Security Guide
Robert Krátký
Tomáš Čapek
Miroslav Svoboda
Mirek Jahoda
Stephen Wadeley
Martin Prpič
Yoana Ruseva
Legal Notice
Copyright 2016 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version
of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If
the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees
not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable
law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora,
the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.
Linux is the registered trademark of Linus Torvalds in the United States and other
countries.
Java is a registered trademark of Oracle and/or its affiliates.
XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the
United States and/or other countries.
MySQL is a registered trademark of MySQL AB in the United States, the European
Union and other countries.
Node.js is an official trademark of Joyent. Red Hat Software Collections is not
formally related to or endorsed by the official Joyent Node.js open source or
commercial project.
The OpenStack Word Mark and OpenStack logo are either registered
trademarks/service marks or trademarks/service marks of the OpenStack
Foundation, in the United States and other countries and are used with the
OpenStack Foundation's permission. We are not affiliated with, endorsed or
sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Abstract
This book assists users and administrators in learning the processes and practices of
securing workstations and servers against local and remote intrusion, exploitation,
and malicious activity. Focused on Red Hat Enterprise Linux but detailing concepts
and techniques valid for all Linux systems, this guide details the planning and the
tools involved in creating a secured computing environment for the data center,
workplace, and home. With proper administrative knowledge, vigilance, and tools,
systems running Linux can be both fully functional and secured from most common
intrusion and exploit methods.
Table of Contents
Chapter 1. Overview of Security Topics
  1.1. What is Computer Security?
  1.2. Security Controls
  1.3. Vulnerability Assessment
  1.4. Security Threats
  1.5. Common Exploits and Attacks
Chapter 2. Security Tips for Installation
  2.1. Securing BIOS
  2.2. Partitioning the Disk
  2.3. Installing the Minimum Amount of Packages Required
  2.4. Post-installation Procedures
  2.5. Additional Resources
Chapter 3. Keeping Your System Up-to-Date
  3.1. Maintaining Installed Software
  3.2. Using the Red Hat Customer Portal
  3.3. Additional Resources
Chapter 4. Hardening Your System with Tools and Services
  4.1. Desktop Security
  4.2. Controlling Root Access
  4.10. Encryption
  4.11. Hardening TLS Configuration
Chapter 5. System Auditing
  Use Cases
  5.1. Audit System Architecture
Chapter 6. Compliance and Vulnerability Scanning with OpenSCAP
  6.1. Security Compliance in Red Hat Enterprise Linux
  6.2. Defining Compliance Policy
  6.3. Using SCAP Workbench
  6.4. Using oscap
Chapter 7. Federal Standards and Regulations
  7.1. Federal Information Processing Standard (FIPS)
  7.2. National Industrial Security Program Operating Manual (NISPOM)
  7.3. Payment Card Industry Data Security Standard (PCI DSS)
  7.4. Security Technical Implementation Guide
Appendix A. Encryption Standards
  A.1. Synchronous Encryption
  A.2. Public-key Encryption
Appendix B. Audit System Reference
  B.1. Audit Event Fields
  B.2. Audit Record Types
Appendix C. Revision History
Note
This document makes several references to files in the /lib directory. When using 64-bit systems, some of the files mentioned may instead be located in /lib64.
Integrity
Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
Availability
Information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.
Warning
Do not attempt to exploit vulnerabilities on production systems. Doing so can have adverse effects on productivity and efficiency of your systems and network.
The following list examines some of the benefits to performing vulnerability assessments.
Creates proactive focus on information security.
Finds potential exploits before crackers find them.
Results in systems being kept up to date and patched.
Promotes growth and aids in developing staff expertise.
Abates financial loss and negative publicity.
Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option that allows Nmap to attempt to identify the operating system running on a particular host. Nmap is a good foundation for establishing a policy of using secure services and restricting unused services.
To install Nmap, run the yum install nmap command as the root user.
1.3.3.1.1. Using Nmap
Nmap can be run from a shell prompt by typing the nmap command followed by the hostname or IP address of the machine to scan:
nmap <hostname>
For example, to scan a machine with hostname foo.example.com, type the following at a shell prompt:
~]$ nmap foo.example.com
The results of a basic scan (which could take up to a few minutes, depending on where the host is located and other network conditions) look similar to the following:
Interesting ports on foo.example.com:
Not shown: 1710 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
53/tcp  open   domain
80/tcp  open   http
113/tcp closed auth
Nmap tests the most common network communication ports for listening or waiting services. This knowledge can be helpful to an administrator who wants to close unnecessary or unused services.
For more information about using Nmap, see the official home page at the following URL:
http://www.insecure.org/
1.3.3.2. Nessus
Nessus is a full-service security scanner. The plug-in architecture of Nessus allows users to customize it for their systems and networks. As with any scanner, Nessus is only as good as the signature database it relies upon. Fortunately, Nessus is frequently updated and features full reporting, host scanning, and real-time vulnerability searches. Remember that there could be false positives and false negatives, even in a tool as powerful and as frequently updated as Nessus.
Note
The Nessus client and server software requires a subscription to use. It has been included in this document as a reference to users who may be interested in using this popular application.
For more information about Nessus, see the official website at the following URL:
http://www.nessus.org/
1.3.3.3. OpenVAS
OpenVAS (Open Vulnerability Assessment System) is a set of tools and services that can be used to scan for vulnerabilities and for a comprehensive vulnerability management. The OpenVAS framework offers a number of web-based, desktop, and command line tools for controlling the various components of the solution. The core functionality of OpenVAS is provided by a security scanner, which makes use of over 33 thousand daily-updated Network Vulnerability Tests (NVT). Unlike Nessus (see Section 1.3.3.2, Nessus), OpenVAS does not require any subscription.
For more information about OpenVAS, see the official website at the following URL:
http://www.openvas.org/
1.3.3.4. Nikto
Nikto is an excellent common gateway interface (CGI) script scanner. Nikto not only checks for CGI vulnerabilities but does so in an evasive manner, so as to elude intrusion-detection systems. It comes with thorough documentation which should be carefully reviewed prior to running the program. If you have web servers serving CGI scripts, Nikto can be an excellent resource for checking the security of these servers.
More information about Nikto can be found at the following URL:
http://cirt.net/nikto2
Another potential networking pitfall is the use of centralized computing. A common cost-cutting measure for many businesses is to consolidate all services to a single powerful machine. This can be convenient as it is easier to manage and costs considerably less than multiple-server configurations. However, a centralized server introduces a single point of failure on the network. If the central server is compromised, it may render the network completely useless or worse, prone to data manipulation or theft. In these situations, a central server becomes an open door that allows access to the entire network.
See Chapter 3, Keeping Your System Up-to-Date for more information about keeping a system up-to-date.
Bad Passwords
Bad passwords are one of the easiest ways for an attacker to gain access to a system. For more on how to avoid common pitfalls when creating a password, see Section 4.1.1, Password Security.
Common Exploits table (columns: Exploit, Description, Notes). Exploits listed: Null or Default Passwords; Default Shared Keys; IP Spoofing; Eavesdropping; Service Vulnerabilities; Application Vulnerabilities; Denial of Service (DoS) Attacks.
Red Hat recommends creating separate partitions for the /boot/, /, /home/, /tmp/, and /var/tmp/ directories. The reasons for each are different, and we will address each partition.
/boot
This partition is the first partition that is read by the system during boot up. The boot loader and kernel images that are used to boot your system into Red Hat Enterprise Linux 7 are stored in this partition. This partition should not be encrypted. If this partition is included in / and that partition is encrypted or otherwise becomes unavailable then your system will not be able to boot.
/home
When user data (/home) is stored in / instead of in a separate partition, the partition can fill up causing the operating system to become unstable. Also, when upgrading your system to the next version of Red Hat Enterprise Linux 7 it is a lot easier when you can keep your data in the /home partition as it will not be overwritten during installation. If the root partition (/) becomes corrupt your data could be lost forever. By using a separate partition there is slightly more protection against data loss. You can also target this partition for frequent backups.
/tmp and /var/tmp
Both the /tmp and /var/tmp directories are used to store data that does not need to be stored for a long period of time. However, if a lot of data floods one of these directories it can consume all of your storage space. If this happens and these directories are stored within / then your system could become unstable and crash. For this reason, moving these directories into their own partitions is a good idea.
Note
During the installation process, an option to encrypt partitions is presented to you. The user must supply a passphrase. This passphrase will be used as a key to unlock the bulk encryption key, which is used to secure the partition's data. For more information on LUKS, see Section 4.10.1, Using LUKS Disk Encryption.
The following steps are the security-related procedures that should be performed immediately after installation of Red Hat Enterprise Linux.
1. Update your system. Run the following command as root:
~]# yum update
2. Even though the firewall service, firewalld, is automatically enabled with the installation of Red Hat Enterprise Linux, there are scenarios where it might be explicitly disabled, for example in the kickstart configuration. In such a case, it is recommended to consider re-enabling the firewall.
To start firewalld run the following commands as root:
~]# systemctl start firewalld
~]# systemctl enable firewalld
3. To enhance security, disable services you do not need. For example, if there are no printers installed on your computer, disable the cups service using the following command:
~]# systemctl disable cups
To review active services, run the following command:
~]$ systemctl list-units | grep service
[2] Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.
To check for security-related updates available for your system, run the following command as root:
~]# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64                          | 3.4 kB  00:00:00
No packages needed for security; 0 packages available
Note that the above command runs in a non-interactive mode, so it can be used in scripts for automated checking whether there are any updates available. The command returns an exit value of 100 when there are any security updates available and 0 when there are not. On encountering an error, it returns 1.
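As an added example (not part of the Red Hat guide), the following Python wrapper turns the exit values just described into a scriptable check; the command tuple, the status strings, the parser's assumption about yum's three-column package listing, and the sample output are all assumptions made for this example.

```python
"""Scripted wrapper around the exit values documented above for
`yum check-update --security` (100 = security updates available,
0 = none, 1 = error). The command tuple, status strings and sample
output below are assumptions made for this example."""
import subprocess

SECURITY_UPDATES_AVAILABLE = 100
NO_SECURITY_UPDATES = 0
YUM_ERROR = 1


def interpret_exit_status(code):
    """Translate the exit value of yum check-update into a status string."""
    if code == SECURITY_UPDATES_AVAILABLE:
        return "updates-available"
    if code == NO_SECURITY_UPDATES:
        return "up-to-date"
    if code == YUM_ERROR:
        return "error"
    return "unknown"


def parse_update_list(output):
    """Extract (name.arch, version, repo) tuples from yum check-update output.

    Package lines have exactly three whitespace-separated fields; plugin
    chatter and repository progress lines ("... | 3.4 kB  00:00:00") do not.
    """
    updates = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 3 or "|" in line:
            continue
        name_arch, version, repo = fields
        if "." not in name_arch:      # package lines always carry an arch suffix
            continue
        updates.append((name_arch, version, repo))
    return updates


def check_security_updates(command=("yum", "check-update", "--security")):
    """Run the check non-interactively; return (status, list of updates).

    The package list is only parsed when the exit value says updates exist,
    so the empty listing of a clean system is never misread.
    """
    try:
        proc = subprocess.run(command, capture_output=True, text=True)
    except OSError:                   # yum missing or not executable
        return "error", []
    status = interpret_exit_status(proc.returncode)
    updates = parse_update_list(proc.stdout) if status == "updates-available" else []
    return status, updates


# Constructed sample output in the shape yum prints when updates exist;
# the package names and versions are made up for this example.
SAMPLE_OUTPUT = """Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64                          | 3.4 kB  00:00:00

examplelib.x86_64          1.0.0-2.el7            rhel-7-workstation-rpms
exampled.noarch            0.9.1-1.el7            rhel-7-workstation-rpms
"""

if __name__ == "__main__":
    status, updates = check_security_updates()
    print(status)
    for name_arch, version, repo in updates:
        print(f"{name_arch} {version} ({repo})")
```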
Analogously, use the following command to only install security-related updates:
~]# yum update --security
Use the updateinfo subcommand to display or act upon information provided by repositories about available updates. The updateinfo subcommand itself accepts a number of commands, some of which pertain to security-related uses. See Table 3.1, Security-related commands usable with yum updateinfo for an overview of these commands.
Table 3.1. Security-related commands usable with yum updateinfo
Command
Description
advisory [advisories]
The Yum package manager allows for an automatic verification of all packages it installs or upgrades. This feature is enabled by default. To configure this option on your system, make sure the gpgcheck configuration directive is set to 1 in the /etc/yum.conf configuration file.
Use the following command to manually verify package files on your file system:
rpmkeys --checksig package_file.rpm
See the Product Signing (GPG) Keys article on the Red Hat Customer Portal for additional information about Red Hat package-signing practices.
Important
Before installing any security errata, be sure to read any special instructions contained in the erratum report and execute them accordingly. See Section 3.1.3, Applying Changes Introduced by Installed Updates for general instructions about applying changes made by errata updates.
Note
In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, this option is not always required, nor is it always available to the system administrator.
Applications
User-space applications are any programs that can be initiated by the user. Typically, such applications are used only when the user, a script, or an automated task utility launches them.
Once such a user-space application is updated, halt any instances of the application on the system, and launch the program again to use the updated version.
Kernel
The kernel is the core software component for the Red Hat Enterprise Linux 7 operating system. It manages access to memory, the processor, and peripherals, and it schedules all tasks.
Because of its central role, the kernel cannot be restarted without also rebooting the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted.
KVM
When the qemu-kvm and libvirt packages are updated, it is necessary to stop all guest virtual machines, reload relevant virtualization modules (or reboot the host system), and restart the virtual machines.
Use the lsmod command to determine which modules from the following are loaded: kvm, kvm-intel, or kvm-amd. Then use the modprobe -r command to remove and subsequently the modprobe -a command to reload the affected modules. For example:
~]# lsmod | grep kvm
kvm_intel             143031  0
kvm                   460181  1 kvm_intel
~]# modprobe -r kvm-intel
~]# modprobe -r kvm
~]# modprobe -a kvm kvm-intel
Shared Libraries
Shared libraries are units of code, such as glibc, that are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using an updated library must be halted and relaunched.
To determine which running applications link against a particular library, use the lsof command:
lsof library
For example, to determine which running applications link against the libwrap.so.0 library, type:
~]# lsof /lib64/libwrap.so.0
COMMAND     PID USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
pulseaudi 12363 test  mem  REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6
This command returns a list of all the running programs that use TCP wrappers for host-access control. Therefore, any program listed must be halted and relaunched when the tcp_wrappers package is updated.
systemd Services
systemd services are persistent server programs usually launched during the boot process. Examples of systemd services include sshd or vsftpd.
Because these programs usually persist in memory as long as a machine is running, each updated systemd service must be halted and relaunched after its package is upgraded. This can be done as the root user using the systemctl command:
systemctl restart service_name
Replace service_name with the name of the service you want to restart, such as sshd.
Other Software
Follow the instructions outlined by the resources linked below to correctly update the following applications.
Red Hat Directory Server
See the Release Notes for the version of the Red Hat Directory Server in question at https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/.
Red Hat Enterprise Virtualization Manager
See the Installation Guide for the version of the Red Hat Enterprise Virtualization in question at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/.
Click on the erratum code in the left part of the table to display more detailed information about the individual advisories. The next page contains not only a description of the given erratum, including its causes, consequences, and required fixes, but also a list of all packages that the particular erratum updates along with instructions on how to apply the updates. The page also includes links to relevant references, such as related CVE.
Red Hat Enterprise Linux 7 System Administrator's Guide
The System Administrator's Guide for Red Hat Enterprise Linux 7 documents the use of the Yum and rpm commands that are used to install, update, and remove packages on Red Hat Enterprise Linux 7 systems.
Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide
The SELinux User's and Administrator's Guide for Red Hat Enterprise Linux 7 documents the configuration of the SELinux mandatory access control mechanism.
See Also
Chapter 2, Security Tips for Installation describes how to configure your system securely from the beginning to make it easier to implement additional security settings later.
Section 4.10.2, Creating GPG Keys describes how to create a set of personal GPG keys to authenticate your communications.
If the system enforces the use of uppercase letters, digits, or special characters, the passphrase that follows the above recommendation can be modified in a simple way, for example by changing the first character to uppercase and appending "1!". Note that such a modification does not increase the security of the passphrase significantly.
Another way to create a password yourself is using a password generator. pwmake is a command-line tool for generating random passwords that consist of all four groups of characters: uppercase, lowercase, digits and special characters. The utility allows you to specify the number of entropy bits that are used to generate the password. The entropy is pulled from /dev/urandom. The minimum number of bits you can specify is 56, which is enough for passwords on systems and services where brute force attacks are rare. 64 bits is adequate for applications where the attacker does not have direct access to the password hash file. For situations when the attacker might obtain the direct access to the password hash or the password is used as an encryption key, 80 to 128 bits should be used. If you specify an invalid number of entropy bits, pwmake will use the default of bits.
To create a password of 128 bits, run the following command:
pwmake 128
While there are different approaches to creating a secure password, always avoid the following bad practices:
Using a single dictionary word, a word in a foreign language, an inverted word, or only numbers.
Using less than 10 characters for a password or passphrase.
Using a sequence of keys from the keyboard layout.
Writing down your passwords.
Using personal information in a password, such as birth dates, anniversaries, family member names, or pet names.
Using the same passphrase or password on multiple machines.
While creating secure passwords is imperative, managing them properly is also important, especially for system administrators within larger organizations. The following section details good practices for creating and managing user passwords within an organization.
When users are asked to create or change passwords, they can use the passwd command-line utility, which is PAM-aware (Pluggable Authentication Modules) and checks to see if the password is too short or otherwise easy to crack. This checking is performed by the pam_pwquality.so PAM module.
Note
In Red Hat Enterprise Linux 7, the pam_pwquality PAM module replaced pam_cracklib, which was used in Red Hat Enterprise Linux 6 as a default module for password quality checking. It uses the same back end as pam_cracklib.
The pam_pwquality module is used to check a password's strength against a set of rules. Its procedure consists of two steps: first it checks if the provided password is found in a dictionary. If not, it continues with a number of additional checks. pam_pwquality is stacked alongside other PAM modules in the password component of the /etc/pam.d/passwd file, and the custom set of rules is specified in the /etc/security/pwquality.conf configuration file. For a complete list of these checks, see the pwquality.conf(8) manual page.
password    required    pam_pwquality.so retry=3
Options for the checks are specified one per line. For example, to require a password with a minimum length of 8 characters, including all four classes of characters, add the following lines to the /etc/security/pwquality.conf file:
minlen = 8
minclass = 4
To set a password strength-check for character sequences and same consecutive characters, add the following lines to /etc/security/pwquality.conf:
maxsequence = 3
maxrepeat = 3
In this example, the password entered cannot contain more than 3 characters in a monotonic sequence, such as abcd, and more than 3 identical consecutive characters, such as 1111.
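As an added example (not libpwquality's own code), this Python model applies the four pwquality.conf settings above (minlen, minclass, maxsequence, maxrepeat) to a candidate password, so the abcd/1111 rules can be tried on real inputs; the function names are assumptions, and the dictionary check that pam_pwquality runs first is left out.

```python
"""Model of the pwquality.conf rules discussed above: minlen, minclass,
maxsequence and maxrepeat. Added example, not libpwquality's code; the
dictionary lookup that pam_pwquality performs first is not modelled."""


def char_classes(password):
    """Count how many of the four classes (upper, lower, digit, other) appear."""
    classes = 0
    classes += any(c.isupper() for c in password)
    classes += any(c.islower() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)
    return classes


def longest_repeat(password):
    """Length of the longest run of identical consecutive characters ('1111' -> 4)."""
    best = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


def longest_sequence(password):
    """Length of the longest monotonic run, e.g. 'abcd' or '4321' (step +1 or -1)."""
    if not password:
        return 0
    best = 1
    for step in (1, -1):
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            best = max(best, run)
    return best


def check_password(password, minlen=8, minclass=4, maxsequence=3, maxrepeat=3):
    """Return the names of the rules the password violates (empty list = accepted).

    Defaults mirror the pwquality.conf lines shown above. As in pwquality,
    a maxsequence or maxrepeat value of 0 disables that check.
    """
    violations = []
    if len(password) < minlen:
        violations.append("minlen")
    if char_classes(password) < minclass:
        violations.append("minclass")
    if maxsequence and longest_sequence(password) > maxsequence:
        violations.append("maxsequence")
    if maxrepeat and longest_repeat(password) > maxrepeat:
        violations.append("maxrepeat")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates: the first trips three rules, the second passes.
    for candidate in ("abcd1111", "Gh7#pqLm"):
        print(candidate, check_password(candidate) or "accepted")
```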
Note
As the root user is the one who enforces the rules for password creation, they can set any password for themselves or for a regular user, despite the warning messages.
Important
In Red Hat Enterprise Linux 7, shadow passwords are enabled by default. For more information, see the Red Hat Enterprise Linux 7 System Administrator's Guide.
The -M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command:
chage -M 90 username
In the above command, replace username with the name of the user. To disable password expiration, use the value of -1 after the -M option.
For more information on the options available with the chage command, see the table below.
Table 4.1. chage command line options
Option      Description
-d days     Sets the date of the last password change, given as days since January 1, 1970 (or as YYYY-MM-DD).
-E date     Sets the date on which the account expires and is locked, as YYYY-MM-DD (or as days since January 1, 1970).
-I days     Sets the number of inactive days after the password expires before the account is locked.
-l          Lists the current account aging settings.
-m days     Sets the minimum number of days between password changes.
-M days     Sets the maximum number of days for which the password is valid.
-W days     Sets the number of days before password expiration on which the user is warned.
You can also use the chage command in interactive mode to modify multiple password aging and account details. Use the following command to enter interactive mode:
chage <username>
The following is a sample interactive session using this command:
~]# chage juan
Changing the aging information for juan
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 90
Last Password Change (YYYY-MM-DD) [2006-08-18]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
You can configure a password to expire the first time a user logs in. This forces users to change passwords immediately.
1. Set up an initial password. To assign a default password, run the following command at a shell prompt as root:
passwd username
Warning
The passwd utility has the option to set a null password. Using a null password, while convenient, is a highly insecure practice, as any third party can log in and access the system using the insecure username. Avoid using null passwords wherever possible. If it is not possible, always make sure that the user is ready to log in before unlocking an account with a null password.
2. Force immediate password expiration by running the following command as root:
chage -d 0 username
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
Upon the initial log in, the user is now prompted for a new password.
Note
The order of lines in the failed attempt log files is important. Any change in this order can lock all user accounts, including the root user account when the even_deny_root option is used.
Follow these steps to configure account locking:
1. To lock out any non-root user after three unsuccessful attempts and unlock that user after 10 minutes, add two lines to the auth section of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. After your edits, the entire auth section in both files should look like this:
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
2. Add the following line to the account section of both files:
account     required      pam_faillock.so
3. To apply account locking for the root user as well, add the even_deny_root option to the pam_faillock entries in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600
account     required      pam_faillock.so
When user john attempts to log in for the fourth time after failing to log in three times previously, his account is locked upon the fourth attempt:
[yruseva@localhost ~]$ su - john
Account locked due to 3 failed logins
su: incorrect password
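As an added example (not pam_faillock's code), this Python model plays through the deny=3, unlock_time=600 and even_deny_root policy configured above, including the john scenario just shown; the class and method names are assumptions, the tally is kept in memory rather than in /var/run/faillock, and fail_interval (pam_faillock's counting window, default 900 seconds) is included as an assumption.

```python
"""Simplified model of the pam_faillock policy configured above
(deny=3, unlock_time=600, optional even_deny_root). Added example, not
pam_faillock's own code: the per-user tally lives in memory instead of
/var/run/faillock, PAM stacking is ignored, and fail_interval (the window
within which failures are counted, default 900 s) is an assumption."""
import time


class FailLock:
    def __init__(self, deny=3, unlock_time=600, fail_interval=900,
                 even_deny_root=False):
        self.deny = deny
        self.unlock_time = unlock_time
        self.fail_interval = fail_interval
        self.even_deny_root = even_deny_root
        self._failures = {}          # user -> timestamps of recent failures

    def _counts(self, user):
        """root is exempt from locking unless even_deny_root is set."""
        return user != "root" or self.even_deny_root

    def _recent(self, user, now):
        """Failures still inside the fail_interval window."""
        return [t for t in self._failures.get(user, []) if now - t < self.fail_interval]

    def is_locked(self, user, now=None):
        """preauth phase: locked when deny recent failures exist and unlock_time
        has not elapsed since the last of them."""
        now = time.time() if now is None else now
        if not self._counts(user):
            return False
        recent = self._recent(user, now)
        if len(recent) < self.deny:
            return False
        return now - recent[-1] < self.unlock_time

    def attempt(self, user, password_ok, now=None):
        """One login attempt; returns 'locked', 'ok' or 'denied'.

        A locked account is rejected even with the right password (the
        "Account locked due to N failed logins" case). Simplification: attempts
        made while locked are not added to the tally.
        """
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)   # account phase clears the tally
            return "ok"
        self._failures[user] = self._recent(user, now) + [now]   # authfail phase
        return "denied"

    def failure_count(self, user, now=None):
        now = time.time() if now is None else now
        return len(self._recent(user, now))


if __name__ == "__main__":
    # Constructed replay of the john scenario: three wrong passwords, then a correct one.
    lock = FailLock(deny=3, unlock_time=600)
    t0 = 1_000_000
    for i in range(3):
        print("john", lock.attempt("john", False, t0 + i))
    print("john", lock.attempt("john", True, t0 + 3))       # locked
    print("john", lock.attempt("john", True, t0 + 2 + 600))  # ok again
```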
To prevent the system from locking users out even after multiple failed logins, add the following line just above the line where pam_faillock is called for the first time in both /etc/pam.d/system-auth and /etc/pam.d/password-auth. Also replace user1, user2, and user3 with the actual user names.
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        include       system-auth-ac
auth        [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600

account     required      pam_faillock.so
account     include       system-auth-ac

password    include       system-auth-ac

session     include       system-auth-ac
~]# vi /etc/pam.d/password-auth-local
The /etc/pam.d/password-auth-local file should contain the following lines:
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        include       password-auth-ac
auth        [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600

account     required      pam_faillock.so
account     include       password-auth-ac

password    include       password-auth-ac
session     include       password-auth-ac
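The lockout policy configured above (deny=3, unlock_time=600, the optional even_deny_root flag and the per-user exception) is easy to misjudge, in particular that the unlock timer runs from the last failure and that a correct password is still rejected while the tally is at the limit. The following model of that behaviour is an added illustration, not code from the Security Guide or from the pam_faillock module; it assumes the semantics documented in pam_faillock(8) (failures are counted inside a fail_interval window, default 900 seconds; a successful login clears the tally; root is exempt unless even_deny_root is set) and simplifies one point: an attempt rejected because the account is already locked is not added to the tally.

```python
"""Model of the pam_faillock policy configured above (deny=3,
unlock_time=600, optional even_deny_root, per-user exceptions).

Added illustration, not code from the Red Hat Security Guide or from
pam_faillock itself. Semantics assumed from pam_faillock(8): a failure
counts only if it happened within fail_interval seconds (default 900)
of the current attempt; once the tally reaches deny, the preauth check
rejects the user regardless of the password until unlock_time seconds
have passed since the LAST failure; a successful login clears the
tally; root is exempt unless even_deny_root is set. A rejected-while-
locked attempt is not added to the tally in this model.
"""


class FaillockPolicy:
    def __init__(self, deny=3, unlock_time=600, fail_interval=900,
                 even_deny_root=False, exempt=()):
        self.deny = deny
        self.unlock_time = unlock_time
        self.fail_interval = fail_interval
        self.even_deny_root = even_deny_root
        self.exempt = set(exempt)      # users named in the pam_succeed_if exception line
        self.failures = {}             # user -> timestamps of recent failures

    def is_exempt(self, user):
        """Users the policy never locks: the exception list, and root by default."""
        return user in self.exempt or (user == 'root' and not self.even_deny_root)

    def recent_failures(self, user, now):
        """Failures still inside the fail_interval window."""
        return [t for t in self.failures.get(user, []) if now - t < self.fail_interval]

    def is_locked(self, user, now):
        """The preauth check: tally reached deny and the unlock timer has not expired."""
        if self.is_exempt(user):
            return False
        recent = self.recent_failures(user, now)
        return len(recent) >= self.deny and now - recent[-1] < self.unlock_time

    def attempt(self, user, password_ok, now):
        """Process one login attempt at time `now` (seconds).

        Returns 'locked', 'ok' or 'fail'.
        """
        if self.is_locked(user, now):
            return 'locked'
        if password_ok:
            self.failures[user] = []   # success clears the tally
            return 'ok'
        if not self.is_exempt(user):
            self.failures[user] = self.recent_failures(user, now) + [now]
        return 'fail'


if __name__ == '__main__':
    policy = FaillockPolicy(deny=3, unlock_time=600)
    for t in (0, 10, 20):
        print(t, policy.attempt('john', False, t))   # fail, fail, fail
    print(30, policy.attempt('john', True, 30))      # locked: right password, still rejected
    print(620, policy.attempt('john', True, 620))    # ok: 600 s after the last failure
```

Running the script reproduces the john scenario from the text: three failures, a rejected fourth attempt even with the correct password, and an unlock 600 seconds after the third failure.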
Note
The main advantage of locking the screen instead of logging out is that a lock allows
the user's processes (such as file transfers) to continue running. Logging out would
stop these processes.
Important
There are several known issues relevant to the version of vlock currently available
for Red Hat Enterprise Linux 7:
The program does not currently allow unlocking consoles using the root
password. Additional information can be found in BZ#895066.
Locking a console does not clear the screen and scrollback buffer, allowing
anyone with physical access to the workstation to view previously issued
commands and any output displayed in the console. See BZ#807369 for more
information.
2011 /bin/su
Note
The s may be upper case or lower case. If it appears as upper case, it means that
the underlying permission bit has not been set.
For the system administrator of an organization, however, choices must be made as to
how much administrative access users within the organization should have to their
machines. Through a PAM module called pam_console.so, some activities normally
reserved only for the root user, such as rebooting and mounting removable media, are
allowed for the first user that logs in at the physical console. However, other important
system administration tasks, such as altering network settings, configuring a new mouse,
or mounting network devices, are not possible without administrative privileges. As a
result, system administrators must decide how much access the users on their network
should receive.
[Table residue: only the program names from the Effects / Does Not Affect columns of the root-access methods table survived extraction: login, gdm, kdm, xdm, su, ssh, scp, sftp, sudo, FTP clients, Email clients]
Warning
A blank /etc/securetty file does not prevent the root user from logging
in remotely using the OpenSSH suite of tools because the console is not
opened until after authentication.
[Table residue, Effects / Does Not Affect columns: login, gdm, kdm, xdm, other network services that open a tty, su, sudo, ssh, scp, sftp]
[Table residue, Does Not Affect column: ssh, scp, sftp]
[Table residue, Effects / Does Not Affect columns: login, gdm, kdm, xdm, ssh, scp, sftp, FTP clients, Email clients, any PAM aware services]
Rather than completely denying access to the root user, the administrator may want to
allow access only via setuid programs, such as su or sudo. For more information on su and
sudo, see the Gaining Privileges chapter in Red Hat Enterprise Linux 7 System
Administrator's Guide, and the su(1) and sudo(8) man pages.
Warning
Protecting access to single user mode with a password by editing the SINGLE
parameter in the /etc/sysconfig/init file is not recommended. An attacker
can bypass the password by specifying a custom initial command (using the
init= parameter) on the kernel command line in GRUB 2. It is recommended
to password-protect the GRUB 2 boot loader, as described in the GRUB 2
Password Protection chapter in Red Hat Enterprise Linux 7 System
Administrator's Guide.
2. Preventing Access to the GRUB 2 Console
If the machine uses GRUB 2 as its boot loader, an attacker can use the GRUB 2 editor
interface to change its configuration or to gather information using the cat command.
3. Preventing Access to Insecure Operating Systems
If it is a dual-boot system, an attacker can select an operating system at boot time, for
example DOS, which ignores access controls and file permissions.
Red Hat Enterprise Linux 7 ships with the GRUB 2 boot loader on the Intel 64 and AMD64
platform. For a detailed look at GRUB 2, see the Working With the GRUB 2 Boot Loader
chapter in Red Hat Enterprise Linux 7 System Administrator's Guide.
Note
Note that in order to override the default system settings, the new configuration file
needs to have the .conf extension, and it needs to be read after the default
system file (the files are read in lexicographic order, therefore settings contained in
a file with a higher number at the beginning of the file name take precedence).
See the sysctl.d(5) manual page for more detailed information about the configuration of
kernel parameters at boot using the sysctl mechanism.
Note
The threat of buffer overflow vulnerabilities is mitigated in Red Hat
Enterprise Linux 7 by ExecShield, an executable memory segmentation and
protection technology supported by x86-compatible uni- and multi-processor kernels.
ExecShield reduces the risk of buffer overflow by separating virtual memory into
executable and non-executable segments. Any program code that tries to execute
outside of the executable segment (such as malicious code injected from a buffer
overflow exploit) triggers a segmentation fault and terminates.
ExecShield also includes support for No eXecute (NX) technology on AMD64
platforms and Intel 64 systems. These technologies work in conjunction with
ExecShield to prevent malicious code from running in the executable portion of
virtual memory with a granularity of 4KB of executable code, lowering the risk of
attack from buffer overflow exploits.
Important
To limit exposure to attacks over the network, all services that are unused should
be turned off.
Note
Securing rpcbind only affects NFSv2 and NFSv3 implementations, since NFSv4 no
longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then rpcbind
is required, and the following section applies.
If running RPC services, follow these basic rules.
Further, use only IP addresses when limiting access to the service. Avoid using
hostnames, as they can be forged by DNS poisoning and other methods.
Note
Add --permanent to the firewalld rich language commands to make the settings
permanent. See Section 4.5, Using Firewalls for more information about
implementing firewalls.
Note
If Kerberos is used, the /etc/shadow file is not stored within a NIS map.
To make access to NIS maps harder for an attacker, create a random string for the DNS
hostname, such as o7hfawtgmhwg.domain.com. Similarly, create a different randomized
NIS domain name. This makes it much more difficult for an attacker to access the NIS
server.
192.168.0.0
Warning
Never start a NIS server for the first time without creating the /var/yp/securenets
file.
This technique does not provide protection from an IP spoofing attack, but it does at least
place limits on what networks the NIS server services.
~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="834-835" protocol="tcp" accept'
~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="834-835" protocol="udp" accept'
This means that the server only allows connections to ports 834 and 835 if the requests
come from the 192.168.0.0/24 network. The first rule is for TCP and the second for UDP.
Note
See Section 4.5, Using Firewalls for more information about implementing firewalls
with iptables commands.
Important
NFS traffic can be sent using TCP in all versions, it should be used with NFSv3,
rather than UDP, and is required when using NFSv4. All versions of NFS support
Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module.
Information on rpcbind is still included, since Red Hat Enterprise Linux 7 supports
NFSv3 which utilizes rpcbind.
The use of the mount command in the /etc/fstab file is explained in the Using the mount
Command chapter of the Red Hat Enterprise Linux 7 Storage Administration Guide. From a
security administration point of view it is worthwhile to note that the NFS mount options
can also be specified in /etc/nfsmount.conf, which can be used to set custom default
options.
4.3.7.2.1. Review the NFS Server
Warning
Only export entire file systems. Exporting a subdirectory of a file system can be a
security issue. It is possible in some cases for a client to "break out" of the
exported part of the file system and get to unexported parts (see the section on
subtree checking in the exports(5) man page).
Use the ro option to export the file system as read-only whenever possible to reduce the
number of users able to write to the mounted file system. Only use the rw option when
specifically required. See the man exports(5) page for more information. Allowing write
access increases the risk from symlink attacks for example. This includes temporary
directories such as /tmp and /usr/tmp.
Where directories must be mounted with the rw option avoid making them world-writable
whenever possible to reduce risk. Exporting home directories is also viewed as a risk as
some applications store passwords in clear text or weakly encrypted. This risk is being
reduced as application code is reviewed and improved. Some users do not set passwords
on their SSH keys so this too means home directories present a risk. Enforcing the use of
passwords or using Kerberos would mitigate that risk.
Restrict exports only to clients that need access. Use the showmount -e command on an
NFS server to review what the server is exporting. Do not export anything that is not
specifically required.
Do not use the no_root_squash option and review existing installations to make sure it is
not used. See Section 4.3.7.4, Do Not Use the no_root_squash Option for more
information.
The secure option is the server-side export option used to restrict exports to reserved
ports. By default, the server allows client communication only from reserved ports (ports
numbered less than 1024), because traditionally clients have only allowed trusted code
(such as in-kernel NFS clients) to use those ports. However, on many networks it is not
difficult for anyone to become root on some client, so it is rarely safe for the server to
assume that communication from a reserved port is privileged. Therefore the restriction
to reserved ports is of limited value; it is better to rely on Kerberos, firewalls, and
restriction of exports to particular clients.
Most clients still do use reserved ports when possible. However, reserved ports are a
limited resource, so clients (especially those with a large number of NFS mounts) may
choose to use higher-numbered ports as well. Linux clients may do this using the
noresvport mount option. If you want to allow this on an export, you may do so with the
insecure export option.
It is good practice not to allow users to log in to a server. While reviewing the above
settings on an NFS server conduct a review of who and what can access the server.
4.3.7.2.2. Review the NFS Client
Use the nosuid option to disallow the use of a setuid program. The nosuid option
disables the set-user-identifier or set-group-identifier bits. This prevents remote
users from gaining higher privileges by running a setuid program. Use this option on the
client and the server side.
The noexec option disables all executable files on the client. Use this to prevent users
from inadvertently executing files placed in the file system being shared. The nosuid and
noexec options are standard options for most, if not all, file systems.
Use the nodev option to prevent device-files from being processed as a hardware
device by the client.
The resvport option is a client-side mount option and secure is the corresponding
server-side export option (see explanation above). It restricts communication to a
"reserved port". The reserved or "well known" ports are reserved for privileged users
and processes such as the root user. Setting this option causes the client to use a
reserved source port to communicate with the server.
All versions of NFS now support mounting with Kerberos authentication. The mount option
to enable this is: sec=krb5.
NFSv4 supports mounting with Kerberos using krb5i for integrity and krb5p for privacy
protection. These are used when mounting with sec=krb5, but need to be configured on
the NFS server. See the man page on exports (man 5 exports) for more information.
The NFS man page (man 5 nfs) has a SECURITY CONSIDERATIONS section which explains
the security enhancements in NFSv4 and contains all the NFS specific mount options.
bob.example.com(rw)
The following line in the /etc/exports file, on the other hand, shares the same directory
to the host bob.example.com with read-only permissions and shares it to the world with
read/write permissions due to a single space character after the hostname.
/tmp/nfs/ bob.example.com (rw)
It is good practice to check any configured NFS shares by using the showmount command
to verify what is being shared:
showmount -e <hostname>
If no_root_squash is used, remote root users are able to change any file on the shared
file system and leave applications infected by Trojans for other users to inadvertently
execute.
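The export review above (Review the NFS Server), the single-space mistake in /etc/exports and the warning about no_root_squash all come down to reading each client entry on an export line correctly. The following linter is an added example, not code from the Security Guide or from nfs-utils; it applies the exports(5) line format (a path followed by host(options) entries, where an options group with no host in front of it applies to every client) and assumes the server defaults ro, root_squash and secure for an entry without options. The sample /etc/exports content is constructed.

```python
"""Lint /etc/exports for the risky settings discussed above: exports that
reach every client, rw where ro would do, no_root_squash, insecure, and
exported home directories.

Added example, not code from the Red Hat Security Guide or from nfs-utils.
It follows the exports(5) line format: an export path followed by
whitespace-separated client entries of the form host(options). A client
with no parenthesised options gets the server defaults (assumed here:
ro, root_squash, secure), and an options group with no host in front of
it applies to every client, which is exactly how the stray space in
"bob.example.com (rw)" turns into a world-writable export.
"""
import re

# Constructed sample /etc/exports, not taken from any real system.
SAMPLE_EXPORTS = """\
# whole file system, one client, read-only, root squashed: no findings
/export/data   bob.example.com(ro,sync)
# the single-space mistake: bob gets the defaults, the world gets rw
/tmp/nfs/      bob.example.com (rw)
# home directories, writable, with no_root_squash and insecure
/home          192.168.0.0/24(rw,no_root_squash,insecure)
# read-only but exported to everyone
/srv/public    *(ro)
"""

CLIENT_RE = re.compile(r'([^()]*)(?:\((.*)\))?')


def parse_exports(text):
    """Return [(path, [(host, set_of_options), ...]), ...] for each export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        clients = []
        for token in fields[1:]:
            match = CLIENT_RE.fullmatch(token)
            if match is None:
                raise ValueError(f'malformed client entry: {token!r}')
            host, opts = match.groups()
            options = {o for o in (opts or '').split(',') if o}
            clients.append((host or '*', options))   # empty host means everyone
        exports.append((fields[0], clients))
    return exports


def lint_exports(text):
    """Return (path, host, code) findings; an empty list means nothing to report."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            findings.append((path, '*', 'WORLD'))
        for host, options in clients:
            writable = 'rw' in options
            if host == '*':
                findings.append((path, host, 'WORLD_RW' if writable else 'WORLD'))
            elif writable:
                findings.append((path, host, 'RW'))
            if 'no_root_squash' in options:
                findings.append((path, host, 'NO_ROOT_SQUASH'))
            if 'insecure' in options:
                findings.append((path, host, 'INSECURE'))
            if path.rstrip('/') == '/home' or path.startswith('/home/'):
                findings.append((path, host, 'HOME'))
    return findings


if __name__ == '__main__':
    for path, host, code in lint_exports(SAMPLE_EXPORTS):
        print(f'{code:15} {path} -> {host}')
```

On the sample the /tmp/nfs/ line yields a WORLD_RW finding for host "*" while bob.example.com itself gets nothing, which is the read-only-for-bob, read/write-for-everyone outcome the text describes; comparing the linter's output with showmount -e on the server confirms what is actually exported.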
This directive is enabled by default, but may not be desirable. To prevent visitors
from browsing files on the server, remove this directive.
UserDir
The UserDir directive is disabled by default because it can confirm the presence
of a user account on the system. To enable user directory browsing on the
server, use the following directives:
UserDir enabled
UserDir disabled root
These directives activate user directory browsing for all user directories other
than /root/. To add users to the list of disabled accounts, add a space-delimited
list of users on the UserDir disabled line.
ServerTokens
The ServerTokens directive controls the server response header field which is
sent back to clients. It includes various information which can be customized using
the following parameters:
ServerTokens Full (default option) provides all available information (OS
type and used modules), for example:
Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens Prod or ServerTokens ProductOnly provides the following
information:
Apache
ServerTokens Major provides the following information:
Apache/2
ServerTokens Minor provides the following information:
Apache/2.0
ServerTokens Min or ServerTokens Minimal provides the following
information:
Apache/2.0.41
ServerTokens OS provides the following information:
Apache/2.0.41 (Unix)
It is recommended to use the ServerTokens Prod option so that a possible
attacker does not gain any valuable information about your system.
Important
Do not remove the IncludesNoExec directive. By default, the Server-Side Includes
(SSI) module cannot execute commands. It is recommended that you do not change
this setting unless absolutely necessary, as it could, potentially, enable an attacker
to execute commands on the system.
Removing httpd Modules
In certain scenarios, it is beneficial to remove certain httpd modules to limit the
functionality of the HTTP Server. To do so, simply comment out the entire line which loads
the module you want to remove in the /etc/httpd/conf/httpd.conf file. For example, to
remove the proxy module, comment out the following line by prepending it with a hash
sign:
#LoadModule proxy_module modules/mod_proxy.so
Note that the /etc/httpd/conf.d/ directory contains configuration files which are used to
load modules as well.
httpd and SELinux
For information, see The Apache HTTP Server and SELinux chapter from the Red Hat
Enterprise Linux 7 SELinux User's and Administrator's Guide.
4.3.9. Securing FTP
The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a
network. Because all transactions with the server, including user authentication, are
unencrypted, it is considered an insecure protocol and should be carefully configured.
Red Hat Enterprise Linux 7 provides two FTP servers:
Red Hat Content Accelerator (tux) A kernel-space Web server with FTP
capabilities.
vsftpd A standalone, security oriented implementation of the FTP service.
The following security guidelines are for setting up the vsftpd FTP service.
Note
It is not necessary to begin each line of the file with 220 as specified in
Section 4.4.1, Securing Services With TCP Wrappers and xinetd.
To reference this greeting banner file for vsftpd, add the following directive to the
/etc/vsftpd/vsftpd.conf file:
banner_file=/etc/banners/ftp.msg
It also is possible to send additional banners to incoming connections using TCP Wrappers
as described in Section 4.4.1.1, TCP Wrappers and Connection Banners.
Warning
If enabling anonymous access to an FTP server, be aware of where sensitive data is
stored.
value of the directives which are already there or you can add the directives you need
with the value you want in the following format:
<directive> = <value>
The following is a list of directives that can be used for limiting a denial of service attack:
smtpd_client_connection_rate_limit The maximum number of connection
attempts any client is allowed to make to this service per time unit (described below).
The default value is 0, which means a client can make as many connections per time
unit as Postfix can accept. By default, clients in trusted networks are excluded.
anvil_rate_time_unit This time unit is used for rate limit calculations. The default
value is 60 seconds.
smtpd_client_event_limit_exceptions Clients that are excluded from the
connection and rate limit commands. By default, clients in trusted networks are
excluded.
smtpd_client_message_rate_limit The maximum number of message deliveries
a client is allowed to request per time unit (regardless of whether or not Postfix
actually accepts those messages).
default_process_limit The default maximum number of Postfix child processes
that provide a given service. This limit can be overruled for specific services in the
master.cf file. By default the value is 100.
queue_minfree The minimum amount of free space in bytes in the queue file
system that is needed to receive mail. This is currently used by the Postfix SMTP
server to decide if it will accept any mail at all. By default, the Postfix SMTP server
rejects MAIL FROM commands when the amount of free space is less than 1.5 times
the message_size_limit. To specify a higher minimum free space limit, specify a
queue_minfree value that is at least 1.5 times the message_size_limit. By default the
queue_minfree value is 0.
header_size_limit The maximum amount of memory in bytes for storing a
message header. If a header is larger, the excess is discarded. By default the value is
102400.
message_size_limit The maximum size in bytes of a message, including envelope
information. By default the value is 10240000.
Note
With NFSv4 using Kerberos, this is not the case, since the SECRPC_GSS kernel
module does not utilize UID-based authentication. However, it is still considered
good practice not to put the mail spool directory on NFS shared volumes.
To help prevent local user exploits on the Postfix server, it is best for mail users to only
access the Postfix server using an email program. Shell accounts on the mail server
should not be allowed and all user shells in the /etc/passwd file should be set to
/sbin/nologin (with the possible exception of the root user).
    group = postfix
  }
}
The above example assumes the use of UNIX-domain sockets for communication
between Postfix and Dovecot. It also assumes default settings of the Postfix
SMTP server, which include the mail queue located in the /var/spool/postfix/
directory, and the application running under the postfix user and group. In this
way, read and write permissions are limited to the postfix user and group.
Alternatively, you can use the following configuration to set up Dovecot to listen
for Postfix authentication requests via TCP:
service auth {
  inet_listener {
    port = 12345
  }
}
In the above example, replace 12345 with the number of the port you want to use.
2. Edit the /etc/dovecot/conf.d/10-auth.conf configuration file to instruct
Dovecot to provide the Postfix SMTP server with the plain and login
authentication mechanisms:
auth_mechanisms = plain login
Setting Up Postfix
In the case of Postfix, only the main configuration file, /etc/postfix/main.cf, needs to
be modified. Add or edit the following configuration directives:
1. Enable SMTP Authentication in the Postfix SMTP server:
smtpd_sasl_auth_enable = yes
2. Instruct Postfix to use the Dovecot SASL implementation for SMTP Authentication:
smtpd_sasl_type = dovecot
3. Provide the authentication path relative to the Postfix queue directory (note that
the use of a relative path ensures that the configuration works regardless of
whether the Postfix server runs in a chroot or not):
smtpd_sasl_path = private/auth
This step assumes that you want to use UNIX-domain sockets for communication
between Postfix and Dovecot. To configure Postfix to look for Dovecot on a
different machine in case you use TCP sockets for communication, use configuration
values similar to the following:
smtpd_sasl_path = inet:127.0.0.1:12345
Important
This section draws attention to the most common ways of securing an SSH setup. By
no means should this list of suggested measures be considered exhaustive or
definitive. See sshd_config(5) for a description of all configuration directives
available for modifying the behavior of the sshd daemon and to ssh(1) for an
explanation of basic SSH concepts.
Protocol Version
Even though the implementation of the SSH protocol supplied with Red Hat
Enterprise Linux 7 supports both the SSH-1 and SSH-2 versions of the protocol, only the
latter should be used whenever possible. The SSH-2 version contains a number of
improvements over the older SSH-1, and the majority of advanced configuration options are
only available when using SSH-2.
Users are encouraged to make use of SSH-2 in order to maximize the extent to which the
SSH protocol protects the authentication and communication for which it is used. The
version or versions of the protocol supported by the sshd daemon can be specified using
the Protocol configuration directive in the /etc/ssh/sshd_config file. The default
setting is 2.
Key Types
While the ssh-keygen command generates a pair of SSH-2 RSA keys by default, using the
-t option, it can be instructed to generate DSA or ECDSA keys as well. The ECDSA (Elliptic
Curve Digital Signature Algorithm) offers better performance at the same equivalent
symmetric key length. It also generates shorter keys.
Non-Default Port
By default, the sshd daemon listens on TCP port 22. Changing the port reduces the
exposure of the system to attacks based on automated network scanning, thus increasing
security through obscurity. The port can be specified using the Port directive in the
/etc/ssh/sshd_config configuration file. Note also that the default SELinux policy must
be changed to allow for the use of a non-default port. You can do this by modifying the
ssh_port_t SELinux type by typing the following command as root:
~]# semanage port -a -t ssh_port_t -p tcp port_number
In the above command, replace port_number with the new port number specified using the
Port directive.
No Root Login
Provided that your particular use case does not require the possibility of logging in as the
root user, you should consider setting the PermitRootLogin configuration directive to no
in the /etc/ssh/sshd_config file. By disabling the possibility of logging in as the root
user, the administrator can audit which user runs what privileged command after they log
in as regular users and then gain root rights.
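The three directives discussed above (Protocol, Port, PermitRootLogin) are easy to check, but sshd_config has a property that defeats naive hardening: for every keyword the first value in the file wins, so a "PermitRootLogin no" appended at the end of a file that already says "PermitRootLogin yes" changes nothing. The following checker is an added example, not code from the Security Guide or from OpenSSH; it applies the parsing rules in sshd_config(5) (case-insensitive keywords, "#" comments, "keyword value" or "keyword=value", first value wins, a Match block ends the global section). The defaults it assumes when a keyword is absent are Protocol 2 and Port 22 as stated above, and PermitRootLogin yes, an assumption for older OpenSSH releases. The sample configuration is constructed.

```python
"""Check the global section of an sshd_config for the three settings
discussed above: Protocol, Port and PermitRootLogin.

Added example, not code from the Red Hat Security Guide or from OpenSSH.
Parsing rules assumed from sshd_config(5): keywords are case-insensitive,
'#' starts a comment, 'keyword value' and 'keyword=value' are both
accepted, and for each keyword the FIRST value in the file wins, so a
hardening line appended after an earlier 'PermitRootLogin yes' changes
nothing. A Match block ends the global section. Defaults assumed when a
keyword is absent: Protocol 2 and Port 22 (as the text states) and
PermitRootLogin yes (assumption for older OpenSSH releases).
"""
import re

# Constructed sample, not a real system's configuration.
SAMPLE_SSHD_CONFIG = """\
# global section
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes

# appended later by an administrator: has no effect, the first value wins
PermitRootLogin no

Match User backup
    PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
Protocol 2
Port = 2222
PermitRootLogin no
"""


def parse_global(text):
    """Return {keyword.lower(): first value} for the global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if keyword == 'match':
            break                          # per-criteria settings are out of scope here
        settings.setdefault(keyword, value)   # first occurrence wins
    return settings


def audit_sshd(text):
    """Return a list of (keyword, effective_value, advice) findings."""
    cfg = parse_global(text)
    findings = []
    protocol = cfg.get('protocol', '2')
    if '1' in [v.strip() for v in protocol.split(',')]:
        findings.append(('protocol', protocol, 'SSH-1 is enabled; set Protocol 2'))
    port = cfg.get('port', '22')
    if port == '22':
        findings.append(('port', port, 'default port; a non-default Port reduces scanner noise'))
    root_login = cfg.get('permitrootlogin', 'yes')
    if root_login != 'no':
        findings.append(('permitrootlogin', root_login, 'set PermitRootLogin no and use su or sudo'))
    return findings


if __name__ == '__main__':
    for keyword, value, advice in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f'{keyword}={value}: {advice}')
```

On the sample file the checker reports all three settings, and it reports PermitRootLogin as "yes" even though a "no" appears later in the file; the hardened sample produces no findings. Remember the SELinux step from the text when you actually move the port.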
all all trust
This can be problematic when you use layered applications that create database users
and no local users. If you do not want to explicitly control all user names on the system,
remove this line from the pg_hba.conf file.
This example implements a banner for vsftpd. To begin, create a banner file. It can be
anywhere on the system, but it must have the same name as the daemon. For this example,
the file is called /etc/banners/vsftpd and contains the following lines:
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
The %c token supplies a variety of client information, such as the username and
hostname, or the username and IP address to make the connection even more
intimidating.
For this banner to be displayed to incoming connections, add the following line to the
/etc/hosts.allow file:
vsftpd : ALL : banners /etc/banners/
Note
Because the spawn directive executes any shell command, it is a good idea to
create a special script to notify the administrator or execute a chain of commands in
the event that a particular client attempts to connect to the server.
You can use the -l option of the netstat command to display only listening server
sockets:
~]# netstat -tlnw
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.124.1:53        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:111                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
raw6       0      0 :::58                   :::*                    7
Note that at time of writing, the -l option does not list SCTP servers.
You can also use the ss utility for listing open ports in the listening state. But at time of
writing, this way also does not list SCTP servers.
~]# ss -tlw
Netid State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port
udp   UNCONN     0      0                     :::ipv6-icmp              :::*
tcp   LISTEN     0      128                   *:sunrpc                  *:*
tcp   LISTEN     0      5         192.168.124.1:domain                  *:*
tcp   LISTEN     0      128                   *:ssh                     *:*
tcp   LISTEN     0      128           127.0.0.1:ipp                     *:*
tcp   LISTEN     0      100           127.0.0.1:smtp                    *:*
tcp   LISTEN     0      128                 ::1:sunrpc                 :::*
tcp   LISTEN     0      128                  :::ssh                    :::*
tcp   LISTEN     0      128                 ::1:ipp                    :::*
tcp   LISTEN     0      100                 ::1:smtp                   :::*
Review the output of the command with the services needed on the system, turn off what
is not specifically required or authorized, repeat the check. Proceed then to make external
checks using the nmap tool from another system connected via the network to the first
system. This can be used to verify the rules in firewalld.
The following is an example of the command to be issued from the console of another
system to determine which ports are listening for TCP connections from the network:
~]# nmap -sT -O 192.168.122.1
See the nmap(1) and services(5) manual pages for more information.
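The review step described above is mostly about separating sockets bound to loopback (127.0.0.1, ::1) from sockets a remote host can reach (0.0.0.0, ::, or a specific interface address). The following classifier is an added example, not code from the Security Guide, netstat or ss; the two samples are constructed copies of the netstat -tlnw and ss -tlw listings shown above, and the column layout it assumes is the one those listings show (netstat: Proto Recv-Q Send-Q Local Foreign State; ss: Netid State Recv-Q Send-Q Local Peer), telling the two tools apart by whether the second column is numeric.

```python
"""Classify listening sockets from netstat -tlnw or ss -tlw output by
whether they are reachable from the network or bound to loopback only.

Added example, not code from the Red Hat Security Guide, netstat or ss.
The samples below are constructed to match the listings shown above.
Column layout assumed: netstat prints
'Proto Recv-Q Send-Q Local Foreign State', ss prints
'Netid State Recv-Q Send-Q Local Peer'; the two are told apart by the
second column, which is numeric only for netstat.
"""

NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.124.1:53        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:111                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
raw6       0      0 :::58                   :::*                    7
"""

SS_SAMPLE = """\
Netid State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port
udp   UNCONN     0      0                     :::ipv6-icmp              :::*
tcp   LISTEN     0      128                   *:sunrpc                  *:*
tcp   LISTEN     0      5         192.168.124.1:domain                  *:*
tcp   LISTEN     0      128                   *:ssh                     *:*
tcp   LISTEN     0      128           127.0.0.1:ipp                     *:*
tcp   LISTEN     0      100           127.0.0.1:smtp                    *:*
tcp   LISTEN     0      128                 ::1:sunrpc                 :::*
tcp   LISTEN     0      128                  :::ssh                    :::*
tcp   LISTEN     0      128                 ::1:ipp                    :::*
tcp   LISTEN     0      100                 ::1:smtp                   :::*
"""

PROTOCOLS = {'tcp', 'tcp6', 'udp', 'udp6', 'raw', 'raw6'}


def split_address(local):
    """'192.168.124.1:53' -> ('192.168.124.1', '53'); ':::22' -> ('::', '22')."""
    host, _, port = local.rpartition(':')
    return host, port


def scope(host):
    """'loopback', 'all' (every interface) or 'interface' (one address)."""
    if host in ('127.0.0.1', '::1') or host.startswith('127.'):
        return 'loopback'
    if host in ('0.0.0.0', '::', '*', ''):
        return 'all'
    return 'interface'


def parse_listeners(text):
    """Return (proto, host, port, scope) for each socket line of either tool."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PROTOCOLS:
            continue
        local = fields[3] if fields[1].isdigit() else fields[4]   # netstat vs ss layout
        host, port = split_address(local)
        listeners.append((fields[0], host, port, scope(host)))
    return listeners


def network_reachable(text):
    """Sockets a remote host could connect to, i.e. everything not bound to loopback."""
    return [entry for entry in parse_listeners(text) if entry[3] != 'loopback']


if __name__ == '__main__':
    for proto, host, port, sc in network_reachable(NETSTAT_SAMPLE):
        print(f'{proto:5} {host}:{port} ({sc})')
```

For the listing above this leaves five network-reachable sockets (rpcbind and sshd on all addresses, the DNS listener on 192.168.124.1, and the raw ICMPv6 socket), which is the set to compare against the nmap scan from the second system; anything nmap sees that is not on this list is a firewall or forwarding question, not a local service.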
Warning
Ethernet networks provide additional ways to redirect traffic, such as ARP or MAC
address spoofing, unauthorized DHCP servers, and IPv6 router or neighbor
advertisements. In addition, unicast traffic is occasionally broadcast, causing
information leaks. These weaknesses can only be addressed by specific
countermeasures implemented by the network operator. Host-based
countermeasures are not fully effective.
but most hosts should not need to do this. Exceptions are such applications that involve
sending traffic out over one link and receiving traffic over another link from a different
service provider. For example, using leased lines in combination with xDSL or satellite
links with 3G modems. If such a scenario is applicable to you, then turning off reverse path
forwarding on the incoming interface is necessary. In short, unless you know that it is
required, it is best enabled as it prevents users spoofing IP addresses from local
subnets and reduces the opportunity for DDoS attacks.
Note
Red Hat Enterprise Linux 7 defaults to using Strict Reverse Path Forwarding following
the Strict Reverse Path recommendation from RFC 3704, Ingress Filtering for
Multihomed Networks.
Warning
If forwarding is enabled, then Reverse Path Forwarding should only be disabled if
there are other means for source-address validation (such as iptables rules for
example).
rp_filter
Reverse Path Forwarding is enabled by means of the rp_filter directive. The
sysctl utility can be used to make changes to the running system, and
permanent changes can be made by adding lines to the /etc/sysctl.conf file.
The rp_filter option is used to direct the kernel to select from one of three
modes.
To make a temporary global change, enter the following commands as root:
sysctl -w net.ipv4.conf.default.rp_filter=integer
sysctl -w net.ipv4.conf.all.rp_filter=integer
where integer is one of the following:
0 No source validation.
1 Strict mode as defined in RFC 3704.
2 Loose mode as defined in RFC 3704.
The setting can be overridden per network interface using the
net.ipv4.conf.interface.rp_filter command as follows:
sysctl -w net.ipv4.conf.interface.rp_filter=integer
To make these settings persistent across reboots, modify the /etc/sysctl.conf
file. For example, to change the mode for all interfaces, open the
/etc/sysctl.conf file with an editor running as the root user and add a line as
follows:
net.ipv4.conf.all.rp_filter=2
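Two things from this section and from the earlier note on sysctl.d precedence interact in practice: which of several configuration fragments actually sets rp_filter (lexicographic file-name order, later files overriding earlier ones), and how the all, default and per-interface values combine into the mode the kernel applies on a given interface. The following resolver is an added example, not code from the Security Guide, sysctl or systemd; it assumes the precedence rules of sysctl.d(5) (a same-named file in /etc/sysctl.d masks one in /usr/lib/sysctl.d; /etc/sysctl.conf applied last) and the combination rule from the kernel's ip-sysctl documentation (the larger of conf.all.rp_filter and the interface's own value, which is taken from conf.default.rp_filter when the interface is created). The fragments are constructed in memory rather than read from disk, and it flags the case the Warning above describes: forwarding enabled with an interface left at mode 0.

```python
"""Resolve the effective sysctl settings from a set of configuration
fragments, then report the Reverse Path Filtering mode per interface.

Added example, not code from the Red Hat Security Guide, sysctl or
systemd. Precedence assumed from sysctl.d(5): fragments are applied in
lexicographic order of their file name, later values overriding earlier
ones for the same key; a file in /etc/sysctl.d masks a file of the same
name in /run/sysctl.d or /usr/lib/sysctl.d; /etc/sysctl.conf is applied
last. Per-interface rule assumed from the kernel's ip-sysctl
documentation: the mode used on an interface is the larger of
conf.all.rp_filter and the interface's own value, which is copied from
conf.default.rp_filter when the interface is created. The fragments are
constructed in memory, not read from disk.
"""
import os

DIR_RANK = {'/usr/lib/sysctl.d': 0, '/run/sysctl.d': 1, '/etc/sysctl.d': 2}
MODES = {0: 'no source validation', 1: 'strict (RFC 3704)', 2: 'loose (RFC 3704)'}

# Constructed fragments: the vendor default, a forwarding host, a loose-mode
# exception for a satellite uplink, and a local file that switches filtering off.
SAMPLE_FRAGMENTS = {
    '/usr/lib/sysctl.d/50-default.conf':
        'net.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.all.rp_filter = 1\n',
    '/etc/sysctl.d/10-forwarding.conf': 'net.ipv4.ip_forward = 1\n',
    '/etc/sysctl.d/60-multihomed.conf':
        '# satellite uplink on eth1: loose mode\nnet.ipv4.conf.eth1.rp_filter = 2\n',
    '/etc/sysctl.d/99-local.conf':
        'net.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\n',
}


def parse_fragment(text):
    """'key = value' lines; '#' and ';' start comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        key, sep, value = line.partition('=')
        if sep:
            values[key.strip()] = value.strip()
    return values


def effective_sysctl(fragments):
    """fragments: {absolute path: contents}. Returns the merged {key: value}."""
    chosen = {}    # file name -> path in the highest-ranked directory (masking)
    for path in fragments:
        if path == '/etc/sysctl.conf':
            continue
        directory, name = os.path.split(path)
        current_rank = DIR_RANK.get(os.path.dirname(chosen[name]), -1) if name in chosen else -1
        if DIR_RANK.get(directory, -1) > current_rank:
            chosen[name] = path
    effective = {}
    for name in sorted(chosen):   # lexicographic order: 99-* overrides 50-*
        effective.update(parse_fragment(fragments[chosen[name]]))
    if '/etc/sysctl.conf' in fragments:
        effective.update(parse_fragment(fragments['/etc/sysctl.conf']))
    return effective


def rp_filter_modes(effective, interfaces):
    """Effective rp_filter mode (0, 1 or 2) per interface."""
    all_mode = int(effective.get('net.ipv4.conf.all.rp_filter', 0))
    default_mode = int(effective.get('net.ipv4.conf.default.rp_filter', 0))
    return {
        iface: max(all_mode, int(effective.get(f'net.ipv4.conf.{iface}.rp_filter', default_mode)))
        for iface in interfaces
    }


def unvalidated_forwarding_interfaces(effective, interfaces):
    """Interfaces with no source validation while IP forwarding is on."""
    if effective.get('net.ipv4.ip_forward', '0') != '1':
        return []
    return [iface for iface, mode in rp_filter_modes(effective, interfaces).items() if mode == 0]


if __name__ == '__main__':
    eff = effective_sysctl(SAMPLE_FRAGMENTS)
    for iface, mode in rp_filter_modes(eff, ['eth0', 'eth1']).items():
        print(f'{iface}: rp_filter={mode} ({MODES[mode]})')
    print('forwarding without source validation on:',
          unvalidated_forwarding_interfaces(eff, ['eth0', 'eth1']))
```

With the sample fragments, 99-local.conf wins over the vendor 50-default.conf, so eth0 ends up with no source validation while eth1 keeps its loose mode, and because 10-forwarding.conf turned forwarding on, eth0 is reported as the interface needing another means of source-address validation.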
68
IPv6_rpfilter
In the case of the IPv6 protocol, the firewalld daemon applies Reverse Path Forwarding by default. The setting can be checked in the /etc/firewalld/firewalld.conf file. You can change the firewalld behavior by setting the IPv6_rpfilter option.
If you need a custom configuration of Reverse Path Forwarding, you can perform it without the firewalld daemon by using the ip6tables command as follows:
ip6tables -t raw -I PREROUTING -m rpfilter --invert -j DROP
This rule should be inserted near the beginning of the raw/PREROUTING chain, so that it applies to all traffic, in particular before the stateful matching rules. For more information about the iptables and ip6tables services, see Section 4.5.4, Using the iptables Service.
Note
To expand your expertise, you might also be interested in the Red Hat Server Hardening (RH413) training course.
To use the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
The firewall-config tool has a drop-down selection menu labeled Configuration. This enables selecting between Runtime and Permanent mode. Notice that if you select Permanent, an additional row of icons will appear in the left hand corner. These icons only appear in permanent configuration mode because a service's parameters cannot be changed in runtime mode.
The firewall service provided by firewalld is dynamic rather than static because changes to the configuration can be made at any time and are immediately implemented; there is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded.
A command line client, firewall-cmd, is provided. It can be used to make permanent and non-permanent runtime changes as explained in man firewall-cmd(1). Permanent changes need to be made as explained in the firewalld(1) man page. Note that the firewall-cmd command can be run by the root user and also by an administrative user, in other words, a member of the wheel group. In the latter case the command will be authorized via the polkit mechanism.
The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. This allows a great deal of flexibility as the files can be edited, written to, backed up, used as templates for other installations and so on.
Other applications can communicate with firewalld using D-Bus.
4.5.1.1. Comparison of firewalld to system-config-firewall and iptables
The essential differences between firewalld and the iptables service are:
The iptables service stores configuration in /etc/sysconfig/iptables while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no re-creating of all the rules; only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
Both use the iptables tool to talk to the kernel packet filter.
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
Choosing a Network Zone
The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. However, a review of the default configuration settings should be made and unnecessary services disabled according to your needs and risk assessments.
of ports, may make administration easier. Service configuration options and generic file information are described in the firewalld.service(5) man page. The services are specified by means of individual XML configuration files which are named in the following format: service-name.xml.
To view the list of services using the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password. You can now view the list of services under the Services tab.
To list the default predefined services available using the command line, issue the following command as root:
~]# ls /usr/lib/firewalld/services/
Files in /usr/lib/firewalld/services/ must not be edited. Only the files in /etc/firewalld/services/ should be edited.
To list the system or user created services, issue the following command as root:
~]# ls /etc/firewalld/services/
Services can be added and removed using the graphical firewall-config tool and by editing the XML files in /etc/firewalld/services/. If a service has not been added or changed by the user, then no corresponding XML file will be found in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service. As root, issue a command in the following format:
~]# cp /usr/lib/firewalld/services/[service].xml /etc/firewalld/services/[service].xml
You may then edit the newly created file. firewalld will prefer files in /etc/firewalld/services/ but will fall back to /usr/lib/firewalld/services/ should a file be deleted, but only after a reload.
In Red Hat Enterprise Linux 7, firewalld is installed by default. If required, to ensure that it is, enter the following command as root:
~]# yum install firewalld
The graphical user interface configuration tool firewall-config is installed by default in some versions of Red Hat Enterprise Linux 7. If required, to ensure that it is, enter the following command as root:
~]# yum install firewall-config
Stopping firewalld
To stop firewalld, enter the following command as root:
~]# systemctl stop firewalld
To prevent firewalld from starting automatically at system start, issue the following command as root:
~]# systemctl disable firewalld
4.5.3.1. Configuring firewalld Using The Graphical User Interface
4.5.3.1.1. Start The graphical firewall configuration tool
To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
To start the graphical firewall configuration tool using the command line, enter the following command as root user:
~]# firewall-config
The Firewall Configuration window opens. Note, this command can be run as a normal user but you will then be prompted for an administrator password from time to time.
Look for the word Connected in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld. Note that the ICMP Types, Direct Configuration, and Lockdown Whitelist tabs are only visible after being selected from the View drop-down menu.
4.5.3.1.2. Changing the Firewall Settings
To immediately change the current firewall settings, ensure the current view is set to Runtime. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent from the drop-down list.
Note
When making changes to the firewall settings in Runtime mode, your selection takes immediate effect when you set or clear the check box associated with the service. You should keep this in mind when working on a system that may be in use by other users.
When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts. You can use the reload icon below the File menu, or click the Options menu and select Reload Firewall.
You can select zones in the left hand side column. You will notice the zones have some services enabled; you may need to resize the window or scroll to see the full list. You can customize the settings by selecting and deselecting a service.
4.5.3.1.3. Add an Interface to a Zone
To add or reassign an interface of a connection to a zone, start firewall-config, select Options from the menu bar, and select Change Zones of Connections from the drop-down menu; the Connections list is displayed. Select the connection to be reassigned. The Select Zone for Connection window appears. Select the new firewall zone from the drop-down menu and click OK.
4.5.3.1.4. Set the Default Zone
To set the default zone that new interfaces will be assigned to, start firewall-config, select Options from the menu bar, and select Change Default Zone from the drop-down menu. The Default Zone window appears. Select the zone from the list that you want to be used as the default zone and click OK.
4.5.3.1.5. Configuring Services
To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.
To edit a service, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons and menu buttons appear at the bottom of the Services window. Select the service you want to configure.
The Ports and Protocols tab enables adding, changing, and removing of ports and protocols for the selected service. The Modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).
4.5.3.1.6. Open Ports in the Firewall
To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and then click the Add button on the right hand side. The Port and Protocol window opens. Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.
4.5.3.1.7. Enable IP Address Masquerading
To translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address.
4.5.3.1.8. Configure Port Forwarding
To forward inbound network traffic, or packets, for a specific port to an internal address or alternative port, first enable IP address masquerading, then select the Port Forwarding tab.
Select the protocol of the incoming traffic and the port or range of ports in the upper section of the window. The lower section is for setting details about the destination.
To forward traffic to a local port (a port on the same system), select the Local forwarding check box. Enter the local port or range of ports for the traffic to be sent to.
To forward traffic to another IPv4 address, select the Forward to another port check box. Enter the destination IP address and port or port range. The default is to send to the same port if the port field is left empty. Click OK to apply the changes.
4.5.3.1.9. Configuring the ICMP Filter
To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To edit an ICMP type, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons appear at the bottom of the Services window.
Note
In order to make a command permanent or persistent, add the --permanent option to all commands apart from the --direct commands (which are by their nature temporary). Note that this not only means the change will be permanent but that the change will only take effect after a firewall reload, service restart, or system reboot. Settings made with firewall-cmd without the --permanent option take effect immediately, but are only valid till the next firewall reload, system boot, or firewalld service restart. Reloading the firewall does not in itself break connections, but be aware you are discarding temporary changes by doing so.
In order to make a command both persistent and take effect immediately, enter the command twice, once with the --permanent option and once without. This is because a firewall reload takes more time than just repeating a command, because it has to reload all configuration files and recreate the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload.
Important
The --permanent --add-interface option is supposed to be used only for interfaces that are not managed by the NetworkManager utility. This is because NetworkManager, or the legacy network service, adds interfaces into zones automatically according to the ZONE= directive in the ifcfg interface configuration file. See the Red Hat Enterprise Linux 7 Networking Guide for information on NetworkManager and working with ifcfg files.
4.5.3.3. View the Firewall Settings Using the Command Line Interface (CLI)
To get a text display of the state of firewalld, enter the following command:
~]$ firewall-cmd --state
To view the list of active zones, with a list of the interfaces currently assigned to them, enter the following command:
~]$ firewall-cmd --get-active-zones
public
interfaces: em1
To find out the zone that an interface, for example em1, is currently assigned to, enter the following command:
4.5.3.4. Change the Firewall Settings Using the Command Line Interface (CLI)
4.5.3.4.1. Drop All Packets (Panic Mode)
To start dropping all incoming and outgoing packets, enter the following command as root:
~]# firewall-cmd --panic-on
All incoming and outgoing packets will be dropped. Active connections will be terminated after a period of inactivity; the time taken depends on the individual session timeout values.
To start passing incoming and outgoing packets again, enter the following command as root:
~]# firewall-cmd --panic-off
After disabling panic mode, established connections might work again if panic mode was enabled for a short period of time.
To find out if panic mode is enabled or disabled, enter the following command:
~]$ firewall-cmd --query-panic
Prints yes with exit status 0 if enabled and no with exit status 1 otherwise.
4.5.3.4.2. Reload the Firewall Using the Command Line Interface (CLI)
To reload the firewall without interrupting user connections (without losing state information), enter the following command as root:
~]# firewall-cmd --reload
A firewall reload involves reloading all configuration files and recreating the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload.
To reload the firewall and interrupt user connections, discarding state information, enter the following command as root:
~]# firewall-cmd --complete-reload
This command should normally only be used in case of severe firewall problems. For example, if there are state information problems and no connection can be established but the firewall rules are correct.
4.5.3.4.3. Add an Interface to a Zone Using the Command Line Interface (CLI)
To add an interface to a zone (for example, to add em1 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-interface=em1
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.4. Add an Interface to a Zone by Editing the Interface Configuration File
To add an interface to a zone by editing the ifcfg-em1 configuration file (for example, to add em1 to the work zone), add the following line to ifcfg-em1 as root:
ZONE=work
Note that if you omit the ZONE option, or use ZONE=, or ZONE='', then the default zone will be used.
NetworkManager will automatically reconnect and the zone will be set accordingly.
4.5.3.4.5. Configure the Default Zone by Editing the firewalld Configuration File
As root, open /etc/firewalld/firewalld.conf and edit the file as follows:
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Reload the firewall by entering the following command as root:
~]# firewall-cmd --reload
This will reload the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
4.5.3.4.6. Set the Default Zone by Using the Command Line Interface (CLI)
To set the default zone (to public, for example), enter the following command as root:
~]# firewall-cmd --set-default-zone=public
This change will take immediate effect and in this case it is not necessary to reload the firewall.
4.5.3.4.7. Open Ports in the Firewall Using the Command Line Interface (CLI)
To list all open ports for a zone (dmz, for example), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-ports
Note that this will not show ports opened as a result of the --add-services command.
To add a port to a zone (for example, to allow TCP traffic to port 8080 to the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this setting persistent, repeat the command adding the --permanent option.
To add a range of ports to a zone (for example, to allow the ports from 5060 to 5061 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.8. Add a Service to a Zone Using the Command Line Interface (CLI)
To add a service to a zone (for example, to allow SMTP to the work zone), enter the following command as root:
public.xml
trusted.xml
work.xml
These files must not be edited. They are used by default if no equivalent file exists in the /etc/firewalld/zones/ directory.
To view the zone files that have been changed from the default, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml public.xml public.xml.old
In the example shown above, the work zone file does not exist. To add the work zone file, enter the following command as root:
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now edit the file in the /etc/firewalld/zones/ directory. If you delete the file, firewalld will fall back to using the default file in /usr/lib/firewalld/zones/.
To add a service to a zone (for example, to allow SMTP to the work zone), add the following line to the /etc/firewalld/zones/work.xml file as root:
<service name="smtp"/>
4.5.3.4.11. Remove a Service from a Zone by Editing XML files
An editor running with root privileges is required to edit the XML zone files. To view the files for previously configured zones, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml public.xml work.xml
To remove a service from a zone (for example, to remove SMTP from the work zone), use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file and remove the following line:
<service name="smtp"/>
If no other changes have been made to the work.xml file, it can be removed and firewalld will use the default /usr/lib/firewalld/zones/work.xml configuration file after the next reload or system boot.
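The same copy-then-edit pattern applies to the service files in /etc/firewalld/services/ and to the zone files above. As an added example (not part of this guide and not firewalld code), the following Python script performs the add and remove edits on a zone file programmatically and answers the question the last paragraph raises: whether the /etc copy still enables exactly what the /usr/lib template does, so that it can be deleted and firewalld will fall back to the template. The template text is a constructed stand-in for /usr/lib/firewalld/zones/work.xml that follows the firewalld.zone(5) layout (a zone root holding service elements); only the structure is claimed, not the real file's contents.

```python
"""Programmatic edits of firewalld zone XML (added example, not firewalld code).

The zone layout (a <zone> root holding <service name="..."/> children) follows
the firewalld.zone(5) format; the template below is constructed and is not the
real /usr/lib/firewalld/zones/work.xml.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for /usr/lib/firewalld/zones/work.xml.
WORK_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""


def list_services(zone_xml):
    """Return the service names enabled in a zone file, in file order."""
    root = ET.fromstring(zone_xml)
    return [el.get("name") for el in root.findall("service")]


def add_service(zone_xml, name):
    """Return the zone XML with <service name="NAME"/> appended, without duplicates."""
    root = ET.fromstring(zone_xml)
    if any(el.get("name") == name for el in root.findall("service")):
        return zone_xml
    ET.SubElement(root, "service", name=name)
    return ET.tostring(root, encoding="unicode")


def remove_service(zone_xml, name):
    """Return the zone XML with every <service name="NAME"/> element removed."""
    root = ET.fromstring(zone_xml)
    for el in root.findall("service"):
        if el.get("name") == name:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


def _effective_config(zone_xml):
    """Order- and whitespace-insensitive view of what a zone file enables.

    <short> and <description> are documentation only and are ignored; every
    other child (service, port, masquerade, ...) and the root attributes
    (for example target) count.
    """
    root = ET.fromstring(zone_xml)
    items = set()
    for el in root:
        if el.tag in ("short", "description"):
            continue
        items.add((el.tag, tuple(sorted(el.attrib.items())), (el.text or "").strip()))
    return (tuple(sorted(root.attrib.items())), frozenset(items))


def is_same_as_template(edited_xml, template_xml):
    """True when the /etc copy enables exactly what the /usr/lib template does,
    meaning it can be deleted and firewalld will fall back after the next reload."""
    return _effective_config(edited_xml) == _effective_config(template_xml)


if __name__ == "__main__":
    edited = add_service(WORK_TEMPLATE, "smtp")
    print(list_services(edited))
    print("can drop /etc copy:", is_same_as_template(edited, WORK_TEMPLATE))
    reverted = remove_service(edited, "smtp")
    print("can drop /etc copy:", is_same_as_template(reverted, WORK_TEMPLATE))
```

The comparison deliberately ignores element order and the human-readable short and description elements, because neither affects which traffic the zone accepts; a leftover /etc copy that differs only in those respects is still a candidate for deletion. Remember that, as the text says, firewalld only notices a deleted file after a reload.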
4.5.3.4.12. Configure IP Address Masquerading
To check if IP masquerading is enabled (for the external zone, for example), enter the following command as root:
~]# firewall-cmd --zone=external --query-masquerade
The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.
To enable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
To disable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --remove-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.13. Configure Port Forwarding Using the Command Line Interface (CLI)
To forward inbound network packets from one port to an alternative port or address, first enable IP address masquerading for a zone (external, for example), by entering the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To forward packets to a local port (a port on the same system), enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
In this example, the packets intended for port 22 are now forwarded to port 3753. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new local port (the port or range of ports to which the traffic is being forwarded) is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.
To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to the same port at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port (the port or range of ports to which the traffic is being forwarded) is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.
To forward packets to another port at another IPv4 address, usually an internal address, enter the following command as root:
~]# firewall-cmd --zone=external \
--add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port (the port or range of ports to which the traffic is being forwarded) is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.
4.5.3.6.1. Adding a Custom Rule Using the Direct Interface
To add a custom rule to the IN_public_allow chain, issue the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.
4.5.3.6.2. Removing a Custom Rule Using the Direct Interface
To remove a custom rule from the IN_public_allow chain, issue the following command as root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.
4.5.3.6.3. Listing Custom Rules Using the Direct Interface
To list the rules in the IN_public_allow chain, issue the following command as root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means.
To remove a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will remove a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used.
To check if a rule is present:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will return whether a rich language rule rule has been added for the zone zone. The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If the zone is omitted, the default zone is used.
For information about the rich language representation used in the zone configuration files, see the firewalld.zone(5) man page.
4.5.3.7.2. Understanding the Rich Rule Structure
The format or structure of the rich rule commands is as follows:
rule [family="rule family"]
    [ source address="address" [invert="True"] ]
    [ destination address="address" [invert="True"] ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]
A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.
4.5.3.7.3. Understanding the Rich Rule Command Options
family
If the rule family is provided, either ipv4 or ipv6, it limits the rule to IPv4 or IPv6 respectively. If the rule family is not provided, the rule is added for both IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.
Source and Destination Addresses
source
By specifying the source address, the origin of a connection attempt can be limited to the source address. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4 or IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding invert="true" or invert="yes"; all but the supplied address will match.
destination
By specifying the destination address, the target can be limited to the destination address. The destination address uses the same syntax as the source address. The use of source and destination addresses is optional, and the use of a destination address is not possible with all elements. This depends on the use of destination addresses, for example in service entries.
Elements
The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block and forward-port.
service
The service element is one of the firewalld provided services. To get a list of the predefined services, issue the following command:
~]$ firewall-cmd --get-services
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:
service name=service_name
port
The port element can either be a single port number or a port range, for example, 5060-5062, followed by the protocol, either as tcp or udp. The command takes the following form:
port port=number_or_range protocol=protocol
protocol
The protocol value can be either a protocol ID number or a protocol name. For allowed protocol entries, see /etc/protocols. The command takes the following form:
protocol value=protocol_name_or_ID
icmp-block
Use this command to block one or more ICMP types. The ICMP type is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, issue the following command:
~]$ firewall-cmd --get-icmptypes
Specifying an action is not allowed here. icmp-block uses the action reject internally. The command takes the following form:
icmp-block name=icmptype_name
87
Se c ur it y Guide
masquerade
Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.
forward-port
Forward packets from a local port with protocol specified as tcp or udp to either another port locally, to another machine, or to another port on another machine. The port and to-port can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. The forward-port command uses the action accept internally. The command takes the following form:
forward-port port=number_or_range protocol=protocol /
to-port=number_or_range to-addr=address
Logging
log
Log new connection attempts to the rule with kernel logging, for example in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of emerg, alert, crit, error, warning, notice, info or debug. The use of log is optional. It is possible to limit logging as follows:
log [prefix=prefix text] [level=log level] limit value=rate/duration
The rate is a natural positive number [1, ..], the duration one of s, m, h, d. s means seconds, m minutes, h hours and d days. The maximum limit value is 1/d which means at maximum one log entry per day.
audit
Audit provides an alternative way for logging using audit records sent to the service auditd. The audit type can be one of ACCEPT, REJECT or DROP but it is not specified after the command audit as the audit type will be automatically gathered from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.
Action
accept|reject|drop
An action can be one of accept, reject or drop. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.
accept | reject [type=reject type] | drop
With accept all new connection attempts will be granted. With reject they will be rejected and their source will get a reject message. The reject type can be set to use another value. With drop all packets will be dropped immediately and no information is sent to the source.
4.5.3.7.4. Using the Rich Rule Log Command
Logging can be done with the Netfilter log target and also with the audit target. A new chain is added to all zones with a name in the format zone_log, where zone is the zone name. This is processed before the deny chain in order to have proper ordering. The rules or parts of them are placed in separate chains, according to the action of the rule, as follows:
zone_log
zone_deny
zone_allow
All logging rules will be placed in the zone_log chain, which will be parsed first. All reject and drop rules will be placed in the zone_deny chain, which will be parsed after the log chain. All accept rules will be placed in the zone_allow chain, which will be parsed after the deny chain. If a rule contains log and also deny or allow actions, the parts of the rule that specify these actions are placed in the matching chains.
4.5.3.7.4.1. Using the Rich Rule Log Command Example 1
Enable new IPv4 and IPv6 connections for authentication header protocol AH:
rule protocol value="ah" accept
4.5.3.7.4.2. Using the Rich Rule Log Command Example 2
Allow new IPv4 and IPv6 connections for protocol FTP and log 1 per minute using audit:
rule service name="ftp" log limit value="1/m" audit accept
4.5.3.7.4.3. Using the Rich Rule Log Command Example 3
Allow new IPv4 connections from address 192.168.0.0/24 for protocol TFTP and log 1 per minute using syslog:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
4.5.3.7.4.4. Using the Rich Rule Log Command Example 4
New IPv6 connections from 1:2:3:4:6:: for protocol RADIUS are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
4.5.3.7.4.5. Using the Rich Rule Log Command Example 5
Forward IPv6 packets received from 1:2:3:4:6:: on port 4011 with protocol TCP to 1::2:3:4:7 on port 4012.
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
4.5.3.7.4.6. Using the Rich Rule Log Command Example 6
Whitelist a source address to allow all connections from this source.
rule family="ipv4" source address="192.168.2.2" accept
See the firewalld.richlanguage(5) man page for more examples.
Try to enable the imaps service again in the default zone by entering the following command as an administrative user. You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
This time the command succeeds.
4.5.3.8.2. Configure Lockdown with the Command Line Client
To query whether lockdown is enabled, enter the following command as root:
~]# firewall-cmd --query-lockdown
Prints yes with exit status 0, if lockdown is enabled, prints no with exit status 1 otherwise.
To enable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-on
To disable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-off
4.5.3.8.3. Configure Lockdown Whitelist Options with the Command Line
The lockdown whitelist can contain commands, security contexts, users and user IDs. If a command entry on the whitelist ends with an asterisk *, then all command lines starting with that command will match. If the * is not there then the absolute command including arguments must match.
The context is the security (SELinux) context of a running application or service. To get the context of a running application use the following command:
~]$ ps -e --context
That command returns all running applications. Pipe the output through the grep tool to get the application of interest. For example:
~]$ ps -e --context | grep example_program
To list all command lines that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-commands
To add a command command to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To remove a command command from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To query whether the command command is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all security contexts that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-contexts
To add a context context to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To remove a context context from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To query whether the context context is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-context=context
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user IDs that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-uids
To add a user ID uid to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To remove a user ID uid from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To query whether the user ID uid is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-uid=uid
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user names that are on the whitelist, enter the following command as root:
Note
In Red Hat Enterprise Linux 7, all utilities are now placed in /usr/bin/ and the /bin/ directory is sym-linked to the /usr/bin/ directory. In other words, although the path for firewall-cmd when run as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location but be aware that if scripts that run as root have been written to use the /bin/firewall-cmd path then that command path must be whitelisted in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
The * at the end of the name attribute of a command means that all commands that start with this string will match. If the * is not there then the absolute command including arguments must match.
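The whitelist matching rule just stated (a trailing * is a prefix match, anything else must equal the whole command line including arguments) and the /bin versus /usr/bin point from the note, worked through in shell. This is an added example, not code from the Red Hat guide or from firewalld; the whitelist contents are constructed for the demonstration, and whitelist_pair adds both paths as prefix entries, which is a choice made here rather than something the guide prescribes.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: model the lockdown whitelist
# matching rule described above, and generate the whitelist entries the note
# asks for when a command may run as root via /bin/ as well as /usr/bin/.
# The whitelist below is constructed for the demonstration; on a real system
# it comes from 'firewall-cmd --list-lockdown-whitelist-commands'.

WHITELIST='/usr/bin/python -Es /usr/bin/firewall-config
/usr/bin/firewall-cmd*
/bin/firewall-cmd*'

# whitelisted CMDLINE: 0 if some entry matches CMDLINE, 1 otherwise.
# An entry ending in '*' matches every command line that starts with the
# text before the '*'; any other entry must equal the full command line,
# arguments included.
whitelisted() {
    cmd=$1
    printf '%s\n' "$WHITELIST" | {
        while IFS= read -r entry; do
            case "$entry" in
                *\*) case "$cmd" in "${entry%\*}"*) exit 0 ;; esac ;;
                *)   [ "$cmd" = "$entry" ] && exit 0 ;;
            esac
        done
        exit 1
    }
}

# whitelist_pair COMMAND: print the two firewall-cmd invocations that add
# both the /usr/bin/ and the /bin/ path of COMMAND as prefix (*) entries.
whitelist_pair() {
    base=${1##*/}
    for dir in /usr/bin /bin; do
        printf "firewall-cmd --add-lockdown-whitelist-command='%s/%s*'\n" "$dir" "$base"
    done
}

# Demonstration
whitelisted '/usr/bin/firewall-cmd --list-all' && echo "firewall-cmd --list-all: allowed"
whitelisted '/usr/sbin/iptables -L' || echo "iptables -L: not on whitelist"
whitelist_pair /usr/bin/firewall-cmd
```

Note what the exact-match branch implies for the firewall-config entry: the same program invoked with any extra argument is not on the whitelist, which is why the text recommends the * form for commands that take arguments.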
The set-name is a suitable name chosen by the user, the type-name is the name of the data structure used to store the data comprising the set. The format of the type-name is as follows:
method:datatype[,datatype[,datatype]]
The allowed methods for storing data are:
bitmap | hash | list
The allowed data types are:
ip | net | mac | port | iface
When adding, deleting, or testing entries in a set, the same comma separated data syntax must be used for the data that makes up one entry, or element, in the set. For example:
ipset add set-name ipaddr,portnum,ipaddr
Note
A set cannot contain IPv4 and IPv6 addresses at the same time. When a set is created it is bound to a family, inet for IPv4 or inet6 for IPv6, and the default is inet.
The set types have the following optional parameters in common. They must be specified when the set is created in order for them to be used:
timeout The value given with the create command will be the default value for the set created. If a value is given with the add command, it will be the initial non-default value for the element.
counters If the option is given with the create command then packet and byte counters are created for every element in the set. If no value is given with the add command then the counters start from zero.
comment If the option is given with the create command then a quoted string of text can be passed with the add command to document the purpose of the element being added. Note that quotation marks are not allowed within the string, and escape characters will have no effect within IP set.
References: 0
Members:
192.168.124.0
192.168.125.0
bitmap:ip,mac
Stores an IPv4 address and a MAC address as a pair. It can store up to 65536 entries.
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value ] [counters] [comment]
lookup must be performed, unless you enter the IP address directly. These DNS lookups are done insecurely and are subject to man-in-the-middle attacks due to lack of authentication. In other words, a DNS client cannot have confidence that the replies that appear to come from a given DNS name server are authentic and have not been tampered with. More importantly, a recursive name server cannot be sure that the records it obtains from other name servers are genuine. The DNS protocol did not provide a mechanism for the client to ensure it was not subject to a man-in-the-middle attack. DNSSEC was introduced to address the lack of authentication and integrity checks when resolving domain names using DNS. It does not address the problem of confidentiality.
Publishing DNSSEC information involves digitally signing DNS resource records as well as distributing public keys in such a way as to enable DNS resolvers to build a hierarchical chain of trust. Digital signatures for all DNS resource records are generated and added to the zone as digital signature resource records (RRSIG). The public key of a zone is added as a DNSKEY resource record. To build the hierarchical chain, hashes of the DNSKEY are published in the parent zone as Delegation of Signing (DS) resource records. To facilitate proof of non-existence, the NextSECure (NSEC) and NSEC3 resource records are used. In a DNSSEC signed zone, each resource record set (RRset) has a corresponding RRSIG resource record. Note that records used for delegation to a child zone (NS and glue records) are not signed; these records appear in the child zone and are signed there.
Processing DNSSEC information is done by resolvers that are configured with the root zone public key. Using this key, resolvers can verify the signatures used in the root zone. For example, the root zone has signed the DS record for .com. The root zone also serves NS and glue records for the .com name servers. The resolver follows this delegation and queries for the DNSKEY record of .com using these delegated name servers. The hash of the DNSKEY record obtained should match the DS record in the root zone. If so, the resolver will trust the obtained DNSKEY for .com. In the .com zone, the RRSIG records are created by the .com DNSKEY. This process is repeated similarly for delegations within .com, such as redhat.com. Using this method, a validating DNS resolver only needs to be configured with one root key while it collects many DNSKEYs from around the world during its normal operation. If a cryptographic check fails, the resolver will return SERVFAIL to the application.
DNSSEC has been designed in such a way that it will be completely invisible to applications not supporting DNSSEC. If a non-DNSSEC application queries a DNSSEC capable resolver, it will receive the answer without any of these new resource record types such as RRSIG. However, the DNSSEC capable resolver will still perform all cryptographic checks, and will still return a SERVFAIL error to the application if it detects malicious DNS answers. DNSSEC protects the integrity of the data between DNS servers (authoritative and recursive), it does not provide security between the application and the resolver. Therefore, it is important that the applications are given a secure transport to their resolver. The easiest way to accomplish that is to run a DNSSEC capable resolver on localhost and use 127.0.0.1 in /etc/resolv.conf. Alternatively a VPN connection to a remote DNS server could be used.
flushed for all entries of the domain name received, so that queries for names within the domain name are fetched fresh from the internal name servers reached via the VPN. When the VPN tunnel is terminated, the unbound cache is flushed again to ensure any queries for the domain will return the public IP addresses, and not the previously obtained private IP addresses. See Section 4.6.11, Configuring DNSSEC Validation for Connection Supplied Domains.
The systemctl status command will report unbound as Active: inactive (dead) if the unbound service is not running.
;whitehouse.gov. IN A
;; ANSWER SECTION:
whitehouse.gov. 20 IN A 72.246.36.110
whitehouse.gov. 20 IN RRSIG A 7 2 20 20130825124016 20130822114016 8399
whitehouse.gov. BB8VHWEkIaKpaLprt3hq1GkjDROvkmjYTBxiGhuki/BJn3PoIGyrftxR
HH0377I0Lsybj/uZv5hL4UwWd/lw6Gn8GPikqhztAkgMxddMQ2IARP6p
wbMOKbSUuV6NGUT1WWwpbi+LelFMqQcAq3Se66iyH0Jem7HtgPEUE1Zc 3oI=
In addition to the A record, an RRSIG record is returned which contains the DNSSEC signature, as well as the inception time and expiration time of the signature. The unbound server indicated that the data was DNSSEC authenticated by returning the ad bit in the flags: section at the top.
If DNSSEC validation fails, the dig command would return a SERVFAIL error:
~]$ dig badsign-a.test.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> badsign-a.test.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN A
To request more information about the failure, DNSSEC checking can be disabled by specifying the +cd option to the dig command:
~]$ dig +cd +dnssec badsign-a.test.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> +cd +dnssec badsign-a.test.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26065
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN A
;; ANSWER SECTION:
badsign-a.test.dnssec-tools.org. 49 IN A 75.119.216.33
badsign-a.test.dnssec-tools.org. 49 IN RRSIG A 5 4 86400 20130919183720
20130820173720 19442 test.dnssec-tools.org.
E572dLKMvYB4cgTRyAHIKKEvdOP7tockQb7hXFNZKVbfXbZJOIDREJrr
zCgAfJ2hykfY0yJHAlnuQvM0s6xOnNBSvc2xLIybJdfTaN6kSR0YFdYZ
n2NpPctn2kUBn5UR1BJRin3Gqy20LZlZx2KD7cZBtieMsU/IunyhCSc0 kYw=
Often, DNSSEC mistakes manifest themselves by bad inception or expiration time, although in this example, the people at www.dnssec-tools.org have mangled this RRSIG signature on purpose, which we would not be able to detect by looking at this output manually. The error will show in the output of systemctl status unbound and the unbound daemon logs these errors to syslog as follows:
Aug 22 22:04:52 laptop unbound: [3065:0] info: validation failure badsign-a.test.dnssec-tools.org. A IN
An example using unbound-host:
~]$ unbound-host -C /etc/unbound/unbound.conf -v whitehouse.gov
whitehouse.gov has address 184.25.196.110 (secure)
whitehouse.gov has IPv6 address 2600:1417:11:2:8800::fc4 (secure)
whitehouse.gov has IPv6 address 2600:1417:11:2:8000::fc4 (secure)
whitehouse.gov mail is handled by 105 mail1.eop.gov. (secure)
whitehouse.gov mail is handled by 110 mail5.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail4.eop.gov. (secure)
whitehouse.gov mail is handled by 110 mail6.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail2.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail3.eop.gov. (secure)
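The manual reading of dig output described above (status and the ad flag in the header, the inception and expiration times in the RRSIG record), expressed as two shell functions that a monitoring script could run over dig output. This is an added example, not code from the Red Hat guide or from unbound; the two dig answers embedded below are constructed and abbreviated, with a placeholder signature, and the classification words (secure, bogus, insecure, unchecked) are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: classify a dig answer the way
# the text above reads it by hand, and check the RRSIG validity window, since
# bad inception or expiration times are a common DNSSEC mistake. The two dig
# outputs below are constructed and abbreviated for the demonstration (the
# signature is a placeholder, not real data).

SECURE_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 20 IN A 192.0.2.10
example.com. 20 IN RRSIG A 7 2 20 20130825124016 20130822114016 8399 example.com. PLACEHOLDERSIG='

BOGUS_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# dnssec_status: reads dig output on stdin and prints one word:
#   bogus     - SERVFAIL from a validating resolver (validation failed)
#   unchecked - the query was sent with +cd, so nothing was validated
#   secure    - NOERROR with the ad flag (authenticated data)
#   insecure  - NOERROR without ad (unsigned zone or non-validating resolver)
#   unknown   - no header line found
dnssec_status() {
    input=$(cat)
    status=$(printf '%s\n' "$input" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$input" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *" cd "*) echo unchecked ;;
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        '') echo unknown ;;
        *)  echo "$status" ;;
    esac
}

# rrsig_window [NOW]: reads dig output on stdin and prints valid, expired or
# not-yet-valid for the first RRSIG, judged against NOW given as
# YYYYMMDDhhmmss in UTC (defaults to the current time). In an RRSIG record
# the expiration time is field 9 and the inception time is field 10.
rrsig_window() {
    now=${1:-$(date -u +%Y%m%d%H%M%S)}
    set -- $(awk '$4 == "RRSIG" { print $9, $10; exit }')
    [ $# -eq 2 ] || { echo none; return 1; }
    if [ "$now" -gt "$1" ]; then
        echo expired
    elif [ "$now" -lt "$2" ]; then
        echo not-yet-valid
    else
        echo valid
    fi
}

# Demonstration with the constructed answers
printf '%s\n' "$SECURE_ANSWER" | dnssec_status                  # secure
printf '%s\n' "$BOGUS_ANSWER" | dnssec_status                   # bogus
printf '%s\n' "$SECURE_ANSWER" | rrsig_window 20130823000000    # valid
```

On a live system the input would be `dig +dnssec name | dnssec_status`; the +cd branch matters because, as the text shows, a +cd query returns NOERROR for the deliberately broken badsign-a record, so a check that only looks at the status line would wrongly report it as fine.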
4.6.10. Setting up Hotspot Detection Infrastructure for Dnssec-trigger
When connecting to a network, dnssec-trigger attempts to detect a Hotspot. A Hotspot is generally a device that forces user interaction with a web page before they can use the network resources. The detection is done by attempting to download a specific fixed web page with known content. If there is a Hotspot, then the content received will not be as expected.
To set up a fixed web page with known content that can be used by dnssec-trigger to detect a Hotspot, proceed as follows:
1. Set up a web server on some machine that is publicly reachable on the Internet. See the Web Servers chapter in the Red Hat Enterprise Linux 7 System Administrator's Guide.
2. Once you have the server running, publish a static page with known content on it. The page does not need to be a valid HTML page. For example, you could use a plain-text file named hotspot.txt that contains only the string OK. Assuming your server is located at example.com and you published your hotspot.txt file in the
Warning
Turning on the addition of Wi-Fi provided domains as forward zones into unbound may have security implications such as:
1. A Wi-Fi access point can intentionally provide you a domain via DHCP for which it does not have authority and route all your DNS queries to its DNS servers.
2. If you have the DNSSEC validation of forward zones turned off, the Wi-Fi provided DNS servers can spoof the IP address for domain names from the provided domain without you knowing it.
This document contains general information about the unbound DNS service.
http://www.nlnetlabs.nl/projects/dnssec-trigger/
This document contains general information about dnssec-trigger.
Important
IPsec, implemented by Libreswan, is the only VPN technology recommended for use in Red Hat Enterprise Linux 7. Do not use any other VPN technology without understanding the risks of doing so.
Raw RSA keys are commonly used for static host-to-host or subnet-to-subnet IPsec configurations. The hosts are manually configured with each other's public RSA key. This method does not scale well when dozens or more hosts all need to set up IPsec tunnels to each other.
X.509 certificates are commonly used for large scale deployments where there are many hosts that need to connect to a common IPsec gateway. A central certificate authority (CA) is used to sign RSA certificates for hosts or users. This central CA is responsible for relaying trust, including the revocations of individual hosts or users.
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
W2n417C/4urYHQkCvuIQ==
rightid=@east.example.com
right=192.1.2.45
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
# load and initiate automatically
auto=start
You can use the identical configuration file on both left and right hosts. They will auto-detect if they are left or right. If one of the hosts is a mobile host, which implies the IP address is not known in advance, then on the mobile host use %defaultroute as its IP address. This will pick up the dynamic IP address automatically. On the static host that accepts connections from incoming mobile hosts, specify the mobile host using %any for its IP address.
Ensure the leftrsasigkey value is obtained from the left host and the rightrsasigkey value is obtained from the right host.
Restart ipsec to ensure it reads the new configuration:
~]# systemctl restart ipsec
Issue the following command as root to load the IPsec tunnel:
~]# ipsec auto --add mytunnel
To bring up the tunnel, issue the following command as root, on the left or the right side:
~]# ipsec auto --up mytunnel
Note
The tcpdump command interacts a little unexpectedly with IPsec. It only sees the outgoing encrypted packet, not the outgoing plaintext packet. It does see the encrypted incoming packet, as well as the decrypted incoming packet. If possible, run tcpdump on a router between the two machines and not on one of the endpoints itself.
W2n417C/4urYHQkCvuIQ==
rightid=@east.example.com
right=192.1.2.45
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
To bring the tunnels up, restart Libreswan or manually load and initiate all the connections using the following commands as root:
~]# ipsec auto --add mysubnet
~]# ipsec auto --add mysubnet6
~]# ipsec auto --add mytunnel
~]# ipsec auto --up mysubnet
104 "mysubnet" #1: STATE_MAIN_I1: initiate
003 "mysubnet" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mysubnet" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mysubnet" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mysubnet" #1: received Vendor ID payload [CAN-IKEv2]
004 "mysubnet" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x9414a615 <0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
~]# ipsec auto --up mysubnet6
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x06fe2099 <0x75eaa862 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
~]# ipsec auto --up mytunnel
104 "mytunnel" #1: STATE_MAIN_I1: initiate
003 "mytunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #1: received Vendor ID payload [CAN-IKEv2]
004 "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mytunnel" #2: STATE_QUICK_I1: initiate
004 "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x9414a615 >0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
Verifying that packets are being sent via the VPN tunnel is the same procedure as explained in Section 4.7.3.1, Verify Host-To-Host VPN Using Libreswan.
right=10.11.12.13
rightid=@branch2
rightsubnet=10.0.2.0/24
rightrsasigkey=0sAYYYY[...]
#
auto=start
authby=rsasigkey
At the branch1 office, we use the same connection. Additionally, we use a pass-through connection to exclude our local LAN traffic from being sent through the tunnel:
conn branch1
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
right=10.11.12.13
rightid=@branch2
rightsubnet=10.0.1.0/24
rightrsasigkey=0sAYYYY[...]
#
auto=start
authby=rsasigkey
conn passthrough
left=1.2.3.4
right=0.0.0.0
leftsubnet=10.0.1.0/24
rightsubnet=10.0.1.0/24
authby=never
type=passthrough
auto=route
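A pre-flight check for conn sections like the host-to-host, subnet-to-subnet and branch examples above, run before the systemctl restart ipsec step: it pulls one conn out of ipsec.conf-style text, flags keywords outside a known list (a misspelling such as righsubnet would otherwise only surface when Libreswan rejects the file) and insists on both raw RSA keys when authby=rsasig is used. This is an added example, not code from the Red Hat guide or from Libreswan; the configuration text and key values are constructed for the demonstration, and KNOWN_KEYS is only the handful of keywords used here, not Libreswan's full vocabulary.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide or of Libreswan: a small checker
# for conn sections like the ones above, to run before 'systemctl restart
# ipsec'. It extracts one conn from ipsec.conf-style text, rejects keys that
# are not in a known list (which catches a misspelling such as 'righsubnet'),
# and requires both raw RSA keys when authby=rsasig is used. The configuration
# text and key values are constructed for the demonstration, and KNOWN_KEYS is
# only the subset of Libreswan keywords used here, not the full vocabulary.

KNOWN_KEYS='left leftid leftsubnet leftrsasigkey right rightid rightsubnet rightrsasigkey authby auto type'

SAMPLE_CONF='conn branch1
    left=1.2.3.4
    leftid=@headoffice
    leftsubnet=0.0.0.0/0
    leftrsasigkey=0sAQO_PLACEHOLDER_LEFT
    #
    right=10.11.12.13
    rightid=@branch2
    righsubnet=10.0.1.0/24
    rightrsasigkey=0sAQO_PLACEHOLDER_RIGHT
    auto=start
    authby=rsasig

conn passthrough
    left=1.2.3.4
    right=0.0.0.0
    leftsubnet=10.0.1.0/24
    rightsubnet=10.0.1.0/24
    authby=never
    type=passthrough
    auto=route'

# conn_block NAME: reads ipsec.conf text on stdin, prints the key=value lines
# of conn NAME with indentation, comments and blank lines removed.
conn_block() {
    awk -v want="$1" '
        /^conn /              { inconn = ($2 == want); next }
        inconn && /^[ \t]*#/  { next }
        inconn && /=/         { sub(/^[ \t]+/, ""); print }
    '
}

# lint_conn NAME: reads ipsec.conf text on stdin, prints one line per problem
# found in conn NAME and returns 1 if there was any, 0 if the conn is clean.
lint_conn() {
    block=$(conn_block "$1")
    [ -n "$block" ] || { echo "conn $1: not found"; return 1; }
    rc=0
    while IFS= read -r line; do
        key=${line%%=*}
        case " $KNOWN_KEYS " in
            *" $key "*) ;;
            *) echo "conn $1: unknown key '$key'"; rc=1 ;;
        esac
    done <<EOF
$block
EOF
    case "$block" in
        *authby=rsasig*)
            for k in leftrsasigkey rightrsasigkey; do
                case "$block" in
                    *"$k="*) ;;
                    *) echo "conn $1: authby=rsasig but $k is missing"; rc=1 ;;
                esac
            done ;;
    esac
    return $rc
}

# Demonstration: the misspelt key is reported, the passthrough conn is clean.
printf '%s\n' "$SAMPLE_CONF" | lint_conn branch1 || true
printf '%s\n' "$SAMPLE_CONF" | lint_conn passthrough && echo "conn passthrough: ok"
```

To use it against the real file, feed /etc/ipsec.conf (or the included file under /etc/ipsec.d/) to lint_conn with the conn name, and extend KNOWN_KEYS from the ipsec.conf(5) man page for the keywords your configuration actually uses.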
4.7.8. Road Warrior Application Using Libreswan and XAUTH with X.509
Libreswan offers a method to natively assign IP address and DNS information to roaming VPN clients as the connection is established by using the XAUTH IPsec extension. XAUTH can be deployed using PSK or X.509 certificates. Deploying using X.509 is more secure. Client certificates can be revoked by a certificate revocation list or by Online Certificate Status Protocol (OCSP). With X.509 certificates, individual clients cannot impersonate the server. With a PSK, also called Group Password, this is theoretically possible.
XAUTH requires the VPN client to additionally identify itself with a user name and password. For One time Passwords (OTP), such as Google Authenticator or RSA SecureID tokens, the one-time token is appended to the user password.
There are three possible backends for XAUTH:
xauthby=pam
This uses the configuration in /etc/pam.d/pluto to authenticate the user. Pam can be configured to use various backends by itself. It can use the system account user-password scheme, an LDAP directory, a RADIUS server or a custom password authentication module.
xauthby=file
This uses the configuration file /etc/ipsec.d/passwd (not to be confused with /etc/ipsec.d/nsspassword). The format of this file is similar to the Apache .htpasswd file and the Apache htpasswd command can be used to create entries in this file. However, after the user name and password, a third column is required with the connection name of the IPsec connection used, for example when using a conn remoteusers to offer VPN to remote users, a password file entry should look as follows:
user1:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.:remoteusers
NOTE: when using the htpasswd command, the connection name has to be manually added after the user:password part on each line.
xauthby=alwaysok
The server will always pretend the XAUTH user and password combination was correct. The client still has to specify a user name and a password, although the server ignores these. This should only be used when users are already identified by X.509 certificates, or when testing the VPN without needing an XAUTH backend.
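The xauthby=file entry format above, with the step the NOTE says htpasswd leaves out, done in shell: add_conn appends the connection name to htpasswd output, and passwd_ok rejects entries that do not have the three fields user:hash:conn. This is an added example, not code from the Red Hat guide or from Libreswan; the sample entry reuses the hash shown in the text, and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide or of Libreswan: helpers for the
# /etc/ipsec.d/passwd file used by xauthby=file. htpasswd writes user:hash
# lines only, so the connection name must be appended by hand; add_conn does
# that, and passwd_ok rejects lines that do not have exactly the three fields
# user:hash:conn. The sample entry reuses the hash shown in the text above.

SAMPLE_HTPASSWD='user1:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.'

# add_conn CONN: reads user:hash lines on stdin, prints user:hash:CONN lines.
add_conn() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s:%s\n' "$line" "$1"
    done
}

# passwd_ok: reads an ipsec.d/passwd file on stdin, prints each malformed
# line and returns 1 if there was any, 0 otherwise. Blank lines and comments
# are skipped; a field may not be empty.
passwd_ok() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        oldifs=$IFS; IFS=:; set -- $line; IFS=$oldifs
        if [ $# -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
            echo "bad entry: $line"
            rc=1
        fi
    done
    return $rc
}

# Demonstration
printf '%s\n' "$SAMPLE_HTPASSWD" | add_conn remoteusers
printf '%s\n' "$SAMPLE_HTPASSWD" | passwd_ok || echo "(connection name still missing)"
```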
An example configuration with X.509 certificates:
conn xauth-rsa
auto=add
authby=rsasig
pfs=no
rekey=no
left=ServerIP
leftcert=vpn.example.com
#leftid=%fromcert
leftid=vpn.example.com
leftsendcert=always
leftsubnet=0.0.0.0/0
rightaddresspool=10.234.123.2-10.234.123.254
right=%any
rightrsasigkey=%cert
modecfgdns1=1.2.3.4
modecfgdns2=8.8.8.8
modecfgdomain=example.com
modecfgbanner="Authorized Access is allowed"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=pam
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike_frag=yes
# for walled-garden on xauth failure
# xauthfail=soft
#leftupdown=/custom/_updown
When xauthfail is set to soft, instead of hard, authentication failures are ignored, and the VPN is set up as if the user authenticated properly. A custom updown script can be used to check for the environment variable XAUTH_FAILED. Such users can then be redirected, for example, using iptables DNAT, to a walled garden where they can contact the administrator or renew a paid subscription to the service.
VPN clients use the modecfgdomain value and the DNS entries to redirect queries for the specified domain to these specified name servers. This allows roaming users to access internal-only resources using the internal DNS names.
This will create an X.509 certificate called cert.csr encoded in the default privacy-enhanced electronic mail (PEM) format. The name PEM is derived from Privacy Enhancement for Internet Electronic Mail described in RFC 1424. To generate a certificate file in the alternative DER format, use the -outform DER command option.
After issuing the above command, you will be prompted for information about you and the organization in order to create a distinguished name (DN) for the certificate. You will need the following information:
The two letter country code for your country
The full name of your state or province
City or Town
The name of your organization
The name of the unit within your organization
Your name or the host name of the system
Your email address
The req(1) man page describes the PKCS#10 certificate request and generating utility. Default settings used in the certificate creating process are contained within the /etc/pki/tls/openssl.cnf file. See man openssl.cnf(5) for more information.
other errors.
To verify multiple individual X.509 certificates in PEM format, issue a command in the following format:
~]$ openssl verify cert1.pem cert2.pem
To verify a certificate chain the leaf certificate must be in cert.pem and the intermediate certificates which you do not trust must be directly concatenated in untrusted.pem. The trusted root CA certificate must be either among the default CA listed in /etc/pki/tls/certs/ca-bundle.crt or in a cacert.pem file. Then, to verify the chain, issue a command in the following format:
~]$ openssl verify -untrusted untrusted.pem -CAfile cacert.pem cert.pem
See man verify(1) for more information.
Important
Verification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7 due to insufficient strength of this algorithm. Always use strong algorithms such as SHA256.
To verify a signed data file and to extract the data, issue a command as follows:
~]$ openssl pkeyutl -verifyrecover -in sig -inkey key.pem
To verify the signature, for example using a DSA key, issue a command as follows:
~]$ openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem
The pkeyutl(1) manual page describes the public key algorithm utility.
Important
The enc command does not properly support AEAD ciphers, and the ecb mode is not considered secure. For best results, do not use other modes than cbc, cfb, ofb, or ctr.
1. You need a valid certificate for stunnel regardless of what service you use it with. If you do not have a suitable certificate, you can apply to a Certificate Authority to obtain one, or you can create a self-signed certificate.
Warning
Always use certificates signed by a Certificate Authority for servers running in a production environment. Self-signed certificates are only appropriate for testing purposes or private networks.
See Section 4.8.2.1, Creating a Certificate Signing Request for more information about certificates granted by a Certificate Authority. On the other hand, to create a self-signed certificate for stunnel, enter the /etc/pki/tls/certs/ directory and type the following command as root:
certs]# make stunnel.pem
Answer all of the questions to complete the process.
2. When you have a certificate, create a configuration file for stunnel. It is a text file in which every line specifies an option or the beginning of a service definition. You can also keep comments and empty lines in the file to improve its legibility, where comments start with a semicolon.
The stunnel RPM package contains the /etc/stunnel/ directory, in which you can store the configuration file. Although stunnel does not require any special format of the file name or its extension, use /etc/stunnel/stunnel.conf. The following content configures stunnel as a TLS wrapper:
cert = /etc/pki/tls/certs/stunnel.pem
; Allow only TLS, thus avoiding SSL
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[service_name]
accept = port
connect = port
TIMEOUTclose = 0
Alternatively, you can avoid SSL by replacing the line containing sslVersion = TLSv1 with the following lines:
options = NO_SSLv2
options = NO_SSLv3
The purpose of the options is as follows:
cert - the path to your certificate
sslVersion - the version of SSL; note that you can use TLS here even though SSL and TLS are two independent cryptographic protocols
chroot - the changed root directory in which the stunnel process runs, for greater security
setuid, setgid - the user and group that the stunnel process runs as; nobody is a restricted system account
pid - the file in which stunnel saves its process ID, relative to chroot
socket - local and remote socket options; in this case, disable Nagle's algorithm to improve network latency
[service_name] - the beginning of the service definition; the options used below this line apply to the given service only, whereas the options above affect stunnel globally
accept - the port to listen on
connect - the port to connect to; this must be the port that the service you are securing uses
TIMEOUTclose - how many seconds to wait for the close_notify alert from the client; 0 instructs stunnel not to wait at all
options - OpenSSL library options
Overview of LUKS
What LUKS does
LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.
LUKS uses the existing device mapper kernel subsystem.
LUKS provides passphrase strengthening which protects against dictionary attacks.
LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.
What LUKS does not do:
LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
LUKS is not well-suited for applications requiring file-level encryption.
is used to decrypt your partition. If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings.
The default cipher used for LUKS (see cryptsetup --help) is aes-cbc-essiv:sha256 (ESSIV - Encrypted Salt-Sector Initialization Vector). Note that the installation program, Anaconda, uses by default XTS mode (aes-xts-plain64). The default key size for LUKS is 256 bits. The default key size for LUKS with Anaconda (XTS mode) is 512 bits. Ciphers that are available are:
AES - Advanced Encryption Standard - FIPS PUB 197
Twofish (A 128-bit Block Cipher)
Serpent
cast5 - RFC 2144
cast6 - RFC 2612
Warning
Following this procedure will remove all data on the partition that you are encrypting. You WILL lose all your information! Make sure you back up your data to an external source before beginning this procedure!
1. Enter runlevel 1 by typing the following at a shell prompt as root:
telinit 1
2. Unmount your existing /home:
umount /home
3. If the command in the previous step fails, use fuser to find processes hogging /home and kill them:
fuser -mvk /home
4. Verify /home is no longer mounted:
grep home /proc/mounts
5. Fill your partition with random data:
shred -v --iterations=1 /dev/VG00/LV_home
This command proceeds at the sequential write speed of your device and may take some time to complete. It is an important step to ensure no unencrypted data is left on a used device, and to obfuscate the parts of the device that contain encrypted data as opposed to just random data.
Note
Checking the Encrypt System check box on the Automatic Partitioning screen and then choosing Create custom layout does not cause any block devices to be encrypted automatically.
Note
You can use kickstart to set a separate passphrase for each new encrypted block device.
HOWTO: Creating an encrypted Physical Volume (PV) using a second hard drive and pvmove
Warning
If you forget your passphrase, you will not be able to decrypt the data.
To find your GPG key ID, look in the Key ID column next to the newly created key. In most cases, if you are asked for the key ID, prepend 0x to the key ID, as in 0x6789ABCD. You should make a backup of your private key and store it somewhere secure.
Warning
If you forget your passphrase, the key cannot be used and any data encrypted using that key will be lost.
Warning
Keep in mind that only fully trusted users should be assigned membership in the pkcs11 group, as all members of this group have the right to block other users of the openCryptoki service from accessing configured PKCS#11 tokens. All members of this group can also execute arbitrary code with the privileges of any other users of openCryptoki.
4.10.4.3. Authenticating to a Server with a Key on a Smart Card
OpenSSH can read your public key from a smart card and perform operations with your private key without exposing the key itself. This means that the private key does not leave the card. To connect to a remote server using your smart card for authentication, run the following command and enter the PIN protecting your card:
[localhost ~]$ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so hostname
Enter PIN for 'Test (UserPIN)':
[hostname ~]$
Replace the hostname with the actual hostname to which you want to connect.
To save unnecessary typing next time you connect to the remote server, store the path to the PKCS#11 library in your ~/.ssh/config file:
Host hostname
PKCS11Provider /usr/lib64/pkcs11/opensc-pkcs11.so
Connect by running the ssh command without any additional options:
[localhost ~]$ ssh hostname
Enter PIN for 'Test (UserPIN)':
[hostname ~]$
~]$ ssh-add -l
Could not open a connection to your authentication agent.
~]$ eval `ssh-agent`
To avoid writing your PIN every time you connect using this key, add the card to the agent by running the following command:
~]$ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
Enter PIN for 'Test (UserPIN)':
Card added: /usr/lib64/pkcs11/opensc-pkcs11.so
To remove the card from ssh-agent, use the following command:
~]$ ssh-add -e /usr/lib64/pkcs11/opensc-pkcs11.so
Card removed: /usr/lib64/pkcs11/opensc-pkcs11.so
Prior to any operations with keys, relevant kernel modules need to be loaded. For trusted keys, it is the trusted module, and for encrypted keys, it is the encrypted-keys module. Use the following command as the root user to load both of these modules at once:
~]# modprobe trusted encrypted-keys
Trusted and encrypted keys can be created, loaded, exported, and updated using the keyctl utility. For detailed information about using keyctl, see keyctl(1).
Note
In order to use a TPM (such as for creating and sealing trusted keys), it needs to be enabled and active. This can usually be achieved through a setting in the machine's BIOS or using the tpm_setactive command from the tpm-tools package of utilities. Also, the TrouSers application needs to be installed (the trousers package), and the tcsd daemon, which is a part of the TrouSers suite, running to communicate with the TPM.
To create a trusted key using a TPM, execute the keyctl command with the following syntax:
keyctl add trusted name "new keylength [options]" keyring
Using the above syntax, an example command can be constructed as follows:
~]$ keyctl add trusted kmk "new 32" @u
642500861
The above example creates a trusted key called kmk with the length of 32 bytes (256 bits) and places it in the user keyring (@u). The keys may have a length of 32 to 128 bytes (256 to 1024 bits). Use the show subcommand to list the current structure of the kernel keyrings:
~]$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
 97833714 --alswrv    500    -1   \_ keyring: _uid.1000
642500861 --alswrv    500   500       \_ trusted: kmk
The print subcommand outputs the encrypted key to the standard output. To export the key to a user-space blob, use the pipe subcommand as follows:
~]$ keyctl pipe 642500861 > kmk.blob
To load the trusted key from the user-space blob, use the add command again with the blob as an argument:
~]$ keyctl add trusted kmk "load `cat kmk.blob`" @u
268728824
The TPM-sealed trusted key can then be employed to create secure encrypted keys. The following command syntax is used for generating encrypted keys:
Important
Keep in mind that encrypted keys that are not sealed by a master trusted key are only as secure as the user master key (random-number key) used to encrypt them. Therefore, the master user key should be loaded as securely as possible and preferably early during the boot process.
https://www.kernel.org/doc/Documentation/security/keys-trusted-encrypted.txt
The official documentation about the trusted and encrypted keys feature of the Linux kernel.
See Also
Section A.1.1, Advanced Encryption Standard AES provides a concise description of the Advanced Encryption Standard.
Section A.2, Public-key Encryption describes the public-key cryptographic approach and the various cryptographic protocols it uses.
To check which sources of entropy are available in a given system, execute the following command as root:
~]# rngd -v
Unable to open file: /dev/tpm0
Available entropy sources:
DRNG
If there is not any TPM device present, you will see only the Intel Digital Random Number Generator (DRNG) as a source of entropy. To check if your CPU supports the RDRAND processor instruction, run the following command:
~]$ cat /proc/cpuinfo | grep rdrand
Note
For more information and software code examples, see Intel Digital Random Number Generator (DRNG) Software Implementation Guide.
The rng-tools package also contains the rngtest utility, which can be used to check the randomness of data. To test the level of randomness of the output of /dev/random, use the rngtest tool as follows:
~]$ cat /dev/random | rngtest -c 1000
rngtest 5
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is
NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 998
rngtest: FIPS 140-2 failures: 2
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 2
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=1.171; avg=8.453; max=11.374)Mibits/s
rngtest: FIPS tests speed: (min=15.545; avg=143.126; max=157.632)Mibits/s
rngtest: Program run time: 2390520 microseconds
A high number of failures shown in the output of the rngtest tool indicates that the randomness of the tested data is insufficient and should not be relied upon. See the rngtest(1) manual page for a list of options available for the rngtest utility.
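rngtest applies the FIPS 140-2 statistical tests named in the output above to each 20,000-bit block it reads. As an added example that is not part of the guide or of rng-tools, the following Python reimplements those five tests with the 2001-10-10 change-notice thresholds, so the success and per-test failure counts in the summary lines can be reproduced on any data; the whole-block continuous-run check is a simplification assumed here, not rngtest's exact 32-bit comparison.

```python
import os

BLOCK_BYTES = 2500   # one FIPS 140-2 block is 20,000 bits, the unit rngtest evaluates
# Allowed run counts per length (6 means six or longer), FIPS 140-2 change notice 2001-10-10
RUN_LIMITS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}
TEST_NAMES = ("Monobit", "Poker", "Runs", "Long run", "Continuous run")


def bits_of(data):
    """Expand a block of bytes into a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit(bits):
    """Pass when the number of ones X satisfies 9725 < X < 10275."""
    ones = sum(bits)
    return 9725 < ones < 10275, ones


def poker(bits):
    """Pass when the statistic over the 5000 4-bit segments satisfies 2.16 < X < 46.17."""
    counts = [0] * 16
    for i in range(0, len(bits), 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    x = 16 * sum(c * c for c in counts) / 5000 - 5000
    return 2.16 < x < 46.17, x


def run_lengths(bits):
    """Count runs of zeros and of ones by length (6 = six or longer); also the longest run."""
    counts = {0: dict.fromkeys(RUN_LIMITS, 0), 1: dict.fromkeys(RUN_LIMITS, 0)}
    longest, i = 0, 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        counts[bits[i]][min(j - i, 6)] += 1
        longest = max(longest, j - i)
        i = j
    return counts, longest


def fips_140_2(block, previous=None):
    """Run the five tests rngtest reports on one block; True means the test passed."""
    bits = bits_of(block)
    counts, longest = run_lengths(bits)
    runs_ok = all(lo <= counts[v][n] <= hi
                  for v in (0, 1) for n, (lo, hi) in RUN_LIMITS.items())
    return {
        "Monobit": monobit(bits)[0],
        "Poker": poker(bits)[0],
        "Runs": runs_ok,
        "Long run": longest < 26,      # any run of 26 or more identical bits fails
        # Simplified continuous-run check (assumption): the block must differ from the
        # previous one; rngtest compares a 32-bit window rather than whole blocks.
        "Continuous run": previous is None or block != previous,
    }


def summarize(blocks):
    """Count passing blocks and per-test failures, like rngtest's summary lines."""
    failures = dict.fromkeys(TEST_NAMES, 0)
    successes, previous = 0, None
    for block in blocks:
        result = fips_140_2(block, previous)
        successes += all(result.values())
        for name in TEST_NAMES:
            failures[name] += not result[name]
        previous = block
    return successes, failures


if __name__ == "__main__":
    # Evaluate 20 blocks from the kernel's CSPRNG, the way 'rngtest -c 20' would.
    successes, failures = summarize(os.urandom(BLOCK_BYTES) for _ in range(20))
    print(f"rngtest-like: FIPS 140-2 successes: {successes}")
    for name, count in failures.items():
        print(f"rngtest-like: FIPS 140-2(2001-10-10) {name}: {count}")
```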
Red Hat Enterprise Linux 7 introduced the virtio RNG (Random Number Generator) device that provides KVM virtual machines with access to entropy from the host machine. With the recommended setup, hwrng feeds into the entropy pool of the host Linux kernel (through /dev/random), and QEMU will use /dev/random as the source for entropy requested by guests.
Note
Please note that currently, the security of all versions of TLS depends on the use of TLS extensions, specific ciphers (see below), and other workarounds. All TLS connection peers need to implement secure renegotiation indication (RFC 5746), must not support compression, and must implement mitigating measures for timing attacks against CBC-mode ciphers (the Lucky Thirteen attack). TLS v1.0 clients need to additionally implement record splitting (a workaround against the BEAST attack).
TLS v1.2 supports Authenticated Encryption with Associated Data (AEAD) mode ciphers like AES-GCM, AES-CCM, or Camellia-GCM, which have no known issues. All the mentioned mitigations are implemented in cryptographic libraries included in Red Hat Enterprise Linux.
See Table 4.6, Protocol Versions for a quick overview of protocol versions and recommended usage.
Table 4.6. Protocol Versions
Protocol Version
SSL v2
SSL v3
TLS v1.0
TLS v1.1
TLS v1.2
Some components in Red Hat Enterprise Linux are configured to use TLS v1.0 even though they provide support for TLS v1.1 or even v1.2. This is motivated by an attempt to achieve the highest level of interoperability with external services that may not support the latest versions of TLS. Depending on your interoperability requirements, enable the highest available version of TLS.
Important
SSL v3 is not recommended for use. However, if, despite the fact that it is considered insecure and unsuitable for general use, you absolutely must leave SSL v3 enabled, see Section 4.9, Using stunnel for instructions on how to use stunnel to securely encrypt communications even when using services that do not support encryption or are only capable of using obsolete and insecure modes of encryption.
Cipher Suites
Modern, more secure cipher suites should be preferred to old, insecure ones. Always disable the use of eNULL and aNULL cipher suites, which do not offer any encryption or authentication at all. If at all possible, cipher suites based on RC4 or HMAC-MD5, which have serious shortcomings, should also be disabled. The same applies to the so-called export cipher suites, which have been intentionally made weaker, and thus are easy to break.
While not immediately insecure, cipher suites that offer less than 128 bits of security should not be considered for their short useful life. Algorithms that use 128 bits of security or more can be expected to be unbreakable for at least several years, and are thus strongly recommended. Note that while 3DES ciphers advertise the use of 168 bits, they actually offer 112 bits of security.
Always give preference to cipher suites that support (perfect) forward secrecy (PFS), which ensures the confidentiality of encrypted data even in case the server key is compromised. This rules out the fast RSA key exchange, but allows for the use of ECDHE and DHE. Of the two, ECDHE is the faster and therefore the preferred choice.
You should also give preference to AEAD ciphers, such as AES-GCM, before CBC-mode ciphers as they are not vulnerable to padding oracle attacks. Additionally, in many cases, AES-GCM is faster than AES in CBC mode, especially when the hardware has cryptographic accelerators for AES.
Note also that when using the ECDHE key exchange with ECDSA certificates, the transaction is even faster than pure RSA key exchange. To provide support for legacy clients, you can install two pairs of certificates and keys on a server: one with ECDSA keys (for new clients) and one with RSA keys (for legacy ones).
Warning
Keep in mind that the security of your system is only as strong as the weakest link in the chain. For example, a strong cipher alone does not guarantee good security. The keys and the certificates are just as important, as well as the hash functions and keys used by the Certification Authority (CA) to sign your keys.
Important
Be sure to check your settings following every update or upgrade of the TLS implementation you use or the applications that utilize that implementation. New versions may introduce new cipher suites that you do not want to have enabled and that your current configuration does not disable.
The above command omits all insecure ciphers, gives preference to ephemeral elliptic curve Diffie-Hellman key exchange and ECDSA ciphers, and omits RSA key exchange (thus ensuring perfect forward secrecy).
Note that this is a rather strict configuration, and it might be necessary to relax the conditions in real-world scenarios to allow for compatibility with a broader range of clients.
Note
The GnuTLS installation on Red Hat Enterprise Linux 7 offers optimal default configuration values that provide sufficient security for the majority of use cases. Unless you need to satisfy special security requirements, it is recommended to use the supplied defaults.
Use the gnutls-cli command with the -l (or --list) option to list all supported cipher suites:
~]$ gnutls-cli -l
To narrow the list of cipher suites displayed by the -l option, pass one or more parameters (referred to as priority strings and keywords in GnuTLS documentation) to the --priority option. See the GnuTLS documentation at http://www.gnutls.org/manual/gnutls.html#Priority-Strings for a list of all available priority strings. For example, issue the following command to get a list of cipher suites that offer at least 128 bits of security:
~]$ gnutls-cli --priority SECURE128 -l
To obtain a list of cipher suites that satisfy the recommendations outlined in Section 4.11.1, Choosing Algorithms to Enable, use a command similar to the following:
~]$ gnutls-cli --priority SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC -l
Cipher suites for SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384          0xc0, 0x2c   TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384          0xc0, 0x24   TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1            0xc0, 0x0a   SSL3.0
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256          0xc0, 0x2b   TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256          0xc0, 0x23   TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1            0xc0, 0x09   SSL3.0
TLS_ECDHE_RSA_AES_256_GCM_SHA384            0xc0, 0x30   TLS1.2
TLS_ECDHE_RSA_AES_256_CBC_SHA1              0xc0, 0x14   SSL3.0
TLS_ECDHE_RSA_AES_128_GCM_SHA256            0xc0, 0x2f   TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA256            0xc0, 0x27   TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA1              0xc0, 0x13   SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA256              0x00, 0x6b   TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1                0x00, 0x39   SSL3.0
TLS_DHE_RSA_AES_128_GCM_SHA256              0x00, 0x9e   TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA256              0x00, 0x67   TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA1                0x00, 0x33   SSL3.0
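The recommendations of Section 4.11.1 can be applied mechanically to such a listing. As an added example that is neither the guide's nor GnuTLS's code, the following Python parses rows in the layout of gnutls-cli -l output (entries from the table above plus four constructed rows that the guide does not list), rejects the suites the guide rules out, and orders the rest by forward secrecy, AEAD, symmetric key size and ECDSA; that ranking key is this example's own assumption, not GnuTLS priority-string semantics.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout of 'gnutls-cli -l' output: name, IANA id, minimum protocol.
# The first eight rows copy entries from the listing above; the last four rows are added here
# to exercise the rejection rules and are NOT part of the guide's listing.
GNUTLS_OUTPUT = """\
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384   0xc0, 0x2c   TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384   0xc0, 0x24   TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1     0xc0, 0x0a   SSL3.0
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256   0xc0, 0x2b   TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384     0xc0, 0x30   TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA1       0xc0, 0x13   SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA256       0x00, 0x6b   TLS1.2
TLS_DHE_RSA_AES_128_GCM_SHA256       0x00, 0x9e   TLS1.2
TLS_RSA_AES_128_GCM_SHA256           0x00, 0x9c   TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1        0x00, 0x16   SSL3.0
TLS_RSA_ARCFOUR_128_MD5              0x00, 0x04   SSL3.0
TLS_RSA_NULL_SHA1                    0x00, 0x02   SSL3.0
"""

ROW_RE = re.compile(r"^(\S+)\s+(0x[0-9a-f]{2}),\s*(0x[0-9a-f]{2})\s+(\S+)$")


class Suite(NamedTuple):
    name: str
    iana_id: tuple
    min_version: str


def parse_gnutls_list(text):
    """Parse rows of 'gnutls-cli -l' style output; lines that are not rows are skipped."""
    suites = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            suites.append(Suite(m.group(1), (int(m.group(2), 16), int(m.group(3), 16)), m.group(4)))
    return suites


def assess(name):
    """Apply the guide's rules to one GnuTLS suite name.

    Returns (accepted, reasons, rank_key); rank_key orders accepted suites by forward
    secrecy, AEAD, symmetric key bits and ECDSA (this example's own preference order).
    """
    parts = name.split("_")
    reasons = []
    if "NULL" in parts or "ANON" in parts:
        reasons.append("eNULL/aNULL: no encryption or no authentication")
    if "ARCFOUR" in parts or "RC4" in parts:
        reasons.append("RC4 stream cipher")
    if "MD5" in parts:
        reasons.append("HMAC-MD5")
    if "EXPORT" in parts:
        reasons.append("export-grade suite")
    if "3DES" in parts:
        bits = 112                       # 3DES advertises 168 bits but offers 112
    else:
        m = re.search(r"_(AES|CAMELLIA|ARCFOUR)_(\d+)_", name)
        bits = int(m.group(2)) if m else 0
    if "NULL" not in parts and bits < 128:
        reasons.append(f"only {bits} bits of security")
    if "ECDHE" in parts:
        pfs = 2
    elif "DHE" in parts:
        pfs = 1
    else:
        pfs = 0
        reasons.append("no forward secrecy (static RSA key exchange)")
    aead = 1 if "GCM" in parts or "CCM" in parts else 0
    ecdsa = 1 if "ECDSA" in parts else 0
    return not reasons, reasons, (pfs, aead, bits, ecdsa)


def rank_suites(suites):
    """Return accepted suite names in preference order and rejected ones with their reasons."""
    accepted, rejected = [], []
    for suite in suites:
        ok, reasons, key = assess(suite.name)
        if ok:
            accepted.append((key, suite.name))
        else:
            rejected.append((suite.name, reasons))
    accepted.sort(key=lambda item: item[0], reverse=True)   # stable: ties keep listing order
    return [name for _, name in accepted], rejected


if __name__ == "__main__":
    names, dropped = rank_suites(parse_gnutls_list(GNUTLS_OUTPUT))
    for name in names:
        print("keep  ", name)
    for name, why in dropped:
        print("reject", name, "-", "; ".join(why))
```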
The mod_ssl package installs the /etc/httpd/conf.d/ssl.conf configuration file, which can be used to modify the TLS-related settings of the Apache HTTP Server. Similarly, the mod_nss package installs the /etc/httpd/conf.d/nss.conf configuration file.
Install the httpd-manual package to obtain complete documentation for the Apache HTTP Server, including TLS configuration. The directives available in the /etc/httpd/conf.d/ssl.conf configuration file are described in detail in /usr/share/httpd/manual/mod/mod_ssl.html. Examples of various settings are in /usr/share/httpd/manual/ssl/ssl_howto.html.
When modifying the settings in the /etc/httpd/conf.d/ssl.conf configuration file, be sure to consider the following three directives at the minimum:
SSLProtocol
Use this directive to specify the version of TLS (or SSL) you want to allow.
SSLCipherSuite
Use this directive to specify your preferred cipher suite or disable the ones you want to disallow.
SSLHonorCipherOrder
Uncomment and set this directive to on to ensure that the connecting clients adhere to the order of ciphers you specified.
For example:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
Note that the above configuration is the bare minimum, and it can be hardened significantly by following the recommendations outlined in Section 4.11.1, Choosing Algorithms to Enable.
To configure and use the mod_nss module, modify the /etc/httpd/conf.d/nss.conf configuration file. The mod_nss module is derived from mod_ssl, and as such it shares many features with it, not least the structure of the configuration file, and the directives that are available. Note that the mod_nss directives have a prefix of NSS instead of SSL. See https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html for an overview of information about mod_nss, including a list of mod_ssl configuration directives that are not applicable to mod_nss.
Use this directive to specify the version of TLS (or SSL) you want to allow.
ssl_cipher_list
Use this directive to specify your preferred cipher suites or disable the ones you want to disallow.
ssl_prefer_server_ciphers
Uncomment and set this directive to yes to ensure that the connecting clients adhere to the order of ciphers you specified.
For example:
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers = yes
Note that the above configuration is the bare minimum, and it can be hardened significantly by following the recommendations outlined in Section 4.11.1, Choosing Algorithms to Enable.
See Also
Section A.2.4, SSL/TLS provides a concise description of the SSL and TLS protocols.
Section 4.8, Using OpenSSL describes, among other things, how to use OpenSSL to create and manage keys, generate certificates, and encrypt and decrypt files.
Use Cases
Watching file access
Audit can track whether a file or a directory has been accessed, modified, executed, or the file's attributes have been changed. This is useful, for example, to detect access to important files and have an Audit trail available in case one of these files is corrupted.
Monitoring system calls
Audit can be configured to generate a log entry every time a particular system call is used. This can be used, for example, to track changes to the system time by monitoring the settimeofday, clock_adjtime, and other time-related system calls.
Recording commands run by a user
Because Audit can track whether a file has been executed, a number of rules can be defined to record every execution of a particular command. For example, a rule can be defined for every executable in the /bin directory. The resulting log entries can then be searched by user ID to generate an audit trail of executed commands per user.
Recording security events
The pam_faillock authentication module is capable of recording failed login attempts. Audit can be set up to record failed login attempts as well, and provides additional information about the user who attempted to log in.
Searching for events
Audit provides the ausearch utility, which can be used to filter the log entries and provide a complete audit trail based on a number of conditions.
Running summary reports
The aureport utility can be used to generate, among other things, daily reports of recorded events. A system administrator can then analyze these reports and investigate suspicious activity further.
Monitoring network access
The iptables and ebtables utilities can be configured to trigger Audit events, allowing system administrators to monitor network access.
Note
System performance may be affected depending on the amount of information that is collected by Audit.
Once a system call passes through one of these filters, it is sent through the exclude filter, which, based on the Audit rule configuration, sends it to the Audit daemon for further processing. Figure 5.1, Audit system architecture illustrates this process.
5.3. Configuring the audit Service
The Audit daemon can be configured in the /etc/audit/auditd.conf configuration file. This file consists of configuration parameters that modify the behavior of the Audit daemon. Any empty lines or any text following a hash sign (#) is ignored. A complete listing of all configuration parameters and their explanation can be found in the audit.conf(5) man page.
Once auditd is properly configured, start the service to collect Audit information and store it in the log files. Execute the following command as the root user to start auditd:
~]# service auditd start
Note
The service command is the only way to correctly interact with the auditd daemon. You need to use the service command so that the auid value is properly recorded. You can use the systemctl command only for two actions: enable and status.
Optionally, you can configure auditd to start at boot time using the following command as the root user:
~]# systemctl enable auditd
A number of other actions can be performed on auditd using the service auditd action command, where action can be one of the following:
stop - stops auditd.
restart - restarts auditd.
reload or force-reload - reloads the configuration of auditd from the /etc/audit/auditd.conf file.
rotate - rotates the log files in the /var/log/audit/ directory.
resume - resumes logging of Audit events after it has been previously suspended, for example, when there is not enough free space on the disk partition that holds the Audit log files.
condrestart or try-restart - restarts auditd only if it is already running.
status - displays the running status of auditd.
Note
All commands which interact with the Audit service and the Audit log files require root privileges. Ensure you execute these commands as the root user.
The auditctl command allows you to control the basic functionality of the Audit system and to define rules that decide which Audit events are logged.
-l
lists all currently loaded Audit rules, for example:
~]# auditctl -l
LIST_RULES: exit,always
change
LIST_RULES: exit,always
LIST_RULES: exit,always
LIST_RULES: exit,always
-D
deletes all currently loaded Audit rules, for example:
~]# auditctl -D
No rules
To define a rule that logs the execution of the /sbin/insmod command, which inserts a module into the Linux kernel, execute the following command:
~]# auditctl -w /sbin/insmod -p x -k module_insertion
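Records produced by a rule such as the insmod watch above share one audit(timestamp:serial) id and carry the rule's key, which is what ausearch filters on. As an added example that is not part of the guide or of the audit package, the following Python groups constructed auditd log lines into events, filters them by key, interprets arch and syscall numbers the way ausearch -i does (using a two-entry x86_64 syscall table, an assumption), and builds the per-user command trail described under Use Cases.

```python
import re
from collections import defaultdict

# Constructed sample auditd log lines (not from the guide). The first three records share
# one audit(timestamp:serial) id, so they form a single event; field values are illustrative.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1462000000.123:9001): arch=c000003e syscall=59 success=yes exit=0 ppid=1832 pid=1911 auid=500 uid=0 comm="insmod" exe="/sbin/insmod" key="module_insertion"
type=EXECVE msg=audit(1462000000.123:9001): argc=2 a0="insmod" a1="example.ko"
type=PATH msg=audit(1462000000.123:9001): item=0 name="/sbin/insmod" inode=131243 mode=0100755
type=SYSCALL msg=audit(1462000000.124:9002): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=500 comm="cat" exe="/usr/bin/cat" key=(null)
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

ARCH_NAMES = {"c000003e": "x86_64"}                 # what ausearch -i prints for this arch
SYSCALL_NAMES_X86_64 = {2: "open", 59: "execve"}    # assumption: two entries from unistd_64.h


def parse_record(line):
    """Split one record into its type, audit(timestamp:serial) id and name=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"type": m.group("type"), "timestamp": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}


def interpret(record):
    """Replace arch and syscall numbers with names for SYSCALL records, like ausearch -i."""
    fields = dict(record["fields"])
    if record["type"] == "SYSCALL":
        fields["arch"] = ARCH_NAMES.get(fields.get("arch"), fields.get("arch"))
        if fields["arch"] == "x86_64" and fields.get("syscall", "").isdigit():
            fields["syscall"] = SYSCALL_NAMES_X86_64.get(int(fields["syscall"]), fields["syscall"])
    return {**record, "fields": fields}


def group_events(log_text):
    """Group records into events: all records with the same (timestamp, serial) id."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[(rec["timestamp"], rec["serial"])].append(rec)
    return dict(events)


def events_with_key(log_text, key):
    """Event ids whose SYSCALL record carries the rule key given with auditctl -k."""
    return [eid for eid, recs in group_events(log_text).items()
            if any(r["type"] == "SYSCALL" and r["fields"].get("key") == key for r in recs)]


def commands_by_user(log_text):
    """Per-auid list of executed command lines, the 'audit trail per user' use case."""
    trail = defaultdict(list)
    for recs in group_events(log_text).values():
        auid = next((r["fields"]["auid"] for r in recs
                     if r["type"] == "SYSCALL" and "auid" in r["fields"]), None)
        for r in recs:
            if r["type"] == "EXECVE":
                argv = [r["fields"][f"a{i}"] for i in range(int(r["fields"]["argc"]))]
                trail[auid].append(" ".join(argv))
    return dict(trail)


if __name__ == "__main__":
    for eid in events_with_key(SAMPLE_LOG, "module_insertion"):
        for rec in group_events(SAMPLE_LOG)[eid]:
            print(interpret(rec))
    print(commands_by_user(SAMPLE_LOG))
```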
5.5.2. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
To define Audit rules that are persistent across reboots, you must include them in the /etc/audit/audit.rules file. This file uses the same auditctl command line syntax to specify the rules. Any empty lines or any text following a hash sign (#) is ignored.
The auditctl command can also be used to read rules from a specified file with the -R option, for example:
~]# auditctl -R /usr/share/doc/audit-version/stig.rules
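As an added example (not from this guide or from the audit project), the following Python script reads a rules file with the syntax just described, skipping empty lines and any text after a hash sign, and rejects watch rules whose -p letters fall outside rwxa before the file is handed to auditctl -R. The sample rules, the function names and the limited set of options checked are constructed for this illustration; other rule types are passed through unvalidated.

```python
import shlex

# Constructed sample in /etc/audit/audit.rules syntax (not a real host's file).
# The last watch rule carries a deliberate typo in its -p permissions.
SAMPLE_RULES = """\
# Delete all loaded rules and raise the backlog before adding watches
-D
-b 8192

# Log execution of insmod, as in the text above
-w /sbin/insmod -p x -k module_insertion
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/passwd -p rwxq -k identity   # 'q' is not a watch permission
"""

WATCH_PERMS = set("rwxa")       # read, write, execute, attribute change
WATCH_OPTIONS = {"-p", "-k"}    # options this checker understands after -w (assumption)


def check_watch(argv):
    """Validate a '-w path [-p perms] [-k key]' rule; return an error string or None."""
    if len(argv) < 2 or not argv[1].startswith("/"):
        return "-w needs an absolute path"
    tail = argv[2:]
    if len(tail) % 2:
        return "option without a value in watch rule"
    opts = dict(zip(tail[0::2], tail[1::2]))
    unknown = set(opts) - WATCH_OPTIONS
    if unknown:
        return "unsupported option(s) %s in watch rule" % " ".join(sorted(unknown))
    bad = set(opts.get("-p", "rwxa")) - WATCH_PERMS
    if bad:
        return "invalid permission letter(s) %s (allowed: rwxa)" % "".join(sorted(bad))
    return None


def parse_audit_rules(text):
    """Read rules the way the text describes: blank lines and text after '#' are ignored.

    Returns (rules, errors): rules is a list of {"line": n, "argv": [...]} for
    accepted lines, errors a list of "line n: message" strings for watch rules
    that auditctl would reject (only -w rules are validated here)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        argv = shlex.split(line)
        if argv[0] == "-w":
            problem = check_watch(argv)
            if problem:
                errors.append("line %d: %s" % (lineno, problem))
                continue
        rules.append({"line": lineno, "argv": argv})
    return rules, errors


def watched_paths(rules):
    """Map each watched path to its -k key, to confirm a file is actually covered."""
    return {r["argv"][1]: dict(zip(r["argv"][2::2], r["argv"][3::2])).get("-k")
            for r in rules if r["argv"][0] == "-w"}


if __name__ == "__main__":
    loaded, problems = parse_audit_rules(SAMPLE_RULES)
    print("%d rules accepted, %d rejected" % (len(loaded), len(problems)))
    for p in problems:
        print(p)
```

Running the script on the constructed sample accepts four rules and reports the bad permission letter on line 8; the same function can be pointed at a candidate audit.rules file before it is loaded.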
The above event consists of three records (each starting with the type= keyword), which share the same time stamp and serial number. Each record consists of several name=value pairs separated by a white space or a comma. A detailed analysis of the above event follows:
First Record
type=SYSCALL
The type field contains the type of the record. In this example, the SYSCALL value specifies that this record was triggered by a system call to the kernel.
For a list of all possible type values and their explanations, refer to Section B.2, Audit Record Types.
msg=audit(1364481363.243:24287):
The msg field records:
a time stamp and a unique ID of the record in the form audit(time_stamp:ID). Multiple records can share the same time stamp and ID if they were generated as part of the same Audit event.
various event-specific name=value pairs provided by the kernel or user space applications.
arch=c000003e
The arch field contains information about the CPU architecture of the system. The value, c000003e, is encoded in hexadecimal notation. When searching Audit records with the ausearch command, use the -i or --interpret option to automatically convert hexadecimal values into their human-readable equivalents. The c000003e value is interpreted as x86_64.
syscall=2
The syscall field records the type of the system call that was sent to the kernel. The value, 2, can be matched with its human-readable equivalent in the /usr/include/asm/unistd_64.h file. In this case, 2 is the open system call. Note that the ausyscall utility allows you to convert system call numbers to their human-readable equivalents. Use the ausyscall --dump command to display a listing of all system calls along with their numbers. For more information, refer to the ausyscall(8) man page.
success=no
The success field records whether the system call recorded in that particular event succeeded or failed. In this case, the call did not succeed.
exit=-13
The exit field contains a value that specifies the exit code returned by the system call. This value varies for different system calls. You can interpret the value to its human-readable equivalent with the following command: ausearch --interpret --exit -13 (assuming your Audit log contains an event that failed with exit code -13).
a0=7fffd19c5592, a1=0, a2=7fffd19c5592, a3=a
The a0 to a3 fields record the first four arguments, encoded in hexadecimal notation, of the system call in this event. These arguments depend on the system call that is used; they can be interpreted by the ausearch utility.
items=1
The items field contains the number of path records in the event.
ppid=2686
The ppid field records the Parent Process ID (PPID). In this case, 2686 was the PPID of the bash process.
pid=3538
The pid field records the Process ID (PID). In this case, 3538 was the PID of the cat process.
auid=500
The auid field records the Audit user ID, that is the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with the su - john command).
uid=500
The uid field records the user ID of the user who started the analyzed process. The user ID can be interpreted into user names with the following command: ausearch -i --uid UID. In this case, 500 is the user ID of user shadowman.
gid=500
The gid field records the group ID of the user who started the analyzed process.
euid=500
The euid field records the effective user ID of the user who started the analyzed process.
suid=500
The suid field records the set user ID of the user who started the analyzed process.
fsuid=500
The fsuid field records the file system user ID of the user who started the analyzed process.
egid=500
The egid field records the effective group ID of the user who started the analyzed process.
sgid=500
The sgid field records the set group ID of the user who started the analyzed process.
fsgid=500
The fsgid field records the file system group ID of the user who started the analyzed process.
tty=pts0
The tty field records the terminal from which the analyzed process was invoked.
ses=1
The ses field records the session ID of the session from which the analyzed process was invoked.
comm="cat"
The comm field records the command-line name of the command that was used to invoke the analyzed process. In this case, the cat command was used to trigger this Audit event.
exe="/bin/cat"
The exe field records the path to the executable that was used to invoke the analyzed process.
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The subj field records the SELinux context with which the analyzed process was labeled at the time of execution.
key="sshd_config"
The key field records the administrator-defined string associated with the rule that generated this event in the Audit log.
Second Record
type=CWD
In the second record, the type field value is CWD (current working directory). This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed.
The purpose of this record is to record the current process's location in case a relative path winds up being captured in the associated PATH record. This way the absolute path can be reconstructed.
msg=audit(1364481363.243:24287)
The msg field holds the same time stamp and ID value as the value in the first record.
cwd="/home/shadowman"
The cwd field contains the path to the directory in which the system call was invoked.
Third Record
type=PATH
In the third record, the type field value is PATH. An Audit event contains a PATH type record for every path that is passed to the system call as an argument. In this Audit event, only one path (/etc/ssh/sshd_config) was used as an argument.
msg=audit(1364481363.243:24287):
The msg field holds the same time stamp and ID value as the value in the first and second record.
item=0
The item field indicates which item, of the total number of items referenced in the SYSCALL type record, the current record is. This number is zero-based; a value of 0 means it is the first item.
name="/etc/ssh/sshd_config"
The name field records the full path of the file or directory that was passed to the system call as an argument. In this case, it was the /etc/ssh/sshd_config file.
inode=409248
The inode field contains the inode number associated with the file or directory recorded in this event. The following command displays the file or directory that is associated with the 409248 inode number:
~]# find / -inum 409248 -print
/etc/ssh/sshd_config
dev=fd:00
The dev field specifies the minor and major ID of the device that contains the file or directory recorded in this event. In this case, the value represents the /dev/fd/0 device.
mode=0100600
The mode field records the file or directory permissions, encoded in numerical notation. In this case, 0100600 can be interpreted as -rw-------, meaning that only the root user has read and write permissions to the /etc/ssh/sshd_config file.
ouid=0
The ouid field records the object owner's user ID.
ogid=0
The ogid field records the object owner's group ID.
rdev=00:00
The rdev field contains a recorded device identifier for special files only. In this case, it is not used as the recorded file is a regular file.
obj=system_u:object_r:etc_t:s0
The obj field records the SELinux context with which the recorded file or directory was labeled at the time of execution.
The Audit event analyzed above contains only a subset of all possible fields that an event can contain. For a list of all event fields and their explanation, refer to Section B.1, Audit Event Fields. For a list of all event types and their explanation, refer to Section B.2, Audit Record Types.
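An added example, not from this guide or from the audit project: a small Python parser that applies the field analysis above to constructed sample records. It groups records by their serial number, interprets a negative exit value through the errno module (so -13 becomes EACCES, as ausearch -i would show), renders mode with stat.filemode, resolves a relative PATH name through the CWD record, and flags failed calls that hit a given key. The arch and syscall tables cover only the sample values, and the log lines, PIDs and the second event are constructed rather than taken from a live host.

```python
import errno
import os
import re
import stat

# Constructed sample: the three-record open() event analysed above, plus a
# second, successful event that uses a relative path (not from a live system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c5592 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1364481400.101:24288): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd19c5600 a1=0 a2=1b6 a3=0 items=1 ppid=2686 pid=3540 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="home_reads"
type=CWD msg=audit(1364481400.101:24288):  cwd="/home/shadowman"
type=PATH msg=audit(1364481400.101:24288): item=0 name="notes.txt" inode=409300 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Tiny lookup tables covering only the sample values; a real tool would use
# `ausearch -i` or `ausyscall --dump` for the full mapping (constructed).
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_X86_64 = {2: "open"}


def parse_record(line):
    """Split one Audit record into (type, serial number, dict of name=value fields)."""
    m = MSG_RE.search(line)
    if not m or not line.startswith("type="):
        raise ValueError("not an Audit record: %r" % line)
    rec_type = line[len("type="):].split(None, 1)[0]
    fields = {k: v.strip('"') for k, v in PAIR_RE.findall(line[m.end():])}
    return rec_type, int(m.group("serial")), fields


def exit_name(code):
    """Negative exit values are -errno; map -13 to EACCES the way ausearch -i does."""
    return errno.errorcode.get(-code, str(code)) if code < 0 else str(code)


def interpret_event(records):
    """Combine the SYSCALL, CWD and PATH records of one event into a readable summary."""
    by_type = {}
    for rec_type, fields in records:
        by_type.setdefault(rec_type, []).append(fields)
    sc = by_type["SYSCALL"][0]
    cwd = by_type.get("CWD", [{}])[0].get("cwd")
    event = {
        "arch": ARCH_NAMES.get(sc["arch"], sc["arch"]),
        "syscall": SYSCALL_X86_64.get(int(sc["syscall"]), sc["syscall"]),
        "success": sc["success"] == "yes",
        "exit": exit_name(int(sc["exit"])),
        "auid": int(sc["auid"]), "uid": int(sc["uid"]),
        "comm": sc.get("comm"), "exe": sc.get("exe"), "key": sc.get("key"),
        "paths": [],
    }
    for p in by_type.get("PATH", []):
        name = p["name"]
        if not name.startswith("/") and cwd:        # rebuild the absolute path from CWD
            name = os.path.normpath(os.path.join(cwd, name))
        event["paths"].append({
            "name": name,
            "mode": stat.filemode(int(p["mode"], 8)),   # 0100600 -> -rw-------
            "owner": (int(p["ouid"]), int(p["ogid"])),
        })
    return event


def parse_log(text):
    """Group records by serial number and interpret each complete event."""
    grouped = {}
    for line in text.splitlines():
        if line.strip():
            rec_type, serial, fields = parse_record(line)
            grouped.setdefault(serial, []).append((rec_type, fields))
    return {serial: interpret_event(recs) for serial, recs in grouped.items()}


def find_denied(text, key):
    """Detection helper: failed system calls that matched the rule tagged with `key`."""
    return [ev for ev in parse_log(text).values()
            if ev["key"] == key and not ev["success"]]


if __name__ == "__main__":
    for serial, ev in sorted(parse_log(SAMPLE_LOG).items()):
        print(serial, ev["comm"], ev["syscall"], ev["exit"],
              [p["name"] for p in ev["paths"]])
```

With the sample input, event 24287 is reported as a failed open of /etc/ssh/sshd_config with EACCES by uid 500, and the relative name in event 24288 is expanded to /home/shadowman/notes.txt; find_denied(SAMPLE_LOG, "sshd_config") returns exactly that first event, which is the kind of filter a detection rule on a watched key would apply.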
For a full listing of all ausearch options, refer to the ausearch(8) man page.
For a full listing of all aureport options, refer to the aureport(8) man page.
Online Sources
The Linux Audit Documentation Project page: https://github.com/linux-audit/audit-documentation/wiki.
Article Investigating kernel Return Codes with the Linux Audit System in the Hack In the Box magazine: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf.
Manual Pages
audispd.conf(5)
auditd.conf(5)
ausearch-expression(5)
audit.rules(7)
audispd(8)
auditctl(8)
auditd(8)
aulast(8)
aulastlog(8)
aureport(8)
ausearch(8)
ausyscall(8)
autrace(8)
auvirt(8)
needs. The policy template should be chosen on the basis of its relevancy to the company environment and then the template has to be adjusted, because either the template contains built-in assumptions which cannot be applied to the organization, or the template explicitly requires that certain decisions have to be made.
Red Hat Enterprise Linux auditing capabilities are based on the Security Content Automation Protocol (SCAP) standard. SCAP is a synthesis of interoperable specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
In other words, SCAP is a vendor-neutral way of expressing security policy, and as such it is widely used in modern enterprises. SCAP specifications create an ecosystem where the format of security content is well known and standardized while the implementation of the scanner or policy editor is not mandated. Such a status enables organizations to build their security policy (SCAP content) once, no matter how many security vendors they employ.
The latest version of SCAP includes several underlying standards. These components are organized into groups according to their function within SCAP as follows:
<value selector="telnet_service">telnet-server</value>
<value selector="dhcp_servide">dhcpd</value>
<value selector="ftp_service">tftpd</value>
</Value>
<Rule id="xccdf_com.example.www_rule_1">
<title>The telnet-server Package Shall Not Be Installed </title>
<rationale>
Removing the telnet-server package decreases the risk
of the telnet services accidental (or intentional) activation
</rationale>
<fix platform="cpe:/o:redhat:enterprise_linux:6"
reboot="false"
disruption="low"
system="urn:xccdf:fix:script:sh">
yum -y remove
<sub idref="xccdf_com.example.www_value_1"/>
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export value-id="xccdf_com.example.www_value_1"
export-name="oval:com.example.www:var:1"/>
<check-content-ref href="examplary.oval.xml"
name="oval:com.example.www:def:1"/>
</check>
<check system="http://open-scap.org/page/SCE">
<check-import import-name="stdout"/>
<check-content-ref href="telnet_server.sh"/>
</check>
</Rule>
</Group>
</Benchmark>
The OVAL specification is open for public comments and contribution, and various IT companies collaborate with the MITRE Corporation, a federally funded not-for-profit organization. The OVAL specification is continuously evolving and different editions are distinguished by a version number. The current version 5.10.1 was released in January 2012.
Like all other SCAP components, OVAL is based on XML. The OVAL standard defines several document formats. Each of them includes a different kind of information and serves a different purpose.
where namespace is a namespace defining the identifier, type is either def for definitions elements, tst for tests elements, obj for objects elements, ste for states elements, or var for variables elements, and ID is an integer value of the identifier.
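An added example, not from the OVAL specification or from OpenSCAP: a Python check that validates identifiers against the namespace/type/ID structure just described and then verifies that every test_ref, object_ref, state_ref, var_ref and definition_ref in an OVAL document resolves to an element of the matching type, which is the kind of referential check worth running on hand-written content before a scanner sees it. The character set allowed in the namespace part, the sample document and its com.example namespace are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# oval:namespace:type:ID as described above; the namespace character set is
# an assumption of this example.
OVAL_ID_RE = re.compile(
    r"^oval:(?P<namespace>[A-Za-z0-9_\-\.]+):(?P<type>def|tst|obj|ste|var):(?P<id>[1-9][0-9]*)$")

# Which identifier type each reference attribute must point at.
REF_TYPES = {"definition_ref": "def", "test_ref": "tst",
             "object_ref": "obj", "state_ref": "ste", "var_ref": "var"}

# Constructed minimal OVAL document (not SSG content): one compliance
# definition checking that telnet-server is absent, with a deliberately
# dangling state_ref and one reference of the wrong type.
SAMPLE_OVAL = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition id="oval:com.example:def:1" version="1" class="compliance">
      <criteria>
        <criterion test_ref="oval:com.example:tst:1"/>
        <criterion test_ref="oval:com.example:obj:1"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <lin-def:rpminfo_test id="oval:com.example:tst:1" version="1"
        check="all" check_existence="none_exist" comment="telnet-server not installed">
      <lin-def:object object_ref="oval:com.example:obj:1"/>
      <lin-def:state state_ref="oval:com.example:ste:9"/>
    </lin-def:rpminfo_test>
  </tests>
  <objects>
    <lin-def:rpminfo_object id="oval:com.example:obj:1" version="1">
      <lin-def:name>telnet-server</lin-def:name>
    </lin-def:rpminfo_object>
  </objects>
  <states>
    <lin-def:rpminfo_state id="oval:com.example:ste:1" version="1"/>
  </states>
</oval_definitions>
"""


def parse_oval_id(ident):
    """Return (namespace, type, number) for a well-formed OVAL identifier, else raise."""
    m = OVAL_ID_RE.match(ident)
    if not m:
        raise ValueError("malformed OVAL identifier: %r" % ident)
    return m.group("namespace"), m.group("type"), int(m.group("id"))


def check_references(xml_text):
    """List every id that is malformed, referenced but undefined, or of the wrong type."""
    root = ET.fromstring(xml_text)
    problems, defined = [], {}
    for elem in root.iter():                      # first pass: collect declared ids
        ident = elem.get("id")
        if ident is None:
            continue
        try:
            defined[ident] = parse_oval_id(ident)[1]
        except ValueError as exc:
            problems.append(str(exc))
    for elem in root.iter():                      # second pass: resolve references
        for attr, expected in REF_TYPES.items():
            ref = elem.get(attr)
            if ref is None:
                continue
            if ref not in defined:
                problems.append("%s -> %s is not defined" % (attr, ref))
            elif defined[ref] != expected:
                problems.append("%s -> %s has type %s, expected %s"
                                % (attr, ref, defined[ref], expected))
    return problems


if __name__ == "__main__":
    for line in check_references(SAMPLE_OVAL) or ["all references resolve"]:
        print(line)
```

On the sample the checker reports the criterion that points a test_ref at an object and the state_ref that names a state the document never defines; on clean content it returns an empty list.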
version="1">
<!-- This object represents the rpm package which owns the /etc/redhat-release file -->
<lin-def:behaviors nolinkto='true'
nomd5='true'
nosize='true'
nouser='true'
nogroup='true'
nomtime='true'
nomode='true'
nordev='true'
noconfigfiles='true'
noghostfiles='true' />
<lin-def:name operation="pattern match"/>
<lin-def:epoch operation="pattern match"/>
<lin-def:version operation="pattern match"/>
<lin-def:release operation="pattern match"/>
<lin-def:arch operation="pattern match"/>
<lin-def:filepath>/etc/redhat-release</lin-def:filepath>
</lin-def:rpmverifyfile_object>
</objects>
<states>
<lin-def:rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:7"
version="1">
<lin-def:name operation="pattern match">^redhat-release</lin-def:name>
<lin-def:version operation="pattern match">^7[^\d]</lin-def:version>
</lin-def:rpminfo_state>
</states>
</oval_definitions>
<ds:data-stream-collection
xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
id="scap_org.open-scap_collection_from_xccdf_ssg-rhel7-xccdf-1.2.xml"
schematron-version="1.0">
<ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml"
scap-version="1.2" use-case="OTHER">
<ds:dictionaries>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7-cpe-dictionary.xml"
xlink:href="#scap_org.open-scap_comp_output--ssg-rhel7-cpe-dictionary.xml">
<cat:catalog>
<cat:uri name="ssg-rhel7-cpe-oval.xml"
uri="#scap_org.open-scap_cref_output--ssg-rhel7-cpe-oval.xml"/>
</cat:catalog>
</ds:component-ref>
</ds:dictionaries>
<ds:checklists>
<ds:component-ref id="scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml"
xlink:href="#scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml">
<cat:catalog>
<cat:uri name="ssg-rhel7-oval.xml"
uri="#scap_org.open-scap_cref_ssg-rhel7-oval.xml"/>
</cat:catalog>
</ds:component-ref>
</ds:checklists>
<ds:checks>
<ds:component-ref id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"
xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7-cpe-oval.xml"
xlink:href="#scap_org.open-scap_comp_output--ssg-rhel7-cpe-oval.xml"/>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7-oval.xml"
xlink:href="#scap_org.open-scap_comp_output--ssg-rhel7-oval.xml"/>
</ds:checks>
</ds:data-stream>
<ds:component id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"
timestamp="2014-03-14T16:21:59">
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5
oval-common-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5
oval-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#independent
independent-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#unix
unix-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#linux
linux-definitions-schema.xsd">
the GNOME Classic desktop environment, press the Super key to enter the Activities Overview, type scap-workbench, and then press Enter. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar key.
As soon as you start the utility, the SCAP Workbench window appears. The SCAP Workbench window consists of several interactive components, which you should become familiar with before you start scanning your system:
Input file
This field contains the full path to the chosen security policy. You can search for applicable SCAP content on your system by clicking the Browse button.
Checklist
This combo box displays the name of the checklist that is to be applied by the selected security policy. You can choose a specific checklist by clicking this combo box if more than one checklist is available.
Tailoring
This combo box informs you about the customization used for the given security policy. You can select custom rules that will be applied for the system evaluation by clicking this combo box. The default value is (no tailoring), which means that there will be no changes to the used security policy. If you made any changes to the selected security profile, you can save those changes as an XML file by clicking the Save Tailoring button.
Profile
This combo box contains the name of the selected security profile. You can select the security profile from a given XCCDF or data-stream file by clicking this combo box. To create a new profile that inherits properties of the selected security profile, click the Customize button.
Target
The two radio buttons enable you to select whether the system to be evaluated is a local or remote machine.
Selected Rules
This field displays a list of security rules that are subject of the security policy. Hovering over a particular security rule provides detailed information about that rule.
Save content
This menu allows you to save SCAP files that have been selected in the Input file and Tailoring fields either to the selected directory or as an RPM package.
Status bar
This is a graphical bar that indicates the status of an operation that is being performed.
Online remediation
This check box enables the remediation feature during the system evaluation. If you check this box, SCAP Workbench will attempt to correct system settings that would fail to match the state defined by the policy.
Scan
This button allows you to start the evaluation of the specified system.
Warning
Selecting a security policy results in the loss of any previous tailoring changes that were not saved. To re-apply the lost options, you have to choose the available profile and tailoring content again. Note that your previous customizations may not be applicable with the new security policy.
2. If the selected SCAP file is a data stream file that provides more than one checklist, you can select the particular checklist by clicking the Checklist combo box.
Warning
Changing the checklist may result in a selection of a different profile, and any previous customizations may not be applicable to the new checklist.
3. To use a pre-arranged file with customized security content specific to your use case, you can load this file by clicking on the Tailoring combo box. You can also create a custom tailoring file by altering an available security profile. For more information, see Section 6.3.4, Customizing Security Profiles.
a. Select the (no tailoring) option if you do not want to use any customization for the current system evaluation. This is the default option if no previous customization was selected.
b. Select the (open tailoring file...) option to search for the particular tailoring file to be used for the current system evaluation.
c. If you have previously used some tailoring file, SCAP Workbench remembers this file and adds it to the list. This simplifies repetitive application of the same scan.
4. Select a suitable security profile by clicking the Profile combo box.
a. To modify the selected profile, click the Customize button. For more information about profile customization, see Section 6.3.4, Customizing Security Profiles.
5. Select either of the two Target radio buttons to scan either a local or a remote machine.
a. If you have selected a remote system, specify it by entering the user name, hostname, and the port information as shown in the following example. If you have previously used the remote scan, you can also select a remote system from a list of recently scanned machines.
Warning
If not used carefully, running the system evaluation with the remediation option enabled could render the system non-functional.
7. Click the Scan button to initiate the system scan.
You can enable or disable these elements by selecting or de-selecting the respective check boxes in the main field of this window. The Tailoring window also supports undo and redo functionality; you can undo or redo your selections by clicking the respective arrow icon in the top left corner of the window.
You can also change variables that will later be used for evaluation. Find the desired item in the Tailoring window, navigate to the right part and use the Modify value field.
By selecting the Save as RPM option, you can instruct SCAP Workbench to create an RPM package containing the XCCDF or data stream file and tailoring file. This is useful for distributing the desired security content to systems that cannot be scanned remotely, or just for delivering the content for further processing.
Warning
Clicking the Clear button permanently removes the scan results.
You can display and further process the scan results by clicking the Report button, which opens the Evaluation Report window. This window contains the Save combo box and two buttons, Open in Browser and Close.
To store the scan results in the form of an XCCDF, ARF, or HTML file, click the Save combo box. Choose the HTML Report option to generate the scan report in human-readable form. The XCCDF and ARF (data stream) formats are suitable for further automatic processing. You can repeatedly choose all three options.
If you prefer to view the scan results immediately without saving them, you can click the Open in Browser button, which opens the scan results in the form of a temporary HTML file in your default web browser.
To learn about all oscap features and the complete list of its options, see the oscap(8) manual page.
OVAL object type             Probe
filehash                     probe_filehash
environmentvariable          probe_environmentvariable
textfilecontent54            probe_textfilecontent54
textfilecontent              probe_textfilecontent
variable                     probe_variable
xmlfilecontent               probe_xmlfilecontent
environmentvariable58        probe_environmentvariable58
filehash58                   probe_filehash58
inetlisteningservers         probe_inetlisteningservers
rpminfo                      probe_rpminfo
partition                    probe_partition
iflisteners                  probe_iflisteners
rpmverify                    probe_rpmverify
rpmverifyfile                probe_rpmverifyfile
rpmverifypackage             probe_rpmverifypackage
selinuxboolean               probe_selinuxboolean
selinuxsecuritycontext       probe_selinuxsecuritycontext
file                         probe_file
interface                    probe_interface
password                     probe_password
process                      probe_process
runlevel                     probe_runlevel
shadow                       probe_shadow
uname                        probe_uname
xinetd                       probe_xinetd
sysctl                       probe_sysctl
process58                    probe_process58
fileextendedattribute        probe_fileextendedattribute
routingtable                 probe_routingtable
Before you can start using oscap effectively, you also need to install or import some security content on your system. For example, you can install the SCAP Security Guide (SSG) package, scap-security-guide, which contains the currently most evolved and elaborate set of security policies for Linux systems. To install the SCAP Security Guide package on your system, run the following command as root:
~]# yum install scap-security-guide
After you install scap-security-guide on your system, unless specified otherwise, the SSG security content is available under the /usr/share/xml/scap/ssg/content/ directory, and you can proceed with other security compliance operations.
To find other possible sources of existing SCAP content that might suit your needs, see Section 6.9, Additional Resources.
After installing the SCAP content on your system, oscap can process the content when supplied with the file path to the content. The oscap utility supports SCAP version 1.2 and is backward-compatible with SCAP versions 1.1 and 1.0, so it can process earlier versions of SCAP content without any special requirements.
use the info module of oscap, which parses the file and extracts relevant information in human-readable format.
Run the following command to examine the internal structure of a SCAP document and display useful information such as the document type, specification version, the status of the document, the date the document was published, and the date the document was copied to a file system:
oscap info file
where file is the full path to the security content file being examined. The following example better illustrates the usage of the oscap info command:
the form of a single OVAL or XCCDF file or multiple separate XML files where each file represents a different component (XCCDF, OVAL, CPE, CVE, and others). The result of a scan can be printed to both standard output and an XML file. The result file can then be further processed by oscap in order to generate a report in a human-readable format. The following examples illustrate the most common usage of the command.
Note
The --profile command-line argument selects the security profile from the given XCCDF or data stream file. The list of available profiles can be obtained by running the oscap info command. If the --profile command-line argument is omitted, the default XCCDF profile is used as required by the SCAP standard. Note that the default XCCDF profile may or may not be an appropriate security policy.
Example 6.10. Transforming an SSG OVAL Scan Result into a Report
To transform a result of an SSG OVAL scan into an HTML file, run the following command:
~]$ oscap oval generate report scan-oval-results.xml > ssg-scan-oval-report.html
The result report is stored as the ssg-scan-oval-report.html file in the current directory. This example assumes that you run the command from the same location where the scan-oval-results.xml file is stored. Otherwise you need to specify the fully-qualified path of the file that contains the scan results.
Example 6.11. Transforming an SSG XCCDF Scan Result into a Report
To transform a result of an SSG XCCDF scan into an HTML file, run the following command:
~]$ oscap xccdf generate report scan-xccdf-results.xml > scan-xccdf-report.html
The result report is stored as the ssg-scan-xccdf-report.html file in the current directory. Alternatively, you can generate this report at the time of the scan using the --report command-line argument:
5. Whenever OpenSCAP executes a fix script, it immediately evaluates the OVAL definition again (to verify that the fix script has been applied correctly). During this second run, if the OVAL evaluation returns success, the result of the rule is fixed, otherwise it is an error.
6. Detailed results of the remediation are stored in an output XCCDF file. It contains two TestResult elements. The first TestResult element represents the scan prior to the remediation. The second TestResult is derived from the first one and contains remediation results.
There are three modes of operation of OpenSCAP with regard to remediation: online, offline, and review.
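An added example, not OpenSCAP's own code: a Python function that reads an XCCDF results file containing the two TestResult elements described in step 6 and reports which rules ended as fixed, which ended in error, which still fail, and whether any rule that passed before remediation no longer does. The results document, its benchmark and rule ids are constructed for the illustration; only the XCCDF 1.2 namespace and the TestResult, rule-result and result element names are taken from the standard.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed results file with the two TestResult elements described above:
# the first from the scan, the second derived from it after remediation.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example_benchmark_sample">
  <TestResult id="xccdf_com.example_testresult_initial">
    <rule-result idref="xccdf_com.example_rule_telnet_removed"><result>fail</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_sshd_perms"><result>pass</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_prelink_off"><result>fail</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_manual_review"><result>notchecked</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_com.example_testresult_remediated">
    <rule-result idref="xccdf_com.example_rule_telnet_removed"><result>fixed</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_sshd_perms"><result>pass</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_prelink_off"><result>error</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_manual_review"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_results(test_result):
    """Map rule id -> result string for one TestResult element."""
    return {rr.get("idref"): rr.findtext(XCCDF_NS + "result")
            for rr in test_result.findall(XCCDF_NS + "rule-result")}


def summarize_remediation(xml_text):
    """Compare the pre-remediation and post-remediation TestResult elements."""
    root = ET.fromstring(xml_text)
    results = root.findall(XCCDF_NS + "TestResult")
    if len(results) != 2:
        raise ValueError("expected two TestResult elements, found %d" % len(results))
    before, after = rule_results(results[0]), rule_results(results[1])
    return {
        "fixed": sorted(r for r, v in after.items() if v == "fixed"),
        "errors": sorted(r for r, v in after.items() if v == "error"),
        "still_failing": sorted(r for r, v in after.items() if v == "fail"),
        # a rule that passed before but not after points at a fix that broke something
        "regressed": sorted(r for r in after if before.get(r) == "pass" and after[r] != "pass"),
        "before_fail_count": sum(1 for v in before.values() if v == "fail"),
    }


if __name__ == "__main__":
    for key, value in summarize_remediation(SAMPLE_RESULTS).items():
        print("%-18s %s" % (key, value))
```

The "errors" list is the one to act on after an online or offline remediation run: those are rules whose fix script ran but whose OVAL re-evaluation still did not succeed.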
The review mode allows users to store remediation instructions to a file for further review. The remediation content is not executed during this operation.
To generate remediation instructions in the form of a shell script, run:
~]$ oscap xccdf generate fix --template urn:xccdf:fix:script:sh --profile xccdf_org.ssgproject.content_profile_rht-ccp --output my-remediation-script.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
# docker ps
CONTAINER ID   IMAGE                              COMMAND       NAMES
5ef05eef4a01   registry.access.redhat.com/rhel7   "/bin/bash"   sleepy_kirch
Note
A detailed description of the atomic command usage and containers is found in the Product Documentation for Red Hat Enterprise Linux Atomic Host. The Red Hat Customer Portal also provides a guide to the Atomic command line interface (CLI).
Note
Note that these OVAL definitions are designed to only cover software and updates released by Red Hat. You need to provide additional definitions in order to detect the patch status of third-party software.
6.8.2. Auditing System Settings with SCAP Security Guide
The SCAP Security Guide (SSG) project's package, scap-security-guide, contains the latest set of security policies for Linux systems. To install the SCAP Security Guide package on your system, run the following command as root:
~]# yum install scap-security-guide
A part of scap-security-guide is also a guidance for Red Hat Enterprise Linux 7 settings. To inspect the security content available with scap-security-guide, use the oscap info module:
~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The output of this command is an outline of the SSG document and it contains available configuration profiles. To audit your system settings, choose a suitable profile and run the appropriate evaluation command. For example, the following command is used to assess the given system against a draft SCAP profile for Red Hat Certified Cloud Providers:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results ssg-rhel7-xccdf-result.xml --report ssg-rhel7-report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The OpenSCAP project page: The home page to the OpenSCAP project provides detailed information about the oscap utility and other components and projects related to SCAP.
The SCAP Workbench project page: The home page to the SCAP Workbench project provides detailed information about the scap-workbench application.
The SCAP Security Guide (SSG) project page: The home page to the SSG project that provides the latest security content for Red Hat Enterprise Linux.
National Institute of Standards and Technology (NIST) SCAP page: This page represents a vast collection of SCAP related materials, including SCAP publications, specifications, and the SCAP Validation Program.
National Vulnerability Database (NVD): This page represents the largest repository of SCAP content and other SCAP standards based vulnerability management data.
Red Hat OVAL content repository: This is a repository containing OVAL definitions for Red Hat Enterprise Linux systems.
MITRE CVE: This is a database of publicly known security vulnerabilities provided by the MITRE corporation.
MITRE OVAL: This page represents an OVAL related project provided by the MITRE corporation. Amongst other OVAL related information, these pages contain the latest version of the OVAL language and a huge repository of OVAL content, counting over 22 thousand OVAL definitions.
Red Hat Satellite documentation: This set of guides describes, amongst other topics, how to maintain system security on multiple systems by using OpenSCAP.
To make Red Hat Enterprise Linux compliant with the Federal Information Processing Standard (FIPS) Publication 140-2 you need to make several changes to ensure that accredited cryptographic modules are used. To turn your system (kernel and user space) into FIPS mode, follow these steps:
1. For proper operation of the in-module integrity verification, the prelink has to be disabled. This can be done by setting PRELINKING=no in the /etc/sysconfig/prelink configuration file. Existing prelinking, if any, should be undone on all system files using the prelink -u -a command.
2. Next, install the dracut-fips package:
~]# yum install dracut-fips
3. Recreate the initramfs file:
~]# dracut -f
Warning
This operation will overwrite the existing initramfs file.
4. Modify the kernel command line of the current kernel in the grub.cfg file by adding the following option to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file and then rebuild the grub.cfg file:
fips=1
Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:
On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
Note
If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command respectively:
~]$ df /boot
Filesystem     1K-blocks  Available  Use%  Mounted on
/dev/sda1         495844     416464   12%  /boot
To ensure that the boot= configuration option will work even if device naming changes between boots, identify the universally unique identifier (UUID) of the partition by running the following command:
~]$ blkid /dev/sda1
/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
For the example above, the following string needs to be appended to the kernel command line:
boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
5. Reboot your system.
Should you require strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key.
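Each of the steps above leaves a trace on the system that can be checked afterwards. The following script is an added example, not part of the Red Hat guide: it verifies the prerequisites of steps 1, 2, 4 and 5 (PRELINKING=no, the dracut-fips package, fips=1 and boot=UUID on the kernel command line, and the kernel's /proc/sys/crypto/fips_enabled flag, which is not mentioned in the guide) against constructed sample values, or against the running system when invoked with --live.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): verify the FIPS-mode prerequisites
# from steps 1-5 above. The checks take their input as strings so they work both
# on a live system (run the script with --live) and on the constructed sample below.

# Step 1: prelink must be disabled. $1 = contents of /etc/sysconfig/prelink.
prelink_disabled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*PRELINKING=no[[:space:]]*$'
}

# Step 4: the kernel command line must carry fips=1. $1 = command line string.
cmdline_has_fips() {
  case " $1 " in *" fips=1 "*) return 0 ;; *) return 1 ;; esac
}

# Step 4, note: with /boot on its own partition the command line must also carry
# boot=UUID=<uuid of /boot>. $1 = command line, $2 = UUID reported by blkid.
cmdline_has_boot_uuid() {
  case " $1 " in *" boot=UUID=$2 "*) return 0 ;; *) return 1 ;; esac
}

# Run every check against the running system; returns non-zero on any failure.
check_live_system() {
  rc=0
  if [ -r /etc/sysconfig/prelink ] && ! prelink_disabled "$(cat /etc/sysconfig/prelink)"; then
    echo "step 1: PRELINKING=no not set in /etc/sysconfig/prelink"; rc=1
  fi
  rpm -q dracut-fips >/dev/null 2>&1 || { echo "step 2: dracut-fips not installed"; rc=1; }
  cmdline_has_fips "$(cat /proc/cmdline)" || { echo "step 4: fips=1 missing from kernel command line"; rc=1; }
  # After the reboot in step 5 the kernel reports 1 here once it runs in FIPS mode.
  [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ] || { echo "step 5: kernel not in FIPS mode"; rc=1; }
  [ $rc -eq 0 ] && echo "all FIPS prerequisites satisfied"
  return $rc
}

# Constructed sample values; the UUID is the one from the guide's blkid example.
SAMPLE_UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro fips=1 boot=UUID=$SAMPLE_UUID"

if [ "${1:-}" = "--live" ]; then
  check_live_system
else
  cmdline_has_fips "$SAMPLE_CMDLINE" && echo "sample cmdline: fips=1 present"
  cmdline_has_boot_uuid "$SAMPLE_CMDLINE" "$SAMPLE_UUID" && echo "sample cmdline: boot=UUID=$SAMPLE_UUID present"
fi
```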
7.2. National Industrial Security Program Operating Manual (NISPOM)
The NISPOM (also called DoD 5220.22-M), as a component of the National Industrial Security Program (NISP), establishes a series of procedures and requirements for all government contractors with regard to classified information. The current NISPOM is dated February 28, 2006, with incorporated major changes from March 28, 2013. The NISPOM document can be downloaded from the following URL: http://www.nispom.org/NISPOMdownload.html.
management, education, and awareness of the PCI Security Standards, including the Data Security Standard (DSS).
You can download the PCI DSS standard from https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
Although Diffie-Hellman key agreement itself is an anonymous (non-authenticated) key-agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecy in Transport Layer Security's ephemeral modes (referred to as EDH or DHE depending on the cipher suite). [16]
U.S. Patent 4,200,770, now expired, describes the algorithm and credits Hellman, Diffie, and Merkle as inventors. [17]
A.2.2. RSA
In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
A.2.3. DSA
DSA (Digital Signature Algorithm) is a standard for digital signatures, a United States federal government standard for digital signatures. DSA is for signatures only and is not an encryption algorithm. [18]
A.2.4. SSL/TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.
Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP). [19]
Event Field (the Explanation column of this table is not preserved in this copy)
acct, addr, arch, auid, capability, cap_fi, cap_fp, cap_pe, cap_pi, cap_pp, cgroup,
cmd, comm, cwd, data, dev, devmajor, devminor, egid, euid, exe, exit, family,
filetype, flags, fsgid, fsuid, gid, hostname, icmptype, id, inode, inode_gid,
inode_uid, items, key, list (known list IDs: 0 user, 1 task, 4 exit, 5 exclude),
mode, msg, msgtype, name, new-disk, new-mem, new-vcpu, new-net, new_gid, oauid,
ocomm, opid, oses, ouid, obj, obj_gid, obj_lev_high, obj_lev_low, obj_role,
obj_uid, obj_user, ogid, old-disk, old-mem, old-vcpu, old-net, old_prom, ouid,
path, perm, pid, ppid, prom, proto, res, result, saddr, sauid, ses, sgid, sig,
subj, subj_clr, subj_role, subj_sen, subj_user, success, suid, syscall, terminal,
tty, uid, vm
Event Type (the Explanation column of this table is not preserved in this copy)
ADD_GROUP, ADD_USER, ANOM_ABEND [a], ANOM_ACCESS_FS [a], ANOM_ADD_ACCT [a],
ANOM_AMTU_FAIL [a], ANOM_CRYPTO_FAIL [a], ANOM_DEL_ACCT [a], ANOM_EXEC [a],
ANOM_LOGIN_ACCT [a], ANOM_LOGIN_FAILURES [a], ANOM_LOGIN_LOCATION [a],
ANOM_LOGIN_SESSIONS [a], ANOM_LOGIN_TIME [a], ANOM_MAX_DAC [a], ANOM_MAX_MAC [a],
ANOM_MK_EXEC [a], ANOM_MOD_ACCT [a], ANOM_PROMISCUOUS [a], ANOM_RBAC_FAIL [a],
ANOM_RBAC_INTEGRITY_FAIL [a], ANOM_ROOT_TRANS [a], AVC, AVC_PATH, BPRM_FCAPS,
CAPSET, CHGRP_ID, CHUSER_ID, CONFIG_CHANGE, CRED_ACQ, CRED_DISP, CRED_REFR,
CRYPTO_FAILURE_USER, CRYPTO_KEY_USER, CRYPTO_LOGIN, CRYPTO_LOGOUT,
CRYPTO_PARAM_CHANGE_USER, CRYPTO_REPLAY_USER, CRYPTO_SESSION, CRYPTO_TEST_USER,
CWD, DAC_CHECK, DAEMON_ABORT, DAEMON_ACCEPT, DAEMON_CLOSE, DAEMON_CONFIG,
DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, DEL_GROUP, DEL_USER,
DEV_ALLOC, DEV_DEALLOC, EOE, EXECVE, FD_PAIR, FS_RELABEL, GRP_AUTH,
INTEGRITY_DATA [b], INTEGRITY_HASH [b], INTEGRITY_METADATA [b], INTEGRITY_PCR [b],
INTEGRITY_RULE [b], INTEGRITY_STATUS [b], IPC, IPC_SET_PERM, KERNEL, KERNEL_OTHER,
LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, LOGIN, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL,
MAC_CONFIG_CHANGE, MAC_IPSEC_EVENT, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD,
MAC_STATUS, MAC_UNLBL_ALLOW, MAC_UNLBL_STCADD, MAC_UNLBL_STCDEL, MMAP,
MQ_GETSETATTR, MQ_NOTIFY, MQ_OPEN, MQ_SENDRECV, NETFILTER_CFG, NETFILTER_PKT,
OBJ_PID, PATH, RESP_ACCT_LOCK [c], RESP_ACCT_LOCK_TIMED [c], RESP_ACCT_REMOTE [c],
RESP_ACCT_UNLOCK_TIMED [c], RESP_ALERT [c], RESP_ANOMALY [c], RESP_EXEC [c],
RESP_HALT [c], RESP_KILL_PROC [c], RESP_SEBOOL [c], RESP_SINGLE [c],
RESP_TERM_ACCESS [c], RESP_TERM_LOCK [c], ROLE_ASSIGN, ROLE_MODIFY, ROLE_REMOVE,
SELINUX_ERR, SERVICE_START, SERVICE_STOP, SOCKADDR, SOCKETCALL, SYSCALL,
SYSTEM_BOOT, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, TEST, TRUSTED_APP, TTY, USER_ACCT,
USER_AUTH, USER_AVC, USER_CHAUTHTOK, USER_CMD, USER_END, USER_ERR,
USER_LABELED_EXPORT, USER_LOGIN, USER_LOGOUT, USER_MAC_POLICY_LOAD, USER_MGMT,
USER_ROLE_CHANGE, USER_SELINUX_ERR, USER_START, USER_TTY, USER_UNLABELED_EXPORT,
USYS_CONFIG, VIRT_CONTROL, VIRT_MACHINE_ID, VIRT_RESOURCE
[a] … detection program.
[b] This event type is related to the Integrity Measurement Architecture (IMA), which functions best with a Trusted Platform Module (TPM) chip.
[c] All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects malicious activity on the system.
Mirek Jahoda
Revision 1-18
Mon Jun 27 2016
The OpenSCAP-daemon and Atomic Scan section added.
Mirek Jahoda
Revision 1-17
Fri Jun 3 2016
Async release with misc. updates.
Mirek Jahoda
Revision 1-16
Tue Jan 5 2016
Post 7.2 GA fixes.
Robert Krátký
Revision 1-15
Tue Nov 10 2015
Version for 7.2 GA release.
Robert Krátký
Revision 1-14.18
Mon Nov 09 2015
Async release with misc. updates.
Robert Krátký
Revision 1-14.17
Wed Feb 18 2015
Version for 7.1 GA release.
Robert Krátký
Revision 1-14.15
Fri Dec 06 2014
Update to sort order on the Red Hat Customer Portal.
Robert Krátký
Revision 1-14.13
Thu Nov 27 2014
Updates reflecting the POODLE vuln.
Robert Krátký
Revision 1-14.12
Tue Jun 03 2014
Version for 7.0 GA release.
Tomáš Čapek