Security Guide - A Guide To Securing Red Hat Enterprise Linux



Red Hat Enterprise Linux 6
Security Guide
A Guide to Securing Red Hat Enterprise Linux
Edition 1.5

Author

Copyright 2010 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Java is a registered trademark of Oracle and/or its affiliates.

XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries.

All other trademarks are the property of their respective owners.

1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: 1 919 754 3700
Phone: 888 733 4281
Fax: 1 919 754 3701

The Red Hat Enterprise Linux Security Guide is designed to assist users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation and malicious activity.

Focused on Red Hat Enterprise Linux but detailing concepts and techniques valid for all Linux systems, this guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home.

With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.

Table of Contents

Preface
    1. Document Conventions
        1.1. Typographic Conventions
        1.2. Pull-quote Conventions
        1.3. Notes and Warnings
    2. We Need Feedback!

1. Security Overview
    1.1. Introduction to Security
        1.1.1. What is Computer Security?
        1.1.2. SELinux
        1.1.3. Security Controls
        1.1.4. Conclusion
    1.2. Vulnerability Assessment
        1.2.1. Thinking Like the Enemy
        1.2.2. Defining Assessment and Testing
        1.2.3. Evaluating the Tools
    1.3. Attackers and Vulnerabilities
        1.3.1. A Quick History of Hackers
        1.3.2. Threats to Network Security
        1.3.3. Threats to Server Security
        1.3.4. Threats to Workstation and Home PC Security
    1.4. Common Exploits and Attacks
    1.5. Security Updates
        1.5.1. Updating Packages
        1.5.2. Verifying Signed Packages
        1.5.3. Installing Signed Packages
        1.5.4. Applying the Changes

2. Securing Your Network
    2.1. Workstation Security
        2.1.1. Evaluating Workstation Security
        2.1.2. BIOS and Boot Loader Security
        2.1.3. Password Security
        2.1.4. Administrative Controls
        2.1.5. Available Network Services
        2.1.6. Personal Firewalls
        2.1.7. Security Enhanced Communication Tools
    2.2. Server Security
        2.2.1. Securing Services With TCP Wrappers and xinetd
        2.2.2. Securing Portmap
        2.2.3. Securing NIS
        2.2.4. Securing NFS
        2.2.5. Securing the Apache HTTP Server
        2.2.6. Securing FTP
        2.2.7. Securing Sendmail
        2.2.8. Verifying Which Ports Are Listening
    2.3. TCP Wrappers and xinetd
        2.3.1. TCP Wrappers
        2.3.2. TCP Wrappers Configuration Files
        2.3.3. xinetd
        2.3.4. xinetd Configuration Files
        2.3.5. Additional Resources
    2.4. Virtual Private Networks (VPNs)
        2.4.1. How Does a VPN Work?
        2.4.2. Openswan
    2.5. Firewalls
        2.5.1. Netfilter and IPTables
        2.5.2. Basic Firewall Configuration
        2.5.3. Using IPTables
        2.5.4. Common IPTables Filtering
        2.5.5. FORWARD and NAT Rules
        2.5.6. Malicious Software and Spoofed IP Addresses
        2.5.7. IPTables and Connection Tracking
        2.5.8. IPv6
        2.5.9. Additional Resources
    2.6. IPTables
        2.6.1. Packet Filtering
        2.6.2. Command Options for IPTables
        2.6.3. Saving IPTables Rules
        2.6.4. IPTables Control Scripts
        2.6.5. IPTables and IPv6
        2.6.6. Additional Resources

3. Encryption
    3.1. Data at Rest
    3.2. Full Disk Encryption
    3.3. File Based Encryption
    3.4. Data in Motion
    3.5. Virtual Private Networks
    3.6. Secure Shell
    3.7. OpenSSL PadLock Engine
    3.8. LUKS Disk Encryption
        3.8.1. LUKS Implementation in Red Hat Enterprise Linux
        3.8.2. Manually Encrypting Directories
        3.8.3. Step-by-Step Instructions
        3.8.4. What you have just accomplished.
        3.8.5. Links of Interest
    3.9. Using GNU Privacy Guard (GnuPG)
        3.9.1. Creating GPG Keys in GNOME
        3.9.2. Creating GPG Keys in KDE
        3.9.3. Creating GPG Keys Using the Command Line
        3.9.4. About Public Key Encryption

4. General Principles of Information Security
    4.1. Tips, Guides, and Tools

5. Secure Installation
    5.1. Disk Partitions
    5.2. Utilize LUKS Partition Encryption

6. Software Maintenance
    6.1. Install Minimal Software
    6.2. Plan and Configure Security Updates
    6.3. Adjusting Automatic Updates
    6.4. Install Signed Packages from Well Known Repositories

7. Federal Standards and Regulations
    7.1. Introduction
    7.2. Federal Information Processing Standard (FIPS)
    7.3. National Industrial Security Program Operating Manual (NISPOM)
    7.4. Payment Card Industry Data Security Standard (PCI DSS)
    7.5. Security Technical Implementation Guide

8. References

A. Encryption Standards
    A.1. Synchronous Encryption
        A.1.1. Advanced Encryption Standard - AES
        A.1.2. Data Encryption Standard - DES
    A.2. Public-key Encryption
        A.2.1. Diffie-Hellman
        A.2.2. RSA
        A.2.3. DSA
        A.2.4. SSL/TLS
        A.2.5. Cramer-Shoup Cryptosystem
        A.2.6. ElGamal Encryption

B. Revision History


Preface

1. Document Conventions

This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.

In PDF and paper editions, this manual uses typefaces drawn from the Liberation Fonts set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.

1.1. Typographic Conventions

Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.

Mono-spaced Bold

Used to highlight system input, including shell commands, file names and paths. Also used to highlight keycaps and key combinations. For example:

    To see the contents of the file my_next_bestselling_novel in your current working directory, enter the cat my_next_bestselling_novel command at the shell prompt and press Enter to execute the command.

The above includes a file name, a shell command and a keycap, all presented in mono-spaced bold and all distinguishable thanks to context.

Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key combination. For example:

    Press Enter to execute the command.

    Press Ctrl-Alt-F2 to switch to the first virtual terminal. Press Ctrl-Alt-F1 to return to your X-Windows session.

The first paragraph highlights the particular keycap to press. The second highlights two key combinations (each a set of three keycaps with each set pressed simultaneously).

If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in mono-spaced bold. For example:

    File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions.

Proportional Bold

This denotes words or phrases encountered on a system, including application names; dialog box text; labeled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:

    Choose System → Preferences → Mouse from the main menu bar to launch Mouse Preferences. In the Buttons tab, click the Left-handed mouse check box and click Close to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).

    To insert a special character into a gedit file, choose Applications → Accessories → Character Map from the main menu bar. Next, choose Search → Find from the Character Map menu bar, type the name of the character in the Search field and click Next. The character you sought will be highlighted in the Character Table. Double-click this highlighted character to place it in the Text to copy field and then click the Copy button. Now switch back to your document and choose Edit → Paste from the gedit menu bar.

The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in proportional bold and all distinguishable by context.

Mono-spaced Bold Italic or Proportional Bold Italic

Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:

    To connect to a remote machine using ssh, type ssh username@domain.name at a shell prompt. If the remote machine is example.com and your username on that machine is john, type ssh john@example.com.

    The mount -o remount file-system command remounts the named file system. For example, to remount the /home file system, the command is mount -o remount /home.

    To see the version of a currently installed package, use the rpm -q package command. It will return a result as follows: package-version-release.

Note the words in bold italics above — username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system.

Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:

    Publican is a DocBook publishing system.

1.2. Pull-quote Conventions

Terminal output and source code listings are set off visually from the surrounding text.

Output sent to a terminal is set in mono-spaced roman and presented thus:

    books  books  ages  mss  notes  photos  scripts  stuff  svgs  svn

Source-code listings are also set in mono-spaced roman but add sy
