Useful Websites

https://access.redhat.com/kb/docs/DOC-6039: The CentOS Knowledgebase article about the kexec and kdump configuration.

http://people.redhat.com/anderson/: The crash utility homepage.

Part VII. Security And Authentication

Whether system administrators need to secure their mission-critical systems, services, or data, Community Enterprise Linux provides a range of tools and methods to serve as part of a comprehensive security strategy.

This chapter provides a general introduction to security, and from the perspective of Community Enterprise Linux in particular. It provides conceptual information in the areas of security assessment, common exploits, and intrusion and incident response. It also provides conceptual and specific configuration information on how to use SELinux to harden Workstation, Server, VPN, firewall and other implementations.

This chapter assumes a basic knowledge of IT security, and consequently provides only minimal coverage of common security practices such as controlling physical access, sound account-keeping policies and procedures, auditing, etc. Where appropriate, reference is made to external resources for this and related information.

Table of Contents

Security Overview

Introduction to Security

What is Computer Security?
Security Controls
Conclusion

Vulnerability Assessment

Thinking Like the Enemy
Defining Assessment and Testing
Evaluating the Tools

Attackers and Vulnerabilities

A Quick History of Hackers
Threats to Network Security
Threats to Server Security
Threats to Workstation and Home PC Security

Common Exploits and Attacks

Security Updates

Updating Packages

Securing Your Network

Workstation Security

Evaluating Workstation Security
BIOS and Boot Loader Security
Password Security
Administrative Controls
Available Network Services
Personal Firewalls
Security Enhanced Communication Tools

Server Security

Securing Services With TCP Wrappers and xinetd
Securing Portmap
Securing NIS
Securing NFS
Securing the Apache HTTP Server
Securing FTP
Securing Sendmail
Verifying Which Ports Are Listening

Single Sign-on (SSO)

Introduction
Getting Started with your new Smart Card
How Smart Card Enrollment Works
How Smart Card Login Works
Configuring Firefox to use Kerberos for SSO

Pluggable Authentication Modules (PAM)

Advantages of PAM
PAM Configuration Files
PAM Configuration File Format
Sample PAM Configuration Files
Creating PAM Modules
PAM and Administrative Credential Caching
PAM and Device Ownership
Additional Resources

TCP Wrappers and xinetd

TCP Wrappers
TCP Wrappers Configuration Files
xinetd
xinetd Configuration Files
Additional Resources

What is Kerberos?
Kerberos Terminology
How Kerberos Works
Kerberos and PAM
Configuring a Kerberos 5 Server
Configuring a Kerberos 5 Client
Domain-to-Realm Mapping
Setting Up Secondary KDCs
Setting Up Cross Realm Authentication
Additional Resources

Virtual Private Networks (VPNs)

How Does a VPN Work?
VPNs and Community Enterprise Linux
IPsec
Creating an IPsec Connection
IPsec Installation
IPsec Host-to-Host Configuration
IPsec Network-to-Network Configuration
Starting and Stopping an IPsec Connection

Netfilter and IPTables
Basic Firewall Configuration
Using IPTables
Common IPTables Filtering
FORWARD and NAT Rules
Malicious Software and Spoofed IP Addresses
IPTables and Connection Tracking
IPv6
Additional Resources

Packet Filtering
Differences Between IPTables and IPChains
Command Options for IPTables
Saving IPTables Rules
IPTables Control Scripts
IPTables and IPv6
Additional Resources

Security and SELinux

Access Control Mechanisms (ACMs)

Discretionary Access Control (DAC)
Access Control Lists (ACLs)
Mandatory Access Control (MAC)
Role-based Access Control (RBAC)
Multi-Level Security (MLS)
Multi-Category Security (MCS)

Introduction to SELinux

SELinux Overview
Files Related to SELinux
Additional Resources

Brief Background and History of SELinux

Multi-Category Security (MCS)

Introduction
Applications for Multi-Category Security
SELinux Security Contexts

Getting Started with Multi-Category Security (MCS)

Introduction
Comparing SELinux and Standard Linux User Identities
Configuring Categories
Assigning Categories to Users
Assigning Categories to Files

Multi-Level Security (MLS)

Why Multi-Level?
Security Levels, Objects and Subjects
MLS Policy
LSPP Certification

SELinux Policy Overview

What is the SELinux Policy?
Where is the Policy?
The Role of Policy in the Boot Process
Object Classes and Permissions

Targeted Policy Overview

What is the Targeted Policy?
Files and Directories of the Targeted Policy
Understanding the Users and Roles in the Targeted Policy

Working With SELinux

End User Control of SELinux

Moving and Copying Files
Checking the Security Context of a Process, User, or File Object
Relabeling a File or Directory
Creating Archives That Retain Security Contexts

Administrator Control of SELinux

Viewing the Status of SELinux
Relabeling a File System
Managing NFS Home Directories
Granting Access to a Directory or a Tree
Backing Up and Restoring the System
Enabling or Disabling Enforcement
Enable or Disable SELinux
Changing the Policy
Specifying the Security Context of Entire File Systems
Changing the Security Category of a File or User
Running a Command in a Specific Security Context
Useful Commands for Scripts
Changing to a Different Role
When to Reboot

Analyst Control of SELinux

Enabling Kernel Auditing
Dumping and Viewing Logs

Customizing SELinux Policy

Introduction

Modular Policy

Building a Local Policy Module

Using audit2allow to Build a Local Policy Module
Analyzing the Type Enforcement (TE) File
Loading the Policy Package