Part VII. Security And Authentication

Part VII. Security And Authentication

Whether system administrators need to secure their mission-critical systems, services, or data, Red Hat Enterprise Linux provides a range of tools and methods to serve as part of a comprehensive security strategy.

This chapter provides a general introduction to security, and from the perspective of Red Hat Enterprise Linux in particular. It provides conceptual information in the areas of security assessment, common exploits, and intrusion and incident response. It also provides conceptual and specific configuration information on how to use SELinux to harden Workstation, Server, VPN, firewall and other implementations.

This chapter assumes a basic knowledge of IT security, and consequently provides only minimal coverage of common security practices such as controlling physical access, sound account-keeping policies and procedures, auditing, etc. Where appropriate, reference is made to external resources for this and related information.

Table of Contents

42. Security Overview
42.1. Introduction to Security
42.1.1. What is Computer Security?
42.1.2. Security Controls
42.1.3. Conclusion
42.2. Vulnerability Assessment
42.2.1. Thinking Like the Enemy
42.2.2. Defining Assessment and Testing
42.2.3. Evaluating the Tools
42.3. Attackers and Vulnerabilities
42.3.1. A Quick History of Hackers
42.3.2. Threats to Network Security
42.3.3. Threats to Server Security
42.3.4. Threats to Workstation and Home PC Security
42.4. Common Exploits and Attacks
42.5. Security Updates
42.5.1. Updating Packages
43. Securing Your Network
43.1. Workstation Security
43.1.1. Evaluating Workstation Security
43.1.2. BIOS and Boot Loader Security
43.1.3. Password Security
43.1.4. Administrative Controls
43.1.5. Available Network Services
43.1.6. Personal Firewalls
43.1.7. Security Enhanced Communication Tools
43.2. Server Security
43.2.1. Securing Services With TCP Wrappers and xinetd
43.2.2. Securing Portmap
43.2.3. Securing NIS
43.2.4. Securing NFS
43.2.5. Securing the Apache HTTP Server
43.2.6. Securing FTP
43.2.7. Securing Sendmail
43.2.8. Verifying Which Ports Are Listening
43.3. Single Sign-on (SSO)
43.3.1. Introduction
43.3.2. Getting Started with your new Smart Card
43.3.3. How Smart Card Enrollment Works
43.3.4. How Smart Card Login Works
43.3.5. Configuring Firefox to use Kerberos for SSO
43.4. Pluggable Authentication Modules (PAM)
43.4.1. Advantages of PAM
43.4.2. PAM Configuration Files
43.4.3. PAM Configuration File Format
43.4.4. Sample PAM Configuration Files
43.4.5. Creating PAM Modules
43.4.6. PAM and Administrative Credential Caching
43.4.7. PAM and Device Ownership
43.4.8. Additional Resources
43.5. TCP Wrappers and xinetd
43.5.1. TCP Wrappers
43.5.2. TCP Wrappers Configuration Files
43.5.3. xinetd
43.5.4. xinetd Configuration Files
43.5.5. Additional Resources
43.6. Kerberos
43.6.1. What is Kerberos?
43.6.2. Kerberos Terminology
43.6.3. How Kerberos Works
43.6.4. Kerberos and PAM
43.6.5. Configuring a Kerberos 5 Server
43.6.6. Configuring a Kerberos 5 Client
43.6.7. Domain-to-Realm Mapping
43.6.8. Setting Up Secondary KDCs
43.6.9. Setting Up Cross Realm Authentication
43.6.10. Additional Resources
43.7. Virtual Private Networks (VPNs)
43.7.1. How Does a VPN Work?
43.7.2. VPNs and Red Hat Enterprise Linux
43.7.3. IPsec
43.7.4. Creating an IPsec Connection
43.7.5. IPsec Installation
43.7.6. IPsec Host-to-Host Configuration
43.7.7. IPsec Network-to-Network Configuration
43.7.8. Starting and Stopping an IPsec Connection
43.8. Firewalls
43.8.1. Netfilter and IPTables
43.8.2. Basic Firewall Configuration
43.8.3. Using IPTables
43.8.4. Common IPTables Filtering
43.8.5. FORWARD and NAT Rules
43.8.6. Malicious Software and Spoofed IP Addresses
43.8.7. IPTables and Connection Tracking
43.8.8. IPv6
43.8.9. Additional Resources
43.9. IPTables
43.9.1. Packet Filtering
43.9.2. Differences Between IPTables and IPChains
43.9.3. Command Options for IPTables
43.9.4. Saving IPTables Rules
43.9.5. IPTables Control Scripts
43.9.6. IPTables and IPv6
43.9.7. Additional Resources
44. Security and SELinux
44.1. Access Control Mechanisms (ACMs)
44.1.1. Discretionary Access Control (DAC)
44.1.2. Access Control Lists (ACLs)
44.1.3. Mandatory Access Control (MAC)
44.1.4. Role-based Access Control (RBAC)
44.1.5. Multi-Level Security (MLS)
44.1.6. Multi-Category Security (MCS)
44.2. Introduction to SELinux
44.2.1. SELinux Overview
44.2.2. Files Related to SELinux
44.2.3. Additional Resources
44.3. Brief Background and History of SELinux
44.4. Multi-Category Security (MCS)
44.4.1. Introduction
44.4.2. Applications for Multi-Category Security
44.4.3. SELinux Security Contexts
44.5. Getting Started with Multi-Category Security (MCS)
44.5.1. Introduction
44.5.2. Comparing SELinux and Standard Linux User Identities
44.5.3. Configuring Categories
44.5.4. Assigning Categories to Users
44.5.5. Assigning Categories to Files
44.6. Multi-Level Security (MLS)
44.6.1. Why Multi-Level?
44.6.2. Security Levels, Objects and Subjects
44.6.3. MLS Policy
44.6.4. LSPP Certification
44.7. SELinux Policy Overview
44.7.1. What is the SELinux Policy?
44.7.2. Where is the Policy?
44.7.3. The Role of Policy in the Boot Process
44.7.4. Object Classes and Permissions
44.8. Targeted Policy Overview
44.8.1. What is the Targeted Policy?
44.8.2. Files and Directories of the Targeted Policy
44.8.3. Understanding the Users and Roles in the Targeted Policy
45. Working With SELinux
45.1. End User Control of SELinux
45.1.1. Moving and Copying Files
45.1.2. Checking the Security Context of a Process, User, or File Object
45.1.3. Relabeling a File or Directory
45.1.4. Creating Archives That Retain Security Contexts
45.2. Administrator Control of SELinux
45.2.1. Viewing the Status of SELinux
45.2.2. Relabeling a File System
45.2.3. Managing NFS Home Directories
45.2.4. Granting Access to a Directory or a Tree
45.2.5. Backing Up and Restoring the System
45.2.6. Enabling or Disabling Enforcement
45.2.7. Enable or Disable SELinux
45.2.8. Changing the Policy
45.2.9. Specifying the Security Context of Entire File Systems
45.2.10. Changing the Security Category of a File or User
45.2.11. Running a Command in a Specific Security Context
45.2.12. Useful Commands for Scripts
45.2.13. Changing to a Different Role
45.2.14. When to Reboot
45.3. Analyst Control of SELinux
45.3.1. Enabling Kernel Auditing
45.3.2. Dumping and Viewing Logs
46. Customizing SELinux Policy
46.1. Introduction
46.1.1. Modular Policy
46.2. Building a Local Policy Module
46.2.1. Using audit2allow to Build a Local Policy Module
46.2.2. Analyzing the Type Enforcement (TE) File
46.2.3. Loading the Policy Package
47. References

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.