0% found this document useful (0 votes)

47 views46 pages

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

This document discusses securing a SUSE Linux Enterprise Server. It covers creating a security concept by analyzing communication, protection requirements, and the current situation to identify necessary enhancements. Topics include limiting physical and software access, understanding Linux authentication with PAM, ensuring file system security with permissions and ACLs, configuring security settings with YaST, and applying security updates.

Uploaded by

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPT, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

47 views46 pages

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Uploaded by

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPT, PDF, TXT or read online on Scribd

You are on page 1/ 46

Advanced SUSE Linux

Enterprise Server
Administration (Course 3038)
Chapter 4
Secure a SLES 9 Server

Objectives

Create a Security Concept

Limit Physical Access to Server Systems
Limit the Installed Software Packages
Understand the Linux User Authentication
Ensure File System Security
Use ACLs for Advanced Access Control
Configure Security Settings with YaST
Stay Informed About Security Issues
Apply Security Updates

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Create a Security Concept

Objectives

Understand the Basics of a Security Concept

Perform a Communication Analysis
Analyze the Protection Requirements
Analyze the Current Situation and Necessary
Enhancements

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Understand the Basics of a Security

Concept
You must know what you are protecting your system
from
If users work on different computers and use
common resources
Security concept pertaining to a network must be
considered

Creating security concept

Helps to detect errors and sources of danger that are
not obvious
Provides good documentation of the concept
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Protection Requirements

Expense of securing individual resources
Determined by amount of potential damage

Estimate frequency of occurrence of possible

damage
To use in your calculations

Important parts of the communication analysis

Can be represented in tables, also known as access
matrices

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Current Situation and

Necessary Enhancements
Company-wide security policy should guarantee
Confidentiality, data integrity, availability, and
transparency

Security policy
Determines what security demands are required for
specific data and resources
Should include the analysis of the remaining risk
Describes the current actual state of security

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Current Situation and

Necessary Enhancements (continued)
Security of Network Components

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Current Situation and

Necessary Enhancements (continued)
Power failure measures

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Current Situation and

Necessary Enhancements (continued)
Fire fighting measures

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Current Situation and

Necessary Enhancements (continued)
Data storage issues

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Current Situation and

Necessary Enhancements (continued)
Software security updates

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Current Situation and

Necessary Enhancements (continued)
Virus protection of the IT systems

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Analyze the Current Situation and

Necessary Enhancements (continued)
Documentation of the IT infrastructure

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Limit Physical Access to Server

Systems
Objectives
Place the Server in a Separate, Locked Room
Secure the BIOS with a Password
Secure the GRUB Boot Loader with a Password

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Limit the Installed Software Packages

Remove unnecessary software packages
From a production server

A server should never offer any network services that

are not needed
Check which services are configured to start and their
run levels
chkconfig -l
Command displays a line for every service installed

Remove a service from its default run levels:

insserv -r service_name
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Understand the Linux User

Authentication
Authentication on a Linux system
Based on Pluggable Authentication Modules (PAM)

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How PAM Works

Pluggable Authentication Modules (PAM)
Collection of software modules
Handles the authentication process

User logs into a Linux system on a virtual terminal

Program called login is usually called

Before PAM was introduced

PAM creates a software level

With clearly defined interfaces
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How PAM Works (continued)

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

PAM Configuration
PAM modules are located in directory /lib/security
Every filename starts with the prefix pam_.

PAM configuration is done in directory /etc/pam.d/

Contains a configuration file for every application that
uses PAM

Configuration file entries structure

module-type
Auth, account, session, password

control-flag
Required, sufficient, optional, etc.
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

PAM Configuration (continued)

Configuration file entries structure (continued)
auth required pam_env.so
auth required pam_mail.so
password required pam_pwcheck.so

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

The Requirements for a Secure

Password
Even the best security setup for a system
Can be defeated if users choose easy to guess
passwords

Dictionary attacks
Password cracking program just tries one word after
another from a dictionary file

Enable a special PAM module pam_pwcheck.so

To test a password first before a user can set it

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Ensure File System Security

Objectives
The Basic Rule for User Write Access
The Basic Rule for User Read Access
How Special File Permissions Affect the Security of
the System

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

The Basic Rule for User Write Access

File systems used in Linux
Structurally similar to UNIX file systems
Support the typical UNIX file access permissions
(read, write, execute, sticky bit, SUID, SGID, etc.)

Normal user should only have write access to

The home directory of the user
The /tmp directory to store temporary files

Depending on the purpose of a computer

Other directories can be writable by users
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

The Basic Rule for User Read Access

Some files should be protected from user read
access
Especially files that store passwords

/etc/shadow
/etc/samba/smbpasswd
Files with Apache passwords
/etc/openldap/slapd.conf
/boot/grub/menu.lst

Some password files can be readable for a nonroot

account
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How Special File Permissions Affect

the Security of the System
Three file system rights that influence the security in
a special way
SUID bit
Set for an executable
Program is started under the user ID of the file owner

SGID bit
Lets program run under the GID of the group to which
the executable file belongs

Sticky bit
Prevents users from deleting/renaming each others files
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Use ACLs for Advanced Access

Control

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

The Basics of ACLs

Set of permissions
read (r), write (w), execute (x)

Types of users
File owner, group, and other users

ACLs (Access Control Lists)

Assign permissions to individual users or groups
Supported by the ReiserFS, Ext2, Ext3, JFS, and XFS

Useful when
Replacing Windows server with Linux server
Providing file and print services with Samba
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Important ACL Terms

user class
The owner, the owning group, and other users

access ACL
User and group access permissions for all kinds of file
system objects

default ACL
Determine the permissions a file system object inherits
from its parent directory

ACL entry
Contains a type, a qualifier for the user or group to which
the entry refers, and a set of permissions
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

ACL Types
Two basic classes of ACLs
Minimum ACL, Extended ACL

ACLs extend the classic Linux file permission

By the following permission types
named user, named group, mask

Permissions defined in the entries owner and other

are always effective

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How ACLs and Permission Bits Map to

Each Other
Assigning an ACL to a file or directory
Permissions set in the ACL are mapped to the
standard UNIX permissions

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How to Use the ACL Command-Line

Tools
Command-line tools
getfacl
setfacl

Examples
setfacl -m u:tux:rx my_file
setfacl -m g:accounting:rw my_file
setfacl -m m:rx

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How to Configure a Directory with an

Access ACL
Steps
Use the umask command to define access permissions
to be masked
Each time a file object is created

Check initial state of the ACL by entering:

getfacl mydir

Modify the ACL

setfacl -m user:jane:rwx,group:jungle:rwx mydir

Take a look at the resulting ACL:

getfacl mydir

Add or remove permissions with chmod

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How to Configure a Directory with a

Default ACL
Default ACL
Defines access permissions objects under the
directory inherit when they are created

Passing permissions of a directorys default ACL

Subdirectory inherits default ACL of parent directory
Both as its own default ACL and as an access ACL

File inherits default ACL as its own access ACL

Parent directory does not have a default ACL

umask permission bits are subtracted from the mode
parameter permissions
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How to Configure a Directory with a

Default ACL (continued)
Parent directory has a default ACL
Permission bits correspond to overlapping portion of
mode parameter permissions and default ACL

Add a default ACL to the existing directory mydir

setfacl -d -m group:jungle:r-x mydir

Create a subdirectory in mydir, which inherits the

default ACL
mkdir mydir/mysubdir
getfacl mydir/mysubdir
Advanced SUSE Linux Enterprise Server Administration (Course 3038)

How Applications Handle ACLs

Important applications still lack ACL support
There are no backup applications that guarantee full
preservation of ACLs

Basic file commands (cp, mv, ls, and so on) support

ACLs
But many editors and file managers (such as
Konqueror) do not

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Configure Security Settings with YaST

Open the YaST Control Center
Select Security and Users > Security settings

You can change the following settings

The password settings

The boot behavior of the system
The login behavior
The user ID limitations
General file system security

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Configure Security Settings with YaST

Levels of Local Security

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Configure Security Settings with YaST

Password Settings (continued)

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Configure Security Settings with YaST

Boot Settings

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Configure Security Settings with YaST

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Configure Security Settings with YaST

User/Group ID Limitations

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Configure Security Settings with YaST

Setting of File Permissions

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Configure Security Settings with YaST

(continued)

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Stay Informed About Security Issues

Resources
www.suse.de/en/business/security.html
www.suse.de/en/business/mailinglists.html
suse-security
suse-security-announce

www.securityfocus.com/

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Register Your Product

Access the update packages
Need to enter a user name and a password
Create an account for the SUSE support portal

SUSE support portal http://portal.suse.com

Registered products can be updated with the YOU

module (Enterprise Server, not OpenSUSE)

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

Use the YaST Online Update

Steps for SLES9 use the YOU module (YaST),
Steps for OpenSUSE - use the Online Update
module (YaST)
module retrieves information about the available
patches
Select packages to install
By selecting Accept, the selected updates are
downloaded and installed

Advanced SUSE Linux Enterprise Server Administration (Course 3038)

LAB MANUAL-SLE301v15-SLES Advanced Administration Secure
No ratings yet
LAB MANUAL-SLE301v15-SLES Advanced Administration Secure
110 pages
LECTURE MANUAL-SLE301v15-SLE Advanced Administration Secure
100% (1)
LECTURE MANUAL-SLE301v15-SLE Advanced Administration Secure
710 pages
Hardening Oracle Linux Server
No ratings yet
Hardening Oracle Linux Server
4 pages
SLE201v15 SLES15 Admin Course Description
50% (2)
SLE201v15 SLES15 Admin Course Description
2 pages
Rules of Engagement
No ratings yet
Rules of Engagement
4 pages
LAB MANUAL-SUSE Linux Enterprise Server Administration - Lms
100% (1)
LAB MANUAL-SUSE Linux Enterprise Server Administration - Lms
172 pages
LAB MANUAL-SUSE Linux Enterprise Server Administration - LMS
No ratings yet
LAB MANUAL-SUSE Linux Enterprise Server Administration - LMS
167 pages
Linux Security Checklist
No ratings yet
Linux Security Checklist
5 pages
Isc2 CCSP Student Guide 3rdedition 2017 First 50 Pages 428415
100% (6)
Isc2 CCSP Student Guide 3rdedition 2017 First 50 Pages 428415
70 pages
Ed 505 Digital Citizenship Project - Netiquette-2
No ratings yet
Ed 505 Digital Citizenship Project - Netiquette-2
6 pages
SUSE Linux Enterprise Server: 11 SP3 Security and Hardening Guide
No ratings yet
SUSE Linux Enterprise Server: 11 SP3 Security and Hardening Guide
82 pages
SLES 11 Book Hardening PDF
No ratings yet
SLES 11 Book Hardening PDF
84 pages
Advanced SUSE Linux Enterprise Server Administration (Course 3038)
No ratings yet
Advanced SUSE Linux Enterprise Server Administration (Course 3038)
30 pages
LFT Pub Intro Linux Security PDF
No ratings yet
LFT Pub Intro Linux Security PDF
6 pages
SUSE Linux Enterprise Server Administration (Course 3037) : Manage The Linux File System
No ratings yet
SUSE Linux Enterprise Server Administration (Course 3037) : Manage The Linux File System
98 pages
Protecting Confidential Files Selinux 2009
No ratings yet
Protecting Confidential Files Selinux 2009
8 pages
Cheatsheet
No ratings yet
Cheatsheet
2 pages
L Harden Server PDF
No ratings yet
L Harden Server PDF
20 pages
CH 5
No ratings yet
CH 5
40 pages
12 Linux Security
No ratings yet
12 Linux Security
51 pages
Advanced SUSE Linux Enterprise Server Administration (Course 3038)
No ratings yet
Advanced SUSE Linux Enterprise Server Administration (Course 3038)
69 pages
Ubuntu Administration Essentials: Definitive Reference for Developers and Engineers
From Everand
Ubuntu Administration Essentials: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Ch5.
No ratings yet
Ch5.
42 pages
Kerry Thompson, Open Systems Specialists LTD (OSS)
No ratings yet
Kerry Thompson, Open Systems Specialists LTD (OSS)
20 pages
Hardening
No ratings yet
Hardening
509 pages
L Harden Server PDF
No ratings yet
L Harden Server PDF
14 pages
PPT ch02
No ratings yet
PPT ch02
61 pages
Sanet.cd_B0713PYBK7
No ratings yet
Sanet.cd_B0713PYBK7
206 pages
AIX Security Guide
100% (15)
AIX Security Guide
36 pages
Linux Security On HP Servers: Security Enhanced Linux: Technical Introduction
No ratings yet
Linux Security On HP Servers: Security Enhanced Linux: Technical Introduction
13 pages
SELinux For Dummies
No ratings yet
SELinux For Dummies
38 pages
CH 17
No ratings yet
CH 17
35 pages
Linuxsec3e PPT ch02
No ratings yet
Linuxsec3e PPT ch02
32 pages
Computer Security and Penetration Testing: Linux Vulnerabilities
No ratings yet
Computer Security and Penetration Testing: Linux Vulnerabilities
35 pages
Advanced Topics and Troubleshooting: The Complete Guide To Linux System Administration
No ratings yet
Advanced Topics and Troubleshooting: The Complete Guide To Linux System Administration
57 pages
Linux Lecture1
No ratings yet
Linux Lecture1
37 pages
Linux Administration: Unit 1
No ratings yet
Linux Administration: Unit 1
59 pages
_semester-5_2018_november_linux-system-administration-cbcs
No ratings yet
_semester-5_2018_november_linux-system-administration-cbcs
37 pages
openSUSE LEAP
No ratings yet
openSUSE LEAP
2 pages
Chapter 3 - Using Linux
No ratings yet
Chapter 3 - Using Linux
11 pages
SELinux by Example - Using Security Enhanced Linux
No ratings yet
SELinux by Example - Using Security Enhanced Linux
9 pages
Chapter 5
No ratings yet
Chapter 5
16 pages
Linux Operating System Security: Joen A. Sinamag
No ratings yet
Linux Operating System Security: Joen A. Sinamag
12 pages
NETWORK ADMINISTRATION AND MANAGEMENT PRESENTATIONS
No ratings yet
NETWORK ADMINISTRATION AND MANAGEMENT PRESENTATIONS
8 pages
Access Control List
No ratings yet
Access Control List
28 pages
Cyberops Module 4 - Studynotes - TH
No ratings yet
Cyberops Module 4 - Studynotes - TH
6 pages
Week 07 Slides
No ratings yet
Week 07 Slides
33 pages
LAB MANUAL-SLE201-SUSE Linux Enterprise Administration - LMS PDF
100% (1)
LAB MANUAL-SLE201-SUSE Linux Enterprise Administration - LMS PDF
153 pages
LAB MANUAL-SLE201-SUSE Linux Enterprise Administration - LMS PDF
No ratings yet
LAB MANUAL-SLE201-SUSE Linux Enterprise Administration - LMS PDF
153 pages
Client Response Memo
No ratings yet
Client Response Memo
7 pages
Book Security PDF
No ratings yet
Book Security PDF
488 pages
Linuxsec ppt15 l14
No ratings yet
Linuxsec ppt15 l14
19 pages
Host Hardening
100% (1)
Host Hardening
28 pages
3115 PPT
No ratings yet
3115 PPT
30 pages
Linux
No ratings yet
Linux
13 pages
UNIX Administration Course: Tel: (+44) (0) 1772 893297 Fax: (+44) (0) 1772 892913 WWW: HTTP://WWW - Futuretech.vuurwerk - NL
No ratings yet
UNIX Administration Course: Tel: (+44) (0) 1772 893297 Fax: (+44) (0) 1772 892913 WWW: HTTP://WWW - Futuretech.vuurwerk - NL
22 pages
SEcurity Enhanced Linux Overview
No ratings yet
SEcurity Enhanced Linux Overview
25 pages
SuSE Linux Enterprise Server Security Guide 11 SP4
No ratings yet
SuSE Linux Enterprise Server Security Guide 11 SP4
488 pages
Least Privilege Security for Windows 7, Vista and XP
From Everand
Least Privilege Security for Windows 7, Vista and XP
Russell Smith
No ratings yet
Best Free Open Source Data Recovery Apps for Mac OS English Edition
From Everand
Best Free Open Source Data Recovery Apps for Mac OS English Edition
Cyber Jannah Sakura
No ratings yet
Operating Systems: Concepts to Save Money, Time, and Frustration
From Everand
Operating Systems: Concepts to Save Money, Time, and Frustration
Jonathan Rigdon
No ratings yet
Slackware Essentials: Definitive Reference for Developers and Engineers
From Everand
Slackware Essentials: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Zorin OS Administration and User Guide: Definitive Reference for Developers and Engineers
From Everand
Zorin OS Administration and User Guide: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Wireshark SSL v6.0
No ratings yet
Wireshark SSL v6.0
4 pages
Colored Coins - BitcoinX - Google Drive
No ratings yet
Colored Coins - BitcoinX - Google Drive
23 pages
KT - IsO 27001 Statement of Applicability
No ratings yet
KT - IsO 27001 Statement of Applicability
37 pages
U2000 Health Check For Fortune Network 2019 Q3
No ratings yet
U2000 Health Check For Fortune Network 2019 Q3
19 pages
Incident Response Process
No ratings yet
Incident Response Process
3 pages
COSC 475: Discuss The Hadoop Distributed File System (HDFS)
No ratings yet
COSC 475: Discuss The Hadoop Distributed File System (HDFS)
3 pages
Activities Teaching Keyboarding
No ratings yet
Activities Teaching Keyboarding
3 pages
CRN PTK 5-2
No ratings yet
CRN PTK 5-2
11 pages
1 CP041
No ratings yet
1 CP041
10 pages
Template No. 3 Attendance Sheet
No ratings yet
Template No. 3 Attendance Sheet
1 page
MB0051 - Legal Aspects of Business Assignment Set-1
No ratings yet
MB0051 - Legal Aspects of Business Assignment Set-1
12 pages
Wps Emp 01-16 s275jr - s275jr BW P Smaw Awsd1 1
No ratings yet
Wps Emp 01-16 s275jr - s275jr BW P Smaw Awsd1 1
2 pages
Network Traffic Anomaly Detection
No ratings yet
Network Traffic Anomaly Detection
5 pages
Menvier TS-590 Operators Manual
No ratings yet
Menvier TS-590 Operators Manual
40 pages
Immediate download Cyber Security Awareness for Accountants and CPAs 1st Edition David Willson ebooks 2024
100% (2)
Immediate download Cyber Security Awareness for Accountants and CPAs 1st Edition David Willson ebooks 2024
65 pages
Signs of the Inka Khipu Binary Coding in the Andean Knotted String Records 1st Edition Gary Urton - The ebook with rich content is ready for you to download
100% (2)
Signs of the Inka Khipu Binary Coding in the Andean Knotted String Records 1st Edition Gary Urton - The ebook with rich content is ready for you to download
44 pages
United States District Court District of New Jersey
No ratings yet
United States District Court District of New Jersey
12 pages
Chaka Force Profile Dar es salaam
No ratings yet
Chaka Force Profile Dar es salaam
23 pages
The Death of Privacy
No ratings yet
The Death of Privacy
84 pages
Introduction To Information Technology Law CH 1&2
100% (1)
Introduction To Information Technology Law CH 1&2
50 pages
Fortran 95 Practical Exercises
No ratings yet
Fortran 95 Practical Exercises
10 pages
Ps 1
No ratings yet
Ps 1
4 pages
Intro To Ethical Hacking - PPT
No ratings yet
Intro To Ethical Hacking - PPT
37 pages
Operating Instructions For The Caller ID Card (KX-TA30893) : Advanced Hybrid System
No ratings yet
Operating Instructions For The Caller ID Card (KX-TA30893) : Advanced Hybrid System
28 pages
Teen Chat Room Acronyms, Internet Texting Slang Used by Kids and Teens
No ratings yet
Teen Chat Room Acronyms, Internet Texting Slang Used by Kids and Teens
30 pages
TSARNI
No ratings yet
TSARNI
2 pages