openSUSE

Security Guide

Legal Notice

Contents

About This Guide
1. Verfügbare Dokumentation
2. Rückmeldungen
3. Konventionen in der Dokumentation
4. Informationen über die Herstellung dieses Handbuchs
5. Quellcode
6. Danksagung
1. Security and Confidentiality
1.1. Local Security and Network Security
1.2. Some General Security Tips and Tricks
1.3. Using the Central Security Reporting Address
I. Authentication
2. Authentication with PAM
2.1. What is PAM?
2.2. Structure of a PAM Configuration File
2.3. The PAM Configuration of sshd
2.4. Configuration of PAM Modules
2.5. Configuring PAM Using pam-config
2.6. For More Information
3. Using NIS
3.1. Configuring NIS Servers
3.2. Configuring NIS Clients
4. LDAP—A Directory Service
4.1. LDAP versus NIS
4.2. Structure of an LDAP Directory Tree
4.3. Configuring an LDAP Server with YaST
4.4. Configuring an LDAP Client with YaST
4.5. Configuring LDAP Users and Groups in YaST
4.6. Browsing the LDAP Directory Tree
4.7. Manually Configuring an LDAP Server
4.8. Manually Administering LDAP Data
4.9. For More Information
5. Active Directory Support
5.1. Integrating Linux and AD Environments
5.2. Background Information for Linux AD Support
5.3. Configuring a Linux Client for Active Directory
5.4. Logging In to an AD Domain
5.5. Changing Passwords
6. Network Authentication with Kerberos
6.1. Kerberos Terminology
6.2. How Kerberos Works
6.3. Users' View of Kerberos
6.4. For More Information
7. Using the Fingerprint Reader
7.1. Supported Applications and Actions
7.2. Managing Fingerprints with YaST
II. Local Security
8. Configuring Security Settings with YaST
8.1. Security Overview
8.2. Predefined Security Configurations
8.3. Password Settings
8.4. Boot Settings
8.5. Login Settings
8.6. User Addition
8.7. Miscellaneous Settings
9. PolicyKit
9.1. Available Policies and Supported Applications
9.2. Authorization Types
9.3. Modifying and Setting Privileges
10. Access Control Lists in Linux
10.1. Traditional File Permissions
10.2. Advantages of ACLs
10.3. Definitions
10.4. Handling ACLs
10.5. ACL Support in Applications
10.6. For More Information
11. Encrypting Partitions and Files
11.1. Setting Up an Encrypted File System with YaST
11.2. Using Encrypted Home Directories
11.3. Using vi to Encrypt Single ASCII Text Files
12. Intrusion Detection with AIDE
12.1. Why Using AIDE?
12.2. Setting Up an AIDE Database
12.3. Local AIDE Checks
12.4. System Independent Checking
12.5. For More Information
III. Network Security
13. SSH: Secure Network Operations
13.1. The OpenSSH Package
13.2. The ssh Program
13.3. Configuration Files
13.4. scp—Secure Copy
13.5. sftp—Secure File Transfer
13.6. The SSH Daemon (sshd)—Server-Side
13.7. Authentificate Without Entering Your Passphrase
13.8. SSH Authentication Mechanisms
13.9. X, Authentication, and Forwarding Mechanisms
13.10. For More Information
14. Masquerading and Firewalls
14.1. Packet Filtering with iptables
14.2. Masquerading Basics
14.3. Firewalling Basics
14.4. SuSEfirewall2
14.5. For More Information
15. Configuring VPN Server
15.1. Overview
15.2. Creating the Simplest VPN Example
15.3. Setting Up Your VPN Server Using Certificate Authority
15.4. KDE- and GNOME Applets For Clients
15.5. For More Information
16. Managing X.509 Certification
16.1. The Principles of Digital Certification
16.2. YaST Modules for CA Management
IV. Confining Privileges with Novell AppArmor
17. Introducing AppArmor
17.1. Background Information on AppArmor Profiling
18. Getting Started
18.1. Installing Novell AppArmor
18.2. Enabling and Disabling Novell AppArmor
18.3. Choosing the Applications to Profile
18.4. Building and Modifying Profiles
18.5. Configuring Novell AppArmor Event Notification and Reports
18.6. Updating Your Profiles
19. Immunizing Programs
19.1. Introducing the AppArmor Framework
19.2. Determining Programs to Immunize
19.3. Immunizing cron Jobs
19.4. Immunizing Network Applications
20. Profile Components and Syntax
20.1. Breaking a Novell AppArmor Profile into Its Parts
20.2. Profile Types
20.3. #include Statements
20.4. Capability Entries (POSIX.1e)
20.5. Network Access Control
20.6. Paths and Globbing
20.7. File Permission Access Modes
20.8. Execute Modes
20.9. Resource Limit Control
20.10. Auditing Rules
20.11. Setting Capabilities per Profile
21. AppArmor Profile Repositories
21.1. Using the Local Repository
21.2. Using the External Repository
22. Building and Managing Profiles with YaST
22.1. Adding a Profile Using the Wizard
22.2. Manually Adding a Profile
22.3. Editing Profiles
22.4. Deleting a Profile
22.5. Updating Profiles from Log Entries
22.6. Managing Novell AppArmor and Security Event Status
23. Building Profiles from the Command Line
23.1. Checking the AppArmor Module Status
23.2. Building AppArmor Profiles
23.3. Adding or Creating an AppArmor Profile
23.4. Editing an AppArmor Profile
23.5. Deleting an AppArmor Profile
23.6. Two Methods of Profiling
23.7. Important Filenames and Directories
24. Profiling Your Web Applications Using ChangeHat
24.1. Apache ChangeHat
24.2. Configuring Apache for mod_apparmor
25. Confining Users with pam_apparmor
26. Managing Profiled Applications
26.1. Monitoring Your Secured Applications
26.2. Configuring Security Event Notification
26.3. Configuring Reports
26.4. Configuring and Using the AppArmor Desktop Monitor Applet
26.5. Reacting to Security Event Rejections
26.6. Maintaining Your Security Profiles
27. Support
27.1. Updating Novell AppArmor Online
27.2. Using the Man Pages
27.3. For More Information
27.4. Troubleshooting
27.5. Reporting Bugs for AppArmor
28. AppArmor Glossary
V. The Linux Audit Framework
29. Understanding Linux Audit
29.1. Introducing the Components of Linux Audit
29.2. Configuring the Audit Daemon
29.3. Controlling the Audit System Using auditctl
29.4. Passing Parameters to the Audit System
29.5. Understanding the Audit Logs and Generating Reports
29.6. Querying the Audit Daemon Logs with ausearch
29.7. Analyzing Processes with autrace
29.8. Visualizing Audit Data
30. Setting Up the Linux Audit Framework
30.1. Determining the Components to Audit
30.2. Configuring the Audit Daemon
30.3. Enabling Audit for System Calls
30.4. Setting Up Audit Rules
30.5. Configuring Audit Reports
30.6. Configuring Log Visualization
31. Introducing an Audit Rule Set
31.1. Adding Basic Audit Configuration Parameters
31.2. Adding Watches on Audit Log Files and Configuration Files
31.3. Monitoring File System Objects
31.4. Monitoring Security Configuration Files and Databases
31.5. Monitoring Miscellaneous System Calls
31.6. Filtering System Call Arguments
31.7. Managing Audit Event Records Using Keys
32. Useful Resources
A. GNU-Lizenzen
A.1. GNU General Public License
A.2. GNU Free Documentation License

List of Figures

3.1. Master Server Setup
3.2. Setting Domain and Address of a NIS Server
4.1. Structure of an LDAP Directory
4.2. YaST LDAP Server Configuration
4.3. YaST LDAP Server—New Database
4.4. YaST LDAP Server Configuration
4.5. YaST LDAP Server Database Configuration
4.6. YaST: LDAP Client Configuration
4.7. YaST: Advanced Configuration
4.8. YaST: Module Configuration
4.9. YaST: Configuration of an Object Template
4.10. YaST: Additional LDAP Settings
4.11. Browsing the LDAP Directory Tree
4.12. Browsing the Entry Data
5.1. Active Directory Authentication Schema
5.2. Determining Windows Domain Membership
5.3. Providing Administrator Credentials
8.1. YaST Local Security - Security Overview
9.1. The Authorizations Tool
10.1. Minimum ACL: ACL Entries Compared to Permission Bits
10.2. Extended ACL: ACL Entries Compared to Permission Bits
14.1. iptables: A Packet's Possible Paths
14.2. The YaST Firewall Configuration
15.1. Routed VPN
15.2. Bridged VPN - Scenario 1
15.3. Bridged VPN - Scenario 2
15.4. Bridged VPN - Scenario 3
16.1. YaST CA Module—Basic Data for a Root CA
16.2. YaST CA Module—Using a CA
16.3. Certificates of a CA
16.4. YaST CA Module—Extended Settings
22.1. YaST Controls for AppArmor
22.2. Learning Mode Exception: Controlling Access to Specific Resources
22.3. Learning Mode Exception: Defining Execute Permissions for an Entry
29.1. Introducing the Components of Linux Audit
29.2. Flow Graph—Program versus System Call Relationship
29.3. Bar Chart—Common Event Types

List of Tables

2.1. Module Types
2.2. Control Flags
4.1. Commonly Used Object Classes and Attributes
10.1. ACL Entry Types
10.2. Masking Access Permissions
12.1. Important AIDE Checking Options
16.1. X.509v3 Certificate
16.2. X.509 Certificate Revocation List (CRL)
16.3. Passwords during LDAP Export
27.1. Man Pages: Sections and Categories
29.1. Audit Status Flags

List of Examples

2.1. Syntax of Configuration Files under /etc/pam.d/
2.2. PAM Configuration for sshd (/etc/pam.d/sshd)
2.3. Default Configuration for the auth Section
2.4. Default Configuration for the account Section
2.5. Default Configuration for the password Section
2.6. Default Configuration for the session Section
2.7. pam_env.conf
4.1. Excerpt from schema.core
4.2. Example for an LDIF File
4.3. ldapadd with example.ldif
4.4. LDIF Data for Tux
4.5. Modified LDIF File tux.ldif
9.1. An example /etc/PolicyKit/PolicyKit.conf file
15.1. VPN Server Configuration File
15.2. VPN Client Configuration File
18.1. Output of aa-unconfined
23.1. Learning Mode Exception: Controlling Access to Specific Resources
23.2. Learning Mode Exception: Defining Execute Permissions for an Entry
24.1. Example phpsysinfo Hat
29.1. Example output of auditctl -s
29.2. Example Audit Rules—Audit System Parameters
29.3. Example Audit Rules—File System Auditing
29.4. Example Audit Rules—System Call Auditing
29.5. Deleting Audit Rules and Events
29.6. Listing Rules with auditctl -l
29.7. A Simple Audit Event—Viewing the Audit Log
29.8. An Advanced Audit Event—Login via SSH