SUSE Linux Enterprise Server

Security Guide

12/15/2010

All content is copyright © 2006– 2010 Novell, Inc. All rights reserved.

Legal Notice

This manual is protected under Novell intellectual property rights. By reproducing, duplicating or distributing this manual you explicitly agree to conform to the terms and conditions of this license agreement.

This manual may be freely reproduced, duplicated and distributed either as such or as part of a bundled package in electronic and/or printed format, provided however that the following conditions are fulfilled:

That this copyright notice and the names of authors and contributors appear clearly and distinctively on all reproduced, duplicated and distributed copies. That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only. The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof.

For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell.com/company/legal/trademarks/tmlist.html. Linux* is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.


Contents

About This Guide
1. Available Documentation
2. Feedback
3. Documentation Conventions
1. Security and Confidentiality
1.1. Local Security and Network Security
1.2. Some General Security Tips and Tricks
1.3. Using the Central Security Reporting Address
I. Authentication
2. Authentication with PAM
2.1. What is PAM?
2.2. Structure of a PAM Configuration File
2.3. The PAM Configuration of sshd
2.4. Configuration of PAM Modules
2.5. Configuring PAM Using pam-config
2.6. For More Information
3. Using NIS
3.1. Configuring NIS Servers
3.2. Configuring NIS Clients
4. LDAP—A Directory Service
4.1. LDAP versus NIS
4.2. Structure of an LDAP Directory Tree
4.3. Configuring an LDAP Server with YaST
4.4. Configuring an LDAP Client with YaST
4.5. Configuring LDAP Users and Groups in YaST
4.6. Browsing the LDAP Directory Tree
4.7. Manually Configuring an LDAP Server
4.8. Manually Administering LDAP Data
4.9. For More Information
5. Active Directory Support
5.1. Integrating Linux and AD Environments
5.2. Background Information for Linux AD Support
5.3. Configuring a Linux Client for Active Directory
5.4. Logging In to an AD Domain
5.5. Changing Passwords
6. Network Authentication with Kerberos
6.1. Kerberos Terminology
6.2. How Kerberos Works
6.3. Users' View of Kerberos
6.4. Installing and Administering Kerberos
6.5. For More Information
7. Using the Fingerprint Reader
7.1. Supported Applications and Actions
7.2. Managing Fingerprints with YaST
II. Local Security
8. Configuring Security Settings with YaST
8.1. Security Overview
8.2. Predefined Security Configurations
8.3. Password Settings
8.4. Boot Settings
8.5. Login Settings
8.6. User Addition
8.7. Miscellaneous Settings
9. PolicyKit
9.1. Available Policies and Supported Applications
9.2. Authorization Types
9.3. Modifying and Setting Privileges
10. Access Control Lists in Linux
10.1. Traditional File Permissions
10.2. Advantages of ACLs
10.3. Definitions
10.4. Handling ACLs
10.5. ACL Support in Applications
10.6. For More Information
11. Encrypting Partitions and Files
11.1. Setting Up an Encrypted File System with YaST
11.2. Using Encrypted Home Directories
11.3. Using vi to Encrypt Single ASCII Text Files
12. Certificate Store
12.1. Activating Certificate Store
12.2. Importing Certificates
13. Intrusion Detection with AIDE
13.1. Why Using AIDE?
13.2. Setting Up an AIDE Database
13.3. Local AIDE Checks
13.4. System Independent Checking
13.5. For More Information
III. Network Security
14. SSH: Secure Network Operations
14.1. The OpenSSH Package
14.2. The ssh Program
14.3. scp—Secure Copy
14.4. sftp—Secure File Transfer
14.5. The SSH Daemon (sshd)—Server-Side
14.6. SSH Authentication Mechanisms
14.7. X, Authentication, and Forwarding Mechanisms
14.8. Configuring An SSH Daemon with YaST
15. Masquerading and Firewalls
15.1. Packet Filtering with iptables
15.2. Masquerading Basics
15.3. Firewalling Basics
15.4. SuSEfirewall2
15.5. For More Information
16. Configuring VPN Server
16.1. Overview
16.2. Creating the Simplest VPN Example
16.3. Setting Up Your VPN Server Using Certificate Authority
16.4. Changing Nameservers in VPN
16.5. KDE- and GNOME Applets For Clients
16.6. For More Information
17. Managing X.509 Certification
17.1. The Principles of Digital Certification
17.2. YaST Modules for CA Management
17.3. For More Information
IV. Confining Privileges with Novell AppArmor
18. Introducing AppArmor
18.1. Background Information on AppArmor Profiling
19. Getting Started
19.1. Installing Novell AppArmor
19.2. Enabling and Disabling Novell AppArmor
19.3. Choosing the Applications to Profile
19.4. Building and Modifying Profiles
19.5. Configuring Novell AppArmor Event Notification and Reports
19.6. Updating Your Profiles
20. Immunizing Programs
20.1. Introducing the AppArmor Framework
20.2. Determining Programs to Immunize
20.3. Immunizing cron Jobs
20.4. Immunizing Network Applications
21. Profile Components and Syntax
21.1. Breaking a Novell AppArmor Profile into Its Parts
21.2. Profile Types
21.3. #include Statements
21.4. Capability Entries (POSIX.1e)
21.5. Network Access Control
21.6. Paths and Globbing
21.7. File Permission Access Modes
21.8. Execute Modes
21.9. Resource Limit Control
21.10. Auditing Rules
21.11. Setting Capabilities per Profile
22. AppArmor Profile Repositories
22.1. Using the Local Repository
22.2. Using the External Repository
23. Building and Managing Profiles with YaST
23.1. Adding a Profile Using the Wizard
23.2. Manually Adding a Profile
23.3. Editing Profiles
23.4. Deleting a Profile
23.5. Updating Profiles from Log Entries
23.6. Managing Novell AppArmor and Security Event Status
24. Building Profiles from the Command Line
24.1. Checking the AppArmor Module Status
24.2. Building AppArmor Profiles
24.3. Adding or Creating an AppArmor Profile
24.4. Editing an AppArmor Profile
24.5. Deleting an AppArmor Profile
24.6. Two Methods of Profiling
24.7. Important Filenames and Directories
25. Profiling Your Web Applications Using ChangeHat
25.1. Apache ChangeHat
25.2. Configuring Apache for mod_apparmor
26. Confining Users with pam_apparmor
27. Managing Profiled Applications
27.1. Monitoring Your Secured Applications
27.2. Configuring Security Event Notification
27.3. Configuring Reports
27.4. Configuring and Using the AppArmor Desktop Monitor Applet
27.5. Reacting to Security Event Rejections
27.6. Maintaining Your Security Profiles
28. Support
28.1. Updating Novell AppArmor Online
28.2. Using the Man Pages
28.3. For More Information
28.4. Troubleshooting
28.5. Reporting Bugs for AppArmor
29. AppArmor Glossary
V. The Linux Audit Framework
30. Understanding Linux Audit
30.1. Introducing the Components of Linux Audit
30.2. Configuring the Audit Daemon
30.3. Controlling the Audit System Using auditctl
30.4. Passing Parameters to the Audit System
30.5. Understanding the Audit Logs and Generating Reports
30.6. Querying the Audit Daemon Logs with ausearch
30.7. Analyzing Processes with autrace
30.8. Visualizing Audit Data
30.9. Relaying Audit Event Notifications
31. Setting Up the Linux Audit Framework
31.1. Determining the Components to Audit
31.2. Configuring the Audit Daemon
31.3. Enabling Audit for System Calls
31.4. Setting Up Audit Rules
31.5. Configuring Audit Reports
31.6. Configuring Log Visualization
32. Introducing an Audit Rule Set
32.1. Adding Basic Audit Configuration Parameters
32.2. Adding Watches on Audit Log Files and Configuration Files
32.3. Monitoring File System Objects
32.4. Monitoring Security Configuration Files and Databases
32.5. Monitoring Miscellaneous System Calls
32.6. Filtering System Call Arguments
32.7. Managing Audit Event Records Using Keys
33. Useful Resources

List of Figures

3.1. NIS Server Setup
3.2. Master Server Setup
3.3. Changing the Directory and Synchronizing Files for a NIS Server
3.4. NIS Server Maps Setup
3.5. Setting Request Permissions for a NIS Server
3.6. Setting Domain and Address of a NIS Server
4.1. Structure of an LDAP Directory
4.2. YaST LDAP Server Configuration
4.3. YaST LDAP Server—New Database
4.4. YaST LDAP Server Configuration
4.5. YaST LDAP Server Database Configuration
4.6. YaST: LDAP Client Configuration
4.7. YaST: Advanced Configuration
4.8. YaST: Module Configuration
4.9. YaST: Configuration of an Object Template
4.10. YaST: Additional LDAP Settings
4.11. Browsing the LDAP Directory Tree
4.12. Browsing the Entry Data
5.1. Active Directory Authentication Schema
5.2. Determining Windows Domain Membership
5.3. Providing Administrator Credentials
6.1. Kerberos Network Topology
6.2. YaST: Basic Configuration of a Kerberos Client
6.3. YaST: Advanced Configuration of a Kerberos Client
8.1. YaST Local Security - Security Overview
9.1. The Authorizations Tool
10.1. Minimum ACL: ACL Entries Compared to Permission Bits
10.2. Extended ACL: ACL Entries Compared to Permission Bits
15.1. iptables: A Packet's Possible Paths
16.1. Routed VPN
16.2. Bridged VPN - Scenario 1
16.3. Bridged VPN - Scenario 2
16.4. Bridged VPN - Scenario 3
17.1. YaST CA Module—Basic Data for a Root CA
17.2. YaST CA Module—Using a CA
17.3. Certificates of a CA
17.4. YaST CA Module—Extended Settings
23.1. YaST Controls for AppArmor
23.2. Learning Mode Exception: Controlling Access to Specific Resources
23.3. Learning Mode Exception: Defining Execute Permissions for an Entry
30.1. Introducing the Components of Linux Audit
30.2. Flow Graph—Program versus System Call Relationship
30.3. Bar Chart—Common Event Types

List of Tables

4.1. Commonly Used Object Classes and Attributes
10.1. ACL Entry Types
10.2. Masking Access Permissions
13.1. Important AIDE Checking Options
17.1. X.509v3 Certificate
17.2. X.509 Certificate Revocation List (CRL)
17.3. Passwords during LDAP Export
28.1. Man Pages: Sections and Categories
30.1. Audit Status Flags

List of Examples

2.1. PAM Configuration for sshd (/etc/pam.d/sshd)
2.2. Default Configuration for the auth Section
2.3. Default Configuration for the account Section
2.4. Default Configuration for the password Section
2.5. Default Configuration for the session Section
2.6. pam_env.conf
4.1. Excerpt from schema.core
4.2. An LDIF File
4.3. ldapadd with example.ldif
4.4. LDIF Data for Tux
4.5. Modified LDIF File tux.ldif
9.1. An example /etc/PolicyKit/PolicyKit.conf file
16.1. VPN Server Configuration File
16.2. VPN Client Configuration File
19.1. Output of aa-unconfined
24.1. Learning Mode Exception: Controlling Access to Specific Resources
24.2. Learning Mode Exception: Defining Execute Permissions for an Entry
25.1. Example phpsysinfo Hat
30.1. Example output of auditctl -s
30.2. Example Audit Rules—Audit System Parameters
30.3. Example Audit Rules—File System Auditing
30.4. Example Audit Rules—System Call Auditing
30.5. Deleting Audit Rules and Events
30.6. Listing Rules with auditctl -l
30.7. A Simple Audit Event—Viewing the Audit Log
30.8. An Advanced Audit Event—Login via SSH
30.9. Example /etc/audisp/audispd.conf
30.10. Example /etc/audisp/plugins.d/syslog.conf