Security Guide openSUSE Leap 42.2 Security Guide openSUSE Leap 42.2 Introduces basic concepts of system security, covering both local and network secu- rity aspects. Shows how to use the product inherent security software like AppAr- mor or the auditing system that reliably collects information about any security-rel- evant events. Publication Date: November 05, 2018 SUSE LLC 10 Canal Park Drive Suite 200 Cambridge MA 02141 USA https://www.suse.com/documentation Copyright © 2006– 2018 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Docu- mentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see http://www.suse.com/company/legal/ . All other third-party trademarks are the prop- erty of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xv 1 Security and Confidentiality 1 1.1 Local Security and Network Security 1 Local Security 3 • Network Security 6 1.2 Some General Security Tips and Tricks 10 1.3 Using the Central Security Reporting Address 12 I AUTHENTICATION 13 2 Authentication with PAM 14 2.1 What is PAM? 14 2.2 Structure of a PAM Configuration File 15 2.3 The PAM Configuration of sshd 17 2.4 Configuration of PAM Modules 20 pam_env.conf 20 • pam_mount.conf.xml 21 • limits.conf 21 2.5 Configuring PAM Using pam-config 21 2.6 Manually Configuring PAM 22 2.7 For More Information 23 3 Using NIS 24 3.1 Configuring NIS Servers 24 Configuring a NIS Master Server 25 • Configuring a NIS Slave Server 29 3.2 Configuring NIS Clients 30 iii Security Guide 4 Setting Up Authentication Servers and Clients Using YaST 32 4.1 Configuring an Authentication Server with YaST 32 Initial Configuration of an Authentication Server 32 • Editing an Authentication Server Configuration with YaST 36 • Editing LDAP Users and Groups 41 4.2 Configuring an Authentication Client with YaST (SSSD) 41 5 LDAP—A Directory Service 47 5.1 LDAP versus NIS 48 5.2 Structure of an LDAP Directory Tree 48 5.3 Configuring LDAP Users and Groups in YaST 51 5.4 Manually Configuring an LDAP Server 52 5.5 Manually Administering LDAP Data 53 Inserting Data into an LDAP Directory 53 • Modifying Data in the LDAP Directory 55 • Searching or Reading Data from an LDAP Directory 56 • Deleting Data from an LDAP Directory 56 5.6 For More Information 56 6 Active Directory Support 58 6.1 Integrating Linux and Active Directory Environments 58 6.2 Background Information for Linux Active Directory Support 59 Domain Join 62 • Domain Login and User Homes 62 • Offline Service and Policy Support 64 6.3 Configuring a Linux Client for Active Directory 64 Choosing Which YaST Module to Use for Connecting to Active Directory 65 • Joining Active Directory Using User Logon Management 66 • Joining Active Directory Using Windows Domain Membership 70 • Checking Active Directory Connection Status 72 6.4 Logging In to an Active Directory Domain 73 GDM 73 • Console Login 73 iv Security Guide 6.5 Changing Passwords 74 7 Network Authentication with Kerberos 76 7.1 Kerberos Terminology 76 7.2 How Kerberos Works 78 First Contact 78 • Requesting a Service 79 • Mutual Authentication 79 • Ticket Granting—Contacting All Servers 79 • Compatibility to Windows 2000 80 7.3 Users' View of Kerberos 81 7.4 Installing and Administering Kerberos 82 Kerberos Network Topology 83 • Choosing the Kerberos Realms 84 • Setting Up the KDC Hardware 84 • Configuring Time Synchronization 85 • Configuring the KDC 86 • Configuring Kerberos Clients 89 • Configuring Remote Kerberos Administration 92 • Creating Kerberos Service Principals 93 • Enabling PAM Support for Kerberos 95 • Configuring SSH for Kerberos Authentication 95 • Using LDAP and Kerberos 96 7.5 For More Information 99 II LOCAL SECURITY 100 8 Configuring Security Settings with YaST 101 8.1 Security Overview 101 8.2 Predefined Security Configurations 102 8.3 Password Settings 103 8.4 Boot Settings 103 8.5 Login Settings 104 8.6 User Addition 104 8.7 Miscellaneous Settings 104 v Security Guide 9 Authorization with PolKit 106 9.1 Conceptual Overview 106 Available Authentication Agents 106 • Structure of PolKit 106 • Available Commands 107 • Available Policies and Supported Applications 107 9.2 Authorization Types 109 Implicit Privileges 109 • Explicit Privileges 110 • Default Privileges 110 9.3 Querying Privileges 110 9.4 Modifying Configuration Files 111 Adding Action Rules 111 • Adding Authorization Rules 113 • Modifying Configuration Files for Implicit Privileges 113 9.5 Restoring the Default Privileges 114 10 Access Control Lists in Linux 116 10.1 Traditional File Permissions 116 The setuid Bit 116 • The setgid Bit 117 • The Sticky Bit 117 10.2 Advantages of ACLs 117 10.3 Definitions 118 10.4 Handling ACLs 119 ACL Entries and File Mode Permission Bits 120 • A Directory with an ACL 121 • A Directory with a Default ACL 123 • The ACL Check Algorithm 126 10.5 ACL Support in Applications 127 10.6 For More Information 127 11 Encrypting Partitions and Files 128 11.1 Setting Up an Encrypted File System with YaST 129 Creating an Encrypted Partition during Installation 129 • Creating an Encrypted Partition on a Running System 130 • Creating an Encrypted File as a Container 131 • Encrypting the Content of Removable Media 131 11.2 Using Encrypted Home Directories 132 vi Security Guide 11.3 Using vi to Encrypt Single ASCII Text Files 133 12 Certificate Store 134 12.1 Activating Certificate Store 134 12.2 Importing Certificates 134 13 Intrusion Detection with AIDE 136 13.1 Why Using AIDE? 136 13.2 Setting Up an AIDE Database 136 13.3 Local AIDE Checks 139 13.4 System Independent Checking 140 13.5 For More Information 141 III NETWORK SECURITY 142 14 SSH: Secure Network Operations 143 14.1 ssh—Secure Shell 143 Starting X Applications on a Remote Host 144 • Agent Forwarding 144 14.2 scp—Secure Copy 144 14.3 sftp—Secure File Transfer 145 Using sftp 145 • Setting Permissions for File Uploads 146 14.4 The SSH Daemon (sshd) 147 Maintaining SSH Keys 147 • Rotating Host Keys 148 14.5 SSH Authentication Mechanisms 149 Generating an SSH Key 150 • Copying an SSH Key 150 • Using the ssh- agent 150 14.6 Port Forwarding 152 14.7 For More Information 152 vii Security Guide 15 Masquerading and Firewalls 154 15.1 Packet Filtering with iptables 154 15.2 Masquerading Basics 157 15.3 Firewalling Basics 158 15.4 SuSEFirewall2 159 Configuring the Firewall with YaST 160 • Configuring Manually 163 15.5 For More Information 166 16 Configuring a VPN Server 167 16.1 Conceptual Overview 167 Terminology 167 • VPN Scenarios 168 16.2 Setting Up a Simple Test Scenario 171 Configuring the VPN Server 172 • Configuring the VPN Clients 173 • Testing the VPN Example Scenario 174 16.3 Setting Up Your VPN Server Using a Certificate Authority 174 Creating Certificates 175 • Configuring the VPN Server 178 • Configuring the VPN Clients 180 16.4 Setting Up a VPN Server or Client Using YaST 181 16.5 For More Information 182 17 Managing X.509 Certification 184 17.1 The Principles of Digital Certification 184 Key Authenticity 185 • X.509 Certificates 185 • Blocking X.509 Certificates 186 • Repository for Certificates and CRLs 187 • Proprietary PKI 188 17.2 YaST Modules for CA Management 188 Creating a Root CA 188 • Changing Password 190 • Creating or Revoking a Sub-CA 191 • Creating or Revoking User Certificates 193 • Changing Default Values 194 • Creating Certificate Revocation Lists (CRLs) 195 • Exporting CA Objects to LDAP 196 • Exporting CA Objects as a File 197 • Importing Common Server Certificates 198 viii Security Guide IV CONFINING PRIVILEGES WITH APPARMOR 199 18 Introducing AppArmor 200 18.1 AppArmor Components 200 18.2 Background Information on AppArmor Profiling 201 19 Getting Started 202 19.1 Installing AppArmor 202 19.2 Enabling and Disabling AppArmor 203 19.3 Choosing Applications to Profile 204 19.4 Building and Modifying Profiles 204 19.5 Updating Your Profiles 206 20 Immunizing Programs 207 20.1 Introducing the AppArmor Framework 208 20.2 Determining Programs to Immunize 210 20.3 Immunizing cron Jobs 211 20.4 Immunizing Network Applications 211 Immunizing Web Applications 213 • Immunizing Network Agents 215 21 Profile Components and Syntax 216 21.1 Breaking an AppArmor Profile into Its Parts 217 21.2 Profile Types 219 Standard Profiles 219 • Unattached Profiles 220 • Local Profiles 220 • Hats 221 • Change rules 221 21.3 Include Statements 222 Abstractions 224 • Program Chunks 224 • Tunables 224 21.4 Capability Entries (POSIX.1e) 224 21.5 Network Access Control 225 ix Security Guide 21.6 Profile Names, Flags, Paths, and Globbing 226 Profile Flags 227 • Using Variables in Profiles 228 • Pattern Matching 229 • Namespaces 230 • Profile Naming and Attachment Specification 230 • Alias Rules 231 21.7 File Permission Access Modes 231 Read Mode (r) 232 • Write Mode (w) 232 • Append Mode (a) 232 • File Locking Mode (k) 232 • Link Mode (l) 233 • Link Pair 233 • Optional allow and file Rules 233 • Owner Conditional Rules 234 • Deny Rules
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages411 Page
-
File Size-