openSUSE 12.3

Security Guide

Date de publication 12/08/2013

Copyright © 2006–2013 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled « GNU Free Documentation License ».

For SUSE or Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell.com/company/legal/trademarks/tmlist.html. All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a SUSE or Novell trademark; an asterisk (*) denotes a third party trademark.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.


Table des matières

About This Guide
1. Documentation disponible
2. Remarques
3. Conventions de la documentation
4. À propos de la création de ce manuel
5. Code source
6. Remerciements
1. Security and Confidentiality
1.1. Local Security and Network Security
1.2. Some General Security Tips and Tricks
1.3. Using the Central Security Reporting Address
I. Authentication
2. Authentication with PAM
2.1. What is PAM?
2.2. Structure of a PAM Configuration File
2.3. The PAM Configuration of sshd
2.4. Configuration of PAM Modules
2.5. Configuring PAM Using pam-config
2.6. Manually Configuring PAM
2.7. For More Information
3. Using NIS
3.1. Configuring NIS Servers
3.2. Configuring NIS Clients
4. LDAP—A Directory Service
4.1. LDAP versus NIS
4.2. Structure of an LDAP Directory Tree
4.3. Configuring an LDAP Server with YaST
4.4. Configuring an LDAP Client with YaST
4.5. Configuring LDAP Users and Groups in YaST
4.6. Browsing the LDAP Directory Tree
4.7. Manually Configuring an LDAP Server
4.8. Manually Administering LDAP Data
4.9. For More Information
5. Active Directory Support
5.1. Integrating Linux and AD Environments
5.2. Background Information for Linux AD Support
5.3. Configuring a Linux Client for Active Directory
5.4. Logging In to an AD Domain
5.5. Changing Passwords
6. Network Authentication with Kerberos
6.1. Kerberos Terminology
6.2. How Kerberos Works
6.3. Users' View of Kerberos
6.4. Installing and Administering Kerberos
6.5. For More Information
7. Using the Fingerprint Reader
7.1. Supported Applications and Actions
7.2. Managing Fingerprints with YaST
II. Local Security
8. Configuring Security Settings with YaST
8.1. Security Overview
8.2. Predefined Security Configurations
8.3. Password Settings
8.4. Boot Settings
8.5. Login Settings
8.6. User Addition
8.7. Miscellaneous Settings
9. Access Control Lists in Linux
9.1. Traditional File Permissions
9.2. Advantages of ACLs
9.3. Definitions
9.4. Handling ACLs
9.5. ACL Support in Applications
9.6. For More Information
10. Encrypting Partitions and Files
10.1. Setting Up an Encrypted File System with YaST
10.2. Using Encrypted Home Directories
10.3. Using vi to Encrypt Single ASCII Text Files
11. Intrusion Detection with AIDE
11.1. Why Using AIDE?
11.2. Setting Up an AIDE Database
11.3. Local AIDE Checks
11.4. System Independent Checking
11.5. For More Information
III. Network Security
12. SSH: Secure Network Operations
12.1. ssh—Secure Shell
12.2. scp—Secure Copy
12.3. sftp—Secure File Transfer
12.4. The SSH Daemon (sshd)
12.5. SSH Authentication Mechanisms
12.6. Port Forwarding
12.7. Configuring An SSH Daemon with YaST
12.8. For More Information
13. Masquerading and Firewalls
13.1. Packet Filtering with iptables
13.2. Masquerading Basics
13.3. Firewalling Basics
13.4. SuSEfirewall2
13.5. For More Information
14. Configuring VPN Server
14.1. Conceptual Overview
14.2. Creating the Simplest VPN Example
14.3. Setting Up Your VPN Server Using Certificate Authority
14.4. Changing Nameservers in VPN
14.5. KDE- and GNOME Applets For Clients
14.6. For More Information
15. Managing X.509 Certification
15.1. The Principles of Digital Certification
15.2. YaST Modules for CA Management
15.3. For More Information
IV. Confining Privileges with AppArmor
16. Introducing AppArmor
16.1. Background Information on AppArmor Profiling
17. Getting Started
17.1. Installing AppArmor
17.2. Enabling and Disabling AppArmor
17.3. Choosing the Applications to Profile
17.4. Building and Modifying Profiles
17.5. Updating Your Profiles
18. Immunizing Programs
18.1. Introducing the AppArmor Framework
18.2. Determining Programs to Immunize
18.3. Immunizing cron Jobs
18.4. Immunizing Network Applications
19. Profile Components and Syntax
19.1. Breaking a AppArmor Profile into Its Parts
19.2. Profile Types
19.3. #include Statements
19.4. Capability Entries (POSIX.1e)
19.5. Network Access Control
19.6. Paths and Globbing
19.7. File Permission Access Modes
19.8. Execute Modes
19.9. Resource Limit Control
19.10. Auditing Rules
20. AppArmor Profile Repositories
20.1. Using the Local Repository
21. Building and Managing Profiles with YaST
21.1. Adding a Profile Using the Wizard
21.2. Manually Adding a Profile
21.3. Editing Profiles
21.4. Deleting a Profile
21.5. Updating Profiles from Log Entries
21.6. Managing AppArmor
22. Building Profiles from the Command Line
22.1. Checking the AppArmor Module Status
22.2. Building AppArmor Profiles
22.3. Adding or Creating an AppArmor Profile
22.4. Editing an AppArmor Profile
22.5. Deleting an AppArmor Profile
22.6. Two Methods of Profiling
22.7. Important Filenames and Directories
23. Profiling Your Web Applications Using ChangeHat
23.1. Apache ChangeHat
23.2. Configuring Apache for mod_apparmor
24. Confining Users with pam_apparmor
25. Managing Profiled Applications
26. Support
26.1. Updating AppArmor Online
26.2. Using the Man Pages
26.3. For More Information
26.4. Troubleshooting
26.5. Reporting Bugs for AppArmor
27. AppArmor Glossary
A. Licences GNU
A.1. GNU General Public License
A.2. GNU Free Documentation License

Liste des illustrations

3.1. NIS Server Setup
3.2. Master Server Setup
3.3. Changing the Directory and Synchronizing Files for a NIS Server
3.4. NIS Server Maps Setup
3.5. Setting Request Permissions for a NIS Server
3.6. Setting Domain and Address of a NIS Server
4.1. Structure of an LDAP Directory
4.2. YaST LDAP Server Configuration
4.3. YaST LDAP Server—New Database
4.4. YaST LDAP Server Configuration
4.5. YaST LDAP Server Database Configuration
4.6. YaST: LDAP Client Configuration
4.7. YaST: Advanced Configuration
4.8. YaST: Module Configuration
4.9. YaST: Configuration of an Object Template
4.10. YaST: Additional LDAP Settings
4.11. Browsing the LDAP Directory Tree
4.12. Browsing the Entry Data
5.1. Active Directory Authentication Schema
5.2. Determining Windows Domain Membership
5.3. Providing Administrator Credentials
6.1. Kerberos Network Topology
6.2. YaST: Basic Configuration of a Kerberos Client
6.3. YaST: Advanced Configuration of a Kerberos Client
8.1. YaST Security Center and Hardening - Security Overview
9.1. Minimum ACL: ACL Entries Compared to Permission Bits
9.2. Extended ACL: ACL Entries Compared to Permission Bits
13.1. iptables: A Packet's Possible Paths
13.2. The YaST Firewall Configuration
14.1. Routed VPN
14.2. Bridged VPN - Scenario 1
14.3. Bridged VPN - Scenario 2
14.4. Bridged VPN - Scenario 3
15.1. YaST CA Module—Basic Data for a Root CA
15.2. YaST CA Module—Using a CA
15.3. Certificates of a CA
15.4. YaST CA Module—Extended Settings
21.1. YaST Controls for AppArmor
21.2. Learning Mode Exception: Controlling Access to Specific Resources
21.3. Learning Mode Exception: Defining Execute Permissions for an Entry

Liste des tableaux

4.1. Commonly Used Object Classes and Attributes
9.1. ACL Entry Types
9.2. Masking Access Permissions
11.1. Important AIDE Checking Options
15.1. X.509v3 Certificate
15.2. X.509 Certificate Revocation List (CRL)
15.3. Passwords during LDAP Export
26.1. Man Pages: Sections and Categories

Liste des exemples

2.1. PAM Configuration for sshd (/etc/pam.d/sshd)
2.2. Default Configuration for the auth Section (common-auth)
2.3. Default Configuration for the account Section (common-account)
2.4. Default Configuration for the password Section (common-password)
2.5. Default Configuration for the session Section (common-session)
2.6. pam_env.conf
4.1. Excerpt from schema.core
4.2. An LDIF File
4.3. ldapadd with example.ldif
4.4. LDIF Data for Tux
4.5. Modified LDIF File tux.ldif
14.1. VPN Server Configuration File
14.2. VPN Client Configuration File
17.1. Output of aa-unconfined
22.1. Learning Mode Exception: Controlling Access to Specific Resources
22.2. Learning Mode Exception: Defining Execute Permissions for an Entry
23.1. Example phpsysinfo Hat

openSUSE Security Guide 12.3