network Authentication with Kerberos 51 7.1 Conceptual Overview 51 7.2 Kerberos Terminology 51 7.3 How Kerberos Works 53 First Contact 53 • Requesting a Service 54 • Mutual Authentication 55 • Ticket Granting—Contacting All Servers 55 7.4 User View of Kerberos 56 7.5 Installing and Administering Kerberos 57 Kerberos Network Topology 58 • Choosing the Kerberos Realms 59 • Setting Up the KDC Hardware 59 • Configuring Time Synchronization 60 • Configuring the KDC 61 • Configuring Kerberos Clients 65 • Configuring Remote Kerberos Administration 67 • Creating Kerberos Service Principals 69 • Enabling PAM Support for Kerberos 71 • Configuring SSH for Kerberos Authentication 71 • Using LDAP and Kerberos 72 7.6 Setting up Kerberos using LDAP and Kerberos Client 75 7.7 Kerberos and NFS 79 Group Membership 80 • Performance and Scalability 81 • Master KDC, Multiple Domains, and Trust Relationships 82 7.8 For More Information 83 8 Active Directory Support 84 8.1 Integrating Linux and Active Directory Environments 84 v Security and Hardening Guide 8.2 Background Information for Linux Active Directory Support 85 Domain Join 87 • Domain Login and User Homes 88 • Offline Service and Policy Support 89 8.3 Configuring a Linux Client for Active Directory 90 Choosing Which YaST Module to Use for Connecting to Active Directory 91 • Joining Active Directory Using User Logon Management 92 • Joining Active Directory Using Windows Domain Membership 96 • Checking Active Directory Connection Status 99 8.4 Logging In to an Active Directory Domain 99 GDM 99 • Console Login 100 8.5 Changing Passwords 100 9 Setting Up a FreeRADIUS Server 102 9.1 Installation and Testing on SUSE Linux Enterprise 102 II LOCAL SECURITY 105 10 Physical Security 106 10.1 System Locks 106 10.2 Locking Down the BIOS 107 10.3 Security via the Boot Loaders 108 10.4 Retiring Linux Servers with Sensitive Data 108 scrub: Disk Overwrite Utility 109 10.5 Restricting Access to Removable Media 110 11 Automatic Security Checks with seccheck 112 11.1 Seccheck Timers 112 11.2 Enabling Seccheck Timers 112 11.3 Daily, Weekly, and Monthly Checks 113 11.4 Automatic Logout 115 vi Security and Hardening Guide 12 Software Management 116 12.1 Removing Unnecessary Software Packages (RPMs) 116 12.2 Patching Linux Systems 118 YaST Online Update 119 • Automatic Online Update 119 • Repository Mirroring Tool—RMT 119 • SUSE Manager 120 13 File Management 122 13.1 Disk Partitions 122 13.2 Checking File Permissions and Ownership 123 13.3 Default umask 123 13.4 SUID/SGID Files 124 13.5 World-Writable Files 125 13.6 Orphaned or Unowned Files 126 14 Encrypting Partitions and Files 127 14.1 Setting Up an Encrypted File System with YaST 127 Creating an Encrypted Partition during Installation 128 • Creating an Encrypted Partition on a Running System 129 • Encrypting the Content of Removable Media 129 14.2 Encrypting Files with GPG 130 15 User Management 131 15.1 Various Account Checks 131 Unlocked Accounts 131 • Unused Accounts 131 15.2 Enabling Password Aging 132 15.3 Stronger Password Enforcement 134 15.4 Password and Login Management with PAM 134 Password Strength 135 • Restricting Use of Previous Passwords 136 • Locking User Accounts After Too Many Login Failures 137 vii Security and Hardening Guide 15.5 Restricting root Logins 138 Restricting Local Text Console Logins 138 • Restricting Graphical Session Logins 140 • Restricting SSH Logins 140 15.6 Setting an Inactivity Timeout for Interactive Shell Sessions 141 15.7 Preventing Accidental Denial of Service 143 Example for Restricting System Resources 143 15.8 Displaying Login Banners 146 15.9 Connection Accounting Utilities 147 16 Spectre/Meltdown Checker 148 16.1 Using spectre-meltdown-checker 148 16.2 Additional Information about Spectre/Meltdown 150 17 Configuring Security Settings with YaST 151 17.1 Security Overview 151 17.2 Predefined Security Configurations 152 17.3 Password Settings 153 17.4 Boot Settings 154 17.5 Login Settings 154 17.6 User Addition 154 17.7 Miscellaneous Settings 154 18 Authorization with PolKit 156 18.1 Conceptual Overview 156 Available Authentication Agents 156 • Structure of PolKit 156 • Available Commands 157 • Available Policies and Supported Applications 157 18.2 Authorization Types 159 Implicit Privileges 159 • Explicit Privileges 159 • Default Privileges 160 18.3 Querying Privileges 160 viii Security and Hardening Guide 18.4 Modifying Configuration Files 161 Adding Action Rules 161 • Adding Authorization Rules 162 • Modifying Configuration Files for Implicit Privileges 163 18.5 Restoring the Default Privileges 164 19 Access Control Lists in Linux 166 19.1 Traditional File Permissions 166 The setuid Bit 167 • The setgid Bit 167 • The Sticky Bit 168 19.2 Advantages of ACLs 168 19.3 Definitions 168 19.4 Handling ACLs 169 ACL Entries and File Mode Permission Bits 170 • A Directory with an ACL 171 • A Directory with a Default ACL 174 • The ACL Check Algorithm 176 19.5 ACL Support in Applications 177 19.6 For More Information 177 20 Certificate Store 178 20.1 Activating Certificate Store 178 20.2 Importing Certificates 178 21 Intrusion Detection with AIDE 180 21.1 Why Use AIDE? 180 21.2 Setting Up an AIDE Database 180 21.3 Local AIDE Checks 183 21.4 System Independent Checking 185 21.5 For More Information 186 ix Security and Hardening Guide III NETWORK SECURITY 187 22 X Window System and X Authentication 188 23 SSH: Secure Network Operations 189 23.1 ssh—Secure Shell 189 Starting X Applications on a Remote Host 190 • Agent Forwarding 190 23.2 scp—Secure Copy 190 23.3 sftp—Secure File Transfer 191 Using sftp 191 • Setting Permissions for File Uploads 192 23.4 The SSH Daemon (sshd) 193 Maintaining SSH Keys 194 • Rotating Host Keys 194 23.5 SSH Authentication Mechanisms 195 Generating an SSH Key 196 • Copying an SSH Key 196 • Using the ssh- agent 197 23.6 Port Forwarding 198 23.7 Adding and Removing Public Keys on an Installed System 199 23.8 For More Information 199 24 Masquerading and Firewalls

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    473 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us