SUSE Linux Enterprise Desktop-Dokumentation › Security Guide
ContentsContents
Security Guide
  1. About This Guide
  2. 1 Security and Confidentiality
  3. I Authentication
    1. 2 Authentication with PAM
    2. 3 Using NIS
    3. 4 Authentication Server and Client
    4. 5 LDAP—A Directory Service
    5. 6 Active Directory Support
    6. 7 Network Authentication with Kerberos
  4. II Local Security
    1. 8 Configuring Security Settings with YaST
    2. 9 Authorization with PolKit
    3. 10 Access Control Lists in Linux
    4. 11 Encrypting Partitions and Files
    5. 12 Certificate Store
    6. 13 Intrusion Detection with AIDE
  5. III Network Security
    1. 14 SSH: Secure Network Operations
    2. 15 Masquerading and Firewalls
    3. 16 Configuring VPN Server
    4. 17 Managing X.509 Certification
  6. IV Confining Privileges with AppArmor
    1. 18 Introducing AppArmor
    2. 19 Getting Started
    3. 20 Immunizing Programs
    4. 21 Profile Components and Syntax
    5. 22 AppArmor Profile Repositories
    6. 23 Building and Managing Profiles with YaST
    7. 24 Building Profiles from the Command Line
    8. 25 Profiling Your Web Applications Using ChangeHat
    9. 26 Confining Users with pam_apparmor
    10. 27 Managing Profiled Applications
    11. 28 Support
    12. 29 AppArmor Glossary
  7. V SELinux
    1. 30 Configuring SELinux
  8. VI The Linux Audit Framework
    1. 31 Understanding Linux Audit
    2. 32 Setting Up the Linux Audit Framework
    3. 33 Introducing an Audit Rule Set
    4. 34 Useful Resources
  9. A Documentation Updates
  10. B GNU Licenses
Navigation
SUSE Linux Enterprise Desktop-Dokumentation › Security Guide
Top
SUSE Linux Enterprise Desktop 12

Security Guide

Introduces basic concepts of system security, covering both local and network security aspects. Shows how to make use of the product inherent security software like AppArmor or the auditing system that reliably collects information about any security-relevant events.

Publication date: Sep 30 2014
About This Guide
Verfügbare Dokumentation
Rückmeldungen
Konventionen in der Dokumentation
1 Security and Confidentiality
1.1 Local Security and Network Security
1.2 Some General Security Tips and Tricks
1.3 Using the Central Security Reporting Address
I Authentication
2 Authentication with PAM
2.1 What is PAM?
2.2 Structure of a PAM Configuration File
2.3 The PAM Configuration of sshd
2.4 Configuration of PAM Modules
2.5 Configuring PAM Using pam-config
2.6 Manually Configuring PAM
2.7 For More Information
3 Using NIS
3.1 Configuring NIS Servers
3.2 Configuring NIS Clients
4 Authentication Server and Client
4.1 Configuring an Authentication Server
4.2 Configuring an Authentication Client with YaST (SSSD)
5 LDAP—A Directory Service
5.1 LDAP versus NIS
5.2 Structure of an LDAP Directory Tree
5.3 Configuring LDAP Users and Groups in YaST
5.4 For More Information
6 Active Directory Support
6.1 Integrating Linux and AD Environments
6.2 Background Information for Linux AD Support
6.3 Configuring a Linux Client for Active Directory
6.4 Logging In to an AD Domain
6.5 Changing Passwords
7 Network Authentication with Kerberos
7.1 Kerberos Terminology
7.2 How Kerberos Works
7.3 Users' View of Kerberos
7.4 For More Information
II Local Security
8 Configuring Security Settings with YaST
8.1 Security Overview
8.2 Predefined Security Configurations
8.3 Password Settings
8.4 Boot Settings
8.5 Login Settings
8.6 User Addition
8.7 Miscellaneous Settings
9 Authorization with PolKit
9.1 Conceptual Overview
9.2 Authorization Types
9.3 Querying Privileges
9.4 Modifying Configuration Files
9.5 Restoring the Default Privileges
10 Access Control Lists in Linux
10.1 Traditional File Permissions
10.2 Advantages of ACLs
10.3 Definitions
10.4 Handling ACLs
10.5 ACL Support in Applications
10.6 For More Information
11 Encrypting Partitions and Files
11.1 Setting Up an Encrypted File System with YaST
11.2 Using Encrypted Home Directories
11.3 Using vi to Encrypt Single ASCII Text Files
12 Certificate Store
12.1 Activating Certificate Store
12.2 Importing Certificates
13 Intrusion Detection with AIDE
13.1 Why Using AIDE?
13.2 Setting Up an AIDE Database
13.3 Local AIDE Checks
13.4 System Independent Checking
13.5 For More Information
III Network Security
14 SSH: Secure Network Operations
14.1 ssh—Secure Shell
14.2 scp—Secure Copy
14.3 sftp—Secure File Transfer
14.4 The SSH Daemon (sshd)
14.5 SSH Authentication Mechanisms
14.6 Port Forwarding
14.7 Configuring An SSH Daemon with YaST
14.8 For More Information
15 Masquerading and Firewalls
15.1 Packet Filtering with iptables
15.2 Masquerading Basics
15.3 Firewalling Basics
15.4 SuSEFirewall2
15.5 For More Information
16 Configuring VPN Server
16.1 Conceptual Overview
16.2 Creating the Simplest VPN Example
16.3 Setting Up Your VPN Server Using Certificate Authority
16.4 Changing Name Servers in VPN
16.5 The GNOME Applet
16.6 For More Information
17 Managing X.509 Certification
17.1 The Principles of Digital Certification
17.2 YaST Modules for CA Management
17.3 For More Information
IV Confining Privileges with AppArmor
18 Introducing AppArmor
18.1 Background Information on AppArmor Profiling
19 Getting Started
19.1 Installing AppArmor
19.2 Enabling and Disabling AppArmor
19.3 Choosing Applications to Profile
19.4 Building and Modifying Profiles
19.5 Updating Your Profiles
20 Immunizing Programs
20.1 Introducing the AppArmor Framework
20.2 Determining Programs to Immunize
20.3 Immunizing cron Jobs
20.4 Immunizing Network Applications
21 Profile Components and Syntax
21.1 Breaking an AppArmor Profile into Its Parts
21.2 Profile Types
21.3 Include Statements
21.4 Capability Entries (POSIX.1e)
21.5 Network Access Control
21.6 Profile Names, Flags, Paths, and Globbing
21.7 File Permission Access Modes
21.8 Execute Modes
21.9 Resource Limit Control
21.10 Auditing Rules
22 AppArmor Profile Repositories
22.1 Using the Local Repository
23 Building and Managing Profiles with YaST
23.1 Manually Adding a Profile
23.2 Editing Profiles
23.3 Deleting a Profile
23.4 Managing AppArmor
24 Building Profiles from the Command Line
24.1 Checking the AppArmor Status
24.2 Building AppArmor Profiles
24.3 Adding or Creating an AppArmor Profile
24.4 Editing an AppArmor Profile
24.5 Deleting an AppArmor Profile
24.6 Two Methods of Profiling
24.7 Important File Names and Directories
25 Profiling Your Web Applications Using ChangeHat
25.1 Configuring Apache for mod_apparmor
25.2 Managing ChangeHat-Aware Applications
26 Confining Users with pam_apparmor
27 Managing Profiled Applications
27.1 Reacting to Security Event Rejections
27.2 Maintaining Your Security Profiles
28 Support
28.1 Updating AppArmor Online
28.2 Using the Man Pages
28.3 For More Information
28.4 Troubleshooting
28.5 Reporting Bugs for AppArmor
29 AppArmor Glossary
V SELinux
30 Configuring SELinux
30.1 Why Use SELinux?
30.2 Policy
30.3 Installing SELinux Packages and Modifying GRUB 2
30.4 Compiling a Policy
30.5 Configuring SELinux
30.6 Managing SELinux
30.7 Troubleshooting
30.8 Switching to Enforcing Mode
VI The Linux Audit Framework
31 Understanding Linux Audit
31.1 Introducing the Components of Linux Audit
31.2 Configuring the Audit Daemon
31.3 Controlling the Audit System Using auditctl
31.4 Passing Parameters to the Audit System
31.5 Understanding the Audit Logs and Generating Reports
31.6 Querying the Audit Daemon Logs with ausearch
31.7 Analyzing Processes with autrace
31.8 Visualizing Audit Data
31.9 Relaying Audit Event Notifications
32 Setting Up the Linux Audit Framework
32.1 Determining the Components to Audit
32.2 Configuring the Audit Daemon
32.3 Enabling Audit for System Calls
32.4 Setting Up Audit Rules
32.5 Configuring Audit Reports
32.6 Configuring Log Visualization
33 Introducing an Audit Rule Set
33.1 Adding Basic Audit Configuration Parameters
33.2 Adding Watches on Audit Log Files and Configuration Files
33.3 Monitoring File System Objects
33.4 Monitoring Security Configuration Files and Databases
33.5 Monitoring Miscellaneous System Calls
33.6 Filtering System Call Arguments
33.7 Managing Audit Event Records Using Keys
34 Useful Resources
A Documentation Updates
A.1 October 2014 (Initial Release of SUSE Linux Enterprise Desktop 12)
B GNU Licenses
B.1 GNU Free Documentation License
List of Figures
3.1 Setting Domain and Address of a NIS Server
4.1 Authentication Client Configuration
4.2 Authentication Client: Adding New Domain (LDAP and Kerberos)
5.1 Structure of an LDAP Directory
6.1 Active Directory Authentication Schema
6.2 Determining Windows Domain Membership
6.3 Providing Administrator Credentials
8.1 YaST Security Center and Hardening: Security Overview
10.1 Minimum ACL: ACL Entries Compared to Permission Bits
10.2 Extended ACL: ACL Entries Compared to Permission Bits
15.1 iptables: A Packet's Possible Paths
16.1 Routed VPN
16.2 Bridged VPN - Scenario 1
16.3 Bridged VPN - Scenario 2
16.4 Bridged VPN - Scenario 3
17.1 YaST CA Module—Basic Data for a Root CA
17.2 YaST CA Module—Using a CA
17.3 Certificates of a CA
17.4 YaST CA Module—Extended Settings
24.1 aa-notify Message in GNOME
25.1 Adminer login page
30.1 Selecting all SELinux Packages in YaST
30.2 Downloading a Policy Package From the openSUSE Download Site
31.1 Introducing the Components of Linux Audit
31.2 Flow Graph—Program versus System Call Relationship
31.3 Bar Chart—Common Event Types
List of Tables
5.1 Commonly Used Object Classes and Attributes
10.1 ACL Entry Types
10.2 Masking Access Permissions
13.1 Important AIDE Check Boxes
14.1
17.1 X.509v3 Certificate
17.2 X.509 Certificate Revocation List (CRL)
17.3 Passwords during LDAP Export
28.1 Man Pages: Sections and Categories
31.1 Audit Status Flags
List of Examples
2.1 PAM Configuration for sshd (/etc/pam.d/sshd)
2.2 Default Configuration for the auth Section (common-auth)
2.3 Default Configuration for the account Section (common-account)
2.4 Default Configuration for the password Section (common-password)
2.5 Default Configuration for the session Section (common-session)
2.6 pam_env.conf
5.1 Excerpt from schema.core
16.1 VPN Server Configuration File
16.2 VPN Client Configuration File
19.1 Output of aa-unconfined
24.1 Learning Mode Exception: Controlling Access to Specific Resources
24.2 Learning Mode Exception: Defining Permissions for an Entry
30.1 Security Context Settings Using ls -Z
30.2 Verifying that SELinux is functional
30.3 Getting a List of Booleans and Verifying Policy Access
30.4 Getting File Context Information
30.5 The default context for directories in the root directory
30.6 Showing SELinux settings for processes
30.7 Viewing Default File Contexts
30.8 The First 20 Lines of apache.fc
30.9 Example Lines from /etc/audit/audit.log
30.10 Analyzing Audit Messages
30.11 Viewing Which Lines Deny Access
30.12 Creating a Policy Module Allowing an Action Previously Denied
30.13 Messages That Appear Before the System Stops
31.1 Example output of auditctl -s
31.2 Example Audit Rules—Audit System Parameters
31.3 Example Audit Rules—File System Auditing
31.4 Example Audit Rules—System Call Auditing
31.5 Deleting Audit Rules and Events
31.6 Listing Rules with auditctl -l
31.7 A Simple Audit Event—Viewing the Audit Log
31.8 An Advanced Audit Event—Login via SSH
31.9 Example /etc/audisp/audispd.conf
31.10 Example /etc/audisp/plugins.d/syslog.conf

Copyright © 2006–2017 SUSE LLC und Mitwirkende. Alle Rechte vorbehalten.

Es wird die Genehmigung erteilt, dieses Dokument unter den Bedingungen der GNU Free Documentation License, Version 1.2 oder (optional) Version 1.3 zu vervielfältigen, zu verbreiten und/oder zu verändern; die unveränderlichen Abschnitte hierbei sind der Urheberrechtshinweis und die Lizenzbedingungen. Eine Kopie dieser Lizenz (Version 1.2) finden Sie im Abschnitt GNU Free Documentation License.

Informationen zu SUSE- und Novell-Marken finden Sie in der Liste der Marken und Dienstleistungsmarken von Novell unter http://www.novell.com/company/legal/trademarks/tmlist.html. Alle anderen Drittanbieter-Marken sind das Eigentum der jeweiligen Inhaber. Ein Markensymbol (®, ™ usw.) kennzeichnet eine SUSE- oder Novell-Marke. Ein Sternchen (*) kennzeichnet eine Drittanbietermarke.

Alle Informationen in diesem Buch wurden mit größter Sorgfalt zusammengestellt. Doch auch dadurch kann hundertprozentige Richtigkeit nicht gewährleistet werden. Weder SUSE LLC noch ihre Tochtergesellschaften noch die Autoren noch die Übersetzer können für mögliche Fehler und deren Folgen haftbar gemacht werden.

About This Guide
Print this page

© 2017 SUSE