
SUSE Linux Enterprise Server 11 SP1

Security Guide

www.novell.com

May 11, 2010


All content is copyright © 2006–2010 Novell, Inc. All rights reserved.

Legal Notice

This manual is protected under Novell intellectual property rights. By reproducing, duplicating or distributing this manual you explicitly agree to conform to the terms and conditions of this license agreement.

This manual may be freely reproduced, duplicated and distributed either as such or as part of a bundled package in electronic and/or printed format, provided however that the following conditions are fulfilled:

That this copyright notice and the names of authors and contributors appear clearly and distinctively on all reproduced, duplicated and distributed copies.

That this manual, specifically for the printed format, is reproduced and/or distributed for noncommercial use only.

The express authorization of Novell, Inc. must be obtained prior to any other use of any manual or part thereof.

For Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html. * Linux is a registered trademark of Linus Torvalds. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither Novell, Inc., SUSE LINUX Products GmbH, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.

Contents

About This Guide ... xi

1 Security and Confidentiality ... 1
1.1 Local Security and Network Security ... 2
1.2 Some General Security Tips and Tricks ... 10
1.3 Using the Central Security Reporting Address ... 13

Part I Authentication ... 15

2 Authentication with PAM ... 17
2.1 What is PAM? ... 17
2.2 Structure of a PAM Configuration File ... 18
2.3 The PAM Configuration of sshd ... 21
2.4 Configuration of PAM Modules ... 23
2.5 Configuring PAM Using pam-config ... 25
2.6 For More Information ... 26

3 Using NIS ... 29
3.1 Configuring NIS Servers ... 29
3.2 Configuring NIS Clients ... 35

4 LDAP—A Directory Service ... 37
4.1 LDAP versus NIS ... 38
4.2 Structure of an LDAP Directory Tree ... 39
4.3 Configuring an LDAP Server with YaST ... 42
4.4 Configuring an LDAP Client with YaST ... 51
4.5 Configuring LDAP Users and Groups in YaST ... 59
4.6 Browsing the LDAP Directory Tree ... 61
4.7 Manually Configuring an LDAP Server ... 62
4.8 Manually Administering LDAP Data ... 63
4.9 For More Information ... 67

5 Active Directory Support ... 69
5.1 Integrating Linux and AD Environments ... 69
5.2 Background Information for Linux AD Support ... 70
5.3 Configuring a Linux Client for Active Directory ... 76
5.4 Logging In to an AD Domain ... 79
5.5 Changing Passwords ... 81

6 Network Authentication with Kerberos ... 83
6.1 Kerberos Terminology ... 84
6.2 How Kerberos Works ... 85
6.3 Users' View of Kerberos ... 88
6.4 Installing and Administering Kerberos ... 89
6.5 For More Information ... 110

7 Using the Fingerprint Reader ... 111
7.1 Supported Applications and Actions ... 111
7.2 Managing Fingerprints with YaST ... 112

Part II Local Security ... 115

8 Configuring Security Settings with YaST ... 117
8.1 Security Overview ... 117
8.2 Predefined Security Configurations ... 118
8.3 Password Settings ... 119
8.4 Boot Settings ... 120
8.5 Login Settings ... 120
8.6 User Addition ... 121
8.7 Miscellaneous Settings ... 121

9 PolicyKit ... 123
9.1 Available Policies and Supported Applications ... 123
9.2 Authorization Types ... 124
9.3 Modifying and Setting Privileges ... 126

10 Access Control Lists in Linux ... 135
10.1 Traditional File Permissions ... 135
10.2 Advantages of ACLs ... 137
10.3 Definitions ... 137
10.4 Handling ACLs ... 138
10.5 ACL Support in Applications ... 146
10.6 For More Information ... 147

11 Encrypting Partitions and Files ... 149
11.1 Setting Up an Encrypted File System with YaST ... 150
11.2 Using Encrypted Home Directories ... 153
11.3 Using vi to Encrypt Single ASCII Text Files ... 154

12 Certificate Store ... 155
12.1 Activating Certificate Store ... 155
12.2 Importing Certificates ... 156

13 Intrusion Detection with AIDE ... 157
13.1 Why Using AIDE? ... 157
13.2 Setting Up an AIDE Database ... 158
13.3 Local AIDE Checks ... 160
13.4 System Independent Checking ... 161
13.5 For More Information ... 163

Part III Network Security ... 165

14 SSH: Secure Network Operations ... 167
14.1 The OpenSSH Package ... 167
14.2 The ssh Program ... 168
14.3 scp—Secure Copy ... 168
14.4 sftp—Secure File Transfer ... 169
14.5 The SSH Daemon (sshd)—Server-Side ... 169
14.6 SSH Authentication Mechanisms ... 170
14.7 X, Authentication, and Forwarding Mechanisms ... 172
14.8 Configuring An SSH Daemon with YaST ... 173

15 Masquerading and Firewalls ... 175
15.1 Packet Filtering with iptables ... 175
15.2 Masquerading Basics ... 178
15.3 Firewalling Basics ... 179
15.4 SuSEfirewall2 ... 180
15.5 For More Information ... 185

16 Configuring VPN Server ... 187
16.1 Overview ... 187
16.2 Creating the Simplest VPN Example ... 191
16.3 Setting Up Your VPN Server Using Certificate Authority ... 193
16.4 Changing Nameservers in VPN ... 199
16.5 KDE- and GNOME Applets For Clients ... 200
16.6 For More Information ... 202

17 Managing X.509 Certification ... 203
17.1 The Principles of Digital Certification ... 203
17.2 YaST Modules for CA Management ... 207
17.3 For More Information ... 219

Part IV Confining Privileges with Novell AppArmor ... 221

18 Introducing AppArmor ... 223
18.1 Background Information on AppArmor Profiling ... 224

19 Getting Started ... 225
19.1 Installing Novell AppArmor ... 226
19.2 Enabling and Disabling Novell AppArmor ... 226
19.3 Choosing the Applications to Profile ... 227
19.4 Building and Modifying Profiles ... 228
19.5 Configuring Novell AppArmor Event Notification and Reports ... 230
19.6 Updating Your Profiles ... 232

20 Immunizing Programs ... 233
20.1 Introducing the AppArmor Framework ... 234
20.2 Determining Programs to Immunize ... 236
20.3 Immunizing cron Jobs ... 237
20.4 Immunizing Network Applications ... 238

21 Profile Components and Syntax ... 243
21.2 Profile Types ... 247
21.3 #include Statements ... 250
21.4 Capability Entries (POSIX.1e) ... 251
21.5 Network Access Control ... 251
21.6 Paths and Globbing ... 252
21.7 File Permission Access Modes ... 255
21.8 Execute Modes ... 258
21.9 Resource Limit Control ... 263
21.10 Auditing Rules ... 264
21.11 Setting Capabilities per Profile ... 265

22 AppArmor Profile Repositories ... 267
22.1 Using the Local Repository ... 267
22.2 Using the External Repository ... 268

23 Building and Managing Profiles with YaST ... 271
23.1 Adding a Profile Using the Wizard ... 273
23.2 Manually Adding a Profile ... 281
23.3 Editing Profiles ... 281
23.4 Deleting a Profile ... 287
23.5 Updating Profiles from Log Entries ... 287
23.6 Managing Novell AppArmor and Security Event Status ... 288

24 Building Profiles from the Command Line ... 291
24.1 Checking the AppArmor Module Status ... 291
24.2 Building AppArmor Profiles ... 293
24.3 Adding or Creating an AppArmor Profile ... 294
24.4 Editing an AppArmor Profile ... 294
24.5 Deleting an AppArmor Profile ...