Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE User Guide Page 1


Contents

Page 1 - Security Guide

Red Hat Enterprise Linux 6 Security Guide. A Guide to Securing Red Hat Enterprise Linux

Page 3

Chapter 2. Securing Your Network, p. 90: • <user-defined-chain> — A user-defined chain within the table. User-defined chain names must be unique. This t

Page 4

Saving IPTables Rules, p. 91: 2.6.2.6. Listing Options. The default list command, iptables -L [<chain-name>], provides a very basic overview of the defaul

Page 5

Chapter 2. Securing Your Network, p. 92: Note: Note the difference between the iptables command (/sbin/iptables), which is used to manipulate the tables and cha

Page 6

IPTables Control Scripts, p. 93: value of IPTABLES_STATUS_NUMERIC to no. Refer to Section 2.6.4.1, “IPTables Control Scripts Configuration File” for more info

Page 7 - 1. Document Conventions

Chapter 2. Securing Your Network, p. 94: • IPTABLES_STATUS_NUMERIC — Outputs IP addresses in numeric form instead of domain or hostnames. This directive accep

Page 8 - 1.2. Pull-quote Conventions

Chapter 3. Encryption, p. 95: There are two main types of data that must be protected: data at rest and data in motion. These different types of data are prote

Page 9 - 2. We Need Feedback!

Chapter 3. Encryption, p. 96: should also be protected when transmitted across a network. If the network session was encrypted then you would not have to worr

Page 10

LUKS Disk Encryption, p. 97:
default_algorithms = ALL
dynamic_path = /usr/lib/openssl/engines/libpadlock.so
init = 1
Note: for 64-bit systems, use dynamic_path

Page 11 - Security Overview

Chapter 3. Encryption, p. 98: 3.8.2. Manually Encrypting Directories. Warning: Following this procedure will remove all data on the partition that you are encryp

Page 12 - 1.1.1.2. Security Today

What you have just accomplished, p. 99: 3.8.4. What you have just accomplished. Congratulations, you now have an encrypted partition for all of your data to

Page 13 - 1.1.3. Security Controls

Chapter 1. Security Overview, p. 1: Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal in

Page 14 - 1.1.4. Conclusion

Chapter 3. Encryption, p. 100: Warning: If you forget your passphrase, the key cannot be used and any data encrypted using that key will be lost. To find your GP

Page 15 - 1.2. Vulnerability Assessment

About Public Key Encryption, p. 101: At the confirmation prompt, enter the letter O to continue if all entries are correct, or use the other options to fix an

Page 17 - 1.2.3. Evaluating the Tools

Chapter 4. General Principles of Information Security, p. 103: The following general principles provide an overview of good security practices: • encrypt all da

Page 19 - 1.3.1.1. Shades of Gray

Chapter 5. Secure Installation, p. 105: Security begins with the first time you put that CD or DVD into your disk drive to install Red Hat Enterprise Linux. Co

Page 21 - 1.3.3.2. Unpatched Services

Chapter 6. Software Maintenance, p. 107: Software maintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as i

Page 23

Chapter 7. Federal Standards and Regulations, p. 109: 7.1. Introduction. In order to maintain security levels, it is possible for your organization to make effo

Page 24

Chapter 1. Security Overview, p. 2: The Internet and its earlier protocols, however, were developed as a trust-based system. That is, the Internet Protocol (I

Page 25 - 1.5. Security Updates

Chapter 7. Federal Standards and Regulations, p. 110: 7.3. National Industrial Security Program Operating Manual (NISPOM). The NISPOM (also called DoD 5220.22-M

Page 26

Chapter 8. References, p. 111: The following references are pointers to additional information that is relevant to SELinux and Red Hat Enterprise Linux but bey

Page 27 - 1.5.4. Applying the Changes

Chapter 8. References, p. 112: Community. Fedora SELinux User Guide: http://docs.fedoraproject.org/ Fedora SELinux Managing Confined Services Guide: http://docs.fed

Page 28

Appendix A. Encryption Standards, p. 113: A.1. Synchronous Encryption. A.1.1. Advanced Encryption Standard - AES. In cryptography, the Advanced Encryption Standa

Page 29 - Applying the Changes

Appendix A. Encryption Standards, p. 114: collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology). There are also some analytical

Page 30

RSA, p. 115: communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.[12] A.2.1.1. Diffie-Hellman His

Page 31 - Securing Your Network

Appendix A. Encryption Standards, p. 116: of the decisional Diffie–Hellman assumption. Developed by Ronald Cramer and Victor Shoup in 1998, it is an extension

Page 32 - /sbin/grub-md5-crypt

Appendix B. Revision History, p. 117: Revision 1.5, Apr 19 2010, Scott Radvan [email protected]: fixes, final build for Beta. Revision 1.4.1, Mar 5 2010, Scot

Page 34

SELinux, p. 3: system administrators, developers, and engineers to ensure 24x7 reliability of their systems, services, and information. Falling victim to mali

Page 35

Chapter 1. Security Overview, p. 4: 1.1.3.1. Physical Controls. Physical control is the implementation of security measures in a defined structure used to dete

Page 36

Vulnerability Assessment, p. 5: 1.2. Vulnerability Assessment. Given time, resources, and motivation, an attacker can break into nearly any system. All of thes

Page 37 - 2.1.3.2.3. Password Aging

Chapter 1. Security Overview, p. 6: 1.2.2. Defining Assessment and Testing. Vulnerability assessments may be broken down into one of two types: Outside looking

Page 38

Evaluating the Tools, p. 7: • Finds potential exploits before crackers find them • Results in systems being kept up to date and patched • Promotes growth and a

Page 39 - 2.1.4.1. Allowing Root Access

Chapter 1. Security Overview, p. 8: 1.2.3.1.1. Using Nmap. Nmap can be run from a shell prompt by typing the nmap command followed by the hostname or IP address

Page 40

Attackers and Vulnerabilities, p. 9: 1.2.3.4. Anticipating Your Future Needs. Depending upon your target and resources, there are many tools available. There a

Page 41

Security Guide: Red Hat Enterprise Linux 6 Security Guide. A Guide to Securing Red Hat Enterprise Linux. Edition 1.5. Author. Copyright © 2010 Red Hat, Inc. The

Page 42 - 2.1.4.3. Limiting Root Access

Chapter 1. Security Overview, p. 10: Gray hat hackers typically subscribe to another form of the hacker ethic, which says it is acceptable to break into syste

Page 43 - 2.1.4.3.2. The sudo Command

Threats to Server Security, p. 11: pathway into the system for crackers. Refer to Section 2.2, “Server Security” for information on closing ports and disablin

Page 44 - 2.1.5.1. Risks To Services

Chapter 1. Security Overview, p. 12: Inherently, such services can also more easily fall prey to what the security industry terms the man-in-the-middle attac

Page 45

Common Exploits and Attacks, p. 13: explanations of how they are performed and how administrators can properly safeguard their network against such attacks. Ta

Page 46 - 2.1.5.3. Insecure Services

Chapter 1. Security Overview, p. 14: Exploit | Description | Notes. Preventative measures include services with cryptographic key exchange, one-time passwords, or enc

Page 47 - 2.1.6. Personal Firewalls

Security Updates, p. 15: Exploit | Description | Notes. alleviate the burdens of multi-seat security deployments. Denial of Service (DoS) Attacks: Attacker or group of

Page 48 - 2.2. Server Security

Chapter 1. Security Overview, p. 16: 1.5.2. Verifying Signed Packages. All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands fo

Page 49 - 220-Hello, %c

Applying the Changes, p. 17: rpm -ivh /tmp/updates/<kernel-package> Replace <kernel-package> in the previous example with the name of the kernel R

Page 50 - 2.2.1.2.1. Setting a Trap

Chapter 1. Security Overview, p. 18: Shared Libraries. Shared libraries are units of code, such as glibc, which are used by a number of applications and service

Page 51

Applying the Changes, p. 19: In the previous examples, replace <PID> with the process identification number (found in the second column of the ps comman

Page 54 - 255.255.255.0 192.168.0.0

Chapter 2. Securing Your Network, p. 21: 2.1. Workstation Security. Securing a Linux environment begins with the workstation. Whether locking down a personal ma

Page 55 - 2.2.4. Securing NFS

Chapter 2. Securing Your Network, p. 22: user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data. 2. Preventing

Page 56 - UserDir disabled root

Password Security, p. 23: Replace <password-hash> with the value returned by /sbin/grub-md5-crypt[2]. The next time the system boots, the GRUB menu preven

Page 57 - 2.2.6. Securing FTP

Chapter 2. Securing Your Network, p. 24: cracker starts an attack in the middle of the night on a system with weak passwords, the cracker may have gained acce

Page 58 - 2.2.6.3. User Accounts

Password Security, p. 25: • Your name • The names of pets • The names of family members • Any birth dates • Your phone number or zip code • Do Not Invert Recogniz

Page 59 - 2.2.7. Securing Sendmail

Chapter 2. Securing Your Network, p. 26: • Next, turn it into an acronym (including the punctuation). otrattw,tghwg. • Add complexity by substituting numbers a

Page 60 - 2.2.7.3. Mail-only Users

Password Security, p. 27: • Slurpie — Slurpie is similar to John The Ripper and Crack, but it is designed to run on multiple computers simultaneously, creatin

Page 61 - 2.3. TCP Wrappers and xinetd

Chapter 2. Securing Your Network, p. 28: Refer to the man page for chage for more information on the available options. You can also use the graphical User Ma

Page 62 - 2.3.1. TCP Wrappers

Administrative Controls, p. 29: Note: The s may be upper case or lower case. If it appears as upper case, it means that the underlying permission bit has not be

Page 63 - [root@myServer ~]#

Security Guide, p. iv: 2.4.2. Openswan ... 67 2.5. Firew

Page 64

Chapter 2. Securing Your Network, p. 30: Method | Description | Effects | Does Not Affect · kdm · xdm · su · ssh · scp · sftp · FTP clients · Email clients. Disabling root acc

Page 65 - 2.3.2.1.1. Wildcards

Administrative Controls, p. 31: Important: Programs that do not require access to the shell, such as email clients or the sudo command, can still access the roo

Page 66

Chapter 2. Securing Your Network, p. 32: sense=deny file=/etc/vsftpd.ftpusers onerr=succeed. This instructs PAM to consult the /etc/vsftpd.ftpusers file and de

Page 67 - 2.3.2.1.4. Operators

Administrative Controls, p. 33: Figure 2.2. Adding users to the "wheel" group. Open the PAM configuration file for su (/etc/pam.d/su) in a text edit

Page 68 - 2.3.2.2. Option Fields

Chapter 2. Securing Your Network, p. 34: Important: Users of the sudo command should take extra care to log out before walking away from their machines since su

Page 69 - 2.3.2.2.4. Expansions

Available Network Services, p. 35: • Distributed Denial of Service Attack (DDoS) — A type of DoS attack which uses multiple compromised machines (often number

Page 70 - 2.3.3. xinetd

Chapter 2. Securing Your Network, p. 36: same is true for portmap. If you do not mount NFSv3 volumes or use NIS (the ypbind service), then portmap should be d

Page 71

Personal Firewalls, p. 37: Other services like finger and rwhod reveal information about users of the system. Examples of inherently insecure services include

Page 72 - 2.3.4.3.1. Logging Options

Chapter 2. Securing Your Network, p. 38: firewall). This tool creates broad iptables rules for a general-purpose firewall using a control panel interface. Refe

Page 73

Securing Services With TCP Wrappers and xinetd, p. 39: • Serve only one type of network service per machine whenever possible. • Monitor all servers carefully

Page 74

Security Guide, p. v: 7.4. Payment Card Industry Data Security Standard (PCI DSS) ... 110 7.5. Security Technical Implementation Guid

Page 75 - 2.3.5. Additional Resources

Chapter 2. Securing Your Network, p. 40: 2.2.1.1.2. TCP Wrappers and Attack Warnings. If a particular host or network has been detected attacking the server, T

Page 76 - 2.3.5.3. Related Books

Securing Services With TCP Wrappers and xinetd, p. 41: Edit the file /etc/xinetd.d/telnet and change the flags line to read: flags = SENSOR. Add the f

Page 77 - 2.4.2. Openswan

Chapter 2. Securing Your Network, p. 42: 2.2.2. Securing Portmap. The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS.

Page 78 - 2.4.2.3. Commands

Securing NIS, p. 43: • /usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network. • /usr/sbin/yp

Page 79 - 2.5. Firewalls

Chapter 2. Securing Your Network, p. 44: Below is a sample entry from a /var/yp/securenets file: 255.255.255.0 192.168.0.0 Warning: Never start an NIS server

Page 80

Securing NFS, p. 45: 2.2.4. Securing NFS. Important: The version of NFS included in Red Hat Enterprise Linux 6, NFSv4, no longer requires the portmap service as o

Page 81 - 2.5.1. Netfilter and IPTables

Chapter 2. Securing Your Network, p. 46: • MOUNTD_PORT — TCP and UDP port for mountd (rpc.mountd) • STATD_PORT — TCP and UDP port for status (rpc.statd) • LOCK

Page 82

Securing FTP, p. 47: Important: Do not remove the IncludesNoExec directive. By default, the Server-Side Includes (SSI) module cannot execute commands. It is rec

Page 83 - 2.5.2.4. Other Ports

Chapter 2. Securing Your Network, p. 48: It also is possible to send additional banners to incoming connections using TCP Wrappers as described in Section 2.2

Page 84 - 2.5.3. Using IPTables

Securing Sendmail, p. 49: local_enable=NO. 2.2.6.3.1. Restricting User Accounts. To disable FTP access for specific accounts or specific groups of accounts, such

Page 86 - 2.5.5. FORWARD and NAT Rules

Chapter 2. Securing Your Network, p. 50: Note: With NFSv4 using Kerberos, this is not the case, since the SECRPC_GSS kernel module does not utilize UID-based au

Page 87

TCP Wrappers and xinetd, p. 51: This output shows the system is running portmap due to the presence of the sunrpc service. However, there is also a mystery se

Page 88 - 2.5.5.3. DMZs and IPTables

Chapter 2. Securing Your Network, p. 52: Figure 2.4. Access Control to Network Services. This chapter focuses on the role of TCP Wrappers and xinetd in control

Page 89

TCP Wrappers Configuration Files, p. 53: Because TCP Wrappers are a valuable addition to any server administrator's arsenal of security tools, most netwo

Page 90 - 2.5.9. Additional Resources

Chapter 2. Securing Your Network, p. 54: • Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny. The

Page 91 - 2.6. IPTables

TCP Wrappers Configuration Files, p. 55: Note: More information on some of the terms above can be found elsewhere in this guide: • Section 2.3.2.1.1, “Wildcards

Page 92

Chapter 2. Securing Your Network, p. 56: Important: The KNOWN, UNKNOWN, and PARANOID wildcards should be used with care, because they rely on a functioning DNS

Page 93

TCP Wrappers Configuration Files, p. 57: • The slash (/) — If a client list begins with a slash, it is treated as a file name. This is useful if rules specify

Page 94 - 2.6.2.2. Command Options

Chapter 2. Securing Your Network, p. 58: 2.3.2.2. Option Fields. In addition to basic rules that allow and deny access, the Red Hat Enterprise Linux implementa

Page 95

TCP Wrappers Configuration Files, p. 59: in.telnetd : .example.com \ : spawn /bin/echo `/bin/date` from %h>>/var/log/telnet.log \ : allow • twist — Repl

Page 96

Preface, p. vii: 1. Document Conventions. This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of i

Page 97 - 2.6.2.4.1. TCP Protocol

Chapter 2. Securing Your Network, p. 60: : spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \ : deny. Similarly, expansions can be use

Page 98 - 2.6.2.4.3. ICMP Protocol

xinetd Configuration Files, p. 61: includedir /etc/xinetd.d. These lines control the following aspects of xinetd: • instances — Specifies the maximum number of

Page 99 - 2.6.2.5. Target Options

Chapter 2. Securing Your Network, p. 62: • service — Specifies the service name, usually one of those listed in the /etc/services file. • flags — Sets any of

Page 100

xinetd Configuration Files, p. 63: This section discusses using xinetd to control access to services. Note: Unlike TCP Wrappers, changes to access control only

Page 101 - 2.6.3. Saving IPTables Rules

Chapter 2. Securing Your Network, p. 64: When using TCP Wrappers in conjunction with xinetd access controls, it is important to understand the relationship be

Page 102

Additional Resources, p. 65:
socket_type = stream
wait = no
server = /usr/kerberos/sbin/telnetd
log_on_success += DURATION USERID
log_on_failure

Page 103

Chapter 2. Securing Your Network, p. 66: • /usr/share/doc/tcp_wrappers-<version>/ — This directory contains a README file that discusses how TCP Wrapper

Page 104 - 2.6.6. Additional Resources

How Does a VPN Work?, p. 67: 2.4.1. How Does a VPN Work? When a packet is transmitted from a client, it sends it through the VPN router or gateway, which adds

Page 105 - Encryption

Chapter 2. Securing Your Network, p. 68: • /etc/ipsec.d/cert*.db - Certificate database files. The old default NSS database file is cert8.db. From Red Hat Ent

Page 106 - 3.7. OpenSSL PadLock Engine

Firewalls, p. 69: • Adding/deleting a connection: • ipsec auto --add/delete <connection name> • Connection establishment/breaking: • ipsec auto --up/down

Page 107 - 3.8. LUKS Disk Encryption

Preface, p. viii: Close to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand). To insert a special

Page 108 - Important

Chapter 2. Securing Your Network, p. 70: Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls f

Page 109 - 3.8.5. Links of Interest

Netfilter and IPTables, p. 71: 2.5.1. Netfilter and IPTables. The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsyst

Page 110

Chapter 2. Securing Your Network, p. 72: Figure 2.5. Firewall Configuration Tool. Note: The Firewall Configuration Tool only configures a basic firewall. If the

Page 111

Basic Firewall Configuration, p. 73: 2.5.2.3. Trusted Services. Enabling options in the Trusted services list allows the specified service to pass through the

Page 112

Chapter 2. Securing Your Network, p. 74: 2.5.2.5. Saving the Settings. Click OK to save the changes and enable or disable the firewall. If Enable firewall was

Page 113 - Security

Common IPTables Filtering, p. 75: The three built-in chains are INPUT, OUTPUT, and FORWARD. These chains are permanent and cannot be deleted. The chain specif

Page 114

Chapter 2. Securing Your Network, p. 76: To allow users to perform network-related functions and to use networking applications, administrators must open cert

Page 115 - Secure Installation

FORWARD and NAT Rules, p. 77: Administrators must, therefore, find alternative ways to share access to Internet services without giving public IP addresses to

Page 116

Chapter 2. Securing Your Network, p. 78: To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for

Page 117 - Software Maintenance

Malicious Software and Spoofed IP Addresses, p. 79: With this command, all HTTP connections to port 80 from outside of the LAN are routed to the HTTP server o

Page 118

Notes and Warnings, p. ix: public class ExClient { public static void main(String args[]) throws Exception { InitialContext iniCtx = new Initi

Page 119 - 7.1. Introduction

Chapter 2. Securing Your Network, p. 80: • ESTABLISHED — A packet that is part of an existing connection. • RELATED — A packet that is requesting a new connec

Page 120 - (NISPOM)

IPTables, p. 81: 2.5.9.3. Related Documentation. • Red Hat Linux Firewalls, by Bill McCarty; Red Hat Press — a comprehensive reference to building network and s

Page 121 - References

Chapter 2. Securing Your Network, p. 82: The built-in chains for the nat table are as follows: • PREROUTING — Alters network packets when they arrive. • OUTPUT

Page 122

Command Options for IPTables, p. 83: Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied

Page 123 - A.1. Synchronous Encryption

Chapter 2. Securing Your Network, p. 84: Type iptables -h to view a comprehensive list of iptables command structures. 2.6.2.2. Command Options. Command options

Page 124 - A.2. Public-key Encryption

Command Options for IPTables, p. 85: • -N — Creates a new chain with a user-specified name. The chain name must be unique, otherwise an error message is displ

Page 125 - A.2.4. SSL/TLS

Chapter 2. Securing Your Network, p. 86: If the -i parameter is used but no interface is specified, then every interface is affected by the rule. • -j — Jumps

Page 126 - A.2.6. ElGamal Encryption

Command Options for IPTables, p. 87: Warning: Secure the /etc/services file to prevent unauthorized editing. If this file is editable, crackers can use it to en

Page 127 - Appendix B. Revision History

Chapter 2. Securing Your Network, p. 88: • SYN • URG • ALL • NONE. For example, an iptables rule that contains the following specification only matches TCP packet

Page 128

Command Options for IPTables, p. 89: The limit module enables the following options: • --limit — Sets the maximum number of matches for a particular time peri
