Sei sulla pagina 1di 223

Red Hat Enterprise Linux 7

Security Guide

A Guide to Securing Red Hat Enterprise Linux 7

Robert Krtk
Tom apek
Miroslav Svoboda

Mirek Jahoda
Stephen Wadeley

Martin Prpi
Yoana Ruseva

Red Hat Enterprise Linux 7 Security Guide

A Guide to Securing Red Hat Enterprise Linux 7


Robert Krtk
Red Hat Customer Content Services
rkratky@redhat.com
Mirek Jahoda
Red Hat Customer Content Services
mjahoda@redhat.com
Martin Prpi
Red Hat Customer Content Services
Tom apek
Red Hat Customer Content Services
Stephen Wadeley
Red Hat Customer Content Services
Yoana Ruseva
Red Hat Customer Content Services
Miroslav Svoboda
Red Hat Customer Content Services

Legal No tice
Copyright 2016 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons AttributionShareAlike 3.0 Unported License. If you distribute this document, or a modified version
of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If
the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees
not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable
law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora,
the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.
Linux is the registered trademark of Linus Torvalds in the United States and other
countries.
Java is a registered trademark of Oracle and/or its affiliates.
XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the
United States and/or other countries.
MySQL is a registered trademark of MySQL AB in the United States, the European
Union and other countries.
Node.js is an official trademark of Joyent. Red Hat Software Collections is not
formally related to or endorsed by the official Joyent Node.js open source or
commercial project.
The OpenStack Word Mark and OpenStack logo are either registered
trademarks/service marks or trademarks/service marks of the OpenStack
Foundation, in the United States and other countries and are used with the
OpenStack Foundation's permission. We are not affiliated with, endorsed or
sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Abstract
This book assists users and administrators in learning the processes and practices of
securing workstations and servers against local and remote intrusion, exploitation,
and malicious activity. Focused on Red Hat Enterprise Linux but detailing concepts
and techniques valid for all Linux systems, this guide details the planning and the
tools involved in creating a secured computing environment for the data center,
workplace, and home. With proper administrative knowledge, vigilance, and tools,
systems running Linux can be both fully functional and secured from most common
intrusion and exploit methods.

T able o f Co nt e nt s

T able o f Co ntents

. .hapt
C
. . . .e.r. 1.
. .O
. .ve
. .r.vie
. .w
. .o. f. Se
. . .c.ur
. .it. y. .T.o.pic
. . .s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3. . . . . . . . .
1 .1. What is C om puter Security?
3
1 .2. Security C ontrols
4
1 .3. Vulnerability Assessm ent
5
1 .4. Security Threats
9
1 .5. C om m on Exploits and Attacks
12

. .hapt
C
. . . .e.r. 2.
. . Se
..c
. ur
. . it
. .y. T
. .ips
. . .f .o.r.Ins
. . .t.allat
. . . .io. n
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
..........
2.1. Securing BIO S
17
2.2. P artitioning the Disk
17
2.3. Installing the Minim um Am ount of P ackages Required
18
2.4. P ost-installation P rocedures
18
2.5. Additional Resources
19

. .hapt
C
. . . .e.r. 3.
. . Ke
..e
. .ping
. . . .Yo
. . ur
. . .Sys
. . .t.e.m
. .Up-t
. . . .o.-Dat
. . . .e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
..........
3 .1. Maintaining Installed Software
20
3 .2. Using the Red Hat C ustom er P ortal
24
3 .3. Additional Resources

25

. .hapt
C
. . . .e.r. 4. .. Har
. . . de
. . .ning
. . . . Yo
. . ur
. . .Sys
. . .t.e.m
. .wit
. . .h. T. o
. .o.ls. .and
. . . Se
. . .r.vic
. . e. s. . . . . . . . . . . . . . . . . . . .27
..........
4 .1. Desktop Security
4 .2. C ontrolling Root Access

27
36

4 .3. Securing Services


4 .4. Securing Network Access
4 .5. Using Firewalls

43
63
69

4 .6. Securing DNS Traffic with DNSSEC


4 .7. Securing Virtual P rivate Networks (VP Ns)

102
112

4 .8. Using O penSSL


4 .9. Using stunnel

122
128

4 .10. Encryption
4 .11. Hardening TLS C onfiguration

131
146

. .hapt
C
. . . .e.r. 5.
. . Sys
. . . t. e. m
. . Audit
. . . . .ing
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
...........
U se C ases
5.1. Audit System Architecture

157
157

5.2. Installing the audit P ackages


5.3. C onfiguring the audit Service
5.4. Starting the audit Service
5.5. Defining Audit Rules

158
158
160
160

5.6. Understanding Audit Log Files


5.7. Searching the Audit Log Files
5.8. C reating Audit Reports
5.9. Additional Resources

165
170
171
172

. .hapt
C
. . . .e.r. 6. .. Co
. . .mplianc
......e
. .and
. . . .Vulne
. . . . .r.abilit
....y
. .Sc
. .anning
. . . . . . .wit
. .h
. .O. pe
. . .nSCAP
. . . . . . . . . . . . . . . . .173
...........
6 .1. Security C om pliance in Red Hat Enterprise Linux
6 .2. Defining C om pliance P olicy
6 .3. Using SC AP Workbench
6 .4. Using oscap

173
173
182
189

6 .5. Using O penSC AP with Docker


6 .6. Using the O penSC AP -daem on and Atom ic Scan
6 .7. Using O penSC AP with Red Hat Satellite
6 .8. P ractical Exam ples

197
198
199
199

Se c ur it y Guide

6 .9. Additional Resources

200

. .hapt
C
. . . .e.r. 7.
. . Fe
. . de
. . .r al
. . St
. . andar
. . . . . .ds
. . and
. . . .Re
. . gulat
. . . . .io
. .ns
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
. .2. . . . . . . . .
7.1. Federal Inform ation P rocessing Standard (FIP S)
7.2. National Industrial Security P rogram O perating Manual (NISP O M)
7.3. P aym ent C ard Industry Data Security Standard (P C I DSS)
7.4. Security Technical Im plem entation Guide

202
204
204
205

. .ppe
A
. . .ndix
. . . . A.
. . Enc
. . . r. ypt
. . . io
. .n. .St
. .andar
. . . . .ds
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
. .6. . . . . . . . .
A.1. Synchronous Encryption
A.2. P ublic-key Encryption

206
207

. .ppe
A
. . .ndix
. . . . B.
. . Audit
. . . . . .Sys
. . .t.e.m
. .Re
. .f.e.r.e.nc
. .e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
...........
B.1. Audit Event Fields
210
B.2. Audit Record Types
213

. .ppe
A
. . .ndix
. . . . C.
. . Re
. . .vis
. . io
. .n. His
. . . t. o. r. y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
...........

C hapt e r 1. O ve r vie w o f Se c ur it y T o pic s

Chapt er 1. Overview of Securit y Topics


Due to the incre as e d re liance on powe rful, ne tworke d compute rs to he lp run bus ine s s e s
and ke e p track of our pe rs onal information, e ntire indus trie s have be e n forme d around
the practice of ne twork and compute r s e curity. Ente rpris e s have s olicite d the knowle dge
and s kills of s e curity e xpe rts to prope rly audit s ys te ms and tailor s olutions to fit the
ope rating re quire me nts of the ir organiz ation. Be caus e mos t organiz ations are incre as ingly
dynamic in nature , the ir worke rs are acce s s ing critical company IT re s ource s locally and
re mote ly, he nce the ne e d for s e cure computing e nvironme nts has be come more
pronounce d.
Unfortunate ly, many organiz ations (as we ll as individual us e rs ) re gard s e curity as more of
an afte rthought, a proce s s that is ove rlooke d in favor of incre as e d powe r, productivity,
conve nie nce , e as e of us e , and budge tary conce rns . Prope r s e curity imple me ntation is
ofte n e nacte d pos tmorte m after an unauthoriz e d intrus ion has alre ady occurre d. Taking
the corre ct me as ure s prior to conne cting a s ite to an untrus te d ne twork, s uch as the
Inte rne t, is an e ffe ctive me ans of thwarting many atte mpts at intrus ion.

No te
This docume nt make s s e ve ral re fe re nce s to file s in the /lib dire ctory. Whe n us ing
64-bit s ys te ms , s ome of the file s me ntione d may ins te ad be locate d in /lib64.

1.1. What is Comput er Securit y?


Compute r s e curity is a ge ne ral te rm that cove rs a wide are a of computing and information
proce s s ing. Indus trie s that de pe nd on compute r s ys te ms and ne tworks to conduct daily
bus ine s s trans actions and acce s s critical information re gard the ir data as an important
part of the ir ove rall as s e ts . Se ve ral te rms and me trics have e nte re d our daily bus ine s s
vocabulary, s uch as total cos t of owne rs hip (TCO), re turn on inve s tme nt (ROI), and quality
of s e rvice (QoS). Us ing the s e me trics , indus trie s can calculate as pe cts s uch as data
inte grity and high-availability (HA) as part of the ir planning and proce s s manage me nt
cos ts . In s ome indus trie s , s uch as e le ctronic comme rce , the availability and
trus tworthine s s of data can me an the diffe re nce be twe e n s ucce s s and failure .

1.1.1. St andardizing Securit y


Ente rpris e s in e ve ry indus try re ly on re gulations and rule s that are s e t by s tandards making bodie s s uch as the Ame rican Me dical As s ociation (AMA) or the Ins titute of Ele ctrical
and Ele ctronics Engine e rs (IEEE). The s ame ide als hold true for information s e curity. Many
s e curity cons ultants and ve ndors agre e upon the s tandard s e curity mode l known as CIA,
or Confidentiality, Integrity, and Availability. This thre e -tie re d mode l is a ge ne rally
acce pte d compone nt to as s e s s ing ris ks of s e ns itive information and e s tablis hing s e curity
policy. The following de s cribe s the CIA mode l in furthe r de tail:
Confide ntiality Se ns itive information mus t be available only to a s e t of pre -de fine d
individuals . Unauthoriz e d trans mis s ion and us age of information s hould be re s tricte d.
For e xample , confide ntiality of information e ns ure s that a cus tome r's pe rs onal or
financial information is not obtaine d by an unauthoriz e d individual for malicious
purpos e s s uch as ide ntity the ft or cre dit fraud.

Se c ur it y Guide

Inte grity Information s hould not be alte re d in ways that re nde r it incomple te or
incorre ct. Unauthoriz e d us e rs s hould be re s tricte d from the ability to modify or de s troy
s e ns itive information.
Availability Information s hould be acce s s ible to authoriz e d us e rs any time that it is
ne e de d. Availability is a warranty that information can be obtaine d with an agre e d-upon
fre que ncy and time line s s . This is ofte n me as ure d in te rms of pe rce ntage s and agre e d
to formally in Se rvice Le ve l Agre e me nts (SLAs ) us e d by ne twork s e rvice provide rs and
the ir e nte rpris e clie nts .

1.2. Securit y Cont rols


Compute r s e curity is ofte n divide d into thre e dis tinct mas te r cate gorie s , commonly
re fe rre d to as controls:
Phys ical
Te chnical
Adminis trative
The s e thre e broad cate gorie s de fine the main obje ctive s of prope r s e curity
imple me ntation. Within the s e controls are s ub-cate gorie s that furthe r de tail the controls
and how to imple me nt the m.

1.2.1. Physical Cont rols


Phys ical control is the imple me ntation of s e curity me as ure s in a de fine d s tructure us e d to
de te r or pre ve nt unauthoriz e d acce s s to s e ns itive mate rial. Example s of phys ical controls
are :
Clos e d-circuit s urve illance came ras
Motion or the rmal alarm s ys te ms
Se curity guards
Picture IDs
Locke d and de ad-bolte d s te e l doors
Biome trics (include s finge rprint, voice , face , iris , handwriting, and othe r automate d
me thods us e d to re cogniz e individuals )

1.2.2. T echnical Cont rols


Te chnical controls us e te chnology as a bas is for controlling the acce s s and us age of
s e ns itive data throughout a phys ical s tructure and ove r a ne twork. Te chnical controls are
far-re aching in s cope and e ncompas s s uch te chnologie s as :
Encryption
Smart cards
Ne twork authe ntication
Acce s s control lis ts (ACLs )

C hapt e r 1. O ve r vie w o f Se c ur it y T o pic s

File inte grity auditing s oftware

1.2.3. Administ rat ive Cont rols


Adminis trative controls de fine the human factors of s e curity. The y involve all le ve ls of
pe rs onne l within an organiz ation and de te rmine which us e rs have acce s s to what
re s ource s and information by s uch me ans as :
Training and aware ne s s
Dis as te r pre pare dne s s and re cove ry plans
Pe rs onne l re cruitme nt and s e paration s trate gie s
Pe rs onne l re gis tration and accounting

1.3. Vulnerabilit y Assessment


Give n time , re s ource s , and motivation, an attacke r can bre ak into ne arly any s ys te m. All of
the s e curity proce dure s and te chnologie s curre ntly available cannot guarante e that any
s ys te ms are comple te ly s afe from intrus ion. Route rs he lp s e cure gate ways to the
Inte rne t. Fire walls he lp s e cure the e dge of the ne twork. Virtual Private Ne tworks s afe ly
pas s data in an e ncrypte d s tre am. Intrus ion de te ction s ys te ms warn you of malicious
activity. Howe ve r, the s ucce s s of e ach of the s e te chnologie s is de pe nde nt upon a numbe r
of variable s , including:
The e xpe rtis e of the s taff re s pons ible for configuring, monitoring, and maintaining the
te chnologie s .
The ability to patch and update s e rvice s and ke rne ls quickly and e fficie ntly.
The ability of thos e re s pons ible to ke e p cons tant vigilance ove r the ne twork.
Give n the dynamic s tate of data s ys te ms and te chnologie s , s e curing corporate re s ource s
can be quite comple x. Due to this comple xity, it is ofte n difficult to find e xpe rt re s ource s
for all of your s ys te ms . While it is pos s ible to have pe rs onne l knowle dge able in many
are as of information s e curity at a high le ve l, it is difficult to re tain s taff who are e xpe rts in
more than a fe w s ubje ct are as . This is mainly be caus e e ach s ubje ct are a of information
s e curity re quire s cons tant atte ntion and focus . Information s e curity doe s not s tand s till.
A vulne rability as s e s s me nt is an inte rnal audit of your ne twork and s ys te m s e curity; the
re s ults of which indicate the confide ntiality, inte grity, and availability of your ne twork (as
e xplaine d in Se ction 1.1.1, Standardiz ing Se curity). Typically, vulne rability as s e s s me nt
s tarts with a re connais s ance phas e , during which important data re garding the targe t
s ys te ms and re s ource s is gathe re d. This phas e le ads to the s ys te m re adine s s phas e ,
whe re by the targe t is e s s e ntially che cke d for all known vulne rabilitie s . The re adine s s
phas e culminate s in the re porting phas e , whe re the findings are clas s ifie d into cate gorie s
of high, me dium, and low ris k; and me thods for improving the s e curity (or mitigating the
ris k of vulne rability) of the targe t are dis cus s e d
If you we re to pe rform a vulne rability as s e s s me nt of your home , you would like ly che ck
e ach door to your home to s e e if the y are clos e d and locke d. You would als o che ck e ve ry
window, making s ure that the y clos e d comple te ly and latch corre ctly. This s ame conce pt
applie s to s ys te ms , ne tworks , and e le ctronic data. Malicious us e rs are the thie ve s and
vandals of your data. Focus on the ir tools , me ntality, and motivations , and you can the n
re act s wiftly to the ir actions .

1.3.1. Def ining Assessment and T est ing

Se c ur it y Guide

1.3.1. Def ining Assessment and T est ing


Vulne rability as s e s s me nts may be broke n down into one of two type s : outside looking in
and inside looking around.
Whe n pe rforming an outs ide -looking-in vulne rability as s e s s me nt, you are atte mpting to
compromis e your s ys te ms from the outs ide . Be ing e xte rnal to your company provide s
you with the cracke r's vie wpoint. You s e e what a cracke r s e e s publicly-routable IP
addre s s e s , s ys te ms on your DMZ, e xte rnal inte rface s of your fire wall, and more . DMZ
s tands for "de militariz e d z one ", which corre s ponds to a compute r or s mall s ubne twork that
s its be twe e n a trus te d inte rnal ne twork, s uch as a corporate private LAN, and an untrus te d
e xte rnal ne twork, s uch as the public Inte rne t. Typically, the DMZ contains de vice s
acce s s ible to Inte rne t traffic, s uch as We b (HTTP) s e rve rs , FTP s e rve rs , SMTP (e -mail)
s e rve rs and DNS s e rve rs .
Whe n you pe rform an ins ide -looking-around vulne rability as s e s s me nt, you are at an
advantage s ince you are inte rnal and your s tatus is e le vate d to trus te d. This is the
vie wpoint you and your co-worke rs have once logge d on to your s ys te ms . You s e e print
s e rve rs , file s e rve rs , databas e s , and othe r re s ource s .
The re are s triking dis tinctions be twe e n the two type s of vulne rability as s e s s me nts . Be ing
inte rnal to your company give s you more privile ge s than an outs ide r. In mos t
organiz ations , s e curity is configure d to ke e p intrude rs out. Ve ry little is done to s e cure
the inte rnals of the organiz ation (s uch as de partme ntal fire walls , us e r-le ve l acce s s
controls , and authe ntication proce dure s for inte rnal re s ource s ). Typically, the re are many
more re s ource s whe n looking around ins ide as mos t s ys te ms are inte rnal to a company.
Once you are outs ide the company, your s tatus is untrus te d. The s ys te ms and re s ource s
available to you e xte rnally are us ually ve ry limite d.
Cons ide r the diffe re nce be twe e n vulne rability as s e s s me nts and penetration tests. Think of
a vulne rability as s e s s me nt as the firs t s te p to a pe ne tration te s t. The information gle ane d
from the as s e s s me nt is us e d for te s ting. Whe re as the as s e s s me nt is unde rtake n to
che ck for hole s and pote ntial vulne rabilitie s , the pe ne tration te s ting actually atte mpts to
e xploit the findings .
As s e s s ing ne twork infras tructure is a dynamic proce s s . Se curity, both information and
phys ical, is dynamic. Pe rforming an as s e s s me nt s hows an ove rvie w, which can turn up
fals e pos itive s and fals e ne gative s . A fals e pos itive is a re s ult, whe re the tool finds
vulne rabilitie s which in re ality do not e xis t. A fals e ne gative is whe n it omits actual
vulne rabilitie s .
Se curity adminis trators are only as good as the tools the y us e and the knowle dge the y
re tain. Take any of the as s e s s me nt tools curre ntly available , run the m agains t your
s ys te m, and it is almos t a guarante e that the re are s ome fals e pos itive s . Whe the r by
program fault or us e r e rror, the re s ult is the s ame . The tool may find fals e pos itive s , or,
e ve n wors e , fals e ne gative s .
Now that the diffe re nce be twe e n a vulne rability as s e s s me nt and a pe ne tration te s t is
de fine d, take the findings of the as s e s s me nt and re vie w the m care fully be fore conducting
a pe ne tration te s t as part of your ne w be s t practice s approach.

Warning
Do not atte mpt to e xploit vulne rabilitie s on production s ys te ms . Doing s o can have
adve rs e e ffe cts on productivity and e fficie ncy of your s ys te ms and ne twork.

C hapt e r 1. O ve r vie w o f Se c ur it y T o pic s

The following lis t e xamine s s ome of the be ne fits to pe rforming vulne rability as s e s s me nts .
Cre ate s proactive focus on information s e curity.
Finds pote ntial e xploits be fore cracke rs find the m.
Re s ults in s ys te ms be ing ke pt up to date and patche d.
Promote s growth and aids in de ve loping s taff e xpe rtis e .
Abate s financial los s and ne gative publicity.

1.3.2. Est ablishing a Met hodology f or Vulnerabilit y Assessment


To aid in the s e le ction of tools for a vulne rability as s e s s me nt, it is he lpful to e s tablis h a
vulne rability as s e s s me nt me thodology. Unfortunate ly, the re is no pre de fine d or indus try
approve d me thodology at this time ; howe ve r, common s e ns e and be s t practice s can act
as a s ufficie nt guide .
What is the target? Are we looking at one server, or are we looking at our entire network
and everything within the network? Are we external or internal to the company? The
ans we rs to the s e que s tions are important as the y he lp de te rmine not only which tools to
s e le ct but als o the manne r in which the y are us e d.
To le arn more about e s tablis hing me thodologie s , s e e the following we bs ite :
https ://www.owas p.org/ The Open Web Application Security Project

1.3.3. Vulnerabilit y Assessment T ools


An as s e s s me nt can s tart by us ing s ome form of an information-gathe ring tool. Whe n
as s e s s ing the e ntire ne twork, map the layout firs t to find the hos ts that are running. Once
locate d, e xamine e ach hos t individually. Focus ing on the s e hos ts re quire s anothe r s e t of
tools . Knowing which tools to us e may be the mos t crucial s te p in finding vulne rabilitie s .
Jus t as in any as pe ct of e ve ryday life , the re are many diffe re nt tools that pe rform the
s ame job. This conce pt applie s to pe rforming vulne rability as s e s s me nts as we ll. The re
are tools s pe cific to ope rating s ys te ms , applications , and e ve n ne tworks (bas e d on the
protocols us e d). Some tools are fre e ; othe rs are not. Some tools are intuitive and e as y to
us e , while othe rs are cryptic and poorly docume nte d but have fe ature s that othe r tools do
not.
Finding the right tools may be a daunting tas k and, in the e nd, e xpe rie nce counts . If
pos s ible , s e t up a te s t lab and try out as many tools as you can, noting the s tre ngths and
we akne s s e s of e ach. Re vie w the README file or man page for the tools . Additionally, look
to the Inte rne t for more information, s uch as article s , s te p-by-s te p guide s , or e ve n mailing
lis ts s pe cific to the tools .
The tools dis cus s e d be low are jus t a s mall s ampling of the available tools .

1.3.3.1. Scanning Host s wit h Nmap


Nmap is a popular tool that can be us e d to de te rmine the layout of a ne twork. Nmap has
be e n available for many ye ars and is probably the mos t ofte n us e d tool whe n gathe ring
information. An e xce lle nt manual page is include d that provide s de taile d de s criptions of its
options and us age . Adminis trators can us e Nmap on a ne twork to find hos t s ys te ms and
ope n ports on thos e s ys te ms .

Se c ur it y Guide

Nmap is a compe te nt firs t s te p in vulne rability as s e s s me nt. You can map out all the hos ts
within your ne twork and e ve n pas s an option that allows Nmap to atte mpt to ide ntify the
ope rating s ys te m running on a particular hos t. Nmap is a good foundation for e s tablis hing
a policy of us ing s e cure s e rvice s and re s tricting unus e d s e rvice s .
To ins tall Nmap, run the yum install nmap command as the root us e r.
1.3.3.1.1. Using Nmap
Nmap can be run from a s he ll prompt by typing the nmap command followe d by the
hos tname or IP addre s s of the machine to s can:
nmap <hostname>
For e xample , to s can a machine with hos tname foo.example.com, type the following at a
s he ll prompt:
~]$ nmap foo.example.com
The re s ults of a bas ic s can (which could take up to a fe w minute s , de pe nding on whe re the
hos t is locate d and othe r ne twork conditions ) look s imilar to the following:
Interesting ports on foo.example.com:
Not shown: 1710 filtered ports
PORT
STATE SERVICE
22/tcp open
ssh
53/tcp open
domain
80/tcp open
http
113/tcp closed auth
Nmap te s ts the mos t common ne twork communication ports for lis te ning or waiting
s e rvice s . This knowle dge can be he lpful to an adminis trator who wants to clos e
unne ce s s ary or unus e d s e rvice s .
For more information about us ing Nmap, s e e the official home page at the following URL:
http://www.ins e cure .org/

1.3.3.2. Nessus
Nessus is a full-s e rvice s e curity s canne r. The plug-in archite cture of Nessus allows us e rs
to cus tomiz e it for the ir s ys te ms and ne tworks . As with any s canne r, Nessus is only as
good as the s ignature databas e it re lie s upon. Fortunate ly, Nessus is fre que ntly update d
and fe ature s full re porting, hos t s canning, and re al-time vulne rability s e arche s . Re me mbe r
that the re could be fals e pos itive s and fals e ne gative s , e ve n in a tool as powe rful and as
fre que ntly update d as Nessus.

No te
The Nessus clie nt and s e rve r s oftware re quire s a s ubs cription to us e . It has be e n
include d in this docume nt as a re fe re nce to us e rs who may be inte re s te d in us ing
this popular application.

C hapt e r 1. O ve r vie w o f Se c ur it y T o pic s

For more information about Nessus, s e e the official we bs ite at the following URL:
http://www.ne s s us .org/

1.3.3.3. OpenVAS
OpenVAS (Open Vulnerability Assessment System) is a s e t of tools and s e rvice s that can
be us e d to s can for vulne rabilitie s and for a compre he ns ive vulne rability manage me nt.
The OpenVAS frame work offe rs a numbe r of we b-bas e d, de s ktop, and command line
tools for controlling the various compone nts of the s olution. The core functionality of
OpenVAS is provide d by a s e curity s canne r, which make s us e of ove r 33 thous and dailyupdate d Ne twork Vulne rability Te s ts (NVT). Unlike Nessus (s e e Se ction 1.3.3.2, Ne s s us ),
OpenVAS doe s not re quire any s ubs cription.
For more information about Ope nVAS, s e e the official we bs ite at the following URL:
http://www.ope nvas .org/

1.3.3.4. Nikt o
Nikt o is an e xce lle nt common gateway interface (CGI) s cript s canne r. Nikt o not only
che cks for CGI vulne rabilitie s but doe s s o in an e vas ive manne r, s o as to e lude intrus ionde te ction s ys te ms . It come s with thorough docume ntation which s hould be care fully
re vie we d prior to running the program. If you have we b s e rve rs s e rving CGI s cripts ,
Nikt o can be an e xce lle nt re s ource for che cking the s e curity of the s e s e rve rs .
More information about Nikt o can be found at the following URL:
http://cirt.ne t/nikto2

1.4. Securit y T hreat s


1.4.1. T hreat s t o Net work Securit y
Bad practice s whe n configuring the following as pe cts of a ne twork can incre as e the ris k of
an attack.

Insecure Archit ect ures


A mis configure d ne twork is a primary e ntry point for unauthoriz e d us e rs . Le aving a trus tbas e d, ope n local ne twork vulne rable to the highly-ins e cure Inte rne t is much like le aving a
door ajar in a crime -ridde n ne ighborhood nothing may happe n for an arbitrary amount of
time , but s ome one e xploits the opportunity eventually.

Broadcast Net works


Sys te m adminis trators ofte n fail to re aliz e the importance of ne tworking hardware in the ir
s e curity s che me s . Simple hardware , s uch as hubs and route rs , re lie s on the broadcas t or
non-s witche d principle ; that is , whe ne ve r a node trans mits data acros s the ne twork to a
re cipie nt node , the hub or route r s e nds a broadcas t of the data packe ts until the re cipie nt
node re ce ive s and proce s s e s the data. This me thod is the mos t vulne rable to addre s s
re s olution protocol (ARP) or me dia acce s s control (MAC) addre s s s poofing by both outs ide
intrude rs and unauthoriz e d us e rs on local hos ts .

Cent ralized Servers

Se c ur it y Guide

Anothe r pote ntial ne tworking pitfall is the us e of ce ntraliz e d computing. A common cos tcutting me as ure for many bus ine s s e s is to cons olidate all s e rvice s to a s ingle powe rful
machine . This can be conve nie nt as it is e as ie r to manage and cos ts cons ide rably le s s
than multiple -s e rve r configurations . Howe ve r, a ce ntraliz e d s e rve r introduce s a s ingle
point of failure on the ne twork. If the ce ntral s e rve r is compromis e d, it may re nde r the
ne twork comple te ly us e le s s or wors e , prone to data manipulation or the ft. In the s e
s ituations , a ce ntral s e rve r be come s an ope n door that allows acce s s to the e ntire
ne twork.

1.4.2. T hreat s t o Server Securit y


Se rve r s e curity is as important as ne twork s e curity be caus e s e rve rs ofte n hold a gre at
de al of an organiz ation's vital information. If a s e rve r is compromis e d, all of its conte nts
may be come available for the cracke r to s te al or manipulate at will. The following s e ctions
de tail s ome of the main is s ue s .

Unused Services and Open Port s


A full ins tallation of Re d Hat Ente rpris e Linux 7 contains more than 1000 application and
library package s . Howe ve r, mos t s e rve r adminis trators do not opt to ins tall e ve ry s ingle
package in the dis tribution, pre fe rring ins te ad to ins tall a bas e ins tallation of package s ,
including s e ve ral s e rve r applications . Se e Se ction 2.3, Ins talling the Minimum Amount of
Package s Re quire d for an e xplanation of the re as ons to limit the numbe r of ins talle d
package s and for additional re s ource s .
A common occurre nce among s ys te m adminis trators is to ins tall the ope rating s ys te m
without paying atte ntion to what programs are actually be ing ins talle d. This can be
proble matic be caus e unne e de d s e rvice s may be ins talle d, configure d with the de fault
s e ttings , and pos s ibly turne d on. This can caus e unwante d s e rvice s , s uch as Te lne t, DHCP,
or DNS, to run on a s e rve r or works tation without the adminis trator re aliz ing it, which in
turn can caus e unwante d traffic to the s e rve r or e ve n a pote ntial pathway into the s ys te m
for cracke rs . Se e Se ction 4.3, Se curing Se rvice s for information on clos ing ports and
dis abling unus e d s e rvice s .

Unpat ched Services


Mos t s e rve r applications that are include d in a de fault ins tallation are s olid, thoroughly
te s te d pie ce s of s oftware . Having be e n in us e in production e nvironme nts for many ye ars ,
the ir code has be e n thoroughly re fine d and many of the bugs have be e n found and fixe d.
Howe ve r, the re is no s uch thing as pe rfe ct s oftware and the re is always room for furthe r
re fine me nt. More ove r, ne we r s oftware is ofte n not as rigorous ly te s te d as one might
e xpe ct, be caus e of its re ce nt arrival to production e nvironme nts or be caus e it may not be
as popular as othe r s e rve r s oftware .
De ve lope rs and s ys te m adminis trators ofte n find e xploitable bugs in s e rve r applications
and publis h the information on bug tracking and s e curity-re late d we bs ite s s uch as the
Bugtraq mailing lis t (http://www.s e curityfocus .com) or the Compute r Eme rge ncy Re s pons e
Te am (CERT) we bs ite (http://www.ce rt.org). Although the s e me chanis ms are an e ffe ctive
way of ale rting the community to s e curity vulne rabilitie s , it is up to s ys te m adminis trators
to patch the ir s ys te ms promptly. This is particularly true be caus e cracke rs have acce s s to
the s e s ame vulne rability tracking s e rvice s and will us e the information to crack unpatche d
s ys te ms whe ne ve r the y can. Good s ys te m adminis tration re quire s vigilance , cons tant bug
tracking, and prope r s ys te m mainte nance to e ns ure a more s e cure computing
e nvironme nt.

10

C hapt e r 1. O ve r vie w o f Se c ur it y T o pic s

Se e Chapte r 3, Keeping Your System Up-to-Date for more information about ke e ping a
s ys te m up-to-date .

Inat t ent ive Administ rat ion


Adminis trators who fail to patch the ir s ys te ms are one of the gre ate s t thre ats to s e rve r
s e curity. According to the SysAdmin, Audit, Network, Security Institute (SANS), the primary
caus e of compute r s e curity vulne rability is "as s igning untraine d pe ople to maintain
s e curity and providing ne ithe r the training nor the time to make it pos s ible to le arn and do
the job." [1] This applie s as much to ine xpe rie nce d adminis trators as it doe s to
ove rconfide nt or amotivate d adminis trators .
Some adminis trators fail to patch the ir s e rve rs and works tations , while othe rs fail to watch
log me s s age s from the s ys te m ke rne l or ne twork traffic. Anothe r common e rror is whe n
de fault pas s words or ke ys to s e rvice s are le ft unchange d. For e xample , s ome databas e s
have de fault adminis tration pas s words be caus e the databas e de ve lope rs as s ume that
the s ys te m adminis trator change s the s e pas s words imme diate ly afte r ins tallation. If a
databas e adminis trator fails to change this pas s word, e ve n an ine xpe rie nce d cracke r can
us e a wide ly-known de fault pas s word to gain adminis trative privile ge s to the databas e .
The s e are only a fe w e xample s of how inatte ntive adminis tration can le ad to
compromis e d s e rve rs .

Inherent ly Insecure Services


Eve n the mos t vigilant organiz ation can fall victim to vulne rabilitie s if the ne twork s e rvice s
the y choos e are inhe re ntly ins e cure . For ins tance , the re are many s e rvice s de ve lope d
unde r the as s umption that the y are us e d ove r trus te d ne tworks ; howe ve r, this
as s umption fails as s oon as the s e rvice be come s available ove r the Inte rne t which is
its e lf inhe re ntly untrus te d.
One cate gory of ins e cure ne twork s e rvice s are thos e that re quire une ncrypte d
us e rname s and pas s words for authe ntication. Te lne t and FTP are two s uch s e rvice s . If
packe t s niffing s oftware is monitoring traffic be twe e n the re mote us e r and s uch a s e rvice
us e rname s and pas s words can be e as ily inte rce pte d.
Inhe re ntly, s uch s e rvice s can als o more e as ily fall pre y to what the s e curity indus try
te rms the man-in-the-middle attack. In this type of attack, a cracke r re dire cts ne twork
traffic by tricking a cracke d name s e rve r on the ne twork to point to his machine ins te ad of
the inte nde d s e rve r. Once s ome one ope ns a re mote s e s s ion to the s e rve r, the attacke r's
machine acts as an invis ible conduit, s itting quie tly be twe e n the re mote s e rvice and the
uns us pe cting us e r capturing information. In this way a cracke r can gathe r adminis trative
pas s words and raw data without the s e rve r or the us e r re aliz ing it.
Anothe r cate gory of ins e cure s e rvice s include ne twork file s ys te ms and information
s e rvice s s uch as NFS or NIS, which are de ve lope d e xplicitly for LAN us age but are ,
unfortunate ly, e xte nde d to include WANs (for re mote us e rs ). NFS doe s not, by de fault,
have any authe ntication or s e curity me chanis ms configure d to pre ve nt a cracke r from
mounting the NFS s hare and acce s s ing anything containe d the re in. NIS, as we ll, has vital
information that mus t be known by e ve ry compute r on a ne twork, including pas s words and
file pe rmis s ions , within a plain te xt ASCII or DBM (ASCII-de rive d) databas e . A cracke r who
gains acce s s to this databas e can the n acce s s e ve ry us e r account on a ne twork, including
the adminis trator's account.
By de fault, Re d Hat Ente rpris e Linux 7 is re le as e d with all s uch s e rvice s turne d off.
Howe ve r, s ince adminis trators ofte n find the ms e lve s force d to us e the s e s e rvice s ,
care ful configuration is critical. Se e Se ction 4.3, Se curing Se rvice s for more information
about s e tting up s e rvice s in a s afe manne r.

11

Se c ur it y Guide

1.4.3. T hreat s t o Workst at ion and Home PC Securit y


Works tations and home PCs may not be as prone to attack as ne tworks or s e rve rs , but
s ince the y ofte n contain s e ns itive data, s uch as cre dit card information, the y are targe te d
by s ys te m cracke rs . Works tations can als o be co-opte d without the us e r's knowle dge and
us e d by attacke rs as "s lave " machine s in coordinate d attacks . For the s e re as ons , knowing
the vulne rabilitie s of a works tation can s ave us e rs the he adache of re ins talling the
ope rating s ys te m, or wors e , re cove ring from data the ft.

Bad Passwords
Bad pas s words are one of the e as ie s t ways for an attacke r to gain acce s s to a s ys te m.
For more on how to avoid common pitfalls whe n cre ating a pas s word, s e e Se ction 4.1.1,
Pas s word Se curity.

Vulnerable Client Applicat ions


Although an adminis trator may have a fully s e cure and patche d s e rve r, that doe s not
me an re mote us e rs are s e cure whe n acce s s ing it. For ins tance , if the s e rve r offe rs
Te lne t or FTP s e rvice s ove r a public ne twork, an attacke r can capture the plain te xt
us e rname s and pas s words as the y pas s ove r the ne twork, and the n us e the account
information to acce s s the re mote us e r's works tation.
Eve n whe n us ing s e cure protocols , s uch as SSH, a re mote us e r may be vulne rable to
ce rtain attacks if the y do not ke e p the ir clie nt applications update d. For ins tance , v.1 SSH
clie nts are vulne rable to an X-forwarding attack from malicious SSH s e rve rs . Once
conne cte d to the s e rve r, the attacke r can quie tly capture any ke ys troke s and mous e
clicks made by the clie nt ove r the ne twork. This proble m was fixe d in the v.2 SSH protocol,
but it is up to the us e r to ke e p track of what applications have s uch vulne rabilitie s and
update the m as ne ce s s ary.
Se ction 4.1, De s ktop Se curity dis cus s e s in more de tail what s te ps adminis trators and
home us e rs s hould take to limit the vulne rability of compute r works tations .

1.5. Common Exploit s and At t acks


Table 1.1, Common Exploits de tails s ome of the mos t common e xploits and e ntry points
us e d by intrude rs to acce s s organiz ational ne twork re s ource s . Ke y to the s e common
e xploits are the e xplanations of how the y are pe rforme d and how adminis trators can
prope rly s afe guard the ir ne twork agains t s uch attacks .
T able 1.1. Co mmo n Explo it s
Explo it

12

Descript io n

No t es

C hapt e r 1. O ve r vie w o f Se c ur it y T o pic s

Explo it

Descript io n

No t es

Null or De fault
Pas s words

Le aving adminis trative pas s words


blank or us ing a de fault pas s word
s e t by the product ve ndor. This is
mos t common in hardware s uch
as route rs and fire walls , but s ome
s e rvice s that run on Linux can
contain de fault adminis trator
pas s words as we ll (though
Re d Hat Ente rpris e Linux 7 doe s
not s hip with the m).

Commonly as s ociate d with


ne tworking hardware s uch as
route rs , fire walls , VPNs , and
ne twork attache d s torage (NAS)
appliance s .
Common in many le gacy ope rating
s ys te ms , e s pe cially thos e that
bundle s e rvice s (s uch as UNIX
and Windows .)
Adminis trators s ome time s cre ate
privile ge d us e r accounts in a rus h
and le ave the pas s word null,
cre ating a pe rfe ct e ntry point for
malicious us e rs who dis cove r the
account.

De fault Share d
Ke ys

IP Spoofing

Se cure s e rvice s s ome time s


package de fault s e curity ke ys for
de ve lopme nt or e valuation te s ting
purpos e s . If the s e ke ys are le ft
unchange d and are place d in a
production e nvironme nt on the
Inte rne t, all us e rs with the s ame
de fault ke ys have acce s s to that
s hare d-ke y re s ource , and any
s e ns itive information that it
contains .
A re mote machine acts as a node
on your local ne twork, finds
vulne rabilitie s with your s e rve rs ,
and ins talls a backdoor program or
Trojan hors e to gain control ove r
your ne twork re s ource s .

Mos t common in wire le s s acce s s


points and pre configure d s e cure
s e rve r appliance s .

Spoofing is quite difficult as it


involve s the attacke r pre dicting
TCP/IP s e que nce numbe rs to
coordinate a conne ction to targe t
s ys te ms , but s e ve ral tools are
available to as s is t cracke rs in
pe rforming s uch a vulne rability.
De pe nds on targe t s ys te m
running s e rvice s (s uch as rsh,
telnet, FTP and othe rs ) that us e
source-based authe ntication
te chnique s , which are not
re comme nde d whe n compare d to
PKI or othe r forms of e ncrypte d
authe ntication us e d in ssh or
SSL/TLS.

13

Se c ur it y Guide

Explo it

Descript io n

No t es

Eave s dropping

Colle cting data that pas s e s


be twe e n two active node s on a
ne twork by e ave s dropping on the
conne ction be twe e n the two
node s .

This type of attack works mos tly


with plain te xt trans mis s ion
protocols s uch as Te lne t, FTP, and
HTTP trans fe rs .
Re mote attacke r mus t have
acce s s to a compromis e d s ys te m
on a LAN in orde r to pe rform s uch
an attack; us ually the cracke r has
us e d an active attack (s uch as IP
s poofing or man-in-the -middle ) to
compromis e a s ys te m on the LAN.
Pre ve ntative me as ure s include
s e rvice s with cryptographic ke y
e xchange , one -time pas s words , or
e ncrypte d authe ntication to
pre ve nt pas s word s nooping;
s trong e ncryption during
trans mis s ion is als o advis e d.

14

C hapt e r 1. O ve r vie w o f Se c ur it y T o pic s

Explo it

Descript io n

No t es

Se rvice
Vulne rabilitie s

An attacke r finds a flaw or


loophole in a s e rvice run ove r the
Inte rne t; through this vulne rability,
the attacke r compromis e s the
e ntire s ys te m and any data that it
may hold, and could pos s ibly
compromis e othe r s ys te ms on
the ne twork.

HTTP-bas e d s e rvice s s uch as CGI


are vulne rable to re mote
command e xe cution and e ve n
inte ractive s he ll acce s s . Eve n if
the HTTP s e rvice runs as a nonprivile ge d us e r s uch as "nobody",
information s uch as configuration
file s and ne twork maps can be
re ad, or the attacke r can s tart a
de nial of s e rvice attack which
drains s ys te m re s ource s or
re nde rs it unavailable to othe r
us e rs .
Se rvice s s ome time s can have
vulne rabilitie s that go unnotice d
during de ve lopme nt and te s ting;
the s e vulne rabilitie s (s uch as
buffer overflows, whe re attacke rs
cras h a s e rvice us ing arbitrary
value s that fill the me mory buffe r
of an application, giving the
attacke r an inte ractive command
prompt from which the y may
e xe cute arbitrary commands ) can
give comple te adminis trative
control to an attacke r.
Adminis trators s hould make s ure
that s e rvice s do not run as the
root us e r, and s hould s tay vigilant
of patche s and e rrata update s for
applications from ve ndors or
s e curity organiz ations s uch as
CERT and CVE.

15

Se c ur it y Guide

Explo it

Descript io n

No t es

Application
Vulne rabilitie s

Attacke rs find faults in de s ktop


and works tation applications (s uch
as e mail clie nts ) and e xe cute
arbitrary code , implant Trojan
hors e s for future compromis e , or
cras h s ys te ms . Furthe r
e xploitation can occur if the
compromis e d works tation has
adminis trative privile ge s on the
re s t of the ne twork.

Works tations and de s ktops are


more prone to e xploitation as
worke rs do not have the
e xpe rtis e or e xpe rie nce to
pre ve nt or de te ct a compromis e ;
it is impe rative to inform
individuals of the ris ks the y are
taking whe n the y ins tall
unauthoriz e d s oftware or ope n
uns olicite d e mail attachme nts .
Safe guards can be imple me nte d
s uch that e mail clie nt s oftware
doe s not automatically ope n or
e xe cute attachme nts . Additionally,
the automatic update of
works tation s oftware via Re d Hat
Ne twork; or othe r s ys te m
manage me nt s e rvice s can
alle viate the burde ns of multi-s e at
s e curity de ployme nts .

De nial of
Se rvice (DoS)
Attacks

Attacke r or group of attacke rs


coordinate agains t an
organiz ation's ne twork or s e rve r
re s ource s by s e nding
unauthoriz e d packe ts to the targe t
hos t (e ithe r s e rve r, route r, or
works tation). This force s the
re s ource to be come unavailable
to le gitimate us e rs .

The mos t re porte d DoS cas e in


the US occurre d in 2000. Se ve ral
highly-trafficke d comme rcial and
gove rnme nt s ite s we re re nde re d
unavailable by a coordinate d ping
flood attack us ing s e ve ral
compromis e d s ys te ms with high
bandwidth conne ctions acting as
zombies, or re dire cte d broadcas t
node s .
Source packe ts are us ually forge d
(as we ll as re broadcas t), making
inve s tigation as to the true s ource
of the attack difficult.
Advance s in ingre s s filte ring (IETF
rfc2267) us ing iptables and
Ne twork Intrus ion De te ction
Sys te ms s uch as snort as s is t
adminis trators in tracking down
and pre ve nting dis tribute d DoS
attacks .

[1] http://www.sans.org/security-resources/m istakes.php

16

C hapt e r 2. Se c ur it y T ips f o r Ins t allat io n

Chapt er 2. Securit y Tips for Inst allat ion


Se curity be gins with the firs t time you put that CD or DVD into your dis k drive to ins tall
Re d Hat Ente rpris e Linux 7. Configuring your s ys te m s e cure ly from the be ginning make s it
e as ie r to imple me nt additional s e curity s e ttings late r.

2.1. Securing BIOS


Pas s word prote ction for the BIOS (or BIOS e quivale nt) and the boot loade r can pre ve nt
unauthoriz e d us e rs who have phys ical acce s s to s ys te ms from booting us ing re movable
me dia or obtaining root privile ge s through s ingle us e r mode . The s e curity me as ure s you
s hould take to prote ct agains t s uch attacks de pe nds both on the s e ns itivity of the
information on the works tation and the location of the machine .
For e xample , if a machine is us e d in a trade s how and contains no s e ns itive information,
the n it may not be critical to pre ve nt s uch attacks . Howe ve r, if an e mploye e 's laptop with
private , une ncrypte d SSH ke ys for the corporate ne twork is le ft unatte nde d at that s ame
trade s how, it could le ad to a major s e curity bre ach with ramifications for the e ntire
company.
If the works tation is locate d in a place whe re only authoriz e d or trus te d pe ople have
acce s s , howe ve r, the n s e curing the BIOS or the boot loade r may not be ne ce s s ary.

2.1.1. BIOS Passwords


The two primary re as ons for pas s word prote cting the BIOS of a compute r are [2] :
1. Preventing Changes to BIOS Settings If an intrude r has acce s s to the BIOS, the y
can s e t it to boot from a CD-ROM or a flas h drive . This make s it pos s ible for the m to
e nte r re s cue mode or s ingle us e r mode , which in turn allows the m to s tart arbitrary
proce s s e s on the s ys te m or copy s e ns itive data.
2. Preventing System Booting Some BIOSe s allow pas s word prote ction of the boot
proce s s . Whe n activate d, an attacke r is force d to e nte r a pas s word be fore the BIOS
launche s the boot loade r.
Be caus e the me thods for s e tting a BIOS pas s word vary be twe e n compute r
manufacture rs , cons ult the compute r's manual for s pe cific ins tructions .
If you forge t the BIOS pas s word, it can e ithe r be re s e t with jumpe rs on the mothe rboard
or by dis conne cting the CMOS batte ry. For this re as on, it is good practice to lock the
compute r cas e if pos s ible . Howe ve r, cons ult the manual for the compute r or mothe rboard
be fore atte mpting to dis conne ct the CMOS batte ry.

2.1.1.1. Securing Non-BIOS-based Syst ems


Othe r s ys te ms and archite cture s us e diffe re nt programs to pe rform low-le ve l tas ks
roughly e quivale nt to thos e of the BIOS on x86 s ys te ms . For e xample , the Unified
Extensible Firmware Interface (UEFI) s he ll.
For ins tructions on pas s word prote cting BIOS-like programs , s e e the manufacture r's
ins tructions .

2.2. Part it ioning t he Disk


17

Se c ur it y Guide

Re d Hat re comme nds cre ating s e parate partitions for the /boot/, /, /home//tmp/, and
/var/tmp/ dire ctorie s . The re as ons for e ach are diffe re nt, and we will addre s s e ach
partition.
/boot
This partition is the firs t partition that is re ad by the s ys te m during boot up. The
boot loade r and ke rne l image s that are us e d to boot your s ys te m into Re d Hat
Ente rpris e Linux 7 are s tore d in this partition. This partition s hould not be
e ncrypte d. If this partition is include d in / and that partition is e ncrypte d or
othe rwis e be come s unavailable the n your s ys te m will not be able to boot.
/home
Whe n us e r data (/home) is s tore d in / ins te ad of in a s e parate partition, the
partition can fill up caus ing the ope rating s ys te m to be come uns table . Als o, whe n
upgrading your s ys te m to the ne xt ve rs ion of Re d Hat Ente rpris e Linux 7 it is a lot
e as ie r whe n you can ke e p your data in the /home partition as it will not be
ove rwritte n during ins tallation. If the root partition (/) be come s corrupt your data
could be los t fore ve r. By us ing a s e parate partition the re is s lightly more
prote ction agains t data los s . You can als o targe t this partition for fre que nt
backups .
/tmp and /var/tmp
Both the /tmp and /var/tmp dire ctorie s are us e d to s tore data that doe s not
ne e d to be s tore d for a long pe riod of time . Howe ve r, if a lot of data floods one of
the s e dire ctorie s it can cons ume all of your s torage s pace . If this happe ns and
the s e dire ctorie s are s tore d within / the n your s ys te m could be come uns table
and cras h. For this re as on, moving the s e dire ctorie s into the ir own partitions is a
good ide a.

No te
During the ins tallation proce s s , an option to e ncrypt partitions is pre s e nte d to you.
The us e r mus t s upply a pas s phras e . This pas s phras e will be us e d as a ke y to
unlock the bulk e ncryption ke y, which is us e d to s e cure the partition's data. For more
information on LUKS, s e e Se ction 4.10.1, Us ing LUKS Dis k Encryption.

2.3. Inst alling t he Minimum Amount of Packages Required


It is be s t practice to ins tall only the package s you will us e be caus e e ach pie ce of s oftware
on your compute r could pos s ibly contain a vulne rability. If you are ins talling from the DVD
me dia, take the opportunity to s e le ct e xactly what package s you want to ins tall during the
ins tallation. If you find you ne e d anothe r package , you can always add it to the s ys te m
late r.
For more information about ins talling the Minimal install e nvironme nt, s e e the
Software Se le ction chapte r of the Re d Hat Ente rpris e Linux 7 Ins tallation Guide . A minimal
ins tallation can als o be pe rforme d via a Kicks tart file us ing the --nobase option. For more
information about Kicks tart ins tallations , s e e the Package Se le ction s e ction from the
Re d Hat Ente rpris e Linux 7 Ins tallation Guide .

2.4. Post -inst allat ion Procedures


18

C hapt e r 2. Se c ur it y T ips f o r Ins t allat io n

The following s te ps are the s e curity-re late d proce dure s that s hould be pe rforme d
imme diate ly afte r ins tallation of Re d Hat Ente rpris e Linux.
1. Update your s ys te m. Run the following command as root:
~]# yum update
2. Eve n though the fire wall s e rvice , firewalld, is automatically e nable d with the
ins tallation of Re d Hat Ente rpris e Linux, the re are s ce narios whe re it might be
e xplicitly dis able d, for e xample in the kicks tart configuration. In s uch a cas e , it is
re comme nde d to cons ide r re -e nabling the fire wall.
To s tart firewalld run the following commands as root:
~]# systemctl start firewalld
~]# systemctl enable firewalld
3. To e nhance s e curity, dis able s e rvice s you do not ne e d. For e xample , if the re are
no printe rs ins talle d on your compute r, dis able the cups s e rvice us ing the following
command:
~]# systemctl disable cups
To re vie w active s e rvice s , run the following command:
~]$ systemctl list-units | grep service

2.5. Addit ional Resources


For more information about ins tallation in ge ne ral, s e e the Re d Hat Ente rpris e Linux 7
Ins tallation Guide .

[2] Since system BIO Ses differ between m anufacturers, som e m ay not support password
protection of either type, while others m ay support one type but not the other.

19

Se c ur it y Guide

Chapt er 3. Keeping Your Syst em Up-t o-Dat e


This chapte r de s cribe s the proce s s of ke e ping your s ys te m up-to-date , which involve s
planning and configuring the way s e curity update s are ins talle d, applying change s
introduce d by ne wly update d package s , and us ing the Re d Hat Cus tome r Portal for ke e ping
track of s e curity advis orie s .

3.1. Maint aining Inst alled Soft ware


As s e curity vulne rabilitie s are dis cove re d, the affe cte d s oftware mus t be update d in orde r
to limit any pote ntial s e curity ris ks . If the s oftware is a part of a package within a Re d Hat
Ente rpris e Linux dis tribution that is curre ntly s upporte d, Re d Hat is committe d to re le as ing
update d package s that fix the vulne rabilitie s as s oon as pos s ible .
Ofte n, announce me nts about a give n s e curity e xploit are accompanie d with a patch (or
s ource code ) that fixe s the proble m. This patch is the n applie d to the Re d Hat
Ente rpris e Linux package and te s te d and re le as e d as an e rratum update . Howe ve r, if an
announce me nt doe s not include a patch, Re d Hat de ve lope rs firs t work with the maintaine r
of the s oftware to fix the proble m. Once the proble m is fixe d, the package is te s te d and
re le as e d as an e rratum update .
If an e rratum update is re le as e d for s oftware us e d on your s ys te m, it is highly
re comme nde d that you update the affe cte d package s as s oon as pos s ible to minimiz e the
amount of time the s ys te m is pote ntially vulne rable .

3.1.1. Planning and Conf iguring Securit y Updat es


All s oftware contains bugs . Ofte n, the s e bugs can re s ult in a vulne rability that can e xpos e
your s ys te m to malicious us e rs . Package s that have not be e n update d are a common
caus e of compute r intrus ions . Imple me nt a plan for ins talling s e curity patche s in a time ly
manne r to quickly e liminate dis cove re d vulne rabilitie s , s o the y cannot be e xploite d.
Te s t s e curity update s whe n the y be come available and s che dule the m for ins tallation.
Additional controls ne e d to be us e d to prote ct the s ys te m during the time be twe e n the
re le as e of the update and its ins tallation on the s ys te m. The s e controls de pe nd on the
e xact vulne rability, but may include additional fire wall rule s , the us e of e xte rnal fire walls ,
or change s in s oftware s e ttings .
Bugs in s upporte d package s are fixe d us ing the e rrata me chanis m. An e rratum cons is ts of
one or more RPM package s accompanie d by a brie f e xplanation of the proble m that the
particular e rratum de als with. All e rrata are dis tribute d to cus tome rs with active
s ubs criptions through the Red Hat Subscript io n Management s e rvice . Errata that
addre s s s e curity is s ue s are calle d Red Hat Security Advisories.
For more information on working with s e curity e rrata, s e e Se ction 3.2.1, Vie wing Se curity
Advis orie s on the Cus tome r Portal. For de taile d information about the Red Hat
Subscript io n Management s e rvice , including ins tructions on how to migrate from RHN
Classic, s e e the docume ntation re late d to this s e rvice : Re d Hat Subs cription Manage me nt.

3.1.1.1. Using t he Securit y Feat ures of Yum


The Yum package manage r include s s e ve ral s e curity-re late d fe ature s that can be us e d to
s e arch, lis t, dis play, and ins tall s e curity e rrata. The s e fe ature s als o make it pos s ible to
us e Yum to ins tall nothing but s e curity update s .

20

C hapt e r 3. Ke e ping Yo ur Sys t e m Up-t o -Dat e

To che ck for s e curity-re late d update s available for your s ys te m, run the following
command as root:
~]# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64
| 3.4 kB 00:00:00
No packages needed for security; 0 packages available
Note that the above command runs in a non-inte ractive mode , s o it can be us e d in s cripts
for automate d che cking whe the r the re are any update s available . The command re turns
an e xit value of 100 whe n the re are any s e curity update s available and 0 whe n the re are
not. On e ncounte ring an e rror, it re turns 1.
Analogous ly, us e the following command to only ins tall s e curity-re late d update s :
~]# yum update --security
Us e the updateinfo s ubcommand to dis play or act upon information provide d by
re pos itorie s about available update s . The updateinfo s ubcommand its e lf acce pts a
numbe r of commands , s ome of which pe rtain to s e curity-re late d us e s . Se e Table 3.1,
Se curity-re late d commands us able with yum update info for an ove rvie w of the s e
commands .
T able 3.1. Securit y-relat ed co mmands usable wit h yum updat einf o
Co mmand

Descript io n

advisory [advisories]

Dis plays information about one or more advis orie s .


Re place advisories with an advis ory numbe r or
numbe rs .
cves
Dis plays the s ubs e t of information that pe rtains to CVE
(Common Vulnerabilities and Exposures).
security or sec
Dis plays all s e curity-re late d information.
severity [severity_level] Dis plays information about s e curity-re le vant package s
or sev [severity_level]
of the s upplie d severity_level.

3.1.2. Updat ing and Inst alling Packages


Whe n updating s oftware on a s ys te m, it is important to download the update from a
trus te d s ource . An attacke r can e as ily re build a package with the s ame ve rs ion numbe r as
the one that is s uppos e d to fix the proble m but with a diffe re nt s e curity e xploit and
re le as e it on the Inte rne t. If this happe ns , us ing s e curity me as ure s , s uch as ve rifying file s
agains t the original RPM, doe s not de te ct the e xploit. Thus , it is ve ry important to only
download RPMs from trus te d s ource s , s uch as from Re d Hat, and to che ck the package
s ignature s to ve rify the ir inte grity.
Se e the Yum chapte r of the Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide for
de taile d information on how to us e the Yum package manage r.

3.1.2.1. Verif ying Signed Packages


All Re d Hat Ente rpris e Linux package s are s igne d with the Re d Hat GPG ke y. GPG s tands
for GNU Privacy Guard, or GnuPG, a fre e s oftware package us e d for e ns uring the
authe nticity of dis tribute d file s . If the ve rification of a package s ignature fails , the package
may be alte re d and the re fore cannot be trus te d.

21

Se c ur it y Guide

The Yum package manage r allows for an automatic ve rification of all package s it ins talls or
upgrade s . This fe ature is e nable d by de fault. To configure this option on your s ys te m,
make s ure the gpgcheck configuration dire ctive is s e t to 1 in the /etc/yum.conf
configuration file .
Us e the following command to manually ve rify package file s on your file s ys te m:
rpmkeys --checksig package_file.rpm
Se e the Product Signing (GPG) Ke ys article on the Re d Hat Cus tome r Portal for additional
information about Re d Hat package -s igning practice s .

3.1.2.2. Inst alling Signed Packages


To ins tall ve rifie d package s (s e e Se ction 3.1.2.1, Ve rifying Signe d Package s for
information on how to ve rify package s ) from your file s ys te m, us e the yum install
command as the root us e r as follows :
yum install package_file.rpm
Us e a s he ll glob to ins tall s e ve ral package s at once . For e xample , the following commands
ins talls all .rpm package s in the curre nt dire ctory:
yum install *.rpm

Impo rtant
Be fore ins talling any s e curity e rrata, be s ure to re ad any s pe cial ins tructions
containe d in the e rratum re port and e xe cute the m accordingly. Se e Se ction 3.1.3,
Applying Change s Introduce d by Ins talle d Update s for ge ne ral ins tructions about
applying change s made by e rrata update s .

3.1.3. Applying Changes Int roduced by Inst alled Updat es


Afte r downloading and ins talling s e curity e rrata and update s , it is important to halt the
us age of the old s oftware and be gin us ing the ne w s oftware . How this is done de pe nds on
the type of s oftware that has be e n update d. The following lis t ite miz e s the ge ne ral
cate gorie s of s oftware and provide s ins tructions for us ing update d ve rs ions afte r a
package upgrade .

No te
In ge ne ral, re booting the s ys te m is the s ure s t way to e ns ure that the late s t ve rs ion
of a s oftware package is us e d; howe ve r, this option is not always re quire d, nor is it
always available to the s ys te m adminis trator.
Applicat io ns

22

C hapt e r 3. Ke e ping Yo ur Sys t e m Up-t o -Dat e

Us e r-s pace applications are any programs that can be initiate d by the us e r.
Typically, s uch applications are us e d only whe n the us e r, a s cript, or an
automate d tas k utility launch the m.
Once s uch a us e r-s pace application is update d, halt any ins tance s of the
application on the s ys te m, and launch the program again to us e the update d
ve rs ion.
Kernel
The ke rne l is the core s oftware compone nt for the Re d Hat Ente rpris e Linux 7
ope rating s ys te m. It manage s acce s s to me mory, the proce s s or, and pe riphe rals ,
and it s che dule s all tas ks .
Be caus e of its ce ntral role , the ke rne l cannot be re s tarte d without als o re booting
the compute r. The re fore , an update d ve rs ion of the ke rne l cannot be us e d until
the s ys te m is re boote d.
KVM
Whe n the qemu-kvm and libvirt package s are update d, it is ne ce s s ary to s top all
gue s t virtual machine s , re load re le vant virtualiz ation module s (or re boot the hos t
s ys te m), and re s tart the virtual machine s .
Us e the lsmod command to de te rmine which module s from the following are
loade d: kvm, kvm-intel, or kvm-amd. The n us e the modprobe -r command to
re move and s ubs e que ntly the modprobe -a command to re load the affe cte d
module s . Fox e xample :
~]# lsmod | grep kvm
kvm_intel
143031 0
kvm
460181 1 kvm_intel
~]# modprobe -r kvm-intel
~]# modprobe -r kvm
~]# modprobe -a kvm kvm-intel
Shared Libraries
Share d librarie s are units of code , s uch as glibc, that are us e d by a numbe r of
applications and s e rvice s . Applications utiliz ing a s hare d library typically load the
s hare d code whe n the application is initializ e d, s o any applications us ing an
update d library mus t be halte d and re launche d.
To de te rmine which running applications link agains t a particular library, us e the
lsof command:
lsof library
For e xample , to de te rmine which running applications link agains t the
libwrap.so.0 library, type :
~]# lsof /lib64/libwrap.so.0
COMMAND
PID USER FD
TYPE DEVICE SIZE/OFF
NODE NAME
pulseaudi 12363 test mem
REG 253,0
42520 34121785
/usr/lib64/libwrap.so.0.7.6

23

Se c ur it y Guide

gnome-set 12365 test mem


REG
/usr/lib64/libwrap.so.0.7.6
gnome-she 12454 test mem
REG
/usr/lib64/libwrap.so.0.7.6

253,0

42520 34121785

253,0

42520 34121785

This command re turns a lis t of all the running programs that us e TCP wrappe rs for
hos t-acce s s control. The re fore , any program lis te d mus t be halte d and
re launche d whe n the tcp_wrappers package is update d.
syst emd Services
s ys te md s e rvice s are pe rs is te nt s e rve r programs us ually launche d during the
boot proce s s . Example s of s ys te md s e rvice s include sshd or vsftpd.
Be caus e the s e programs us ually pe rs is t in me mory as long as a machine is
running, e ach update d s ys te md s e rvice mus t be halte d and re launche d afte r its
package is upgrade d. This can be done as the root us e r us ing the systemctl
command:
systemctl restart service_name
Re place service_name with the name of the s e rvice you want to re s tart, s uch as
sshd.
Ot her So f t ware
Follow the ins tructions outline d by the re s ource s linke d be low to corre ctly update
the following applications .
Red Hat Direct o ry Server Se e the Release Notes for the ve rs ion of the
Re d Hat Dire ctory Se rve r in que s tion at
https ://acce s s .re dhat.com/s ite /docume ntation/e nUS/Re d_Hat_Dire ctory_Se rve r/.
Red Hat Ent erprise Virt ualizat io n Manager Se e the Installation Guide
for the ve rs ion of the Re d Hat Ente rpris e Virtualiz ation in que s tion at
https ://acce s s .re dhat.com/s ite /docume ntation/e nUS/Re d_Hat_Ente rpris e _Virtualiz ation/.

3.2. Using t he Red Hat Cust omer Port al


The Re d Hat Cus tome r Portal at https ://acce s s .re dhat.com/ is the main cus tome r-orie nte d
re s ource for official information re late d to Re d Hat products . You can us e it to find
docume ntation, manage your s ubs criptions , download products and update s , ope n s upport
cas e s , and le arn about s e curity update s .

3.2.1. Viewing Securit y Advisories on t he Cust omer Port al


To vie w s e curity advis orie s (e rrata) re le vant to the s ys te ms for which you have active
s ubs criptions , log into the Cus tome r Portal at https ://acce s s .re dhat.com/ and click on the
Download Products & Updates button on the main page . Whe n you e nte r the Software
& Download Center page , continue by clicking on the Errata button to s e e a lis t of
advis orie s pe rtine nt to your re gis te re d s ys te ms .
To brows e a lis t of all s e curity update s for all active Re d Hat products , go to Securit y
Securit y Updat es Act ive Pro duct s us ing the navigation me nu at the top of the page .

24

C hapt e r 3. Ke e ping Yo ur Sys t e m Up-t o -Dat e

Click on the e rratum code in the le ft part of the table to dis play more de taile d information
about the individual advis orie s . The ne xt page contains not only a de s cription of the give n
e rratum, including its caus e s , cons e que nce s , and re quire d fixe s , but als o a lis t of all
package s that the particular e rratum update s along with ins tructions on how to apply the
update s . The page als o include s links to re le vant re fe re nce s , s uch as re late d CVE.

3.2.2. Navigat ing CVE Cust omer Port al Pages


The CVE (Common Vulnerabilities and Exposures) proje ct, maintaine d by
The MITRE Corporation, is a lis t of s tandardiz e d name s for vulne rabilitie s and s e curity
e xpos ure s . To brows e a lis t of CVE that pe rtain to Re d Hat products on the Cus tome r
Portal, log into your account at https ://acce s s .re dhat.com/ and navigate to Securit y
Reso urces CVE Dat abase us ing the navigation me nu at the top of the page .
Click on the CVE code in the le ft part of the table to dis play more de taile d information
about the individual vulne rabilitie s . The ne xt page contains not only a de s cription of the
give n CVE but als o a lis t of affe cte d Re d Hat products along with links to re le vant Re d Hat
e rrata.

3.2.3. Underst anding Issue Severit y Classif icat ion


All s e curity is s ue s dis cove re d in Re d Hat products are as s igne d an impact rating by
Red Hat Product Security according to the s e ve rity of the proble m. The four-point s cale
cons is ts of the following le ve ls : Low, Mode rate , Important, and Critical. In addition to that,
e ve ry s e curity is s ue is rate d us ing the Common Vulnerability Scoring System (CVSS) bas e
s core s .
Toge the r, the s e ratings he lp you unde rs tand the impact of s e curity is s ue s , allowing you to
s che dule and prioritiz e upgrade s trate gie s for your s ys te ms . Note that the ratings re fle ct
the pote ntial ris k of a give n vulne rability, which is bas e d on a te chnical analys is of the bug,
not the curre nt thre at le ve l. This me ans that the s e curity impact rating doe s not change if
an e xploit is re le as e d for a particular flaw.
To s e e a de taile d de s cription of the individual le ve ls of s e ve rity ratings on the Cus tome r
Portal, vis it the Se ve rity Ratings page .

3.3. Addit ional Resources


For more information about s e curity update s , ways of applying the m, the Re d Hat
Cus tome r Portal, and re late d topics , s e e the re s ource s lis te d be low.

Inst alled Document at ion


yum(8) The manual page for the Yum package manage r provide s information about
the way Yum can be us e d to ins tall, update , and re move package s on your s ys te ms .
rpmke ys (8) The manual page for the rpmkeys utility de s cribe s the way this program
can be us e d to ve rify the authe nticity of downloade d package s .

Online Document at ion

25

Se c ur it y Guide

Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide The System Administrator's
Guide for Re d Hat Ente rpris e Linux 7 docume nts the us e of the Yum and rpm commands
that are us e d to ins tall, update , and re move package s on Re d Hat Ente rpris e Linux 7
s ys te ms .
Re d Hat Ente rpris e Linux 7 SELinux Us e r's and Adminis trator's Guide The SELinux
User's and Administrator's Guide for Re d Hat Ente rpris e Linux 7 docume nts the
configuration of the SELinux mandatory access control me chanis m.

Red Hat Cust omer Port al


Re d Hat Cus tome r Portal, Se curity The Se curity s e ction of the Cus tome r Portal
contains links to the mos t important re s ource s , including the Re d Hat CVE databas e , and
contacts for Re d Hat Product Se curity.
Re d Hat Se curity Blog Article s about late s t s e curity-re late d is s ue s from Re d Hat
s e curity profe s s ionals .

See Also
Chapte r 2, Security Tips for Installation de s cribe s how to configure your s ys te m
s e cure ly from the be ginning to make it e as ie r to imple me nt additional s e curity s e ttings
late r.
Se ction 4.10.2, Cre ating GPG Ke ys de s cribe s how to cre ate a s e t of pe rs onal GPG
ke ys to authe nticate your communications .

26

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Chapt er 4. Hardening Your Syst em wit h Tools and


Services
4.1. Deskt op Securit y
Pas s words are the primary me thod that Re d Hat Ente rpris e Linux 7 us e s to ve rify a us e r's
ide ntity. This is why pas s word s e curity is s o important for prote ction of the us e r, the
works tation, and the ne twork.
For s e curity purpos e s , the ins tallation program configure s the s ys te m to us e Secure Hash
Algorithm 512 (SHA512) and s hadow pas s words . It is highly re comme nde d that you do not
alte r the s e s e ttings .
If s hadow pas s words are de s e le cte d during ins tallation, all pas s words are s tore d as a
one -way has h in the world-re adable /etc/passwd file , which make s the s ys te m vulne rable
to offline pas s word cracking attacks . If an intrude r can gain acce s s to the machine as a
re gular us e r, he can copy the /etc/passwd file to his own machine and run any numbe r of
pas s word cracking programs agains t it. If the re is an ins e cure pas s word in the file , it is
only a matte r of time be fore the pas s word cracke r dis cove rs it.
Shadow pas s words e liminate this type of attack by s toring the pas s word has he s in the file
/etc/shadow, which is re adable only by the root us e r.
This force s a pote ntial attacke r to atte mpt pas s word cracking re mote ly by logging into a
ne twork s e rvice on the machine , s uch as SSH or FTP. This s ort of brute -force attack is
much s lowe r and le ave s an obvious trail as hundre ds of faile d login atte mpts are writte n
to s ys te m file s . Of cours e , if the cracke r s tarts an attack in the middle of the night on a
s ys te m with we ak pas s words , the cracke r may have gaine d acce s s be fore dawn and
e dite d the log file s to cove r his tracks .
In addition to format and s torage cons ide rations is the is s ue of conte nt. The s ingle mos t
important thing a us e r can do to prote ct his account agains t a pas s word cracking attack is
cre ate a s trong pas s word.

4.1.1. Password Securit y


4.1.1.1. Creat ing St rong Passwords
Whe n cre ating a s e cure pas s word, the us e r mus t re me mbe r that long pas s words are
s tronge r than s hort and comple x one s . It is not a good ide a to cre ate a pas s word of jus t
e ight characte rs , e ve n if it contains digits , s pe cial characte rs and uppe rcas e le tte rs .
Pas s word cracking tools , s uch as John The Rippe r, are optimiz e d for bre aking s uch
pas s words , which are als o hard to re me mbe r by a pe rs on.
In information the ory, e ntropy is the le ve l of unce rtainty as s ociate d with a random variable
and is pre s e nte d in bits . The highe r the e ntropy value , the more s e cure the pas s word is .
According to NIST SP 800-63-1, pas s words that are not pre s e nt in a dictionary compris e d
of 50000 commonly s e le cte d pas s words s hould have at le as t 10 bits of e ntropy. As s uch,
a pas s word that cons is ts of four random words contains around 40 bits of e ntropy. A long
pas s word cons is ting of multiple words for adde d s e curity is als o calle d a passphrase, for
e xample :
randomword1 randomword2 randomword3 randomword4

27

Se c ur it y Guide

If the s ys te m e nforce s the us e of uppe rcas e le tte rs , digits , or s pe cial characte rs , the
pas s phras e that follows the above re comme ndation can be modifie d in a s imple way, for
e xample by changing the firs t characte r to uppe rcas e and appe nding "1!". Note that s uch
a modification does not incre as e the s e curity of the pas s phras e s ignificantly.
Anothe r way to cre ate a pas s word yours e lf is us ing a pas s word ge ne rator. The pwmake
is a command-line tool for ge ne rating random pas s words that cons is t of all four groups of
characte rs uppe rcas e , lowe rcas e , digits and s pe cial characte rs . The utility allows you to
s pe cify the numbe r of e ntropy bits that are us e d to ge ne rate the pas s word. The e ntropy
is pulle d from /dev/urandom. The minimum numbe r of bits you can s pe cify is 56, which is
e nough for pas s words on s ys te ms and s e rvice s whe re brute force attacks are rare . 64
bits is ade quate for applications whe re the attacke r doe s not have dire ct acce s s to the
pas s word has h file . For s ituations whe n the attacke r might obtain the dire ct acce s s to the
pas s word has h or the pas s word is us e d as an e ncryption ke y, 80 to 128 bits s hould be
us e d. If you s pe cify an invalid numbe r of e ntropy bits , pwmake will us e the de fault of bits .
To cre ate a pas s word of 128 bits , run the following command:
pwmake 128
While the re are diffe re nt approache s to cre ating a s e cure pas s word, always avoid the
following bad practice s :
Us ing a s ingle dictionary word, a word in a fore ign language , an inve rte d word, or only
numbe rs .
Us ing le s s than 10 characte rs for a pas s word or pas s phras e .
Us ing a s e que nce of ke ys from the ke yboard layout.
Writing down your pas s words .
Us ing pe rs onal information in a pas s word, s uch as birth date s , annive rs arie s , family
me mbe r name s , or pe t name s .
Us ing the s ame pas s phras e or pas s word on multiple machine s .
While cre ating s e cure pas s words is impe rative , managing the m prope rly is als o important,
e s pe cially for s ys te m adminis trators within large r organiz ations . The following s e ction
de tails good practice s for cre ating and managing us e r pas s words within an organiz ation.

4.1.1.2. Forcing St rong Passwords


If an organiz ation has a large numbe r of us e rs , the s ys te m adminis trators have two bas ic
options available to force the us e of s trong pas s words . The y can cre ate pas s words for the
us e r, or the y can le t us e rs cre ate the ir own pas s words while ve rifying the pas s words are
of ade quate s tre ngth.
Cre ating the pas s words for the us e rs e ns ure s that the pas s words are good, but it
be come s a daunting tas k as the organiz ation grows . It als o incre as e s the ris k of us e rs
writing the ir pas s words down, thus e xpos ing the m.
For the s e re as ons , mos t s ys te m adminis trators pre fe r to have the us e rs cre ate the ir own
pas s words , but active ly ve rify that the s e pas s words are s trong e nough. In s ome cas e s ,
adminis trators may force us e rs to change the ir pas s words pe riodically through pas s word
aging.

28

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Whe n us e rs are as ke d to cre ate or change pas s words , the y can us e the passwd
command-line utility, which is PAM-aware (Pluggable Authentication Modules) and che cks to
s e e if the pas s word is too s hort or othe rwis e e as y to crack. This che cking is pe rforme d by
the pam_pwquality.so PAM module .

No te
In Re d Hat Ente rpris e Linux 7, the pam_pwquality PAM module re place d
pam_cracklib, which was us e d in Re d Hat Ente rpris e Linux 6 as a de fault module
for pas s word quality che cking. It us e s the s ame back e nd as pam_cracklib.
The pam_pwquality module is us e d to che ck a pas s word's s tre ngth agains t a s e t of rule s .
Its proce dure cons is ts of two s te ps : firs t it che cks if the provide d pas s word is found in a
dictionary. If not, it continue s with a numbe r of additional che cks . pam_pwquality is
s tacke d alongs ide othe r PAM module s in the password compone nt of the
/etc/pam.d/passwd file , and the cus tom s e t of rule s is s pe cifie d in the
/etc/security/pwquality.conf configuration file . For a comple te lis t of the s e che cks ,
s e e the pwquality.conf (8) manual page .

Example 4.1. Co nf iguring passwo rd st rengt h-checking in pwquality.conf


To e nable us ing pam_quality, add the following line to the password s tack in the
/etc/pam.d/passwd file :
password

required

pam_pwquality.so retry=3

Options for the che cks are s pe cifie d one pe r line . For e xample , to re quire a pas s word
with a minimum le ngth of 8 characte rs , including all four clas s e s of characte rs , add the
following line s to the /etc/security/pwquality.conf file :
minlen = 8
minclass = 4
To s e t a pas s word s tre ngth-che ck for characte r s e que nce s and s ame cons e cutive
characte rs , add the following line s to /etc/security/pwquality.conf:
maxsequence = 3
maxrepeat = 3
In this e xample , the pas s word e nte re d cannot contain more than 3 characte rs in a
monotonic s e que nce , s uch as abcd, and more than 3 ide ntical cons e cutive characte rs ,
s uch as 1111.

No te
As the root us e r is the one who e nforce s the rule s for pas s word cre ation, the y can
s e t any pas s word for the ms e lve s or for a re gular us e r, de s pite the warning
me s s age s .

29

Se c ur it y Guide

4.1.1.3. Conf iguring Password Aging


Pas s word aging is anothe r te chnique us e d by s ys te m adminis trators to de fe nd agains t
bad pas s words within an organiz ation. Pas s word aging me ans that afte r a s pe cifie d pe riod
(us ually 90 days ), the us e r is prompte d to cre ate a ne w pas s word. The the ory be hind this
is that if a us e r is force d to change his pas s word pe riodically, a cracke d pas s word is only
us e ful to an intrude r for a limite d amount of time . The downs ide to pas s word aging,
howe ve r, is that us e rs are more like ly to write the ir pas s words down.
To s pe cify pas s word aging unde r Re d Hat Ente rpris e Linux 7, make us e of the chage
command.

Impo rtant
In Re d Hat Ente rpris e Linux 7, s hadow pas s words are e nable d by de fault. For more
information, s e e the Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide .
The -M option of the chage command s pe cifie s the maximum numbe r of days the
pas s word is valid. For e xample , to s e t a us e r's pas s word to e xpire in 90 days , us e the
following command:
chage -M 90 username
In the above command, re place username with the name of the us e r. To dis able pas s word
e xpiration, us e the value of -1 afte r the -M option.
For more information on the options available with the chage command, s e e the table
be low.
T able 4.1. chage co mmand line o pt io ns
Opt io n

Descript io n

-d days

Spe cifie s the numbe r of days s ince January 1, 1970 the


pas s word was change d.
Spe cifie s the date on which the account is locke d, in the
format YYYY-MM-DD. Ins te ad of the date , the numbe r of days
s ince January 1, 1970 can als o be us e d.
Spe cifie s the numbe r of inactive days afte r the pas s word
e xpiration be fore locking the account. If the value is 0, the
account is not locke d afte r the pas s word e xpire s .
Lis ts curre nt account aging s e ttings .
Spe cify the minimum numbe r of days afte r which the us e r
mus t change pas s words . If the value is 0, the pas s word doe s
not e xpire .
Spe cify the maximum numbe r of days for which the
pas s word is valid. Whe n the numbe r of days s pe cifie d by this
option plus the numbe r of days s pe cifie d with the -d option is
le s s than the curre nt day, the us e r mus t change pas s words
be fore us ing the account.
Spe cifie s the numbe r of days be fore the pas s word e xpiration
date to warn the us e r.

-E date

-I days

-l
-m days

-M days

-W days

30

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

You can als o us e the chage command in inte ractive mode to modify multiple pas s word
aging and account de tails . Us e the following command to e nte r inte ractive mode :
chage <username>
The following is a s ample inte ractive s e s s ion us ing this command:
~]# chage juan
Changing the aging information for juan
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 90
Last Password Change (YYYY-MM-DD) [2006-08-18]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
You can configure a pas s word to e xpire the firs t time a us e r logs in. This force s us e rs to
change pas s words imme diate ly.
1. Se t up an initial pas s word. To as s ign a de fault pas s word, run the following command
at a s he ll prompt as root:
passwd username

Warning
The passwd utility has the option to s e t a null pas s word. Us ing a null
pas s word, while conve nie nt, is a highly ins e cure practice , as any third party
can log in and acce s s the s ys te m us ing the ins e cure us e rname . Avoid us ing
null pas s words whe re ve r pos s ible . If it is not pos s ible , always make s ure that
the us e r is re ady to log in be fore unlocking an account with a null pas s word.
2. Force imme diate pas s word e xpiration by running the following command as root:
chage -d 0 username
This command s e ts the value for the date the pas s word was las t change d to the
e poch (January 1, 1970). This value force s imme diate pas s word e xpiration no
matte r what pas s word aging policy, if any, is in place .
Upon the initial log in, the us e r is now prompte d for a ne w pas s word.

4.1.2. Account Locking


In Re d Hat Ente rpris e Linux 7, the pam_faillock PAM module allows s ys te m
adminis trators to lock out us e r accounts afte r a s pe cifie d numbe r of faile d atte mpts .
Limiting us e r login atte mpts s e rve s mainly as a s e curity me as ure that aims to pre ve nt
pos s ible brute force attacks targe te d to obtain a us e r's account pas s word.
With the pam_faillock module , faile d login atte mpts are s tore d in a s e parate file for e ach
us e r in the /var/run/faillock dire ctory.

31

Se c ur it y Guide

No te
The orde r of line s in the faile d atte mpt log file s is important. Any change in this
orde r can lock all us e r accounts , including the root us e r account whe n the
even_deny_root option is us e d.
Follow the s e s te ps to configure account locking:
1. To lock out any non-root us e r afte r thre e uns ucce s s ful atte mpts and unlock that
us e r afte r 10 minute s , add two line s to the auth s e ction of the
/etc/pam.d/system-auth and /etc/pam.d/password-auth file s . Afte r your e dits ,
the e ntire auth s e ction in both file s s hould look like this :
1 auth
required
2 auth
required
deny=3 unlock_time=600
3 auth
sufficient
4 auth
[default=die]
unlock_time=600
5 auth
requisite
quiet_success
6 auth
required

pam_env.so
pam_faillock.so preauth silent audit
pam_unix.so nullok try_first_pass
pam_faillock.so authfail audit deny=3
pam_succeed_if.so uid >= 1000
pam_deny.so

Line s numbe r 2 and 4 have be e n adde d.


2. Add the following line to the account s e ction of both file s s pe cifie d in the pre vious
s te p:
account

required

pam_faillock.so

3. To apply account locking for the root us e r as we ll, add the even_deny_root option
to the pam_faillock e ntrie s in the /etc/pam.d/system-auth and
/etc/pam.d/password-auth file s :
auth
required
pam_faillock.so preauth silent audit
deny=3 even_deny_root unlock_time=600
auth
sufficient
pam_unix.so nullok try_first_pass
auth
[default=die] pam_faillock.so authfail audit deny=3
even_deny_root unlock_time=600
account

required

pam_faillock.so

Whe n us e r john atte mpts to log in for the fourth time afte r failing to log in thre e time s
pre vious ly, his account is locke d upon the fourth atte mpt:
[yruseva@localhost ~]$ su - john
Account locked due to 3 failed logins
su: incorrect password
To pre ve nt the s ys te m from locking us e rs out e ve n afte r multiple faile d logins , add the
following line jus t above the line whe re pam_faillock is calle d for the firs t time in both
/etc/pam.d/system-auth and /etc/pam.d/password-auth. Als o re place user1, user2,
and user3 with the actual us e r name s .

32

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

auth [success=1 default=ignore] pam_succeed_if.so user in


user1:user2:user3
To vie w the numbe r of faile d atte mpts pe r us e r, run, as root, the following command:
[root@localhost ~]# faillock
john:
When
Type Source
Valid
2013-03-05 11:44:14 TTY
pts/0
V
To unlock a us e r's account, run, as root, the following command:
faillock --user <username> --reset

Keeping Cust om Set t ings wit h aut hconf ig


Whe n modifying authe ntication configuration us ing the aut hco nf ig utility, the systemauth and password-auth file s are ove rwritte n with the s e ttings from the aut hco nf ig
utility. This can be avoide d by cre ating s ymbolic links in place of the configuration file s ,
which aut hco nf ig re cogniz e s and doe s not ove rwrite . In orde r to us e cus tom s e ttings in
the configuration file s and aut hco nf ig s imultane ous ly, configure account locking us ing the
following s te ps :
1. Che ck whe the r the system-auth and password-auth file s are alre ady s ymbolic
links pointing to system-auth-ac and password-auth-ac (this is the s ys te m
de fault):
~]# ls -l /etc/pam.d/{password,system}-auth
If the output is s imilar to the following, the s ymbolic links are in place , and you can
s kip to s te p numbe r 3:
lrwxrwxrwx. 1 root root 16 24. Feb 09.29 /etc/pam.d/password-auth
-> password-auth-ac
lrwxrwxrwx. 1 root root 28 24. Feb 09.29 /etc/pam.d/system-auth ->
system-auth-ac
If the system-auth and password-auth file s are not s ymbolic links , continue with
the ne xt s te p.
2. Re name the configuration file s :
~]# mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
~]# mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
3. Cre ate configuration file s with your cus tom s e ttings :
~]# vi /etc/pam.d/system-auth-local
The /etc/pam.d/system-auth-local file s hould contain the following line s :

33

Se c ur it y Guide

auth
required
deny=3 unlock_time=600
auth
include
auth
[default=die]
deny=3 unlock_time=600

pam_faillock.so preauth silent audit

account
account

required
include

pam_faillock.so
system-auth-ac

password

include

system-auth-ac

session

include

system-auth-ac

system-auth-ac
pam_faillock.so authfail silent audit

~]# vi /etc/pam.d/password-auth-local
The /etc/pam.d/password-auth-local file s hould contain the following line s :
auth
required
deny=3 unlock_time=600
auth
include
auth
[default=die]
deny=3 unlock_time=600

pam_faillock.so preauth silent audit

account
account

required
include

pam_faillock.so
password-auth-ac

password

include

password-auth-ac

session

include

password-auth-ac

password-auth-ac
pam_faillock.so authfail silent audit

4. Cre ate the following s ymbolic links :


~]# ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
~]# ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth
For more information on various pam_faillock configuration options , s e e the
pam_faillock(8) manual page .

4.1.3. Session Locking


Us e rs may ne e d to le ave the ir works tation unatte nde d for a numbe r of re as ons during
e ve ryday ope ration. This could pre s e nt an opportunity for an attacke r to phys ically acce s s
the machine , e s pe cially in e nvironme nts with ins ufficie nt phys ical s e curity me as ure s (s e e
Se ction 1.2.1, Phys ical Controls ). Laptops are e s pe cially e xpos e d s ince the ir mobility
inte rfe re s with phys ical s e curity. You can alle viate the s e ris ks by us ing s e s s ion locking
fe ature s which pre ve nt acce s s to the s ys te m until a corre ct pas s word is e nte re d.

34

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

No te
The main advantage of locking the s cre e n ins te ad of logging out is that a lock allows
the us e r's proce s s e s (s uch as file trans fe rs ) to continue running. Logging out would
s top the s e proce s s e s .

4.1.3.1. Locking Virt ual Consoles Using vlock


Us e rs may als o ne e d to lock a virtual cons ole . This can be done us ing a utility calle d
vlock. To ins tall this utility, e xe cute the following command as root:
~]# yum install vlock
Afte r ins tallation, any cons ole s e s s ion can be locke d us ing the vlock command without
any additional parame te rs . This locks the curre ntly active virtual cons ole s e s s ion while
s till allowing acce s s to the othe rs . To pre ve nt acce s s to all virtual cons ole s on the
works tation, e xe cute the following:
vlock -a
In this cas e , vlock locks the curre ntly active cons ole and the -a option pre ve nts s witching
to othe r virtual cons ole s .
Se e the vlock(1) man page for additional information.

Impo rtant
The re are s e ve ral known is s ue s re le vant to the ve rs ion of vlock curre ntly available
for Re d Hat Ente rpris e Linux 7:
The program doe s not curre ntly allow unlocking cons ole s us ing the root
pas s word. Additional information can be found in BZ#895066.
Locking a cons ole doe s not cle ar the s cre e n and s crollback buffe r, allowing
anyone with phys ical acce s s to the works tation to vie w pre vious ly is s ue d
commands and any output dis playe d in the cons ole . Se e BZ#807369 for more
information.

4.1.4. Enf orcing Read-Only Mount ing of Removable Media


To e nforce re ad-only mounting of re movable me dia (s uch as USB flas h dis ks ), the
adminis trator can us e a udev rule to de te ct re movable me dia and configure the m to be
mounte d re ad-only us ing the blo ckdev utility. This is s ufficie nt for e nforcing re ad-only
mounting of phys ical me dia.

Using blockdev t o Force Read-Only Mount ing of Removable Media


To force all re movable me dia to be mounte d re ad-only, cre ate a ne w udev configuration
file name d, for e xample , 80-readonly-removables.rules in the /etc/udev/rules.d/
dire ctory with the following conte nt:

35

Se c ur it y Guide

SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev -setro %N"


The above udev rule e ns ure s that any ne wly conne cte d re movable block (s torage ) de vice
is automatically configure d as re ad-only us ing the blockdev utility.

Applying New udev Set t ings


For the s e s e ttings to take e ffe ct, the ne w udev rule s ne e d to be applie d. The udev
s e rvice automatically de te cts change s to its configuration file s , but ne w s e ttings are not
applie d to alre ady e xis ting de vice s . Only ne wly conne cte d de vice s are affe cte d by the
ne w s e ttings . The re fore , you ne e d to unmount and unplug all conne cte d re movable me dia
to e ns ure that the ne w s e ttings are applie d to the m whe n the y are ne xt plugge d in.
To force udev to re -apply all rule s to alre ady e xis ting de vice s , run the following command
as root:
~# udevadm trigger
Note that forcing udev to re -apply all rule s us ing the above command doe s not affe ct any
s torage de vice s that are alre ady mounte d.
To force udev to re load all rule s (in cas e the ne w rule s are not automatically de te cte d for
s ome re as on), us e the following command:
~# udevadm control --reload

4.2. Cont rolling Root Access


Whe n adminis te ring a home machine , the us e r mus t pe rform s ome tas ks as the root
us e r or by acquiring e ffe ctive root privile ge s via a setuid program, s uch as sudo or su. A
s e tuid program is one that ope rate s with the us e r ID (UID) of the program's owne r rathe r
than the us e r ope rating the program. Such programs are de note d by an s in the owne r
s e ction of a long format lis ting, as in the following e xample :
~]$ ls -l /bin/su
-rwsr-xr-x. 1 root root 34904 Mar 10

2011 /bin/su

No te
The s may be uppe r cas e or lowe r cas e . If it appe ars as uppe r cas e , it me ans that
the unde rlying pe rmis s ion bit has not be e n s e t.
For the s ys te m adminis trator of an organiz ation, howe ve r, choice s mus t be made as to
how much adminis trative acce s s us e rs within the organiz ation s hould have to the ir
machine s . Through a PAM module calle d pam_console.so, s ome activitie s normally
re s e rve d only for the root us e r, s uch as re booting and mounting re movable me dia, are
allowe d for the firs t us e r that logs in at the phys ical cons ole . Howe ve r, othe r important

36

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

s ys te m adminis tration tas ks , s uch as alte ring ne twork s e ttings , configuring a ne w mous e ,
or mounting ne twork de vice s , are not pos s ible without adminis trative privile ge s . As a
re s ult, s ys te m adminis trators mus t de cide how much acce s s the us e rs on the ir ne twork
s hould re ce ive .

4.2.1. Disallowing Root Access


If an adminis trator is uncomfortable allowing us e rs to log in as root for the s e or othe r
re as ons , the root pas s word s hould be ke pt s e cre t, and acce s s to runle ve l one or s ingle
us e r mode s hould be dis allowe d through boot loade r pas s word prote ction (s e e
Se ction 4.2.5, Se curing the Boot Loade r for more information on this topic.)
The following are four diffe re nt ways that an adminis trator can furthe r e ns ure that root
logins are dis allowe d:
Changing t he ro o t shell
To pre ve nt us e rs from logging in dire ctly as root, the s ys te m adminis trator can
s e t the root account's s he ll to /sbin/nologin in the /etc/passwd file .
T able 4.2. Disabling t he Ro o t Shell
Ef f ect s

Do es No t Af f ect

Pre ve nts acce s s to a root s he ll and


logs any s uch atte mpts . The following
programs are pre ve nte d from
acce s s ing the root account:

Programs that do not re quire a s he ll,


s uch as FTP clie nts , mail clie nts , and
many s e tuid programs . The following
programs are not pre ve nte d from
acce s s ing the root account:

login
gdm
kdm
xdm
su
ssh
scp
sftp

sudo
FTP clie nts
Email clie nts

Disabling ro o t access via any co nso le device (t t y)


To furthe r limit acce s s to the root account, adminis trators can dis able root logins
at the cons ole by e diting the /etc/securetty file . This file lis ts all de vice s the
root us e r is allowe d to log into. If the file doe s not e xis t at all, the root us e r can
log in through any communication de vice on the s ys te m, whe the r via the cons ole
or a raw ne twork inte rface . This is dange rous , be caus e a us e r can log in to the ir
machine as root via Te lne t, which trans mits the pas s word in plain te xt ove r the
ne twork.
By de fault, Re d Hat Ente rpris e Linux 7's /etc/securetty file only allows the root
us e r to log in at the cons ole phys ically attache d to the machine . To pre ve nt the
root us e r from logging in, re move the conte nts of this file by typing the following
command at a s he ll prompt as root:
echo > /etc/securetty
To e nable securetty s upport in the KDM, GDM, and XDM login manage rs , add the
following line :

37

Se c ur it y Guide

auth [user_unknown=ignore success=ok ignore=ignore default=bad]


pam_securetty.so
to the file s lis te d be low:
/etc/pam.d/gdm
/etc/pam.d/gdm-autologin
/etc/pam.d/gdm-fingerprint
/etc/pam.d/gdm-password
/etc/pam.d/gdm-smartcard
/etc/pam.d/kdm
/etc/pam.d/kdm-np
/etc/pam.d/xdm

Warning
A blank /etc/securetty file doe s not pre ve nt the root us e r from logging
in re mote ly us ing the Ope nSSH s uite of tools be caus e the cons ole is not
ope ne d until afte r authe ntication.

T able 4.3. Disabling Ro o t Lo gins


Ef f ect s

Do es No t Af f ect

Pre ve nts acce s s to the root account


via the cons ole or the ne twork. The
following programs are pre ve nte d
from acce s s ing the root account:

Programs that do not log in as root,


but pe rform adminis trative tas ks
through s e tuid or othe r me chanis ms .
The following programs are not
pre ve nte d from acce s s ing the root
account:

login
gdm
kdm
xdm
Othe r ne twork s e rvice s that ope n a
tty

su
sudo
ssh
scp
sftp

Disabling ro o t SSH lo gins


To pre ve nt root logins via the SSH protocol, e dit the SSH dae mon's configuration
file , /etc/ssh/sshd_config, and change the line that re ads :
#PermitRootLogin yes
to re ad as follows :
PermitRootLogin no

38

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

T able 4.4. Disabling Ro o t SSH Lo gins


Ef f ect s

Do es No t Af f ect

Pre ve nts root acce s s via the


Ope nSSH s uite of tools . The following
programs are pre ve nte d from
acce s s ing the root account:

Programs that are not part of the


Ope nSSH s uite of tools .

ssh
scp
sftp

Using PAM t o limit ro o t access t o services


PAM, through the /lib/security/pam_listfile.so module , allows gre at
fle xibility in de nying s pe cific accounts . The adminis trator can us e this module to
re fe re nce a lis t of us e rs who are not allowe d to log in. To limit root acce s s to a
s ys te m s e rvice , e dit the file for the targe t s e rvice in the /etc/pam.d/ dire ctory
and make s ure the pam_listfile.so module is re quire d for authe ntication.
The following is an e xample of how the module is us e d for the vsftpd FTP s e rve r
in the /etc/pam.d/vsftpd PAM configuration file (the \ characte r at the e nd of
the firs t line is not ne ce s s ary if the dire ctive is on a s ingle line ):
auth
required
/lib/security/pam_listfile.so
item=user \
sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
This ins tructs PAM to cons ult the /etc/vsftpd.ftpusers file and de ny acce s s to
the s e rvice for any lis te d us e r. The adminis trator can change the name of this
file , and can ke e p s e parate lis ts for e ach s e rvice or us e one ce ntral lis t to de ny
acce s s to multiple s e rvice s .
If the adminis trator wants to de ny acce s s to multiple s e rvice s , a s imilar line can
be adde d to the PAM configuration file s , s uch as /etc/pam.d/pop and
/etc/pam.d/imap for mail clie nts , or /etc/pam.d/ssh for SSH clie nts .
For more information about PAM, s e e The Linux-PAM System Administrator's Guide,
locate d in the /usr/share/doc/pam-<version>/html/ dire ctory.
T able 4.5. Disabling Ro o t Using PAM

39

Se c ur it y Guide

Ef f ect s

Do es No t Af f ect

Pre ve nts root acce s s to ne twork


s e rvice s that are PAM aware . The
following s e rvice s are pre ve nte d from
acce s s ing the root account:

Programs and s e rvice s that are not


PAM aware .

login
gdm
kdm
xdm
ssh
scp
sftp
FTP clie nts
Email clie nts
Any PAM aware s e rvice s

4.2.2. Allowing Root Access


If the us e rs within an organiz ation are trus te d and compute r-lite rate , the n allowing the m
root acce s s may not be an is s ue . Allowing root acce s s by us e rs me ans that minor
activitie s , like adding de vice s or configuring ne twork inte rface s , can be handle d by the
individual us e rs , le aving s ys te m adminis trators fre e to de al with ne twork s e curity and
othe r important is s ue s .
On the othe r hand, giving root acce s s to individual us e rs can le ad to the following is s ue s :
Machine Misconfiguration Us e rs with root acce s s can mis configure the ir machine s
and re quire as s is tance to re s olve is s ue s . Eve n wors e , the y might ope n up s e curity
hole s without knowing it.
Running Insecure Services Us e rs with root acce s s might run ins e cure s e rve rs on
the ir machine , s uch as FTP or Te lne t, pote ntially putting us e rname s and pas s words at
ris k. The s e s e rvice s trans mit this information ove r the ne twork in plain te xt.
Running Email Attachments As Root Although rare , e mail virus e s that affe ct Linux do
e xis t. A malicious program pos e s the gre ate s t thre at whe n run by the root us e r.
Keeping the audit trail intact Be caus e the root account is ofte n s hare d by multiple
us e rs , s o that multiple s ys te m adminis trators can maintain the s ys te m, it is impos s ible
to figure out which of thos e us e rs was root at a give n time . Whe n us ing s e parate
logins , the account a us e r logs in with, as we ll as a unique numbe r for s e s s ion tracking
purpos e s , is put into the tas k s tructure , which is inhe rite d by e ve ry proce s s that the
us e r s tarts . Whe n us ing concurre nt logins , the unique numbe r can be us e d to trace
actions to s pe cific logins . Whe n an action ge ne rate s an audit e ve nt, it is re corde d with
the login account and the s e s s ion as s ociate d with that unique numbe r. Us e the aulast
command to vie w the s e logins and s e s s ions . The --proof option of the aulast
command can be us e d s ugge s t a s pe cific ausearch que ry to is olate auditable e ve nts
ge ne rate d by a particular s e s s ion. For more information about the Audit s ys te m, s e e
Chapte r 5, System Auditing.

4.2.3. Limit ing Root Access

40

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Rathe r than comple te ly de nying acce s s to the root us e r, the adminis trator may want to
allow acce s s only via s e tuid programs , s uch as su or sudo. For more information on su and
sudo, s e e the Gaining Privile ge s chapte r in Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide , and the su(1) and sudo(8) man page s .

4.2.4. Enabling Aut omat ic Logout s


Whe n the us e r is logge d in as root, an unatte nde d login s e s s ion may pos e a s ignificant
s e curity ris k. To re duce this ris k, you can configure the s ys te m to automatically log out
idle us e rs afte r a fixe d pe riod of time .
1. As root, add the following line at the be ginning of the /etc/profile file to make
s ure the proce s s ing of this file cannot be inte rrupte d:
trap "" 1 2 3 15
2. As root, ins e rt the following line s to the /etc/profile file to automatically log out
afte r 120 s e conds :
export TMOUT=120
readonly TMOUT
The TMOUT variable te rminate s the s he ll if the re is no activity for the s pe cifie d
numbe r of s e conds (s e t to 120 in the above e xample ). You can change the limit
according to the ne e ds of the particular ins tallation.

4.2.5. Securing t he Boot Loader


The primary re as ons for pas s word prote cting a Linux boot loade r are as follows :
1. Preventing Access to Single User Mode If attacke rs can boot the s ys te m into
s ingle us e r mode , the y are logge d in automatically as root without be ing prompte d
for the root pas s word.

Warning
Prote cting acce s s to s ingle us e r mode with a pas s word by e diting the SINGLE
parame te r in the /etc/sysconfig/init file is not re comme nde d. An attacke r
can bypas s the pas s word by s pe cifying a cus tom initial command (us ing the
init= parame te r) on the ke rne l command line in GRUB 2. It is re comme nde d
to pas s word-prote ct the GRUB 2 boot loade r, as de s cribe d in the GRUB 2
Pas s word Prote ction chapte r in Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide .
2. Preventing Access to the GRUB 2 Console If the machine us e s GRUB 2 as its boot
loade r, an attacke r can us e the GRUB 2 e ditor inte rface to change its configuration
or to gathe r information us ing the cat command.
3. Preventing Access to Insecure Operating Systems If it is a dual-boot s ys te m, an
attacke r can s e le ct an ope rating s ys te m at boot time , for e xample DOS, which
ignore s acce s s controls and file pe rmis s ions .

41

Se c ur it y Guide

Re d Hat Ente rpris e Linux 7 s hips with the GRUB 2 boot loade r on the Inte l 64 and AMD64
platform. For a de taile d look at GRUB 2, s e e the Working With the GRUB 2 Boot Loade r
chapte r in Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide .

4.2.5.1. Disabling Int eract ive St art up


Pre s s ing the I ke y at the be ginning of the boot s e que nce allows you to s tart up your
s ys te m inte ractive ly. During an inte ractive s tartup, the s ys te m prompts you to s tart up
e ach s e rvice one by one . Howe ve r, this may allow an attacke r who gains phys ical acce s s
to your s ys te m to dis able the s e curity-re late d s e rvice s and gain acce s s to the s ys te m.
To pre ve nt us e rs from s tarting up the s ys te m inte ractive ly, as root, dis able the PROMPT
parame te r in the /etc/sysconfig/init file :
PROMPT=no

4.2.6. Prot ect ing Hard and Symbolic Links


To pre ve nt malicious us e rs from e xploiting pote ntial vulne rabilitie s caus e d by unprote cte d
hard and s ymbolic links , Re d Hat Ente rpris e Linux 7 include s a fe ature that only allows
links to be cre ate d or followe d provide d ce rtain conditions are me t.
In cas e of hard links , one of the following ne e ds to be true :
The us e r owns the file to which the y link.
The us e r alre ady has re ad and write acce s s to the file to which the y link.
In cas e of s ymbolic links , proce s s e s are only pe rmitte d to follow links whe n outs ide of
world-write able dire ctorie s with s ticky bits , or one of the following ne e ds to be true :
The proce s s following the s ymbolic link is the owne r of the s ymbolic link.
The owne r of the dire ctory is the s ame as the owne r of the s ymbolic link.
This prote ction is turne d on by de fault. It is controlle d by the following options in the
/usr/lib/sysctl.d/50-default.conf file :
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
To ove rride the de fault s e ttings and dis able the prote ction, cre ate a ne w configuration file
calle d, for e xample , 51-no-protect-links.conf in the /etc/sysctl.d/ dire ctory with
the following conte nt:
fs.protected_hardlinks = 0
fs.protected_symlinks = 0

42

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

No te
Note that in orde r to ove rride the de fault s ys te m s e ttings , the ne w configuration file
ne e ds to have the .conf e xte ns ion, and it ne e ds to be re ad after the de fault
s ys te m file (the file s are re ad in le xicographic orde r, the re fore s e ttings containe d in
a file with a highe r numbe r at the be ginning of the file name take pre ce de nce ).
Se e the s ys ctl.d(5) manual page for more de taile d information about the configuration of
ke rne l parame te rs at boot us ing the sysctl me chanis m.

4.3. Securing Services


While us e r acce s s to adminis trative controls is an important is s ue for s ys te m
adminis trators within an organiz ation, monitoring which ne twork s e rvice s are active is of
paramount importance to anyone who adminis te rs and ope rate s a Linux s ys te m.
Many s e rvice s unde r Re d Hat Ente rpris e Linux 7 are ne twork s e rve rs . If a ne twork s e rvice
is running on a machine , the n a s e rve r application (calle d a daemon), is lis te ning for
conne ctions on one or more ne twork ports . Each of the s e s e rve rs s hould be tre ate d as a
pote ntial ave nue of attack.

4.3.1. Risks T o Services


Ne twork s e rvice s can pos e many ris ks for Linux s ys te ms . Be low is a lis t of s ome of the
primary is s ue s :
Denial of Service Attacks (DoS) By flooding a s e rvice with re que s ts , a de nial of
s e rvice attack can re nde r a s ys te m unus able as it trie s to log and ans we r e ach
re que s t.
Distributed Denial of Service Attack (DDoS) A type of DoS attack which us e s multiple
compromis e d machine s (ofte n numbe ring in the thous ands or more ) to dire ct a
coordinate d attack on a s e rvice , flooding it with re que s ts and making it unus able .
Script Vulnerability Attacks If a s e rve r is us ing s cripts to e xe cute s e rve r-s ide actions ,
as We b s e rve rs commonly do, an attacke r can targe t imprope rly writte n s cripts . The s e
s cript vulne rability attacks can le ad to a buffe r ove rflow condition or allow the attacke r
to alte r file s on the s ys te m.
Buffer Overflow Attacks Se rvice s that want to lis te n on ports 1 through 1023 mus t
s tart e ithe r with adminis trative privile ge s or the CAP_NET_BIND_SERVICE capability
ne e ds to be s e t for the m. Once a proce s s is bound to a port and is lis te ning on it, the
privile ge s or the capability are ofte n droppe d. If the privile ge s or the capability are not
droppe d, and the application has an e xploitable buffe r ove rflow, an attacke r could gain
acce s s to the s ys te m as the us e r running the dae mon. Be caus e e xploitable buffe r
ove rflows e xis t, cracke rs us e automate d tools to ide ntify s ys te ms with vulne rabilitie s ,
and once the y have gaine d acce s s , the y us e automate d rootkits to maintain the ir
acce s s to the s ys te m.

43

Se c ur it y Guide

No te
The thre at of buffe r ove rflow vulne rabilitie s is mitigate d in Re d Hat
Ente rpris e Linux 7 by ExecShield, an e xe cutable me mory s e gme ntation and
prote ction te chnology s upporte d by x86-compatible uni- and multi-proce s s or ke rne ls .
Exe cShie ld re duce s the ris k of buffe r ove rflow by s e parating virtual me mory into
e xe cutable and non-e xe cutable s e gme nts . Any program code that trie s to e xe cute
outs ide of the e xe cutable s e gme nt (s uch as malicious code inje cte d from a buffe r
ove rflow e xploit) trigge rs a s e gme ntation fault and te rminate s .
Exe cs hie ld als o include s s upport for No eXecute (NX) te chnology on AMD64
platforms and Inte l 64 s ys te ms . The s e te chnologie s work in conjunction with
Exe cShie ld to pre ve nt malicious code from running in the e xe cutable portion of
virtual me mory with a granularity of 4KB of e xe cutable code , lowe ring the ris k of
attack from buffe r ove rflow e xploits .

Impo rtant
To limit e xpos ure to attacks ove r the ne twork, all s e rvice s that are unus e d s hould
be turne d off.

4.3.2. Ident if ying and Conf iguring Services


To e nhance s e curity, mos t ne twork s e rvice s ins talle d with Re d Hat Ente rpris e Linux 7 are
turne d off by de fault. The re are , howe ve r, s ome notable e xce ptions :
cups The de fault print s e rve r for Re d Hat Ente rpris e Linux 7.
cups-lpd An alte rnative print s e rve r.
xinetd A s upe r s e rve r that controls conne ctions to a range of s ubordinate s e rve rs ,
s uch as gssftp and telnet.
sshd The Ope nSSH s e rve r, which is a s e cure re place me nt for Te lne t.
Whe n de te rmining whe the r to le ave the s e s e rvice s running, it is be s t to us e common
s e ns e and avoid taking any ris ks . For e xample , if a printe r is not available , do not le ave
cups running. The s ame is true for portreserve. If you do not mount NFSv3 volume s or
us e NIS (the ypbind s e rvice ), the n rpcbind s hould be dis able d. Che cking which ne twork
s e rvice s are available to s tart at boot time is not s ufficie nt. It is re comme nde d to als o
che ck which ports are ope n and lis te ning. Re fe r to Se ction 4.4.2, Ve rifying Which Ports Are
Lis te ning for more information.

4.3.3. Insecure Services


Pote ntially, any ne twork s e rvice is ins e cure . This is why turning off unus e d s e rvice s is s o
important. Exploits for s e rvice s are routine ly re ve ale d and patche d, making it ve ry
important to re gularly update package s as s ociate d with any ne twork s e rvice . Se e
Chapte r 3, Keeping Your System Up-to-Date for more information.
Some ne twork protocols are inhe re ntly more ins e cure than othe rs . The s e include any
s e rvice s that:

44

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Transmit Usernames and Passwords Over a Network Unencrypted Many olde r


protocols , s uch as Te lne t and FTP, do not e ncrypt the authe ntication s e s s ion and s hould
be avoide d whe ne ve r pos s ible .
Transmit Sensitive Data Over a Network Unencrypted Many protocols trans mit data
ove r the ne twork une ncrypte d. The s e protocols include Te lne t, FTP, HTTP, and SMTP.
Many ne twork file s ys te ms , s uch as NFS and SMB, als o trans mit information ove r the
ne twork une ncrypte d. It is the us e r's re s pons ibility whe n us ing the s e protocols to limit
what type of data is trans mitte d.
Example s of inhe re ntly ins e cure s e rvice s include rlogin, rsh, telnet, and vsftpd.
All re mote login and s he ll programs (rlogin, rsh, and telnet) s hould be avoide d in favor
of SSH. Se e Se ction 4.3.11, Se curing SSH for more information about sshd.
FTP is not as inhe re ntly dange rous to the s e curity of the s ys te m as re mote s he lls , but
FTP s e rve rs mus t be care fully configure d and monitore d to avoid proble ms . Se e
Se ction 4.3.9, Se curing FTP for more information about s e curing FTP s e rve rs .
Se rvice s that s hould be care fully imple me nte d and be hind a fire wall include :
auth
nfs-server
smb and nbm (Samba)
yppasswdd
ypserv
ypxfrd
More information on s e curing ne twork s e rvice s is available in Se ction 4.4, Se curing
Ne twork Acce s s .

4.3.4. Securing rpcbind


The rpcbind s e rvice is a dynamic port as s ignme nt dae mon for RPC s e rvice s s uch as NIS
and NFS. It has we ak authe ntication me chanis ms and has the ability to as s ign a wide range
of ports for the s e rvice s it controls . For the s e re as ons , it is difficult to s e cure .

No te
Se curing rpcbind only affe cts NFSv2 and NFSv3 imple me ntations , s ince NFSv4 no
longe r re quire s it. If you plan to imple me nt an NFSv2 or NFSv3 s e rve r, the n rpcbind
is re quire d, and the following s e ction applie s .
If running RPC s e rvice s , follow the s e bas ic rule s .

4.3.4.1. Prot ect rpcbind Wit h T CP Wrappers


It is important to us e TCP Wrappe rs to limit which ne tworks or hos ts have acce s s to the
rpcbind s e rvice s ince it has no built-in form of authe ntication.

45

Se c ur it y Guide

Furthe r, us e only IP addre s s e s whe n limiting acce s s to the s e rvice . Avoid us ing
hos tname s , as the y can be forge d by DNS pois oning and othe r me thods .

4.3.4.2. Prot ect rpcbind Wit h f irewalld


To furthe r re s trict acce s s to the rpcbind s e rvice , it is a good ide a to add firewalld rule s
to the s e rve r and re s trict acce s s to s pe cific ne tworks .
Be low are two e xample firewalld rich language commands . The firs t allows TCP
conne ctions to the port 111 (us e d by the rpcbind s e rvice ) from the 192.168.0.0/24
ne twork. The s e cond allows TCP conne ctions to the s ame port from the localhos t. All othe r
packe ts are droppe d.
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111"
protocol="tcp" source address="192.168.0.0/24" invert="True" drop'
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111"
protocol="tcp" source address="127.0.0.1" accept'
To s imilarly limit UDP traffic, us e the following command:
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111"
protocol="udp" source address="192.168.0.0/24" invert="True" drop'

No te
Add --permanent to the firewalld rich language commands to make the s e ttings
pe rmane nt. Se e Se ction 4.5, Us ing Fire walls for more information about
imple me nting fire walls .

4.3.5. Securing rpc.mount d


The rpc.mountd dae mon imple me nts the s e rve r s ide of the NFS MOUNT protocol, a
protocol us e d by NFS ve rs ion 2 (RFC 1904) and NFS ve rs ion 3 (RFC 1813).
If running RPC s e rvice s , follow the s e bas ic rule s .

4.3.5.1. Prot ect rpc.mount d Wit h T CP Wrappers


It is important to us e TCP Wrappe rs to limit which ne tworks or hos ts have acce s s to the
rpc.mountd s e rvice s ince it has no built-in form of authe ntication.
Furthe r, us e only IP addre s s e s whe n limiting acce s s to the s e rvice . Avoid us ing hos t
name s , as the y can be forge d by DNS pois oning and othe r me thods .

4.3.5.2. Prot ect rpc.mount d Wit h f irewalld


To furthe r re s trict acce s s to the rpc.mountd s e rvice , add firewalld rich language rule s
to the s e rve r and re s trict acce s s to s pe cific ne tworks .
Be low are two e xample firewalld rich language commands . The firs t allows mountd
conne ctions from the 192.168.0.0/24 ne twork. The s e cond allows mountd conne ctions
from the local hos t. All othe r packe ts are droppe d.

46

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source NOT


address="192.168.0.0/24" service name="mountd" drop'
~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source
address="127.0.0.1" service name="mountd" accept'

No te
Add --permanent to the firewalld rich language commands to make the s e ttings
pe rmane nt. Se e Se ction 4.5, Us ing Fire walls for more information about
imple me nting fire walls .

4.3.6. Securing NIS


The Network Information Service (NIS) is an RPC s e rvice , calle d ypserv, which is us e d in
conjunction with rpcbind and othe r re late d s e rvice s to dis tribute maps of us e rname s ,
pas s words , and othe r s e ns itive information to any compute r claiming to be within its
domain.
A NIS s e rve r is compris e d of s e ve ral applications . The y include the following:
/usr/sbin/rpc.yppasswdd Als o calle d the yppasswdd s e rvice , this dae mon allows
us e rs to change the ir NIS pas s words .
/usr/sbin/rpc.ypxfrd Als o calle d the ypxfrd s e rvice , this dae mon is re s pons ible
for NIS map trans fe rs ove r the ne twork.
/usr/sbin/ypserv This is the NIS s e rve r dae mon.
NIS is s ome what ins e cure by today's s tandards . It has no hos t authe ntication me chanis ms
and trans mits all of its information ove r the ne twork une ncrypte d, including pas s word
has he s . As a re s ult, e xtre me care mus t be take n whe n s e tting up a ne twork that us e s
NIS. This is furthe r complicate d by the fact that the de fault configuration of NIS is
inhe re ntly ins e cure .
It is re comme nde d that anyone planning to imple me nt a NIS s e rve r firs t s e cure the
rpcbind s e rvice as outline d in Se ction 4.3.4, Se curing rpcbind, the n addre s s the
following is s ue s , s uch as ne twork planning.

4.3.6.1. Caref ully Plan t he Net work


Be caus e NIS trans mits s e ns itive information une ncrypte d ove r the ne twork, it is important
the s e rvice be run be hind a fire wall and on a s e gme nte d and s e cure ne twork. Whe ne ve r
NIS information is trans mitte d ove r an ins e cure ne twork, it ris ks be ing inte rce pte d. Care ful
ne twork de s ign can he lp pre ve nt s e ve re s e curity bre ache s .

4.3.6.2. Use a Password-like NIS Domain Name and Host name


Any machine within a NIS domain can us e commands to e xtract information from the
s e rve r without authe ntication, as long as the us e r knows the NIS s e rve r's DNS hos tname
and NIS domain name .
For ins tance , if s ome one e ithe r conne cts a laptop compute r into the ne twork or bre aks into
the ne twork from outs ide (and manage s to s poof an inte rnal IP addre s s ), the following
command re ve als the /etc/passwd map:

47

Se c ur it y Guide

ypcat -d <NIS_domain> -h <DNS_hostname> passwd


If this attacke r is a root us e r, the y can obtain the /etc/shadow file by typing the following
command:
ypcat -d <NIS_domain> -h <DNS_hostname> shadow

No te
If Ke rbe ros is us e d, the /etc/shadow file is not s tore d within a NIS map.
To make acce s s to NIS maps harde r for an attacke r, cre ate a random s tring for the DNS
hos tname , s uch as o7hfawtgmhwg.domain.com. Similarly, cre ate a different randomiz e d
NIS domain name . This make s it much more difficult for an attacke r to acce s s the NIS
s e rve r.

4.3.6.3. Edit t he /var/yp/securenets File


If the /var/yp/securenets file is blank or doe s not e xis t (as is the cas e afte r a de fault
ins tallation), NIS lis te ns to all ne tworks . One of the firs t things to do is to put
ne tmas k/ne twork pairs in the file s o that ypserv only re s ponds to re que s ts from the
appropriate ne twork.
Be low is a s ample e ntry from a /var/yp/securenets file :
255.255.255.0

192.168.0.0

Warning
Ne ve r s tart a NIS s e rve r for the firs t time without cre ating the /var/yp/securenets
file .
This te chnique doe s not provide prote ction from an IP s poofing attack, but it doe s at le as t
place limits on what ne tworks the NIS s e rve r s e rvice s .

4.3.6.4. Assign St at ic Port s and Use Rich Language Rules


All of the s e rve rs re late d to NIS can be as s igne d s pe cific ports e xce pt for rpc.yppasswdd
the dae mon that allows us e rs to change the ir login pas s words . As s igning ports to the
othe r two NIS s e rve r dae mons , rpc.ypxfrd and ypserv, allows for the cre ation of fire wall
rule s to furthe r prote ct the NIS s e rve r dae mons from intrude rs .
To do this , add the following line s to /etc/sysconfig/network:
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
The following rich language firewalld rule s can the n be us e d to e nforce which ne twork
the s e rve r lis te ns to for the s e ports :

48

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]# firewall-cmd --add-rich-rule='rule


address="192.168.0.0/24" invert="True"
protocol="tcp" drop'
~]# firewall-cmd --add-rich-rule='rule
address="192.168.0.0/24" invert="True"
protocol="udp" drop'

family="ipv4" source
port port="834-835"
family="ipv4" source
port port="834-835"

This me ans that the s e rve r only allows conne ctions to ports 834 and 835 if the re que s ts
come from the 192.168.0.0/24 ne twork. The firs t rule is for TCP and the s e cond for UDP.

No te
Se e Se ction 4.5, Us ing Fire walls for more information about imple me nting fire walls
with iptable s commands .

4.3.6.5. Use Kerberos Aut hent icat ion


One of the is s ue s to cons ide r whe n NIS is us e d for authe ntication is that whe ne ve r a us e r
logs into a machine , a pas s word has h from the /etc/shadow map is s e nt ove r the
ne twork. If an intrude r gains acce s s to a NIS domain and s niffs ne twork traffic, the y can
colle ct us e rname s and pas s word has he s . With e nough time , a pas s word cracking program
can gue s s we ak pas s words , and an attacke r can gain acce s s to a valid account on the
ne twork.
Since Ke rbe ros us e s s e cre t-ke y cryptography, no pas s word has he s are e ve r s e nt ove r
the ne twork, making the s ys te m far more s e cure . Se e the Authe ntication: Ke rbe ros KDC
s e ction in the Linux Domain Ide ntity, Authe ntication, and Policy Guide for more information
about Ke rbe ros .

4.3.7. Securing NFS

Impo rtant
NFS traffic can be s e nt us ing TCP in all ve rs ions , it s hould be us e d with NFSv3,
rathe r than UDP, and is re quire d whe n us ing NFSv4. All ve rs ions of NFS s upport
Ke rbe ros us e r and group authe ntication, as part of the RPCSEC_GSS ke rne l module .
Information on rpcbind is s till include d, s ince Re d Hat Ente rpris e Linux 7 s upports
NFSv3 which utiliz e s rpcbind.

4.3.7.1. Caref ully Plan t he Net work


NFSv2 and NFSv3 traditionally pas s e d data ins e cure ly. All ve rs ions of NFS now have the
ability to authe nticate (and optionally e ncrypt) ordinary file s ys te m ope rations us ing
Ke rbe ros . Unde r NFSv4 all ope rations can us e Ke rbe ros ; unde r v2 or v3, file locking and
mounting s till do not us e it. Whe n us ing NFSv4.0, de le gations may be turne d off if the
clie nts are be hind NAT or a fire wall. For information on the us e of NFSv4.1 to allow
de le gations to ope rate through NAT and fire walls , s e e the pNFS s e ction of the Re d Hat
Ente rpris e Linux 7 Storage Adminis tration Guide .

4.3.7.2. Securing NFS Mount Opt ions

49

Se c ur it y Guide

The us e of the mount command in the /etc/fstab file is e xplaine d in the Us ing the mount
Command chapte r of the Re d Hat Ente rpris e Linux 7 Storage Adminis tration Guide . From a
s e curity adminis tration point of vie w it is worthwhile to note that the NFS mount options
can als o be s pe cifie d in /etc/nfsmount.conf, which can be us e d to s e t cus tom de fault
options .
4.3.7.2.1. Review t he NFS Server

Warning
Only e xport e ntire file s ys te ms . Exporting a s ubdire ctory of a file s ys te m can be a
s e curity is s ue . It is pos s ible in s ome cas e s for a clie nt to "bre ak out" of the
e xporte d part of the file s ys te m and ge t to une xporte d parts (s e e the s e ction on
s ubtre e che cking in the exports(5) man page .
Us e the ro option to e xport the file s ys te m as re ad-only whe ne ve r pos s ible to re duce the
numbe r of us e rs able to write to the mounte d file s ys te m. Only us e the rw option whe n
s pe cifically re quire d. Se e the man exports(5) page for more information. Allowing write
acce s s incre as e s the ris k from s ymlink attacks for e xample . This include s te mporary
dire ctorie s s uch as /tmp and /usr/tmp.
Whe re dire ctorie s mus t be mounte d with the rw option avoid making the m world-writable
whe ne ve r pos s ible to re duce ris k. Exporting home dire ctorie s is als o vie we d as a ris k as
s ome applications s tore pas s words in cle ar te xt or we akly e ncrypte d. This ris k is be ing
re duce d as application code is re vie we d and improve d. Some us e rs do not s e t pas s words
on the ir SSH ke ys s o this too me ans home dire ctorie s pre s e nt a ris k. Enforcing the us e of
pas s words or us ing Ke rbe ros would mitigate that ris k.
Re s trict e xports only to clie nts that ne e d acce s s . Us e the showmount -e command on an
NFS s e rve r to re vie w what the s e rve r is e xporting. Do not e xport anything that is not
s pe cifically re quire d.
Do not us e the no_root_squash option and re vie w e xis ting ins tallations to make s ure it is
not us e d. Se e Se ction 4.3.7.4, Do Not Us e the no_root_s quas h Option for more
information.
The secure option is the s e rve r-s ide e xport option us e d to re s trict e xports to re s e rve d
ports . By de fault, the s e rve r allows clie nt communication only from re s e rve d ports (ports
numbe re d le s s than 1024), be caus e traditionally clie nts have only allowe d trus te d code
(s uch as in-ke rne l NFS clie nts ) to us e thos e ports . Howe ve r, on many ne tworks it is not
difficult for anyone to be come root on s ome clie nt, s o it is rare ly s afe for the s e rve r to
as s ume that communication from a re s e rve d port is privile ge d. The re fore the re s triction
to re s e rve d ports is of limite d value ; it is be tte r to re ly on Ke rbe ros , fire walls , and
re s triction of e xports to particular clie nts .
Mos t clie nts s till do us e re s e rve d ports whe n pos s ible . Howe ve r, re s e rve d ports are a
limite d re s ource , s o clie nts (e s pe cially thos e with a large numbe r of NFS mounts ) may
choos e to us e highe r-numbe re d ports as we ll. Linux clie nts may do this us ing the
nore s vport mount option. If you want to allow this on an e xport, you may do s o with the
ins e cure e xport option.
It is good practice not to allow us e rs to login to a s e rve r. While re vie wing the above
s e ttings on an NFS s e rve r conduct a re vie w of who and what can acce s s the s e rve r.
4.3.7.2.2. Review t he NFS Client

50

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Us e the nosuid option to dis allow the us e of a set uid program. The nosuid option
dis able s the set-user-identifier or set-group-identifier bits . This pre ve nts re mote
us e rs from gaining highe r privile ge s by running a s e tuid program. Us e this option on the
clie nt and the s e rve r s ide .
The noexec option dis able s all e xe cutable file s on the clie nt. Us e this to pre ve nt us e rs
from inadve rte ntly e xe cuting file s place d in the file s ys te m be ing s hare d. The nosuid and
noexec options are s tandard options for mos t, if not all, file s ys te ms .
Us e the nodev option to pre ve nt de vice -file s from be ing proce s s e d as a hardware
de vice by the clie nt.
The resvport option is a clie nt-s ide mount option and secure is the corre s ponding
s e rve r-s ide e xport option (s e e e xplanation above ). It re s tricts communication to a
"re s e rve d port". The re s e rve d or "we ll known" ports are re s e rve d for privile ge d us e rs
and proce s s e s s uch as the root us e r. Se tting this option caus e s the clie nt to us e a
re s e rve d s ource port to communicate with the s e rve r.
All ve rs ions of NFS now s upport mounting with Ke rbe ros authe ntication. The mount option
to e nable this is : sec=krb5.
NFSv4 s upports mounting with Ke rbe ros us ing krb5i for inte grity and krb5p for privacy
prote ction. The s e are us e d whe n mounting with sec=krb5, but ne e d to be configure d on
the NFS s e rve r. Se e the man page on e xports (man 5 exports) for more information.
The NFS man page (man 5 nfs) has a SECURITY CONSIDERATIONS s e ction which e xplains
the s e curity e nhance me nts in NFSv4 and contains all the NFS s pe cific mount options .

4.3.7.3. Beware of Synt ax Errors


The NFS s e rve r de te rmine s which file s ys te ms to e xport and which hos ts to e xport the s e
dire ctorie s to by cons ulting the /etc/exports file . Be care ful not to add e xtrane ous
s pace s whe n e diting this file .
For ins tance , the following line in the /etc/exports file s hare s the dire ctory /tmp/nfs/ to
the hos t bob.example.com with re ad/write pe rmis s ions .
/tmp/nfs/

bob.example.com(rw)

The following line in the /etc/exports file , on the othe r hand, s hare s the s ame dire ctory
to the hos t bob.example.com with re ad-only pe rmis s ions and s hare s it to the world with
re ad/write pe rmis s ions due to a s ingle s pace characte r afte r the hos tname .
/tmp/nfs/

bob.example.com (rw)

It is good practice to che ck any configure d NFS s hare s by us ing the showmount command
to ve rify what is be ing s hare d:
showmount -e <hostname>

4.3.7.4. Do Not Use t he no_root _squash Opt ion


By de fault, NFS s hare s change the root us e r to the nfsnobody us e r, an unprivile ge d us e r
account. This change s the owne r of all root-cre ate d file s to nfsnobody, which pre ve nts
uploading of programs with the s e tuid bit s e t.

51

Se c ur it y Guide

If no_root_squash is us e d, re mote root us e rs are able to change any file on the s hare d
file s ys te m and le ave applications infe cte d by Trojans for othe r us e rs to inadve rte ntly
e xe cute .

4.3.7.5. NFS Firewall Conf igurat ion


NFSv4 is the de fault ve rs ion of NFS for Re d Hat Ente rpris e Linux 7 and it only re quire s port
2049 to be ope n for TCP. If us ing NFSv3 the n four additional ports are re quire d as
e xplaine d be low.
Co nf iguring Po rt s f o r NFSv3
The ports us e d for NFS are as s igne d dynamically by rpcbind, which can caus e proble ms
whe n cre ating fire wall rule s . To s implify this proce s s , us e the /etc/sysconfig/nfs file to
s pe cify which ports are to be us e d:
MOUNTD_PORT TCP and UDP port for mountd (rpc.mountd)
STATD_PORT TCP and UDP port for s tatus (rpc.s tatd)
LOCKD_TCPPORT TCP port for nlockmgr (rpc.lockd)
LOCKD_UDPPORT UDP port nlockmgr (rpc.lockd)
Port numbe rs s pe cifie d mus t not be us e d by any othe r s e rvice . Configure your fire wall to
allow the port numbe rs s pe cifie d, as we ll as TCP and UDP port 2049 (NFS).
Run the rpcinfo -p command on the NFS s e rve r to s e e which ports and RPC programs
are be ing us e d.

4.3.8. Securing t he Apache HT T P Server


The Apache HTTP Se rve r is one of the mos t s table and s e cure s e rvice s that s hips with
Re d Hat Ente rpris e Linux 7. A large numbe r of options and te chnique s are available to
s e cure the Apache HTTP Se rve r too nume rous to de lve into de e ply he re . The following
s e ction brie fly e xplains good practice s whe n running the Apache HTTP Se rve r.
Always ve rify that any s cripts running on the s ys te m work as inte nde d before putting the m
into production. Als o, e ns ure that only the root us e r has write pe rmis s ions to any dire ctory
containing s cripts or CGIs . To do this , run the following commands as the root us e r:
chown root <directory_name>
chmod 755 <directory_name>
Sys te m adminis trators s hould be care ful whe n us ing the following configuration options
(configure d in /etc/httpd/conf/httpd.conf):
FollowSymLinks
This dire ctive is e nable d by de fault, s o be s ure to us e caution whe n cre ating
s ymbolic links to the docume nt root of the We b s e rve r. For ins tance , it is a bad
ide a to provide a s ymbolic link to /.
Indexes

52

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

This dire ctive is e nable d by de fault, but may not be de s irable . To pre ve nt vis itors
from brows ing file s on the s e rve r, re move this dire ctive .
UserDir
The UserDir dire ctive is dis able d by de fault be caus e it can confirm the pre s e nce
of a us e r account on the s ys te m. To e nable us e r dire ctory brows ing on the
s e rve r, us e the following dire ctive s :
UserDir enabled
UserDir disabled root
The s e dire ctive s activate us e r dire ctory brows ing for all us e r dire ctorie s othe r
than /root/. To add us e rs to the lis t of dis able d accounts , add a s pace -de limite d
lis t of us e rs on the UserDir disabled line .
ServerTokens
The ServerTokens dire ctive controls the s e rve r re s pons e he ade r fie ld which is
s e nt back to clie nts . It include s various information which can be cus tomiz e d us ing
the following parame te rs :
ServerTokens Full (de fault option) provide s all available information (OS
type and us e d module s ), for e xample :
Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens Prod or ServerTokens ProductOnly provide s the following
information:
Apache
ServerTokens Major provide s the following information:
Apache/2
ServerTokens Minor provide s the following information:
Apache/2.0
ServerTokens Min or ServerTokens Minimal provide s the following
information:
Apache/2.0.41
ServerTokens OS provide s the following information:
Apache/2.0.41 (Unix)
It is re comme nde d to us e the ServerTokens Prod option s o that a pos s ible
attacke r doe s not gain any valuable information about your s ys te m.

53

Se c ur it y Guide

Impo rtant
Do not re move the IncludesNoExec dire ctive . By de fault, the Server-Side Includes
(SSI) module cannot e xe cute commands . It is re comme nde d that you do not change
this s e tting unle s s abs olute ly ne ce s s ary, as it could, pote ntially, e nable an attacke r
to e xe cute commands on the s ys te m.

Removing ht t pd Modules
In ce rtain s ce narios , it is be ne ficial to re move ce rtain httpd module s to limit the
functionality of the HTTP Se rve r. To do s o, s imply comme nt out the e ntire line which loads
the module you want to re move in the /etc/httpd/conf/httpd.conf file . For e xample , to
re move the proxy module , comme nt out the following line by pre pe nding it with a has h
s ign:
#LoadModule proxy_module modules/mod_proxy.so
Note that the /etc/httpd/conf.d/ dire ctory contains configuration file s which are us e d to
load module s as we ll.

ht t pd and SELinux
For information, s e e the The Apache HTTP Se rve r and SELinux chapte r from the Re d Hat
Ente rpris e Linux 7 SELinux Us e r's and Adminis trator's Guide .

4.3.9. Securing FT P
The File Transfer Protocol (FTP) is an olde r TCP protocol de s igne d to trans fe r file s ove r a
ne twork. Be caus e all trans actions with the s e rve r, including us e r authe ntication, are
une ncrypte d, it is cons ide re d an ins e cure protocol and s hould be care fully configure d.
Re d Hat Ente rpris e Linux 7 provide s two FTP s e rve rs :
Red Hat Co nt ent Accelerat o r (tux) A ke rne l-s pace We b s e rve r with FTP
capabilitie s .
vsftpd A s tandalone , s e curity orie nte d imple me ntation of the FTP s e rvice .
The following s e curity guide line s are for s e tting up the vsftpd FTP s e rvice .

4.3.9.1. FT P Greet ing Banner


Be fore s ubmitting a us e rname and pas s word, all us e rs are pre s e nte d with a gre e ting
banne r. By de fault, this banne r include s ve rs ion information us e ful to cracke rs trying to
ide ntify we akne s s e s in a s ys te m.
To change the gre e ting banne r for vsftpd, add the following dire ctive to the
/etc/vsftpd/vsftpd.conf file :
ftpd_banner=<insert_greeting_here>
Re place <insert_greeting_here> in the above dire ctive with the te xt of the gre e ting
me s s age .

54

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

For mutli-line banne rs , it is be s t to us e a banne r file . To s implify manage me nt of multiple


banne rs , place all banne rs in a ne w dire ctory calle d /etc/banners/. The banne r file for
FTP conne ctions in this e xample is /etc/banners/ftp.msg. Be low is an e xample of what
s uch a file may look like :
######### Hello, all activity on ftp.example.com is logged. #########

No te
It is not ne ce s s ary to be gin e ach line of the file with 220 as s pe cifie d in
Se ction 4.4.1, Se curing Se rvice s With TCP Wrappe rs and xine td.
To re fe re nce this gre e ting banne r file for vsftpd, add the following dire ctive to the
/etc/vsftpd/vsftpd.conf file :
banner_file=/etc/banners/ftp.msg
It als o is pos s ible to s e nd additional banne rs to incoming conne ctions us ing TCP Wrappe rs
as de s cribe d in Se ction 4.4.1.1, TCP Wrappe rs and Conne ction Banne rs .

4.3.9.2. Anonymous Access


The pre s e nce of the /var/ftp/ dire ctory activate s the anonymous account.
The e as ie s t way to cre ate this dire ctory is to ins tall the vsftpd package . This package
e s tablis he s a dire ctory tre e for anonymous us e rs and configure s the pe rmis s ions on
dire ctorie s to re ad-only for anonymous us e rs .
By de fault the anonymous us e r cannot write to any dire ctorie s .

Warning
If e nabling anonymous acce s s to an FTP s e rve r, be aware of whe re s e ns itive data is
s tore d.

4.3.9.2.1. Ano nymo us Uplo ad


To allow anonymous us e rs to upload file s , it is re comme nde d that a write -only dire ctory
be cre ate d within /var/ftp/pub/. To do this , run the following command as root:
~]# mkdir /var/ftp/pub/upload
Ne xt, change the pe rmis s ions s o that anonymous us e rs cannot vie w the conte nts of the
dire ctory:
~]# chmod 730 /var/ftp/pub/upload
A long format lis ting of the dire ctory s hould look like this :

55

Se c ur it y Guide

~]# ls -ld /var/ftp/pub/upload


drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/upload
Adminis trators who allow anonymous us e rs to re ad and write in dire ctorie s ofte n find that
the ir s e rve rs be come a re pos itory of s tole n s oftware .
Additionally, unde r vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file :
anon_upload_enable=YES

4.3.9.3. User Account s


Be caus e FTP trans mits une ncrypte d us e rname s and pas s words ove r ins e cure ne tworks
for authe ntication, it is a good ide a to de ny s ys te m us e rs acce s s to the s e rve r from the ir
us e r accounts .
To dis able all us e r accounts in vsftpd, add the following dire ctive to
/etc/vsftpd/vsftpd.conf:
local_enable=NO
4.3.9.3.1. Rest rict ing User Acco unt s
To dis able FTP acce s s for s pe cific accounts or s pe cific groups of accounts , s uch as the
root us e r and thos e with sudo privile ge s , the e as ie s t way is to us e a PAM lis t file as
de s cribe d in Se ction 4.2.1, Dis allowing Root Acce s s . The PAM configuration file for vsftpd
is /etc/pam.d/vsftpd.
It is als o pos s ible to dis able us e r accounts within e ach s e rvice dire ctly.
To dis able s pe cific us e r accounts in vsftpd, add the us e rname to /etc/vsftpd/ftpusers

4.3.9.4. Use T CP Wrappers T o Cont rol Access


Us e TCP Wrappe rs to control acce s s to e ithe r FTP dae mon as outline d in Se ction 4.4.1,
Se curing Se rvice s With TCP Wrappe rs and xine td.

4.3.10. Securing Post f ix


Pos tfix is a Mail Trans fe r Age nt (MTA) that us e s the Simple Mail Trans fe r Protocol (SMTP)
to de live r e le ctronic me s s age s be twe e n othe r MTAs and to e mail clie nts or de live ry
age nts . Although many MTAs are capable of e ncrypting traffic be twe e n one anothe r, mos t
do not, s o s e nding e mail ove r any public ne tworks is cons ide re d an inhe re ntly ins e cure
form of communication. Pos tfix re place s Se ndmail as the de fault MTA in Re d Hat
Ente rpris e Linux 7.
It is re comme nde d that anyone planning to imple me nt a Pos tfix s e rve r addre s s the
following is s ue s .

4.3.10.1. Limit ing a Denial of Service At t ack


Be caus e of the nature of e mail, a de te rmine d attacke r can flood the s e rve r with mail fairly
e as ily and caus e a de nial of s e rvice . The e ffe ctive ne s s of s uch attacks can be limite d by
s e tting limits of the dire ctive s in the /etc/postfix/main.cf file . You can change the

56

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

value of the dire ctive s which are alre ady the re or you can add the dire ctive s you ne e d
with the value you want in the following format:
<directive> = <value>
. The following is a lis t of dire ctive s that can be us e d for limiting a de nial of s e rvice attack:
smtpd_client_connection_rate_limit The maximum numbe r of conne ction
atte mpts any clie nt is allowe d to make to this s e rvice pe r time unit (de s cribe d be low).
The de fault value is 0, which me ans a clie nt can make as many conne ctions pe r time
unit as Pos tfix can acce pt. By de fault, clie nts in trus te d ne tworks are e xclude d.
anvil_rate_time_unit This time unit is us e d for rate limit calculations . The de fault
value is 60 s e conds .
smtpd_client_event_limit_exceptions Clie nts that are e xclude d from the
conne ction and rate limit commands . By de fault, clie nts in trus te d ne tworks are
e xclude d.
smtpd_client_message_rate_limit The maximum numbe r of me s s age de live rie s
a clie nt is allowe d to re que s t pe r time unit (re gardle s s of whe the r or not Pos tfix
actually acce pts thos e me s s age s ).
default_process_limit The de fault maximum numbe r of Pos tfix child proce s s e s
that provide a give n s e rvice . This limit can be ove rrule d for s pe cific s e rvice s in the
master.cf file . By de fault the value is 100.
queue_minfree The minimum amount of fre e s pace in byte s in the que ue file
s ys te m that is ne e de d to re ce ive mail. This is curre ntly us e d by the Pos tfix SMTP
s e rve r to de cide if it will acce pt any mail at all. By de fault, the Pos tfix SMTP s e rve r
re je cts MAIL FROM commands whe n the amount of fre e s pace is le s s than 1.5 time s
the me s s age _s iz e _limit. To s pe cify a highe r minimum fre e s pace limit, s pe cify a
que ue _minfre e value that is at le as t 1.5 time s the me s s age _s iz e _limit. By de fault the
que ue _minfre e value is 0.
header_size_limit The maximum amount of me mory in byte s for s toring a
me s s age he ade r. If a he ade r is large r, the e xce s s is dis carde d. By de fault the value is
102400.
message_size_limit The maximum s iz e in byte s of a me s s age , including e nve lope
information. By de fault the value is 10240000.

4.3.10.2. NFS and Post f ix


Ne ve r put the mail s pool dire ctory, /var/spool/postfix/, on an NFS s hare d volume .
Be caus e NFSv2 and NFSv3 do not maintain control ove r us e r and group IDs , two or more
us e rs can have the s ame UID, and re ce ive and re ad e ach othe r's mail.

No te
With NFSv4 us ing Ke rbe ros , this is not the cas e , s ince the SECRPC_GSS ke rne l
module doe s not utiliz e UID-bas e d authe ntication. Howe ve r, it is s till cons ide re d
good practice not to put the mail s pool dire ctory on NFS s hare d volume s .

4.3.10.3. Mail-only Users

57

Se c ur it y Guide

To he lp pre ve nt local us e r e xploits on the Pos tfix s e rve r, it is be s t for mail us e rs to only
acce s s the Pos tfix s e rve r us ing an e mail program. She ll accounts on the mail s e rve r
s hould not be allowe d and all us e r s he lls in the /etc/passwd file s hould be s e t to
/sbin/nologin (with the pos s ible e xce ption of the root us e r).

4.3.10.4. Disable Post f ix Net work List ening


By de fault, Pos tfix is s e t up to only lis te n to the local loopback addre s s . You can ve rify this
by vie wing the file /etc/postfix/main.cf.
Vie w the file /etc/postfix/main.cf to e ns ure that only the following inet_interfaces
line appe ars :
inet_interfaces = localhost
This e ns ure s that Pos tfix only acce pts mail me s s age s (s uch as cron job re ports ) from the
local s ys te m and not from the ne twork. This is the de fault s e tting and prote cts Pos tfix
from a ne twork attack.
For re moval of the localhos t re s triction and allowing Pos tfix to lis te n on all inte rface s the
inet_interfaces = all s e tting can be us e d.

4.3.10.5. Conf iguring Post f ix t o Use SASL


The Re d Hat Ente rpris e Linux 7 ve rs ion of Po st f ix can us e the Do veco t or Cyrus SASL
imple me ntations for SMTP Authentication (or SMTP AUTH). SMTP Authe ntication is an
e xte ns ion of the Simple Mail Transfer Protocol. Whe n e nable d, SMTP clie nts are
re quire d to authe nticate to the SMTP s e rve r us ing an authe ntication me thod s upporte d and
acce pte d by both the s e rve r and the clie nt. This s e ction de s cribe s how to configure
Po st f ix to make us e of the Do veco t SASL imple me ntation.
To ins tall the Do veco t POP/IMAP s e rve r, and thus make the Do veco t SASL
imple me ntation available on your s ys te m, is s ue the following command as the root us e r:
~]# yum install dovecot
The Po st f ix SMTP s e rve r can communicate with the Do veco t SASL imple me ntation us ing
e ithe r a UNIX-domain socket or a TCP socket. The latte r me thod is only ne e de d in cas e the
Po st f ix and Do veco t applications are running on s e parate machine s . This guide give s
pre fe re nce to the UNIX-domain s ocke t me thod, which affords be tte r privacy.
In orde r to ins truct Po st f ix to us e the Do veco t SASL imple me ntation, a numbe r of
configuration change s ne e d to be pe rforme d for both applications . Follow the proce dure s
be low to e ffe ct the s e change s .
Set t ing Up Do veco t
1. Modify the main Do veco t configuration file , /etc/dovecot/conf.d/10master.conf, to include the following line s (the de fault configuration file alre ady
include s mos t of the re le vant s e ction, and the line s jus t ne e d to be uncomme nte d):
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix

58

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

group = postfix
}
}
The above e xample as s ume s the us e of UNIX-domain s ocke ts for communication
be twe e n Po st f ix and Do veco t . It als o as s ume s de fault s e ttings of the Po st f ix
SMTP s e rve r, which include the mail que ue locate d in the /var/spool/postfix/
dire ctory, and the application running unde r the postfix us e r and group. In this
way, re ad and write pe rmis s ions are limite d to the postfix us e r and group.
Alte rnative ly, you can us e the following configuration to s e t up Do veco t to lis te n
for Po st f ix authe ntication re que s ts via TCP:
service auth {
inet_listener {
port = 12345
}
}
In the above e xample , re place 12345 with the numbe r of the port you want to us e .
2. Edit the /etc/dovecot/conf.d/10-auth.conf configuration file to ins truct
Do veco t to provide the Po st f ix SMTP s e rve r with the plain and login
authe ntication me chanis ms :
auth_mechanisms = plain login
Set t ing Up Po st f ix
In the cas e of Po st f ix, only the main configuration file , /etc/postfix/main.cf, ne e ds to
be modifie d. Add or e dit the following configuration dire ctive s :
1. Enable SMTP Authe ntication in the Po st f ix SMTP s e rve r:
smtpd_sasl_auth_enable = yes
2. Ins truct Po st f ix to us e the Do veco t SASL imple me ntation for SMTP Authe ntication:
smtpd_sasl_type = dovecot
3. Provide the authe ntication path re lative to the Po st f ix que ue dire ctory (note that
the us e of a re lative path e ns ure s that the configuration works re gardle s s of
whe the r the Po st f ix s e rve r runs in a chro o t or not):
smtpd_sasl_path = private/auth
This s te p as s ume s that you want to us e UNIX-domain s ocke ts for communication
be twe e n Po st f ix and Do veco t . To configure Po st f ix to look for Do veco t on a
diffe re nt machine in cas e you us e TCP s ocke ts for communication, us e configuration
value s s imilar to the following:
smtpd_sasl_path = inet:127.0.0.1:12345

59

Se c ur it y Guide

In the above e xample , 127.0.0.1 ne e ds to be s ubs titute d by the IP addre s s of the


Do veco t machine and 12345 by the port s pe cifie d in Do veco t 's
/etc/dovecot/conf.d/10-master.conf configuration file .
4. Spe cify SASL me chanis ms that the Po st f ix SMTP s e rve r make s available to clie nts .
Note that diffe re nt me chanis ms can be s pe cifie d for e ncrypte d and une ncrypte d
s e s s ions .
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
The above e xample s pe cifie s that during une ncrypte d s e s s ions , no anonymous
authe ntication is allowe d and no me chanis ms that trans mit une ncrypte d us e rname s
or pas s words are allowe d. For e ncrypte d s e s s ions (us ing TLS), only non-anonymous
authe ntication me chanis ms are allowe d.
Se e http://www.pos tfix.org/SASL_README.html#s mtpd_s as l_s e curity_options for a
lis t of all s upporte d policie s for limiting allowe d SASL me chanis ms .
Addit io nal Reso urces
The following online re s ource s provide additional information us e ful for configuring
Po st f ix SMTP Authe ntication through SASL.
http://wiki2.dove cot.org/HowTo/Pos tfixAndDove cotSASL Contains information on how
to s e t up Po st f ix to us e the Do veco t SASL imple me ntation for SMTP Authe ntication.
http://www.pos tfix.org/SASL_README.html#s e rve r_s as l Contains information on how
to s e t up Po st f ix to us e e ithe r the Do veco t or Cyrus SASL imple me ntations for SMTP
Authe ntication.

4.3.11. Securing SSH


Secure Shell (SSH) is a powe rful ne twork protocol us e d to communicate with anothe r
s ys te m ove r a s e cure channe l. The trans mis s ions ove r SSH are e ncrypte d and prote cte d
from inte rce ption. Se e the Ope nSSH chapte r of the Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide for ge ne ral information about the SSH protocol and about us ing the
SSH s e rvice in Re d Hat Ente rpris e Linux 7.

Impo rtant
This s e ction draws atte ntion to the mos t common ways of s e curing an SSH s e tup. By
no me ans s hould this lis t of s ugge s te d me as ure s be cons ide re d e xhaus tive or
de finitive . Se e sshd_config(5) for a de s cription of all configuration dire ctive s
available for modifying the be havior of the sshd dae mon and to ssh(1) for an
e xplanation of bas ic SSH conce pts .

4.3.11.1. Crypt ographic Login


SSH s upports the us e of cryptographic ke ys for logging in to compute rs . This is much more
s e cure than us ing only a pas s word. If you combine this me thod with othe r authe ntication
me thods , it can be cons ide re d a multi-factor authe ntication. Se e Se ction 4.3.11.2, Multiple
Authe ntication Me thods for more information about us ing multiple authe ntication me thods .

60

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

In orde r to e nable the us e of cryptographic ke ys for authe ntication, the


PubkeyAuthentication configuration dire ctive in the /etc/ssh/sshd_config file ne e ds
to be s e t to yes. Note that this is the de fault s e tting. Se t the PasswordAuthentication
dire ctive to no to dis able the pos s ibility of us ing pas s words for logging in.
SSH ke ys can be ge ne rate d us ing the ssh-keygen command. If invoke d without additional
argume nts , it cre ate s a 2048-bit RSA ke y s e t. The ke ys are s tore d, by de fault, in the
~/.ssh dire ctory. You can utiliz e the -b s witch to modify the bit-s tre ngth of the ke y. Us ing
2048-bit ke ys is normally s ufficie nt. The Configuring Ope nSSH chapte r in the Re d Hat
Ente rpris e Linux 7 Sys te m Adminis trator's Guide include s de taile d information about
ge ne rating ke y pairs .
You s hould s e e the two ke ys in your ~/.ssh dire ctory. If you acce pte d the de faults whe n
running the ssh-keygen command, the n the ge ne rate d file s are name d id_rsa and
id_rsa.pub and contain the private and public ke y re s pe ctive ly. You s hould always prote ct
the private ke y from e xpos ure by making it unre adable by anyone e ls e but the file 's
owne r. The public ke y, howe ve r, ne e ds to be trans fe rre d to the s ys te m you are going to
log in to. You can us e the ssh-copy-id command to trans fe r the ke y to the s e rve r:
~]$ ssh-copy-id -i [user@]server
This command will als o automatically appe nd the public ke y to the
~/.ssh/authorized_keys file on the server. The sshd dae mon will che ck this file whe n
you atte mpt to log in to the s e rve r.
Similarly to pas s words and any othe r authe ntication me chanis m, you s hould change your
SSH ke ys re gularly. Whe n you do, make s ure you re move any unus e d ke ys from the
authorized_keys file .

4.3.11.2. Mult iple Aut hent icat ion Met hods


Us ing multiple authe ntication me thods , or multi-factor authe ntication, incre as e s the le ve l of
prote ction agains t unauthoriz e d acce s s , and as s uch s hould be cons ide re d whe n
harde ning a s ys te m to pre ve nt it from be ing compromis e d. Us e rs atte mpting to log in to a
s ys te m that us e s multi-factor authe ntication mus t s ucce s s fully comple te all s pe cifie d
authe ntication me thods in orde r to be grante d acce s s .
Us e the AuthenticationMethods configuration dire ctive in the /etc/ssh/sshd_config
file to s pe cify which authe ntication me thods are to be utiliz e d. Note that it is pos s ible to
de fine more than one lis t of re quire d authe ntication me thods us ing this dire ctive . If that is
the cas e , the us e r mus t comple te e ve ry me thod in at le as t one of the lis ts . The lis ts ne e d
to be s e parate d by blank s pace s , and the individual authe ntication-me thod name s within
the lis ts mus t be comma-s e parate d. For e xample :
AuthenticationMethods publickey,gssapi-with-mic publickey,keyboardinteractive
An sshd dae mon configure d us ing the above AuthenticationMethods dire ctive only
grants acce s s if the us e r atte mpting to log in s ucce s s fully comple te s e ithe r publickey
authe ntication followe d by gssapi-with-mic or by keyboard-interactive authe ntication.
Note that e ach of the re que s te d authe ntication me thods ne e ds to be e xplicitly e nable d
us ing a corre s ponding configuration dire ctive (s uch as PubkeyAuthentication) in the
/etc/ssh/sshd_config file . Se e the AUTHENTICATION s e ction of ssh(1) for a ge ne ral lis t
of available authe ntication me thods .

4.3.11.3. Ot her Ways of Securing SSH

61

Se c ur it y Guide

Pro t o co l Versio n
Eve n though the imple me ntation of the SSH protocol s upplie d with Re d Hat
Ente rpris e Linux 7 s upports both the SSH-1 and SSH-2 ve rs ions of the protocol, only the
latte r s hould be us e d whe ne ve r pos s ible . The SSH-2 ve rs ion contains a numbe r of
improve me nts ove r the olde r SSH-1, and the majority of advance d configuration options is
only available whe n us ing SSH-2.
Us e rs are e ncourage d to make us e of SSH-2 in orde r to maximiz e the e xte nt to which the
SSH protocol prote cts the authe ntication and communication for which it is us e d. The
ve rs ion or ve rs ions of the protocol s upporte d by the sshd dae mon can be s pe cifie d us ing
the Protocol configuration dire ctive in the /etc/ssh/sshd_config file . The de fault
s e tting is 2.
Key T ypes
While the ssh-keygen command ge ne rate s a pair of SSH-2 RSA ke ys by de fault, us ing the
-t option, it can be ins tructe d to ge ne rate DSA or ECDSA ke ys as we ll. The ECDSA (Elliptic
Curve Digital Signature Algorithm) offe rs be tte r pe rformance at the s ame e quivale nt
s ymme tric ke y le ngth. It als o ge ne rate s s horte r ke ys .
No n-Def ault Po rt
By de fault, the sshd dae mon lis te ns on TCP port 22. Changing the port re duce s the
e xpos ure of the s ys te m to attacks bas e d on automate d ne twork s canning, thus incre as ing
s e curity through obs curity. The port can be s pe cifie d us ing the Port dire ctive in the
/etc/ssh/sshd_config configuration file . Note als o that the de fault SELinux policy mus t
be change d to allow for the us e of a non-de fault port. You can do this by modifying the
ssh_port_t SELinux type by typing the following command as root:
~]# semanage -a -t ssh_port_t -p tcp port_number
In the above command, re place port_number with the ne w port numbe r s pe cifie d us ing the
Port dire ctive .
No Ro o t Lo gin
Provide d that your particular us e cas e doe s not re quire the pos s ibility of logging in as the
root us e r, you s hould cons ide r s e tting the PermitRootLogin configuration dire ctive to no
in the /etc/ssh/sshd_config file . By dis abling the pos s ibility of logging in as the root
us e r, the adminis trator can audit which us e r runs what privile ge d command afte r the y log
in as re gular us e rs and the n gain root rights .

4.3.12. Securing Post greSQL


PostgreSQL is an Obje ct-Re lational databas e manage me nt s ys te m (DBMS). In Re d Hat
Ente rpris e Linux 7, the postgresql-server package provide s Po st greSQL. If it is not
ins talle d, run the following command as the root us e r to ins tall it:
~]# yum install postgresql-server
Be fore you can s tart us ing Po st greSQL, you mus t initializ e a databas e s torage are a on
dis k. This is calle d a databas e clus te r. To initializ e a databas e clus te r, us e the command
initdb, which is ins talle d with Po st greSQL. The de s ire d file s ys te m location of your
databas e clus te r is indicate d by the -D option. For e xample :

62

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]$ initdb -D /home/postgresql/db1


The initdb command will atte mpt to cre ate the dire ctory you s pe cify if it doe s not alre ady
e xis t. We us e the name /home/postgresql/db1 in this e xample . The /home/postgresql/db1
dire ctory contains all the data s tore d in the databas e and als o the clie nt authe ntication
configuration file :
~]$ cat pg_hba.conf
# PostgreSQL Client Authentication Configuration File
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local
DATABASE USER METHOD [OPTIONS]
# host
DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl
DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
The following line in the pg_hba.conf file allows any authe nticate d local us e rs to acce s s
any databas e s with the ir us e r name s :
local

all

all

trust

This can be proble matic whe n you us e laye re d applications that cre ate databas e us e rs
and no local us e rs . If you do not want to e xplicitly control all us e r name s on the s ys te m,
re move this line from the pg_hba.conf file .

4.3.13. Securing Docker


Docker is an ope n s ource proje ct that automate s the de ployme nt of applications ins ide
Linux Containe rs , and provide s the capability to package an application with its runtime
de pe nde ncie s into a containe r. To make your Do cker workflow more s e cure , vis it Re d Hat
Ente rpris e Linux Atomic Hos t 7 Containe r Se curity Guide .

4.4. Securing Net work Access


4.4.1. Securing Services Wit h T CP Wrappers and xinet d
TCP Wrappe rs are capable of much more than de nying acce s s to s e rvice s . This s e ction
illus trate s how the y can be us e d to s e nd conne ction banne rs , warn of attacks from
particular hos ts , and e nhance logging functionality. Se e the hos ts _options (5) man page for
information about the TCP Wrappe r functionality and control language . Se e the
xine td.conf(5) man page for the available flags , which act as options you can apply to a
s e rvice .

4.4.1.1. T CP Wrappers and Connect ion Banners


Dis playing a s uitable banne r whe n us e rs conne ct to a s e rvice is a good way to le t
pote ntial attacke rs know that the s ys te m adminis trator is be ing vigilant. You can als o
control what information about the s ys te m is pre s e nte d to us e rs . To imple me nt a TCP
Wrappe rs banne r for a s e rvice , us e the banner option.

63

Se c ur it y Guide

This e xample imple me nts a banne r for vsftpd. To be gin, cre ate a banne r file . It can be
anywhe re on the s ys te m, but it mus t have s ame name as the dae mon. For this e xample ,
the file is calle d /etc/banners/vsftpd and contains the following line s :
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being
removed.
The %c toke n s upplie s a varie ty of clie nt information, s uch as the us e rname and
hos tname , or the us e rname and IP addre s s to make the conne ction e ve n more
intimidating.
For this banne r to be dis playe d to incoming conne ctions , add the following line to the
/etc/hosts.allow file :
vsftpd : ALL : banners /etc/banners/

4.4.1.2. T CP Wrappers and At t ack Warnings


If a particular hos t or ne twork has be e n de te cte d attacking the s e rve r, TCP Wrappe rs can
be us e d to warn the adminis trator of s ubs e que nt attacks from that hos t or ne twork us ing
the spawn dire ctive .
In this e xample , as s ume that a cracke r from the 206.182.68.0/24 ne twork has be e n
de te cte d atte mpting to attack the s e rve r. Place the following line in the /etc/hosts.deny
file to de ny any conne ction atte mpts from that ne twork, and to log the atte mpts to a
s pe cial file :
ALL : 206.182.68.0 : spawn /bin/echo `date` %c %d >>
/var/log/intruder_alert
The %d toke n s upplie s the name of the s e rvice that the attacke r was trying to acce s s .
To allow the conne ction and log it, place the spawn dire ctive in the /etc/hosts.allow file .

No te
Be caus e the spawn dire ctive e xe cute s any s he ll command, it is a good ide a to
cre ate a s pe cial s cript to notify the adminis trator or e xe cute a chain of commands in
the e ve nt that a particular clie nt atte mpts to conne ct to the s e rve r.

4.4.1.3. T CP Wrappers and Enhanced Logging


If ce rtain type s of conne ctions are of more conce rn than othe rs , the log le ve l can be
e le vate d for that s e rvice us ing the severity option.
For this e xample , as s ume that anyone atte mpting to conne ct to port 23 (the Te lne t port)
on an FTP s e rve r is a cracke r. To de note this , place an emerg flag in the log file s ins te ad
of the de fault flag, info, and de ny the conne ction.
To do this , place the following line in /etc/hosts.deny:

64

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

in.telnetd : ALL : severity emerg


This us e s the de fault authpriv logging facility, but e le vate s the priority from the de fault
value of info to emerg, which pos ts log me s s age s dire ctly to the cons ole .

4.4.2. Verif ying Which Port s Are List ening


Unne ce s s ary ope n ports s hould be avoide d be caus e it incre as e s the attack s urface of
your s ys te m. If you find une xpe cte d ope n ports in lis te ning s tate afte r the s ys te m has
be e n in s e rvice , it might be a s ign of intrus ion, and it s hould be inve s tigate d.
Is s ue the following command as root to de te rmine which ports are lis te ning for
conne ctions from the ne twork:
~]# netstat -pan -A inet,inet6 | grep -v ESTABLISHED
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address
Foreign Address
PID/Program name
tcp
0
0 0.0.0.0:111
0.0.0.0:*
1/systemd
tcp
0
0 192.168.124.1:53
0.0.0.0:*
1975/dnsmasq
tcp
0
0 0.0.0.0:22
0.0.0.0:*
1362/sshd
tcp
0
0 127.0.0.1:631
0.0.0.0:*
1355/cupsd
tcp
0
0 127.0.0.1:25
0.0.0.0:*
1802/master
tcp6
0
0 ::1:111
:::*
1/systemd
tcp6
0
0 :::22
:::*
1362/sshd
tcp6
0
0 ::1:631
:::*
1355/cupsd
tcp6
0
0 ::1:25
:::*
1802/master
raw6
0
0 :::58
:::*
791/NetworkManager

State
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
7

You can us e the -l option of the netstat command to dis play only lis te ning s e rve r
s ocke ts :
~]# netstat -tlnw
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address
Foreign Address
tcp
0
0 0.0.0.0:111
0.0.0.0:*
tcp
0
0 192.168.124.1:53
0.0.0.0:*
tcp
0
0 0.0.0.0:22
0.0.0.0:*
tcp
0
0 127.0.0.1:631
0.0.0.0:*
tcp
0
0 127.0.0.1:25
0.0.0.0:*
tcp6
0
0 ::1:111
:::*
tcp6
0
0 :::22
:::*
tcp6
0
0 ::1:631
:::*
tcp6
0
0 ::1:25
:::*
raw6
0
0 :::58
:::*

State
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
7

65

Se c ur it y Guide

Note that at time of writing, the -l option doe s not lis t SCTP s e rve rs .
You can als o us e the ss utility for lis ting ope n ports in the lis te ning s tate . But at time of
writing, this way als o doe s not lis t SCTP s e rve rs .
~]# ss -tlw
Netid State
Address:Port
udp
UNCONN
tcp
LISTEN
tcp
LISTEN
tcp
LISTEN
tcp
LISTEN
tcp
LISTEN
tcp
LISTEN
tcp
LISTEN
tcp
LISTEN
tcp
LISTEN

Recv-Q Send-Q Local Address:Port


0
0
0
0
0
0
0
0
0
0

0
128
5
128
128
100
128
128
128
100

Peer

:::ipv6-icmp
*:sunrpc
192.168.124.1:domain
*:ssh
127.0.0.1:ipp
127.0.0.1:smtp
::1:sunrpc
:::ssh
::1:ipp
::1:smtp

:::*
*:*
*:*
*:*
*:*
*:*
:::*
:::*
:::*
:::*

Re vie w the output of the command with the s e rvice s ne e de d on the s ys te m, turn off what
is not s pe cifically re quire d or authoriz e d, re pe at the che ck. Proce e d the n to make e xte rnal
che cks us ing the nmap tool from anothe r s ys te m conne cte d via the ne twork to the firs t
s ys te m. This can be us e d ve rify the rule s in f irewalld.
The following is an e xample of the command to be is s ue d from the cons ole of anothe r
s ys te m to de te rmine which ports are lis te ning for TCP conne ctions from the ne twork:
~]# nmap -sT -O 192.168.122.1
Se e the nmap(1) and s e rvice s (5) manual page s for more information.

4.4.3. Disabling Source Rout ing


Source routing is an Inte rne t Protocol me chanis m that allows an IP packe t to carry
information, a lis t of addre s s e s , that te lls a route r the path the packe t mus t take . The re is
als o an option to re cord the hops as the route is trave rs e d. The lis t of hops take n, the
"route re cord", provide s the de s tination with a re turn path to the s ource . This allows the
s ource (the s e nding hos t) to s pe cify the route , loos e ly or s trictly, ignoring the routing
table s of s ome or all of the route rs . It can allow a us e r to re dire ct ne twork traffic for
malicious purpos e s . The re fore , s ource -bas e d routing s hould be dis able d.
The accept_source_route option caus e s ne twork inte rface s to acce pt packe ts with the
Strict Source Route (SSR) or Loose Source Routing (LSR) option s e t. The acce ptance of
s ource route d packe ts is controlle d by s ys ctl s e ttings . Is s ue the following command as
root to drop packe ts with the SSR or LSR option s e t:
~]# /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Dis abling the forwarding of packe ts s hould als o be done in conjunction with the above
whe n pos s ible (dis abling forwarding may inte rfe re with virtualiz ation). Is s ue the commands
lis te d be low as root:
The s e commands dis able forwarding of IPv4 and IPv6 packe ts on all inte rface s .

66

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]# /sbin/sysctl -w net.ipv4.conf.all.forwarding=0


~]# /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
The s e commands dis able forwarding of all multicas t packe ts on all inte rface s .
~]# /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
~]# /sbin/sysctl -w net.ipv6.conf.all.mc_forwarding=0
Acce pting ICMP re dire cts has fe w le gitimate us e s . Dis able the acce ptance and s e nding of
ICMP re dire cte d packe ts unle s s s pe cifically re quire d.
The s e commands dis able acce ptance of all ICMP re dire cte d packe ts on all inte rface s .
~]# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
~]# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
This command dis able s acce ptance of s e cure ICMP re dire cte d packe ts on all inte rface s .
~]# /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
This command dis able s acce ptance of all IPv4 ICMP re dire cte d packe ts on all inte rface s .
~]# /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
The re is only a dire ctive to dis able s e nding of IPv4 re dire cte d packe ts . Se e RFC4294 for
an e xplanation of IPv6 Node Re quire me nts which re s ulte d in this diffe re nce be twe e n
IPv4 and IPv6.
In orde r to make the s e ttings pe rmane nt the y mus t be adde d to /etc/sysctl.conf.
Se e the s ys ctl man page , sysctl(8), for more information. Se e RFC791 for an e xplanation
of the Inte rne t options re late d to s ource bas e d routing and its variants .

Warning
Ethe rne t ne tworks provide additional ways to re dire ct traffic, s uch as ARP or MAC
addre s s s poofing, unauthoriz e d DHCP s e rve rs , and IPv6 route r or ne ighbor
adve rtis e me nts . In addition, unicas t traffic is occas ionally broadcas t, caus ing
information le aks . The s e we akne s s e s can only be addre s s e d by s pe cific
counte rme as ure s imple me nte d by the ne twork ope rator. Hos t-bas e d
counte rme as ure s are not fully e ffe ctive .

4.4.4. Reverse Pat h Forwarding


Re ve rs e Path Forwarding is us e d to pre ve nt packe ts that arrive d via one inte rface from
le aving via a diffe re nt inte rface . Whe n outgoing route s and incoming route s are diffe re nt,
it is s ome time s re fe rre d to as asymmetric routing. Route rs ofte n route packe ts this way,

67

Se c ur it y Guide

but mos t hos ts s hould not ne e d to do this . Exce ptions are s uch applications that involve
s e nding traffic out ove r one link and re ce iving traffic ove r anothe r link from a diffe re nt
s e rvice provide r. For e xample , us ing le as e d line s in combination with xDSL or s ate llite
links with 3G mode ms . If s uch a s ce nario is applicable to you, the n turning off re ve rs e path
forwarding on the incoming inte rface is ne ce s s ary. In s hort, unle s s you know that it is
re quire d, it is be s t e nable d as it pre ve nts us e rs s poofing IP addre s s e s from local
s ubne ts and re duce s the opportunity for DDoS attacks .

No te
Re d Hat Ente rpris e Linux 7 de faults to us ing Strict Reverse Path Forwarding following
the Strict Re ve rs e Path re comme ndation from RFC 3704, Ingre s s Filte ring for
Multihome d Ne tworks ..

Warning
If forwarding is e nable d, the n Re ve rs e Path Forwarding s hould only be dis able d if
the re are othe r me ans for s ource -addre s s validation (s uch as ipt ables rule s for
e xample ).
rp_filter
Re ve rs e Path Forwarding is e nable d by me ans of the rp_filter dire ctive . The
sysctl utility can be us e d to make change s to the running s ys te m, and
pe rmane nt change s can be made by adding line s to the /etc/sysctl.conf file .
The rp_filter option is us e d to dire ct the ke rne l to s e le ct from one of thre e
mode s .
To make a te mporary global change , e nte r the following commands as root:
sysctl -w net.ipv4.conf.default.rp_filter=integer
sysctl -w net.ipv4.conf.all.rp_filter=integer
whe re integer is one of the following:
0 No s ource validation.
1 Strict mode as de fine d in RFC 3704.
2 Loos e mode as de fine d in RFC 3704.
The s e tting can be ove rridde n pe r ne twork inte rface us ing the
net.ipv4.conf.interface.rp_filter command as follows :
sysctl -w net.ipv4.conf.interface.rp_filter=integer
To make the s e s e ttings pe rs is te nt acros s re boots , modify the /etc/sysctl.conf
file . For e xample , to change the mode for all inte rface s , ope n the
/etc/sysctl.conf file with an e ditor running as the root us e r and add a line as
follows :
net.ipv4.conf.all.rp_filter=2

68

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

IPv6_rpfilter
In cas e of the IPv6 protocol the f irewalld dae mon applie s to Re ve rs e Path
Forwarding by de fault. The s e tting can be che cke d in the
/etc/firewalld/firewalld.conf file . You can change the f irewalld be havior
by s e tting the IPv6_rpfilter option.
If you ne e d a cus tom configuration of Re ve rs e Path Forwarding, you can pe rform it
without the f irewalld dae mon by us ing the ip6tables command as follows :
ip6tables -t raw -I PREROUTING -m rpfilter --invert -j DROP
This rule s hould be ins e rte d ne ar the be ginning of the raw/PREROUTING chain, s o
that it applie s to all traffic, in particular be fore the s tate ful matching rule s . For
more information about the iptables and ip6tables s e rvice s , s e e Se ction 4.5.4,
Us ing the iptable s Se rvice .

4.4.4.1. Addit ional Resources


The following are re s ource s which e xplain more about Re ve rs e Path Forwarding.
Inst alled Do cument at io n
/usr/share/doc/kernel-doc-version/Documentation/networking/ip-sysctl.txt This file contains a comple te lis t of file s and options available in the
/proc/sys/net/ipv4/ dire ctory. Be fore acce s s ing the ke rne l docume ntation for the
firs t time , e nte r the following command as root:
~]# yum install kernel-doc
Online Do cument at io n
Se e RFC 3704 for an e xplanation of Ingre s s Filte ring for Multihome d Ne tworks .

4.5. Using Firewalls


The dynamic fire wall dae mon firewalld provide s a dynamically manage d fire wall with
s upport for ne twork z one s to as s ign a le ve l of trus t to a ne twork and its as s ociate d
conne ctions and inte rface s . It has s upport for IPv4 and IPv6 fire wall s e ttings . It s upports
Ethe rne t bridge s and has a s e paration of runtime and pe rmane nt configuration options . It
als o has an inte rface for s e rvice s or applications to add fire wall rule s dire ctly.

No te
To e xpand your e xpe rtis e , you might als o be inte re s te d in the Re d Hat Se rve r
Harde ning (RH413) training cours e .

4.5.1. Int roduct ion t o f irewalld


A graphical configuration tool, f irewall-co nf ig, is us e d to configure firewalld, which in
turn us e s ipt ables t o o l to communicate with Net f ilt er in the ke rne l which imple me nts
packe t filte ring.

69

Se c ur it y Guide

To us e the graphical f irewall-co nf ig tool, pre s s the Super ke y to e nte r the Activitie s
Ove rvie w, type firewall and the n pre s s Enter. The f irewall-co nf ig tool appe ars . You
will be prompte d for an adminis trator pas s word.
The f irewall-co nf ig tool has a drop-down s e le ction me nu labe le d Configuration. This
e nable s s e le cting be twe e n Runt ime and Permanent mode . Notice that if you s e le ct
Permanent , an additional row of icons will appe ar in the le ft hand corne r. The s e icons
only appe ar in pe rmane nt configuration mode be caus e a s e rvice 's parame te rs cannot be
change d in runtime mode .
The fire wall s e rvice provide d by firewalld is dynamic rathe r than s tatic be caus e
change s to the configuration can be made at anytime and are imme diate ly imple me nte d,
the re is no ne e d to s ave or apply the change s . No uninte nde d dis ruption of e xis ting
ne twork conne ctions occurs as no part of the fire wall has to be re loade d.
A command line clie nt, f irewall-cmd, is provide d. It can be us e d to make pe rmane nt and
non-pe rmane nt runtime change s as e xplaine d in man firewall-cmd(1). Pe rmane nt
change s ne e d to be made as e xplaine d in the firewalld(1) man page . Note that the
firewall-cmd command can be run by the root us e r and als o by an adminis trative us e r,
in othe r words , a me mbe r of the wheel group. In the latte r cas e the command will be
authoriz e d via the po lkit me chanis m.
The configuration for firewalld is s tore d in various XML file s in /usr/lib/firewalld/
and /etc/firewalld/. This allows a gre at de al of fle xibility as the file s can be e dite d,
writte n to, backe d up, us e d as te mplate s for othe r ins tallations and s o on.
Othe r applications can communicate with firewalld us ing D-bus .

4.5.1.1. Comparison of f irewalld t o syst em-conf ig-f irewall and ipt ables
The e s s e ntial diffe re nce s be twe e n firewalld and the ipt ables service are :
The ipt ables service s tore s configuration in /etc/sysconfig/iptables while
firewalld s tore s it in various XML file s in /usr/lib/firewalld/ and
/etc/firewalld/. Note that the /etc/sysconfig/iptables file doe s not e xis t as
firewalld is ins talle d by de fault on Re d Hat Ente rpris e Linux.
With the ipt ables service, e ve ry s ingle change me ans flus hing all the old rule s and
re ading all the ne w rule s from /etc/sysconfig/iptables while with firewalld the re
is no re -cre ating of all the rule s ; only the diffe re nce s are applie d. Cons e que ntly,
firewalld can change the s e ttings during runtime without e xis ting conne ctions be ing
los t.
Both us e ipt ables t o o l to talk to the ke rne l packe t filte r.

70

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Figure 4.1. T he Firewall St ack

4.5.1.2. Underst anding Net work Zones


Fire walls can be us e d to s e parate ne tworks into diffe re nt z one s bas e d on the le ve l of
trus t the us e r has de cide d to place on the de vice s and traffic within that ne twork.
Net wo rkManager informs firewalld to which z one an inte rface be longs . An inte rface 's
as s igne d z one can be change d by Net wo rkManager or via the f irewall-co nf ig tool
which can ope n the re le vant Net wo rkManager window for you.
The z one s e ttings in /etc/firewalld/ are a range of pre s e t s e ttings which can be
quickly applie d to a ne twork inte rface . The y are lis te d he re with a brie f e xplanation:
drop
Any incoming ne twork packe ts are droppe d, the re is no re ply. Only outgoing
ne twork conne ctions are pos s ible .
block

71

Se c ur it y Guide

Any incoming ne twork conne ctions are re je cte d with an icmp-hos t-prohibite d
me s s age for IPv4 and icmp6-adm-prohibite d for IPv6. Only ne twork conne ctions
initiate d from within the s ys te m are pos s ible .
public
For us e in public are as . You do not trus t the othe r compute rs on the ne twork to
not harm your compute r. Only s e le cte d incoming conne ctions are acce pte d.
external
For us e on e xte rnal ne tworks with mas que rading e nable d e s pe cially for route rs .
You do not trus t the othe r compute rs on the ne twork to not harm your compute r.
Only s e le cte d incoming conne ctions are acce pte d.
dmz
For compute rs in your de militariz e d z one that are publicly-acce s s ible with limite d
acce s s to your inte rnal ne twork. Only s e le cte d incoming conne ctions are
acce pte d.
work
For us e in work are as . You mos tly trus t the othe r compute rs on ne tworks to not
harm your compute r. Only s e le cte d incoming conne ctions are acce pte d.
home
For us e in home are as . You mos tly trus t the othe r compute rs on ne tworks to not
harm your compute r. Only s e le cte d incoming conne ctions are acce pte d.
internal
For us e on inte rnal ne tworks . You mos tly trus t the othe r compute rs on the
ne tworks to not harm your compute r. Only s e le cte d incoming conne ctions are
acce pte d.
trusted
All ne twork conne ctions are acce pte d.
It is pos s ible to de s ignate one of the s e z one s to be the de fault z one . Whe n inte rface
conne ctions are adde d to Net wo rkManager, the y are as s igne d to the de fault z one . On
ins tallation, the de fault z one in firewalld is s e t to be the public z one .
Cho o sing a Net wo rk Zo ne
The ne twork z one name s have be e n chos e n to be s e lf-e xplanatory and to allow us e rs to
quickly make a re as onable de cis ion. Howe ve r, a re vie w of the de fault configuration
s e ttings s hould be made and unne ce s s ary s e rvice s dis able d according to your ne e ds and
ris k as s e s s me nts .

4.5.1.3. Underst anding Predef ined Services


A s e rvice can be a lis t of local ports and de s tinations as we ll as a lis t of fire wall he lpe r
module s automatically loade d if a s e rvice is e nable d. The us e of pre de fine d s e rvice s
make s it e as ie r for the us e r to e nable and dis able acce s s to a s e rvice . Us ing the
pre de fine d s e rvice s , or cus tom de fine d s e rvice s , as oppos e d to ope ning ports or range s

72

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

of ports , may make adminis tration e as ie r. Se rvice configuration options and ge ne ric file
information are de s cribe d in the firewalld.service(5) man page . The s e rvice s are
s pe cifie d by me ans of individual XML configuration file s which are name d in the following
format: service-name.xml.
To vie w the lis t of s e rvice s us ing the graphical f irewall-co nf ig tool, pre s s the Super ke y
to e nte r the Activitie s Ove rvie w, type firewall and the n pre s s Enter. The f irewallco nf ig tool appe ars . You will be prompte d for an adminis trator pas s word. You can now
vie w the lis t of s e rvice s unde r the Services tab.
To lis t the de fault pre de fine d s e rvice s available us ing the command line , is s ue the
following command as root:
~]# ls /usr/lib/firewalld/services/
File s in /usr/lib/firewalld/services/ mus t not be e dite d. Only the file s in
/etc/firewalld/services/ s hould be e dite d.
To lis t the s ys te m or us e r cre ate d s e rvice s , is s ue the following command as root:
~]# ls /etc/firewalld/services/
Se rvice s can be adde d and re move d us ing the graphical f irewall-co nf ig tool and by
e diting the XML file s in /etc/firewalld/services/. If a s e rvice has not be e n adde d or
change d by the us e r, the n no corre s ponding XML file will be found in
/etc/firewalld/services/. The file s /usr/lib/firewalld/services/ can be us e d as
te mplate s if you want to add or change a s e rvice . As root, is s ue a command in the
following format:
~]# cp /usr/lib/firewalld/services/[service].xml
/etc/firewalld/services/[service].xml
You may the n e dit the ne wly cre ate d file . firewalld will pre fe r file s in
/etc/firewalld/services/ but will fall back to /usr/lib/firewalld/services/ s hould a
file be de le te d, but only afte r a re load.

4.5.1.4. Underst anding t he Direct Int erf ace


firewalld has a s o calle d dire ct inte rface , which e nable s dire ctly pas s ing rule s to
ipt ables, ip6t ables and ebt ables. It is inte nde d for us e by applications and not us e rs . It
is dange rous to us e the dire ct inte rface if you are not ve ry familiar with ipt ables as you
could inadve rte ntly caus e a bre ach in the fire wall. firewalld s till tracks what has be e n
adde d, s o it is s till pos s ible to que ry firewalld and s e e the change s made by an
application us ing the dire ct inte rface mode . The dire ct inte rface is us e d by adding the -direct option to the firewall-cmd command.
The dire ct inte rface mode is inte nde d for s e rvice s or applications to add s pe cific fire wall
rule s during runtime . The rule s can be made pe rmane nt by adding the --permanent
option us ing the firewall-cmd --permanent --direct command or by modifying
/etc/firewalld/direct.xml. If the rule s are not made pe rmane nt the n the y ne e d to be
applie d e ve ry time afte r re ce iving the s tart, re s tart, or re load me s s age from firewalld
us ing D-BUS.

4.5.2. Inst alling f irewalld

73

Se c ur it y Guide

In Re d Hat Ente rpris e Linux 7 firewalld is ins talle d by de fault. If re quire d, to e ns ure that
it is , e nte r the following command as root:
~]# yum install firewalld
The graphical us e r inte rface configuration tool f irewall-co nf ig is ins talle d by de fault in
s ome ve rs ions of Re d Hat Ente rpris e Linux 7. If re quire d, to e ns ure that it is , e nte r the
following command as root:
~]# yum install firewall-config

St opping f irewalld
To s top firewalld, e nte r the following command as root:
~]# systemctl stop firewalld
To pre ve nt firewalld from s tarting automatically at s ys te m s tart, is s ue the following
command as root:
~]# systemctl disable firewalld

St art ing f irewalld


To s tart firewalld, e nte r the following command as root:
~]# systemctl start firewalld
To e ns ure firewalld s tarts automatically at s ys te m s tart, e nte r the following command
as root:
~]# systemctl enable firewalld

Checking if f irewalld is Running


To che ck if firewalld is running, e nte r the following command:
~]$ systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sat 2013-04-06 22:56:59 CEST; 2 days
ago
Main PID: 688 (firewalld)
CGroup: name=systemd:/system/firewalld.service
In addition, che ck if f irewall-cmd can conne ct to the dae mon by e nte ring the following
command:
~]$ firewall-cmd --state
running

74

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

4.5.3. Conf iguring f irewalld


The fire wall s e rvice , imple me nte d by the dae mon firewalld, can be configure d us ing the
graphical us e r inte rface tool f irewall-co nf ig, us ing the command line inte rface tool
f irewall-cmd, and by e diting XML configuration file s . The s e me thods will be de s cribe d in
orde r.

4.5.3.1. Conf iguring f irewalld Using T he Graphical User Int erf ace
4.5.3.1.1. St art T he graphical f irewall co nf igurat io n t o o l
To s tart the graphical f irewall-co nf ig tool, pre s s the Super ke y to e nte r the Activitie s
Ove rvie w, type firewall and the n pre s s Enter. The f irewall-co nf ig tool appe ars . You
will be prompte d for an adminis trator pas s word.
To s tart the graphical fire wall configuration tool us ing the command line , e nte r the
following command as root us e r:
~]# firewall-config
The Firewall Configuration window ope ns . Note , this command can be run as normal
us e r but you will the n be prompte d for an adminis trator pas s word from time to time .

Figure 4.2. T he f irewall co nf igurat io n t o o l

75

Se c ur it y Guide

Look for the word Conne cte d in the lowe r le ft corne r. This indicate s that the f irewallco nf ig tool is conne cte d to the us e r s pace dae mon, firewalld. Note that the ICMP
Types, Direct Configuration, and Lockdown Whitelist tabs are only vis ible afte r be ing
s e le cte d from the View drop-down me nu.
4.5.3.1.2. Changing t he Firewall Set t ings
To imme diate ly change the curre nt fire wall s e ttings , e ns ure the curre nt vie w is s e t to
Runt ime. Alte rnative ly, to e dit the s e ttings to be applie d at the ne xt s ys te m s tart, or
fire wall re load, s e le ct Permanent from the drop-down lis t.

No te
Whe n making change s to the fire wall s e ttings in Runt ime mode , your s e le ction
take s imme diate e ffe ct whe n you s e t or cle ar the che ck box as s ociate d with the
s e rvice . You s hould ke e p this in mind whe n working on a s ys te m that may be in us e
by othe r us e rs .
Whe n making change s to the fire wall s e ttings in Permanent mode , your s e le ction
will only take e ffe ct whe n you re load the fire wall or the s ys te m re s tarts . You can
us e the re load icon be low the File me nu, or click the Opt io ns me nu and s e le ct
Reload Firewall.

You can s e le ct z one s in the le ft hand s ide column. You will notice the z one s have s ome
s e rvice s e nable d, you may ne e d to re s iz e the window or s croll to s e e the full lis t. You can
cus tomiz e the s e ttings by s e le cting and de s e le cting a s e rvice .
4.5.3.1.3. Add an Int erf ace t o a Zo ne
To add or re as s ign an inte rface of a conne ction to a z one , s tart f irewall-co nf ig, s e le ct
Opt io ns from the me nu bar, s e le ct Change Zones of Connections from the drop-down
me nu, the Connections lis t is dis playe d. Se le ct the conne ction to be re as s igne d. The
Select Zone for Connection window appe ars . Se le ct the ne w fire wall z one from the
drop-down me nu and click OK.
4.5.3.1.4. Set t he Def ault Zo ne
To s e t the de fault z one that ne w inte rface s will be as s igne d to, s tart f irewall-co nf ig,
s e le ct Opt io ns from the me nu bar, s e le ct Change Default Zone from the drop-down
me nu. The Default Zone window appe ars . Se le ct the z one form the lis t that you want to
be us e d as the de fault z one and click OK.
4.5.3.1.5. Co nf iguring Services
To e nable or dis able a pre de fine d or cus tom s e rvice , s tart the f irewall-co nf ig tool and
s e le ct the ne twork z one whos e s e rvice s are to be configure d. Se le ct the Services tab
and s e le ct the che ck box for e ach type of s e rvice you want to trus t. Cle ar the che ck box to
block a s e rvice .
To e dit a s e rvice , s tart the f irewall-co nf ig tool and the n s e le ct Permanent mode from
the drop-down s e le ction me nu labe le d Configuration. Additional icons and me nu buttons
appe ar at the bottom of the Services window. Se le ct the s e rvice you want to configure .

76

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

The Ports and Protocols tab e nable s adding, changing, and re moving of ports and
protocols for the s e le cte d s e rvice . The module s tab is for configuring Net f ilt er he lpe r
module s . The Destination tab e nable s limiting traffic to a particular de s tination addre s s
and Inte rne t Protocol (IPv4 or IPv6).
4.5.3.1.6. Open Po rt s in t he Firewall
To pe rmit traffic through the fire wall to a ce rtain port, s tart the f irewall-co nf ig tool and
s e le ct the ne twork z one whos e s e ttings you want to change . Se le ct the Ports tab and the
click the Add button on the right hand s ide . The Port and Protocol window ope ns .
Ente r the port numbe r or range of ports to pe rmit. Se le ct tcp or udp from the drop-down
lis t.
4.5.3.1.7. Enable IP Address Masquerading
To trans late IPv4 addre s s e s to a s ingle e xte rnal addre s s , s tart the f irewall-co nf ig tool
and s e le ct the ne twork z one whos e addre s s e s are to be trans late d. Se le ct the
Masquerading tab and s e le ct the che ck box to e nable the trans lation of IPv4 addre s s e s
to a s ingle addre s s .
4.5.3.1.8. Co nf igure Po rt Fo rwarding
To forward inbound ne twork traffic, or packe ts , for a s pe cific port to an inte rnal addre s s
or alte rnative port, firs t e nable IP addre s s mas que rading, the n s e le ct the Port
Forwarding tab.
Se le ct the protocol of the incoming traffic and the port or range of ports on the uppe r
s e ction of the window. The lowe r s e ction is for s e tting de tails about the de s tination.
To forward traffic to a local port (a port on the s ame s ys te m), s e le ct the Local
forwarding che ck box. Ente r the local port or range of ports for the traffic to be s e nt to.
To forward traffic to anothe r IPv4 addre s s , s e le ct the Forward to another port che ck
box. Ente r the de s tination IP addre s s and port or port range . The de fault is to s e nd to the
s ame port if the port fie ld is le ft e mpty. Click OK to apply the change s .
4.5.3.1.9. Co nf iguring t he ICMP Filt er
To e nable or dis able an ICMP filte r, s tart the f irewall-co nf ig tool and s e le ct the ne twork
z one whos e me s s age s are to be filte re d. Se le ct the ICMP Filter tab and s e le ct the
che ck box for e ach type of ICMP me s s age you want to filte r. Cle ar the che ck box to
dis able a filte r. This s e tting is pe r dire ction and the de fault allows e ve rything.
To e dit an ICMP type , s tart the f irewall-co nf ig tool and the n s e le ct Permanent mode
from the drop-down s e le ction me nu labe le d Configuration. Additional icons appe ar at the
bottom of the Services window.

4.5.3.2. Conf iguring t he Firewall Using t he Command Line T ool, f irewallcmd


The command line tool f irewall-cmd is part of the firewalld application which is
ins talle d by de fault. You can ve rify that it is ins talle d by che cking the ve rs ion or dis playing
the he lp output. Ente r the following command to che ck the ve rs ion:
~]$ firewall-cmd --version

77

Se c ur it y Guide

Ente r the following command to vie w the he lp output:


~]$ firewall-cmd --help
We lis t a s e le ction of commands be low, for a full lis t s e e the man firewall-cmd(1) man
page .

No te
In orde r to make a command pe rmane nt or pe rs is te nt, add the --permanent option
to all commands apart from the --direct commands (which are by the ir nature
te mporary). Note that this not only me ans the change will be pe rmane nt but that the
change will only take e ffe ct afte r fire wall re load, s e rvice re s tart, or afte r s ys te m
re boot. Se ttings made with f irewall-cmd without the --permanent option take
e ffe ct imme diate ly, but are only valid till ne xt fire wall re load, s ys te m boot, or
firewalld s e rvice re s tart. Re loading the fire wall doe s not in its e lf bre ak
conne ctions , but be aware you are dis carding te mporary change s by doing s o.
In orde r to make a command both pe rs is te nt and take e ffe ct imme diate ly, e nte r the
command twice , once with the --permanent and once without. This is be caus e a
fire wall re load take s more time than jus t re pe ating a command be caus e it has to
re load all configuration file s and re cre ate the whole fire wall configuration. While
re loading, the policy for built-in chains is s e t to DROP for s e curity re as ons and is
the n re s e t to ACCEPT at the e nd. Se rvice dis ruption is the re fore pos s ible during the
re load.

Impo rtant
The --permanent --add-interface option is s uppos e d to be us e d only for
inte rface s that are not manage d by the Net wo rkManager utility. This is be caus e
Net wo rkManager, or the le gacy ne twork s e rvice , adds inte rface s into z one s
automatically according to the ZONE= dire ctive in the ifcfg inte rface configuration
file . Se e the Re d Hat Ente rpris e Linux 7 Ne tworking Guide for information on
Net wo rkManager and working with ifcfg file s .

4.5.3.3. View t he Firewall Set t ings Using t he Command Line Int erf ace (CLI)
To ge t a te xt dis play of the s tate of firewalld, e nte r the following command:
~]$ firewall-cmd --state
To vie w the lis t of active z one s , with a lis t of the inte rface s curre ntly as s igne d to the m,
e nte r the following command:
~]$ firewall-cmd --get-active-zones
public
interfaces: em1
To find out the z one that an inte rface , for e xample e m1, is curre ntly as s igne d to, e nte r
the following command:

78

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]$ firewall-cmd --get-zone-of-interface=em1


public
To find out all the inte rface s as s igne d to a z one , for e xample the public z one , e nte r the
following command as root:
~]# firewall-cmd --zone=public --list-interfaces
em1 wlan0
This information is obtaine d from Net wo rkManager and only s hows inte rface s , not
conne ctions .
To find out all the s e ttings of a z one , for e xample the public z one , e nte r the following
command as root:
~]# firewall-cmd --zone=public --list-all
public
interfaces:
services: mdns dhcpv6-client ssh
ports:
forward-ports:
icmp-blocks: source-quench
To vie w the lis t of s e rvice s curre ntly loade d, e nte r the following command as root:
~]# firewall-cmd --get-services
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba
dhcpv6-client dns openvpn imaps samba-client http https ntp vnc-server
telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp
libvirt-tls
This will lis t the name s of the pre de fine d s e rvice s loade d from
/usr/lib/firewalld/services/ as we ll as any cus tom s e rvice s that are curre ntly
loade d. Note that the configuration file s the ms e lve s are name d service-name.xml.
If cus tom s e rvice s have be e n cre ate d but not loade d, the y can be lis te d as follows :
~]# firewall-cmd --permanent --get-services
This will lis t all s e rvice s , including cus tom s e rvice s configure d in
/etc/firewalld/services/, e ve n if the y are not ye t loade d.

4.5.3.4. Change t he Firewall Set t ings Using t he Command Line Int erf ace
(CLI)
4.5.3.4.1. Dro p All Packet s (Panic Mo de)
To s tart dropping all incoming and outgoing packe ts , e nte r the following command as root:
~]# firewall-cmd --panic-on
All incoming and outgoing packe ts will be droppe d. Active conne ctions will be te rminate d
afte r a pe riod of inactivity; the time take n de pe nds on the individual s e s s ion time out
value s .

79

Se c ur it y Guide

To s tart pas s ing incoming and outgoing packe ts again, e nte r the following command as
root:
~]# firewall-cmd --panic-off
Afte r dis abling panic mode , e s tablis he d conne ctions might work again if panic mode was
e nable d for a s hort pe riod of time .
To find out if panic mode is e nable d or dis able d, e nte r the following command:
~]$ firewall-cmd --query-panic
Prints yes with e xit s tatus 0 if e nable d and no with e xit s tatus 1 othe rwis e .
4.5.3.4.2. Relo ad t he Firewall Using t he Co mmand Line Int erf ace (CLI)
To re load the fire wall without inte rrupting us e r conne ctions (without los ing s tate
information), e nte r the following command as root:
~]# firewall-cmd --reload
A fire wall re load involve s re loading all configuration file s and re cre ating the whole fire wall
configuration. While re loading, the policy for built-in chains is s e t to DROP for s e curity
re as ons and is the n re s e t to ACCEPT at the e nd. Se rvice dis ruption is the re fore pos s ible
during the re load.
To re load the fire wall and inte rrupt us e r conne ctions , dis carding s tate information, e nte r
the following command as root:
~]# firewall-cmd --complete-reload
This command s hould normally only be us e d in cas e of s e ve re fire wall proble ms . For
e xample , if the re are s tate information proble ms and no conne ction can be e s tablis he d
but the fire wall rule s are corre ct.
4.5.3.4.3. Add an Int erf ace t o a Zo ne Using t he Co mmand Line Int erf ace (CLI)
To add an inte rface to a z one (for e xample , to add e m1 to the public z one ), e nte r the
following command as root:
~]# firewall-cmd --zone=public --add-interface=em1
To make this s e tting pe rs is te nt, re pe at the commands adding the --permanent option.
4.5.3.4.4. Add an Int erf ace t o a Zo ne by Edit ing t he Int erf ace Co nf igurat io n
File
To add an inte rface to a z one by e diting the ifcfg-em1 configuration file (for e xample , to
add e m1 to the work z one ), add the following line to ifcfg-em1 as root:
ZONE=work
Note that if you omit the ZONE option, or us e ZONE=, or ZONE='', the n the de fault z one will
be us e d.

80

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Net wo rkManager will automatically re conne ct and the z one will be s e t accordingly.
4.5.3.4.5. Co nf igure t he Def ault Zo ne by Edit ing t he f irewalld Co nf igurat io n
File
As root, ope n /etc/firewalld/firewalld.conf and e dit the file as follows :
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Re load the fire wall by e nte ring the following command as root:
~]# firewall-cmd --reload
This will re load the fire wall without los ing s tate information (TCP s e s s ions will not be
te rminate d), but s e rvice dis ruption is pos s ible during the re load.
4.5.3.4.6. Set t he Def ault Zo ne by Using t he Co mmand Line Int erf ace (CLI)
To s e t the de fault z one (to public, for e xample ), e nte r the following command as root:
~]# firewall-cmd --set-default-zone=public
This change will take imme diate e ffe ct and in this cas e it is not ne ce s s ary to re load the
fire wall.
4.5.3.4.7. Open Po rt s in t he Firewall Using t he Co mmand Line Int erf ace (CLI)
To lis t all ope n ports for a z one (dmz, for e xample ), e nte r the following command as root:
~]# firewall-cmd --zone=dmz --list-ports
Note that this will not s how ports ope ne d as a re s ult of the --add-services command.
To add a port to a z one (for e xample , to allow TCP traffic to port 8080 to the dmz z one ),
e nte r the following command as root:
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
To add a range of ports to a z one (for e xample , to allow the ports from 5060 to 5061 to the
public z one , e nte r the following command as root:
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
4.5.3.4.8. Add a Service t o a Zo ne Using t he Co mmand Line Int erf ace (CLI)
To add a s e rvice to a z one (for e xample , to allow SMTP to the work z one ), e nte r the
following command as root:

81

Se c ur it y Guide

~]# firewall-cmd --zone=work --add-service=smtp


To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
4.5.3.4.9. Remo ve a Service f ro m a Zo ne Using t he Co mmand Line Int erf ace
(CLI)
To re move a s e rvice from a z one (for e xample , to re move SMTP from the work z one ),
e nte r the following command as root:
~]# firewall-cmd --zone=work --remove-service=smtp
To make this change pe rs is te nt, re pe at the command adding the --permanent option. This
change will not bre ak e s tablis he d conne ctions . If that is your inte ntion, you can us e the -complete-reload option, but this will bre ak all e s tablis he d conne ctions not jus t for the
s e rvice you have re move d.
4.5.3.4.10 . Add a Service t o a Zo ne by Edit ing XML Files
To vie w the de fault z one file s , e nte r the following command as root:
~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml
home.xml
dmz.xml
external.xml internal.xml

public.xml
trusted.xml

work.xml

The s e file s mus t not be e dite d. The y are us e d by de fault if no e quivale nt file e xis ts in the
/etc/firewalld/zones/ dire ctory.
To vie w the z one file s that have be e n change d from the de fault, e nte r the following
command as root:
~]# ls /etc/firewalld/zones/
external.xml public.xml public.xml.old
In the e xample s hown above , the work z one file doe s not e xis t. To add the work z one file ,
e nte r the following command as root:
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now e dit the file in the /etc/firewalld/zones/ dire ctory. If you de le te the file ,
firewalld will fall back to us ing the de fault file in /usr/lib/firewalld/zones/.
To add a s e rvice to a z one (for e xample , to allow SMTP to the work z one ), add the following
line to the /etc/firewalld/zones/work.xml file as root:
<service name="smtp"/>
4.5.3.4.11. Remo ve a Service f ro m a Zo ne by Edit ing XML f iles
An e ditor running with root privile ge s is re quire d to e dit the XML z one file s . To vie w the
file s for pre vious ly configure d z one s , e nte r the following command as root:
~]# ls /etc/firewalld/zones/
external.xml public.xml work.xml

82

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

To re move a s e rvice from a z one (for e xample , to re move SMTP from the work z one ), us e
an e ditor with root privile ge s to e dit the /etc/firewalld/zones/work.xml file to re move
the following line :
<service name="smtp"/>
If no othe r change s have be e n made to the work.xml file , it can be re move d and
firewalld will us e the de fault /usr/lib/firewalld/zones/work.xml configuration file
afte r the ne xt re load or s ys te m boot.
4.5.3.4.12. Co nf igure IP Address Masquerading
To che ck if IP mas que rading is e nable d (for the external z one , for e xample ), e nte r the
following command as root:
~]# firewall-cmd --zone=external --query-masquerade
The command prints yes with e xit s tatus 0 if e nable d. It prints no with e xit s tatus 1
othe rwis e . If zone is omitte d, the de fault z one will be us e d.
To e nable IP mas que rading, e nte r the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
To dis able IP mas que rading, e nte r the following command as root:
~]# firewall-cmd --zone=external --remove-masquerade
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
4.5.3.4.13. Co nf igure Po rt Fo rwarding Using t he Co mmand Line Int erf ace (CLI)
To forward inbound ne twork packe ts from one port to an alte rnative port or addre s s , firs t
e nable IP addre s s mas que rading for a z one (external, for e xample ), by e nte ring the
following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To forward packe ts to a local port (a port on the s ame s ys te m), e nte r the following
command as root:
~]# firewall-cmd --zone=external --add-forwardport=port=22:proto=tcp:toport=3753
In this e xample , the packe ts inte nde d for port 22 are now forwarde d to port 3753. The
original de s tination port is s pe cifie d with the port option. This option can be a port or port
range , toge the r with a protocol. The protocol, if s pe cifie d, mus t be one of e ithe r tcp or
udp. The ne w local port (the port or range of ports to which the traffic is be ing forwarde d
to) is s pe cifie d with the toport option. To make this s e tting pe rs is te nt, re pe at the
commands adding the --permanent option.

83

Se c ur it y Guide

To forward packe ts to anothe r IPv4 addre s s , us ually an inte rnal addre s s , without changing
the de s tination port, e nte r the following command as root:
~]# firewall-cmd --zone=external --add-forwardport=port=22:proto=tcp:toaddr=192.0.2.55
In this e xample , the packe ts inte nde d for port 22 are now forwarde d to the s ame port at
the addre s s give n with the toaddr. The original de s tination port is s pe cifie d with the port
option. This option can be a port or port range , toge the r with a protocol. The protocol, if
s pe cifie d, mus t be one of e ithe r tcp or udp. The ne w de s tination port (the port or range of
ports to which the traffic is be ing forwarde d to) is s pe cifie d with the toport option. To
make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
To forward packe ts to anothe r port at anothe r IPv4 addre s s , us ually an inte rnal addre s s ,
e nte r the following command as root:
~]# firewall-cmd --zone=external /
--add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this e xample , the packe ts inte nde d for port 22 are now forwarde d to port 2055 at the
addre s s give n with the toaddr option. The original de s tination port is s pe cifie d with the
port option. This option can be a port or port range , toge the r with a protocol. The protocol,
if s pe cifie d, mus t be one of e ithe r tcp or udp. The ne w de s tination port, the port or range
of ports to which the traffic is be ing forwarde d to, is s pe cifie d with the toport option. To
make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.

4.5.3.5. Conf iguring t he Firewall Using XML Files


The configuration s e ttings for f irewalld are s tore d in XML file s in the /etc/firewalld/
dire ctory. Do not e dit the file s in the /usr/lib/firewalld/ dire ctory (the file s de fine the
de fault s e ttings ). You will ne e d root us e r pe rmis s ions to vie w and e dit the XML file s . The
XML file s are e xplaine d in thre e man page s :
firewalld.icmptype(5) man page De s cribe s XML configuration file s for ICMP
filte ring.
firewalld.service(5) man page De s cribe s XML configuration file s for f irewalld
service.
firewalld.zone(5) man page De s cribe s XML configuration file s for firewalld z one
configuration.
The XML file s can be cre ate d and e dite d dire ctly or cre ate d indire ctly us ing the graphical
and command line tools . Organiz ations can dis tribute the m in RPM file s which can make
manage me nt and ve rs ion control e as ie r. Tools s uch as Puppet can dis tribute s uch
configuration file s .

4.5.3.6. Using t he Direct Int erf ace


It is pos s ible to add and re move chains during runtime by us ing the --direct option with
the f irewall-cmd tool. A fe w e xample s are pre s e nte d he re , s e e the firewall-cmd(1)
man page for more information.
It is dange rous to us e the dire ct inte rface if you are not ve ry familiar with ipt ables as
you could inadve rte ntly caus e a bre ach in the fire wall.

84

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

The dire ct inte rface mode is inte nde d for s e rvice s or applications to add s pe cific fire wall
rule s during runtime . The rule s can be made pe rmane nt by adding the --permanent
option us ing the firewall-cmd --permanent --direct command or by modifying
/etc/firewalld/direct.xml. Se e man firewalld.direct(5) for information on the
/etc/firewalld/direct.xml file .
4.5.3.6.1. Adding a Cust o m Rule Using t he Direct Int erf ace
To add a cus tom rule to the IN_public_allow chain, is s ue the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the s e tting pe rs is te nt.
4.5.3.6.2. Remo ving a Cust o m Rule Using t he Direct Int erf ace
To re move a cus tom rule from the IN_public_allow chain, is s ue the following command as
root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the s e tting pe rs is te nt.
4.5.3.6.3. List ing Cust o m Rules Using t he Direct Int erf ace
To lis t the rule s in the IN_public_allow chain, is s ue the following command as root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lis ts rule s pre vious ly adde d us ing
the --add-rule option. It doe s not lis t e xis ting ipt ables rule s adde d by othe r me ans .

4.5.3.7. Conf iguring Complex Firewall Rules wit h t he "Rich Language"


Synt ax
With the rich language s yntax, comple x fire wall rule s can be cre ate d in a way that is
e as ie r to unde rs tand than the dire ct-inte rface me thod. In addition, the s e ttings can be
made pe rmane nt. The language us e s ke ywords with value s and is an abs tract
re pre s e ntation of ipt ables rule s . Zone s can be configure d us ing this language , the
curre nt configuration me thod will s till be s upporte d.
4.5.3.7.1. Fo rmat o f t he Rich Language Co mmands
All the commands in this s e ction ne e d to be run as root. The format of the command to
add a rule is as follows :
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
This will add a rich language rule rule for z one zone. This option can be s pe cifie d multiple
time s . If the z one is omitte d, the de fault z one is us e d. If a time out is s upplie d, the rule or
rule s only s tay active for the amount of time s pe cifie d and will be re move d automatically
afte rwards . The time value can be followe d by s (s e conds ), m (minute s ), or h (hours ) to
s pe cify the unit of time . The de fault is s e conds .

85

Se c ur it y Guide

To re move a rule :
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will re move a rich language rule rule for z one zone. This option can be s pe cifie d
multiple time s . If the z one is omitte d, the de fault z one is us e d.
To che ck if a rule is pre s e nt:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will re turn whe the r a rich language rule rule has be e n adde d for the z one zone. The
command prints yes with e xit s tatus 0 if e nable d. It prints no with e xit s tatus 1 othe rwis e .
If the z one is omitte d, the de fault z one is us e d.
For information about the rich language re pre s e ntation us e d in the z one configuration
file s , s e e the fire walld.z one (5) man page .
4.5.3.7.2. Underst anding t he Rich Rule St ruct ure
The format or s tructure of the rich rule commands is as follows :
rule [family="rule family"]
[ source address="address" [invert="True"] ]
[ destination address="address" [invert="True"] ]
[ element ]
[ log [prefix="prefix text"] [level="log level"] [limit
value="rate/duration"] ]
[ audit ]
[ action ]
A rule is as s ociate d with a particular z one . A z one can have s e ve ral rule s . If s ome rule s
inte ract or contradict, the firs t rule that matche s the packe t applie s .
4.5.3.7.3. Underst anding t he Rich Rule Co mmand Opt io ns
family
If the rule family is provide d, e ithe r ipv4 or ipv6, it limits the rule to IPv4 or IPv6
re s pe ctive ly. If the rule family is not provide d, the rule is adde d for both IPv4 and
IPv6. If s ource or de s tination addre s s e s are us e d in a rule , the n the rule family
ne e ds to be provide d. This is als o the cas e for port forwarding.
So urce and Dest inat io n Addresses
source
By s pe cifying the s ource addre s s the origin of a conne ction atte mpt can be
limite d to the s ource addre s s . A s ource addre s s or addre s s range is e ithe r an IP
addre s s or a ne twork IP addre s s with a mas k for IPv4 or IPv6. The ne twork
family (IPv4 or IPv6) will be automatically dis cove re d. For IPv4, the mas k can be
a ne twork mas k or a plain numbe r. For IPv6 the mas k is a plain numbe r. The us e
of hos t name s is not s upporte d. It is pos s ible to inve rt the s e ns e of the s ource
addre s s command by adding invert="true" or invert="yes"; all but the s upplie d
addre s s will match.

86

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

destination
By s pe cifying the de s tination addre s s the targe t can be limite d to the de s tination
addre s s . The de s tination addre s s us e s the s ame s yntax as the s ource addre s s .
The us e of s ource and de s tination addre s s e s is optional and the us e of a
de s tination addre s s e s is not pos s ible with all e le me nts . This de pe nds on the us e
of de s tination addre s s e s , for e xample in s e rvice e ntrie s .
Element s
The e le me nt can be o nly o ne of the following e le me nt type s : service, port, protocol,
masquerade, icmp-block and forward-port.
service
The s e rvice e le me nt is one of the f irewalld provide d s e rvice s . To ge t a lis t of
the pre de fine d s e rvice s , is s ue the following command:
~]$ firewall-cmd --get-services
If a s e rvice provide s a de s tination addre s s , it will conflict with a de s tination
addre s s in the rule and will re s ult in an e rror. The s e rvice s us ing de s tination
addre s s e s inte rnally are mos tly s e rvice s us ing multicas t. The command take s
the following form:
service name=service_name
port
The port e le me nt can e ithe r be a s ingle port numbe r or a port range , for
e xample , 5060-5062, followe d by the protocol, e ithe r as tcp or udp. The
command take s the following form:
port port=number_or_range protocol=protocol
protocol
The protocol value can be e ithe r a protocol ID numbe r or a protocol name . For
allowe d protocol e ntrie s , s e e /etc/protocols. The command take s the following
form:
protocol value=protocol_name_or_ID
icmp-block
Us e this command to block one or more ICMP type s . The ICMP type is one of the
ICMP type s f irewalld s upports . To ge t a lis ting of s upporte d ICMP type s , is s ue
the following command:
~]$ firewall-cmd --get-icmptypes
Spe cifying an action is not allowe d he re . icmp-block us e s the action reject
inte rnally. The command take s the following form:
icmp-block name=icmptype_name

87

Se c ur it y Guide

masquerade
Turns on IP mas que rading in the rule . A s ource addre s s can be provide d to limit
mas que rading to this are a, but not a de s tination addre s s . Spe cifying an action is
not allowe d he re .
forward-port
Forward packe ts from a local port with protocol s pe cifie d as tcp or udp to e ithe r
anothe r port locally, to anothe r machine , or to anothe r port on anothe r machine .
The port and to-port can e ithe r be a s ingle port numbe r or a port range . The
de s tination addre s s is a s imple IP addre s s . Spe cifying an action is not allowe d
he re . The forward-port command us e s the action accept inte rnally. The
command take s the following form:
forward-port port=number_or_range protocol=protocol /
to-port=number_or_range to-addr=address
Lo gging
log
Log ne w conne ction atte mpts to the rule with ke rne l logging, for e xample in
s ys log. You can de fine a pre fix te xt that will be adde d to the log me s s age as a
pre fix. Log le ve l can be one of emerg, alert, crit, error, warning, notice, info
or debug. The us e of log is optional. It is pos s ible to limit logging as follows :
log [prefix=prefix text] [level=log level] limit
value=rate/duration
The rate is a natural pos itive numbe r [1, ..], the duration of s, m, h, d. s me ans
s e conds , m minute s , h hours and d days . The maximum limit value is 1/d which
me ans at maximum one log e ntry pe r day.
audit
Audit provide s an alte rnative way for logging us ing audit re cords s e nt to the
s e rvice auditd. The audit type can be one of ACCEPT, REJECT or DROP but it is not
s pe cifie d afte r the command audit as the audit type will be automatically
gathe re d from the rule action. Audit doe s not have its own parame te rs , but limit
can be adde d optionally. The us e of audit is optional.
Act io n
accept|reject|drop
An action can be one of accept, reject or drop. The rule can only contain an
e le me nt or a s ource . If the rule contains an e le me nt, the n ne w conne ctions
matching the e le me nt will be handle d with the action. If the rule contains a s ource ,
the n e ve rything from the s ource addre s s will be handle d with the action
s pe cifie d.
accept | reject [type=reject type] | drop

88

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

With accept all ne w conne ction atte mpts will be grante d. With reject the y will be
re je cte d and the ir s ource will ge t a re je ct me s s age . The re je ct type can be s e t to
us e anothe r value . With drop all packe ts will be droppe d imme diate ly and no
information is s e nt to the s ource .
4.5.3.7.4. Using t he Rich Rule Lo g Co mmand
Logging can be done with the Net f ilt er log targe t and als o with the audit targe t. A ne w
chain is adde d to all z one s with a name in the format zone_log, whe re zone is the z one
name . This is proce s s e d be fore the deny chain in orde r to have prope r orde ring. The
rule s or parts of the m are place d in s e parate chains , according to the action of the rule , as
follows :
zone_log
zone_deny
zone_allow
All logging rule s will be place d in the zone_log chain, which will be pars e d firs t. All reject
and drop rule s will be place d in the zone_de ny chain, which will be pars e d afte r the log
chain. All accept rule s will be place d in the zone_allow chain, which will be pars e d afte r
the deny chain. If a rule contains log and als o deny or allow actions , the parts of the rule
that s pe cify the s e actions are place d in the matching chains .
4.5.3.7.4.1. Using t he Rich Rule Lo g Co mmand Example 1
Enable ne w IPv4 and IPv6 conne ctions for authe ntication he ade r protocol AH:
rule protocol value="ah" accept
4.5.3.7.4.2. Using t he Rich Rule Lo g Co mmand Example 2
Allow ne w IPv4 and IPv6 conne ctions for protocol FTP and log 1 pe r minute us ing audit:
rule service name="ftp" log limit value="1/m" audit accept
4.5.3.7.4.3. Using t he Rich Rule Lo g Co mmand Example 3
Allow ne w IPv4 conne ctions from addre s s 192.168.0.0/24 for protocol TFTP and log 1 pe r
minute us ing s ys log:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp"
log prefix="tftp" level="info" limit value="1/m" accept
4.5.3.7.4.4. Using t he Rich Rule Lo g Co mmand Example 4
Ne w IPv6 conne ctions from 1:2:3:4:6:: for protocol RADIUS are all re je cte d and logge d
at a rate of 3 pe r minute . Ne w IPv6 conne ctions from othe r s ource s are acce pte d:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius"
log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
4.5.3.7.4.5. Using t he Rich Rule Lo g Co mmand Example 5

89

Se c ur it y Guide

Forward IPv6 packe ts re ce ive d from 1:2:3:4:6:: on port 4011 with protocol TCP to
1::2:3:4:7 on port 4012.
rule family="ipv6" source address="1:2:3:4:6::" forward-port toaddr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
4.5.3.7.4.6. Using t he Rich Rule Lo g Co mmand Example 6
White lis t a s ource addre s s to allow all conne ctions from this s ource .
rule family="ipv4" source address="192.168.2.2" accept
Se e the firewalld.richlanguage(5) man page for more e xample s .

4.5.3.8. Firewall Lockdown


Local applications or s e rvice s are able to change the fire wall configuration if the y are
running as root (for e xample , libvirt ). With this fe ature , the adminis trator can lock the
fire wall configuration s o that e ithe r no applications , or only applications that are adde d to
the lockdown white lis t, are able to re que s t fire wall change s . The lockdown s e ttings de fault
to dis able d. If e nable d, the us e r can be s ure that the re are no unwante d configuration
change s made to the fire wall by local applications or s e rvice s .
4.5.3.8.1. Co nf iguring Firewall Lo ckdo wn
Us ing an e ditor running as root, add the following line to the
/etc/firewalld/firewalld.conf file as follows :
Lockdown=yes
Re load the fire wall us ing the following command as root:
~]# firewall-cmd --reload
Try to e nable the imaps s e rvice in the de fault z one us ing the following command as an
adminis trative us e r (a us e r in the wheel group; us ually the firs t us e r on the s ys te m). You
will be prompte d for the us e r pas s word:
~]$ firewall-cmd --add-service=imaps
Error: ACCESS_DENIED: lockdown is enabled
To e nable the us e of f irewall-cmd, is s ue the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es
/usr/bin/firewall-cmd*'
Add the --permanent option if you want to make it pe rs is te nt.
Re load the fire wall as root:
~]# firewall-cmd --reload

90

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Try to e nable the imaps s e rvice again in the de fault z one by e nte ring the following
command as an adminis trative us e r. You will be prompte d for the us e r pas s word:
~]$ firewall-cmd --add-service=imaps
This time the command s ucce e ds .
4.5.3.8.2. Co nf igure Lo ckdo wn wit h t he Co mmand Line Client
To que ry whe the r lockdown is e nable d, e nte r the following command as root:
~]# firewall-cmd --query-lockdown
Prints yes with e xit s tatus 0, if lockdown is e nable d, prints no with e xit s tatus 1 othe rwis e .
To e nable lockdown, e nte r the following command as root:
~]# firewall-cmd --lockdown-on
To dis able lockdown, e nte r the following command as root:
~]# firewall-cmd --lockdown-off
4.5.3.8.3. Co nf igure Lo ckdo wn Whit elist Opt io ns wit h t he Co mmand Line
The lockdown white lis t can contain commands , s e curity conte xts , us e rs and us e r IDs . If a
command e ntry on the white lis t e nds with an as te ris k *, the n all command line s s tarting
with that command will match. If the * is not the re the n the abs olute command including
argume nts mus t match.
The conte xt is the s e curity (SELinux) conte xt of a running application or s e rvice . To ge t the
conte xt of a running application us e the following command:
~]$ ps -e --context
That command re turns all running applications . Pipe the output through the grep tool to ge t
the application of inte re s t. For e xample :
~]$ ps -e --context | grep example_program
To lis t all command line s that are on the white lis t, e nte r the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-commands
To add a command command to the white lis t, e nte r the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es
/usr/bin/command'
To re move a command command from the white lis t, e nte r the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python Es /usr/bin/command'

91

Se c ur it y Guide

To que ry whe the r the command command is on the white lis t, e nte r the following command
as root:
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es
/usr/bin/command'
Prints yes with e xit s tatus 0, if true , prints no with e xit s tatus 1 othe rwis e .
To lis t all s e curity conte xts that are on the white lis t, e nte r the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-contexts
To add a conte xt context to the white lis t, e nte r the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-context=context
Add the --permanent option to make it pe rs is te nt.
To re move a conte xt context from the white lis t, e nte r the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-context=context
Add the --permanent option to make it pe rs is te nt.
To que ry whe the r the conte xt context is on the white lis t, e nte r the following command as
root:
~]# firewall-cmd --query-lockdown-whitelist-context=context
Prints yes with e xit s tatus 0, if true , prints no with e xit s tatus 1 othe rwis e .
To lis t all us e r IDs that are on the white lis t, e nte r the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-uids
To add a us e r ID uid to the white lis t, e nte r the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-uid=uid
Add the --permanent option to make it pe rs is te nt.
To re move a us e r ID uid from the white lis t, e nte r the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-uid=uid
Add the --permanent option to make it pe rs is te nt.
To que ry whe the r the us e r ID uid is on the white lis t, e nte r the following command:
~]$ firewall-cmd --query-lockdown-whitelist-uid=uid
Prints yes with e xit s tatus 0, if true , prints no with e xit s tatus 1 othe rwis e .
To lis t all us e r name s that are on the white lis t, e nte r the following command as root:

92

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]# firewall-cmd --list-lockdown-whitelist-users


To add a us e r name user to the white lis t, e nte r the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-user=user
Add the --permanent option to make it pe rs is te nt.
To re move a us e r name user from the white lis t, e nte r the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-user=user
Add the --permanent option to make it pe rs is te nt.
To que ry whe the r the us e r name user is on the white lis t, e nte r the following command:
~]$ firewall-cmd --query-lockdown-whitelist-user=user
Prints yes with e xit s tatus 0, if true , prints no with e xit s tatus 1 othe rwis e .
4.5.3.8.4. Co nf igure Lo ckdo wn Whit elist Opt io ns wit h Co nf igurat io n Files
The de fault white lis t configuration file contains the Net wo rkManager conte xt and the
de fault conte xt of libvirt . Als o the us e r ID 0 is in the lis t.
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
<selinux context="system_u:system_r:NetworkManager_t:s0"/>
<selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
<user id="0"/>
</whitelist>
He re follows an e xample white lis t configuration file e nabling all commands for the
firewall-cmd utility, for a us e r calle d user whos e us e r ID is 815:
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
<command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
<selinux context="system_u:system_r:NetworkManager_t:s0"/>
<user id="815"/>
<user name="user"/>
</whitelist>
In this e xample we have s hown both user id and user name but only one is re quire d.
Python is the inte rpre te r and the re fore pre pe nde d to the command line . You can als o us e
a ve ry s pe cific command, for e xample :
/usr/bin/python /bin/firewall-cmd --lockdown-on
In that e xample only the --lockdown-on command will be allowe d.

93

Se c ur it y Guide

No te
In Re d Hat Ente rpris e Linux 7, all utilitie s are now place d in /usr/bin/ and the /bin/
dire ctory is s ym-linke d to the /usr/bin/ dire ctory. In othe r words , although the path
for firewall-cmd whe n run as root might re s olve to /bin/firewall-cmd,
/usr/bin/firewall-cmd can now be us e d. All ne w s cripts s hould us e the ne w
location but be aware that if s cripts that run as root have be e n writte n to us e the
/bin/firewall-cmd path the n that command path mus t be white lis te d in addition to
the /usr/bin/firewall-cmd path traditionally us e d only for non-root us e rs .
The * at the e nd of the name attribute of a command me ans that all commands
that s tart with this s tring will match. If the * is not the re the n the abs olute
command including argume nts mus t match.

4.5.4. Using t he ipt ables Service


To us e the iptables and ip6tables s e rvice s ins te ad of firewalld, firs t dis able
firewalld by running the following command as root:
~]# systemctl disable firewalld
~]# systemctl stop firewalld
The n ins tall the iptables-services package by e nte ring the following command as root:
~]# yum install iptables-services
The iptables-services package contains the iptables s e rvice and the ip6tables s e rvice .
The n, to s tart the iptables and ip6tables s e rvice s , run the following commands as root:
~]# systemctl start iptables
~]# systemctl start ip6tables
To e nable the s e rvice s to s tart on e ve ry s ys te m s tart, e nte r the following commands :
~]# systemctl enable iptables
~]# systemctl enable ip6tables

4.5.4.1. IPT ables and IP Set s


The ipset utility is us e d to adminis te r IP sets in the Linux ke rne l. An IP s e t is a frame work
for s toring IP addre s s e s , port numbe rs , IP and MAC addre s s pairs , or IP addre s s and port
numbe r pairs . The s e ts are inde xe d in s uch a way that ve ry fas t matching can be made
agains t a s e t e ve n whe n the s e ts are ve ry large . IP s e ts e nable s imple r and more
manage able configurations as we ll as providing pe rformance advantage s whe n us ing
ipt ables. The ipt ables matche s and targe ts re fe rring to s e ts cre ate re fe re nce s which
prote ct the give n s e ts in the ke rne l. A s e t cannot be de s troye d while the re is a s ingle
re fe re nce pointing to it.
The us e of ipset e nable s ipt ables commands , s uch as thos e be low, to be re place d by a
s e t:

94

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]# iptables -A INPUT -s 10.0.0.0/8 -j DROP


~]# iptables -A INPUT -s 172.16.0.0/12 -j DROP
~]# iptables -A INPUT -s 192.168.0.0/16 -j DROP
The s e t is cre ate d as follows :
~]#
~]#
~]#
~]#

ipset
ipset
ipset
ipset

create my-block-set hash:net


add my-block-set 10.0.0.0/8
add my-block-set 172.16.0.0/12
add my-block-set 192.168.0.0/16

The s e t is the n re fe re nce d in an ipt ables command as follows :


~]# iptables -A INPUT -m set --set my-block-set src -j DROP
If the s e t is us e d more than once a s aving in configuration time is made . If the s e t
contains many e ntrie s a s aving in proce s s ing time is made .
4.5.4.1.1. Using IP Set s wit h f irewalld
To us e IP s e ts with f irewalld, a pe rmane nt dire ct rule is re quire d to re fe re nce the s e t,
and a cus tom s e rvice mus t be cre ate d and s tarte d be fore f irewalld s tarts for e ve ry
ipset. You can add pe rmane nt dire ct rule s with the /etc/firewalld/direct.xml file .
Pro cedure 4.1. Co nf iguring a Cust o m Service f o r an IP Set
Configure a cus tom s e rvice to cre ate and load the IP s e t s tructure be fore f irewalld
s tarts .
1. Us ing an e ditor running as root, cre ate a file as follows :
~]# vi /etc/systemd/system/ipset_name.service
[Unit]
Description=ipset_name
Before=firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ipset_name.sh start
ExecStop=/usr/local/bin/ipset_name.sh stop
[Install]
WantedBy=basic.target
2. Us e the IP s e t pe rmane ntly in f irewalld:
~]# vi /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m
set
--match-set <replaceable>ipset_name</replaceable> src -j
DROP</rule>
</direct>

95

Se c ur it y Guide

3. A f irewalld re load is re quire d to activate the change s :


~]# firewall-cmd --reload
This will re load the fire wall without los ing s tate information (TCP s e s s ions will not
be te rminate d), but s e rvice dis ruption is pos s ible during the re load.
4.5.4.1.2. Inst alling ipset
To ins tall the ipset utility, is s ue the following command as root:
~]# yum install ipset
To s e e the us age me s s age :
~]$ ipset --help
ipset v6.11
Usage: ipset [options] COMMAND
output truncated
4.5.4.1.3. ipset Co mmands
The format of the ipset command is as follows :
ipset [options] command [command-options]
Whe re command is one of:
create | add | del | test | destroy | list | save | restore | flush |
rename | swap | help | version | Allowe d options are :
-exist | -output [ plain | save | xml ] | -quiet | -resolve | -sorted |
-name | -terse
The create command is us e d to cre ate a ne w data s tructure to s tore a s e t of IP data. The
add command adds ne w data to the s e t, the data adde d is re fe rre d to as an e le me nt of
the s e t.
The -exist option s uppre s s e s e rror me s s age if the e le me nt alre ady e xis ts , and it has a
s pe cial role in updating a time out value . To change a time out, us e the ipset add
command and s pe cify all the data for the e le me nt again, changing only the time out value
as re quire d, and us ing the -exist option.
The test option is for te s ting if the e le me nt alre ady e xis ts within a s e t.
The format of the create command is as follows :
ipset create set-name type-name [create-options]

96

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

The set-name is a s uitable name chos e n by the us e r, the type-name is the name of the
data s tructure us e d to s tore the data compris ing the s e t. The format of the type-name is
as follows :
method:datatype[,datatype[,datatype]]
The allowe d me thods for s toring data are :
bitmap | hash | list
The allowe d data type s are :
ip | net | mac | port | iface
Whe n adding, de le ting, or te s ting e ntrie s in a s e t, the s ame comma s e parate d data s yntax
mus t be us e d for the data that make s up one e ntry, or e le me nt, in the s e t. For e xample :
ipset add set-name ipaddr,portnum,ipaddr

No te
A s e t cannot contain IPv4 and IPv6 addre s s e s at the s ame time . Whe n a s e t is
cre ate d it is bound to a family, inet for IPv4 or inet6 for IPv6, and the de fault is
inet.

Example 4.2. Creat e an IP Set


To cre ate an IP s e t cons is ting of a s ource IP addre s s , a port, and de s tination IP addre s s ,
is s ue a command as follows :
~]# ipset create my-set hash:ip,port,ip
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-set 192.168.1.2,80,192.168.2.2
~]# ipset add my-set 192.168.1.2,443,192.168.2.2

The s e t type s have the following optional parame te rs in common. The y mus t be s pe cifie d
whe n the s e t is cre ate d in orde r for the m to be us e d:
timeout The value give n with the create command will be the de fault value for the
s e t cre ate d. If a value is give n with the add command, it will be the initial non-de fault
value for the e le me nt.
counters If the option is give n with the create command the n packe t and byte
counte rs are cre ate d for e ve ry e le me nt in the s e t. If no value is give n with the add
command the n the counte rs s tart from z e ro.

97

Se c ur it y Guide

comment If the option is give n with the create command the n a quote d s tring of te xt
can be pas s e d with the add command to docume nt the purpos e of the e le me nt be ing
adde d. Note that quotation marks are not allowe d within the s tring, and e s cape
characte rs will have no e ffe ct within IP s e t.

Example 4.3. List an IP Set


To lis t the conte nts of a s pe cific IP Se t, my-set, is s ue a command as follows :
~]# ipset list my-set
Name: my-set
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8360
References: 0
Members:
192.168.1.2,tcp:80,192.168.2.2
192.168.1.2,tcp:443,192.168.2.2
Omit the s e t name to lis t all s e ts .

Example 4.4. T est t he Element s o f an IP Set


Lis ting the conte nts of large s e ts is time cons uming. You can te s t for the e xis te nce of
an e le me nt as follows :
~]# ipset test my-set 192.168.1.2,80,192.168.2.2
192.168.1.2,tcp:80,192.168.2.2 is in set my-set.

4.5.4.1.4. IP Set T ypes


bit map:ip
Store s an IPv4 hos t addre s s , a ne twork range , or an IPv4 ne twork addre s s e s with
the pre fix-le ngth in CIDR notation if the netmask option is us e d whe n the s e t is
cre ate d. It can optionally s tore a time out value , a counte r value , and a comme nt. It
can s tore up to 65536 e ntrie s . The command to cre ate the bitmap:ip s e t has the
following format:
ipset create set-name range start_ipaddr-end_ipaddr
|ipaddr/prefix-length [netmask prefix-length] [timeout value]
[counters] [comment]

Example 4.5. Creat e an IP Set f o r a Range o f Addresses Using a Pref ix Lengt h


To cre ate an IP s e t for a range of addre s s e s us ing a pre fix le ngth, make us e of the
bitmap:ip s e t type as follows :
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the s e t is cre ate d, e ntrie s can be adde d as follows :

98

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]# ipset add my-range 192.168.33.1


Re vie w the me mbe rs of the lis t:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addre s s e s :
~]# ipset add my-range 192.168.33.2-192.168.33.4
Re vie w the me mbe rs of the lis t:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4

Example 4.6. Creat e an IP Set f o r a Range o f Addresses Using a Net mask


To cre ate an IP s e t for a range of addre s s us ing a ne tmas k, make us e of the bitmap:ip
s e t type as follows :
~]# ipset create my-big-range bitmap:ip range 192.168.124.0192.168.126.0 netmask 24
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-big-range 192.168.124.0
If you atte mpt to add an addre s s , the range containing that addre s s will be adde d:
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24
Size in memory: 84

99

Se c ur it y Guide

References: 0
Members:
192.168.124.0
192.168.125.0
bit map:ip,mac
Store s an IPv4 addre s s and a MAC addre s s as a pair. It can s tore up to 65536
e ntrie s .
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr
| ipaddr/prefix-length [timeout value ] [counters] [comment]

Example 4.7. Creat e an IP Set f o r a Range o f IPv4 MAC Address Pairs


To cre ate an IP s e t for a range of IPv4 MAC addre s s pairs , make us e of the
bitmap:ip,mac s e t type as follows :
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not ne ce s s ary to s pe cify a MAC addre s s whe n cre ating the s e t.
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
bit map:po rt
Store s a range of ports . It can s tore up to 65536 e ntrie s .
ipset create my-port-range bitmap:port range start_port-end_port
[timeout value ] [counters] [comment]
The s e t match and SET targe t ne tfilte r ke rne l module s inte rpre t the s tore d
numbe rs as TCP or UDP port numbe rs . The protocol can optionally be s pe cifie d
toge the r with the port. The proto only ne e ds to be s pe cifie d if a s e rvice name is
us e d, and that name doe s not e xis t as a TCP s e rvice .

Example 4.8. Creat e an IP Set f o r a Range o f Po rt s


To cre ate an IP s e t for a range of ports , make us e of the bitmap:port s e t type as
follows :
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-permitted-port-range 5060-5061
hash:ip

100

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Store s a hos t or ne twork addre s s in the form of a has h. By de fault, an addre s s


s pe cifie d without a ne twork pre fix le ngth is a hos t addre s s . The all-z e ro IP
addre s s cannot be s tore d.
ipset create my-addresses hash:ip [family[ inet | inet6 ]]
[hashsize value] [maxelem value ] [netmask prefix-length]
[timeout value ]
The inet family is the de fault, if family is omitte d addre s s e s will be inte rpre te d
as IPv4 addre s s e s . The hashsize value is the initial has h s iz e to us e and
de faults to 1024. The maxelem value is the maximum numbe r of e le me nts which
can be s tore d in the s e t, it de faults to 65536.
The net f ilt er tool s e arche s for a ne twork pre fix which is the mos t s pe cific, it
trie s to find the s malle s t block of addre s s e s that match.

Example 4.9. Creat e an IP Set f o r IP Addresses


To cre ate an IP s e t for IP addre s s e s , make us e of the hash:ip s e t type as follows :
~]# ipset create my-addresses hash:ip
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-addresses 10.10.10.0
If additional options s uch as ne tmas k and time out are re quire d, the y mus t be s pe cifie d
whe n the s e t is cre ate d. For e xample :
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28
timeout 100
The maxelem option re s tricts to total numbe r of e le me nts in the s e t, thus cons e rving
me mory s pace .
The time out option me ans that e le me nts will only e xis t in the s e t for the numbe r of
s e conds s pe cifie d. For e xample :
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output s hows the time counting down:
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100

101

Se c ur it y Guide

Size in memory: 8300


References: 0
Members:
192.168.60.0 timeout 83
The e le me nt will be re move d from the s e t whe n the time out pe riod e nds .
Se e the ipset(8) manual page for more e xample s .

4.5.5. Addit ional Resources


The following s ource s of information provide additional re s ource s re garding firewalld.

4.5.5.1. Inst alled Document at ion


firewalld(1) man page De s cribe s command options for firewalld.
firewalld.conf(5) man page Contains information to configure firewalld.
firewall-cmd(1) man page De s cribe s command options for the firewalld
command line clie nt.
firewalld.icmptype(5) man page De s cribe s XML configuration file s for ICMP
filte ring.
firewalld.service(5) man page De s cribe s XML configuration file s for f irewalld
service.
firewalld.zone(5) man page De s cribe s XML configuration file s for firewalld z one
configuration.
firewalld.direct(5) man page De s cribe s the firewalld dire ct inte rface
configuration file .
firewalld.lockdown-whitelist(5) man page De s cribe s the firewalld lockdown
white lis t configuration file .
firewall.richlanguage(5) man page De s cribe s the firewalld rich language rule
s yntax.
firewalld.zones(5) man page Ge ne ral de s cription of what z one s are and how to
configure the m.

4.6. Securing DNS T raffic wit h DNSSEC


4.6.1. Int roduct ion t o DNSSEC
DNSSEC is a s e t of Domain Name System Security Extensions (DNSSEC) that e nable s a DNS
clie nt to authe nticate and che ck the inte grity of re s pons e s from a DNS name s e rve r in
orde r to ve rify the ir origin and to de te rmine if the y have be e n tampe re d with in trans it.

4.6.2. Underst anding DNSSEC


For conne cting ove r the Inte rne t, a growing numbe r of we bs ite s now offe r the ability to
conne ct s e cure ly us ing HTTPS. Howe ve r, be fore conne cting to an HTTPS we bs e rve r, a DNS

102

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

lookup mus t be pe rforme d, unle s s you e nte r the IP addre s s dire ctly. The s e DNS lookups
are done ins e cure ly and are s ubje ct to man-in-the-middle attacks due to lack of
authe ntication. In othe r words , a DNS clie nt cannot have confide nce that the re plie s that
appe ar to come from a give n DNS name s e rve r are authe ntic and have not be e n tampe re d
with. More importantly, a re curs ive name s e rve r cannot be s ure that the re cords it obtains
from othe r name s e rve rs are ge nuine . The DNS protocol did not provide a me chanis m for
the clie nt to e ns ure it was not s ubje ct to a man-in-the -middle attack. DNSSEC was
introduce d to addre s s the lack of authe ntication and inte grity che cks whe n re s olving
domain name s us ing DNS. It doe s not addre s s the proble m of confide ntiality.
Publis hing DNSSEC information involve s digitally s igning DNS re s ource re cords as we ll as
dis tributing public ke ys in s uch a way as to e nable DNS re s olve rs to build a hie rarchical
chain of trus t. Digital s ignature s for all DNS re s ource re cords are ge ne rate d and adde d to
the z one as digital s ignature re s ource re cords (RRSIG). The public ke y of a z one is adde d
as a DNSKEY re s ource re cord. To build the hie rarchical chain, has he s of the DNSKEY are
publis he d in the pare nt z one as Delegation of Signing (DS) re s ource re cords . To facilitate
proof of non-e xis te nce , the NextSECure (NSEC) and NSEC3 re s ource re cords are us e d. In a
DNSSEC s igne d z one , e ach resource record set (RRs e t) has a corre s ponding RRSIG
re s ource re cord. Note that re cords us e d for de le gation to a child z one (NS and glue
re cords ) are not s igne d; the s e re cords appe ar in the child z one and are s igne d the re .
Proce s s ing DNSSEC information is done by re s olve rs that are configure d with the root
z one public ke y. Us ing this ke y, re s olve rs can ve rify the s ignature s us e d in the root z one .
For e xample , the root z one has s igne d the DS re cord for .com. The root z one als o s e rve s
NS and glue re cords for the .com name s e rve rs . The re s olve r follows this de le gation and
que rie s for the DNSKEY re cord of .com us ing the s e de le gate d name s e rve rs . The has h of
the DNSKEY re cord obtaine d s hould match the DS re cord in the root z one . If s o, the
re s olve r will trus t the obtaine d DNSKEY for .com. In the .com z one , the RRSIG re cords are
cre ate d by the .com DNSKEY. This proce s s is re pe ate d s imilarly for de le gations within
.com, s uch as redhat.com. Us ing this me thod, a validating DNS re s olve r only ne e ds to be
configure d with one root ke y while it colle cts many DNSKEYs from around the world during
its normal ope ration. If a cryptographic che ck fails , the re s olve r will re turn SERVFAIL to the
application.
DNSSEC has be e n de s igne d in s uch a way that it will be comple te ly invis ible to
applications not s upporting DNSSEC. If a non-DNSSEC application que rie s a DNSSEC
capable re s olve r, it will re ce ive the ans we r without any of the s e ne w re s ource re cord
type s s uch as RRSIG. Howe ve r, the DNSSEC capable re s olve r will s till pe rform all
cryptographic che cks , and will s till re turn a SERVFAIL e rror to the application if it de te cts
malicious DNS ans we rs . DNSSEC prote cts the inte grity of the data be twe e n DNS s e rve rs
(authoritative and re curs ive ), it doe s not provide s e curity be twe e n the application and the
re s olve r. The re fore , it is important that the applications are give n a s e cure trans port to
the ir re s olve r. The e as ie s t way to accomplis h that is to run a DNSSEC capable re s olve r on
localhost and us e 127.0.0.1 in /etc/resolv.conf. Alte rnative ly a VPN conne ction to a
re mote DNS s e rve r could be us e d.

Underst anding t he Hot spot Problem


Wi-Fi Hots pots or VPNs re ly on DNS lie s : Captive portals te nd to hijack DNS in orde r to
re dire ct us e rs to a page whe re the y are re quire d to authe nticate (or pay) for the Wi-Fi
s e rvice . Us e rs conne cting to a VPN ofte n ne e d to us e an inte rnal only DNS s e rve r in
orde r to locate re s ource s that do not e xis t outs ide the corporate ne twork. This re quire s
additional handling by s oftware . For e xample , dnssec-t rigger can be us e d to de te ct if a
Hots pot is hijacking the DNS que rie s and unbound can act as a proxy name s e rve r to
handle the DNSSEC que rie s .

103

Se c ur it y Guide

Choosing a DNSSEC Capable Recursive Resolver


To de ploy a DNSSEC capable re curs ive re s olve r, e ithe r BIND or unbound can be us e d.
Both e nable DNSSEC by de fault and are configure d with the DNSSEC root ke y. To e nable
DNSSEC on a s e rve r, e ithe r will work howe ve r the us e of unbound is pre fe rre d on mobile
de vice s , s uch as note books , as it allows the local us e r to dynamically re configure the
DNSSEC ove rride s re quire d for Hots pots whe n us ing dnssec-t rigger, and for VPNs whe n
us ing Libreswan. The unbound dae mon furthe r s upports the de ployme nt of DNSSEC
e xce ptions lis te d in the etc/unbound/*.d/ dire ctorie s which can be us e ful to both
s e rve rs and mobile de vice s .

4.6.3. Underst anding Dnssec-t rigger


Once unbound is ins talle d and configure d in /etc/resolv.conf, all DNS que rie s from
applications are proce s s e d by unbound. dnssec-t rigger only re configure s the unbound
re s olve r whe n trigge re d to do s o. This mos tly applie s to roaming clie nt machine s , s uch as
laptops , that conne ct to diffe re nt Wi-Fi ne tworks . The proce s s is as follows :
Net wo rkManager trigge rs dnssec-t rigger whe n a ne w DNS s e rve r is obtaine d via
DHCP.
Dnssec-t rigger the n pe rforms a numbe r of te s ts agains t the s e rve r and de cide s
whe the r or not it prope rly s upports DNSSEC.
If it doe s , the n dnssec-t rigger re configure s unbound to us e that DNS s e rve r as a
forwarde r for all que rie s .
If the te s ts fail, dnssec-t rigger will ignore the ne w DNS s e rve r and try a fe w available
fall-back me thods .
If it de te rmine s that an unre s tricte d port 53 (UDP and TCP) is available , it will te ll
unbound to be come a full re curs ive DNS s e rve r without us ing any forwarde r.
If this is not pos s ible , for e xample be caus e port 53 is blocke d by a fire wall for
e ve rything e xce pt re aching the ne twork's DNS s e rve r its e lf, it will try to us e DNS to port
80, or TLS e ncaps ulate d DNS to port 443. Se rve rs running DNS on port 80 and 443 can
be configure d in /etc/dnssec-trigger/dnssec-trigger.conf. Comme nte d out
e xample s s hould be available in the de fault configuration file .
If the s e fall-back me thods als o fail, dnssec-t rigger offe rs to e ithe r ope rate
ins e cure ly, which would bypas s DNSSEC comple te ly, or run in cache only mode whe re
it will not atte mpt ne w DNS que rie s but will ans we r for e ve rything it alre ady has in the
cache .
Wi-Fi Hots pots incre as ingly re dire ct us e rs to a s ign-on page be fore granting acce s s to the
Inte rne t. During the probing s e que nce outline d above , if a re dire ction is de te cte d, the
us e r is prompte d to as k if a login is re quire d to gain Inte rne t acce s s . The dnssec-trigger
dae mon continue s to probe for DNSSEC re s olve rs e ve ry te n s e conds . Se e Se ction 4.6.8,
Us ing Dns s e c-trigge r for information on us ing the dnssec-t rigger graphical utility.

4.6.4. VPN Supplied Domains and Name Servers


Some type s of VPN conne ctions can conve y a domain and a lis t of name s e rve rs to us e for
that domain as part of the VPN tunne l s e tup. On Red Hat Ent erprise Linux, this is
s upporte d by Net wo rkManager. This me ans that the combination of unbound, dnssect rigger, and Net wo rkManager can prope rly s upport domains and name s e rve rs
provide d by VPN s oftware . Once the VPN tunne l come s up, the local unbound cache is

104

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

flus he d for all e ntrie s of the domain name re ce ive d, s o that que rie s for name s within the
domain name are fe tche d fre s h from the inte rnal name s e rve rs re ache d via the VPN.
Whe n the VPN tunne l is te rminate d, the unbound cache is flus he d again to e ns ure any
que rie s for the domain will re turn the public IP addre s s e s , and not the pre vious ly obtaine d
private IP addre s s e s . Se e Se ction 4.6.11, Configuring DNSSEC Validation for Conne ction
Supplie d Domains .

4.6.5. Recommended Naming Pract ices


Re d Hat re comme nds that both s tatic and trans ie nt name s match the fully-qualified domain
name (FQDN) us e d for the machine in DNS, s uch as host.example.com.
The Inte rne t Corporation for As s igne d Name s and Numbe rs (ICANN) s ome time s adds
pre vious ly unre gis te re d Top-Le ve l Domains (s uch as .yourcompany) to the public re gis te r.
The re fore , Re d Hat s trongly re comme nds that you do not us e a domain name that is not
de le gate d to you, e ve n on a private ne twork, as this can re s ult in a domain name that
re s olve s diffe re ntly de pe nding on ne twork configuration. As a re s ult, ne twork re s ource s
can be come unavailable . Us ing domain name s that are not de le gate d to you als o make s
DNSSEC more difficult to de ploy and maintain, as domain name collis ions re quire manual
configuration to e nable DNSSEC validation. Se e the ICANN FAQ on domain name collis ion
for more information on this is s ue .

4.6.6. Underst anding T rust Anchors


A trus t anchor cons is ts of a DNS name and public ke y (or has h of the public ke y)
as s ociate d with that name . It is e xpre s s e d as a bas e 64 e ncode d ke y. It is s imilar to a
ce rtificate in that it is a me ans of e xchanging information, including a public ke y, which can
be us e d to ve rify and authe nticate DNS re cords . Se e RFC 4033 for a more comple te
de finition of a trus t anchor.

4.6.7. Inst alling DNSSEC


4.6.7.1. Inst alling unbound
In orde r to validate DNS us ing DNSSEC locally on a machine , it is ne ce s s ary to ins tall the
DNS re s olve r unbound (or bind ). It is only ne ce s s ary to ins tall dnssec-t rigger on mobile
de vice s . For s e rve rs , unbound s hould be s ufficie nt although a forwarding configuration for
the local domain might be re quire d de pe nding on whe re the s e rve r is locate d (LAN or
Inte rne t). dnssec-t rigger will curre ntly only he lp with the global public DNS z one .
Net wo rkManager, dhclient , and VPN applications can ofte n gathe r the domain lis t (and
name s e rve r lis t as we ll) automatically, but not dnssec-t rigger nor unbo und.
To ins tall unbound run the following command as the root us e r:
~]# yum install unbound

4.6.7.2. Checking if unbound is Running


To de te rmine whe the r the unbound dae mon is running, e nte r the following command:
~]$ systemctl status unbound
unbound.service - Unbound recursive Domain Name Server
Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled)
Active: active (running) since Wed 2013-03-13 01:19:30 CET; 6h ago

105

Se c ur it y Guide

The systemctl status command will re port unbound as Active: inactive (dead) if the
unbound s e rvice is not running.

4.6.7.3. St art ing unbound


To s tart the unbound dae mon for the curre nt s e s s ion, run the following command as the
root us e r:
~]# systemctl start unbound
Run the systemctl enable command to e ns ure that unbound s tarts up e ve ry time the
s ys te m boots :
~]# systemctl enable unbound
The unbound dae mon allows configuration of local data or ove rride s us ing the following
dire ctorie s :
The /etc/unbound/conf.d dire ctory is us e d to add configurations for a s pe cific domain
name . This is us e d to re dire ct que rie s for a domain name to a s pe cific DNS s e rve r. This
is ofte n us e d for s ub-domains that only e xis t within a corporate WAN.
The /etc/unbound/keys.d dire ctory is us e d to add trus t anchors for a s pe cific domain
name . This is re quire d whe n an inte rnal-only name is DNSSEC s igne d, but the re is no
publicly e xis ting DS re cord to build a path of trus t. Anothe r us e cas e is whe n an inte rnal
ve rs ion of a domain is s igne d us ing a diffe re nt DNSKEY than the publicly available
name outs ide the corporate WAN.
The /etc/unbound/local.d dire ctory is us e d to add s pe cific DNS data as a local
ove rride . This can be us e d to build blacklis ts or cre ate manual ove rride s . This data will
be re turne d to clie nts by unbound, but it will not be marke d as DNSSEC s igne d.
Net wo rkManager, as we ll as s ome VPN s oftware , may change the configuration
dynamically. The s e configuration dire ctorie s contain comme nte d out e xample e ntrie s . For
furthe r information s e e the unbound.conf(5) man page .

4.6.7.4. Inst alling Dnssec-t rigger


The dnssec-t rigger application runs as a dae mon, dnssec-triggerd. To ins tall dnssect rigger run the following command as the root us e r:
~]# yum install dnssec-trigger

4.6.7.5. Checking if t he Dnssec-t rigger Daemon is Running


To de te rmine whe the r dnssec-triggerd is running, e nte r the following command:
~]$ systemctl status dnssec-triggerd
systemctl status dnssec-triggerd.service
dnssec-triggerd.service - Reconfigure local DNS(SEC) resolver on network
change
Loaded: loaded (/usr/lib/systemd/system/dnssec-triggerd.service;
enabled)
Active: active (running) since Wed 2013-03-13 06:10:44 CET; 1h 41min
ago

106

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

The systemctl status command will re port dnssec-triggerd as Active: inactive


(dead) if the dnssec-triggerd dae mon is not running. To s tart it for the curre nt s e s s ion
run the following command as the root us e r:
~]# systemctl start dnssec-triggerd
Run the systemctl enable command to e ns ure that dnssec-triggerd s tarts up e ve ry
time the s ys te m boots :
~]# systemctl enable dnssec-triggerd

4.6.8. Using Dnssec-t rigger


The dnssec-t rigger application has a GNOME pane l utility for dis playing DNSSEC probe
re s ults and for pe rforming DNSSEC probe re que s ts on de mand. To s tart the utility, pre s s
the Super ke y to e nte r the Activitie s Ove rvie w, type DNSSEC and the n pre s s Enter. An
icon re s e mbling a s hips anchor is adde d to the me s s age tray at the bottom of the s cre e n.
Pre s s the round blue notification icon in the bottom right of the s cre e n to re ve al it. Right
click the anchor icon to dis play a pop-up me nu.
In normal ope rations unbo und is us e d locally as the name s e rve r, and resolv.conf
points to 127.0.0.1. Whe n you click OK on the Hotspot Sign-On pane l this is change d.
The DNS s e rve rs are que rie d from Net wo rkManager and put in resolv.conf. Now you
can authe nticate on the Hots pot's s ign-on page . The anchor icon s hows a big re d
e xclamation mark to warn you that DNS que rie s are be ing made ins e cure ly. Whe n
authe nticate d, dnssec-t rigger s hould automatically de te ct this and s witch back to s e cure
mode , although in s ome cas e s it cannot and the us e r has to do this manually by s e le cting
Reprobe.
Dnssec-t rigger doe s not normally re quire any us e r inte raction. Once s tarte d, it works in
the background and if a proble m is e ncounte re d it notifie s the us e r by me ans of a pop-up
te xt box. It als o informs unbound about change s to the resolv.conf file .

4.6.9. Using dig Wit h DNSSEC


To s e e whe the r DNSSEC is working, one can us e various command line tools . The be s t
tool to us e is the dig command from the bind-utils package . Othe r tools that are us e ful are
drill from the ldns package and unbo und-ho st from the unbound package . The old DNS
utilitie s nslo o kup and ho st are obs ole te and s hould not be us e d.
To s e nd a que ry re que s ting DNSSEC data us ing dig, the option +dnssec is adde d to the
command, for e xample :
~]$ dig +dnssec whitehouse.gov
; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-4.P2.el7 <<>> +dnssec
whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21388
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:

107

Se c ur it y Guide

;whitehouse.gov.

IN A

;; ANSWER SECTION:
whitehouse.gov. 20 IN A 72.246.36.110
whitehouse.gov. 20 IN RRSIG A 7 2 20 20130825124016 20130822114016 8399
whitehouse.gov. BB8VHWEkIaKpaLprt3hq1GkjDROvkmjYTBxiGhuki/BJn3PoIGyrftxR
HH0377I0Lsybj/uZv5hL4UwWd/lw6Gn8GPikqhztAkgMxddMQ2IARP6p
wbMOKbSUuV6NGUT1WWwpbi+LelFMqQcAq3Se66iyH0Jem7HtgPEUE1Zc 3oI=
;;
;;
;;
;;

Query time: 227 msec


SERVER: 127.0.0.1#53(127.0.0.1)
WHEN: Thu Aug 22 22:01:52 EDT 2013
MSG SIZE rcvd: 233

In addition to the A re cord, an RRSIG re cord is re turne d which contains the DNSSEC
s ignature , as we ll as the ince ption time and e xpiration time of the s ignature . The unbound
s e rve r indicate d that the data was DNSSEC authe nticate d by re turning the ad bit in the
flags: s e ction at the top.
If DNSSEC validation fails , the dig command would re turn a SERVFAIL e rror:
~]$ dig badsign-a.test.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> badsigna.test.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN A
;;
;;
;;
;;

Query time: 1284 msec


SERVER: 127.0.0.1#53(127.0.0.1)
WHEN: Thu Aug 22 22:04:52 EDT 2013
MSG SIZE rcvd: 60]

To re que s t more information about the failure , DNSSEC che cking can be dis able d by
s pe cifying the +cd option to the dig command:
~]$ dig +cd +dnssec badsign-a.test.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> +cd +dnssec
badsign-a.test.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26065
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN A
;; ANSWER SECTION:

108

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

badsign-a.test.dnssec-tools.org. 49 IN A 75.119.216.33
badsign-a.test.dnssec-tools.org. 49 IN RRSIG A 5 4 86400 20130919183720
20130820173720 19442 test.dnssec-tools.org.
E572dLKMvYB4cgTRyAHIKKEvdOP7tockQb7hXFNZKVbfXbZJOIDREJrr
zCgAfJ2hykfY0yJHAlnuQvM0s6xOnNBSvc2xLIybJdfTaN6kSR0YFdYZ
n2NpPctn2kUBn5UR1BJRin3Gqy20LZlZx2KD7cZBtieMsU/IunyhCSc0 kYw=
;;
;;
;;
;;

Query time: 1 msec


SERVER: 127.0.0.1#53(127.0.0.1)
WHEN: Thu Aug 22 22:06:31 EDT 2013
MSG SIZE rcvd: 257

Ofte n, DNSSEC mis take s manife s t the ms e lve s by bad ince ption or e xpiration time ,
although in this e xample , the pe ople at www.dns s e c-tools .org have mangle d this RRSIG
s ignature on purpos e , which we would not be able to de te ct by looking at this output
manually. The e rror will s how in the output of systemctl status unbound and the
unbound dae mon logs the s e e rrors to syslo g as follows :
Aug 22 22:04:52 laptop unbound: [3065:0] info: validation failure
badsign-a.test.dnssec-tools.org. A IN
An e xample us ing unbound-host:
~]$ unbound-host -C /etc/unbound/unbound.conf -v whitehouse.gov
whitehouse.gov has address 184.25.196.110 (secure)
whitehouse.gov has IPv6 address 2600:1417:11:2:8800::fc4 (secure)
whitehouse.gov has IPv6 address 2600:1417:11:2:8000::fc4 (secure)
whitehouse.gov mail is handled by 105 mail1.eop.gov. (secure)
whitehouse.gov mail is handled by 110 mail5.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail4.eop.gov. (secure)
whitehouse.gov mail is handled by 110 mail6.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail2.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail3.eop.gov. (secure)

4.6.10. Set t ing up Hot spot Det ect ion Inf rast ruct ure f or Dnssect rigger
Whe n conne cting to a ne twork, dnssec-t rigger atte mpts to de te ct a Hots pot. A Hots pot is
ge ne rally a de vice that force s us e r inte raction with a we b page be fore the y can us e the
ne twork re s ource s . The de te ction is done by atte mpting to download a s pe cific fixe d we b
page with known conte nt. If the re is a Hots pot, the n the conte nt re ce ive d will not be as
e xpe cte d.
To s e t up a fixe d we b page with known conte nt that can be us e d by dnssec-t rigger to
de te ct a Hots pot, proce e d as follows :
1. Se t up a we b s e rve r on s ome machine that is publicly re achable on the Inte rne t.
Se e the We b Se rve rs chapte r in the Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide . .
2. Once you have the s e rve r running, publis h a s tatic page with known conte nt on it.
The page doe s not ne e d to be a valid HTML page . For e xample , you could us e a
plain-te xt file name d hotspot.txt that contains only the s tring OK. As s uming your
s e rve r is locate d at example.com and you publis he d your hotspot.txt file in the

109

Se c ur it y Guide

we b s e rve r document_root/static/ s ub-dire ctory, the n the addre s s to your s tatic


we b page would be example.com/static/hotspot.txt. Se e the DocumentRoot
dire ctive in the We b Se rve rs chapte r in the Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide .
3. Add the following line to the /etc/dnssec-trigger/dnssec-trigger.conf file :
url: "http://example.com/static/hotspot.txt OK"
This command adds a URL that is probe d via HTTP (port 80). The firs t part is the URL
that will be re s olve d and the page that will be downloade d. The s e cond part of the
command is the te xt s tring that the downloade d we bpage is e xpe cte d to contain.
For more information on the configuration options s e e the man page dnssectrigger.conf(8).

4.6.11. Conf iguring DNSSEC Validat ion f or Connect ion Supplied


Domains
By de fault, forward z one s with prope r name s e rve rs are automatically adde d into unbound
by dnssec-t rigger for e ve ry domain provide d by any conne ction, e xce pt Wi-Fi
conne ctions through Net wo rkManager. By de fault, all forward z one s adde d into unbound
are DNSSEC validate d.
The de fault be havior for validating forward z one s can be alte re d, s o that all forward z one s
will no t be DNSSEC validate d by de fault. To do this , change the
validate_connection_provided_zones variable in the dnssec-t rigger configuration file
/etc/dnssec.conf. As root us e r, ope n and e dit the line as follows :
validate_connection_provided_zones=no
The change is not done for any e xis ting forward z one s , but only for future forward z one s .
The re fore if you want to dis able DNSSEC for the curre nt provide d domain, you ne e d to
re conne ct.

4.6.11.1. Conf iguring DNSSEC Validat ion f or Wi-Fi Supplied Domains


Adding forward z one s for Wi-Fi provide d z one s can be e nable d. To do this , change the
add_wifi_provided_zones variable in the dnssec-t rigger configuration file ,
/etc/dnssec.conf. As root us e r, ope n and e dit the line as follows :
add_wifi_provided_zones=yes
The change is not done for any e xis ting forward z one s , but only for future forward z one s .
The re fore , if you want to e nable DNSSEC for the curre nt Wi-Fi provide d domain, you ne e d
to re conne ct (re s tart) the Wi-Fi conne ction.

110

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Warning
Turning o n the addition of Wi-Fi provide d domains as forward z one s into unbound
may have s e curity implications s uch as :
1. A Wi-Fi acce s s point can inte ntionally provide you a domain via DHCP for which
it doe s not have authority and route all your DNS que rie s to its DNS s e rve rs .
2. If you have the DNSSEC validation of forward z one s turne d o f f , the Wi-Fi
provide d DNS s e rve rs can s poof the IP addre s s for domain name s from the
provide d domain without you knowing it.

4.6.12. Addit ional Resources


The following are re s ource s which e xplain more about DNSSEC.

4.6.12.1. Inst alled Document at ion


dnssec-trigger(8) man page De s cribe s command options for dnssec-triggerd,
dnssec-t rigger-co nt ro l and dnssec-t rigger-panel.
dnssec-trigger.conf(8) man page De s cribe s the configuration options for
dnssec-triggerd.
unbound(8) man page De s cribe s the command options for unbound, the DNS
validating re s olve r.
unbound.conf(5) man page Contains information on how to configure unbound.
resolv.conf(5) man page Contains information that is re ad by the re s olve r
routine s .

4.6.12.2. Online Document at ion


ht t p://t o o ls.iet f .o rg/ht ml/rf c40 33
RFC 4033 DNS Se curity Introduction and Re quire me nts .
ht t p://www.dnssec.net /
A we bs ite with links to many DNSSEC re s ource s .
ht t p://www.dnssec-deplo yment .o rg/
The DNSSEC De ployme nt Initiative , s pons ore d by the De partme nt for Home land
Se curity, contains a lot of DNSSEC information and has a mailing lis t to dis cus s
DNSSEC de ployme nt is s ue s .
ht t p://www.int ernet so ciet y.o rg/deplo y360 /dnssec/co mmunit y/
The Inte rne t Socie ty's De ploy 360 initiative to s timulate and coordinate DNSSEC
de ployme nt is a good re s ource for finding communitie s and DNSSEC activitie s
worldwide .
ht t p://www.unbo und.net /

111

Se c ur it y Guide

This docume nt contains ge ne ral information about the unbound DNS s e rvice .
ht t p://www.nlnet labs.nl/pro ject s/dnssec-t rigger/
This docume nt contains ge ne ral information about dnssec-t rigger.

4.7. Securing Virt ual Privat e Net works (VPNs)


In Re d Hat Ente rpris e Linux 7, a Virtual Private Network (VPN) can be configure d us ing the
IPsec tunne ling protocol which is s upporte d by the Libreswan application. Libreswan is a
fork of the Openswan application and e xample s in docume ntation s hould be
inte rchange able . The Net wo rkManager IPsec plug-in is calle d NetworkManagerlibreswan. Us e rs of GNOME She ll s hould ins tall the NetworkManager-libreswan-gnome
package , which has NetworkManager-libreswan as a de pe nde ncy. Note that the
NetworkManager-libreswan-gnome package is only available from the Optional channe l. Se e
Enabling Supple me ntary and Optional Re pos itorie s .
Libreswan is an ope n s ource , us e r s pace IPsec imple me ntation available in Re d Hat
Ente rpris e Linux 7. It us e s the Internet key exchange (IKE) protocol. IKE ve rs ion 1 and 2
are imple me nte d as a us e r-le ve l dae mon. Manual ke y e s tablis hme nt is als o pos s ible via
ip xfrm commands , howe ve r this is not re comme nde d. Libreswan inte rface s with the
Linux ke rne l us ing ne tlink to trans fe r the e ncryption ke ys . Packe t e ncryption and
de cryption happe n in the Linux ke rne l.
Libreswan us e s the network security services (NSS) cryptographic library, which is
re quire d for Federal Information Processing Standard (FIPS) s e curity compliance .

Impo rtant
IPsec, imple me nte d by Libreswan, is the only VPN te chnology re comme nd for us e
in Re d Hat Ente rpris e Linux 7. Do not us e any othe r VPN te chnology without
unde rs tanding the ris ks of doing s o.

4.7.1. IPsec VPN Using Libreswan


To ins tall Libreswan, is s ue the following command as root:
~]# yum install libreswan
To che ck that Libreswan is ins talle d, is s ue the following command:
~]$ yum info libreswan
Afte r a ne w ins tallation of Libreswan the NSS databas e s hould be initializ e d as part of the
ins tall proce s s . Howe ve r, s hould you ne e d to s tart a ne w databas e , firs t re move the old
databas e as follows :
~]# rm /etc/ipsec.d/*db
The n, to initializ e a ne w NSS databas e , is s ue the following command as root:

112

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]# ipsec initnss


Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
If you do not want to us e a pas s word for NSS, jus t pre s s Enter twice whe n prompte d for
the pas s word. If you do e nte r a pas s word the n you will have to re -e nte r it e ve ry time
Libreswan is s tarte d, s uch as e ve ry time the s ys te m is boote d.
To s tart the ipsec dae mon provide d by Libreswan, is s ue the following command as root:
~]# systemctl start ipsec
To confirm that the dae mon is now running:
~]$ systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Wed 2013-08-21 12:14:12 CEST; 18s ago
To e ns ure that Libreswan will s tart whe n the s ys te m s tarts , is s ue the following command
as root:
~]# systemctl enable ipsec
Configure any inte rme diate as we ll as hos t-bas e d fire walls to pe rmit the ipsec s e rvice .
Se e Se ction 4.5, Us ing Fire walls for information on fire walls and allowing s pe cific
s e rvice s to pas s through. Libreswan re quire s the fire wall to allow the following packe ts :
UDP port 500 for the Internet Key Exchange (IKE) protocol
UDP port 4500 for IKE NAT-Traversal
Protocol 50 for Encapsulated Security Payload (ESP) IPsec packe ts
Protocol 51 for Authenticated Header (AH) IPsec packe ts (uncommon)
We pre s e nt thre e e xample s of us ing Libreswan to s e t up an IPsec VPN. The firs t
e xample is for conne cting two hos ts toge the r s o that the y may communicate s e cure ly.
The s e cond e xample is conne cting two s ite s toge the r to form one ne twork. The third
e xample is s upporting roaming us e rs , known as road warriors in this conte xt.

4.7.2. VPN Conf igurat ions Using Libreswan


Libreswan doe s not us e the te rms s ource or de s tination. Ins te ad, it us e s the te rms
le ft and right to re fe r to e nd points (the hos ts ). This allows the s ame configuration to
be us e d on both e nd points in mos t cas e s , although mos t adminis trators us e le ft for the
local hos t and right for the re mote hos t.
The re are thre e commonly us e d me thods for authe ntication of e ndpoints :
Pre-Shared Keys (PSK) is the s imple s t authe ntication me thod. PSK's s hould cons is t of
random characte rs and have a le ngth of at le as t 20 characte rs . Due to the dange rs of
non-random and s hort PSKs , this me thod is not available whe n the s ys te m is running in
FIPS mode .

113

Se c ur it y Guide

Raw RSA ke ys are commonly us e d for s tatic hos t-to-hos t or s ubne t-to-s ubne t IPsec
configurations . The hos ts are manually configure d with e ach othe r's public RSA ke y.
This me thod doe s not s cale we ll whe n doz e ns or more hos ts all ne e d to s e tup IPsec
tunne ls to e ach othe r.
X.509 ce rtificate s are commonly us e d for large s cale de ployme nts whe re the re are
many hos ts that ne e d to conne ct to a common IPsec gate way. A ce ntral certificate
authority (CA) is us e d to s ign RSA ce rtificate s for hos ts or us e rs . This ce ntral CA is
re s pons ible for re laying trus t, including the re vocations of individual hos ts or us e rs .

4.7.3. Host -T o-Host VPN Using Libreswan


To configure Libreswan to cre ate a hos t-to-hos t IPsec VPN, be twe e n two hos ts re fe rre d
to as le ft and right, e nte r the following commands as root on both of the hos ts (le ft
and right) to cre ate ne w raw RSA ke y pairs :
~]# ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/www.example.com.secrets
Generated RSA key pair using the NSS database
This ge ne rate s an RSA ke y pair for the hos t. The proce s s of ge ne rating RSA ke ys can take
many minute s , e s pe cially on virtual machine s with low e ntropy.
To vie w the public ke y, is s ue the following command as root on e ithe r of the hos ts . For
e xample , to vie w the public ke y on the le ft hos t, run:
~]# ipsec showhostkey --left
ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
ipsec showhostkey loading secrets from
"/etc/ipsec.d/www.example.com.secrets"
ipsec showhostkey loaded private key for keyid: PPK_RSA:AQOjAKLlL
# rsakey AQOjAKLlL
leftrsasigkey=0sAQOjAKLlL4a7YBv [...]
You will ne e d this ke y to add to the configuration file as e xplaine d be low.
The s e cre t part is s tore d in /etc/ipsec.d/*.db file s , als o calle d the NSS databas e .
To make a configuration file for this hos t-to-hos t tunne l, the line s leftrsasigkey= and
rightrsasigkey= from above , are adde d to a cus tom configuration file place d in the
/etc/ipsec.d/ dire ctory. To e nable Libreswan to re ad the cus tom configurations file s ,
us e an e ditor running as root to e dit the main configuration file , /etc/ipsec.conf, and
e nable the following line by re moving the # comme nt characte r s o that it looks as follows :
include /etc/ipsec.d/*.conf
Us ing an e ditor running as root, cre ate a file with a s uitable name in the following format:
/etc/ipsec.d/my_host-to-host.conf
Edit the file as follows :
conn mytunnel
leftid=@west.example.com
left=192.1.2.23

114

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
W2n417C/4urYHQkCvuIQ==
rightid=@east.example.com
right=192.1.2.45
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
# load and initiate automatically
auto=start
You can us e the ide ntical configuration file on both le ft and right hos ts . The y will autode te ct if the y are le ft or right. If one of the hos ts is a mobile hos t, which implie s the IP
addre s s is not known in advance , the n on the mobile hos t us e %defaultroute as its IP
addre s s . This will pick up the dynamic IP addre s s automatically. On the s tatic hos t that
acce pts conne ctions from incoming mobile hos ts , s pe cify the mobile hos t us ing %any for
its IP addre s s .
Ens ure the leftrsasigkey value is obtaine d from the le ft hos t and the rightrsasigkey
value is obtaine d from the right hos t.
Re s tart ipsec to e ns ure it re ads the ne w configuration:
~]# systemctl restart ipsec
Is s ue the following command as root to load the IPsec tunne l:
~]# ipsec auto --add mytunnel
To bring up the tunne l, is s ue the following command as root, on the le ft or the right s ide :
~]# ipsec auto --up mytunnel

4.7.3.1. Verif y Host -T o-Host VPN Using Libreswan


The IKE ne gotiation take s place on UDP port 500. IPsec packe ts s how up as
Encapsulated Security Payload (ESP) packe ts . Whe n the VPN conne ction ne e ds to pas s
through a NAT route r, the ESP packe ts are e ncaps ulate d in UDP packe ts on port 4500.
To ve rify that packe ts are be ing s e nt via the VPN tunne l, is s ue a command as root in the
following format:
~]# tcpdump -n -i interface esp or udp port 500 or udp port 4500
00:32:32.632165 IP 192.1.2.45 > 192.1.2.23:
ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45:
ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489,
seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23:
ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45:
ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489,
seq 8, length 64
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23:
ESP(spi=0x63ad7e17,seq=0x1c), length 132

115

Se c ur it y Guide

00:32:34.632607 IP 192.1.2.23 > 192.1.2.45:


ESP(spi=0x4841b647,seq=0x1c), length 132
00:32:34.632607 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489,
seq 9, length 64
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23:
ESP(spi=0x63ad7e17,seq=0x1d), length 132
00:32:35.632685 IP 192.1.2.23 > 192.1.2.45:
ESP(spi=0x4841b647,seq=0x1d), length 132
00:32:35.632685 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489,
seq 10, length 64
Whe re interface is the inte rface known to carry the traffic. To e nd the capture with
t cpdump, pre s s Ctrl+C.

No te
The t cpdump commands inte racts a little une xpe cte dly with IPsec. It only s e e s the
outgoing e ncrypte d packe t, not the outgoing plainte xt packe t. It doe s s e e the
e ncrypte d incoming packe t, as we ll as the de crypte d incoming packe t. If pos s ible ,
run t cpdump on a route r be twe e n the two machine s and not on one of the
e ndpoints its e lf.

4.7.4. Sit e-t o-Sit e VPN Using Libreswan


In orde r for Libreswan to cre ate a s ite -to-s ite IPsec VPN, joining toge the r two ne tworks ,
an IPsec tunne l is cre ate d be twe e n two hos ts , e ndpoints , which are configure d to pe rmit
traffic from one or more s ubne ts to pas s through. The y can the re fore be thought of as
gate ways to the re mote portion of the ne twork. The configuration of the s ite -to-s ite VPN
only diffe rs from the hos t-to-hos t VPN in that one or more ne tworks or s ubne ts mus t be
s pe cifie d in the configuration file .
To configure Libreswan to cre ate a s ite -to-s ite IPsec VPN, firs t configure a hos t-to-hos t
IPsec VPN as de s cribe d in Se ction 4.7.3, Hos t-To-Hos t VPN Us ing Libre s wan and the n
copy or move the file to a file with a s uitable name , s uch as /etc/ipsec.d/my_site-tosite.conf. Us ing an e ditor running as root, e dit the cus tom configuration file
/etc/ipsec.d/my_site-to-site.conf as follows :
conn mysubnet
also=mytunnel
leftsubnet=192.0.1.0/24
rightsubnet=192.0.2.0/24
conn mysubnet6
also=mytunnel
connaddrfamily=ipv6
leftsubnet=2001:db8:0:1::/64
rightsubnet=2001:db8:0:2::/64
conn mytunnel
auto=start
leftid=@west.example.com
left=192.1.2.23
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]

116

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

W2n417C/4urYHQkCvuIQ==
rightid=@east.example.com
right=192.1.2.45
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
To bring the tunne ls up, re s tart Libreswan or manually load and initiate all the
conne ctions us ing the following commands as root:
~]# ipsec auto --add mysubnet
~]# ipsec auto --add mysubnet6
~]# ipsec auto --add mytunnel
~]# ipsec auto --up mysubnet
104 "mysubnet" #1: STATE_MAIN_I1: initiate
003 "mysubnet" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mysubnet" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mysubnet" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mysubnet" #1: received Vendor ID payload [CAN-IKEv2]
004 "mysubnet" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x9414a615 <0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
~]# ipsec auto --up mysubnet6
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x06fe2099 <0x75eaa862 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
~]# ipsec auto --up mytunnel
104 "mytunnel" #1: STATE_MAIN_I1: initiate
003 "mytunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #1: received Vendor ID payload [CAN-IKEv2]
004 "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mytunnel" #2: STATE_QUICK_I1: initiate
004 "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x9414a615 >0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}

4.7.4.1. Verif y Sit e-t o-Sit e VPN Using Libreswan

117

Se c ur it y Guide

Ve rifying that packe ts are be ing s e nt via the VPN tunne l is the s ame proce dure as
e xplaine d in Se ction 4.7.3.1, Ve rify Hos t-To-Hos t VPN Us ing Libre s wan.

4.7.5. Sit e-t o-Sit e Single T unnel VPN Using Libreswan


Ofte n, whe n a s ite -to-s ite tunne l is built, the gate ways ne e d to communicate with e ach
othe r us ing the ir inte rnal IP addre s s e s ins te ad of the ir public IP addre s s e s . This can be
accomplis he d us ing a s ingle tunne l. If the le ft hos t, with hos t name west, has inte rnal IP
addre s s 192.0.1.254 and the right hos t, with hos t name east, has inte rnal IP addre s s
192.0.2.254, the following configuration us ing a s ingle tunne l can be us e d:
conn mysubnet
leftid=@west.example.com
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
W2n417C/4urYHQkCvuIQ==
left=192.1.2.23
leftsourceip=192.0.1.254
leftsubnet=192.0.1.0/24
rightid=@east.example.com
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
right=192.1.2.45
rightsourceip=192.0.2.254
rightsubnet=192.0.2.0/24
auto=start
authby=rsasig

4.7.6. Subnet Ext rusion Using Libreswan


IPsec is ofte n de ploye d in a hub-and-s poke archite cture . Each le af node has an IP range
that is part of a large r range . Le ave s communicate with e ach othe r via the hub. This is
calle d subnet extrusion. In the e xample be low, we configure the he ad office with
10.0.0.0/8 and two branche s that us e a s malle r /24 s ubne t.
At the he ad office :
conn branch1
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
right=5.6.7.8
rightid=@branch1
righsubnet=10.0.1.0/24
rightrsasigkey=0sAXXXX[...]
#
auto=start
authby=rsasigkey
conn branch2
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#

118

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

right=10.11.12.13
rightid=@branch2
righsubnet=10.0.2.0/24
rightrsasigkey=0sAYYYY[...]
#
auto=start
authby=rsasigkey
At the branch1 office , we us e the s ame conne ction. Additionally, we us e a pas s -through
conne ction to e xclude our local LAN traffic from be ing s e nt through the tunne l:
conn branch1
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
right=10.11.12.13
rightid=@branch2
righsubnet=10.0.1.0/24
rightrsasigkey=0sAYYYY[...]
#
auto=start
authby=rsasigkey
conn passthrough
left=1.2.3.4
right=0.0.0.0
leftsubnet=10.0.1.0/24
rightsubnet=10.0.1.0/24
authby=never
type=passthrough
auto=route

4.7.7. Road Warrior Applicat ion Using Libreswan


Road Warriors are trave ling us e rs with mobile clie nts with a dynamically as s igne d IP
addre s s , s uch as laptops . The s e are authe nticate d us ing ce rtificate s .
On the s e rve r:
conn roadwarriors
left=1.2.3.4
# if access to the LAN is given, enable this
#leftsubnet=10.10.0.0/16
leftcert=gw.example.com
leftid=%fromcert
right=%any
# trust our own Certificate Agency
rightca=%same
# allow clients to be behind a NAT router
rightsubnet=vhost:%priv,%no
authby=rsasigkey
# load connection, don't initiate
auto=add

119

Se c ur it y Guide

# kill vanished roadwarriors


dpddelay=30
dpdtimeout=120
dpdaction=%clear
On the mobile clie nt, the Road Warrior's de vice , we ne e d to us e a s light variation of the
above configuration:
conn roadwarriors
# pick up our dynamic IP
left=%defaultroute
leftcert=myname.example.com
leftid=%fromcert
# right can also be a DNS hostname
right=1.2.3.4
# if access to the remote LAN is required, enable this
#rightsubnet=10.10.0.0/16
# trust our own Certificate Agency
rightca=%same
authby=rsasigkey
# Initiate connection
auto=start

4.7.8. Road Warrior Applicat ion Using Libreswan and XAUT H wit h X.509
Libreswan offe rs a me thod to native ly as s ign IP addre s s and DNS information to roaming
VPN clie nts as the conne ction is e s tablis he d by us ing the XAUTH IPsec e xte ns ion. XAUTH
can be de ploye d us ing PSK or X.509 ce rtificate s . De ploying us ing X.509 is more s e cure .
Clie nt ce rtificate s can be re voke d by a ce rtificate re vocation lis t or by Online Certificate
Status Protocol (OCSP). With X.509 ce rtificate s , individual clie nts cannot impe rs onate the
s e rve r. With a PSK, als o calle d Group Pas s word, this is the ore tically pos s ible .
XAUTH re quire s the VPN clie nt to additionally ide ntify its e lf with a us e r name and
pas s word. For One time Pas s words (OTP), s uch as Google Authe nticator or RSA Se cure ID
toke ns , the one -time toke n is appe nde d to the us e r pas s word.
The re are thre e pos s ible backe nds for XAUTH:
xauthby=pam
This us e s the configuration in /etc/pam.d/pluto to authe nticate the us e r. Pam
can be configure d to us e various backe nds by its e lf. It can us e the s ys te m
account us e r-pas s word s che me , an LDAP dire ctory, a RADIUS s e rve r or a cus tom
pas s word authe ntication module .
xauthby=file
This us e s the configuration file /etc/ipsec.d/passwd (not to be confus e d with
/etc/ipsec.d/nsspassword). The format of this file is s imilar to the Apache
.htpasswd file and the Apache htpasswd command can be us e d to cre ate
e ntrie s in this file . Howe ve r, afte r the us e r name and pas s word, a third column is
re quire d with the conne ction name of the IPsec conne ction us e d, for e xample
whe n us ing a conn remoteusers to offe r VPN to re move us e rs , a pas s word file
e ntry s hould look as follows :
user1:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.:remoteusers

120

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

NOTE: whe n us ing the htpasswd command, the conne ction name has to be
manually adde d afte r the user:password part on e ach line .
xauthby=alwaysok
The s e rve r will always pre te nd the XAUTH us e r and pas s word combination was
corre ct. The clie nt s till has to s pe cify a us e r name and a pas s word, although the
s e rve r ignore s the s e . This s hould only be us e d whe n us e rs are alre ady
ide ntifie d by X.509 ce rtificate s , or whe n te s ting the VPN without ne e ding an
XAUTH backe nd.
An e xample configuration with X.509 ce rtificate s :
conn xauth-rsa
auto=add
authby=rsasig
pfs=no
rekey=no
left=ServerIP
leftcert=vpn.example.com
#leftid=%fromcert
leftid=vpn.example.com
leftsendcert=always
leftsubnet=0.0.0.0/0
rightaddresspool=10.234.123.2-10.234.123.254
right=%any
rightrsasigkey=%cert
modecfgdns1=1.2.3.4
modecfgdns2=8.8.8.8
modecfgdomain=example.com
modecfgbanner="Authorized Access is allowed"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=pam
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike_frag=yes
# for walled-garden on xauth failure
# xauthfail=soft
#leftupdown=/custom/_updown
Whe n xauthfail is s e t to s oft, ins te ad of hard, authe ntication failure s are ignore d, and
the VPN is s e tup as if the us e r authe nticate d prope rly. A cus tom updown s cript can be
us e d to che ck for the e nvironme nt variable XAUTH_FAILED. Such us e rs can the n be
re dire cte d, for e xample , us ing ipt ables DNAT, to a walle d garde n whe re the y can
contact the adminis trator or re ne w a paid s ubs cription to the s e rvice .
VPN clie nts us e the modecfgdomain value and the DNS e ntrie s to re dire ct que rie s for the
s pe cifie d domain to the s e s pe cifie d name s e rve rs . This allows roaming us e rs to acce s s
inte rnal-only re s ource s us ing the inte rnal DNS name s .

121

Se c ur it y Guide

If leftsubnet is not 0.0.0.0/0, s plit tunne ling configuration re que s ts are s e nt


automatically to the clie nt. For e xample , whe n us ing leftsubnet=10.0.0.0/8, the VPN
clie nt would only s e nd traffic for 10.0.0.0/8 through the VPN.

4.7.9. Addit ional Resources


The following s ource s of information provide additional re s ource s re garding Libreswan
and the ipsec dae mon.

4.7.9.1. Inst alled Document at ion


ipsec(8) man page De s cribe s command options for ipsec.
ipsec.conf(5) man page Contains information on configuring ipsec.
ipsec.secrets(5) man page De s cribe s the format of the ipsec.secrets file .
ipsec_auto(8) man page De s cribe s the us e of the aut o command line clie nt for
manipulating Libreswan IPsec conne ctions e s tablis he d us ing automatic e xchange s of
ke ys .
ipsec_rsasigkey(8) man page De s cribe s the tool us e d to ge ne rate RSA s ignature
ke ys .
/usr/share/doc/libreswan-version/README.nss De s cribe s the commands for
us ing raw RSA ke ys and ce rtificate s with the NSS crypto library us e d with the
Libreswan pluto dae mon.

4.7.9.2. Online Document at ion


ht t ps://libreswan.o rg
The we bs ite of the ups tre am proje ct.
ht t p://www.mo zilla.o rg/pro ject s/securit y/pki/nss/
Ne twork Se curity Se rvice s (NSS) proje ct.

4.8. Using OpenSSL


OpenSSL is a library that provide s cryptographic protocols to applications . The o penssl
command line utility e nable s us ing the cryptographic functions from the s he ll. It include s
an inte ractive mode .
The o penssl command line utility has a numbe r of ps e udo-commands to provide
information on the commands that the ve rs ion of o penssl ins talle d on the s ys te m
s upports . The ps e udo-commands list-standard-commands, list-message-digestcommands, and list-cipher-commands output a lis t of all s tandard commands , me s s age
dige s t commands , or ciphe r commands , re s pe ctive ly, that are available in the pre s e nt
o penssl utility.
The ps e udo-commands list-cipher-algorithms and list-message-digestalgorithms lis t all ciphe r and me s s age dige s t name s . The ps e udo-command listpublic-key-algorithms lis ts all s upporte d public ke y algorithms . For e xample , to lis t the
s upporte d public ke y algorithms , is s ue the following command:

122

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]$ openssl list-public-key-algorithms


The ps e udo-command no-command-name te s ts whe the r a command-name of the s pe cifie d
name is available . Inte nde d for us e in s he ll s cripts . Se e man ope ns s l(1) for more
information.

4.8.1. Creat ing and Managing Encrypt ion Keys


With OpenSSL, public ke ys are de rive d from the corre s ponding private ke y. The re fore the
firs t s te p, once having de cide d on the algorithm, is to ge ne rate the private ke y. In the s e
e xample s the private ke y is re fe rre d to as privkey.pem. For e xample , to cre ate an RSA
private ke y us ing de fault parame te rs , is s ue the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem
The RSA algorithm s upports the following options :
rsa_keygen_bits:numbits The numbe r of bits in the ge ne rate d ke y. If not s pe cifie d
1024 is us e d.
rsa_keygen_pubexp:value The RSA public e xpone nt value . This can be a large
de cimal value , or a he xade cimal value if pre ce de d by 0x. The de fault value is 65537.
For e xample , to cre ate a 2048 bit RSA private ke y us ing 3 as the public e xpone nt, is s ue
the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem -pkeyopt
rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:3
To e ncrypt the private ke y as it is output us ing 128 bit AES and the pas s phras e he llo,
is s ue the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem -aes-128-cbc -pass
pass:hello
Se e man ge npke y(1) for more information on ge ne rating private ke ys .

4.8.2. Generat ing Cert if icat es


To ge ne rate a ce rtificate us ing OpenSSL, it is ne ce s s ary to have a private ke y available .
In the s e e xample s the private ke y is re fe rre d to as privkey.pem. If you have not ye t
ge ne rate d a private ke y, s e e Se ction 4.8.1, Cre ating and Managing Encryption Ke ys
To have a ce rtificate s igne d by a certificate authority (CA), it is ne ce s s ary to ge ne rate a
ce rtificate and the n s e nd it to a CA for s igning. This is re fe rre d to as a ce rtificate s igning
re que s t. Se e Se ction 4.8.2.1, Cre ating a Ce rtificate Signing Re que s t for more information.
The alte rnative is to cre ate a s e lf-s igne d ce rtificate . Se e Se ction 4.8.2.2, Cre ating a Se lfs igne d Ce rtificate for more information.

4.8.2.1. Creat ing a Cert if icat e Signing Request


To cre ate a ce rtificate for s ubmis s ion to a CA, is s ue a command in the following format:
~]$ openssl req -new -key privkey.pem -out cert.csr

123

Se c ur it y Guide

This will cre ate an X.509 ce rtificate calle d cert.csr e ncode d in the de fault privacyenhanced electronic mail (PEM) format. The name PEM is de rive d from Privacy
Enhance me nt for Inte rne t Ele ctronic Mail de s cribe d in RFC 1424. To ge ne rate a ce rtificate
file in the alte rnative DER format, us e the -outform DER command option.
Afte r is s uing the above command, you will be prompte d for information about you and the
organiz ation in orde r to cre ate a distinguished name (DN) for the ce rtificate . You will ne e d
the following information:
The two le tte r country code for your country
The full name of your s tate or province
City or Town
The name of your organiz ation
The name of the unit within your organiz ation
Your name or the hos t name of the s ys te m
Your e mail addre s s
The re q(1) man page de s cribe s the PKCS# 10 ce rtificate re que s t and ge ne rating utility.
De fault s e ttings us e d in the ce rtificate cre ating proce s s are containe d within the
/etc/pki/tls/openssl.cnf file . Se e man openssl.cnf(5) for more information.

4.8.2.2. Creat ing a Self -signed Cert if icat e


To ge ne rate a s e lf-s igne d ce rtificate , valid for 366 days , is s ue a command in the following
format:
~]$ openssl req -new -x509 -key privkey.pem -out selfcert.pem -days 366

4.8.2.3. Creat ing a Cert if icat e Using a Makef ile


The /etc/pki/tls/certs dire ctory contains a Makefile which can be us e d to cre ate
ce rtificate s us ing the make command. To vie w the us age ins tructions , is s ue a command as
follows :
~]$ make -f /etc/pki/tls/certs/Makefile
Alte rnative ly, change to the dire ctory and is s ue the make command as follows :
~]$ cd /etc/pki/tls/certs/
~]$ make
Se e the make (1) man page for more information.

4.8.3. Verif ying Cert if icat es


A ce rtificate s igne d by a CA is re fe rre d to as a trus te d ce rtificate . A s e lf-s igne d ce rtificate
is the re fore an untrus te d ce rtificate . The ve rify utility us e s the s ame SSL and S/MIME
functions to ve rify a ce rtificate as is us e d by OpenSSL in normal ope ration. If an e rror is
found it is re porte d and the n an atte mpt is made to continue te s ting in orde r to re port any

124

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

othe r e rrors .
To ve rify multiple individual X.509 ce rtificate s in PEM format, is s ue a command in the
following format:
~]$ openssl verify cert1.pem cert2.pem
To ve rify a ce rtificate chain the le af ce rtificate mus t be in cert.pem and the inte rme diate
ce rtificate s which you do not trus t mus t be dire ctly concate nate d in untrusted.pem. The
trus te d root CA ce rtificate mus t be e ithe r among the de fault CA lis te d in
/etc/pki/tls/certs/ca-bundle.crt or in a cacert.pem file . The n, to ve rify the chain,
is s ue a command in the following format:
~]$ openssl verify -untrusted untrusted.pem -CAfile cacert.pem cert.pem
Se e man ve rify(1) for more information.

Impo rtant
Ve rification of s ignature s us ing the MD5 has h algorithm is dis able d in Re d Hat
Ente rpris e Linux 7 due to ins ufficie nt s tre ngth of this algorithm. Always us e s trong
algorithms s uch as SHA256.

4.8.4. Encrypt ing and Decrypt ing a File


For e ncrypting (and de crypting) file s with OpenSSL, e ithe r the pkeyutl or enc built-in
commands can be us e d. With pkeyutl, RSA ke ys are us e d to pe rform the e ncrypting and
de crypting, whe re as with enc, s ymme tric algorithms are us e d.

Using RSA Keys


To e ncrypt a file calle d plaintext, is s ue a command as follows :
~]$ openssl pkeyutl -in plaintext -out cyphertext -inkey privkey.pem
The de fault format for ke ys and ce rtificate s is PEM. If re quire d, us e the -keyform DER
option to s pe cify the DER ke y format.
To s pe cify a cryptographic e ngine , us e the -engine option as follows :
~]$ openssl pkeyutl -in plaintext -out cyphertext -inkey privkey.pem engine id
Whe re id is the ID of the cryptographic e ngine . To che ck the availability of an e ngine ,
is s ue the following command:
~]$ openssl engine -t
To s ign a data file calle d plaintext, is s ue a command as follows :
~]$ openssl pkeyutl -sign -in plaintext -out sigtext -inkey privkey.pem

125

Se c ur it y Guide

To ve rify a s igne d data file and to e xtract the data, is s ue a command as follows :
~]$ openssl pkeyutl -verifyrecover -in sig -inkey key.pem
To ve rify the s ignature , for e xample us ing a DSA ke y, is s ue a command as follows :
~]$ openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem
The pke yutl(1) manual page de s cribe s the public ke y algorithm utility.

Using Symmet ric Algorit hms


To lis t available s ymme tric e ncryption algorithms , e xe cute the enc command with an
uns upporte d option, s uch as -l:
~]$ openssl enc -l
To s pe cify an algorithm, us e its name as an option. For e xample , to us e the aes-128-cbc
algorithm, us e the following s yntax:
openssl enc -aes-128-cbc
To e ncrypt a file calle d plaintext us ing the aes-128-cbc algorithm, run the following
command:
~]$ openssl enc -aes-128-cbc -in plaintext -out plaintext.aes-128-cbc
To de crypt the file obtaine d in the pre vious e xample , us e the -d option as in the following
e xample :
~]$ openssl enc -aes-128-cbc -d -in plaintext.aes-128-cbc -out
plaintext

Impo rtant
The enc command doe s not prope rly s upport AEAD ciphe rs , and the ecb mode is not
cons ide re d s e cure . For be s t re s ults , do not us e othe r mode s than cbc, cfb, ofb, or
ctr.

4.8.5. Generat ing Message Digest s


The dgst command produce s the me s s age dige s t of a s upplie d file or file s in
he xade cimal form. The command can als o be us e d for digital s igning and ve rification. The
me s s age dige s t command take s the following form:
openssl dgst algorithm -out filename -sign private-key

126

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Whe re algorithm is one of md5|md4|md2|sha1|sha|mdc2|ripemd160|dss1. At time of


writing, the SHA1 algorithm is pre fe rre d. If you ne e d to s ign or ve rify us ing DSA, the n the
dss1 option mus t be us e d toge the r with a file containing random data s pe cifie d by the rand option.
To produce a me s s age dige s t in the de fault He x format us ing the s ha1 algorithm, is s ue
the following command:
~]$ openssl dgst sha1 -out digest-file
To digitally s ign the dige s t, us ing a private ke y privekey.pem, is s ue the following
command:
~]$ openssl dgst sha1 -out digest-file -sign privkey.pem
Se e man dgs t(1) for more information.

4.8.6. Generat ing Password Hashes


The passwd command compute s the has h of a pas s word. To compute the has h of a
pas s word on the command line , is s ue a command as follows :
~]$ openssl passwd password
The -crypt algorithm is us e d by de fault.
To compute the has h of a pas s word from s tandard input, us ing the MD5 bas e d BSD
algorithm 1, is s ue a command as follows :
~]$ openssl passwd -1 password
The -apr1 option s pe cifie s the Apache variant of the BSD algorithm.
To compute the has h of a pas s word s tore d in a file , and us ing a s alt xx, is s ue a command
as follows :
~]$ openssl passwd -salt xx -in password-file
The pas s word is s e nt to s tandard output and the re is no -out option to s pe cify an output
file . The -table will ge ne rate a table of pas s word has he s with the ir corre s ponding cle ar
te xt pas s word.
Se e man s s lpas s wd(1) for more information and e xample s .

4.8.7. Generat ing Random Dat a


To ge ne rate a file containing random data, us ing a s e e d file , is s ue the following command:
~]$ openssl rand -out rand-file -rand seed-file
Multiple file s for s e e ding the random data proce s s can be s pe cifie d us ing the colon, :, as
a lis t s e parator.
Se e man rand(1) for more information.

127

Se c ur it y Guide

4.8.8. Benchmarking Your Syst em


To te s t the computational s pe e d of a s ys te m for a give n algorithm, is s ue a command in
the following format:
~]$ openssl speed algorithm
whe re algorithm is one of the s upporte d algorithms you inte nde d to us e . To lis t the
available algorithms , type openssl speed and the n pre s s tab.

4.8.9. Conf iguring OpenSSL


Ope nSSL has a configuration file /etc/pki/tls/openssl.cnf, re fe rre d to as the mas te r
configuration file , which is re ad by the Ope nSSL library. It is als o pos s ible to have
individual configuration file s for e ach application. The configuration file contains a numbe r
of s e ctions with s e ction name s as follows : [ section_name ]. Note the firs t part of the
file , up until the firs t [ section_name ], is re fe rre d to as the de fault s e ction. Whe n
Ope nSSL is s e arching for name s in the configuration file the name d s e ctions are
s e arche d firs t. All Ope nSSL commands us e the mas te r Ope nSSL configuration file unle s s
an option is us e d in the command to s pe cify an alte rnative configuration file . The
configuration file is e xplaine d in de tail in the config(5) man page .
Two RFCs e xplain the conte nts of a ce rtificate file . The y are :
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
Profile
Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile

4.9. Using st unnel


The st unnel program is an e ncryption wrappe r be twe e n a clie nt and a s e rve r. It lis te ns
on the port s pe cifie d in its configuration file , e ncrypts the communitation with the clie nt,
and forwards the data to the original dae mon lis te ning on its us ual port. This way, you can
s e cure any s e rvice that its e lf doe s not s upport any type of e ncryption, or improve the
s e curity of a s e rvice that us e s a type of e ncryption that you want to avoid for s e curity
re as ons , s uch as SSL ve rs ions 2 and 3, affe cte d by the POODLE SSL vulne rability (CVE2014-3566). Se e https ://acce s s .re dhat.com/s olutions /1234773 for de tails . CUPS is an
e xample of a compone nt that doe s not provide a way to dis able SSL in its own
configuration.

4.9.1. Inst alling st unnel


Ins tall the stunnel package by running the following command as root:
~]# yum install stunnel

4.9.2. Conf iguring st unnel as a T LS Wrapper


To configure st unnel, follow the s e s te ps :

128

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

1. You ne e d a valid ce rtificate for st unnel re gardle s s of what s e rvice you us e it with.
If you do not have a s uitable ce rtificate , you can apply to a Certificate Authority to
obtain one , or you can cre ate a s e lf-s igne d ce rtificate .

Warning
Always us e ce rtificate s s igne d by a Ce rtificate Authority for s e rve rs running
in a production e nvironme nt. Se lf-s igne d ce rtificate s are only appropriate for
te s ting purpos e s or private ne tworks .
Se e Se ction 4.8.2.1, Cre ating a Ce rtificate Signing Re que s t for more information
about ce rtificate s grante d by a Ce rtificate Authority. On the othe r hand, to cre ate a
s e lf-s igne d ce rtificate for st unnel, e nte r the /etc/pki/tls/certs/ dire ctory and
type the following command as root:
certs]# make stunnel.pem
Ans we r all of the que s tions to comple te the proce s s .
2. Whe n you have a ce rtificate , cre ate a configuration file for st unnel. It is a te xt file
in which e ve ry line s pe cifie s an option or the be ginning of a s e rvice de finition. You
can als o ke e p comme nts and e mpty line s in the file to improve its le gibility, whe re
comme nts s tart with a s e micolon.
The stunnel RPM package contains the /etc/stunnel/ dire ctory, in which you can
s tore the configuration file . Although st unnel doe s not re quire any s pe cial format
of the file name or its e xte ns ion, us e /etc/stunnel/stunnel.conf. The following
conte nt configure s st unnel as a TLS wrappe r:
cert = /etc/pki/tls/certs/stunnel.pem
; Allow only TLS, thus avoiding SSL
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[service_name]
accept = port
connect = port
TIMEOUTclose = 0
Alte rnative ly, you can avoid SSL by re placing the line containing sslVersion =
TLSv1 with the following line s :
options = NO_SSLv2
options = NO_SSLv3
The purpos e of the options is as follows :
cert the path to your ce rtificate

129

Se c ur it y Guide

sslVersion the ve rs ion of SSL; note that you can us e TLS he re e ve n though
SSL and TLS are two inde pe nde nt cryptographic protocols
chroot the change d root dire ctory in which the s tunne l proce s s runs , for
gre ate r s e curity
setuid, setgid the us e r and group that the st unnel proce s s runs as ; nobody
is a re s tricte d s ys te m account
pid the file in which st unnel s ave s its proce s s ID, re lative to chroot
socket local and re mote s ocke t options ; in this cas e , dis able Nagle's algorithm
to improve ne twork late ncy
[service_name] the be ginning of the s e rvice de finition; the options us e d
be low this line apply to the give n s e rvice only, whe re as the options above affe ct
st unnel globally
accept the port to lis te n on
connect the port to conne ct to; this mus t be the port that the s e rvice you are
s e curing us e s
TIMEOUTclose how many s e conds to wait for the close_notify ale rt from the
clie nt; 0 ins tructs st unnel not to wait at all
options Ope nSSL library options

Example 4.10 . Securing CUPS


To configure s tunne l as a TLS wrappe r for CUPS, us e the following value s :
[cups]
accept = 632
connect = 631
Ins te ad of 632, you can us e any fre e port that you pre fe r. 631 is the port that
CUPS normally us e s .
3. Cre ate the chroot dire ctory and give the us e r s pe cifie d by the setuid option write
acce s s to it. To do s o, run the following commands as root:
~]# mkdir /var/run/stunnel
~]# chown nobody:nobody /var/run/stunnel
This allows st unnel to cre ate the PID file .
4. If your s ys te m is us ing fire wall s e ttings that dis allow acce s s to the ne w port,
change the m accordingly. Se e Se ction 4.5.3.1.6, Ope n Ports in the Fire wall for
de tails .
5. Whe n you have cre ate d the configuration file and the chroot dire ctory, and whe n
you are s ure that the s pe cifie d port is acce s s ible , you are re ady to s tart us ing
st unnel.

4.9.3. St art ing, St opping, and Rest art ing st unnel

130

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

To s tart st unnel, run the following command as root:


~]# stunnel /etc/stunnel/stunnel.conf
By de fault, st unnel us e s /var/log/secure to log its output.
To te rminate st unnel, kill the proce s s by running the following command as root:
~]# kill `cat /var/run/stunnel/stunnel.pid`
If you e dit the configuration file while st unnel is running, te rminate st unnel and s tart it
again for your change s to take e ffe ct.

4.10. Encrypt ion


4.10.1. Using LUKS Disk Encrypt ion
Linux Unifie d Ke y Se tup-on-dis k-format (or LUKS) allows you to e ncrypt partitions on your
Linux compute r. This is particularly important whe n it come s to mobile compute rs and
re movable me dia. LUKS allows multiple us e r ke ys to de crypt a mas te r ke y, which is us e d
for the bulk e ncryption of the partition.

Overview of LUKS
What LUKS do es
LUKS e ncrypts e ntire block de vice s and is the re fore we ll-s uite d for prote cting
the conte nts of mobile de vice s s uch as re movable s torage me dia or laptop
dis k drive s .
The unde rlying conte nts of the e ncrypte d block de vice are arbitrary. This
make s it us e ful for e ncrypting swap de vice s . This can als o be us e ful with
ce rtain databas e s that us e s pe cially formatte d block de vice s for data s torage .
LUKS us e s the e xis ting de vice mappe r ke rne l s ubs ys te m.
LUKS provide s pas s phras e s tre ngthe ning which prote cts agains t dictionary
attacks .
LUKS de vice s contain multiple ke y s lots , allowing us e rs to add backup ke ys or
pas s phras e s .
What LUKS do es not do :
LUKS is not we ll-s uite d for applications re quiring many (more than e ight) us e rs
to have dis tinct acce s s ke ys to the s ame de vice .
LUKS is not we ll-s uite d for applications re quiring file -le ve l e ncryption.

4.10.1.1. LUKS Implement at ion in Red Hat Ent erprise Linux


Re d Hat Ente rpris e Linux 7 utiliz e s LUKS to pe rform file s ys te m e ncryption. By de fault, the
option to e ncrypt the file s ys te m is unche cke d during the ins tallation. If you s e le ct the
option to e ncrypt your hard drive , you will be prompte d for a pas s phras e that will be as ke d
e ve ry time you boot the compute r. This pas s phras e "unlocks " the bulk e ncryption ke y that

131

Se c ur it y Guide

is us e d to de crypt your partition. If you choos e to modify the de fault partition table you can
choos e which partitions you want to e ncrypt. This is s e t in the partition table s e ttings .
The de fault ciphe r us e d for LUKS (s e e cryptsetup --help) is ae s -cbc-e s s iv:s ha256
(ESSIV - Encrypte d Salt-Se ctor Initializ ation Ve ctor). Note that the ins tallation program,
Anaco nda, us e s by de fault XTS mode (ae s -xts -plain64). The de fault ke y s iz e for LUKS is
256 bits . The de fault ke y s iz e for LUKS with Anaco nda (XTS mode ) is 512 bits . Ciphe rs
that are available are :
AES - Advance d Encryption Standard - FIPS PUB 197
Twofis h (A 128-bit Block Ciphe r)
Se rpe nt
cas t5 - RFC 2144
cas t6 - RFC 2612

4.10.1.2. Manually Encrypt ing Direct ories

Warning
Following this proce dure will re move all data on the partition that you are e ncrypting.
You WILL los e all your information! Make s ure you backup your data to an e xte rnal
s ource be fore be ginning this proce dure !
1. Ente r runle ve l 1 by typing the following at a s he ll prompt as root:
telinit 1
2. Unmount your e xis ting /home:
umount /home
3. If the command in the pre vious s te p fails , us e fuser to find proce s s e s hogging
/home and kill the m:
fuser -mvk /home
4. Ve rify /home is no longe r mounte d:
grep home /proc/mounts
5. Fill your partition with random data:
shred -v --iterations=1 /dev/VG00/LV_home
This command proce e ds at the s e que ntial write s pe e d of your de vice and may take
s ome time to comple te . It is an important s te p to e ns ure no une ncrypte d data is
le ft on a us e d de vice , and to obfus cate the parts of the de vice that contain
e ncrypte d data as oppos e d to jus t random data.

132

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

6. Initializ e your partition:


cryptsetup --verbose --verify-passphrase luksFormat
/dev/VG00/LV_home
7. Ope n the ne wly e ncrypte d de vice :
cryptsetup luksOpen /dev/VG00/LV_home home
8. Make s ure the de vice is pre s e nt:
ls -l /dev/mapper | grep home
9. Cre ate a file s ys te m:
mkfs.ext3 /dev/mapper/home
10. Mount the file s ys te m:
mount /dev/mapper/home /home
11. Make s ure the file s ys te m is vis ible :
df -h | grep home
12. Add the following to the /etc/crypttab file :
home /dev/VG00/LV_home none
13. Edit the /etc/fstab file , re moving the old e ntry for /home and adding the following
line :
/dev/mapper/home /home ext3 defaults 1 2
14. Re s tore de fault SELinux s e curity conte xts :
/sbin/restorecon -v -R /home
15. Re boot the machine :
shutdown -r now
16. The e ntry in the /etc/crypttab make s your compute r as k your luks pas s phras e
on boot.
17. Log in as root and re s tore your backup.
You now have an e ncrypte d partition for all of your data to s afe ly re s t while the compute r
is off.

4.10.1.3. Add a New Passphrase t o an Exist ing Device

133

Se c ur it y Guide

Us e the following command to add a ne w pas s phras e to an e xis ting de vice :


cryptsetup luksAddKey device
Afte r be ing prompte d for any one of the e xis ting pas s pras e s for authe ntication, you will be
prompte d to e nte r the ne w pas s phras e .

4.10.1.4. Remove a Passphrase f rom an Exist ing Device


Us e the following command to re move a pas s phras e from an e xis ting de vice :
cryptsetup luksRemoveKey device
You will be prompte d for the pas s phras e you want to re move and the n for any one of the
re maining pas s phras e s for authe ntication.

4.10.1.5. Creat ing Encrypt ed Block Devices in Anaconda


You can cre ate e ncrypte d de vice s during s ys te m ins tallation. This allows you to e as ily
configure a s ys te m with e ncrypte d partitions .
To e nable block de vice e ncryption, che ck the Encrypt System che ck box whe n s e le cting
automatic partitioning or the Encrypt che ck box whe n cre ating an individual partition,
s oftware RAID array, or logical volume . Afte r you finis h partitioning, you will be prompte d
for an e ncryption pas s phras e . This pas s phras e will be re quire d to acce s s the e ncrypte d
de vice s . If you have pre -e xis ting LUKS de vice s and provide d corre ct pas s phras e s for
the m e arlie r in the ins tall proce s s the pas s phras e e ntry dialog will als o contain a che ck
box. Che cking this che ck box indicate s that you would like the ne w pas s phras e to be
adde d to an available s lot in e ach of the pre -e xis ting e ncrypte d block de vice s .

No te
Che cking the Encrypt System che ck box on the Automatic Partitioning s cre e n
and the n choos ing Create custom layout doe s not caus e any block de vice s to be
e ncrypte d automatically.

No te
You can us e kickstart to s e t a s e parate pas s phras e for e ach ne w e ncrypte d block
de vice .

4.10.1.6. Addit ional Resources


For additional information on LUKS or e ncrypting hard drive s unde r Re d Hat
Ente rpris e Linux 7 vis it one of the following links :
LUKS home page
LUKS/crypts e tup FAQ
LUKS - Linux Unifie d Ke y Se tup Wikipe dia article

134

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

HOWTO: Cre ating an e ncrypte d Phys ical Volume (PV) us ing a s e cond hard drive and
pvmove

4.10.2. Creat ing GPG Keys


GPG is us e d to ide ntify yours e lf and authe nticate your communications , including thos e
with pe ople you do not know. GPG allows anyone re ading a GPG-s igne d e mail to ve rify its
authe nticity. In othe r words , GPG allows s ome one to be re as onably ce rtain that
communications s igne d by you actually are from you. GPG is us e ful be caus e it he lps
pre ve nt third partie s from alte ring code or inte rce pting conve rs ations and alte ring the
me s s age .

4.10.2.1. Creat ing GPG Keys in GNOME


To cre ate a GPG Ke y in GNOME, follow the s e s te ps :
1. Ins tall the Seaho rse utility, which make s GPG ke y manage me nt e as ie r:
~]# yum install seahorse
2. To cre ate a ke y, from the Applicat io ns Accesso ries me nu s e le ct Passwo rds
and Encrypt io n Keys, which s tarts the application Seaho rse.
3. From the File me nu s e le ct New and the n PGP Key. The n click Continue.
4. Type your full name , e mail addre s s , and an optional comme nt de s cribing who you
are (for e xample : John C. Smith, jsmith@example.com, Software Engine e r). Click
Create. A dialog is dis playe d as king for a pas s phras e for the ke y. Choos e a s trong
pas s phras e but als o e as y to re me mbe r. Click OK and the ke y is cre ate d.

Warning
If you forge t your pas s phras e , you will not be able to de crypt the data.
To find your GPG ke y ID, look in the Key ID column ne xt to the ne wly cre ate d ke y. In mos t
cas e s , if you are as ke d for the ke y ID, pre pe nd 0x to the ke y ID, as in 0x6789ABCD. You
s hould make a backup of your private ke y and s tore it s ome whe re s e cure .

4.10.2.2. Creat ing GPG Keys in KDE


To cre ate a GPG Ke y in KDE, follow the s e s te ps :
1. Start the KGpg program from the main me nu by s e le cting Applicat io ns
Ut ilit ies Encrypt io n T o o l. If you have ne ve r us e d KGpg be fore , the program
walks you through the proce s s of cre ating your own GPG ke ypair.
2. A dialog box appe ars prompting you to cre ate a ne w ke y pair. Ente r your name ,
e mail addre s s , and an optional comme nt. You can als o choos e an e xpiration time
for your ke y, as we ll as the ke y s tre ngth (numbe r of bits ) and algorithms .
3. Ente r your pas s phras e in the ne xt dialog box. At this point, your ke y appe ars in the
main KGpg window.

135

Se c ur it y Guide

Warning
If you forge t your pas s phras e , you will not be able to de crypt the data.
To find your GPG ke y ID, look in the Key ID column ne xt to the ne wly cre ate d ke y. In mos t
cas e s , if you are as ke d for the ke y ID, pre pe nd 0x to the ke y ID, as in 0x6789ABCD. You
s hould make a backup of your private ke y and s tore it s ome whe re s e cure .

4.10.2.3. Creat ing GPG Keys Using t he Command Line


1. Us e the following s he ll command:
~]$ gpg2 --gen-key
This command ge ne rate s a ke y pair that cons is ts of a public and a private ke y.
Othe r pe ople us e your public ke y to authe nticate and/or de crypt your
communications . Dis tribute your public ke y as wide ly as pos s ible , e s pe cially to
pe ople who you know will want to re ce ive authe ntic communications from you, s uch
as a mailing lis t.
2. A s e rie s of prompts dire cts you through the proce s s . Pre s s the Enter ke y to
as s ign a de fault value if de s ire d. The firs t prompt as ks you to s e le ct what kind of
ke y you pre fe r:
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
In almos t all cas e s , the de fault is the corre ct choice . An RSA/RSA ke y allows you not
only to s ign communications , but als o to e ncrypt file s .
3. Choos e the ke y s iz e :
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Again, the de fault, 2048, is s ufficie nt for almos t all us e rs , and re pre s e nts an
e xtre me ly s trong le ve l of s e curity.
4. Choos e whe n the ke y will e xpire . It is a good ide a to choos e an e xpiration date
ins te ad of us ing the de fault, which is none. If, for e xample , the e mail addre s s on
the ke y be come s invalid, an e xpiration date will re mind othe rs to s top us ing that
public ke y.
Please specify how long the key should be valid.
0 = key does not expire
d = key expires in n days
w = key expires in n weeks

136

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

m = key expires in n months


y = key expires in n years
key is valid for? (0)
Ente ring a value of 1y, for e xample , make s the ke y valid for one ye ar. (You may
change this e xpiration date afte r the ke y is ge ne rate d, if you change your mind.)
5. Be fore the gpg2 application as ks for s ignature information, the following prompt
appe ars :
Is this correct (y/N)?
Ente r y to finis h the proce s s .
6. Ente r your name and e mail addre s s for your GPG ke y. Re me mbe r this proce s s is
about authe nticating you as a re al individual. For this re as on, include your re al
name . If you choos e a bogus e mail addre s s , it will be more difficult for othe rs to
find your public ke y. This make s authe nticating your communications difficult. If you
are us ing this GPG ke y for s e lf-introduction on a mailing lis t, for e xample , e nte r the
e mail addre s s you us e on that lis t.
Us e the comme nt fie ld to include alias e s or othe r information. (Some pe ople us e
diffe re nt ke ys for diffe re nt purpos e s and ide ntify e ach ke y with a comme nt, s uch
as "Office " or "Ope n Source Proje cts .")
7. At the confirmation prompt, e nte r the le tte r O to continue if all e ntrie s are corre ct,
or us e the othe r options to fix any proble ms . Finally, e nte r a pas s phras e for your
s e cre t ke y. The gpg2 program as ks you to e nte r your pas s phras e twice to e ns ure
you made no typing e rrors .
8. Finally, gpg2 ge ne rate s random data to make your ke y as unique as pos s ible .
Move your mous e , type random ke ys , or pe rform othe r tas ks on the s ys te m during
this s te p to s pe e d up the proce s s . Once this s te p is finis he d, your ke ys are
comple te and re ady to us e :
pub 1024D/1B2AFA1C 2005-03-31 John Q. Doe <jqdoe@example.com>
Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A
FA1C
sub 1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]
9. The ke y finge rprint is a s horthand "s ignature " for your ke y. It allows you to confirm
to othe rs that the y have re ce ive d your actual public ke y without any tampe ring. You
do not ne e d to write this finge rprint down. To dis play the finge rprint at any time ,
us e this command, s ubs tituting your e mail addre s s :
~]$ gpg2 --fingerprint jqdoe@example.com
Your "GPG ke y ID" cons is ts of 8 he x digits ide ntifying the public ke y. In the e xample
above , the GPG ke y ID is 1B2AFA1C. In mos t cas e s , if you are as ke d for the ke y ID,
pre pe nd 0x to the ke y ID, as in 0x6789ABCD.

137

Se c ur it y Guide

Warning
If you forge t your pas s phras e , the ke y cannot be us e d and any data e ncrypte d us ing
that ke y will be los t.

4.10.2.4. About Public Key Encrypt ion


1. Wikipe dia - Public Ke y Cryptography
2. HowStuffWorks - Encryption

4.10.3. Using openCrypt oki f or Public-Key Crypt ography


o penCrypt o ki is a Linux imple me ntation of PKCS#11, which is a Public-Key Cryptography
Standard that de fine s an application programming inte rface (API) to cryptographic de vice s
calle d toke ns . Toke ns may be imple me nte d in hardware or s oftware . This chapte r
provide s an ove rvie w of the way the o penCrypt o ki s ys te m is ins talle d, configure d, and
us e d in Re d Hat Ente rpris e Linux 7.

4.10.3.1. Inst alling openCrypt oki and St art ing t he Service


To ins tall the bas ic o penCrypt o ki package s on your s ys te m, including a s oftware
imple me ntation of a toke n for te s ting purpos e s , run the following command as root:
~]# yum install opencryptoki
De pe nding on the type of hardware toke ns you inte nd to us e , you may ne e d to ins tall
additional package s that provide s upport for your s pe cific us e cas e . For e xample , to obtain
s upport for Trusted Platform Module (TPM) de vice s , you ne e d to ins tall the opencryptokitpmtok package .
Se e the Ins talling Package s s e ction of the Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide for ge ne ral information on how to ins tall package s us ing the Yum
package manage r.
To e nable the o penCrypt o ki s e rvice , you ne e d to run the pkcsslotd dae mon. Start the
dae mon for the curre nt s e s s ion by e xe cuting the following command as root:
~]# systemctl start pkcsslotd
To e ns ure that the s e rvice is automatically s tarte d at boot time , run the following
command:
~]# systemctl enable pkcsslotd
Se e the Managing Se rvice s with s ys te md chapte r of the Re d Hat Ente rpris e Linux 7
Sys te m Adminis trator's Guide for more information on how to us e s ys te md targe ts to
manage s e rvice s .

4.10.3.2. Conf iguring and Using openCrypt oki

138

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Whe n s tarte d, the pkcsslotd dae mon re ads the


/etc/opencryptoki/opencryptoki.conf configuration file , which it us e s to colle ct
information about the toke ns configure d to work with the s ys te m and about the ir s lots .
The file de fine s the individual s lots us ing ke y-value pairs . Each s lot de finition can contain a
de s cription, a s pe cification of the toke n library to be us e d, and an ID of the s lot's
manufacture r. Optionally, the ve rs ion of the s lot's hardware and firmware may be de fine d.
Se e the ope ncryptoki.conf(5) manual page for a de s cription of the file 's format and for a
more de taile d de s cription of the individual ke ys and the value s that can be as s igne d to
the m.
To modify the be havior of the pkcsslotd dae mon at run time , us e the pkcsconf utility.
This tool allows you to s how and configure the s tate of the dae mon, as we ll as to lis t and
modify the curre ntly configure d s lots and toke ns . For e xample , to dis play information about
toke ns , is s ue the following command (note that all non-root us e rs that ne e d to
communicate with the pkcsslotd dae mon mus t be a part of the pkcs11 s ys te m group):
~]$ pkcsconf -t
Se e the pkcs conf(1) manual page for a lis t of argume nts available with the pkcsconf tool.

Warning
Ke e p in mind that only fully trus te d us e rs s hould be as s igne d me mbe rs hip in the
pkcs11 group, as all me mbe rs of this group have the right to block othe r us e rs of
the o penCrypt o ki s e rvice from acce s s ing configure d PKCS#11 toke ns . All
me mbe rs of this group can als o e xe cute arbitrary code with the privile ge s of any
othe r us e rs of o penCrypt o ki.

4.10.4. Using Smart Cards t o Supply Credent ials t o OpenSSH


The s mart card is a lightwe ight hardware s e curity module in a USB s tick, MicroSD, or
SmartCard form factor. It provide s a re mote ly manage able s e cure ke y s tore . In Re d Hat
Ente rpris e Linux 7, Ope nSSH s upports authe ntication us ing s mart cards .
To us e your s mart card with Ope nSSH, s tore the public ke y from the card to the
~/.ssh/authorized_keys file . Ins tall the PKCS#11 library provide d by the opensc package
on the clie nt. PKCS#11 is a Public-Ke y Cryptography Standard that de fine s an application
programming inte rface (API) to cryptographic de vice s calle d toke ns . Run the following
command as root:
~]# yum install opensc
To us e s mart cards that are not s upporte d by opensc (CoolKe y and CAC), ins tall the
coolkey package by running the following command as root:
~]# yum install coolkey

4.10.4.1. Ret rieving a Public Key f rom a Card


To lis t the ke ys on your card, us e the ssh-keygen command. Spe cify the s hare d library
(Ope nSC in the following e xample ) with the -D dire ctive .

139

Se c ur it y Guide

~]$ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so


ssh-rsa AAAAB3NzaC1yc[...]+g4Mb9

4.10.4.2. St oring a Public Key on a Server


To e nable authe ntication us ing a s mart card on a re mote s e rve r, trans fe r the public ke y to
the re mote s e rve r. Do it by copying the re trie ve d s tring (ke y) and pas ting it to the re mote
s he ll, or by s toring your ke y to a file (smartcard.pub in the following e xample ) and us ing
the ssh-copy-id command:
~]$ SSH_COPY_ID_LEGACY=1 ssh-copy-id -i smartcard.pub user@hostname
user@hostname's password:
Number of key(s) added: 1
Now try logging into the machine, with:
"ssh user@hostname"
and check to make sure that only the key(s) you wanted were added.
Storing a public ke y without a private ke y file re quire s to us e the SSH_COPY_ID_LEGACY=1
e nvironme nt variable .

4.10.4.3. Aut hent icat ing t o a Server wit h a Key on a Smart Card
Ope nSSH can re ad your public ke y from a s mart card and pe rform ope rations with your
private ke y without e xpos ing the ke y its e lf. This me ans that the private ke y doe s not
le ave the card. To conne ct to a re mote s e rve r us ing your s mart card for authe ntication,
run the following command and e nte r the PIN prote cting your card:
[localhost ~]$ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so hostname
Enter PIN for 'Test (UserPIN)':
[hostname ~]$
Re place the hostname with the actual hos tname to which you want to conne ct.
To s ave unne ce s s ary typing ne xt time you conne ct to the re mote s e rve r, s tore the path
to the PKCS#11 library in your ~/.ssh/config file :
Host hostname
PKCS11Provider /usr/lib64/pkcs11/opensc-pkcs11.so
Conne ct by running the ssh command without any additional options :
[localhost ~]$ ssh hostname
Enter PIN for 'Test (UserPIN)':
[hostname ~]$

4.10.4.4. Using ssh-agent t o Aut omat e PIN Logging In


Se t up e nvironme ntal variable s to s tart us ing ssh-agent. You can s kip this s te p in mos t
cas e s be caus e ssh-agent is alre ady running in a typical s e s s ion. Us e the following
command to che ck whe the r you can conne ct to your authe ntication age nt:

140

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]$ ssh-add -l
Could not open a connection to your authentication agent.
~]$ eval `ssh-agent`
To avoid writing your PIN e ve ry time you conne ct us ing this ke y, add the card to the age nt
by running the following command:
~]$ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
Enter PIN for 'Test (UserPIN)':
Card added: /usr/lib64/pkcs11/opensc-pkcs11.so
To re move the card from ssh-agent, us e the following command:
~]$ ssh-add -e /usr/lib64/pkcs11/opensc-pkcs11.so
Card removed: /usr/lib64/pkcs11/opensc-pkcs11.so

4.10.4.5. Addit ional Resources


Se tting up your hardware or s oftware toke n is de s cribe d in the Smart Card s upport in Re d
Hat Ente rpris e Linux 7 article .

4.10.5. T rust ed and Encrypt ed Keys


Trusted and encrypted keys are variable -le ngth s ymme tric ke ys ge ne rate d by the ke rne l
that utiliz e the ke rne l ke yring s e rvice . The fact that the ke ys ne ve r appe ar in us e r s pace
in an une ncrypte d form me ans that the ir inte grity can be ve rifie d, which in turn me ans that
the y can be us e d, for e xample , by the e xte nde d ve rification module (EVM) to ve rify and
confirm the inte grity of a running s ys te m. Us e r-le ve l programs can only e ve r acce s s the
ke ys in the form of e ncrypte d blobs.
Trus te d ke ys ne e d a hardware compone nt: the Trusted Platform Module (TPM) chip, which
is us e d to both cre ate and e ncrypt (seal) the ke ys . The TPM s e als the ke ys us ing a 2048bit RSA ke y calle d the storage root key (SRK).
In addition to that, trus te d ke ys may als o be s e ale d us ing a s pe cific s e t of the TPM's
platform configuration register (PCR) value s . The PCR contains a s e t of inte gritymanage me nt value s that re fle ct the BIOS, bootloade r, and ope rating s ys te m. This me ans
that PCR-s e ale d ke ys can only be de crypte d by the TPM on the e xact s ame s ys te m on
which the y we re e ncrypte d. Howe ve r, once a PCR-s e ale d trus te d ke y is loade d (adde d to
a ke yring), and thus its as s ociate d PCR value s are ve rifie d, it can be update d with ne w (or
future ) PCR value s , s o that a ne w ke rne l, for e xample , can be boote d. A s ingle ke y can
als o be s ave d as multiple blobs , e ach with diffe re nt PCR value s .
Encrypte d ke ys do not re quire a TPM, as the y us e the ke rne l AES e ncryption, which make s
the m fas te r than trus te d ke ys . Encrypte d ke ys are cre ate d us ing ke rne l-ge ne rate d
random numbe rs and e ncrypte d by a master key whe n the y are e xporte d into us e r-s pace
blobs . This mas te r ke y can be e ithe r a trus te d ke y or a us e r ke y, which is the ir main
dis advantage if the mas te r ke y is not a trus te d ke y, the e ncrypte d ke y is only as
s e cure as the us e r ke y us e d to e ncrypt it.

4.10.5.1. Working wit h Keys

141

Se c ur it y Guide

Prior to any ope rations with ke ys , re le vant ke rne l module s ne e d to be loade d. For trus te d
ke ys , it is the t rust ed module , and for e ncrypte d ke ys , it is the encrypt ed-keys module .
Us e the following command as the root us e r to load both of the s e module s at once :
~]# modprobe trusted encrypted-keys
Trus te d and e ncrypte d ke ys can be cre ate d, loade d, e xporte d, and update d us ing the
keyct l utility. For de taile d information about us ing keyct l, s e e ke yctl(1).

No te
In orde r to us e a TPM (s uch as for cre ating and s e aling trus te d ke ys ), it ne e ds to be
e nable d and active . This can be us ually achie ve d through a s e tting in the machine 's
BIOS or us ing the tpm_setactive command from the tpm-tools package of utilitie s .
Als o, the T ro uSers application ne e ds to be ins talle d (the trousers package ), and the
tcsd dae mon, which is a part of the T ro uSers s uite , running to communicate with
the TPM.
To cre ate a trus te d ke y us ing a TPM, e xe cute the keyctl command with the following
s yntax:
keyctl add trusted name "new keylength [options]" keyring
Us ing the above s yntax, an e xample command can be cons tructe d as follows :
~]$ keyctl add trusted kmk "new 32" @u
642500861
The above e xample cre ate s a trus te d ke y calle d kmk with the le ngth of 32 byte s (256 bits )
and place s it in the us e r ke yring (@u). The ke ys may have a le ngth of 32 to 128 byte s (256
to 1024 bits ). Us e the show s ubcommand to lis t the curre nt s tructure of the ke rne l
ke yrings :
~]$ keyctl show
Session Keyring
-3 --alswrv
97833714 --alswrv
642500861 --alswrv

500
500
500

500
-1
500

keyring: _ses
\_ keyring: _uid.1000
\_ trusted: kmk

The print s ubcommand outputs the e ncrypte d ke y to the s tandard output. To e xport the
ke y to a us e r-s pace blob, us e the pipe s ubcommand as follows :
~]$ keyctl pipe 642500861 > kmk.blob
To load the trus te d ke y from the us e r-s pace blob, us e the add command again with the
blob as an argume nt:
~]$ keyctl add trusted kmk "load `cat kmk.blob`" @u
268728824
The TPM-s e ale d trus te d ke y can the n be e mploye d to cre ate s e cure e ncrypte d ke ys . The
following command s yntax is us e d for ge ne rating e ncrypte d ke ys :

142

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

~]$ keyctl add encrypted name "new [format] key-type:master-key-name


keylength" keyring
Bas e d on the above s yntax, a command for ge ne rating an e ncrypte d ke y us ing the
alre ady cre ate d trus te d ke y can be cons tructe d as follows :
~]$ keyctl add encrypted encr-key "new trusted:kmk 32" @u
159771175
To cre ate an e ncrypte d ke y on s ys te ms whe re a TPM is not available , us e a random
s e que nce of numbe rs to ge ne rate a us e r ke y, which is the n us e d to s e al the actual
e ncrypte d ke ys .
~]$ keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32
2>/dev/null`" @u
427069434
The n ge ne rate the e ncrypte d ke y us ing the random-numbe r us e r ke y:
~]$ keyctl add encrypted encr-key "new user:kmk-user 32" @u
1012412758
The list s ubcommand can be us e d to lis t all ke ys in the s pe cifie d ke rne l ke yring:
~]$ keyctl list @u
2 keys in keyring:
427069434: --alswrv 1000 1000 user: kmk-user
1012412758: --alswrv 1000 1000 encrypted: encr-key

Impo rtant
Ke e p in mind that e ncrypte d ke ys that are not s e ale d by a mas te r trus te d ke y are
only as s e cure as the us e r mas te r ke y (random-numbe r ke y) us e d to e ncrypt the m.
The re fore , the mas te r us e r ke y s hould be loade d as s e cure ly as pos s ible and
pre fe rably e arly during the boot proce s s .

4.10.5.2. Addit ional Resources


The following offline and online re s ource s can be us e d to acquire additional information
pe rtaining to the us e of trus te d and e ncrypte d ke ys .

Inst alled Document at ion


ke yctl(1) De s cribe s the us e of the keyct l utility and its s ubcommands .

Online Document at ion


Re d Hat Ente rpris e Linux 7 SELinux Us e r's and Adminis trator's Guide The SELinux
User's and Administrator's Guide for Re d Hat Ente rpris e Linux 7 de s cribe s the bas ic
principle s of SELinux and docume nts in de tail how to configure and us e SELinux with
various s e rvice s , s uch as the Apache HT T P Server.

143

Se c ur it y Guide

https ://www.ke rne l.org/doc/Docume ntation/s e curity/ke ys -trus te d-e ncrypte d.txt The
official docume ntation about the trus te d and e ncrypte d ke ys fe ature of the Linux ke rne l.

See Also
Se ction A.1.1, Advance d Encryption Standard AES provide s a concis e de s cription of
the Advanced Encryption Standard.
Se ction A.2, Public-ke y Encryption de s cribe s the public-ke y cryptographic approach
and the various cryptographic protocols it us e s .

4.10.6. Using t he Random Number Generat or


In orde r to be able to ge ne rate s e cure cryptographic ke ys that cannot be e as ily broke n, a
s ource of random numbe rs is re quire d. Ge ne rally, the more random the numbe rs are , the
be tte r the chance of obtaining unique ke ys . Entropy for ge ne rating random numbe rs is
us ually obtaine d from computing e nvironme ntal "nois e " or us ing a hardware random
number generator.
The rngd dae mon, which is a part of the rng-tools package , is capable of us ing both
e nvironme ntal nois e and hardware random numbe r ge ne rators for e xtracting e ntropy. The
dae mon che cks whe the r the data s upplie d by the s ource of randomne s s is s ufficie ntly
random and the n s tore s it in the random-numbe r e ntropy pool of the ke rne l. The random
numbe rs it ge ne rate s are made available through the /dev/random and /dev/urandom
characte r de vice s .
The diffe re nce be twe e n /dev/random and /dev/urandom is that the forme r is a blocking
de vice , which me ans it s tops s upplying numbe rs whe n it de te rmine s that the amount of
e ntropy is ins ufficie nt for ge ne rating a prope rly random output. Conve rs e ly, /dev/urandom
is a non-blocking s ource , which re us e s the e ntropy pool of the ke rne l and is thus able to
provide an unlimite d s upply of ps e udo-random numbe rs , albe it with le s s e ntropy. As s uch,
/dev/urandom s hould not be us e d for cre ating long-te rm cryptographic ke ys .
To ins tall the rng-tools package , is s ue the following command as the root us e r:
~]# yum install rng-tools
To s tart the rngd dae mon, e xe cute the following command as root:
~]# systemctl start rngd
To que ry the s tatus of the dae mon, us e the following command:
~]# systemctl status rngd
To s tart the rngd dae mon with optional parame te rs , e xe cute it dire ctly. For e xample , to
s pe cify an alte rnative s ource of random-numbe r input (othe r than /dev/hwrandom), us e
the following command:
~]# rngd --rng-device=/dev/hwrng
The above command s tarts the rngd dae mon with /dev/hwrng as the de vice from which
random numbe rs are re ad. Similarly, you can us e the -o (or --random-device) option to
choos e the ke rne l de vice for random-numbe r output (othe r than the de fault /dev/random).
Se e the rngd(8) manual page for a lis t of all available options .

144

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

To che ck which s ource s of e ntropy are available in a give n s ys te m, e xe cute the following
command as root:
~]# rngd -v
Unable to open file: /dev/tpm0
Available entropy sources:
DRNG
If the re is not any TPM de vice pre s e nt, you will s e e only the Inte l Digital Random Numbe r
Ge ne rator (DRNG) as a s ource of e ntropy. To che ck if your CPU s upports the RDRAND
proce s s or ins truction, run the following command:
~]$ cat /proc/cpuinfo | grep rdrand

No te
For more information and s oftware code e xample s , s e e Inte l Digital Random Numbe r
Ge ne rator (DRNG) Software Imple me ntation Guide .
The rng-tools package als o contains the rngt est utility, which can be us e d to che ck the
randomne s s of data. To te s t the le ve l of randomne s s of the output of /dev/random, us e
the rngt est tool as follows :
~]$ cat /dev/random | rngtest -c 1000
rngtest 5
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is
NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 998
rngtest: FIPS 140-2 failures: 2
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 2
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=1.171; avg=8.453; max=11.374)Mibits/s
rngtest: FIPS tests speed: (min=15.545; avg=143.126;
max=157.632)Mibits/s
rngtest: Program run time: 2390520 microseconds
A high numbe r of failure s s hown in the output of the rngt est tool indicate s that the
randomne s s of the te s te d data is ins ufficie nt and s hould not be re lie d upon. Se e the
rngte s t(1) manual page for a lis t of options available for the rngt est utility.
Re d Hat Ente rpris e Linux 7 introduce d the virt io RNG (Random Numbe r Ge ne rator) de vice
that provide s KVM virtual machine s with acce s s to e ntropy from the hos t machine . With
the re comme nde d s e tup, hwrng fe e ds into the e ntropy pool of the hos t Linux ke rne l
(through /dev/random), and QEMU will us e /dev/random as the s ource for e ntropy
re que s te d by gue s ts .

145

Se c ur it y Guide

Figure 4.3. T he virt io RNG device


Pre vious ly, Re d Hat Ente rpris e Linux 7.0 and Re d Hat Ente rpris e Linux 6 gue s ts could
make us e of the e ntropy from hos ts through the rngd us e rs pace dae mon. Se tting up the
dae mon was a manual s te p for e ach Re d Hat Ente rpris e Linux ins tallation. With Re d Hat
Ente rpris e Linux 7.1, the manual s te p has be e n e liminate d, making the e ntire proce s s
s e amle s s and automatic. The us e of rngd is now not re quire d and the gue s t ke rne l its e lf
fe tche s e ntropy from the hos t whe n the available e ntropy falls be low a s pe cific thre s hold.
The gue s t ke rne l is the n in a pos ition to make random numbe rs available to applications
as s oon as the y re que s t the m.
The Re d Hat Ente rpris e Linux ins talle r, Anaco nda, now provide s the virt io -rng module in
its ins talle r image , making available hos t e ntropy during the Re d Hat Ente rpris e Linux
ins tallation.

4.11. Hardening T LS Configurat ion

146

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

TLS (Transport Layer Security) is a cryptographic protocol us e d to s e cure ne twork


communications . Whe n harde ning s ys te m s e curity s e ttings by configuring pre fe rre d keyexchange protocols, authentication methods, and encryption algorithms, it is ne ce s s ary to
be ar in mind that the broade r the range of s upporte d clie nts , the lowe r the re s ulting
s e curity. Conve rs e ly, s trict s e curity s e ttings le ad to a limite d compatibility with clie nts ,
which can re s ult in s ome us e rs be ing locke d out of the s ys te m. Be s ure to targe t the
s tricte s t available configuration and only re lax it whe n it is re quire d for compatibility
re as ons .
Note that the de fault s e ttings provide d by librarie s include d in Re d Hat Ente rpris e Linux 7
are s e cure e nough for mos t de ployme nts . The TLS imple me ntations us e s e cure
algorithms whe re pos s ible while not pre ve nting conne ctions from or to le gacy clie nts or
s e rve rs . Apply the harde ne d s e ttings de s cribe d in this s e ction in e nvironme nts with s trict
s e curity re quire me nts whe re le gacy clie nts or s e rve rs that do not s upport s e cure
algorithms or protocols are not e xpe cte d or allowe d to conne ct.

4.11.1. Choosing Algorit hms t o Enable


The re are s e ve ral compone nts that ne e d to be s e le cte d and configure d. Each of the
following dire ctly influe nce s the robus tne s s of the re s ulting configuration (and,
cons e que ntly, the le ve l of s upport in clie nts ) or the computational de mands that the
s olution has on the s ys te m.

Prot ocol Versions


The late s t ve rs ion of TLS provide s the be s t s e curity me chanis m. Unle s s you have a
compe lling re as on to include s upport for olde r ve rs ions of TLS (or e ve n SSL), allow your
s ys te ms to ne gotiate conne ctions us ing only the late s t ve rs ion of TLS.
Do not allow ne gotiation us ing SSL ve rs ion 2 or 3. Both of thos e ve rs ions have s e rious
s e curity vulne rabilitie s . Only allow ne gotiation us ing TLS ve rs ion 1.0 or highe r. The curre nt
ve rs ion of TLS, 1.2, s hould always be pre fe rre d.

No te
Ple as e note that curre ntly, the s e curity of all ve rs ions of TLS de pe nds on the us e of
TLS e xte ns ions , s pe cific ciphe rs (s e e be low), and othe r workarounds . All TLS
conne ction pe e rs ne e d to imple me nt s e cure re ne gotiation indication (RFC 5746),
mus t not s upport compre s s ion, and mus t imple me nt mitigating me as ure s for timing
attacks agains t CBC-mode ciphe rs (the Lucky Thirte e n attack). TLS v1.0 clie nts ne e d
to additionally imple me nt re cord s plitting (a workaround agains t the BEAST attack).
TLS v1.2 s upports Authenticated Encryption with Associated Data (AEAD) mode
ciphe rs like AES-GCM, AES-CCM, or Camellia-GCM, which have no known is s ue s . All
the me ntione d mitigations are imple me nte d in cryptographic librarie s include d in
Re d Hat Ente rpris e Linux.
Se e Table 4.6, Protocol Ve rs ions for a quick ove rvie w of protocol ve rs ions and
re comme nde d us age .
T able 4.6. Pro t o co l Versio ns

147

Se c ur it y Guide

Pro t o co l
Versio n

Usage Reco mmendat io n

SSL v2
SSL v3
TLS v1.0

Do not us e . Has s e rious s e curity vulne rabilitie s .


Do not us e . Has s e rious s e curity vulne rabilitie s .
Us e for inte rope rability purpos e s whe re ne e de d. Has known is s ue s that
cannot be mitigate d in a way that guarante e s inte rope rability, and thus
mitigations are not e nable d by de fault. Doe s not s upport mode rn ciphe r
s uite s .
Us e for inte rope rability purpos e s whe re ne e de d. Has no known is s ue s
but re lie s on protocol fixe s that are include d in all the TLS
imple me ntations in Re d Hat Ente rpris e Linux. Doe s not s upport mode rn
ciphe r s uite s .
Re comme nde d ve rs ion. Supports the mode rn AEAD ciphe r s uite s .

TLS v1.1

TLS v1.2

Some compone nts in Re d Hat Ente rpris e Linux are configure d to us e TLS v1.0 e ve n
though the y provide s upport for TLS v1.1 or e ve n v1.2. This is motivate d by an atte mpt
to achie ve the highe s t le ve l of inte rope rability with e xte rnal s e rvice s that may not s upport
the late s t ve rs ions of TLS. De pe nding on your inte rope rability re quire me nts , e nable the
highe s t available ve rs ion of TLS.

Impo rtant
SSL v3 is not re comme nde d for us e . Howe ve r, if, de s pite the fact that it is
cons ide re d ins e cure and uns uitable for ge ne ral us e , you abs olute ly mus t le ave
SSL v3 e nable d, s e e Se ction 4.9, Us ing s tunne l for ins tructions on how to us e
st unnel to s e cure ly e ncrypt communications e ve n whe n us ing s e rvice s that do not
s upport e ncryption or are only capable of us ing obs ole te and ins e cure mode s of
e ncryption.

Cipher Suit es
Mode rn, more s e cure cipher suites s hould be pre fe rre d to old, ins e cure one s . Always
dis able the us e of e NULL and aNULL ciphe r s uite s , which do not offe r any e ncryption or
authe ntication at all. If at all pos s ible , ciphe rs s uite s bas e d on RC4 or HMAC-MD5, which
have s e rious s hortcomings , s hould als o be dis able d. The s ame applie s to the s o-calle d
export ciphe r s uite s , which have be e n inte ntionally made we ake r, and thus are e as y to
bre ak.
While not imme diate ly ins e cure , ciphe r s uite s that offe r le s s than 128 bits of s e curity
s hould not be cons ide re d for the ir s hort us e ful life . Algorithms that us e 128 bit of s e curity
or more can be e xpe cte d to be unbre akable for at le as t s e ve ral ye ars , and are thus
s trongly re comme nde d. Note that while 3DES ciphe rs adve rtis e the us e of 168 bits , the y
actually offe r 112 bits of s e curity.
Always give pre fe re nce to ciphe r s uite s that s upport (perfect) forward secrecy (PFS), which
e ns ure s the confide ntiality of e ncrypte d data e ve n in cas e the s e rve r ke y is
compromis e d. This rule s out the fas t RSA ke y e xchange , but allows for the us e of ECDHE
and DHE. Of the two, ECDHE is the fas te r and the re fore the pre fe rre d choice .
You s hould als o give pre fe re nce to AEAD ciphe rs , s uch as AES-GCM, be fore CBC-mode
ciphe rs as the y are not vulne rable to padding oracle attacks . Additionally, in many cas e s ,
AES-GCM is fas te r than AES in CBC mode , e s pe cially whe n the hardware has cryptographic
acce le rators for AES.

148

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Note als o that whe n us ing the ECDHE ke y e xchange with ECDSA ce rtificate s , the trans action
is e ve n fas te r than pure RSA ke y e xchange . To provide s upport for le gacy clie nts , you can
ins tall two pairs of ce rtificate s and ke ys on a s e rve r: one with ECDSA ke ys (for ne w clie nts )
and one with RSA ke ys (for le gacy one s ).

Public Key Lengt h


Whe n us ing RSA ke ys , always pre fe r ke y le ngths of at le as t 3072 bits s igne d by at le as t
SHA-256, which is s ufficie ntly large for true 128 bits of s e curity.

Warning
Ke e p in mind that the s e curity of your s ys te m is only as s trong as the we ake s t link
in the chain. For e xample , a s trong ciphe r alone doe s not guarante e good s e curity.
The ke ys and the ce rtificate s are jus t as important, as we ll as the has h functions
and ke ys us e d by the Certification Authority (CA) to s ign your ke ys .

4.11.2. Using Implement at ions of T LS


Re d Hat Ente rpris e Linux 7 is dis tribute d with s e ve ral full-fe ature d imple me ntations of TLS.
In this s e ction, the configuration of OpenSSL and GnuT LS is de s cribe d. Se e
Se ction 4.11.3, Configuring Spe cific Applications for ins tructions on how to configure TLS
s upport in individual applications .
The available TLS imple me ntations offe r s upport for various cipher suites that de fine all
the e le me nts that come toge the r whe n e s tablis hing and us ing TLS-s e cure d
communications .
Us e the tools include d with the diffe re nt imple me ntations to lis t and s pe cify ciphe r s uite s
that provide the be s t pos s ible s e curity for your us e cas e while cons ide ring the
re comme ndations outline d in Se ction 4.11.1, Choos ing Algorithms to Enable . The
re s ulting ciphe r s uite s can the n be us e d to configure the way individual applications
ne gotiate and s e cure conne ctions .

Impo rtant
Be s ure to che ck your s e ttings following e ve ry update or upgrade of the TLS
imple me ntation you us e or the applications that utiliz e that imple me ntation. Ne w
ve rs ions may introduce ne w ciphe r s uite s that you do not want to have e nable d and
that your curre nt configuration doe s not dis able .

4.11.2.1. Working wit h Cipher Suit es in OpenSSL


OpenSSL is a toolkit and a cryptography library that s upport the SSL and TLS protocols . On
Re d Hat Ente rpris e Linux 7, a configuration file is provide d at /etc/pki/tls/openssl.cnf.
The format of this configuration file is de s cribe d in config(1). Se e als o Se ction 4.8.9,
Configuring Ope nSSL.
To ge t a lis t of all ciphe r s uite s s upporte d by your ins tallation of OpenSSL, us e the
openssl command with the ciphers s ubcommand as follows :

149

Se c ur it y Guide

~]$ openssl ciphers -v 'ALL:COMPLEMENTOFALL'


Pas s othe r parame te rs (re fe rre d to as cipher strings and keywords in OpenSSL
docume ntation) to the ciphers s ubcommand to narrow the output. Spe cial ke ywords can
be us e d to only lis t s uite s that s atis fy a ce rtain condition. For e xample , to only lis t s uite s
that are de fine d as be longing to the HIGH group, us e the following command:
~]$ openssl ciphers -v 'HIGH'
Se e the ciphe rs (1) manual page for a lis t of available ke ywords and ciphe r s trings .
To obtain a lis t of ciphe r s uite s that s atis fy the re comme ndations outline d in
Se ction 4.11.1, Choos ing Algorithms to Enable , us e a command s imilar to the following:
~]$ openssl ciphers -v 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES'
| column -t
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384
TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)
Mac=SHA384
ECDHE-ECDSA-AES256-SHA
SSLv3
Kx=ECDH Au=ECDSA Enc=AES(256)
Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256
TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)
Mac=SHA256
ECDHE-ECDSA-AES128-SHA
SSLv3
Kx=ECDH Au=ECDSA Enc=AES(128)
Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384
TLSv1.2 Kx=ECDH Au=RSA
Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384
TLSv1.2 Kx=ECDH Au=RSA
Enc=AES(256)
Mac=SHA384
ECDHE-RSA-AES256-SHA
SSLv3
Kx=ECDH Au=RSA
Enc=AES(256)
Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=ECDH Au=RSA
Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256
TLSv1.2 Kx=ECDH Au=RSA
Enc=AES(128)
Mac=SHA256
ECDHE-RSA-AES128-SHA
SSLv3
Kx=ECDH Au=RSA
Enc=AES(128)
Mac=SHA1
DHE-RSA-AES256-GCM-SHA384
TLSv1.2 Kx=DH
Au=RSA
Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256
TLSv1.2 Kx=DH
Au=RSA
Enc=AES(256)
Mac=SHA256
DHE-RSA-AES256-SHA
SSLv3
Kx=DH
Au=RSA
Enc=AES(256)
Mac=SHA1
DHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=DH
Au=RSA
Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256
TLSv1.2 Kx=DH
Au=RSA
Enc=AES(128)
Mac=SHA256
DHE-RSA-AES128-SHA
SSLv3
Kx=DH
Au=RSA
Enc=AES(128)
Mac=SHA1

150

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

The above command omits all ins e cure ciphe rs , give s pre fe re nce to ephemeral elliptic
curve Diffie-Hellman ke y e xchange and ECDSA ciphe rs , and omits RSA ke y e xchange
(thus e ns uring perfect forward secrecy).
Note that this is a rathe r s trict configuration, and it might be ne ce s s ary to re lax the
conditions in re al-world s ce narios to allow for a compatibility with a broade r range of
clie nts .

4.11.2.2. Working wit h Cipher Suit es in GnuT LS


GnuT LS is a communications library that imple me nts the SSL and TLS protocols and
re late d te chnologie s .

No te
The GnuT LS ins tallation on Re d Hat Ente rpris e Linux 7 offe rs optimal de fault
configuration value s that provide s ufficie nt s e curity for the majority of us e cas e s .
Unle s s you ne e d to s atis fy s pe cial s e curity re quire me nts , it is re comme nde d to us e
the s upplie d de faults .
Us e the gnutls-cli command with the -l (or --list) option to lis t all s upporte d ciphe r
s uite s :
~]$ gnutls-cli -l
To narrow the lis t of ciphe r s uite s dis playe d by the -l option, pas s one or more
parame te rs (re fe rre d to as priority strings and keywords in GnuT LS docume ntation) to the
--priority option. Se e the GnuT LS docume ntation at
http://www.gnutls .org/manual/gnutls .html#Priority-Strings for a lis t of all available priority
s trings . For e xample , is s ue the following command to ge t a lis t of ciphe r s uite s that offe r
at le as t 128 bits of s e curity:
~]$ gnutls-cli --priority SECURE128 -l
To obtain a lis t of ciphe r s uite s that s atis fy the re comme ndations outline d in
Se ction 4.11.1, Choos ing Algorithms to Enable , us e a command s imilar to the following:
~]$ gnutls-cli --priority SECURE256:+SECURE128:-VERS-TLS-ALL:+VERSTLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC -l
Cipher suites for SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
0xc0, 0x2c
TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384
0xc0, 0x24
TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1
0xc0, 0x0a
SSL3.0
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256
0xc0, 0x2b
TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256
0xc0, 0x23
TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1
0xc0, 0x09
SSL3.0

151

Se c ur it y Guide

TLS_ECDHE_RSA_AES_256_GCM_SHA384
TLS1.2
TLS_ECDHE_RSA_AES_256_CBC_SHA1
SSL3.0
TLS_ECDHE_RSA_AES_128_GCM_SHA256
TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA256
TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA1
SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA256
TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1
SSL3.0
TLS_DHE_RSA_AES_128_GCM_SHA256
TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA256
TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA1
SSL3.0

0xc0, 0x30
0xc0, 0x14
0xc0, 0x2f
0xc0, 0x27
0xc0, 0x13
0x00, 0x6b
0x00, 0x39
0x00, 0x9e
0x00, 0x67
0x00, 0x33

Certificate types: CTYPE-X.509


Protocols: VERS-TLS1.2
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1, CURVE-SECP256R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512,
SIGN-ECDSA-SHA512, SIGN-RSA-SHA256, SIGN-DSA-SHA256, SIGN-ECDSA-SHA256
The above command limits the output to ciphe rs with at le as t 128 bits of s e curity while
giving pre fe re nce to the s tronge r one s . It als o forbids RSA ke y e xchange and DSS
authe ntication.
Note that this is a rathe r s trict configuration, and it might be ne ce s s ary to re lax the
conditions in re al-world s ce narios to allow for a compatibility with a broade r range of
clie nts .

4.11.3. Conf iguring Specif ic Applicat ions


Diffe re nt applications provide the ir own configuration me chanis ms for TLS. This s e ction
de s cribe s the TLS-re late d configuration file s e mploye d by the mos t commonly us e d
s e rve r applications and offe rs e xample s of typical configurations .
Re gardle s s of the configuration you choos e to us e , always make s ure to mandate that
your s e rve r application e nforce s server-side cipher order, s o that the ciphe r s uite to be
us e d is de te rmine d by the orde r you configure .

4.11.3.1. Conf iguring t he Apache HT T P Server


The Apache HT T P Server can us e both OpenSSL and NSS librarie s for its TLS ne e ds .
De pe nding on your choice of the TLS library, you ne e d to ins tall e ithe r the mo d_ssl or the
mo d_nss module (provide d by e ponymous package s ). For e xample , to ins tall the package
that provide s the OpenSSL mo d_ssl module , is s ue the following command as root:
~]# yum install mod_ssl

152

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

The mod_ssl package ins talls the /etc/httpd/conf.d/ssl.conf configuration file , which
can be us e d to modify the TLS-re late d s e ttings of the Apache HT T P Server. Similarly,
the mod_nss package ins talls the /etc/httpd/conf.d/nss.conf configuration file .
Ins tall the httpd-manual package to obtain comple te docume ntation for the Apache HT T P
Server, including TLS configuration. The dire ctive s available in the
/etc/httpd/conf.d/ssl.conf configuration file are de s cribe d in de tail in
/usr/share/httpd/manual/mod/mod_ssl.html. Example s of various s e ttings are in
/usr/share/httpd/manual/ssl/ssl_howto.html.
Whe n modifying the s e ttings in the /etc/httpd/conf.d/ssl.conf configuration file , be
s ure to cons ide r the following thre e dire ctive s at the minimum:
SSLProtocol
Us e this dire ctive to s pe cify the ve rs ion of TLS (or SSL) you want to allow.
SSLCipherSuite
Us e this dire ctive to s pe cify your pre fe rre d ciphe r s uite or dis able the one s you
want to dis allow.
SSLHonorCipherOrder
Uncomme nt and s e t this dire ctive to on to e ns ure that the conne cting clie nts
adhe re to the orde r of ciphe rs you s pe cifie d.
For e xample :
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
Note that the above configuration is the bare minimum, and it can be harde ne d
s ignificantly by following the re comme ndations outline d in Se ction 4.11.1, Choos ing
Algorithms to Enable .
To configure and us e the mo d_nss module , modify the /etc/httpd/conf.d/nss.conf
configuration file . The mo d_nss module is de rive d from mo d_ssl, and as s uch it s hare s
many fe ature s with it, not le as t the s tructure of the configuration file , and the dire ctive s
that are available . Note that the mo d_nss dire ctive s have a pre fix of NSS ins te ad of SSL.
Se e https ://git.fe dorahos te d.org/cgit/mod_ns s .git/plain/docs /mod_ns s .html for an ove rvie w
of information about mo d_nss, including a lis t of mo d_ssl configuration dire ctive s that are
not applicable to mo d_nss.

4.11.3.2. Conf iguring t he Dovecot Mail Server


To configure your ins tallation of the Do veco t mail s e rve r to us e TLS, modify the
/etc/dovecot/conf.d/10-ssl.conf configuration file . You can find an e xplanation of
s ome of the bas ic configuration dire ctive s available in that file in
/usr/share/doc/dovecot-2.2.10/wiki/SSL.DovecotConfiguration.txt (this he lp file
is ins talle d along with the s tandard ins tallation of Do veco t ).
Whe n modifying the s e ttings in the /etc/dovecot/conf.d/10-ssl.conf configuration file ,
be s ure to cons ide r the following thre e dire ctive s at the minimum:
ssl_protocols

153

Se c ur it y Guide

Us e this dire ctive to s pe cify the ve rs ion of TLS (or SSL) you want to allow.
ssl_cipher_list
Us e this dire ctive to s pe cify your pre fe rre d ciphe r s uite s or dis able the one s you
want to dis allow.
ssl_prefer_server_ciphers
Uncomme nt and s e t this dire ctive to yes to e ns ure that the conne cting clie nts
adhe re to the orde r of ciphe rs you s pe cifie d.
For e xample :
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers = yes
Note that the above configuration is the bare minimum, and it can be harde ne d
s ignificantly by following the re comme ndations outline d in Se ction 4.11.1, Choos ing
Algorithms to Enable .

4.11.4. Addit ional Inf ormat ion


For more information about T LS configuration and re late d topics , s e e the re s ource s lis te d
be low.

Inst alled Document at ion


config(1) De s cribe s the format of the /etc/ssl/openssl.conf configuration file .
ciphe rs (1) Include s a lis t of available OpenSSL ke ywords and ciphe r s trings .
/usr/share/httpd/manual/mod/mod_ssl.html Contains de taile d de s criptions of the
dire ctive s available in the /etc/httpd/conf.d/ssl.conf configuration file us e d by the
mo d_ssl module for the Apache HT T P Server.
/usr/share/httpd/manual/ssl/ssl_howto.html Contains practical e xample s of
re al-world s e ttings in the /etc/httpd/conf.d/ssl.conf configuration file us e d by the
mo d_ssl module for the Apache HT T P Server.
/usr/share/doc/dovecot-2.2.10/wiki/SSL.DovecotConfiguration.txt Explains
s ome of the bas ic configuration dire ctive s available in the /etc/dovecot/conf.d/10ssl.conf configuration file us e d by the Do veco t mail s e rve r.

Online Document at ion


Re d Hat Ente rpris e Linux 7 SELinux Us e r's and Adminis trator's Guide The SELinux
User's and Administrator's Guide for Re d Hat Ente rpris e Linux 7 de s cribe s the bas ic
principle s of SELinux and docume nts in de tail how to configure and us e SELinux with
various s e rvice s , s uch as the Apache HT T P Server.
http://tools .ie tf.org/html/draft-ie tf-uta-tls -bcp-00 Re comme ndations for s e cure us e of
TLS and DTLS.

See Also

154

C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

Se ction A.2.4, SSL/TLS provide s a concis e de s cription of the SSL and TLS protocols .
Se ction 4.8, Us ing Ope nSSL de s cribe s , among othe r things , how to us e OpenSSL to
cre ate and manage ke ys , ge ne rate ce rtificate s , and e ncrypt and de crypt file s .

155

Se c ur it y Guide

Chapt er 5. Syst em Audit ing


The Linux Audit s ys te m provide s a way to track s e curity-re le vant information on your
s ys te m. Bas e d on pre -configure d rule s , Audit ge ne rate s log e ntrie s to re cord as much
information about the e ve nts that are happe ning on your s ys te m as pos s ible . This
information is crucial for mis s ion-critical e nvironme nts to de te rmine the violator of the
s e curity policy and the actions the y pe rforme d. Audit doe s not provide additional s e curity
to your s ys te m; rathe r, it can be us e d to dis cove r violations of s e curity policie s us e d on
your s ys te m. The s e violations can furthe r be pre ve nte d by additional s e curity me as ure s
s uch as SELinux.
The following lis t s ummariz e s s ome of the information that Audit is capable of re cording in
its log file s :
Date and time , type , and outcome of an e ve nt.
Se ns itivity labe ls of s ubje cts and obje cts .
As s ociation of an e ve nt with the ide ntity of the us e r who trigge re d the e ve nt.
All modifications to Audit configuration and atte mpts to acce s s Audit log file s .
All us e s of authe ntication me chanis ms , s uch as SSH, Ke rbe ros , and othe rs .
Change s to any trus te d databas e , s uch as /etc/passwd.
Atte mpts to import or e xport information into or from the s ys te m.
Include or e xclude e ve nts bas e d on us e r ide ntity, s ubje ct and obje ct labe ls , and othe r
attribute s .
The us e of the Audit s ys te m is als o a re quire me nt for a numbe r of s e curity-re late d
ce rtifications . Audit is de s igne d to me e t or e xce e d the re quire me nts of the following
ce rtifications or compliance guide s :
Controlle d Acce s s Prote ction Profile (CAPP)
Labe le d Se curity Prote ction Profile (LSPP)
Rule Se t Bas e Acce s s Control (RSBAC)
National Indus trial Se curity Program Ope rating Manual (NISPOM)
Fe de ral Information Se curity Manage me nt Act (FISMA)
Payme nt Card Indus try Data Se curity Standard (PCI-DSS)
Se curity Te chnical Imple me ntation Guide s (STIG)
Audit has als o be e n:
Evaluate d by National Information As s urance Partne rs hip (NIAP) and Be s t Se curity
Indus trie s (BSI).
Ce rtifie d to LSPP/CAPP/RSBAC/EAL4+ on Re d Hat Ente rpris e Linux 5.
Ce rtifie d to Ope rating Sys te m Prote ction Profile / Evaluation As s urance Le ve l 4+
(OSPP/EAL4+) on Re d Hat Ente rpris e Linux 6.

156

C hapt e r 5. Sys t e m Audit ing

Use Cases
Wat ching f ile access
Audit can track whe the r a file or a dire ctory has be e n acce s s e d, modifie d,
e xe cute d, or the file 's attribute s have be e n change d. This is us e ful, for e xample ,
to de te ct acce s s to important file s and have an Audit trail available in cas e one of
the s e file s is corrupte d.
Mo nit o ring syst em calls
Audit can be configure d to ge ne rate a log e ntry e ve ry time a particular s ys te m
call is us e d. This can be us e d, for e xample , to track change s to the s ys te m time
by monitoring the settimeofday, clock_adjtime, and othe r time -re late d s ys te m
calls .
Reco rding co mmands run by a user
Be caus e Audit can track whe the r a file has be e n e xe cute d, a numbe r of rule s can
be de fine d to re cord e ve ry e xe cution of a particular command. For e xample , a
rule can be de fine d for e ve ry e xe cutable in the /bin dire ctory. The re s ulting log
e ntrie s can the n be s e arche d by us e r ID to ge ne rate an audit trail of e xe cute d
commands pe r us e r.
Reco rding securit y event s
The pam_faillock authe ntication module is capable of re cording faile d login
atte mpts . Audit can be s e t up to re cord faile d login atte mpts as we ll, and provide s
additional information about the us e r who atte mpte d to log in.
Searching f o r event s
Audit provide s the ausearch utility, which can be us e d to filte r the log e ntrie s
and provide a comple te audit trail bas e d on a numbe r of conditions .
Running summary repo rt s
The aurepo rt utility can be us e d to ge ne rate , among othe r things , daily re ports
of re corde d e ve nts . A s ys te m adminis trator can the n analyz e the s e re ports and
inve s tigate s us picious activity furthe rmore .
Mo nit o ring net wo rk access
The ipt ables and ebt ables utilitie s can be configure d to trigge r Audit e ve nts ,
allowing s ys te m adminis trators to monitor ne twork acce s s .

No te
Sys te m pe rformance may be affe cte d de pe nding on the amount of information that
is colle cte d by Audit.

5.1. Audit Syst em Archit ect ure


The Audit s ys te m cons is ts of two main parts : the us e r-s pace applications and utilitie s , and
the ke rne l-s ide s ys te m call proce s s ing. The ke rne l compone nt re ce ive s s ys te m calls from
us e r-s pace applications and filte rs the m through one of the thre e filte rs : user, task, or exit.

157

Se c ur it y Guide

Once a s ys te m call pas s e s through one of the s e filte rs , it is s e nt through the exclude
filte r, which, bas e d on the Audit rule configuration, s e nds it to the Audit dae mon for furthe r
proce s s ing. Figure 5.1, Audit s ys te m archite cture illus trate s this proce s s .

Figure 5.1. Audit syst em archit ect ure


The us e r-s pace Audit dae mon colle cts the information from the ke rne l and cre ate s log file
e ntrie s in a log file . Othe r Audit us e r-s pace utilitie s inte ract with the Audit dae mon, the
ke rne l Audit compone nt, or the Audit log file s :
audisp the Audit dis patche r dae mon inte racts with the Audit dae mon and s e nds
e ve nts to othe r applications for furthe r proce s s ing. The purpos e of this dae mon is to
provide a plug-in me chanis m s o that re al-time analytical programs can inte ract with
Audit e ve nts .
audit ct l the Audit control utility inte racts with the ke rne l Audit compone nt to control
a numbe r of s e ttings and parame te rs of the e ve nt ge ne ration proce s s .
The re maining Audit utilitie s take the conte nts of the Audit log file s as input and
ge ne rate output bas e d on us e r's re quire me nts . For e xample , the aurepo rt utility
ge ne rate s a re port of all re corde d e ve nts .

5.2. Inst alling t he audit Packages


In orde r to us e the Audit s ys te m, you mus t have the audit package s ins talle d on your
s ys te m. The audit package s (audit and audit-libs) are ins talle d by de fault on Re d Hat
Ente rpris e Linux 7. If you do not have the s e package s ins talle d, e xe cute the following
command as the root us e r to ins tall the m:
~]# yum install audit

5.3. Configuring t he
158

audit

Service

C hapt e r 5. Sys t e m Audit ing

5.3. Configuring t he

audit

Service

The Audit dae mon can be configure d in the /etc/audit/auditd.conf configuration file .
This file cons is ts of configuration parame te rs that modify the be havior of the Audit
dae mon. Any e mpty line s or any te xt following a has h s ign (#) is ignore d. A comple te
lis ting of all configuration parame te rs and the ir e xplanation can be found in the
audit.conf(5) man page .

5.3.1. Conf iguring auditd f or a CAPP Environment


The de fault auditd configuration s hould be s uitable for mos t e nvironme nts . Howe ve r, if
your e nvironme nt has to me e t the crite ria s e t by the Controlled Access Protection Profile
(CAPP), which is a part of the Common Crite ria ce rtification, the Audit dae mon mus t be
configure d with the following s e ttings :
The dire ctory that holds the Audit log file s (us ually /var/log/audit/) s hould re s ide on
a s e parate partition. This pre ve nts othe r proce s s e s from cons uming s pace in this
dire ctory, and provide s accurate de te ction of the re maining s pace for the Audit
dae mon.
The max_log_file parame te r, which s pe cifie s the maximum s iz e of a s ingle Audit log
file , mus t be s e t to make full us e of the available s pace on the partition that holds the
Audit log file s .
The max_log_file_action parame te r, which de cide s what action is take n once the
limit s e t in max_log_file is re ache d, s hould be s e t to keep_logs to pre ve nt Audit log
file s from be ing ove rwritte n.
The space_left parame te r, which s pe cifie s the amount of fre e s pace le ft on the dis k
for which an action that is s e t in the space_left_action parame te r is trigge re d, mus t
be s e t to a numbe r that give s the adminis trator e nough time to re s pond and fre e up
dis k s pace . The space_left value de pe nds on the rate at which the Audit log file s are
ge ne rate d.
It is re comme nde d to s e t the space_left_action parame te r to email or exec with an
appropriate notification me thod.
The admin_space_left parame te r, which s pe cifie s the abs olute minimum amount of
fre e s pace for which an action that is s e t in the admin_space_left_action parame te r
is trigge re d, mus t be s e t to a value that le ave s e nough s pace to log actions pe rforme d
by the adminis trator.
The admin_space_left_action parame te r mus t be s e t to single to put the s ys te m
into s ingle -us e r mode and allow the adminis trator to fre e up s ome dis k s pace .
The disk_full_action parame te r, which s pe cifie s an action that is trigge re d whe n no
fre e s pace is available on the partition that holds the Audit log file s , mus t be s e t to
halt or single. This e ns ure s that the s ys te m is e ithe r s hut down or ope rating in
s ingle -us e r mode whe n Audit can no longe r log e ve nts .
The disk_error_action, which s pe cifie s an action that is trigge re d in cas e an e rror is
de te cte d on the partition that holds the Audit log file s , mus t be s e t to syslog, single,
or halt, de pe nding on your local s e curity policie s re garding the handling of hardware
malfunctions .
The flush configuration parame te r mus t be s e t to sync or data. The s e parame te rs
as s ure that all Audit e ve nt data is fully s ynchroniz e d with the log file s on the dis k.
The re maining configuration options s hould be s e t according to your local s e curity policy.

159

Se c ur it y Guide

5.4. St art ing t he

audit

Service

Once auditd is prope rly configure d, s tart the s e rvice to colle ct Audit information and s tore
it in the log file s . Exe cute the following command as the root us e r to s tart auditd:
~]# service auditd start

No te
The service command is the only way to corre ctly inte ract with the auditd dae mon.
You ne e d to us e the service command s o that the auid value is prope rly re corde d.
You can us e the systemctl command only for two actions : enable and status.
Optionally, you can configure auditd to s tart at boot time us ing the following command as
the root us e r:
~]# systemctl enable auditd
A numbe r of othe r actions can be pe rforme d on auditd us ing the service auditd
action command, whe re action can be one of the following:
stop s tops auditd.
restart re s tarts auditd.
reload or force-reload re loads the configuration of audit d from the
/etc/audit/auditd.conf file .
rotate rotate s the log file s in the /var/log/audit/ dire ctory.
resume re s ume s logging of Audit e ve nts afte r it has be e n pre vious ly s us pe nde d, for
e xample , whe n the re is not e nough fre e s pace on the dis k partition that holds the Audit
log file s .
condrestart or try-restart re s tarts audit d only if it is alre ady running.
status dis plays the running s tatus of audit d.

5.5. Defining Audit Rules


The Audit s ys te m ope rate s on a s e t of rule s that de fine what is to be capture d in the log
file s . The re are thre e type s of Audit rule s that can be s pe cifie d:
Control rule s allow the Audit s ys te m's be havior and s ome of its configuration to be
modifie d.
File s ys te m rule s als o known as file watche s , allow the auditing of acce s s to a
particular file or a dire ctory.
Sys te m call rule s allow logging of s ys te m calls that any s pe cifie d program make s .
Audit rule s can be s pe cifie d on the command line with the audit ct l utility (note that the s e
rule s are not pe rs is te nt acros s re boots ), or writte n in the /etc/audit/audit.rules file .
The following two s e ctions s ummariz e both approache s to de fining Audit rule s .

160

C hapt e r 5. Sys t e m Audit ing

5.5.1. Def ining Audit Rules wit h t he audit ct l Ut ilit y

No te
All commands which inte ract with the Audit s e rvice and the Audit log file s re quire
root privile ge s . Ens ure you e xe cute the s e commands as the root us e r.
The auditctl command allows you to control the bas ic functionality of the Audit s ys te m
and to de fine rule s that de cide which Audit e ve nts are logge d.

Def ining Cont rol Rules


The following are s ome of the control rule s that allow you to modify the be havior of the
Audit s ys te m:
-b
s e ts the maximum amount of e xis ting Audit buffe rs in the ke rne l, for e xample :
~]# auditctl -b 8192
-f
s e ts the action that is pe rforme d whe n a critical e rror is de te cte d, for e xample :
~]# auditctl -f 2
The above configuration trigge rs a ke rne l panic in cas e of a critical e rror.
-e
e nable s and dis able s the Audit s ys te m or locks its configuration, for e xample :
~]# auditctl -e 2
The above command locks the Audit configuration.
-r
s e ts the rate of ge ne rate d me s s age s pe r s e cond, for e xample :
~]# auditctl -r 0
The above configuration s e ts no rate limit on ge ne rate d me s s age s .
-s
re ports the s tatus of the Audit s ys te m, for e xample :
~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=0 rate_limit=0
backlog_limit=8192 lost=259 backlog=0

161

Se c ur it y Guide

-l
lis ts all curre ntly loade d Audit rule s , for e xample :
~]# auditctl -l
LIST_RULES: exit,always
change
LIST_RULES: exit,always
LIST_RULES: exit,always
LIST_RULES: exit,always

watch=/etc/localtime perm=wa key=timewatch=/etc/group perm=wa key=identity


watch=/etc/passwd perm=wa key=identity
watch=/etc/gshadow perm=wa key=identity

-D
de le te s all curre ntly loade d Audit rule s , for e xample :
~]# auditctl -D
No rules

Def ining File Syst em Rules


To de fine a file s ys te m rule , us e the following s yntax:
auditctl -w path_to_file -p permissions -k key_name
whe re :
path_to_file is the file or dire ctory that is audite d.
permissions are the pe rmis s ions that are logge d:
r re ad acce s s to a file or a dire ctory.
w write acce s s to a file or a dire ctory.
x e xe cute acce s s to a file or a dire ctory.
a change in the file 's or dire ctory's attribute .
key_name is an optional s tring that he lps you ide ntify which rule or a s e t of rule s
ge ne rate d a particular log e ntry.

Example 5.1. File Syst em Rules


To de fine a rule that logs all write acce s s to, and e ve ry attribute change of, the
/etc/passwd file , e xe cute the following command:
~]# auditctl -w /etc/passwd -p wa -k passwd_changes
Note that the s tring following the -k option is arbitrary.
To de fine a rule that logs all write acce s s to, and e ve ry attribute change of, all the file s
in the /etc/selinux/ dire ctory, e xe cute the following command:
~]# auditctl -w /etc/selinux/ -p wa -k selinux_changes

162

C hapt e r 5. Sys t e m Audit ing

To de fine a rule that logs the e xe cution of the /sbin/insmod command, which ins e rts a
module into the Linux ke rne l, e xe cute the following command:
~]# auditctl -w /sbin/insmod -p x -k module_insertion

Def ining Syst em Call Rules


To de fine a s ys te m call rule , us e the following s yntax:
auditctl -a action,filter -S system_call -F field=value -k key_name
whe re :
action and filter s pe cify whe n a ce rtain e ve nt is logge d. action can be e ithe r always or
never. filter s pe cifie s which ke rne l rule -matching filte r is applie d to the e ve nt. The rule matching filte r can be one of the following: task, exit, user, and exclude. For more
information about the s e filte rs , re fe r to the be ginning of Se ction 5.1, Audit Sys te m
Archite cture .
system_call s pe cifie s the s ys te m call by its name . A lis t of all s ys te m calls can be
found in the /usr/include/asm/unistd_64.h file . Se ve ral s ys te m calls can be
groupe d into one rule , e ach s pe cifie d afte r the -S option.
field=value s pe cifie s additional options that furthe rmore modify the rule to match
e ve nts bas e d on a s pe cifie d archite cture , group ID, proce s s ID, and othe rs . For a full
lis ting of all available fie ld type s and the ir value s , re fe r to the auditctl(8) man page .
key_name is an optional s tring that he lps you ide ntify which rule or a s e t of rule s
ge ne rate d a particular log e ntry.

Example 5.2. Syst em Call Rules


To de fine a rule that cre ate s a log e ntry e ve ry time the adjtimex or settimeofday
s ys te m calls are us e d by a program, and the s ys te m us e s the 64-bit archite cture ,
e xe cute the following command:
~]# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k
time_change
To de fine a rule that cre ate s a log e ntry e ve ry time a file is de le te d or re name d by a
s ys te m us e r whos e ID is 500 or large r (the -F auid!=4294967295 option is us e d to
e xclude us e rs whos e login UID is not s e t), e xe cute the following command:
~]# auditctl -a always,exit -S unlink -S unlinkat -S rename -S
renameat -F auid>=500 -F auid!=4294967295 -k delete
It is als o pos s ible to de fine a file s ys te m rule us ing the s ys te m call rule s yntax. The
following command cre ate s a rule for s ys te m calls that is analogous to the -w
/etc/shadow -p wa file s ys te m rule :
~]# auditctl -a always,exit -F path=/etc/shadow -F perm=wa

163

Se c ur it y Guide

5.5.2. Def ining Persist ent Audit Rules and Cont rols in t he
/etc/audit/audit.rules File
To de fine Audit rule s that are pe rs is te nt acros s re boots , you mus t include the m in the
/etc/audit/audit.rules file . This file us e s the s ame auditctl command line s yntax to
s pe cify the rule s . Any e mpty line s or any te xt following a has h s ign (#) is ignore d.
The auditctl command can als o be us e d to re ad rule s from a s pe cifie d file with the -R
option, for e xample :
~]# auditctl -R /usr/share/doc/audit-version/stig.rules

Def ining Cont rol Rules


A file can contain only the following control rule s that modify the be havior of the Audit
s ys te m: -b, -D, -e, -f, and -r. For more information on the s e options , re fe r to
Se ction 5.5.1, De fining Control Rule s .

Example 5.3. Co nt ro l rules in audit.rules


# Delete all previous rules
-D
# Set buffer size
-b 8192
# Make the configuration immutable -- reboot is required to change
audit rules
-e 2
# Panic when a failure occurs
-f 2
# Generate at most 100 audit messages per second
-r 100

Def ining File Syst em and Syst em Call Rules


File s ys te m and s ys te m call rule s are de fine d us ing the auditctl s yntax. The e xample s
in Se ction 5.5.1, De fining Audit Rule s with the audit ct l Utility can be re pre s e nte d with
the following rule s file :

Example 5.4. File syst em and syst em call rules in audit.rules


-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux/ -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F
auid>=500 -F auid!=4294967295 -k delete

164

C hapt e r 5. Sys t e m Audit ing

Preconf igured Rules Files


In the /usr/share/doc/audit-version/ dire ctory, the audit package provide s a s e t of
pre -configure d rule s file s according to various ce rtification s tandards :
nispom.rules Audit rule configuration that me e ts the re quire me nts s pe cifie d in
Chapte r 8 of the National Indus trial Se curity Program Ope rating Manual.
capp.rules Audit rule configuration that me e ts the re quire me nts s e t by
Controlle d Acce s s Prote ction Profile (CAPP), which is a part of the Common Crite ria
ce rtification.
lspp.rules Audit rule configuration that me e ts the re quire me nts s e t by
Labe le d Se curity Prote ction Profile (LSPP), which is a part of the Common Crite ria
ce rtification.
stig.rules Audit rule configuration that me e ts the re quire me nts s e t by
Se curity Te chnical Imple me ntation Guide s (STIG).
To us e the s e configuration file s , cre ate a backup of your original
/etc/audit/audit.rules file and copy the configuration file of your choice ove r the
/etc/audit/audit.rules file :
~]# cp /etc/audit/audit.rules /etc/audit/audit.rules_backup
~]# cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules

5.6. Underst anding Audit Log Files


By de fault, the Audit s ys te m s tore s log e ntrie s in the /var/log/audit/audit.log file ; if
log rotation is e nable d, rotate d audit.log file s are s tore d in the s ame dire ctory.
The following Audit rule logs e ve ry atte mpt to re ad or modify the /etc/ssh/sshd_config
file :
-w /etc/ssh/sshd_config -p warx -k sshd_config
If the auditd dae mon is running, running the following command cre ate s a ne w e ve nt in
the Audit log file :
~]# cat /etc/ssh/sshd_config
This e ve nt in the audit.log file looks as follows :
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2
success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1
ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0
name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0

165

Se c ur it y Guide

The above e ve nt cons is ts of thre e re cords (e ach s tarting with the type= ke yword), which
s hare the s ame time s tamp and s e rial numbe r. Each re cord cons is ts of s e ve ral
name=value pairs s e parate d by a white s pace or a comma. A de taile d analys is of the
above e ve nt follows :

First Record
type=SYSCALL
The type fie ld contains the type of the re cord. In this e xample , the SYSCALL value
s pe cifie s that this re cord was trigge re d by a s ys te m call to the ke rne l.
For a lis t of all pos s ible type value s and the ir e xplanations , re fe r to Se ction B.2,
Audit Re cord Type s .
msg=audit(1364481363.243:24287):
The msg fie ld re cords :
a time s tamp and a unique ID of the re cord in the form
audit(time_stamp:ID). Multiple re cords can s hare the s ame time s tamp and
ID if the y we re ge ne rate d as part of the s ame Audit e ve nt.
various e ve nt-s pe cific name=value pairs provide d by the ke rne l or us e r s pace
applications .
arch=c000003e
The arch fie ld contains information about the CPU archite cture of the s ys te m. The
value , c000003e, is e ncode d in he xade cimal notation. Whe n s e arching Audit
re cords with the ausearch command, us e the -i or --interpret option to
automatically conve rt he xade cimal value s into the ir human-re adable e quivale nts .
The c000003e value is inte rpre te d as x86_64.
syscall=2
The syscall fie ld re cords the type of the s ys te m call that was s e nt to the ke rne l.
The value , 2, can be matche d with its human-re adable e quivale nt in the
/usr/include/asm/unistd_64.h file . In this cas e , 2 is the open s ys te m call. Note
that the ausyscall utility allows you to conve rt s ys te m call numbe rs to the ir
human-re adable e quivale nts . Us e the ausyscall --dump command to dis play a
lis ting of all s ys te m calls along with the ir numbe rs . For more information, re fe r to
the aus ys call(8) man page .
success=no
The success fie ld re cords whe the r the s ys te m call re corde d in that particular
e ve nt s ucce e de d or faile d. In this cas e , the call did not s ucce e d.
exit=-13
The exit fie ld contains a value that s pe cifie s the e xit code re turne d by the
s ys te m call. This value varie s for diffe re nt s ys te m call. You can inte rpre t the
value to its human-re adable e quivale nt with the following command: ausearch -interpret --exit -13 (as s uming your Audit log contains an e ve nt that faile d
with e xit code -13).
a0=7fffd19c5592, a1=0, a2=7fffd19c5592, a3=a

166

C hapt e r 5. Sys t e m Audit ing

The a0 to a3 fie lds re cord the firs t four argume nts , e ncode d in he xade cimal
notation, of the s ys te m call in this e ve nt. The s e argume nts de pe nd on the
s ys te m call that is us e d; the y can be inte rpre te d by the ausearch utility.
items=1
The items fie ld contains the numbe r of path re cords in the e ve nt.
ppid=2686
The ppid fie ld re cords the Pare nt Proce s s ID (PPID). In this cas e , 2686 was the
PPID of the bash proce s s .
pid=3538
The pid fie ld re cords the Proce s s ID (PID). In this cas e , 3538 was the PID of the
cat proce s s .
auid=500
The auid fie ld re cords the Audit us e r ID, that is the loginuid. This ID is as s igne d
to a us e r upon login and is inhe rite d by e ve ry proce s s e ve n whe n the us e r's
ide ntity change s (for e xample , by s witching us e r accounts with the su - john
command).
uid=500
The uid fie ld re cords the us e r ID of the us e r who s tarte d the analyz e d proce s s .
The us e r ID can be inte rpre te d into us e r name s with the following command:
ausearch -i --uid UID. In this cas e , 500 is the us e r ID of us e r shadowman.
gid=500
The gid fie ld re cords the group ID of the us e r who s tarte d the analyz e d proce s s .
euid=500
The euid fie ld re cords the e ffe ctive us e r ID of the us e r who s tarte d the analyz e d
proce s s .
suid=500
The suid fie ld re cords the s e t us e r ID of the us e r who s tarte d the analyz e d
proce s s .
fsuid=500
The fsuid fie ld re cords the file s ys te m us e r ID of the us e r who s tarte d the
analyz e d proce s s .
egid=500
The egid fie ld re cords the e ffe ctive group ID of the us e r who s tarte d the
analyz e d proce s s .
sgid=500
The sgid fie ld re cords the s e t group ID of the us e r who s tarte d the analyz e d
proce s s .
fsgid=500

167

Se c ur it y Guide

The fsgid fie ld re cords the file s ys te m group ID of the us e r who s tarte d the
analyz e d proce s s .
tty=pts0
The tty fie ld re cords the te rminal from which the analyz e d proce s s was invoke d.
ses=1
The ses fie ld re cords the s e s s ion ID of the s e s s ion from which the analyz e d
proce s s was invoke d.
comm="cat"
The comm fie ld re cords the command-line name of the command that was us e d to
invoke the analyz e d proce s s . In this cas e , the cat command was us e d to trigge r
this Audit e ve nt.
exe="/bin/cat"
The exe fie ld re cords the path to the e xe cutable that was us e d to invoke the
analyz e d proce s s .
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The subj fie ld re cords the SELinux conte xt with which the analyz e d proce s s was
labe le d at the time of e xe cution.
key="sshd_config"
The key fie ld re cords the adminis trator-de fine d s tring as s ociate d with the rule
that ge ne rate d this e ve nt in the Audit log.

Second Record
type=CWD
In the s e cond re cord, the type fie ld value is CWD curre nt working dire ctory. This
type is us e d to re cord the working dire ctory from which the proce s s that invoke d
the s ys te m call s pe cifie d in the firs t re cord was e xe cute d.
The purpos e of this re cord is to re cord the curre nt proce s s 's location in cas e a
re lative path winds up be ing capture d in the as s ociate d PATH re cord. This way the
abs olute path can be re cons tructe d.
msg=audit(1364481363.243:24287)
The msg fie ld holds the s ame time s tamp and ID value as the value in the firs t
re cord.
cwd="/home/shadowman"
The cwd fie ld contains the path to the dire ctory in which the s ys te m call was
invoke d.

T hird Record
type=PATH

168

C hapt e r 5. Sys t e m Audit ing

In the third re cord, the type fie ld value is PATH. An Audit e ve nt contains a PATHtype re cord for e ve ry path that is pas s e d to the s ys te m call as an argume nt. In
this Audit e ve nt, only one path (/etc/ssh/sshd_config) was us e d as an
argume nt.
msg=audit(1364481363.243:24287):
The msg fie ld holds the s ame time s tamp and ID value as the value in the firs t
and s e cond re cord.
item=0
The item fie ld indicate s which ite m, of the total numbe r of ite ms re fe re nce d in
the SYSCALL type re cord, the curre nt re cord is . This numbe r is z e ro-bas e d; a
value of 0 me ans it is the firs t ite m.
name="/etc/ssh/sshd_config"
The name fie ld re cords the full path of the file or dire ctory that was pas s e d to the
s ys te m call as an argume nt. In this cas e , it was the /etc/ssh/sshd_config file .
inode=409248
The inode fie ld contains the inode numbe r as s ociate d with the file or dire ctory
re corde d in this e ve nt. The following command dis plays the file or dire ctory that
is as s ociate d with the 409248 inode numbe r:
~]# find / -inum 409248 -print
/etc/ssh/sshd_config
dev=fd:00
The dev fie ld s pe cifie s the minor and major ID of the de vice that contains the file
or dire ctory re corde d in this e ve nt. In this cas e , the value re pre s e nts the
/dev/fd/0 de vice .
mode=0100600
The mode fie ld re cords the file or dire ctory pe rmis s ions , e ncode d in nume rical
notation. In this cas e , 0100600 can be inte rpre te d as -rw-------, me aning that
only the root us e r has re ad and write pe rmis s ions to the /etc/ssh/sshd_config
file .
ouid=0
The ouid fie ld re cords the obje ct owne r's us e r ID.
ogid=0
The ogid fie ld re cords the obje ct owne r's group ID.
rdev=00:00
The rdev fie ld contains a re corde d de vice ide ntifie r for s pe cial file s only. In this
cas e , it is not us e d as the re corde d file is a re gular file .
obj=system_u:object_r:etc_t:s0

The obj fie ld re cords the SELinux conte xt with which the re corde d file or dire ctory

169

Se c ur it y Guide

The obj fie ld re cords the SELinux conte xt with which the re corde d file or dire ctory
was labe le d at the time of e xe cution.
The Audit e ve nt analyz e d above contains only a s ubs e t of all pos s ible fie lds that an e ve nt
can contain. For a lis t of all e ve nt fie lds and the ir e xplanation, re fe r to Se ction B.1, Audit
Eve nt Fie lds . For a lis t of all e ve nt type s and the ir e xplanation, re fe r to Se ction B.2, Audit
Re cord Type s .

Example 5.5. Addit io nal audit.log event s


The following Audit e ve nt re cords a s ucce s s ful s tart of the auditd dae mon. The ver
fie ld s hows the ve rs ion of the Audit dae mon that was s tarte d.
type=DAEMON_START msg=audit(1363713609.192:5426): auditd start,
ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979
subj=unconfined_u:system_r:auditd_t:s0 res=success
The following Audit e ve nt re cords a faile d atte mpt of us e r with UID of 500 to log in as
the root us e r.
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500
auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su"
hostname=? addr=? terminal=pts/0 res=failed'

5.7. Searching t he Audit Log Files


The ausearch utility allows you to s e arch Audit log file s for s pe cific e ve nts . By de fault,
ausearch s e arche s the /var/log/audit/audit.log file . You can s pe cify a diffe re nt file
us ing the ausearch options -if file_name command. Supplying multiple options in one
ausearch command is e quivale nt to us ing the AND ope rator.

Example 5.6. Using ausearch t o search Audit lo g f iles


To s e arch the /var/log/audit/audit.log file for faile d login atte mpts , us e the
following command:
~]# ausearch --message USER_LOGIN --success no --interpret
To s e arch for all account, group, and role change s , us e the following command:
~]# ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m
DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i
To s e arch for all logge d actions pe rforme d by a ce rtain us e r, us ing the us e r's login ID
(auid), us e the following command:
~]# ausearch -ua 500 -i
To s e arch for all faile d s ys te m calls from ye s te rday up until now, us e the following
command:

170

C hapt e r 5. Sys t e m Audit ing

~]# ausearch --start yesterday --end now -m SYSCALL -sv no -i

For a full lis ting of all ausearch options , re fe r to the aus e arch(8) man page .

5.8. Creat ing Audit Report s


The aurepo rt utility allows you to ge ne rate s ummary and columnar re ports on the
e ve nts re corde d in Audit log file s . By de fault, all audit.log file s in the /var/log/audit/
dire ctory are que rie d to cre ate the re port. You can s pe cify a diffe re nt file to run the re port
agains t us ing the aureport options -if file_name command.

Example 5.7. Using aureport t o generat e Audit repo rt s


To ge ne rate a re port for logge d e ve nts in the pas t thre e days e xcluding the curre nt
e xample day, us e the following command:
~]# aureport --start 04/08/2013 00:00:00 --end 04/11/2013 00:00:00
To ge ne rate a re port of all e xe cutable file e ve nts , us e the following command:
~]# aureport -x
To ge ne rate a s ummary of the e xe cutable file e ve nt re port above , us e the following
command:
~]# aureport -x --summary
To ge ne rate a s ummary re port of faile d e ve nts for all us e rs , us e the following
command:
~]# aureport -u --failed --summary -i
To ge ne rate a s ummary re port of all faile d login atte mpts pe r e ach s ys te m us e r, us e
the following command:
~]# aureport --login --summary -i
To ge ne rate a re port from an ausearch que ry that s e arche s all file acce s s e ve nts for
us e r 500, us e the following command:
~]# ausearch --start today --loginuid 500 --raw | aureport -f -summary
To ge ne rate a re port of all Audit file s that are que rie d and the time range of e ve nts
the y include , us e the following command:
~]# aureport -t

For a full lis ting of all aureport options , re fe r to the aure port(8) man page .

171

Se c ur it y Guide

5.9. Addit ional Resources


For more information about the Audit s ys te m, re fe r to the following s ource s .

Online Sources
The Linux Audit Docume ntation Proje ct page : https ://github.com/linux-audit/auditdocume ntation/wiki.
Article Investigating kernel Return Codes with the Linux Audit System in the Hack In the
Box magaz ine : http://magaz ine .hackinthe box.org/is s ue s /HITB-Ez ine -Is s ue -005.pdf.

Inst alled Document at ion


Docume ntation provide d by the audit package can be found in the
/usr/share/doc/audit-version/ dire ctory.

Manual Pages
audis pd.conf(5)
auditd.conf(5)
aus e arch-e xpre s s ion(5)
audit.rule s (7)
audis pd(8)
auditctl(8)
auditd(8)
aulas t(8)
aulas tlog(8)
aure port(8)
aus e arch(8)
aus ys call(8)
autrace (8)
auvirt(8)

172

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

Chapt er 6. Compliance and Vulnerabilit y Scanning wit h


OpenSCAP
6.1. Securit y Compliance in Red Hat Ent erprise Linux
A compliance audit is a proce s s of figuring out whe the r a give n obje ct follows all the rule s
writte n out in a compliance policy. The compliance policy is de fine d by s e curity
profe s s ionals who s pe cify de s ire d s e ttings , ofte n in the form of a che cklis t, that are to be
us e d in the computing e nvironme nt.
The compliance policy can vary s ubs tantially acros s organiz ations and e ve n acros s
diffe re nt s ys te ms within the s ame organiz ation. Diffe re nce s among the s e policie s are
bas e d on the purpos e of the s e s ys te ms and its importance for the organiz ation. The
cus tom s oftware s e ttings and de ployme nt characte ris tics als o rais e a ne e d for cus tom
policy che cklis ts .
Re d Hat Ente rpris e Linux provide s tools that allow for fully automate d compliance audit.
The s e tools are bas e d on the Se curity Conte nt Automation Protocol (SCAP) s tandard and
are de s igne d for automate d tailoring of compliance policie s .

Securit y Co mpliance T o o ls Suppo rt ed o n Red Hat Ent erprise Linux 7


SCAP Wo rkbench The scap-workbench graphical utility is de s igne d to pe rform
configuration and vulne rability s cans on a s ingle local or re mote s ys te m. It can be als o
us e d to ge ne rate s e curity re ports bas e d on the s e s cans and e valuations .
OpenSCAP The o scap command-line utility is de s igne d to pe rform configuration and
vulne rability s cans on a local s ys te m, to validate s e curity compliance conte nt, and to
ge ne rate re ports and guide s bas e d on the s e s cans and e valuations .
Script Check Engine (SCE) SCE is an e xte ns ion to the SCAP protocol that allows
adminis trators to write the ir s e curity conte nt us ing a s cripting language , s uch as Bas h,
Python, or Ruby. The SCE e xte ns ion is provide d in the openscap-engine-sce package .
SCAP Securit y Guide (SSG) The scap-security-guide package provide s the late s t
colle ction of s e curity policie s for Linux s ys te ms . The guidance cons is ts of a catalog of
practical harde ning advice , linke d to gove rnme nt re quire me nts whe re applicable . The
proje ct bridge s the gap be twe e n ge ne raliz e d policy re quire me nts and s pe cific
imple me ntation guide line s .
If you re quire pe rforming automate d compliance audits on multiple s ys te ms re mote ly, you
can utiliz e Ope nSCAP s olution for Re d Hat Sate llite . For more information s e e Se ction 6.7,
Us ing Ope nSCAP with Re d Hat Sate llite and Se ction 6.9, Additional Re s ource s .

6.2. Defining Compliance Policy


The s e curity or compliance policy is rare ly writte n from s cratch. ISO 270 0 0 s tandard
s e rie s , de rivative works , and othe r s ource s provide s e curity policy te mplate s and practice
re comme ndations that s hould be he lpful to s tart with. Howe ve r, organiz ations building
the irs information s e curity program ne e d to ame nd the policy te mplate s to align with the ir

173

Se c ur it y Guide

ne e ds . The policy te mplate s hould be chos e n on the bas is of its re le vancy to the company
e nvironme nt and the n the te mplate has to be adjus te d be caus e e ithe r the te mplate
contains build-in as s umptions which cannot be applie d to the organiz ation, or the te mplate
e xplicitly re quire s that ce rtain de cis ions have to be made .
Re d Hat Ente rpris e Linux auditing capabilitie s are bas e d on the Se curity Conte nt
Automation Protocol (SCAP) s tandard. SCAP is a s ynthe s is of inte rope rable s pe cifications
that s tandardiz e the format and nome nclature by which s oftware flaw and s e curity
configuration information is communicate d, both to machine s and humans . SCAP is a multipurpos e frame work of s pe cifications that s upports automate d configuration, vulne rability
and patch che cking, te chnical control compliance activitie s , and s e curity me as ure me nt.
In othe r words , SCAP is a ve ndor-ne utral way of e xpre s s ing s e curity policy, and as s uch it
is wide ly us e d in mode rn e nte rpris e s . SCAP s pe cifications cre ate an e cos ys te m whe re
the format of s e curity conte nt is we ll known and s tandardiz e d while the imple me ntation of
the s canne r or policy e ditor is not mandate d. Such a s tatus e nable s organiz ations to build
the ir s e curity policy (SCAP conte nt) once , no matte r how many s e curity ve ndors do the y
e mploy.
The late s t ve rs ion of SCAP include s s e ve ral unde rlying s tandards . The s e compone nts are
organiz e d into groups according to the ir function within SCAP as follows :

SCAP Co mpo nent s


Languages This group cons is ts of SCAP language s that de fine s tandard vocabularie s
and conve ntions for e xpre s s ing compliance policy.
The eXtensible Configuration Checklist Description Format (XCCDF) A language
de s igne d to e xpre s s , organiz e , and manage s e curity guidance .
Open Vulnerability and Assessment Language (OVAL) A language de ve lope d to
pe rform logical as s e rtion about the s tate of the s canne d s ys te m.
Open Checklist Interactive Language (OCIL) A language de s igne d to provide a
s tandard way to que ry us e rs and inte rpre t us e r re s pons e s to the give n que s tions .
Asset Identification (AI) A language de ve lope d to provide a data mode l, me thods ,
and guidance for ide ntifying s e curity as s e ts .
Asset Reporting Format (ARF) A language de s igne d to e xpre s s the trans port
format of information about colle cte d s e curity as s e ts and the re lations hip be twe e n
as s e ts and s e curity re ports .
Enumerations This group include s SCAP s tandards that de fine naming format and an
official lis t or dictionary of ite ms from ce rtain s e curity-re late d are as of inte re s t.
Common Configuration Enumeration (CCE) An e nume ration of s e curity-re le vant
configuration e le me nts for applications and ope rating s ys te ms .
Common Platform Enumeration (CPE) A s tructure d naming s che me us e d to ide ntify
information te chnology (IT) s ys te ms , platforms , and s oftware package s .
Common Vulnerabilities and Exposures (CVE) A re fe re nce me thod to a colle ction of
publicly known s oftware vulne rabilitie s and e xpos ure s .
Metrics This group compris e s of frame works to ide ntify and e valuate s e curity ris ks .
Common Configuration Scoring System (CCSS) A me tric s ys te m to e valuate

174

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

s e curity-re le vant configuration e le me nts and as s ign the m s core s in orde r to he lp


us e rs to prioritiz e appropriate re s pons e s te ps .
Common Vulnerability Scoring System (CVSS) A me tric s ys te m to e valuate
s oftware vulne rabilitie s and as s ign the m s core s in orde r to he lp us e rs prioritiz e
the ir s e curity ris ks .
Integrity An SCAP s pe cification to maintain inte grity of SCAP conte nt and s can re s ults .
Trust Model for Security Automation Data (TMSAD) A s e t of re comme ndations
e xplaining us age of e xis ting s pe cification to re pre s e nt s ignature s , has he s , ke y
information, and ide ntity information in conte xt of an XML file within a s e curity
automation domain.
Each of the SCAP compone nts has its own XML-bas e d docume nt format and its XML name
s pace . A compliance policy e xpre s s e d in SCAP can e ithe r take a form of a s ingle OVAL
de finition XML file , data s tre am file , s ingle z ip archive , or a s e t of s e parate XML file s
containing an XCCDF file that re pre s e nts a policy che cklis t.

6.2.1. T he XCCDF File Format


The XCCDF language is de s igne d to s upport information inte rchange , docume nt
ge ne ration, organiz ational and s ituational tailoring, automate d compliance te s ting, and
compliance s coring. The language is mos tly de s criptive and doe s not contain any
commands to pe rform s e curity s cans . Howe ve r, an XCCDF docume nt can re fe r to othe r
SCAP compone nts , and as s uch it can be us e d to craft a compliance policy that is portable
among all the targe t platforms with the e xce ption of the re late d as s e s s me nt docume nts
(OVAL, OCIL).
The common way to re pre s e nt a compliance policy is a s e t of XML file s whe re one of the
file s is an XCCDF che cklis t. This XCCDF file us ually points to the as s e s s me nt re s ource s ,
multiple OVAL, OCIL and the Script Che ck Engine (SCE) file s . Furthe rmore , the file s e t can
contain a CPE dictionary file and an OVAL file de fining obje cts for this dictionary.
Be ing an XML-bas e d language , the XCCDF de fine s and us e s a vas t s e le ction of XML
e le me nts and attribute s . The following lis t brie fly introduce s the main XCCDF e le me nts ;
for more de tails about XCCDF, cons ult the NIST Inte rage ncy Re port 7275 Re vis ion 4.

Main XML Element s o f t he XCCDF Do cument


<xccdf:Benchmark> This is a root e le me nt that e nclos e s the whole XCCDF
docume nt. It may als o contain che cklis t me tadata, s uch as a title , de s cription, lis t of
authors , date of the late s t modification, and s tatus of the che cklis t acce ptance .
<xccdf:Rule> This is a ke y e le me nt that re pre s e nts a che cklis t re quire me nt and
holds its de s cription. It may contain child e le me nts that de fine actions ve rifying or
e nforcing compliance with the give n rule or modify the rule its e lf.
<xccdf:Value> This ke y e le me nt is us e d for e xpre s s ing prope rtie s of othe r XCCDF
e le me nts within the be nchmark.
<xccdf:Group> This e le me nt is us e d to organiz e an XCCDF docume nt to s tructure s
with the s ame conte xt or re quire me nt domains by gathe ring the <xccdf:Rule>,
<xccdf:Value>, and <xccdf:Group> e le me nts .
<xccdf:Profile> This e le me nt s e rve s for a name d tailoring of the XCCDF

175

Se c ur it y Guide

be nchmark. It allows the be nchmark to hold s e ve ral diffe re nt tailorings .


<xccdf:Profile> utiliz e s s e ve ral s e le ctor e le me nts , s uch as <xccdf:select> or
<xccdf:refine-rule>, to de te rmine which e le me nts are going to be modifie d and
proce s s e d while it is in e ffe ct.
<xccdf:Tailoring> This e le me nt allows de fining the be nchmark profile s outs ide the
be nchmark, which is s ome time s de s irable for manual tailoring of the compliance policy.
<xccdf:TestResult> This e le me nt s e rve s for ke e ping the s can re s ults for the
give n be nchmark on the targe t s ys te m. Each <xccdf:TestResult> s hould re fe r to the
profile that was us e d to de fine the compliance policy for the particular s can and it
s hould als o contain important information about the targe t s ys te m that is re le vant for
the s can.
<xccdf:rule-result> This is a child e le me nt of <xccdf:TestResult> that is us e d
to hold the re s ult of applying a s pe cific rule from the be nchmark to the targe t s ys te m.
<xccdf:fix> This is a child e le me nt of <xccdf:Rule> that s e rve s for re me diation of
the targe t s ys te m that is not compliant with the give n rule . It can contain a command or
s cript that is run on the targe t s ys te m in orde r to bring the s ys te m into compliance the
rule .
<xccdf:check> This is a child e le me nt of <xccdf:Rule> that re fe rs to an e xte rnal
s ource which de fine s how to e valuate the give n rule .
<xccdf:select> This is a s e le ctor e le me nt that is us e d for including or e xcluding
the chos e n rule s or groups of rule s from the policy.
<xccdf:set-value> This is a s e le ctor e le me nt that is us e d for ove rwriting the
curre nt value of the s pe cifie d <xccdf:Value> e le me nt without modifying any of its
othe r prope rtie s .
<xccdf:refine-value> This is a s e le ctor e le me nt that is us e d for s pe cifying
cons traints of the particular <xccdf:Value> e le me nt during policy tailoring.
<xccdf:refine-rule> This s e le ctor e le me nt allows ove rwriting prope rtie s of the
s e le cte d rule s .

Example 6.1. An Example o f an XCCDF Do cument

<?xml version="1.0" encoding="UTF-8"?>


<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
id="xccdf_com.example.www_benchmark_test">
<status>incomplete</status>
<version>0.1</version>
<Profile id="xccdf_com.example.www_profile_1">
<title>Profile title is compulsory</title>
<select idref="xccdf_com.example.www_group_1"
selected="true"/>
<select idref="xccdf_com.example.www_rule_1"
selected="true"/>
<refine-value idref="xccdf_com.example.www_value_1"
selector="telnet service"/>
</Profile>
<Group id="xccdf_com.example.www_group_1">
<Value id="xccdf_com.example.www_value_1">

176

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

<value selector="telnet_service">telnet-server</value>
<value selector="dhcp_servide">dhcpd</value>
<value selector="ftp_service">tftpd</value>
</Value>
<Rule id="xccdf_com.example.www_rule_1">
<title>The telnet-server Package Shall Not Be Installed </title>
<rationale>
Removing the telnet-server package decreases the risk
of the telnet services accidental (or intentional) activation
</rationale>
<fix platform="cpe:/o:redhat:enterprise_linux:6"
reboot="false"
disruption="low"
system="urn:xccdf:fix:script:sh">
yum -y remove
<sub idref="xccdf_com.example.www_value_1"/>
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions5">
<check-export value-id="xccdf_com.example.www_value_1"
export-name="oval:com.example.www:var:1"/>
<check-content-ref href="examplary.oval.xml"
name="oval:com.example.www:def:1"/>
</check>
<check system="http://open-scap.org/page/SCE">
<check-import import-name="stdout"/>
<check-content-ref href="telnet_server.sh"/>
</check>
</Rule>
</Group>
</Benchmark>

6.2.2. T he OVAL File Format


The Ope n Vulne rability As s e s s me nt Language (OVAL) is the e s s e ntial and olde s t
compone nt of SCAP. The main goal of the OVAL s tandard is to e nable inte rope rability
among s e curity products . That is achie ve d by s tandardiz ation of the following thre e
domains :

1. Re pre s e ntation of the targe t s ys te m configuration.


2. Analys is of the targe t s ys te m for the pre s e nce of a particular machine s tate .
3. Re porting the re s ults of the comparis on be twe e n the s pe cifie d machine s tate and
the obs e rve d machine s tate .
Unlike othe r tools or cus tom s cripts , the OVAL language de s cribe s a de s ire d s tate of
re s ource s in a de clarative manne r. The OVAL language code is ne ve r e xe cute d dire ctly,
but by me ans of an OVAL inte rpre te r tool calle d scanner. The de clarative nature of OVAL
e ns ure s that the s tate of the as s e s s e d s ys te m is not accide ntally modifie d, which is
important be caus e s e curity s canne rs are ofte n run with the highe s t pos s ible privile ge s .

177

Se c ur it y Guide

OVAL s pe cification is ope n for public comme nts and contribution and various IT companie s
collaborate with the MITRE Corporation, fe de rally funde d not-for-profit organiz ation. The
OVAL s pe cification is continuous ly e volving and diffe re nt e ditions are dis tinguis he d by a
ve rs ion numbe r. The curre nt ve rs ion 5.10.1 was re le as e d in January 2012.
Like all othe r SCAP compone nts , OVAL is bas e d on XML. The OVAL s tandard de fine s
s e ve ral docume nt formats . Each of the m include s diffe re nt kind of information and s e rve s
a diffe re nt purpos e .

T he OVAL Do cument Fo rmat s


The OVAL Definitions format is the mos t common OVAL file format that is us e d dire ctly
for s ys te m s cans . The OVAL De finitions docume nt de s cribe s the de s ire d s tate of the
targe t s ys te m.
The OVAL Variables format de fine s variable s us e d to ame nd the OVAL De finitions
docume nt. The OVAL Variable s docume nt is typically us e d in conjunction with the OVAL
De finitions docume nt to tailor the s e curity conte nt for the targe t s ys te m at runtime .
The OVAL System Characteristics format holds information about the as s e s s e d s ys te m.
The OVAL Sys te m Characte ris tics docume nt is typically us e d to compare the actual
s tate of the s ys te m agains t the e xpe cte d s tate de fine d by an OVAL De finitions
docume nt.
The OVAL Results is the mos t compre he ns ive OVAL format that is us e d to re port
re s ults of the s ys te m e valuation. The OVAL Re s ults docume nt typically contains copy of
the e valuate d OVAL de finitions , bound OVAL variable s , OVAL s ys te m characte ris tics ,
and re s ults of te s ts that are compute d bas e d on comparis on of the s ys te m
characte ris tics and the de finitions .
The OVAL Directives format is us e d to tailor ve rbos ity of an OVAL Re s ult docume nt by
e ithe r including or e xcluding ce rtain de tails .
The OVAL Common Model format contains de finitions of cons tructs and e nume rations
us e d in s e ve ral othe r OVAL s che me s . It is us e d to re us e OVAL de finitions in orde r to
avoid duplications acros s multiple docume nts .
The OVAL De finitions docume nt cons is ts of a s e t of configuration re quire me nts whe re
e ach re quire me nt is de fine d in the following five bas ic s e ctions : definitions, tests, objects,
states, and variables. The e le me nts within the de finitions s e ction de s cribe which of the
te s ts s hall be fulfille d to s atis fy the give n de finition. The te s t e le me nts link obje cts and
s tate s toge the r. During the s ys te m e valuation, a te s t is cons ide re d pas s e d whe n a
re s ource of the as s e s s e d s ys te m that is de note d by the give n obje ct e le me nt
corre s ponds with the give n s tate e le me nt. The variable s s e ction de fine s e xte rnal
variable s which may be us e d to adjus t e le me nts from the s tate s s e ction. Be s ide s the s e
s e ctions , the OVAL De finitions docume nt typically contains als o the generator and
signature s e ctions . The generator s e ction holds information about the docume nt origin and
various additional information re late d to its conte nt.
Each e le me nt from the OVAL docume nt bas ic s e ctions is unambiguous ly ide ntifie d by an
ide ntifie r in the following form:
oval:namespace:type:ID

178

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

whe re namespace is a name s pace de fining the ide ntifie r, type is e ithe r def for de finitions
e le me nts , tst for te s ts e le me nts , obj for obje cts e le me nt, ste for s tate s e le me nts , and var
for variable s e le me nts , and ID is an inte ge r value of the ide ntifie r.

Example 6.2. An Example o f an OVAL Def init io ns Do cument

<?xml version="1.0" encoding="utf-8"?>


<oval_definitions
xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions5#linux"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<generator>
<oval:product_name>vim</oval:product_name>
<oval:schema_version>5.10.1</oval:schema_version>
<oval:timestamp>2012-11-22T15:00:00+01:00</oval:timestamp>
</generator>
<definitions>
<definition class="inventory"
id="oval:org.open-scap.cpe.rhel:def:7"
version="1">
<metadata>
<title>Red Hat Enterprise Linux 7</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:7"
source="CPE"/>
<description>
The operating system installed on the system is Red Hat
Enterprise Linux 7
</description>
</metadata>
<criteria>
<criterion comment="Red Hat Enterprise Linux 7 is installed"
test_ref="oval:org.open-scap.cpe.rhel:tst:7"/>
</criteria>
</definition>
</definitions>
<tests>
<lin-def:rpminfo_test check_existence="at_least_one_exists"
id="oval:org.open-scap.cpe.rhel:tst:7"
version="1"
check="at least one"
comment="redhat-release is version 7">
<lin-def:object object_ref="oval:org.open-scap.cpe.redhatrelease:obj:1"/>
<lin-def:state state_ref="oval:org.open-scap.cpe.rhel:ste:7"/>
</lin-def:rpminfo_test>
</tests>
<objects>
<lin-def:rpmverifyfile_object id="oval:org.open-scap.cpe.redhatrelease:obj:1"

179

Se c ur it y Guide

version="1">
<!-- This object represents rpm package which owns /etc/redhatrelease file -->
<lin-def:behaviors nolinkto='true'
nomd5='true'
nosize='true'
nouser='true'
nogroup='true'
nomtime='true'
nomode='true'
nordev='true'
noconfigfiles='true'
noghostfiles='true' />
<lin-def:name operation="pattern match"/>
<lin-def:epoch operation="pattern match"/>
<lin-def:version operation="pattern match"/>
<lin-def:release operation="pattern match"/>
<lin-def:arch operation="pattern match"/>
<lin-def:filepath>/etc/redhat-release</lin-def:filepath>
</lin-def:rpmverifyfile_object>
</objects>
<states>
<lin-def:rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:7"
version="1">
<lin-def:name operation="pattern match">^redhat-release</lindef:name>
<lin-def:version operation="pattern match">^7[^\d]</lindef:version>
</lin-def:rpminfo_state>
</states>
</oval_definitions>

6.2.3. T he Dat a St ream Format


SCAP data s tre am is a file format us e d s ince SCAP ve rs ion 1.2 and it re pre s e nts a bundle
of XCCDF, OVAL, and othe r compone nt file s which can be us e d to de fine a compliance
policy e xpre s s e d by an XCCDF che cklis t. It als o contains an inde x and catalog that allow
s plitting the give n data s tre am into file s according to the SCAP compone nts .
The data s tre am us e s XML format that cons is ts of a he ade r forme d by a table of conte nts
and a lis t of the <ds:component> e le me nts . Each of the s e e le me nts e ncompas s e s an
SCAP compone nt s uch as XCCDF, OVAL, CPE, and othe r. The data s tre am file may contain
multiple compone nts of the s ame type , and thus cove ring all s e curity policie s ne e de d by
your organiz ation.

Example 6.3. An Example o f a Dat a St ream Header

<ds:data-stream-collection
xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
id="scap_org.open-scap_collection_from_xccdf_ssg-rhel7-xccdf-

180

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

1.2.xml"
schematron-version="1.0">
<ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssgrhel7-xccdf-1.2.xml"
scap-version="1.2" use-case="OTHER">
<ds:dictionaries>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7cpe-dictionary.xml"
xlink:href="#scap_org.open-scap_comp_output--ssg-rhel7-cpedictionary.xml">
<cat:catalog>
<cat:uri name="ssg-rhel7-cpe-oval.xml"
uri="#scap_org.open-scap_cref_output--ssg-rhel7-cpeoval.xml"/>
</cat:catalog>
</ds:component-ref>
</ds:dictionaries>
<ds:checklists>
<ds:component-ref id="scap_org.open-scap_cref_ssg-rhel7-xccdf1.2.xml"
xlink:href="#scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml">
<cat:catalog>
<cat:uri name="ssg-rhel7-oval.xml"
uri="#scap_org.open-scap_cref_ssg-rhel7-oval.xml"/>
</cat:catalog>
</ds:component-ref>
</ds:checklists>
<ds:checks>
<ds:component-ref id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"
xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7cpe-oval.xml"
xlink:href="#scap_org.open-scap_comp_output--ssg-rhel7-cpeoval.xml"/>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7oval.xml"
xlink:href="#scap_org.open-scap_comp_output--ssg-rhel7oval.xml"/>
</ds:checks>
</ds:data-stream>
<ds:component id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"
timestamp="2014-03-14T16:21:59">
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/ovaldefinitions-5"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions5#independent"
xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions5#unix"
xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions5#linux"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common5
oval-common-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5

181

Se c ur it y Guide

oval-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions5#independent
independent-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#unix
unix-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#linux
linux-definitions-schema.xsd">

6.3. Using SCAP Workbench


SCAP Wo rkbench (scap-workbench) is a graphical utility that allows us e rs to pe rform
configuration and vulne rability s cans on a s ingle local or a re mote s ys te m, pe rform
re me diation of the s ys te m, and ge ne rate re ports bas e d on s can e valuations . Note that
compare d with the o scap command-line utility, SCAP Wo rkbench has only limite d
functionality. SCAP Wo rkbench can als o proce s s only s e curity conte nt in the form of
XCCDF and data-s tre am file s .
The following s e ctions e xplain how to ins tall, s tart, and utiliz e SCAP Workbe nch in orde r to
pe rform s ys te m s cans , re me diation, s can cus tomiz ation, and dis play re le vant e xample s
for the s e tas ks .

6.3.1. Inst alling SCAP Workbench


To ins tall SCAP Wo rkbench on your s ys te m, run the following command as root:
~]# yum install scap-workbench
This command ins talls all package s re quire d by SCAP Workbe nch to function prope rly,
including the scap-workbench package that provide s the utility its e lf. Note that re quire d
de pe nde ncie s , s uch as the qt and openssh package s , will be automatically update d to the
ne we s t available ve rs ion if the package s are alre ady ins talle d on your s ys te m.
Be fore you can s tart us ing SCAP Workbe nch e ffe ctive ly, you als o ne e d to ins tall or import
s ome s e curity conte nt on your s ys te m. For e xample , you can ins tall the SCAP Se curity
Guide (SSG) package , scap-security-guide, which contains the curre ntly mos t e volve d and
e laborate s e t of s e curity police s for Linux s ys te ms . To ins tall the SCAP Se curity Guide
package on your s ys te m, run the following command as root:
~]# yum install scap-security-guide
Afte r you ins tall scap-security-guide on your s ys te m, unle s s s pe cifie d othe rwis e , the SSG
s e curity conte nt is available unde r the /usr/share/xml/scap/ssg/content/ dire ctory,
and you can proce e d with othe r s e curity compliance ope rations .
To find othe r pos s ible s ource s of e xis ting SCAP conte nt that might s uit your ne e ds , s e e
Se ction 6.9, Additional Re s ource s .

6.3.2. Running SCAP Workbench


Afte r a s ucce s s ful ins tallation of both, the SCAP Wo rkbench utility and SCAP conte nt, you
can s tart us ing SCAP Wo rkbench on your s ys te ms . For running SCAP Wo rkbench from

182

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

the GNOME Classic de s ktop e nvironme nt, pre s s the Super ke y to e nte r the Activities
Overview, type scap-workbench, and the n pre s s Enter. The Super ke y appe ars in a
varie ty of guis e s , de pe nding on the ke yboard and othe r hardware , but ofte n as e ithe r the
Windows or Command ke y, and typically to the le ft of the Spacebar ke y.
As s oon as you s tart the utility, the SCAP Workbench window appe ars . The SCAP
Workbench window cons is ts of s e ve ral inte ractive compone nts , which you s hould be come
familiar with be fore you s tart s canning your s ys te m:
Input f ile
This fie ld contains the full path to the chos e n s e curity policy. You can s e arch for
applicable SCAP conte nt on your s ys te m by clicking the Browse button.
Checklist
This combo box dis plays the name of the che cklis t that is to be applie d by the
s e le cte d s e curity policy. You can choos e a s pe cific che cklis t by clicking this combo
box if more than one che cklis t is available .
T ailo ring
This combo box informs you about the cus tomiz ation us e d for the give n s e curity
policy. You can s e le ct cus tom rule s that will be applie d for the s ys te m e valuation
by clicking this combo box. The de fault value is (no t ailo ring), which me ans that
the re will be no change s to the us e d s e curity policy. If you made any change s to
the s e le cte d s e curity profile , you can s ave thos e change s as an XML file by
clicking the Save Tailoring button.
Pro f ile
This combo box contains the name of the s e le cte d s e curity profile . You can s e le ct
the s e curity profile from a give n XCCDF or data-s tre am file by clicking this combo
box. To cre ate a ne w profile that inhe rits prope rtie s of the s e le cte d s e curity
profile , click the Customize button.
T arget
The two radio buttons e nable you to s e le ct whe the r the s ys te m to be e valuate d
is a local or re mote machine .
Select ed Rules
This fie ld dis plays a lis t of s e curity rule s that are s ubje ct of the s e curity policy.
Hove ring ove r a particular s e curity rule provide s de taile d information about that
rule .
Save co nt ent
This me nu allows you to s ave SCAP file s that have be e n s e le cte d in the Input
f ile and T ailo ring fie lds e ithe r to the s e le cte d dire ctory or as an RPM package .
St at us bar
This is a graphical bar that indicate s s tatus of an ope ration that is be ing
pe rforme d.
Online remediat io n

183

Se c ur it y Guide

This che ck box e nable s the re me diation fe ature during the s ys te m e valuation. If
you che ck this box, SCAP Workbe nch will atte mpt to corre ct s ys te m s e ttings that
would fail to match the s tate de fine d by the policy.
Scan
This button allows you to s tart the e valuation of the s pe cifie d s ys te m.

Figure 6.1. SCAP Wo rkbench Windo w

6.3.3. Scanning t he Syst em


The main functionality of SCAP Wo rkbench is to pe rform s e curity s cans on a s e le cte d
s ys te m in accordance with the give n XCCDF or data s tre am file . To e valuate your s ys te m
agains t the s e le cte d s e curity policy, follow the s e s te ps :
1. Se le ct a s e curity policy by us ing the Open content option in the File me nu and
s e arch the re s pe ctive XCCDF, SCAP RPM or data s tre am file .

184

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

Warning
Se le cting a s e curity policy re s ults in the los s of any pre vious tailoring
change s that we re not s ave d. To re -apply the los t options , you have to
choos e the available profile and tailoring conte nt again. Note that your
pre vious cus tomiz ations may not be applicable with the ne w s e curity policy.
2. If the s e le cte d SCAP file is a data s tre am file that provide s more than one
che cklis t, you can s e le ct the particular che cklis t by clicking the Checklist combo
box.

Warning
Changing the che cklis t may re s ult in a s e le ction of a diffe re nt profile , and any
pre vious cus tomiz ations may not be applicable to the ne w che cklis t.
3. To us e a pre -arrange d a file with cus tomiz e d s e curity conte nt s pe cific to your us e
cas e , you can load this file by clicking on the T ailo ring combo box. You can als o
cre ate a cus tom tailoring file by alte ring an available s e curity profile . For more
information, s e e Se ction 6.3.4, Cus tomiz ing Se curity Profile s .
a. Se le ct the (no tailoring) option if you do not want to us e any
cus tomiz ation for the curre nt s ys te m e valuation. This is the de fault option if
no pre vious cus tomiz ation was s e le cte d.
b. Se le ct the (open tailoring file...) option to s e arch for the particular
tailoring file to be us e d for the curre nt s ys te m e valuation.
c. If you have pre vious ly us e d s ome tailoring file , SCAP Wo rkbench
re me mbe rs this file and adds it to the lis t. This s implifie s re pe titive
application of the s ame s can.
4. Se le ct a s uitable s e curity profile by clicking the Pro f ile combo box.
a. To modify the s e le cte d profile , click the Customize button. For more
information about profile cus tomiz ation, s e e Se ction 6.3.4, Cus tomiz ing
Se curity Profile s .
5. Se le ct e ithe r of two Target radio buttons to s can e ithe r a local or a re mote
machine .
a. If you have s e le cte d a re mote s ys te m, s pe cify it by e nte ring the us e r name ,
hos tname , and the port information as s hown in the following e xample . If you
have pre vious ly us e d the re mote s can, you can als o s e le ct a re mote
s ys te m from a lis t of re ce ntly s canne d machine s .

185

Se c ur it y Guide

Figure 6.2. Specif ying a Remo t e Syst em


6. You can allow automatic corre ction of the s ys te m configuration by s e le cting the
Online remediation che ck box. With this option e nable d, SCAP Wo rkbench
atte mpts to change the s ys te m configuration in accordance with the s e curity rule s
applie d by the policy, s hould the re late d che cks fail during the s ys te m s can.

Warning
If not us e d care fully, running the s ys te m e valuation with the re me diation
option e nable d could re nde r the s ys te m non-functional.
7. Click the Scan button to initiate the s ys te m s can.

6.3.4. Cust omizing Securit y Prof iles


Afte r s e le cting the s e curity profile that s uits your s e curity policy, you can furthe r adjus t it
by clicking the Customize button. This will ope n the ne w Tailoring window that allows you to
modify the curre ntly s e le cte d XCCDF profile without actually changing the re s pe ctive
XCCDF file .

Figure 6.3. Cust o mizing t he Select ed Securit y Pro f ile


The Tailoring window contains a comple te s e t of XCCDF e le me nts re le vant to the
s e le cte d s e curity profile with de taile d information about e ach e le me nt and its functionality.

186

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

You can e nable or dis able the s e e le me nts by s e le cting or de -s e le cting the re s pe ctive
che ck boxe s in the main fie ld of this window. The Tailoring window als o s upports undo
and redo functionality; you can undo or re do your s e le ctions by clicking the re s pe ctive
arrow icon in the top le ft corne r of the window.
You can als o change variable s that will late r be us e d for e valuation. Find the de s ire d ite m
in the Tailoring window, navigate to the right part and us e the Modify value fie ld.

Figure 6.4. Set t ing a value f o r t he select ed it em in t he T ailo ring windo w


Afte r you have finis he d your profile cus tomiz ations , confirm the change s by clicking the
Confirm Tailoring button. Your change s are now in the me mory and do not pe rs is t if
SCAP Wo rkbench is clos e d or ce rtain change s , s uch as s e le cting a ne w SCAP conte nt or
choos ing anothe r tailoring option, are made . To s tore your change s , click the Save
Tailoring button in the SCAP Workbench window. This action allows you to s ave your
change s to the s e curity profile as an XCCDF tailoring file in the chos e n dire ctory. Note that
this tailoring file can be furthe r s e le cte d with othe r profile s .

6.3.5. Saving SCAP Cont ent


SCAP Wo rkbench als o allows you to s ave SCAP conte nt that is us e d with your s ys te m
e valuations . You can e ithe r s ave a tailoring file s e parate ly (s e e Se ction 6.3.4,
Cus tomiz ing Se curity Profile s ) or you can s ave all s e curity conte nt at once by clicking the
Save content combo box and s e le cting e ithe r the Save into a directory or Save as
RPM options .
By s e le cting the Save into a directory option, SCAP Wo rkbench s ave s both the
XCCDF or data-s tre am file and the tailoring file to the s pe cifie d location. This can be us e ful
as a backup s olution.

187

Se c ur it y Guide

By s e le cting the Save as RPM option, you can ins truct SCAP Wo rkbench to cre ate an
RPM package containing the XCCDF or data s tre am file and tailoring file . This is us e ful for
dis tributing the de s ire d s e curity conte nt to s ys te ms that cannot be s canne d re mote ly, or
jus t for de live ring the conte nt for furthe r proce s s ing.

Figure 6.5. Saving t he Current SCAP Co nt ent as an RPM Package

6.3.6. Viewing Scan Result s and Generat ing Scan Report s


Afte r the s ys te m s can is finis he d, two ne w buttons , Clear and Report, will appe ar ins te ad
of the Scan button.

Warning
Clicking the Clear button pe rmane ntly re move s the s can re s ults .
You can dis play and furthe r proce s s the s can re s ults by clicking the Report button, which
ope ns the Evaluation Report window. This window contains the Save combo box and two
buttons , Open in Browser and Close.

188

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

To s tore the s can re s ults in the form of an XCCDF, ARF, or HTML file , click the Save combo
box. Choos e the HTML Report option to ge ne rate the s can re port in human-re adable form.
The XCCDF and ARF (data s tre am) formats are s uitable for furthe r automatic proce s s ing.
You can re pe ate dly choos e all thre e options .
If you pre fe r to vie w the s can re s ults imme diate ly without s aving the m, you can click the
Open in Browser button, which ope ns the s can re s ults in the form of a te mporary HTML
file in your de fault we b brows e r.

6.4. Using oscap


The o scap command-line utility allows us e rs to s can the ir local s ys te ms , validate s e curity
compliance conte nt, and ge ne rate re ports and guide s bas e d on the s e s cans and
e valuations . This utility s e rve s as a front e nd to the Ope nSCAP library and groups its
functionalitie s to module s (s ub-commands ) bas e d on the type of SCAP conte nt it
proce s s e s .
The following s e ctions e xplain how to ins tall o scap and pe rform the mos t common
ope rations . Example s are provide d to illus trate the s e tas ks . To le arn more about s pe cific
s ub-commands , us e the --help option with an o scap command:
oscap [options] module module_operation
[module_operation_options_and_arguments] --help
whe re module re pre s e nts the type of SCAP conte nt that is be ing proce s s e d, and
module_operation is a s ub-command for the s pe cific ope ration on the SCAP conte nt.

Example 6.4. Get t ing Help o n a Specif ic o scap Operat io n


~]$ oscap ds sds-split --help
oscap -> ds -> sds-split
Split given SourceDataStream into separate files
Usage: oscap [options] ds sds-split [options] SDS TARGET_DIRECTORY
SDS - Source data stream that will be split into multiple files.
TARGET_DIRECTORY - Directory of the resulting files.
Options:
--datastream-id <id>
collection to use.
--xccdf-id <id>
should be evaluated.

- ID of the datastream in the


- ID of XCCDF in the datastream that

To le arn about all o scap fe ature s and the comple te lis t of its options , s e e the oscap(8)
manual page .

6.4.1. Inst alling oscap


To ins tall o scap to your s ys te m, run the following command as root:

189

Se c ur it y Guide

~]# yum install openscap-scanner


This command allows you to ins tall all package s re quire d by o scap to function prope rly,
including the openscap package . To be able to write your own s e curity conte nt, you s hould
als o ins tall the openscap-engine-sce package , which provide s the Script Che ck Engine
(SCE). The SCE is an e xte ns ion of the SCAP protocol that allows conte nt authors to write
the ir s e curity conte nt us ing a s cripting language , s uch as Bas h, Python, or Ruby. Note that
the openscap-engine-sce package is only available from the Optional channe l. Se e Enabling
Supple me ntary and Optional Re pos itorie s .
Optionally, afte r ins talling o scap, you can che ck the capabilitie s of your ve rs ion of o scap,
what s pe cifications it s upports , whe re the ce rtain o scap file s are s tore d, what kinds of
SCAP obje cts you can us e , and othe r us e ful information. To dis play this information, type
the following command:
~]$ oscap -V
OpenSCAP command line tool (oscap) 1.0.4
Copyright 2009--2014 Red Hat Inc., Durham, North Carolina.
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)
==== Paths ====
Schema files: /usr/share/openscap/schemas
Schematron files: /usr/share/openscap/xsl
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap
==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Red Hat Enterprise Linux Optional Productivity Applications cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 cpe:/a:redhat:rhel_productivity:5
==== Supported OVAL objects and associated OpenSCAP probes ====
system_info
probe_system_info
family
probe_family

190

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

filehash
environmentvariable
textfilecontent54
textfilecontent
variable
xmlfilecontent
environmentvariable58
filehash58
inetlisteningservers
rpminfo
partition
iflisteners
rpmverify
rpmverifyfile
rpmverifypackage
selinuxboolean
selinuxsecuritycontext
file
interface
password
process
runlevel
shadow
uname
xinetd
sysctl
process58
fileextendedattribute
routingtable

probe_filehash
probe_environmentvariable
probe_textfilecontent54
probe_textfilecontent
probe_variable
probe_xmlfilecontent
probe_environmentvariable58
probe_filehash58
probe_inetlisteningservers
probe_rpminfo
probe_partition
probe_iflisteners
probe_rpmverify
probe_rpmverifyfile
probe_rpmverifypackage
probe_selinuxboolean
probe_selinuxsecuritycontext
probe_file
probe_interface
probe_password
probe_process
probe_runlevel
probe_shadow
probe_uname
probe_xinetd
probe_sysctl
probe_process58
probe_fileextendedattribute
probe_routingtable

Be fore you can s tart us ing o scap e ffe ctive ly, you als o ne e d to ins tall or import s ome
s e curity conte nt on your s ys te m. For e xample , you can ins tall the SCAP Se curity Guide
(SSG) package , scap-security-guide, which contains the curre ntly mos t e volve d and
e laborate s e t of s e curity police s for Linux s ys te ms . To ins tall the SCAP Se curity Guide
package on your s ys te m, run the following command as root:
~]# yum install scap-security-guide
Afte r you ins tall scap-security-guide on your s ys te m, unle s s s pe cifie d othe rwis e , the SSG
s e curity conte nt is available unde r the /usr/share/xml/scap/ssg/content/ dire ctory,
and you can proce e d with othe r s e curity compliance ope rations .
To find othe r pos s ible s ource s of e xis ting SCAP conte nt that might s uit your ne e ds , s e e
Se ction 6.9, Additional Re s ource s .
Afte r ins talling the SCAP conte nt on your s ys te m, o scap can proce s s the conte nt whe n
s upplie d with the file path to the conte nt. The o scap utility s upports SCAP ve rs ion 1.2 and
is backward-compatible with SCAP ve rs ions 1.1 and 1.0, s o it can proce s s e arlie r ve rs ions
of SCAP conte nt without any s pe cial re quire me nts .

6.4.2. Displaying SCAP Cont ent


SCAP s tandard de fine s nume rous file formats . The o scap utility can proce s s or cre ate
file s conforming to many of the formats . In orde r to furthe r proce s s the give n file with
SCAP conte nt, you ne e d to unde rs tand how to us e o scap with the give n file type . If you
are uns ure how to us e a particular file , you can e ithe r ope n and re ad the file , or you can

191

Se c ur it y Guide

us e the info module of o scap which pars e s the file and e xtracts re le vant information in
human-re adable format.
Run the following command to e xamine the inte rnal s tructure of a SCAP docume nt and
dis play us e ful information s uch as the docume nt type , s pe cification ve rs ion, a s tatus of
the docume nt, the date the docume nt was publis he d, and the date the docume nt was
copie d to a file s ys te m:
oscap info file
whe re file is the full path to the s e curity conte nt file be ing e xamine d. The following
e xample be tte r illus trate s the us age of the oscap info command:

Example 6.5. Displaying Inf o rmat io n Abo ut SCAP Co nt ent


~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Document type: Source Data Stream
Imported: 2014-03-14T12:22:01
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf1.2.xml
Generated: (null)
Version: 1.2
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
Profiles:
xccdf_org.ssgproject.content_profile_test
xccdf_org.ssgproject.content_profile_rht-ccp
xccdf_org.ssgproject.content_profile_common
xccdf_org.ssgproject.content_profile_stigrhel7-server-upstream
Referenced check files:
ssg-rhel7-oval.xml
system:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-cpe-oval.xml
Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-oval.xml
Dictionaries:
Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-cpedictionary.xml

6.4.3. Scanning t he Syst em


The mos t important functionality of o scap is to pe rform configuration and vulne rability
s cans of a local s ys te m. The following is a ge ne ral s yntax of the re s pe ctive command:
oscap [options] module eval [module_operation_options_and_arguments]
The o scap utility can s can s ys te ms agains t the SCAP conte nt re pre s e nte d by both an
XCCDF (The e Xte ns ible Configuration Che cklis t De s cription Format) be nchmark and OVAL
(Ope n Vulne rability and As s e s s me nt Language ) de finitions . The s e curity policy can be in

192

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

the form of a s ingle OVAL or XCCDF file or multiple s e parate XML file s whe re e ach file
re pre s e nts a diffe re nt compone nt (XCCDF, OVAL, CPE, CVE, and othe rs ). The re s ult of a
s can can be printe d to both s tandard output and an XML file . The re s ult file can the n be
furthe r proce s s e d by o scap in orde r to ge ne rate a re port in a human-re adable format.
The following e xample s illus trate the mos t common us age of the command.

Example 6.6. Scanning t he Syst em Using t he SSG OVAL def init io ns


To s can your s ys te m agains t the SSG OVAL de finition file while e valuating all de finitions ,
run the following command:
~]$ oscap oval eval --results scan-oval-results.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The re s ults of the s can are s tore d as the scan-oval-results.xml file in the curre nt
dire ctory.

Example 6.7. Scanning t he Syst em Using t he SSG OVAL def init io ns


To e valuate a particular OVAL de finition from the s e curity policy re pre s e nte d by the
SSG data s tre am file , run the following command:
~]$ oscap oval eval --id oval:ssg:def:100 --results scan-ovalresults.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The re s ults of the s can are s tore d as the scan-oval-results.xml file in the curre nt
dire ctory.

Example 6.8. Scanning t he Syst em Using t he SSG XCCDF benchmark


To pe rform the SSG XCCDF be nchmark for the
xccdf_org.ssgproject.content_profile_rht-ccp profile on your s ys te m, run the
following command:
~]$ oscap xccdf eval --profile
xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdfresults.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The re s ults of the s can are s tore d as the scan-xccdf-results.xml file in the curre nt
dire ctory.

No te
The --profile command-line argume nt s e le cts the s e curity profile from the
give n XCCDF or data s tre am file . The lis t of available profile s can be obtaine d by
running the oscap info command. If the --profile command-line argume nt is
omitte d the de fault XCCDF profile is us e d as re quire d by SCAP s tandard. Note that
the de fault XCCDF profile may or may not be an appropriate s e curity policy.

193

Se c ur it y Guide

6.4.4. Generat ing Report s and Guides


Anothe r us e ful fe ature s of o scap is the ability to ge ne rate SCAP conte nt in a humanre adable format. The o scap utility allows you to trans form an XML file into the HTML or
plain-te xt format. This fe ature is us e d to ge ne rate s e curity guide s and che cklis ts , which
s e rve as a s ource of information, as we ll as guidance for s e cure s ys te m configuration.
The re s ults of s ys te m s cans can als o be trans forme d to we ll-re adable re s ult re ports . The
ge ne ral command s yntax is the following:
oscap module generate sub-module [specific_module/submodule_options_and_arguments] file
whe re module is e ithe r xccdf or oval, sub-module is a type of the ge ne rate d docume nt,
and file re pre s e nts an XCCDF or OVAL file .
The following are the mos t common e xample s of the command us age :

Example 6.9. Generat ing a Guide wit h a Checklist


To produce an SSG guide with a che cklis t for the
xccdf_org.ssgproject.content_profile_rht-ccp profile , run the following command:
~]$ oscap xccdf generate guide --profile
xccdf_org.ssgproject.content_profile_rht-ccp
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml > ssg-guidechecklist.html
The guide is s tore d as the ssg-guide-checklist.html file in the curre nt dire ctory.

Example 6.10 . T ransf o rming an SSG OVAL Scan Result int o a Repo rt
To trans form a re s ult of an SSG OVAL s can into an HTML file , run the following command:
~]$ oscap oval generate report scan-oval-results.xml > ssg-scan-ovalreport.html
The re s ult re port is s tore d as the ssg-scan-oval-report.html file in the curre nt
dire ctory. This e xample as s ume s that you run the command from the s ame location
whe re the scan-oval-results.xml file is s tore d. Othe rwis e you ne e d to s pe cify the
fully-qualifie d path of the file that contains the s can re s ults .

Example 6.11. T ransf o rming an SSG XCCDF Scan Result int o a Repo rt
To trans form a re s ult of an SSG XCCDF s can into an HTML file , run the following
command:
~]$ oscap xccdf generate report scan-xccdf-results.xml > scan-xccdfreport.html
The re s ult re port is s tore d as the ssg-scan-xccdf-report.html file in the curre nt
dire ctory. Alte rnative ly, you can ge ne rate this re port in the time of the s can us ing the -report command-line argume nt:

194

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

~]$ oscap xccdf eval --profile


xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdfresults.xml --report scan-xccdf-report.html
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

6.4.5. Validat ing SCAP Cont ent


Be fore you s tart us ing a s e curity policy on your s ys te ms , you s hould firs t ve rify the policy
in orde r to avoid any pos s ible s yntax or s e mantic e rrors in the policy. The o scap utility
can be us e d to validate the s e curity conte nt agains t s tandard SCAP XML s che mas . The
validation re s ults are printe d to the s tandard e rror s tre am (s tde rr). The ge ne ral s yntax of
s uch a validation command is the following:
oscap module validate [module_options_and_arguments] file
whe re file is the full path to the file be ing validate d. The only e xce ption is the data s tre am
module (ds ), which us e s the sds-validate ope ration ins te ad of validate. Note that all
SCAP compone nts within the give n data s tre am are validate d automatically and none of
the compone nts is s pe cifie d s e parate ly, as can be s e e n in the following e xample :
~]$ oscap ds sds-validate /usr/share/xml/scap/ssg/content/ssg-rhel7ds.xml
With ce rtain SCAP conte nt, s uch as OVAL s pe cification, you can als o pe rform a Sche matron
validation. The Sche matron validation is s lowe r than the s tandard validation but provide s
de e pe r analys is , and is thus able to de te ct more e rrors . The following SSG e xample
s hows typical us age of the command:
~]$ oscap oval validate --schematron
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

6.4.6. Using OpenSCAP t o Remediat e t he Syst em


OpenSCAP allows to automatically re me diate s ys te ms that have be e n found in a noncompliant s tate . For s ys te m re me diation, an XCCDF file with ins tructions is re quire d. The
scap-security-guide package cons tains ce rtain re me diation ins tructions .
Sys te m re me diation cons is ts of the following s te ps :
1. OpenSCAP pe rforms a re gular XCCDF e valuation.
2. An as s e s s me nt of the re s ults is pe rforme d by e valuating the OVAL de finitions .
Each rule that has faile d is marke d as a candidate for re me diation.
3. OpenSCAP s e arche s for an appropriate fix e le me nt, re s olve s it, pre pare s the
e nvironme nt, and e xe cute s the fix s cript.
4. Any output of the fix s cript is capture d by OpenSCAP and s tore d within the ruleresult e le me nt. The re turn value of the fix s cript is s tore d as we ll.

195

Se c ur it y Guide

5. Whe ne ve r OpenSCAP e xe cute s a fix s cript, it imme diate lly e valuate s the OVAL
de finition again (to ve rify that the fix s cript has be e n applie d corre ctly). During this
s e cond run, if the OVAL e valuation re turns s ucce s s , the re s ult of the rule is fixed,
othe rwis e it is an error.
6. De taile d re s ults of the re me diation are s tore d in an output XCCDF file . It contains
two TestResult e le me nts . The firs t TestResult e le me nt re pre s e nts the s can
prior to the re me diation. The s e cond TestResult is de rive d from the firs t one and
contains re me diation re s ults .
The re are thre e mode s of ope ration of OpenSCAP with re gard to re me diation: online ,
offline , and re vie w.

6.4.6.1. OpenSCAP Online Remediat ion


Online re me diation e xe cute s fix e le me nts at the time of s canning. Evaluation and
re me diation are pe rforme d as a part of a s ingle command.
To e nable online re me diation, us e the --remediate command-line option. For e xample , to
e xe cute online re me diation us ing the scap-security-guide package , run:
~]$ oscap xccdf eval --remediate --profile
xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdfresults.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The output of this command cons is ts of two s e ctions . The firs t s e ction s hows the re s ult of
the s can prior to the re me diation, and the s e cond s e ction s hows the re s ult of the s can
afte r applying the re me diation. The s e cond part can contain only fixed and error re s ults .
The fixed re s ult indicate s that the s can pe rforme d afte r the re me diation pas s e d. The
error re s ult indicate s that e ve n afte r applying the re me diation, the e valuation s till doe s
not pas s .

6.4.6.2. OpenSCAP Of f line Remediat ion


Offline re me diation allows you to pos tpone fix e xe cution. In the firs t s te p, the s ys te m is
only e valuate d, and the re s ults are s tore d in a TestResult e le me nt in an XCCDF file .
In the s e cond s te p, oscap e xe cute s the fix s cripts and ve rifie s the re s ult. It is s afe to
s tore the re s ults into the input file , no data will be los t. During offline re me diation,
OpenSCAP cre ate s a ne w TestResult e le me nt that is bas e d on the input one and
inhe rits all the data. The ne wly cre ate d TestResult diffe rs only in the rule-result
e le me nts that have faile d. For thos e , re me diation is e xe cute d.
To pe rform offline re me diation us ing the scap-security-guide package , run:
~]$ oscap xccdf eval --profile
xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdfresults.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
~]$ oscap xccdf remediate --results scan-xccdf-results.xml scan-xccdfresults.xml

6.4.6.3. OpenSCAP Remediat ion Review

196

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

The re vie w mode allows us e rs to s tore re me diation ins tructions to a file for furthe r
re vie w. The re me diation conte nt is not e xe cute d during this ope ration.
To ge ne rate re me diation ins tructions in the form of a s he ll s cript, run:
~]$ oscap xccdf generate fix --template urn:xccdf:fix:script:sh -profile xccdf_org.ssgproject.content_profile_rht-ccp --output myremediation-script.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

6.5. Using OpenSCAP wit h Docker


The oscap-docker command-line utility allows us e rs to us e the oscap program to s can
the ir docke r-formatte d containe r image s and containe rs almos t in the s ame way as the ir
local s ys te ms .
The following s e ction e xplains the ins tallation of oscap-docker and offe rs bas ic e xample s
of us age . To le arn more about s ub-commands , us e the --help option with the oscapdocker or oscap commands .
To e nable the s canning of image s and containe rs , you ne e d to have the docker package
ins talle d, too. Se e the Ge tting Docke r in Re d Hat Ente rpris e Linux 7 chapte r of the Getting
Started with Containers guide for ins tructions on ins talling Do cker.
Run the following command to ins tall oscap-docker:
# yum install openscap-utils

Example 6.12. Using o scap-do cker


oscap-docker scan_target[-cve] target_identifier [oscap-arguments]
Whe re scan_target is an image or a containe r to s can, and target_identifier is the name
or the ID of the targe t.
The s e cond of the following commands attache s a containe r image , de te rmine s the
variant and ve rs ion of the ope rating s ys te m, downloads the CVE s tre am applicable to
the give n s ys te m, and finally runs the vulne rability s can:
# docker images
REPOSITORY
registry.access.redhat.com/rhel7
c453594215e4

TAG
latest

IMAGE ID

# oscap-docker image-cve registry.access.redhat.com/rhel7


The s e cond of the following commands runs the OpenSCAP s can within a chroot
e nvironme nt of a running containe r. The re s ults may diffe r from s canning of a containe r
image due to de fine d mount points . We us e d the OVAL patch de finition
com.redhat.rhsa-all.xml in this e xample .

197

Se c ur it y Guide

# docker ps
CONTAINER ID
5ef05eef4a01
sleepy_kirch

IMAGE
COMMAND
NAMES
registry.access.redhat.com/rhel7 "/bin/bash"

# oscap-docker container 5ef05eef4a01 oval eval com.redhat.rhsaall.xml

6.6. Using t he OpenSCAP-daemon and At omic Scan


Be fore you de ploy a containe r image , us e the Ope nSCAP-dae mon and Atomic Scan to
de te ct vulne rabilitie s in a containe r.
To ins tall the atomic command on your s ys te m for containe r manage me nt, run the
following command as root:
# yum install atomic
Afte r the atomic command is ins talle d, you ne e d the OpenSCAP-daemo n to pe rform the
s cans . You can ins tall it by running the following command as root:
# atomic install openscap
Once the OpenSCAP-daemo n is in place and running, you can is s ue atomic scan
commands . Scan the containe rs and containe r image s by running the following command
as root:
# atomic scan $ID
Whe re $ID is the ID of the containe r. If you want to s can all containe r image s and
containe rs , us e the --all dire ctive .

Example 6.13. Scanning t he Co nt ainer Image wit h At o mic Scan


The following e xample of the atomic scan us age s hows how to s can a Re d Hat
Ente rpris e Linux image and the n lis t of all found vulne rabilitie s with --detail dire ctive .
# docker pull rhel7
Using default tag: latest
c453594215e4: Download complete
# atomic scan c453594215e4
Container/Image
Cri
Imp
Med
Low
----------------------c453594215e4
0
0
0
0
# atomic scan --detail c453594215e4
c453594215e4
OS
: Red Hat Enterprise Linux Server release 7.2 (Maipo)

198

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

No te
A de taile d de s cription of the atomic command us age and containe rs is found in the
Product Docume ntation for Re d Hat Ente rpris e Linux Atomic Hos t. The Re d Hat
Cus tome r Portal als o provide s a guide to the Atomic command line inte rface (CLI).

6.7. Using OpenSCAP wit h Red Hat Sat ellit e


Whe n running multiple Re d Hat Ente rpris e Linux s ys te ms , it is important to ke e p all your
s ys te ms compliant with your s e curity policy and pe rform s e curity s cans and e valuations
re mote ly from one location. This can be achie ve d by us ing Re d Hat Sate llite 5.5 or late r
with the spacewalk-oscap package ins talle d on your Sate llite clie nt. The package is
available from the Red Hat Net wo rk T o o ls channe l. Se e How to e nable /dis able a
re pos itory us ing Re d Hat Subs cription-Manage r?
This s olution s upports two me thods of pe rforming s e curity compliance s cans , vie wing and
furthe r proce s s ing of the s can re s ults . You can e ithe r us e the OpenSCAP Satellite Web
Interface or run commands and s cripts from the Satellite API. For more information
about this s olution to s e curity compliance , its re quire me nts and capabilitie s , s e e the Re d
Hat Sate llite docume ntation.

6.8. Pract ical Examples


This s e ction de mons trate s practical us age of ce rtain s e curity conte nt provide d for Re d Hat
products .

6.8.1. Audit ing Securit y Vulnerabilit ies of Red Hat Product s


Re d Hat continuous ly provide s OVAL de finitions for the ir products . The s e de finitions allow
for fully automate d audit of vulne rabilitie s in the ins talle d s oftware . To find out more
information about this proje ct, s e e http://www.re dhat.com/s e curity/data/me trics /. To
download the s e de finitions , run the following command:
~]$ wget http://www.redhat.com/security/data/oval/com.redhat.rhsaall.xml
The us e rs of Re d Hat Sate llite 5 may find us e ful the XCCDF part of the patch de finitions .
To download the s e de finitions , run the following command:
~]$ wget http://www.redhat.com/security/data/metrics/com.redhat.rhsaall.xccdf.xml
To audit s e curity vulne rabilitie s for the s oftware ins talle d on the s ys te m, run the following
command:
~]$ oscap oval eval --results rhsa-results-oval.xml --report ovalreport.html com.redhat.rhsa-all.xml
The o scap utility maps Re d Hat Se curity Advis orie s to CVE ide ntifie rs that are linke d to
the National Vulne rability Databas e and re ports which s e curity advis orie s are not applie d.

199

Se c ur it y Guide

No te
Note that the s e OVAL de finitions are de s igne d to only cove r s oftware and update s
re le as e d by Re d Hat. You ne e d to provide additional de finitions in orde r to de te ct
the patch s tatus of third-party s oftware .

6.8.2. Audit ing Syst em Set t ings wit h SCAP Securit y Guide
The SCAP Se curity Guide (SSG) proje ct's package , scap-security-guide, contains the late s t
s e t of s e curity police s for Linux s ys te ms . To ins tall the SCAP Se curity Guide package on
your s ys te m, run the following command as root:
~]# yum install scap-security-guide
A part of scap-security-guide is als o a guidance for Re d Hat Ente rpris e Linux 7 s e ttings . To
ins pe ct the s e curity conte nt available with scap-security-guide, us e the oscap info
module :
~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The output of this command is an outline of the SSG docume nt and it contains available
configuration profile s . To audit your s ys te m s e ttings , choos e a s uitable profile and run the
appropriate e valuation command. For e xample , the following command is us e d to as s e s s
the give n s ys te m agains t a draft SCAP profile for Re d Hat Ce rtifie d Cloud Provide rs :
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rhtccp --results ssg-rhel7-xccdf-result.xml --report ssg-rhel7-report.html
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

6.9. Addit ional Resources


For more information about various s e curity compliance fie lds of inte re s t, s e e the
re s ource s be low.

Inst alled Document at ion


os cap(8) The manual page for the o scap command-line utility provide s a comple te
lis t of available options and the ir us age e xplanation.
s cap-workbe nch(8) The manual page for the SCAP Workbench application provide s a
bas ic information about the application as we ll as s ome links to pote ntial s ource s of
SCAP conte nt.
s cap-s e curity-guide (8) The manual page for scap-securit y-guide provide s furthe r
docume ntation about the various available SCAP s e curity profile s . Example s how to
utiliz e the provide d be nchmarks us ing the OpenSCAP utility are provide d as we ll.

Online Document at ion

200

C hapt e r 6 . Co mplianc e and Vulne r abilit y Sc anning wit h O pe nSCAP

The Ope nSCAP proje ct page The home page to the Ope nSCAP proje ct provide s
de taile d information about the o scap utility and othe r compone nts and proje cts re late d
to SCAP.
The SCAP Workbe nch proje ct page The home page to the SCAP Workbe nch proje ct
provide s de taile d information about the scap-wo rkbench application.
The SCAP Se curity Guide (SSG) proje ct page The home page to the SSG proje ct that
provide s the late s t s e curity conte nt for Re d Hat Ente rpris e Linux.
National Ins titute of Standards and Te chnology (NIST) SCAP page This page
re pre s e nts a vas t colle ction of SCAP re late d mate rials , including SCAP publications ,
s pe cifications , and the SCAP Validation Program.
National Vulne rability Databas e (NVD) This page re pre s e nts the large s t re pos itory of
SCAP conte nt and othe r SCAP s tandards bas e d vulne rability manage me nt data.
Re d Hat OVAL conte nt re pos itory This is a re pos itory containing OVAL de finitions for
Re d Hat Ente rpris e Linux s ys te ms .
MITRE CVE This is a databas e of publicly known s e curity vulne rabilitie s provide d by
the MITRE corporation.
MITRE OVAL This page re pre s e nts an OVAL re late d proje ct provide d by the MITRE
corporation. Amongs t othe r OVAL re late d information, the s e page s contain the late s t
ve rs ion of the OVAL language and a huge re pos itory of OVAL conte nt, counting ove r 22
thous ands OVAL de finitions .
Re d Hat Sate llite docume ntation This s e t of guide s de s cribe s , amongs t othe r topics ,
how to maintain s ys te m s e curity on multiple s ys te ms by us ing Ope nSCAP.

201

Se c ur it y Guide

Chapt er 7. Federal St andards and Regulat ions


In orde r to maintain s e curity le ve ls , it is pos s ible for your organiz ation to make e fforts to
comply with fe de ral and indus try s e curity s pe cifications , s tandards and re gulations . This
chapte r de s cribe s s ome of the s e s tandards and re gulations .

7.1. Federal Informat ion Processing St andard (FIPS)


The Fe de ral Information Proce s s ing Standard (FIPS) Publication 140-2, is a compute r
s e curity s tandard, de ve lope d by a U.S. Gove rnme nt and indus try working group to validate
the quality of cryptographic module s . FIPS publications (including 140-2) can be found at the
following URL: http://cs rc.nis t.gov/publications /Pubs FIPS.html. Note that at the time of writing,
Publication 140-3 is at Draft s tatus , and may not re pre s e nt the comple te d s tandard. The
FIPS s tandard provide s four (4) s e curity levels, to e ns ure ade quate cove rage of diffe re nt
indus trie s , imple me ntations of cryptographic module s and organiz ational s iz e s and
re quire me nts . The s e le ve ls are de s cribe d be low:
Le ve l 1 Se curity Le ve l 1 provide s the lowe s t le ve l of s e curity. Bas ic s e curity
re quire me nts are s pe cifie d for a cryptographic module (for e xample , at le as t one
Approve d algorithm or Approve d s e curity function s hall be us e d). No s pe cific phys ical
s e curity me chanis ms are re quire d in a Se curity Le ve l 1 cryptographic module be yond
the bas ic re quire me nt for production-grade compone nts . An e xample of a Se curity
Le ve l 1 cryptographic module is a pe rs onal compute r (PC) e ncryption board.
Le ve l 2 Se curity Le ve l 2 e nhance s the phys ical s e curity me chanis ms of a Se curity
Le ve l 1 cryptographic module by adding the re quire me nt for tampe r-e vide nce , which
include s the us e of tampe r-e vide nt coatings or s e als or for pick-re s is tant locks on
re movable cove rs or doors of the module . Tampe r-e vide nt coatings or s e als are
place d on a cryptographic module s o that the coating or s e al mus t be broke n to attain
phys ical acce s s to the plainte xt cryptographic ke ys and critical s e curity parame te rs
(CSPs ) within the module . Tampe r-e vide nt s e als or pick-re s is tant locks are place d on
cove rs or doors to prote ct agains t unauthoriz e d phys ical acce s s .
Le ve l 3 In addition to the tampe r-e vide nt phys ical s e curity me chanis ms re quire d at
Se curity Le ve l 2, Se curity Le ve l 3 atte mpts to pre ve nt the intrude r from gaining acce s s
to CSPs he ld within the cryptographic module . Phys ical s e curity me chanis ms re quire d
at Se curity Le ve l 3 are inte nde d to have a high probability of de te cting and re s ponding
to atte mpts at phys ical acce s s , us e or modification of the cryptographic module . The
phys ical s e curity me chanis ms may include the us e of s trong e nclos ure s and tampe r
de te ction/re s pons e circuitry that z e roe s all plainte xt CSPs whe n the re movable
cove rs /doors of the cryptographic module are ope ne d.
Le ve l 4 Se curity Le ve l 4 provide s the highe s t le ve l of s e curity de fine d in this
s tandard. At this s e curity le ve l, the phys ical s e curity me chanis ms provide a comple te
e nve lope of prote ction around the cryptographic module with the inte nt of de te cting and
re s ponding to all unauthoriz e d atte mpts at phys ical acce s s . Pe ne tration of the
cryptographic module e nclos ure from any dire ction has a ve ry high probability of be ing
de te cte d, re s ulting in the imme diate z e roiz ation of all plainte xt CSPs . Se curity Le ve l 4
cryptographic module s are us e ful for ope ration in phys ically unprote cte d e nvironme nts .
Se e the full FIPS 140-2 s tandard at http://cs rc.nis t.gov/publications /fips /fips 1402/fips 1402.pdf for furthe r de tails on the s e le ve ls and the othe r s pe cifications of the FIPS
s tandard.

7.1.1. Enabling FIPS Mode

202

C hapt e r 7. Fe de r al St andar ds and Re gulat io ns

To make Re d Hat Ente rpris e Linux compliant with the Fe de ral Information Proce s s ing
Standard (FIPS) Publication 140-2 you ne e d to make s e ve ral change s to e ns ure that
accre dite d cryptographic module s are us e d. To turn your s ys te m (ke rne l and us e r s pace )
into FIPS mode , follow the s e s te ps :
1. For prope r ope ration of the in-module inte grity ve rification, the pre link has to be
dis able d. This can be done by s e tting configuring PRELINKING=no in the
/etc/sysconfig/prelink configuration file . Exis ting pre linking, if any, s hould be
undone on all s ys te m file s us ing the prelink -u -a command.
2. Ne xt, ins tall the dracut-fips package :
~]# yum install dracut-fips
3. Re cre ate the initramfs file :
~]# dracut -f

Warning
This ope ration will ove rwrite the e xis ting initramfs file .
4. Modify the ke rne l command line of the curre nt ke rne l in the grub.cfg file by adding
the following option to the GRUB_CMDLINE_LINUX ke y in the /etc/default/grub file
and the n re build the grub.cfg file :
fips=1
Change s to /etc/default/grub re quire re building the grub.cfg file as follows :
On BIOS-bas e d machine s , is s ue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-bas e d machine s , is s ue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

203

Se c ur it y Guide

No te
If /boot or /boot/efi re s ide on s e parate partitions , the ke rne l parame te r
boot=<partition of /boot or /boot/efi> mus t be adde d to the ke rne l
command line . You can ide ntify a partition by running the df /boot or df
/boot/efi command re s pe ctive ly:
~]$ df /boot
Filesystem
Mounted on
/dev/sda1

1K-blocks
495844

Used Available Use%


53780

416464

12% /boot

To e ns ure that the boot= configuration option will work e ve n if de vice naming
change s be twe e n boots , ide ntify the unive rs ally unique ide ntifie r (UUID) of
the partition by running the following command:
~]$ blkid /dev/sda1
/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797"
TYPE="ext4"
For the e xample above , the following s tring ne e ds to be appe nde d to the
ke rne l command line :
boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797

5. Re boot your s ys te m.
Should you re quire s trict FIPS compliance , the fips=1 ke rne l option ne e ds to be adde d to
the ke rne l command line during s ys te m ins tallation s o that ke y ge ne ration is done with
FIPS approve d algorithms and continuous monitoring te s ts in place . Us e rs s hould als o
e ns ure that the s ys te m has ple nty of e ntropy during the ins tallation proce s s by moving
the mous e around, or if no mous e is available , e ns uring that many ke ys troke s are type d.
The re comme nde d amount of ke ys troke s is 256 and more . Le s s than 256 ke ys troke s may
ge ne rate a non-unique ke y.

7.2. Nat ional Indust rial Securit y Program Operat ing Manual
(NISPOM)
The NISPOM (als o calle d DoD 5220.22-M), as a compone nt of the National Indus trial
Se curity Program (NISP), e s tablis he s a s e rie s of proce dure s and re quire me nts for all
gove rnme nt contractors with re gard to clas s ifie d information. The curre nt NISPOM is date d
Fe bruary 28, 2006, with incorporate d major change s from March 28, 2013. The NISPOM
docume nt can be downloade d from the following URL: http://www.nis pom.org/NISPOMdownload.html.

7.3. Payment Card Indust ry Dat a Securit y St andard (PCI


DSS)
From https ://www.pcis e curitys tandards .org/about/inde x.s html: The PCI Security Standards
Council is an open global forum, launched in 2006, that is responsible for the development,

204

C hapt e r 7. Fe de r al St andar ds and Re gulat io ns

management, education, and awareness of the PCI Security Standards, including the Data
Security Standard (DSS).
You can download the PCI DSS s tandard from
https ://www.pcis e curitys tandards .org/s e curity_s tandards /pci_ds s .s html.

7.4. Securit y T echnical Implement at ion Guide


A Se curity Te chnical Imple me ntation Guide or STIG is a me thodology for s tandardiz e d
s e cure ins tallation and mainte nance of compute r s oftware and hardware .
Se e the following URL for more information on STIG:
http://ias e .dis a.mil/s tigs /Page s /inde x.as px.

205

Se c ur it y Guide

Appendix A. Encrypt ion St andards


A.1. Synchronous Encrypt ion
A.1.1. Advanced Encrypt ion St andard AES
In cryptography, the Advance d Encryption Standard (AES) is an e ncryption s tandard
adopte d by the U.S. Gove rnme nt. The s tandard compris e s thre e block ciphe rs , AES-128,
AES-192 and AES-256, adopte d from a large r colle ction originally publis he d as Rijndae l.
Each AES ciphe r has a 128-bit block s iz e , with ke y s iz e s of 128, 192 and 256 bits ,
re s pe ctive ly. The AES ciphe rs have be e n analyz e d e xte ns ive ly and are now us e d
worldwide , as was the cas e with its pre de ce s s or, the Data Encryption Standard (DES). [3]

A.1.1.1. AES Hist ory


AES was announce d by National Ins titute of Standards and Te chnology (NIST) as U.S. FIPS
PUB 197 (FIPS 197) on Nove mbe r 26, 2001 afte r a 5-ye ar s tandardiz ation proce s s . Fifte e n
compe ting de s igns we re pre s e nte d and e valuate d be fore Rijndae l was s e le cte d as the
mos t s uitable . It be came e ffe ctive as a s tandard May 26, 2002. It is available in many
diffe re nt e ncryption package s . AES is the firs t publicly acce s s ible and ope n ciphe r
approve d by the NSA for top s e cre t information (s e e the Se curity s e ction in the Wikipe dia
article on AES). [4]
The Rijndae l ciphe r was de ve lope d by two Be lgian cryptographe rs , Joan Dae me n and
Vince nt Rijme n, and s ubmitte d by the m to the AES s e le ction proce s s . Rijndae l is a
portmante au of the name s of the two inve ntors . [5]

A.1.2. Dat a Encrypt ion St andard DES


The Data Encryption Standard (DES) is a block ciphe r (a form of s hare d s e cre t e ncryption)
that was s e le cte d by the National Bure au of Standards as an official Fe de ral Information
Proce s s ing Standard (FIPS) for the Unite d State s in 1976 and which has s ubs e que ntly
e njoye d wide s pre ad us e inte rnationally. It is bas e d on a s ymme tric-ke y algorithm that
us e s a 56-bit ke y. The algorithm was initially controve rs ial with clas s ifie d de s ign
e le me nts , a re lative ly s hort ke y le ngth, and s us picions about a National Se curity Age ncy
(NSA) backdoor. DES cons e que ntly came unde r inte ns e acade mic s crutiny which motivate d
the mode rn unde rs tanding of block ciphe rs and the ir cryptanalys is . [6]

A.1.2.1. DES Hist ory


DES is now cons ide re d to be ins e cure for many applications . This is chie fly due to the 56bit ke y s iz e be ing too s mall; in January, 1999, dis tribute d.ne t and the Ele ctronic Frontie r
Foundation collaborate d to publicly bre ak a DES ke y in 22 hours and 15 minute s . The re are
als o s ome analytical re s ults which de mons trate the ore tical we akne s s e s in the ciphe r,
although the y are unfe as ible to mount in practice . The algorithm is be lie ve d to be
practically s e cure in the form of Triple DES, although the re are the ore tical attacks . In
re ce nt ye ars , the ciphe r has be e n s upe rs e de d by the Advance d Encryption Standard
(AES). [7]
In s ome docume ntation, a dis tinction is made be twe e n DES as a s tandard and DES the
algorithm which is re fe rre d to as the DEA (the Data Encryption Algorithm). [8]

206

A ppe ndix A. Enc r ypt io n St andar ds

A.2. Public-key Encrypt ion


Public-ke y cryptography is a cryptographic approach, e mploye d by many cryptographic
algorithms and cryptos ys te ms , whos e dis tinguis hing characte ris tic is the us e of
as ymme tric ke y algorithms ins te ad of or in addition to s ymme tric ke y algorithms . Us ing
the te chnique s of public ke y-private ke y cryptography, many me thods of prote cting
communications or authe nticating me s s age s forme rly unknown have be come practical.
The y do not re quire a s e cure initial e xchange of one or more s e cre t ke ys as is re quire d
whe n us ing s ymme tric ke y algorithms . It can als o be us e d to cre ate digital s ignature s . [9]
Public ke y cryptography is a fundame ntal and wide ly us e d te chnology around the world,
and is the approach which unde rlie s s uch Inte rne t s tandards as Trans port Laye r Se curity
(TLS) (s ucce s s or to SSL), PGP and GPG. [10]
The dis tinguis hing te chnique us e d in public ke y cryptography is the us e of as ymme tric ke y
algorithms , whe re the ke y us e d to e ncrypt a me s s age is not the s ame as the ke y us e d to
de crypt it. Each us e r has a pair of cryptographic ke ys a public ke y and a private ke y.
The private ke y is ke pt s e cre t, whils t the public ke y may be wide ly dis tribute d. Me s s age s
are e ncrypte d with the re cipie nt's public ke y and can only be de crypte d with the
corre s ponding private ke y. The ke ys are re late d mathe matically, but the private ke y
cannot be fe as ibly (ie , in actual or proje cte d practice ) de rive d from the public ke y. It was
the dis cove ry of s uch algorithms which re volutioniz e d the practice of cryptography
be ginning in the middle 1970s . [11]
In contras t, Symme tric-ke y algorithms , variations of which have be e n us e d for s ome
thous ands of ye ars , us e a s ingle s e cre t ke y s hare d by s e nde r and re ce ive r (which mus t
als o be ke pt private , thus accounting for the ambiguity of the common te rminology) for
both e ncryption and de cryption. To us e a s ymme tric e ncryption s che me , the s e nde r and
re ce ive r mus t s e cure ly s hare a ke y in advance . [12]
Be caus e s ymme tric ke y algorithms are ne arly always much le s s computationally
inte ns ive , it is common to e xchange a ke y us ing a ke y-e xchange algorithm and trans mit
data us ing that ke y and a s ymme tric ke y algorithm. PGP, and the SSL/TLS family of
s che me s do this , for ins tance , and are calle d hybrid cryptos ys te ms in cons e que nce . [13]

A.2.1. Dif f ie-Hellman


Diffie He llman ke y e xchange (DH) is a cryptographic protocol that allows two partie s that
have no prior knowle dge of e ach othe r to jointly e s tablis h a s hare d s e cre t ke y ove r an
ins e cure communications channe l. This ke y can the n be us e d to e ncrypt s ubs e que nt
communications us ing a s ymme tric ke y ciphe r. [14]

A.2.1.1. Dif f ie-Hellman Hist ory


The s che me was firs t publis he d by Whitfie ld Diffie and Martin He llman in 1976, although it
late r e me rge d that it had be e n s e parate ly inve nte d a fe w ye ars e arlie r within GCHQ, the
Britis h s ignals inte llige nce age ncy, by Malcolm J. Williams on but was ke pt clas s ifie d. In
2002, He llman s ugge s te d the algorithm be calle d Diffie He llmanMe rkle ke y e xchange in
re cognition of Ralph Me rkle 's contribution to the inve ntion of public-ke y cryptography
(He llman, 2002). [15]

207

Se c ur it y Guide

Although Diffie He llman ke y agre e me nt its e lf is an anonymous (non-authe nticate d) ke yagre e me nt protocol, it provide s the bas is for a varie ty of authe nticate d protocols , and is
us e d to provide pe rfe ct forward s e cre cy in Trans port Laye r Se curity's e phe me ral mode s
(re fe rre d to as EDH or DHE de pe nding on the ciphe r s uite ). [16]
U.S. Pate nt 4,200,770, now e xpire d, de s cribe s the algorithm and cre dits He llman, Diffie ,
and Me rkle as inve ntors . [17]

A.2.2. RSA
In cryptography, RSA (which s tands for Rive s t, Shamir and Adle man who firs t publicly
de s cribe d it) is an algorithm for public-ke y cryptography. It is the firs t algorithm known to
be s uitable for s igning as we ll as e ncryption, and was one of the firs t gre at advance s in
public ke y cryptography. RSA is wide ly us e d in e le ctronic comme rce protocols , and is
be lie ve d to be s e cure give n s ufficie ntly long ke ys and the us e of up-to-date
imple me ntations .

A.2.3. DSA
DSA (Digital Signature Algorithm) is a s tandard for digital s ignature s , a Unite d State s
fe de ral gove rnme nt s tandard for digital s ignature s . DSA is for s ignature s only and is not
an e ncryption algorithm. [18]

A.2.4. SSL/T LS
Trans port Laye r Se curity (TLS) and its pre de ce s s or, Se cure Socke ts Laye r (SSL), are
cryptographic protocols that provide s e curity for communications ove r ne tworks s uch as
the Inte rne t. TLS and SSL e ncrypt the s e gme nts of ne twork conne ctions at the Trans port
Laye r e nd-to-e nd.
Se ve ral ve rs ions of the protocols are in wide s pre ad us e in applications like we b brows ing,
e le ctronic mail, Inte rne t faxing, ins tant me s s aging and voice -ove r-IP (VoIP). [19]

A.2.5. Cramer-Shoup Crypt osyst em


The Crame rShoup s ys te m is an as ymme tric ke y e ncryption algorithm, and was the firs t
e fficie nt s che me prove n to be s e cure agains t adaptive chos e n ciphe rte xt attack us ing
s tandard cryptographic as s umptions . Its s e curity is bas e d on the computational
intractability (wide ly as s ume d, but not prove d) of the de cis ional Diffie He llman as s umption.
De ve lope d by Ronald Crame r and Victor Shoup in 1998, it is an e xte ns ion of the ElGamal
cryptos ys te m. In contras t to ElGamal, which is e xtre me ly malle able , Crame rShoup adds
additional e le me nts to e ns ure non-malle ability e ve n agains t a re s ource ful attacke r. This
non-malle ability is achie ve d through the us e of a collis ion-re s is tant has h function and
additional computations , re s ulting in a ciphe rte xt which is twice as large as in ElGamal.
[20]

A.2.6. ElGamal Encrypt ion


In cryptography, the ElGamal e ncryption s ys te m is an as ymme tric ke y e ncryption
algorithm for public-ke y cryptography which is bas e d on the Diffie -He llman ke y agre e me nt.
It was de s cribe d by Tahe r ElGamal in 1985. ElGamal e ncryption is us e d in the fre e GNU
Privacy Guard s oftware , re ce nt ve rs ions of PGP, and othe r cryptos ys te ms . [21]

208

A ppe ndix A. Enc r ypt io n St andar ds

[3] "Advanced Encryption Standard." Wikipedia. 14 Novem ber 2009


http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[4] "Advanced Encryption Standard." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[5] "Advanced Encryption Standard." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[6] "Data Encryption Standard." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Data_Encryption_Standard
[7] "Data Encryption Standard." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Data_Encryption_Standard
[8] "Data Encryption Standard." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Data_Encryption_Standard
[9] "P ublic-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/P ublickey_cryptography
[10] "P ublic-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/P ublickey_cryptography
[11] "P ublic-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/P ublickey_cryptography
[12] "P ublic-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/P ublickey_cryptography
[13] "P ublic-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/P ublickey_cryptography
[14] "Diffie-Hellm an." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Diffie-Hellm an
[15] "Diffie-Hellm an." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Diffie-Hellm an
[16] "Diffie-Hellm an." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Diffie-Hellm an
[17] "Diffie-Hellm an." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Diffie-Hellm an
[18] "DSA." Wikipedia. 24 February 2010 http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
[19] "TLS/SSL." Wikipedia. 24 February 2010 http://en.wikipedia.org/wiki/Transport_Layer_Security
[20] "C ram er-Shoup cryptosystem ." Wikipedia. 24 February 2010
http://en.wikipedia.org/wiki/C ram erShoup_cryptosystem
[21] "ElGam al encryption" Wikipedia. 24 February 2010
http://en.wikipedia.org/wiki/ElGam al_encryption

209

Se c ur it y Guide

Appendix B. Audit Syst em Reference


B.1. Audit Event Fields
Table B.1, Eve nt Fie lds lis ts all curre ntly-s upporte d Audit e ve nt fie lds . An e ve nt fie ld is
the value pre ce ding the e qual s ign in the Audit log file s .
T able B.1. Event Fields
Event Field

Explanat io n

a0, a1, a2, a3

Re cords the firs t four argume nts of the s ys te m call, e ncode d


in he xade cimal notation.
Re cords a us e r's account name .
Re cords the IPv4 or IPv6 addre s s . This fie ld us ually follows a
hostname fie ld and contains the addre s s the hos t name
re s olve s to.
Re cords information about the CPU archite cture of the s ys te m,
e ncode d in he xade cimal notation.
Re cords the Audit us e r ID. This ID is as s igne d to a us e r upon
login and is inhe rite d by e ve ry proce s s e ve n whe n the us e r's
ide ntity change s (for e xample , by s witching us e r accounts with
su - john).
Re cords the numbe r of bits that we re us e d to s e t a particular
Linux capability. For more information on Linux capabilitie s ,
re fe r to the capabilitie s (7) man page .
Re cords data re late d to the s e tting of an inhe rite d file
s ys te m-bas e d capability.
Re cords data re late d to the s e tting of a pe rmitte d file s ys te mbas e d capability.
Re cords data re late d to the s e tting of an e ffe ctive proce s s bas e d capability.
Re cords data re late d to the s e tting of an inhe rite d proce s s bas e d capability.
Re cords data re late d to the s e tting of a pe rmitte d proce s s bas e d capability.
Re cords the path to the cgroup that contains the proce s s at
the time the Audit e ve nt was ge ne rate d.
Re cords the e ntire command line that is e xe cute d. This is
us e ful in cas e of s he ll inte rpre te rs whe re the exe fie ld
re cords , for e xample , /bin/bash as the s he ll inte rpre te r and
the cmd fie ld re cords the re s t of the command line that is
e xe cute d, for e xample helloworld.sh --help.
Re cords the command that is e xe cute d. This is us e ful in cas e
of s he ll inte rpre te rs whe re the exe fie ld re cords , for e xample ,
/bin/bash as the s he ll inte rpre te r and the comm fie ld re cords
the name of the s cript that is e xe cute d, for e xample
helloworld.sh.
Re cords the path to the dire ctory in which a s ys te m call was
invoke d.
Re cords data as s ociate d with TTY re cords .
Re cords the minor and major ID of the de vice that contains
the file or dire ctory re corde d in an e ve nt.

acct
addr

arch
auid

capability

cap_fi
cap_fp
cap_pe
cap_pi
cap_pp
cgroup
cmd

comm

cwd
data
dev

210

A ppe ndix B. Audit Sys t e m Re f e r e nc e

Event Field

Explanat io n

devmajor
devminor
egid

Re cords the major de vice ID.


Re cords the minor de vice ID.
Re cords the e ffe ctive group ID of the us e r who s tarte d the
analyz e d proce s s .
Re cords the e ffe ctive us e r ID of the us e r who s tarte d the
analyz e d proce s s .
Re cords the path to the e xe cutable that was us e d to invoke
the analyz e d proce s s .
Re cords the e xit code re turne d by a s ys te m call. This value
varie s by s ys te m call. You can inte rpre t the value to its
human-re adable e quivale nt with the following command:
ausearch --interpret --exit exit_code
Re cords the type of addre s s protocol that was us e d, e ithe r
IPv4 or IPv6.
Re cords the type of the file .
Re cords the file s ys te m name flags .
Re cords the file s ys te m group ID of the us e r who s tarte d the
analyz e d proce s s .
Re cords the file s ys te m us e r ID of the us e r who s tarte d the
analyz e d proce s s .
Re cords the group ID.
Re cords the hos t name .
Re cords the type of a Inte rne t Control Me s s age Protocol
(ICMP) package that is re ce ive d. Audit me s s age s containing
this fie ld are us ually ge ne rate d by ipt ables.
Re cords the us e r ID of an account that was change d.
Re cords the inode numbe r as s ociate d with the file or dire ctory
re corde d in an Audit e ve nt.
Re cords the group ID of the inode 's owne r.
Re cords the us e r ID of the inode 's owne r.
Re cords the numbe r of path re cords that are attache d to this
re cord.
Re cords the us e r de fine d s tring as s ociate d with a rule that
ge ne rate d a particular e ve nt in the Audit log.
Re cords the Audit rule lis t ID. The following is a lis t of known
IDs :

euid
exe
exit

family
filetype
flags
fsgid
fsuid
gid
hostname
icmptype

id
inode
inode_gid
inode_uid
items
key
list

0
1
4
5
mode
msg

msgtype

name

user
task
exit
exclude

Re cords the file or dire ctory pe rmis s ions , e ncode d in


nume rical notation.
Re cords a time s tamp and a unique ID of a re cord, or various
e ve nt-s pe cific <name>=<value> pairs provide d by the ke rne l
or us e r s pace applications .
Re cords the me s s age type that is re turne d in cas e of a us e rbas e d AVC de nial. The me s s age type is de te rmine d by DBus .
Re cords the full path of the file or dire ctory that was pas s e d
to the s ys te m call as an argume nt.

211

Se c ur it y Guide

Event Field

Explanat io n

new-disk

Re cords the name of a ne w dis k re s ource that is as s igne d to


a virtual machine .
Re cords the amount of a ne w me mory re s ource that is
as s igne d to a virtual machine .
Re cords the numbe r of a ne w virtual CPU re s ource that is
as s igne d to a virtual machine .
Re cords the MAC addre s s of a ne w ne twork inte rface
re s ource that is as s igne d to a virtual machine .
Re cords a group ID that is as s igne d to a us e r.
Re cords the us e r ID of the us e r that has logge d in to acce s s
the s ys te m (as oppos e d to, for e xample , us ing su) and has
s tarte d the targe t proce s s . This fie ld is e xclus ive to the
re cord of type OBJ_PID.
Re cords the command that was us e d to s tart the targe t
proce s s .This fie ld is e xclus ive to the re cord of type OBJ_PID.
Re cords the proce s s ID of the targe t proce s s . This fie ld is
e xclus ive to the re cord of type OBJ_PID.
Re cords the s e s s ion ID of the targe t proce s s . This fie ld is
e xclus ive to the re cord of type OBJ_PID.
Re cords the re al us e r ID of the targe t proce s s
Re cords the SELinux conte xt of an obje ct. An obje ct can be a
file , a dire ctory, a s ocke t, or anything that is re ce iving the
action of a s ubje ct.
Re cords the group ID of an obje ct.
Re cords the high SELinux le ve l of an obje ct.
Re cords the low SELinux le ve l of an obje ct.
Re cords the SELinux role of an obje ct.
Re cords the UID of an obje ct
Re cords the us e r that is as s ociate d with an obje ct.
Re cords the obje ct owne r's group ID.
Re cords the name of an old dis k re s ource whe n a ne w dis k
re s ource is as s igne d to a virtual machine .
Re cords the amount of an old me mory re s ource whe n a ne w
amount of me mory is as s igne d to a virtual machine .
Re cords the numbe r of an old virtual CPU re s ource whe n a
ne w virtual CPU is as s igne d to a virtual machine .
Re cords the MAC addre s s of an old ne twork inte rface
re s ource whe n a ne w ne twork inte rface is as s igne d to a
virtual machine .
Re cords the pre vious value of the ne twork promis cuity flag.
Re cords the re al us e r ID of the us e r who s tarte d the targe t
proce s s .
Re cords the full path of the file or dire ctory that was pas s e d
to the s ys te m call as an argume nt in cas e of AVC-re late d
Audit e ve nts
Re cords the file pe rmis s ion that was us e d to ge ne rate an
e ve nt (that is , re ad, write , e xe cute , or attribute change )

new-mem
new-vcpu
new-net
new_gid
oauid

ocomm
opid
oses
ouid
obj

obj_gid
obj_lev_high
obj_lev_low
obj_role
obj_uid
obj_user
ogid
old-disk
old-mem
old-vcpu
old-net

old_prom
ouid
path

perm

212

A ppe ndix B. Audit Sys t e m Re f e r e nc e

Event Field

Explanat io n

pid

The pid fie ld s e mantics de pe nd on the origin of the value in


this fie ld.
In fie lds ge ne rate d from us e r-s pace , this fie ld holds a proce s s
ID.
In fie lds ge ne rate d by the ke rne l, this fie ld holds a thre ad ID.
The thre ad ID is e qual to proce s s ID for s ingle -thre ade d
proce s s e s . Note that the value of this thre ad ID is diffe re nt
from the value s of pthre ad_t IDs us e d in us e r-s pace . For
more information, re fe r to the ge ttid(2) man page .

ppid
prom
proto
res
result
saddr
sauid

ses
sgid
sig
subj
subj_clr
subj_role
subj_sen
subj_user
success
suid
syscall
terminal
tty
uid
vm

Re cords the Pare nt Proce s s ID (PID).


Re cords the ne twork promis cuity flag.
Re cords the ne tworking protocol that was us e d. This fie ld is
s pe cific to Audit e ve nts ge ne rate d by ipt ables.
Re cords the re s ult of the ope ration that trigge re d the Audit
e ve nt.
Re cords the re s ult of the ope ration that trigge re d the Audit
e ve nt.
Re cords the s ocke t addre s s .
Re cords the s e nde r Audit login us e r ID. This ID is provide d by
D-Bus as the ke rne l is unable to s e e which us e r is s e nding
the original auid.
Re cords the s e s s ion ID of the s e s s ion from which the
analyz e d proce s s was invoke d.
Re cords the s e t group ID of the us e r who s tarte d the
analyz e d proce s s .
Re cords the numbe r of a s ignal that caus e s a program to e nd
abnormally. Us ually, this is a s ign of a s ys te m intrus ion.
Re cords the SELinux conte xt of a s ubje ct. A s ubje ct can be a
proce s s , a us e r, or anything that is acting upon an obje ct.
Re cords the SELinux cle arance of a s ubje ct.
Re cords the SELinux role of a s ubje ct.
Re cords the SELinux s e ns itivity of a s ubje ct.
Re cords the us e r that is as s ociate d with a s ubje ct.
Re cords whe the r a s ys te m call was s ucce s s ful or faile d.
Re cords the s e t us e r ID of the us e r who s tarte d the analyz e d
proce s s .
Re cords the type of the s ys te m call that was s e nt to the
ke rne l.
Re cords the te rminal name (without /dev/).
Re cords the name of the controlling te rminal. The value
(none) is us e d if the proce s s has no controlling te rminal.
Re cords the re al us e r ID of the us e r who s tarte d the analyz e d
proce s s .
Re cords the name of a virtual machine from which the Audit
e ve nt originate d.

213

Se c ur it y Guide

B.2. Audit Record T ypes


Table B.2, Re cord Type s lis ts all curre ntly-s upporte d type s of Audit re cords . The e ve nt
type is s pe cifie d in the type= fie ld at the be ginning of e ve ry Audit re cord.
T able B.2. Reco rd T ypes
Event T ype

Explanat io n

ADD_GROUP
ADD_USER

Trigge re d whe n a us e r-s pace group is adde d.


Trigge re d whe n a us e r-s pace us e r account is adde d.
Trigge re d whe n a proce s s e s e nds abnormally (with a s ignal
that could caus e a core dump, if e nable d).
Trigge re d whe n a file or a dire ctory acce s s e nds abnormally.

ANOM_ABEND [a]
ANOM_ACCESS_FS [a]
ANOM_ADD_ACCT [a]

ANOM_EXEC [a]

Trigge re d whe n a us e r-s pace account addition e nds


abnormally.
Trigge re d whe n a failure of the Abs tract Machine Te s t Utility
(AMTU) is de te cte d.
Trigge re d whe n a failure in the cryptographic s ys te m is
de te cte d.
Trigge re d whe n a us e r-s pace account de le tion e nds
abnormally.
Trigge re d whe n an e xe cution of a file e nds abnormally.

ANOM_LOGIN_ACCT [a]

Trigge re d whe n an account login atte mpt e nds abnormally.

ANOM_LOGIN_FAILURES [

Trigge re d whe n the limit of faile d login atte mpts is re ache d.

ANOM_AMTU_FAIL [a]
ANOM_CRYPTO_FAIL [a]
ANOM_DEL_ACCT [a]

a]

ANOM_LOGIN_LOCATION [
a]

ANOM_LOGIN_SESSIONS [
a]

ANOM_LOGIN_TIME [a]
ANOM_MAX_DAC [a]
ANOM_MAX_MAC [a]
ANOM_MK_EXEC [a]
ANOM_MOD_ACCT [a]
ANOM_PROMISCUOUS [a]
ANOM_RBAC_FAIL [a]
ANOM_RBAC_INTEGRITY_
FAIL [a]
ANOM_ROOT_TRANS [a]
AVC
AVC_PATH

214

Trigge re d whe n a login atte mpt is made from a forbidde n


location.
Trigge re d whe n a login atte mpt re ache s the maximum amount
of concurre nt s e s s ions .
Trigge re d whe n a login atte mpt is made at a time whe n it is
pre ve nte d by, for e xample , pam_time.
Trigge re d whe n the maximum amount of Dis cre tionary Acce s s
Control (DAC) failure s is re ache d.
Trigge re d whe n the maximum amount of Mandatory Acce s s
Control (MAC) failure s is re ache d.
Trigge re d whe n a file is made e xe cutable .
Trigge re d whe n a us e r-s pace account modification e nds
abnormally.
Trigge re d whe n a de vice e nable s or dis able s promis cuous
mode .
Trigge re d whe n a Role -Bas e d Acce s s Control (RBAC) s e lf-te s t
failure is de te cte d.
Trigge re d whe n a Role -Bas e d Acce s s Control (RBAC) file
inte grity te s t failure is de te cte d.
Trigge re d whe n a us e r be come s root.
Trigge re d to re cord an SELinux pe rmis s ion che ck.
Trigge re d to re cord the dentry and vfsmount pair whe n an
SELinux pe rmis s ion che ck occurs .

A ppe ndix B. Audit Sys t e m Re f e r e nc e

Event T ype

Explanat io n

BPRM_FCAPS

Trigge re d whe n a us e r e xe cute s a program with a file s ys te m


capability.
Trigge re d to re cord the capabilitie s be ing s e t for proce s s bas e d capabilitie s , for e xample , running as root to drop
capabilitie s .
Trigge re d whe n a us e r-s pace group ID is change d.
Trigge re d whe n a us e r-s pace us e r ID is change d.
Trigge re d whe n the Audit s ys te m configuration is modifie d.
Trigge re d whe n a us e r acquire s us e r-s pace cre de ntials .
Trigge re d whe n a us e r dis pos e s of us e r-s pace cre de ntials .
Trigge re d whe n a us e r re fre s he s the ir us e r-s pace
cre de ntials .
Trigge re d whe n a de crypt, e ncrypt, or randomiz e
cryptographic ope ration fails .
Trigge re d to re cord the cryptographic ke y ide ntifie r us e d for
cryptographic purpos e s .
Trigge re d whe n a cryptographic office r login atte mpt is
de te cte d.
Trigge re d whe n a crypto office r logout atte mpt is de te cte d.
Trigge re d whe n a change in a cryptographic parame te r is
de te cte d.
Trigge re d whe n a re play attack is de te cte d.
Trigge re d to re cord parame te rs s e t during a TLS s e s s ion
e s tablis hme nt.
Trigge re d to re cord cryptographic te s t re s ults as re quire d by
the FIPS-140 s tandard.
Trigge re d to re cord the curre nt working dire ctory.
Trigge re d to re cord DAC che ck re s ults .
Trigge re d whe n a dae mon is s toppe d due to an e rror.
Trigge re d whe n the auditd dae mon acce pts a re mote
conne ction.
Trigge re d whe n the auditd dae mon clos e s a re mote
conne ction.
Trigge re d whe n a dae mon configuration change is de te cte d.
Trigge re d whe n a dae mon is s ucce s s fully s toppe d.
Trigge re d whe n the auditd dae mon re s ume s logging.
Trigge re d whe n the auditd dae mon rotate s the Audit log
file s .
Trigge re d whe n the auditd dae mon is s tarte d.
Trigge re d whe n a us e r-s pace group is de le te d
Trigge re d whe n a us e r-s pace us e r is de le te d
Trigge re d whe n a de vice is allocate d.
Trigge re d whe n a de vice is de allocate d.
Trigge re d to re cord the e nd of a multi-re cord e ve nt.
Trigge re d to re cord argume nts of the execve(2) s ys te m call.
Trigge re d to re cord the us e of the pipe and socketpair
s ys te m calls .
Trigge re d whe n a file s ys te m re labe l ope ration is de te cte d.
Trigge re d whe n a group pas s word is us e d to authe nticate
agains t a us e r-s pace group.

CAPSET

CHGRP_ID
CHUSER_ID
CONFIG_CHANGE
CRED_ACQ
CRED_DISP
CRED_REFR
CRYPTO_FAILURE_USER
CRYPTO_KEY_USER
CRYPTO_LOGIN
CRYPTO_LOGOUT
CRYPTO_PARAM_CHANGE_
USER
CRYPTO_REPLAY_USER
CRYPTO_SESSION
CRYPTO_TEST_USER
CWD
DAC_CHECK
DAEMON_ABORT
DAEMON_ACCEPT
DAEMON_CLOSE
DAEMON_CONFIG
DAEMON_END
DAEMON_RESUME
DAEMON_ROTATE
DAEMON_START
DEL_GROUP
DEL_USER
DEV_ALLOC
DEV_DEALLOC
EOE
EXECVE
FD_PAIR
FS_RELABEL
GRP_AUTH

215

Se c ur it y Guide

Event T ype

Explanat io n

INTEGRITY_DATA [b]

Trigge re d to re cord a data inte grity ve rification e ve nt run by


the ke rne l.
Trigge re d to re cord a has h type inte grity ve rification e ve nt
run by the ke rne l.
Trigge re d to re cord a me tadata inte grity ve rification e ve nt run
by the ke rne l.
Trigge re d to re cord Platform Configuration Re gis te r (PCR)
invalidation me s s age s .
Trigge re d to re cord a policy rule .

INTEGRITY_HASH [b]
INTEGRITY_METADATA [b]
INTEGRITY_PCR [b]
INTEGRITY_RULE [b]
INTEGRITY_STATUS [b]
IPC
IPC_SET_PERM
KERNEL
KERNEL_OTHER
LABEL_LEVEL_CHANGE
LABEL_OVERRIDE
LOGIN
MAC_CIPSOV4_ADD

MAC_CIPSOV4_DEL

MAC_CONFIG_CHANGE
MAC_IPSEC_EVENT
MAC_MAP_ADD

MAC_MAP_DEL

MAC_POLICY_LOAD
MAC_STATUS
MAC_UNLBL_ALLOW
MAC_UNLBL_STCADD
MAC_UNLBL_STCDEL
MMAP
MQ_GETSETATTR

216

Trigge re d to re cord the s tatus of inte grity ve rification.


Trigge re d to re cord information about a Inte r-Proce s s
Communication obje ct re fe re nce d by a s ys te m call.
Trigge re d to re cord information about ne w value s s e t by an
IPC_SET control ope ration on an IPC obje ct.
Trigge re d to re cord the initializ ation of the Audit s ys te m.
Trigge re d to re cord information from third-party ke rne l
module s .
Trigge re d whe n an obje ct's le ve l labe l is modifie d.
Trigge re d whe n an adminis trator ove rride s an obje ct's le ve l
labe l.
Trigge re d to re cord re le vant login information whe n a us e r log
in to acce s s the s ys te m.
Trigge re d whe n a Comme rcial Inte rne t Protocol Se curity
Option (CIPSO) us e r adds a ne w Domain of Inte rpre tation
(DOI). Adding DOIs is a part of the packe t labe ling capabilitie s
of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n a CIPSO us e r de le te s an e xis ting DOI. Adding
DOIs is a part of the packe t labe ling capabilitie s of the ke rne l
provide d by Ne tLabe l.
Trigge re d whe n an SELinux Boole an value is change d.
Trigge re d to re cord information about an IPSe c e ve nt, whe n
one is de te cte d, or whe n the IPSe c configuration change s .
Trigge re d whe n a ne w Linux Se curity Module (LSM) domain
mapping is adde d. LSM domain mapping is a part of the packe t
labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n an e xis ting LSM domain mapping is adde d.
LSM domain mapping is a part of the packe t labe ling
capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n a SELinux policy file is loade d.
Trigge re d whe n the SELinux mode (e nforcing, pe rmis s ive , off)
is change d.
Trigge re d whe n unlabe le d traffic is allowe d whe n us ing the
packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n a s tatic labe l is adde d whe n us ing the packe t
labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n a s tatic labe l is de le te d whe n us ing the
packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d to re cord a file de s criptor and flags of the mmap(2)
s ys te m call.
Trigge re d to re cord the mq_getattr(3) and mq_setattr(3)
me s s age que ue attribute s .

A ppe ndix B. Audit Sys t e m Re f e r e nc e

Event T ype

Explanat io n

MQ_NOTIFY

Trigge re d to re cord argume nts of the mq_notify(3) s ys te m


call.
Trigge re d to re cord argume nts of the mq_open(3) s ys te m
call.
Trigge re d to re cord argume nts of the mq_send(3) and
mq_receive(3) s ys te m calls .
Trigge re d whe n Ne tfilte r chain modifications are de te cte d.
Trigge re d to re cord packe ts trave rs ing Ne tfilte r chains .
Trigge re d to re cord information about a proce s s to which a
s ignal is s e nt.
Trigge re d to re cord file name path information.
Trigge re d whe n a us e r account is locke d.

MQ_OPEN
MQ_SENDRECV
NETFILTER_CFG
NETFILTER_PKT
OBJ_PID
PATH
RESP_ACCT_LOCK [c]
RESP_ACCT_LOCK_TIMED
[c]

RESP_ACCT_REMOTE [c]

Trigge re d whe n a us e r account is locke d for a s pe cifie d pe riod


of time .

ED [c]

Trigge re d whe n a us e r account is locke d from a re mote


s e s s ion.
Trigge re d whe n a us e r account is unlocke d afte r a configure d
pe riod of time .

RESP_ALERT [c]

Trigge re d whe n an ale rt e mail is s e nt.

RESP_ANOMALY [c]

Trigge re d whe n an anomaly was not acte d upon.

RESP_EXEC [c]
RESP_HALT [c]

Trigge re d whe n an intrus ion de te ction program re s ponds to a


thre at originating from the e xe cution of a program.
Trigge re d whe n the s ys te m is s hut down.

RESP_KILL_PROC [c]

Trigge re d whe n a proce s s is te rminate d.

RESP_SEBOOL [c]

Trigge re d whe n an SELinux Boole an value is s e t.

RESP_SINGLE [c]

Trigge re d whe n the s ys te m is put into s ingle -us e r mode .

RESP_TERM_ACCESS [c]

Trigge re d whe n a s e s s ion is te rminate d.

RESP_TERM_LOCK [c]
ROLE_ASSIGN

Trigge re d whe n a te rminal is locke d.

RESP_ACCT_UNLOCK_TIM

ROLE_MODIFY
ROLE_REMOVE
SELINUX_ERR
SERVICE_START
SERVICE_STOP
SOCKADDR
SOCKETCALL

SYSCALL
SYSTEM_BOOT
SYSTEM_RUNLEVEL
SYSTEM_SHUTDOWN
TEST
TRUSTED_APP

Trigge re d whe n an adminis trator as s igns a us e r to an SELinux


role .
Trigge re d whe n an adminis trator modifie s an SELinux role .
Trigge re d whe n an adminis trator re move s a us e r from an
SELinux role .
Trigge re d whe n an inte rnal SELinux e rror is de te cte d.
Trigge re d whe n a s e rvice is s tarte d.
Trigge re d whe n a s e rvice is s toppe d.
Trigge re d to re cord a s ocke t addre s s .
Trigge re d to re cord argume nts of the sys_socketcall
s ys te m call (us e d to multiple x many s ocke t-re late d s ys te m
calls ).
Trigge re d to re cord a s ys te m call to the ke rne l.
Trigge re d whe n the s ys te m is boote d up.
Trigge re d whe n the s ys te m's run le ve l is change d.
Trigge re d whe n the s ys te m is s hut down.
Trigge re d to re cord the s ucce s s value of a te s t me s s age .
The re cord of this type can be us e d by third party application
that re quire auditing.

217

Se c ur it y Guide

Event T ype

Explanat io n

TTY

Trigge re d whe n TTY input was s e nt to an adminis trative


proce s s .
Trigge re d whe n a us e r-s pace us e r account is modifie d.
Trigge re d whe n a us e r-s pace authe ntication atte mpt is
de te cte d.
Trigge re d whe n a us e r-s pace AVC me s s age is ge ne rate d.
Trigge re d whe n a us e r account attribute is modifie d.
Trigge re d whe n a us e r-s pace s he ll command is e xe cute d.
Trigge re d whe n a us e r-s pace s e s s ion is te rminate d.
Trigge re d whe n a us e r account s tate e rror is de te cte d.
Trigge re d whe n an obje ct is e xporte d with an SELinux labe l.
Trigge re d whe n a us e r logs in.
Trigge re d whe n a us e r logs out.
Trigge re d whe n a us e r-s pace dae mon loads an SELinux policy.
Trigge re d to re cord us e r-s pace manage me nt data.
Trigge re d whe n a us e r's SELinux role is change d.
Trigge re d whe n a us e r-s pace SELinux e rror is de te cte d.
Trigge re d whe n a us e r-s pace s e s s ion is s tarte d.
Trigge re d whe n an e xplanatory me s s age about TTY input to
an adminis trative proce s s is s e nt from us e r-s pace .
Trigge re d whe n an obje ct is e xporte d without SELinux labe l.

USER_ACCT
USER_AUTH
USER_AVC
USER_CHAUTHTOK
USER_CMD
USER_END
USER_ERR
USER_LABELED_EXPORT
USER_LOGIN
USER_LOGOUT
USER_MAC_POLICY_LOAD
USER_MGMT
USER_ROLE_CHANGE
USER_SELINUX_ERR
USER_START
USER_TTY
USER_UNLABELED_EXPOR
T
USYS_CONFIG
VIRT_CONTROL
VIRT_MACHINE_ID
VIRT_RESOURCE

Trigge re d
de te cte d.
Trigge re d
s toppe d.
Trigge re d
Trigge re d

whe n a us e r-s pace s ys te m configuration change is


whe n a virtual machine is s tarte d, paus e d, or

to re cord the binding of a labe l to a virtual machine .


to re cord re s ource as s ignme nt of a virtual machine .
[a] All Audit event types prepended with ANOM are intended to be processed by an intrusion

detection program .
[b] This event type is related to the Integrity Measurem ent Architecture (IMA), which functions
best with a Trusted P latform Module (TP M) chip.
[c] All Audit event types prepended with RESP are intended responses of an intrusion
detection system in case it detects m alicious activity on the system .

218

A ppe ndix C. Re vis io n His t o r y

Appendix C. Revision Hist ory


Revisio n 1-19
Mo n Jul 18 20 16
The Smart Cards s e ction adde d.

Mirek Jaho da

Revisio n 1-18
Mo n Jun 27 20 16
The Ope nSCAP-dae mon and Atomic Scan s e ction adde d.

Mirek Jaho da

Revisio n 1-17
Fri Jun 3 20 16
As ync re le as e with mis c. update s .

Mirek Jaho da

Revisio n 1-16
Pos t 7.2 GA fixe s .

Ro bert Krt k

T ue Jan 5 20 16

Revisio n 1-15
T ue No v 10 20 15
Ve rs ion for 7.2 GA re le as e .

Ro bert Krt k

Revisio n 1-14.18
Mo n No v 0 9 20 15
As ync re le as e with mis c. update s .

Ro bert Krt k

Revisio n 1-14.17
Wed Feb 18 20 15
Ve rs ion for 7.1 GA re le as e .

Ro bert Krt k

Revisio n 1-14.15
Fri Dec 0 6 20 14
Update to s ort orde r on the Re d Hat Cus tome r Portal.

Ro bert Krt k

Revisio n 1-14.13
T hu No v 27 20 14
Update s re fle cting the POODLE vuln.

Ro bert Krt k

Revisio n 1-14.12
T ue Jun 0 3 20 14
Ve rs ion for 7.0 GA re le as e .

T o m apek

219