Robert Krátký
Red Hat Customer Content Services rkratky@redhat.com
Mirek Jahoda
Red Hat Customer Content Services mjahoda@redhat.com
Martin Prpič
Red Hat Customer Content Services
Tomáš Čapek
Red Hat Customer Content Services
Stephen Wadeley
Red Hat Customer Content Services
Yoana Ruseva
Red Hat Customer Content Services
Miroslav Svoboda
Red Hat Customer Content Services

Copyright © 2016 Red Hat, Inc.
This document is licensed by Red Hat under the
. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the
United States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European
Union and other countries.
Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack
Foundation, in the United States and other countries and are used with the
OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Red Hat Enterprise Linux but detailing concepts and techniques valid for all Linux systems, this guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.

⁠1.1. What is Com puter Security?
⁠1.2. Security Controls
⁠1.3. Vulnerability Assessm ent
⁠1.4. Security Threats
⁠1.5. Com m on Exploits and Attacks
⁠2.1. Securing BIO S
⁠2.2. Partitioning the Disk
⁠2.3. Installing the Minim um Am ount of Packages Required
⁠2.4. Post-installation Procedures
⁠2.5. Additional Resources
⁠3.1. Maintaining Installed Software
⁠3.2. Using the Red Hat Custom er Portal
⁠3.3. Additional Resources
⁠4.1. Desktop Security
⁠4.2. Controlling Root Access
⁠4.3. Securing Services
⁠4.4. Securing Network Access
⁠4.5. Using Firewalls
⁠4.6. Securing DNS Traffic with DNSSEC
⁠4.7. Securing Virtual Private Networks (VPNs)
⁠4.8. Using O penSSL
⁠4.9. Using stunnel
⁠4.10. Encryption
⁠4.11. Hardening TLS Configuration
⁠Use Cases
⁠5.1. Audit System Architecture
⁠5.2. Installing the audit Packages
⁠5.3. Configuring the audit Service
⁠5.4. Starting the audit Service
⁠5.5. Defining Audit Rules
⁠5.6. Understanding Audit Log Files
⁠5.7. Searching the Audit Log Files
⁠5.8. Creating Audit Reports
⁠5.9. Additional Resources
⁠6.1. Security Com pliance in Red Hat Enterprise Linux
⁠6.2. Defining Com pliance Policy
⁠6.3. Using SCAP Workbench
⁠6.4. Using oscap
⁠6.5. Using O penSCAP with Docker
⁠6.6. Using the O penSCAP-daem on and Atom ic Scan
⁠6.7. Using O penSCAP with Red Hat Satellite
⁠6.8. Practical Exam ples
T able o f Co nt e nt s
20
24
25
27
36
43
63
69
102
112
122
128
131
146
157
157
158
158
160
160
165
170
171
172
17
17
18
18
19
5
9
3
4
12
173
173
182
189
197
198
199
199
1

Se curit y Guide
⁠6.9. Additional Resources
⁠7.1. Federal Inform ation Processing Standard (FIPS)
⁠7.2. National Industrial Security Program O perating Manual (NISPO M)
⁠7.3. Paym ent Card Industry Data Security Standard (PCI DSS)
⁠7.4. Security Technical Im plem entation Guide
⁠A.1. Synchronous Encryption
⁠A.2. Public-key Encryption
⁠B.1. Audit Event Fields
⁠B.2. Audit Record Types
200
202
204
204
205
206
207
210
213
2

⁠Chapt e r 1. O ve rvie w o f Se curit y T o pics
Due to the incre as e d re liance on powe rful, ne tworke d compute rs to he lp run bus ine s s e s and ke e p track of our pe rs onal information, e ntire indus trie s have be e n forme d around the practice of ne twork and compute r s e curity. Ente rpris e s have s olicite d the knowle dge and s kills of s e curity e xpe rts to prope rly audit s ys te ms and tailor s olutions to fit the ope rating re quire me nts of the ir organization. Be caus e mos t organizations are incre as ingly dynamic in nature , the ir worke rs are acce s s ing critical company IT re s ource s locally and re mote ly, he nce the ne e d for s e cure computing e nvironme nts has be come more pronounce d.
Unfortunate ly, many organizations (as we ll as individual us e rs ) re gard s e curity as more of an afte rthought, a proce s s that is ove rlooke d in favor of incre as e d powe r, productivity, conve nie nce , e as e of us e , and budge tary conce rns . Prope r s e curity imple me ntation is ofte n e nacte d pos tmorte m — after an unauthorize d intrus ion has alre ady occurre d. Taking the corre ct me as ure s prior to conne cting a s ite to an untrus te d ne twork, s uch as the
Inte rne t, is an e ffe ctive me ans of thwarting many atte mpts at intrus ion.
Note
This docume nt make s s e ve ral re fe re nce s to file s in the /lib dire ctory. Whe n us ing
64-bit s ys te ms , s ome of the file s me ntione d may ins te ad be locate d in /lib64 .
Compute r s e curity is a ge ne ral te rm that cove rs a wide are a of computing and information proce s s ing. Indus trie s that de pe nd on compute r s ys te ms and ne tworks to conduct daily bus ine s s trans actions and acce s s critical information re gard the ir data as an important part of the ir ove rall as s e ts . Se ve ral te rms and me trics have e nte re d our daily bus ine s s vocabulary, s uch as total cos t of owne rs hip (TCO), re turn on inve s tme nt (ROI), and quality of s e rvice (QoS). Us ing the s e me trics , indus trie s can calculate as pe cts s uch as data inte grity and high-availability (HA) as part of the ir planning and proce s s manage me nt cos ts . In s ome indus trie s , s uch as e le ctronic comme rce , the availability and trus tworthine s s of data can me an the diffe re nce be twe e n s ucce s s and failure .
Ente rpris e s in e ve ry indus try re ly on re gulations and rule s that are s e t by s tandards making bodie s s uch as the Ame rican Me dical As s ociation (AMA) or the Ins titute of Ele ctrical and Ele ctronics Engine e rs (IEEE). The s ame ide als hold true for information s e curity. Many s e curity cons ultants and ve ndors agre e upon the s tandard s e curity mode l known as CIA, or Confidentiality, Integrity, and Availability. This thre e -tie re d mode l is a ge ne rally acce pte d compone nt to as s e s s ing ris ks of s e ns itive information and e s tablis hing s e curity policy. The following de s cribe s the CIA mode l in furthe r de tail:
Confide ntiality — Se ns itive information mus t be available only to a s e t of pre -de fine d individuals . Unauthorize d trans mis s ion and us age of information s hould be re s tricte d.
For e xample , confide ntiality of information e ns ure s that a cus tome r's pe rs onal or financial information is not obtaine d by an unauthorize d individual for malicious purpos e s s uch as ide ntity the ft or cre dit fraud.
3

Se curit y Guide
Inte grity — Information s hould not be alte re d in ways that re nde r it incomple te or incorre ct. Unauthorize d us e rs s hould be re s tricte d from the ability to modify or de s troy s e ns itive information.
Availability — Information s hould be acce s s ible to authorize d us e rs any time that it is ne e de d. Availability is a warranty that information can be obtaine d with an agre e d-upon fre que ncy and time line s s . This is ofte n me as ure d in te rms of pe rce ntage s and agre e d to formally in Se rvice Le ve l Agre e me nts (SLAs ) us e d by ne twork s e rvice provide rs and the ir e nte rpris e clie nts .
Compute r s e curity is ofte n divide d into thre e dis tinct mas te r cate gorie s , commonly re fe rre d to as controls:
Phys ical
Te chnical
Adminis trative
The s e thre e broad cate gorie s de fine the main obje ctive s of prope r s e curity imple me ntation. Within the s e controls are s ub-cate gorie s that furthe r de tail the controls and how to imple me nt the m.
Phys ical control is the imple me ntation of s e curity me as ure s in a de fine d s tructure us e d to de te r or pre ve nt unauthorize d acce s s to s e ns itive mate rial. Example s of phys ical controls are :
Clos e d-circuit s urve illance came ras
Motion or the rmal alarm s ys te ms
Se curity guards
Picture IDs
Locke d and de ad-bolte d s te e l doors
Biome trics (include s finge rprint, voice , face , iris , handwriting, and othe r automate d me thods us e d to re cognize individuals )
Te chnical controls us e te chnology as a bas is for controlling the acce s s and us age of s e ns itive data throughout a phys ical s tructure and ove r a ne twork. Te chnical controls are far-re aching in s cope and e ncompas s s uch te chnologie s as :
Encryption
Smart cards
Ne twork authe ntication
Acce s s control lis ts (ACLs )
4

⁠Chapt e r 1. O ve rvie w o f Se curit y T o pics
File inte grity auditing s oftware
Adminis trative controls de fine the human factors of s e curity. The y involve all le ve ls of pe rs onne l within an organization and de te rmine which us e rs have acce s s to what re s ource s and information by s uch me ans as :
Training and aware ne s s
Dis as te r pre pare dne s s and re cove ry plans
Pe rs onne l re cruitme nt and s e paration s trate gie s
Pe rs onne l re gis tration and accounting
Give n time , re s ource s , and motivation, an attacke r can bre ak into ne arly any s ys te m. All of the s e curity proce dure s and te chnologie s curre ntly available cannot guarante e that any s ys te ms are comple te ly s afe from intrus ion. Route rs he lp s e cure gate ways to the
Inte rne t. Fire walls he lp s e cure the e dge of the ne twork. Virtual Private Ne tworks s afe ly pas s data in an e ncrypte d s tre am. Intrus ion de te ction s ys te ms warn you of malicious activity. Howe ve r, the s ucce s s of e ach of the s e te chnologie s is de pe nde nt upon a numbe r of variable s , including:
The e xpe rtis e of the s taff re s pons ible for configuring, monitoring, and maintaining the te chnologie s .
The ability to patch and update s e rvice s and ke rne ls quickly and e fficie ntly.
The ability of thos e re s pons ible to ke e p cons tant vigilance ove r the ne twork.
Give n the dynamic s tate of data s ys te ms and te chnologie s , s e curing corporate re s ource s can be quite comple x. Due to this comple xity, it is ofte n difficult to find e xpe rt re s ource s for all of your s ys te ms . While it is pos s ible to have pe rs onne l knowle dge able in many are as of information s e curity at a high le ve l, it is difficult to re tain s taff who are e xpe rts in more than a fe w s ubje ct are as . This is mainly be caus e e ach s ubje ct are a of information s e curity re quire s cons tant atte ntion and focus . Information s e curity doe s not s tand s till.
A vulne rability as s e s s me nt is an inte rnal audit of your ne twork and s ys te m s e curity; the re s ults of which indicate the confide ntiality, inte grity, and availability of your ne twork (as e xplaine d in
Se ction 1.1.1, “Standardizing Se curity”
). Typically, vulne rability as s e s s me nt s tarts with a re connais s ance phas e , during which important data re garding the targe t s ys te ms and re s ource s is gathe re d. This phas e le ads to the s ys te m re adine s s phas e , whe re by the targe t is e s s e ntially che cke d for all known vulne rabilitie s . The re adine s s phas e culminate s in the re porting phas e , whe re the findings are clas s ifie d into cate gorie s of high, me dium, and low ris k; and me thods for improving the s e curity (or mitigating the ris k of vulne rability) of the targe t are dis cus s e d
If you we re to pe rform a vulne rability as s e s s me nt of your home , you would like ly che ck e ach door to your home to s e e if the y are clos e d and locke d. You would als o che ck e ve ry window, making s ure that the y clos e d comple te ly and latch corre ctly. This s ame conce pt applie s to s ys te ms , ne tworks , and e le ctronic data. Malicious us e rs are the thie ve s and vandals of your data. Focus on the ir tools , me ntality, and motivations , and you can the n re act s wiftly to the ir actions .
5

Se curit y Guide
Vulne rability as s e s s me nts may be broke n down into one of two type s : outside looking in and inside looking around.
Whe n pe rforming an outs ide -looking-in vulne rability as s e s s me nt, you are atte mpting to compromis e your s ys te ms from the outs ide . Be ing e xte rnal to your company provide s you with the cracke r's vie wpoint. You s e e what a cracke r s e e s — publicly-routable IP addre s s e s , s ys te ms on your DMZ, e xte rnal inte rface s of your fire wall, and more . DMZ s tands for "de militarize d zone ", which corre s ponds to a compute r or s mall s ubne twork that s its be twe e n a trus te d inte rnal ne twork, s uch as a corporate private LAN, and an untrus te d e xte rnal ne twork, s uch as the public Inte rne t. Typically, the DMZ contains de vice s acce s s ible to Inte rne t traffic, s uch as We b (HTTP) s e rve rs , FTP s e rve rs , SMTP (e -mail) s e rve rs and DNS s e rve rs .
Whe n you pe rform an ins ide -looking-around vulne rability as s e s s me nt, you are at an advantage s ince you are inte rnal and your s tatus is e le vate d to trus te d. This is the vie wpoint you and your co-worke rs have once logge d on to your s ys te ms . You s e e print s e rve rs , file s e rve rs , databas e s , and othe r re s ource s .
The re are s triking dis tinctions be twe e n the two type s of vulne rability as s e s s me nts . Be ing inte rnal to your company give s you more privile ge s than an outs ide r. In mos t organizations , s e curity is configure d to ke e p intrude rs out. Ve ry little is done to s e cure the inte rnals of the organization (s uch as de partme ntal fire walls , us e r-le ve l acce s s controls , and authe ntication proce dure s for inte rnal re s ource s ). Typically, the re are many more re s ource s whe n looking around ins ide as mos t s ys te ms are inte rnal to a company.
Once you are outs ide the company, your s tatus is untrus te d. The s ys te ms and re s ource s available to you e xte rnally are us ually ve ry limite d.
Cons ide r the diffe re nce be twe e n vulne rability as s e s s me nts and penetration tests. Think of a vulne rability as s e s s me nt as the firs t s te p to a pe ne tration te s t. The information gle ane d from the as s e s s me nt is us e d for te s ting. Whe re as the as s e s s me nt is unde rtake n to che ck for hole s and pote ntial vulne rabilitie s , the pe ne tration te s ting actually atte mpts to e xploit the findings .
As s e s s ing ne twork infras tructure is a dynamic proce s s . Se curity, both information and phys ical, is dynamic. Pe rforming an as s e s s me nt s hows an ove rvie w, which can turn up fals e pos itive s and fals e ne gative s . A fals e pos itive is a re s ult, whe re the tool finds vulne rabilitie s which in re ality do not e xis t. A fals e ne gative is whe n it omits actual vulne rabilitie s .
Se curity adminis trators are only as good as the tools the y us e and the knowle dge the y re tain. Take any of the as s e s s me nt tools curre ntly available , run the m agains t your s ys te m, and it is almos t a guarante e that the re are s ome fals e pos itive s . Whe the r by program fault or us e r e rror, the re s ult is the s ame . The tool may find fals e pos itive s , or, e ve n wors e , fals e ne gative s .
Now that the diffe re nce be twe e n a vulne rability as s e s s me nt and a pe ne tration te s t is de fine d, take the findings of the as s e s s me nt and re vie w the m care fully be fore conducting a pe ne tration te s t as part of your ne w be s t practice s approach.
Warning
Do not atte mpt to e xploit vulne rabilitie s on production s ys te ms . Doing s o can have adve rs e e ffe cts on productivity and e fficie ncy of your s ys te ms and ne twork.
6

⁠Chapt e r 1. O ve rvie w o f Se curit y T o pics
The following lis t e xamine s s ome of the be ne fits to pe rforming vulne rability as s e s s me nts .
Cre ate s proactive focus on information s e curity.
Finds pote ntial e xploits be fore cracke rs find the m.
Re s ults in s ys te ms be ing ke pt up to date and patche d.
Promote s growth and aids in de ve loping s taff e xpe rtis e .
Abate s financial los s and ne gative publicity.
To aid in the s e le ction of tools for a vulne rability as s e s s me nt, it is he lpful to e s tablis h a vulne rability as s e s s me nt me thodology. Unfortunate ly, the re is no pre de fine d or indus try approve d me thodology at this time ; howe ve r, common s e ns e and be s t practice s can act as a s ufficie nt guide .
What is the target? Are we looking at one server, or are we looking at our entire network
and everything within the network? Are we external or internal to the company? The ans we rs to the s e que s tions are important as the y he lp de te rmine not only which tools to s e le ct but als o the manne r in which the y are us e d.
To le arn more about e s tablis hing me thodologie s , s e e the following we bs ite : https ://www.owas p.org/ — The Open Web Application Security Project
An as s e s s me nt can s tart by us ing s ome form of an information-gathe ring tool. Whe n as s e s s ing the e ntire ne twork, map the layout firs t to find the hos ts that are running. Once locate d, e xamine e ach hos t individually. Focus ing on the s e hos ts re quire s anothe r s e t of tools . Knowing which tools to us e may be the mos t crucial s te p in finding vulne rabilitie s .
Jus t as in any as pe ct of e ve ryday life , the re are many diffe re nt tools that pe rform the s ame job. This conce pt applie s to pe rforming vulne rability as s e s s me nts as we ll. The re are tools s pe cific to ope rating s ys te ms , applications , and e ve n ne tworks (bas e d on the protocols us e d). Some tools are fre e ; othe rs are not. Some tools are intuitive and e as y to us e , while othe rs are cryptic and poorly docume nte d but have fe ature s that othe r tools do not.
Finding the right tools may be a daunting tas k and, in the e nd, e xpe rie nce counts . If pos s ible , s e t up a te s t lab and try out as many tools as you can, noting the s tre ngths and we akne s s e s of e ach. Re vie w the README file or man page for the tools . Additionally, look to the Inte rne t for more information, s uch as article s , s te p-by-s te p guide s , or e ve n mailing lis ts s pe cific to the tools .
The tools dis cus s e d be low are jus t a s mall s ampling of the available tools .
Nmap is a popular tool that can be us e d to de te rmine the layout of a ne twork. Nmap has be e n available for many ye ars and is probably the mos t ofte n us e d tool whe n gathe ring information. An e xce lle nt manual page is include d that provide s de taile d de s criptions of its options and us age . Adminis trators can us e Nmap on a ne twork to find hos t s ys te ms and ope n ports on thos e s ys te ms .
7

Se curit y Guide
Nmap is a compe te nt firs t s te p in vulne rability as s e s s me nt. You can map out all the hos ts within your ne twork and e ve n pas s an option that allows Nmap to atte mpt to ide ntify the ope rating s ys te m running on a particular hos t. Nmap is a good foundation for e s tablis hing a policy of us ing s e cure s e rvice s and re s tricting unus e d s e rvice s .
To ins tall Nmap, run the yum install nmap command as the root us e r.
1.3.3.1.1. Using Nmap
Nmap can be run from a s he ll prompt by typing the nmap command followe d by the hos tname or IP addre s s of the machine to s can:
nmap <hostname>
For e xample , to s can a machine with hos tname foo.example.com
, type the following at a s he ll prompt:
~]$ nmap foo.example.com
The re s ults of a bas ic s can (which could take up to a fe w minute s , de pe nding on whe re the hos t is locate d and othe r ne twork conditions ) look s imilar to the following:
Interesting ports on foo.example.com:
Not shown: 1710 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
113/tcp closed auth
Nmap te s ts the mos t common ne twork communication ports for lis te ning or waiting s e rvice s . This knowle dge can be he lpful to an adminis trator who wants to clos e unne ce s s ary or unus e d s e rvice s .
For more information about us ing Nmap, s e e the official home page at the following URL: http://www.ins e cure .org/
Nessus is a full-s e rvice s e curity s canne r. The plug-in archite cture of Nessus allows us e rs to cus tomize it for the ir s ys te ms and ne tworks . As with any s canne r, Nessus is only as good as the s ignature databas e it re lie s upon. Fortunate ly, Nessus is fre que ntly update d and fe ature s full re porting, hos t s canning, and re al-time vulne rability s e arche s . Re me mbe r that the re could be fals e pos itive s and fals e ne gative s , e ve n in a tool as powe rful and as fre que ntly update d as Nessus.
Note
The Nessus clie nt and s e rve r s oftware re quire s a s ubs cription to us e . It has be e n include d in this docume nt as a re fe re nce to us e rs who may be inte re s te d in us ing this popular application.
8

⁠Chapt e r 1. O ve rvie w o f Se curit y T o pics
For more information about Nessus, s e e the official we bs ite at the following URL: http://www.ne s s us .org/
OpenVAS (Open Vulnerability Assessment System) is a s e t of tools and s e rvice s that can be us e d to s can for vulne rabilitie s and for a compre he ns ive vulne rability manage me nt.
The OpenVAS frame work offe rs a numbe r of we b-bas e d, de s ktop, and command line tools for controlling the various compone nts of the s olution. The core functionality of
OpenVAS is provide d by a s e curity s canne r, which make s us e of ove r 33 thous and dailyupdate d Ne twork Vulne rability Te s ts (NVT). Unlike Nessus (s e e
Se ction 1.3.3.2, “Ne s s us ” ),
OpenVAS doe s not re quire any s ubs cription.
For more information about Ope nVAS, s e e the official we bs ite at the following URL: http://www.ope nvas .org/
Nikt o is an e xce lle nt common gateway interface (CGI) s cript s canne r. Nikt o not only che cks for CGI vulne rabilitie s but doe s s o in an e vas ive manne r, s o as to e lude intrus ionde te ction s ys te ms . It come s with thorough docume ntation which s hould be care fully re vie we d prior to running the program. If you have we b s e rve rs s e rving CGI s cripts ,
Nikt o can be an e xce lle nt re s ource for che cking the s e curity of the s e s e rve rs .
More information about Nikt o can be found at the following URL: http://cirt.ne t/nikto2
Bad practice s whe n configuring the following as pe cts of a ne twork can incre as e the ris k of an attack.
A mis configure d ne twork is a primary e ntry point for unauthorize d us e rs . Le aving a trus tbas e d, ope n local ne twork vulne rable to the highly-ins e cure Inte rne t is much like le aving a door ajar in a crime -ridde n ne ighborhood — nothing may happe n for an arbitrary amount of time , but s ome one e xploits the opportunity eventually.
Sys te m adminis trators ofte n fail to re alize the importance of ne tworking hardware in the ir s e curity s che me s . Simple hardware , s uch as hubs and route rs , re lie s on the broadcas t or non-s witche d principle ; that is , whe ne ve r a node trans mits data acros s the ne twork to a re cipie nt node , the hub or route r s e nds a broadcas t of the data packe ts until the re cipie nt node re ce ive s and proce s s e s the data. This me thod is the mos t vulne rable to addre s s re s olution protocol (ARP) or me dia acce s s control (MAC) addre s s s poofing by both outs ide intrude rs and unauthorize d us e rs on local hos ts .
9

Se curit y Guide
Anothe r pote ntial ne tworking pitfall is the us e of ce ntralize d computing. A common cos tcutting me as ure for many bus ine s s e s is to cons olidate all s e rvice s to a s ingle powe rful machine . This can be conve nie nt as it is e as ie r to manage and cos ts cons ide rably le s s than multiple -s e rve r configurations . Howe ve r, a ce ntralize d s e rve r introduce s a s ingle point of failure on the ne twork. If the ce ntral s e rve r is compromis e d, it may re nde r the ne twork comple te ly us e le s s or wors e , prone to data manipulation or the ft. In the s e s ituations , a ce ntral s e rve r be come s an ope n door that allows acce s s to the e ntire ne twork.
Se rve r s e curity is as important as ne twork s e curity be caus e s e rve rs ofte n hold a gre at de al of an organization's vital information. If a s e rve r is compromis e d, all of its conte nts may be come available for the cracke r to s te al or manipulate at will. The following s e ctions de tail s ome of the main is s ue s .
A full ins tallation of Re d Hat Ente rpris e Linux 7 contains more than 1000 application and library package s . Howe ve r, mos t s e rve r adminis trators do not opt to ins tall e ve ry s ingle package in the dis tribution, pre fe rring ins te ad to ins tall a bas e ins tallation of package s ,
including s e ve ral s e rve r applications . Se e Se ction 2.3, “Ins talling the Minimum Amount of
Package s Re quire d” for an e xplanation of the re as ons to limit the numbe r of ins talle d
package s and for additional re s ource s .
A common occurre nce among s ys te m adminis trators is to ins tall the ope rating s ys te m without paying atte ntion to what programs are actually be ing ins talle d. This can be proble matic be caus e unne e de d s e rvice s may be ins talle d, configure d with the de fault s e ttings , and pos s ibly turne d on. This can caus e unwante d s e rvice s , s uch as Te lne t, DHCP, or DNS, to run on a s e rve r or works tation without the adminis trator re alizing it, which in turn can caus e unwante d traffic to the s e rve r or e ve n a pote ntial pathway into the s ys te m for cracke rs . Se e
Se ction 4.3, “Se curing Se rvice s ” for information on clos ing ports and
dis abling unus e d s e rvice s .
Mos t s e rve r applications that are include d in a de fault ins tallation are s olid, thoroughly te s te d pie ce s of s oftware . Having be e n in us e in production e nvironme nts for many ye ars , the ir code has be e n thoroughly re fine d and many of the bugs have be e n found and fixe d.
Howe ve r, the re is no s uch thing as pe rfe ct s oftware and the re is always room for furthe r re fine me nt. More ove r, ne we r s oftware is ofte n not as rigorous ly te s te d as one might e xpe ct, be caus e of its re ce nt arrival to production e nvironme nts or be caus e it may not be as popular as othe r s e rve r s oftware .
De ve lope rs and s ys te m adminis trators ofte n find e xploitable bugs in s e rve r applications and publis h the information on bug tracking and s e curity-re late d we bs ite s s uch as the
Bugtraq mailing lis t ( http://www.s e curityfocus .com
) or the Compute r Eme rge ncy Re s pons e
Te am (CERT) we bs ite ( http://www.ce rt.org
). Although the s e me chanis ms are an e ffe ctive way of ale rting the community to s e curity vulne rabilitie s , it is up to s ys te m adminis trators to patch the ir s ys te ms promptly. This is particularly true be caus e cracke rs have acce s s to the s e s ame vulne rability tracking s e rvice s and will us e the information to crack unpatche d s ys te ms whe ne ve r the y can. Good s ys te m adminis tration re quire s vigilance , cons tant bug tracking, and prope r s ys te m mainte nance to e ns ure a more s e cure computing e nvironme nt.
10

⁠Chapt e r 1. O ve rvie w o f Se curit y T o pics
Se e
Chapte r 3, Keeping Your System Up-to-Date for more information about ke e ping a
s ys te m up-to-date .
Adminis trators who fail to patch the ir s ys te ms are one of the gre ate s t thre ats to s e rve r s e curity. According to the SysAdmin, Audit, Network, Security Institute (SANS), the primary caus e of compute r s e curity vulne rability is "as s igning untraine d pe ople to maintain s e curity and providing ne ithe r the training nor the time to make it pos s ible to le arn and do the job." ⁠
[1]
This applie s as much to ine xpe rie nce d adminis trators as it doe s to ove rconfide nt or amotivate d adminis trators .
Some adminis trators fail to patch the ir s e rve rs and works tations , while othe rs fail to watch log me s s age s from the s ys te m ke rne l or ne twork traffic. Anothe r common e rror is whe n de fault pas s words or ke ys to s e rvice s are le ft unchange d. For e xample , s ome databas e s have de fault adminis tration pas s words be caus e the databas e de ve lope rs as s ume that the s ys te m adminis trator change s the s e pas s words imme diate ly afte r ins tallation. If a databas e adminis trator fails to change this pas s word, e ve n an ine xpe rie nce d cracke r can us e a wide ly-known de fault pas s word to gain adminis trative privile ge s to the databas e .
The s e are only a fe w e xample s of how inatte ntive adminis tration can le ad to compromis e d s e rve rs .
Eve n the mos t vigilant organization can fall victim to vulne rabilitie s if the ne twork s e rvice s the y choos e are inhe re ntly ins e cure . For ins tance , the re are many s e rvice s de ve lope d unde r the as s umption that the y are us e d ove r trus te d ne tworks ; howe ve r, this as s umption fails as s oon as the s e rvice be come s available ove r the Inte rne t — which is its e lf inhe re ntly untrus te d.
One cate gory of ins e cure ne twork s e rvice s are thos e that re quire une ncrypte d us e rname s and pas s words for authe ntication. Te lne t and FTP are two s uch s e rvice s . If packe t s niffing s oftware is monitoring traffic be twe e n the re mote us e r and s uch a s e rvice us e rname s and pas s words can be e as ily inte rce pte d.
Inhe re ntly, s uch s e rvice s can als o more e as ily fall pre y to what the s e curity indus try te rms the man-in-the-middle attack. In this type of attack, a cracke r re dire cts ne twork traffic by tricking a cracke d name s e rve r on the ne twork to point to his machine ins te ad of the inte nde d s e rve r. Once s ome one ope ns a re mote s e s s ion to the s e rve r, the attacke r's machine acts as an invis ible conduit, s itting quie tly be twe e n the re mote s e rvice and the uns us pe cting us e r capturing information. In this way a cracke r can gathe r adminis trative pas s words and raw data without the s e rve r or the us e r re alizing it.
Anothe r cate gory of ins e cure s e rvice s include ne twork file s ys te ms and information s e rvice s s uch as NFS or NIS, which are de ve lope d e xplicitly for LAN us age but are , unfortunate ly, e xte nde d to include WANs (for re mote us e rs ). NFS doe s not, by de fault, have any authe ntication or s e curity me chanis ms configure d to pre ve nt a cracke r from mounting the NFS s hare and acce s s ing anything containe d the re in. NIS, as we ll, has vital information that mus t be known by e ve ry compute r on a ne twork, including pas s words and file pe rmis s ions , within a plain te xt ASCII or DBM (ASCII-de rive d) databas e . A cracke r who gains acce s s to this databas e can the n acce s s e ve ry us e r account on a ne twork, including the adminis trator's account.
By de fault, Re d Hat Ente rpris e Linux 7 is re le as e d with all s uch s e rvice s turne d off.
Howe ve r, s ince adminis trators ofte n find the ms e lve s force d to us e the s e s e rvice s , care ful configuration is critical. Se e
Se ction 4.3, “Se curing Se rvice s ”
for more information about s e tting up s e rvice s in a s afe manne r.
11

Se curit y Guide
Works tations and home PCs may not be as prone to attack as ne tworks or s e rve rs , but s ince the y ofte n contain s e ns itive data, s uch as cre dit card information, the y are targe te d by s ys te m cracke rs . Works tations can als o be co-opte d without the us e r's knowle dge and us e d by attacke rs as "s lave " machine s in coordinate d attacks . For the s e re as ons , knowing the vulne rabilitie s of a works tation can s ave us e rs the he adache of re ins talling the ope rating s ys te m, or wors e , re cove ring from data the ft.
Bad pas s words are one of the e as ie s t ways for an attacke r to gain acce s s to a s ys te m.
For more on how to avoid common pitfalls whe n cre ating a pas s word, s e e Se ction 4.1.1,
“Pas s word Se curity” .
Although an adminis trator may have a fully s e cure and patche d s e rve r, that doe s not me an re mote us e rs are s e cure whe n acce s s ing it. For ins tance , if the s e rve r offe rs
Te lne t or FTP s e rvice s ove r a public ne twork, an attacke r can capture the plain te xt us e rname s and pas s words as the y pas s ove r the ne twork, and the n us e the account information to acce s s the re mote us e r's works tation.
Eve n whe n us ing s e cure protocols , s uch as SSH, a re mote us e r may be vulne rable to ce rtain attacks if the y do not ke e p the ir clie nt applications update d. For ins tance , v.1 SSH clie nts are vulne rable to an X-forwarding attack from malicious SSH s e rve rs . Once conne cte d to the s e rve r, the attacke r can quie tly capture any ke ys troke s and mous e clicks made by the clie nt ove r the ne twork. This proble m was fixe d in the v.2 SSH protocol, but it is up to the us e r to ke e p track of what applications have s uch vulne rabilitie s and update the m as ne ce s s ary.
Se ction 4.1, “De s ktop Se curity”
dis cus s e s in more de tail what s te ps adminis trators and home us e rs s hould take to limit the vulne rability of compute r works tations .
Table 1.1, “Common Exploits ” de tails s ome of the mos t common e xploits and e ntry points
us e d by intrude rs to acce s s organizational ne twork re s ource s . Ke y to the s e common e xploits are the e xplanations of how the y are pe rforme d and how adminis trators can prope rly s afe guard the ir ne twork agains t s uch attacks .
T able 1.1. Co mmo n Explo it s
Explo it Descript io n No t es
12

⁠Chapt e r 1. O ve rvie w o f Se curit y T o pics
Explo it
Null or De fault
Pas s words
Descript io n
Le aving adminis trative pas s words blank or us ing a de fault pas s word s e t by the product ve ndor. This is mos t common in hardware s uch as route rs and fire walls , but s ome s e rvice s that run on Linux can contain de fault adminis trator pas s words as we ll (though
Re d Hat Ente rpris e Linux 7 doe s not s hip with the m).
No t es
Commonly as s ociate d with ne tworking hardware s uch as route rs , fire walls , VPNs , and ne twork attache d s torage (NAS) appliance s .
Common in many le gacy ope rating s ys te ms , e s pe cially thos e that bundle s e rvice s (s uch as UNIX and Windows .)
Adminis trators s ome time s cre ate privile ge d us e r accounts in a rus h and le ave the pas s word null, cre ating a pe rfe ct e ntry point for malicious us e rs who dis cove r the account.
De fault Share d
Ke ys
IP Spoofing
Se cure s e rvice s s ome time s package de fault s e curity ke ys for de ve lopme nt or e valuation te s ting purpos e s . If the s e ke ys are le ft unchange d and are place d in a production e nvironme nt on the
Inte rne t, all us e rs with the s ame de fault ke ys have acce s s to that s hare d-ke y re s ource , and any s e ns itive information that it contains .
A re mote machine acts as a node on your local ne twork, finds vulne rabilitie s with your s e rve rs , and ins talls a backdoor program or
Trojan hors e to gain control ove r your ne twork re s ource s .
Mos t common in wire le s s acce s s points and pre configure d s e cure s e rve r appliance s .
Spoofing is quite difficult as it involve s the attacke r pre dicting
TCP/IP s e que nce numbe rs to coordinate a conne ction to targe t s ys te ms , but s e ve ral tools are available to as s is t cracke rs in pe rforming s uch a vulne rability.
De pe nds on targe t s ys te m running s e rvice s (s uch as rsh , telnet , FTP and othe rs ) that us e
source-based authe ntication te chnique s , which are not re comme nde d whe n compare d to
PKI or othe r forms of e ncrypte d authe ntication us e d in ssh or
SSL/TLS.
13

Se curit y Guide
Explo it Descript io n
Eave s dropping Colle cting data that pas s e s be twe e n two active node s on a ne twork by e ave s dropping on the conne ction be twe e n the two node s .
No t es
This type of attack works mos tly with plain te xt trans mis s ion protocols s uch as Te lne t, FTP, and
HTTP trans fe rs .
Re mote attacke r mus t have acce s s to a compromis e d s ys te m on a LAN in orde r to pe rform s uch an attack; us ually the cracke r has us e d an active attack (s uch as IP s poofing or man-in-the -middle ) to compromis e a s ys te m on the LAN.
Pre ve ntative me as ure s include s e rvice s with cryptographic ke y e xchange , one -time pas s words , or e ncrypte d authe ntication to pre ve nt pas s word s nooping; s trong e ncryption during trans mis s ion is als o advis e d.
14

⁠Chapt e r 1. O ve rvie w o f Se curit y T o pics
Explo it
Se rvice
Vulne rabilitie s
Descript io n
An attacke r finds a flaw or loophole in a s e rvice run ove r the
Inte rne t; through this vulne rability, the attacke r compromis e s the e ntire s ys te m and any data that it may hold, and could pos s ibly compromis e othe r s ys te ms on the ne twork.
No t es
HTTP-bas e d s e rvice s s uch as CGI are vulne rable to re mote command e xe cution and e ve n inte ractive s he ll acce s s . Eve n if the HTTP s e rvice runs as a nonprivile ge d us e r s uch as "nobody", information s uch as configuration file s and ne twork maps can be re ad, or the attacke r can s tart a de nial of s e rvice attack which drains s ys te m re s ource s or re nde rs it unavailable to othe r us e rs .
Se rvice s s ome time s can have vulne rabilitie s that go unnotice d during de ve lopme nt and te s ting; the s e vulne rabilitie s (s uch as
buffer overflows, whe re attacke rs cras h a s e rvice us ing arbitrary value s that fill the me mory buffe r of an application, giving the attacke r an inte ractive command prompt from which the y may e xe cute arbitrary commands ) can give comple te adminis trative control to an attacke r.
Adminis trators s hould make s ure that s e rvice s do not run as the root us e r, and s hould s tay vigilant of patche s and e rrata update s for applications from ve ndors or s e curity organizations s uch as
CERT and CVE.
15

Se curit y Guide
Explo it
Application
Vulne rabilitie s
De nial of
Se rvice (DoS)
Attacks
Descript io n
Attacke rs find faults in de s ktop and works tation applications (s uch as e mail clie nts ) and e xe cute arbitrary code , implant Trojan hors e s for future compromis e , or cras h s ys te ms . Furthe r e xploitation can occur if the compromis e d works tation has adminis trative privile ge s on the re s t of the ne twork.
No t es
Works tations and de s ktops are more prone to e xploitation as worke rs do not have the e xpe rtis e or e xpe rie nce to pre ve nt or de te ct a compromis e ; it is impe rative to inform individuals of the ris ks the y are taking whe n the y ins tall unauthorize d s oftware or ope n uns olicite d e mail attachme nts .
Safe guards can be imple me nte d s uch that e mail clie nt s oftware doe s not automatically ope n or e xe cute attachme nts . Additionally, the automatic update of works tation s oftware via Re d Hat
Ne twork; or othe r s ys te m manage me nt s e rvice s can alle viate the burde ns of multi-s e at s e curity de ployme nts .
Attacke r or group of attacke rs coordinate agains t an organization's ne twork or s e rve r re s ource s by s e nding unauthorize d packe ts to the targe t hos t (e ithe r s e rve r, route r, or works tation). This force s the re s ource to be come unavailable to le gitimate us e rs .
The mos t re porte d DoS cas e in the US occurre d in 2000. Se ve ral highly-trafficke d comme rcial and gove rnme nt s ite s we re re nde re d unavailable by a coordinate d ping flood attack us ing s e ve ral compromis e d s ys te ms with high bandwidth conne ctions acting as
zombies, or re dire cte d broadcas t node s .
Source packe ts are us ually forge d
(as we ll as re broadcas t), making inve s tigation as to the true s ource of the attack difficult.
Advance s in ingre s s filte ring (IETF rfc2267) us ing iptables and
Ne twork Intrus ion De te ction
Sys te ms s uch as snort as s is t adminis trators in tracking down and pre ve nting dis tribute d DoS attacks .
[1]
http://www.sans.org/security-resources/m istakes.php
16

⁠Chapt e r 2. Se curit y T ips f o r Inst allat io n
Se curity be gins with the firs t time you put that CD or DVD into your dis k drive to ins tall
Re d Hat Ente rpris e Linux 7. Configuring your s ys te m s e cure ly from the be ginning make s it e as ie r to imple me nt additional s e curity s e ttings late r.
Pas s word prote ction for the BIOS (or BIOS e quivale nt) and the boot loade r can pre ve nt unauthorize d us e rs who have phys ical acce s s to s ys te ms from booting us ing re movable me dia or obtaining root privile ge s through s ingle us e r mode . The s e curity me as ure s you s hould take to prote ct agains t s uch attacks de pe nds both on the s e ns itivity of the information on the works tation and the location of the machine .
For e xample , if a machine is us e d in a trade s how and contains no s e ns itive information, the n it may not be critical to pre ve nt s uch attacks . Howe ve r, if an e mploye e 's laptop with private , une ncrypte d SSH ke ys for the corporate ne twork is le ft unatte nde d at that s ame trade s how, it could le ad to a major s e curity bre ach with ramifications for the e ntire company.
If the works tation is locate d in a place whe re only authorize d or trus te d pe ople have acce s s , howe ve r, the n s e curing the BIOS or the boot loade r may not be ne ce s s ary.
The two primary re as ons for pas s word prote cting the BIOS of a compute r are ⁠
[2]
:
1. Preventing Changes to BIOS Settings — If an intrude r has acce s s to the BIOS, the y can s e t it to boot from a CD-ROM or a flas h drive . This make s it pos s ible for the m to e nte r re s cue mode or s ingle us e r mode , which in turn allows the m to s tart arbitrary proce s s e s on the s ys te m or copy s e ns itive data.
2. Preventing System Booting — Some BIOSe s allow pas s word prote ction of the boot proce s s . Whe n activate d, an attacke r is force d to e nte r a pas s word be fore the BIOS launche s the boot loade r.
Be caus e the me thods for s e tting a BIOS pas s word vary be twe e n compute r manufacture rs , cons ult the compute r's manual for s pe cific ins tructions .
If you forge t the BIOS pas s word, it can e ithe r be re s e t with jumpe rs on the mothe rboard or by dis conne cting the CMOS batte ry. For this re as on, it is good practice to lock the compute r cas e if pos s ible . Howe ve r, cons ult the manual for the compute r or mothe rboard be fore atte mpting to dis conne ct the CMOS batte ry.
Othe r s ys te ms and archite cture s us e diffe re nt programs to pe rform low-le ve l tas ks roughly e quivale nt to thos e of the BIOS on x86 s ys te ms . For e xample , the Unified
Extensible Firmware Interface (UEFI) s he ll.
For ins tructions on pas s word prote cting BIOS-like programs , s e e the manufacture r's ins tructions .
17

Se curit y Guide
Re d Hat re comme nds cre ating s e parate partitions for the /boot/ , / , /home//tmp/ , and
/var/tmp/ dire ctorie s . The re as ons for e ach are diffe re nt, and we will addre s s e ach partition.
/boot
This partition is the firs t partition that is re ad by the s ys te m during boot up. The boot loade r and ke rne l image s that are us e d to boot your s ys te m into Re d Hat
Ente rpris e Linux 7 are s tore d in this partition. This partition s hould not be e ncrypte d. If this partition is include d in / and that partition is e ncrypte d or othe rwis e be come s unavailable the n your s ys te m will not be able to boot.
/home
Whe n us e r data ( /home ) is s tore d in / ins te ad of in a s e parate partition, the partition can fill up caus ing the ope rating s ys te m to be come uns table . Als o, whe n upgrading your s ys te m to the ne xt ve rs ion of Re d Hat Ente rpris e Linux 7 it is a lot e as ie r whe n you can ke e p your data in the /home partition as it will not be ove rwritte n during ins tallation. If the root partition ( / ) be come s corrupt your data could be los t fore ve r. By us ing a s e parate partition the re is s lightly more prote ction agains t data los s . You can als o targe t this partition for fre que nt backups .
/tmp and /var/tmp
Both the /tmp and /var/tmp dire ctorie s are us e d to s tore data that doe s not ne e d to be s tore d for a long pe riod of time . Howe ve r, if a lot of data floods one of the s e dire ctorie s it can cons ume all of your s torage s pace . If this happe ns and the s e dire ctorie s are s tore d within / the n your s ys te m could be come uns table and cras h. For this re as on, moving the s e dire ctorie s into the ir own partitions is a good ide a.
Note
During the ins tallation proce s s , an option to e ncrypt partitions is pre s e nte d to you.
The us e r mus t s upply a pas s phras e . This pas s phras e will be us e d as a ke y to unlock the bulk e ncryption ke y, which is us e d to s e cure the partition's data. For more information on LUKS, s e e
Se ction 4.10.1, “Us ing LUKS Dis k Encryption”
.
It is be s t practice to ins tall only the package s you will us e be caus e e ach pie ce of s oftware on your compute r could pos s ibly contain a vulne rability. If you are ins talling from the DVD me dia, take the opportunity to s e le ct e xactly what package s you want to ins tall during the ins tallation. If you find you ne e d anothe r package , you can always add it to the s ys te m late r.
For more information about ins talling the Minimal install e nvironme nt, s e e the
Software Se le ction chapte r of the Re d Hat Ente rpris e Linux 7 Ins tallation Guide . A minimal ins tallation can als o be pe rforme d via a Kicks tart file us ing the --nobase option. For more information about Kicks tart ins tallations , s e e the Package Se le ction s e ction from the
Re d Hat Ente rpris e Linux 7 Ins tallation Guide .
18

⁠Chapt e r 2. Se curit y T ips f o r Inst allat io n
The following s te ps are the s e curity-re late d proce dure s that s hould be pe rforme d imme diate ly afte r ins tallation of Re d Hat Ente rpris e Linux.
1. Update your s ys te m. Run the following command as root:
~]# yum update
2. Eve n though the fire wall s e rvice , firewalld , is automatically e nable d with the ins tallation of Re d Hat Ente rpris e Linux, the re are s ce narios whe re it might be e xplicitly dis able d, for e xample in the kicks tart configuration. In s uch a cas e , it is re comme nde d to cons ide r re -e nabling the fire wall.
To s tart firewalld run the following commands as root:
~]# systemctl start firewalld
~]# systemctl enable firewalld
3. To e nhance s e curity, dis able s e rvice s you do not ne e d. For e xample , if the re are no printe rs ins talle d on your compute r, dis able the cups s e rvice us ing the following command:
~]# systemctl disable cups
To re vie w active s e rvice s , run the following command:
~]$ systemctl list-units | grep service
For more information about ins tallation in ge ne ral, s e e the Re d Hat Ente rpris e Linux 7
Ins tallation Guide .
[2] Since system BIO Ses differ between m anufacturers, som e m ay not support password
protection of either type, while others m ay support one type but not the other.
19

Se curit y Guide
This chapte r de s cribe s the proce s s of ke e ping your s ys te m up-to-date , which involve s planning and configuring the way s e curity update s are ins talle d, applying change s introduce d by ne wly update d package s , and us ing the Re d Hat Cus tome r Portal for ke e ping track of s e curity advis orie s .
As s e curity vulne rabilitie s are dis cove re d, the affe cte d s oftware mus t be update d in orde r to limit any pote ntial s e curity ris ks . If the s oftware is a part of a package within a Re d Hat
Ente rpris e Linux dis tribution that is curre ntly s upporte d, Re d Hat is committe d to re le as ing update d package s that fix the vulne rabilitie s as s oon as pos s ible .
Ofte n, announce me nts about a give n s e curity e xploit are accompanie d with a patch (or s ource code ) that fixe s the proble m. This patch is the n applie d to the Re d Hat
Ente rpris e Linux package and te s te d and re le as e d as an e rratum update . Howe ve r, if an announce me nt doe s not include a patch, Re d Hat de ve lope rs firs t work with the maintaine r of the s oftware to fix the proble m. Once the proble m is fixe d, the package is te s te d and re le as e d as an e rratum update .
If an e rratum update is re le as e d for s oftware us e d on your s ys te m, it is highly re comme nde d that you update the affe cte d package s as s oon as pos s ible to minimize the amount of time the s ys te m is pote ntially vulne rable .
All s oftware contains bugs . Ofte n, the s e bugs can re s ult in a vulne rability that can e xpos e your s ys te m to malicious us e rs . Package s that have not be e n update d are a common caus e of compute r intrus ions . Imple me nt a plan for ins talling s e curity patche s in a time ly manne r to quickly e liminate dis cove re d vulne rabilitie s , s o the y cannot be e xploite d.
Te s t s e curity update s whe n the y be come available and s che dule the m for ins tallation.
Additional controls ne e d to be us e d to prote ct the s ys te m during the time be twe e n the re le as e of the update and its ins tallation on the s ys te m. The s e controls de pe nd on the e xact vulne rability, but may include additional fire wall rule s , the us e of e xte rnal fire walls , or change s in s oftware s e ttings .
Bugs in s upporte d package s are fixe d us ing the e rrata me chanis m. An e rratum cons is ts of one or more RPM package s accompanie d by a brie f e xplanation of the proble m that the particular e rratum de als with. All e rrata are dis tribute d to cus tome rs with active s ubs criptions through the Red Hat Subscript io n Management s e rvice . Errata that addre s s s e curity is s ue s are calle d Red Hat Security Advisories.
For more information on working with s e curity e rrata, s e e Se ction 3.2.1, “Vie wing Se curity
Advis orie s on the Cus tome r Portal” . For de taile d information about the Red Hat
Subscript io n Management s e rvice , including ins tructions on how to migrate from RHN
Classic, s e e the docume ntation re late d to this s e rvice : Re d Hat Subs cription Manage me nt .
The Yum package manage r include s s e ve ral s e curity-re late d fe ature s that can be us e d to s e arch, lis t, dis play, and ins tall s e curity e rrata. The s e fe ature s als o make it pos s ible to us e Yum to ins tall nothing but s e curity update s .
20

⁠Chapt e r 3. Ke e ping Yo ur Syst e m Up-t o -Dat e
To che ck for s e curity-re late d update s available for your s ys te m, run the following command as root :
~]# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager rhel-7-workstation-rpms/x86_64 | 3.4 kB 00:00:00
No packages needed for security; 0 packages available
Note that the above command runs in a non-inte ractive mode , s o it can be us e d in s cripts for automate d che cking whe the r the re are any update s available . The command re turns an e xit value of 100 whe n the re are any s e curity update s available and 0 whe n the re are not. On e ncounte ring an e rror, it re turns 1.
Analogous ly, us e the following command to only ins tall s e curity-re late d update s :
~]# yum update --security
Us e the updateinfo s ubcommand to dis play or act upon information provide d by re pos itorie s about available update s . The updateinfo s ubcommand its e lf acce pts a
numbe r of commands , s ome of which pe rtain to s e curity-re late d us e s . Se e Table 3.1,
“Se curity-re late d commands us able with yum update info” for an ove rvie w of the s e
commands .
T able 3.1. Securit y-relat ed co mmands usable wit h yum updat einf o
Co mmand advisory [advisories] cves security or sec severity [severity_level]
or sev [severity_level]
Descript io n
Dis plays information about one or more advis orie s .
Re place advisories with an advis ory numbe r or numbe rs .
Dis plays the s ubs e t of information that pe rtains to CVE
(Common Vulnerabilities and Exposures).
Dis plays all s e curity-re late d information.
Dis plays information about s e curity-re le vant package s of the s upplie d severity_level.
Whe n updating s oftware on a s ys te m, it is important to download the update from a trus te d s ource . An attacke r can e as ily re build a package with the s ame ve rs ion numbe r as the one that is s uppos e d to fix the proble m but with a diffe re nt s e curity e xploit and re le as e it on the Inte rne t. If this happe ns , us ing s e curity me as ure s , s uch as ve rifying file s agains t the original RPM, doe s not de te ct the e xploit. Thus , it is ve ry important to only download RPMs from trus te d s ource s , s uch as from Re d Hat, and to che ck the package s ignature s to ve rify the ir inte grity.
Se e the Yum chapte r of the Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide for de taile d information on how to us e the Yum package manage r.
All Re d Hat Ente rpris e Linux package s are s igne d with the Re d Hat GPG ke y. GPG s tands for GNU Privacy Guard, or GnuPG, a fre e s oftware package us e d for e ns uring the authe nticity of dis tribute d file s . If the ve rification of a package s ignature fails , the package may be alte re d and the re fore cannot be trus te d.
21

Se curit y Guide
The Yum package manage r allows for an automatic ve rification of all package s it ins talls or upgrade s . This fe ature is e nable d by de fault. To configure this option on your s ys te m, make s ure the gpgcheck configuration dire ctive is s e t to 1 in the /etc/yum.conf
configuration file .
Us e the following command to manually ve rify package file s on your file s ys te m: rpmkeys --checksig package_file.rpm
Se e the Product Signing (GPG) Ke ys article on the Re d Hat Cus tome r Portal for additional information about Re d Hat package -s igning practice s .
To ins tall ve rifie d package s (s e e
Se ction 3.1.2.1, “Ve rifying Signe d Package s ”
for information on how to ve rify package s ) from your file s ys te m, us e the yum install command as the root us e r as follows : yum install package_file.rpm
Us e a s he ll glob to ins tall s e ve ral package s at once . For e xample , the following commands ins talls all .rpm
package s in the curre nt dire ctory: yum install *.rpm
Important
Be fore ins talling any s e curity e rrata, be s ure to re ad any s pe cial ins tructions
containe d in the e rratum re port and e xe cute the m accordingly. Se e Se ction 3.1.3,
“Applying Change s Introduce d by Ins talle d Update s ” for ge ne ral ins tructions about
applying change s made by e rrata update s .
Afte r downloading and ins talling s e curity e rrata and update s , it is important to halt the us age of the old s oftware and be gin us ing the ne w s oftware . How this is done de pe nds on the type of s oftware that has be e n update d. The following lis t ite mize s the ge ne ral cate gorie s of s oftware and provide s ins tructions for us ing update d ve rs ions afte r a package upgrade .
Note
In ge ne ral, re booting the s ys te m is the s ure s t way to e ns ure that the late s t ve rs ion of a s oftware package is us e d; howe ve r, this option is not always re quire d, nor is it always available to the s ys te m adminis trator.
Applicat io ns
22

⁠Chapt e r 3. Ke e ping Yo ur Syst e m Up-t o -Dat e
Us e r-s pace applications are any programs that can be initiate d by the us e r.
Typically, s uch applications are us e d only whe n the us e r, a s cript, or an automate d tas k utility launch the m.
Once s uch a us e r-s pace application is update d, halt any ins tance s of the application on the s ys te m, and launch the program again to us e the update d ve rs ion.
Kernel
The ke rne l is the core s oftware compone nt for the Re d Hat Ente rpris e Linux 7 ope rating s ys te m. It manage s acce s s to me mory, the proce s s or, and pe riphe rals , and it s che dule s all tas ks .
Be caus e of its ce ntral role , the ke rne l cannot be re s tarte d without als o re booting the compute r. The re fore , an update d ve rs ion of the ke rne l cannot be us e d until the s ys te m is re boote d.
KVM
Whe n the qemu-kvm and libvirt package s are update d, it is ne ce s s ary to s top all gue s t virtual machine s , re load re le vant virtualization module s (or re boot the hos t s ys te m), and re s tart the virtual machine s .
Us e the lsmod command to de te rmine which module s from the following are loade d: kvm , kvm-intel , or kvm-amd . The n us e the modprobe -r command to re move and s ubs e que ntly the modprobe -a command to re load the affe cte d module s . Fox e xample :
~]# lsmod | grep kvm kvm_intel 143031 0 kvm 460181 1 kvm_intel
~]# modprobe -r kvm-intel
~]# modprobe -r kvm
~]# modprobe -a kvm kvm-intel
Shared Libraries
Share d librarie s are units of code , s uch as glibc , that are us e d by a numbe r of applications and s e rvice s . Applications utilizing a s hare d library typically load the s hare d code whe n the application is initialize d, s o any applications us ing an update d library mus t be halte d and re launche d.
To de te rmine which running applications link agains t a particular library, us e the lsof command: lsof library
For e xample , to de te rmine which running applications link agains t the libwrap.so.0
library, type :
~]# lsof /lib64/libwrap.so.0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME pulseaudi 12363 test mem REG 253,0 42520 34121785
/usr/lib64/libwrap.so.0.7.6
23

Se curit y Guide gnome-set 12365 test mem REG 253,0 42520 34121785
/usr/lib64/libwrap.so.0.7.6
gnome-she 12454 test mem REG 253,0 42520 34121785
/usr/lib64/libwrap.so.0.7.6
This command re turns a lis t of all the running programs that us e TCP wrappe rs for hos t-acce s s control. The re fore , any program lis te d mus t be halte d and re launche d whe n the tcp_wrappers package is update d.
syst emd Services s ys te md s e rvice s are pe rs is te nt s e rve r programs us ually launche d during the boot proce s s . Example s of s ys te md s e rvice s include sshd or vsftpd .
Be caus e the s e programs us ually pe rs is t in me mory as long as a machine is running, e ach update d s ys te md s e rvice mus t be halte d and re launche d afte r its package is upgrade d. This can be done as the root us e r us ing the systemctl command: systemctl restart service_name
Re place service_name with the name of the s e rvice you want to re s tart, s uch as sshd .
Ot her So f t ware
Follow the ins tructions outline d by the re s ource s linke d be low to corre ctly update the following applications .
Red Hat Direct o ry Server — Se e the Release Notes for the ve rs ion of the
Re d Hat Dire ctory Se rve r in que s tion at https ://acce s s .re dhat.com/s ite /docume ntation/e n-
US/Re d_Hat_Dire ctory_Se rve r/ .
Red Hat Ent erprise Virt ualizat io n Manager — Se e the Installation Guide for the ve rs ion of the Re d Hat Ente rpris e Virtualization in que s tion at https ://acce s s .re dhat.com/s ite /docume ntation/e n-
US/Re d_Hat_Ente rpris e _Virtualization/ .
The Re d Hat Cus tome r Portal at https ://acce s s .re dhat.com/ is the main cus tome r-orie nte d re s ource for official information re late d to Re d Hat products . You can us e it to find docume ntation, manage your s ubs criptions , download products and update s , ope n s upport cas e s , and le arn about s e curity update s .
To vie w s e curity advis orie s (e rrata) re le vant to the s ys te ms for which you have active s ubs criptions , log into the Cus tome r Portal at https ://acce s s .re dhat.com/ and click on the
Download Products & Updates button on the main page . Whe n you e nte r the Software
& Download Center page , continue by clicking on the Errata button to s e e a lis t of advis orie s pe rtine nt to your re gis te re d s ys te ms .
To brows e a lis t of all s e curity update s for all active Re d Hat products , go to Securit y →
Securit y Updat es → Act ive Pro duct s us ing the navigation me nu at the top of the page .
24

⁠Chapt e r 3. Ke e ping Yo ur Syst e m Up-t o -Dat e
Click on the e rratum code in the le ft part of the table to dis play more de taile d information about the individual advis orie s . The ne xt page contains not only a de s cription of the give n e rratum, including its caus e s , cons e que nce s , and re quire d fixe s , but als o a lis t of all package s that the particular e rratum update s along with ins tructions on how to apply the update s . The page als o include s links to re le vant re fe re nce s , s uch as re late d CVE.
The CVE (Common Vulnerabilities and Exposures) proje ct, maintaine d by
The MITRE Corporation, is a lis t of s tandardize d name s for vulne rabilitie s and s e curity e xpos ure s . To brows e a lis t of CVE that pe rtain to Re d Hat products on the Cus tome r
Portal, log into your account at https ://acce s s .re dhat.com/ and navigate to Securit y →
Reso urces → CVE Dat abase us ing the navigation me nu at the top of the page .
Click on the CVE code in the le ft part of the table to dis play more de taile d information about the individual vulne rabilitie s . The ne xt page contains not only a de s cription of the give n CVE but als o a lis t of affe cte d Re d Hat products along with links to re le vant Re d Hat e rrata.
All s e curity is s ue s dis cove re d in Re d Hat products are as s igne d an impact rating by
Red Hat Product Security according to the s e ve rity of the proble m. The four-point s cale cons is ts of the following le ve ls : Low, Mode rate , Important, and Critical. In addition to that, e ve ry s e curity is s ue is rate d us ing the Common Vulnerability Scoring System (CVSS) bas e s core s .
Toge the r, the s e ratings he lp you unde rs tand the impact of s e curity is s ue s , allowing you to s che dule and prioritize upgrade s trate gie s for your s ys te ms . Note that the ratings re fle ct the pote ntial ris k of a give n vulne rability, which is bas e d on a te chnical analys is of the bug, not the curre nt thre at le ve l. This me ans that the s e curity impact rating doe s not change if an e xploit is re le as e d for a particular flaw.
To s e e a de taile d de s cription of the individual le ve ls of s e ve rity ratings on the Cus tome r
Portal, vis it the Se ve rity Ratings page .
For more information about s e curity update s , ways of applying the m, the Re d Hat
Cus tome r Portal, and re late d topics , s e e the re s ource s lis te d be low.
yum(8) — The manual page for the Yum package manage r provide s information about the way Yum can be us e d to ins tall, update , and re move package s on your s ys te ms .
rpmke ys (8) — The manual page for the rpmkeys utility de s cribe s the way this program can be us e d to ve rify the authe nticity of downloade d package s .
25

Se curit y Guide
Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide — The System Administrator's
Guide for Re d Hat Ente rpris e Linux 7 docume nts the us e of the Yum and rpm commands that are us e d to ins tall, update , and re move package s on Re d Hat Ente rpris e Linux 7 s ys te ms .
Re d Hat Ente rpris e Linux 7 SELinux Us e r's and Adminis trator's Guide — The SELinux
User's and Administrator's Guide for Re d Hat Ente rpris e Linux 7 docume nts the configuration of the SELinux mandatory access control me chanis m.
Re d Hat Cus tome r Portal, Se curity — The Se curity s e ction of the Cus tome r Portal contains links to the mos t important re s ource s , including the Re d Hat CVE databas e , and contacts for Re d Hat Product Se curity.
Re d Hat Se curity Blog — Article s about late s t s e curity-re late d is s ue s from Re d Hat s e curity profe s s ionals .
Chapte r 2, Security Tips for Installation de s cribe s how to configure your s ys te m
s e cure ly from the be ginning to make it e as ie r to imple me nt additional s e curity s e ttings late r.
Se ction 4.10.2, “Cre ating GPG Ke ys ” de s cribe s how to cre ate a s e t of pe rs onal GPG
ke ys to authe nticate your communications .
26

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Pas s words are the primary me thod that Re d Hat Ente rpris e Linux 7 us e s to ve rify a us e r's ide ntity. This is why pas s word s e curity is s o important for prote ction of the us e r, the works tation, and the ne twork.
For s e curity purpos e s , the ins tallation program configure s the s ys te m to us e Secure Hash
Algorithm 512 (SHA512) and s hadow pas s words . It is highly re comme nde d that you do not alte r the s e s e ttings .
If s hadow pas s words are de s e le cte d during ins tallation, all pas s words are s tore d as a one -way has h in the world-re adable /etc/passwd file , which make s the s ys te m vulne rable to offline pas s word cracking attacks . If an intrude r can gain acce s s to the machine as a re gular us e r, he can copy the /etc/passwd file to his own machine and run any numbe r of pas s word cracking programs agains t it. If the re is an ins e cure pas s word in the file , it is only a matte r of time be fore the pas s word cracke r dis cove rs it.
Shadow pas s words e liminate this type of attack by s toring the pas s word has he s in the file
/etc/shadow , which is re adable only by the root us e r.
This force s a pote ntial attacke r to atte mpt pas s word cracking re mote ly by logging into a ne twork s e rvice on the machine , s uch as SSH or FTP. This s ort of brute -force attack is much s lowe r and le ave s an obvious trail as hundre ds of faile d login atte mpts are writte n to s ys te m file s . Of cours e , if the cracke r s tarts an attack in the middle of the night on a s ys te m with we ak pas s words , the cracke r may have gaine d acce s s be fore dawn and e dite d the log file s to cove r his tracks .
In addition to format and s torage cons ide rations is the is s ue of conte nt. The s ingle mos t important thing a us e r can do to prote ct his account agains t a pas s word cracking attack is cre ate a s trong pas s word.
Whe n cre ating a s e cure pas s word, the us e r mus t re me mbe r that long pas s words are s tronge r than s hort and comple x one s . It is not a good ide a to cre ate a pas s word of jus t e ight characte rs , e ve n if it contains digits , s pe cial characte rs and uppe rcas e le tte rs .
Pas s word cracking tools , s uch as John The Rippe r, are optimize d for bre aking s uch pas s words , which are als o hard to re me mbe r by a pe rs on.
In information the ory, e ntropy is the le ve l of unce rtainty as s ociate d with a random variable and is pre s e nte d in bits . The highe r the e ntropy value , the more s e cure the pas s word is .
According to NIST SP 800-63-1, pas s words that are not pre s e nt in a dictionary compris e d of 50000 commonly s e le cte d pas s words s hould have at le as t 10 bits of e ntropy. As s uch, a pas s word that cons is ts of four random words contains around 40 bits of e ntropy. A long pas s word cons is ting of multiple words for adde d s e curity is als o calle d a passphrase, for e xample :
randomword1 randomword2 randomword3 randomword4
27

Se curit y Guide
If the s ys te m e nforce s the us e of uppe rcas e le tte rs , digits , or s pe cial characte rs , the pas s phras e that follows the above re comme ndation can be modifie d in a s imple way, for e xample by changing the firs t characte r to uppe rcas e and appe nding " 1!
". Note that s uch a modification does not incre as e the s e curity of the pas s phras e s ignificantly.
Anothe r way to cre ate a pas s word yours e lf is us ing a pas s word ge ne rator. The pwmake is a command-line tool for ge ne rating random pas s words that cons is t of all four groups of characte rs – uppe rcas e , lowe rcas e , digits and s pe cial characte rs . The utility allows you to s pe cify the numbe r of e ntropy bits that are us e d to ge ne rate the pas s word. The e ntropy is pulle d from /dev/urandom . The minimum numbe r of bits you can s pe cify is 56, which is e nough for pas s words on s ys te ms and s e rvice s whe re brute force attacks are rare . 64 bits is ade quate for applications whe re the attacke r doe s not have dire ct acce s s to the pas s word has h file . For s ituations whe n the attacke r might obtain the dire ct acce s s to the pas s word has h or the pas s word is us e d as an e ncryption ke y, 80 to 128 bits s hould be us e d. If you s pe cify an invalid numbe r of e ntropy bits , pwmake will us e the de fault of bits .
To cre ate a pas s word of 128 bits , run the following command: pwmake 128
While the re are diffe re nt approache s to cre ating a s e cure pas s word, always avoid the following bad practice s :
Us ing a s ingle dictionary word, a word in a fore ign language , an inve rte d word, or only numbe rs .
Us ing le s s than 10 characte rs for a pas s word or pas s phras e .
Us ing a s e que nce of ke ys from the ke yboard layout.
Writing down your pas s words .
Us ing pe rs onal information in a pas s word, s uch as birth date s , annive rs arie s , family me mbe r name s , or pe t name s .
Us ing the s ame pas s phras e or pas s word on multiple machine s .
While cre ating s e cure pas s words is impe rative , managing the m prope rly is als o important, e s pe cially for s ys te m adminis trators within large r organizations . The following s e ction de tails good practice s for cre ating and managing us e r pas s words within an organization.
If an organization has a large numbe r of us e rs , the s ys te m adminis trators have two bas ic options available to force the us e of s trong pas s words . The y can cre ate pas s words for the us e r, or the y can le t us e rs cre ate the ir own pas s words while ve rifying the pas s words are of ade quate s tre ngth.
Cre ating the pas s words for the us e rs e ns ure s that the pas s words are good, but it be come s a daunting tas k as the organization grows . It als o incre as e s the ris k of us e rs writing the ir pas s words down, thus e xpos ing the m.
For the s e re as ons , mos t s ys te m adminis trators pre fe r to have the us e rs cre ate the ir own pas s words , but active ly ve rify that the s e pas s words are s trong e nough. In s ome cas e s , adminis trators may force us e rs to change the ir pas s words pe riodically through pas s word aging.
28

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Whe n us e rs are as ke d to cre ate or change pas s words , the y can us e the passwd command-line utility, which is PAM-aware (Pluggable Authentication Modules) and che cks to s e e if the pas s word is too s hort or othe rwis e e as y to crack. This che cking is pe rforme d by the pam_pwquality.so
PAM module .
Note
In Re d Hat Ente rpris e Linux 7, the pam_pwquality PAM module re place d pam_cracklib , which was us e d in Re d Hat Ente rpris e Linux 6 as a de fault module for pas s word quality che cking. It us e s the s ame back e nd as pam_cracklib .
The pam_pwquality module is us e d to che ck a pas s word's s tre ngth agains t a s e t of rule s .
Its proce dure cons is ts of two s te ps : firs t it che cks if the provide d pas s word is found in a dictionary. If not, it continue s with a numbe r of additional che cks . pam_pwquality is s tacke d alongs ide othe r PAM module s in the password compone nt of the
/etc/pam.d/passwd file , and the cus tom s e t of rule s is s pe cifie d in the
/etc/security/pwquality.conf
configuration file . For a comple te lis t of the s e che cks , s e e the pwquality.conf (8) manual page .
Example 4.1. Co nf iguring passwo rd st rengt h-checking in pwquality.conf
To e nable us ing pam_quality , add the following line to the password s tack in the
/etc/pam.d/passwd file : password required pam_pwquality.so retry=3
Options for the che cks are s pe cifie d one pe r line . For e xample , to re quire a pas s word with a minimum le ngth of 8 characte rs , including all four clas s e s of characte rs , add the following line s to the /etc/security/pwquality.conf
file : minlen = 8 minclass = 4
To s e t a pas s word s tre ngth-che ck for characte r s e que nce s and s ame cons e cutive characte rs , add the following line s to /etc/security/pwquality.conf
: maxsequence = 3 maxrepeat = 3
In this e xample , the pas s word e nte re d cannot contain more than 3 characte rs in a monotonic s e que nce , s uch as abcd , and more than 3 ide ntical cons e cutive characte rs , s uch as 1111 .
Note
As the root us e r is the one who e nforce s the rule s for pas s word cre ation, the y can s e t any pas s word for the ms e lve s or for a re gular us e r, de s pite the warning me s s age s .
29

Se curit y Guide
Pas s word aging is anothe r te chnique us e d by s ys te m adminis trators to de fe nd agains t bad pas s words within an organization. Pas s word aging me ans that afte r a s pe cifie d pe riod
(us ually 90 days ), the us e r is prompte d to cre ate a ne w pas s word. The the ory be hind this is that if a us e r is force d to change his pas s word pe riodically, a cracke d pas s word is only us e ful to an intrude r for a limite d amount of time . The downs ide to pas s word aging, howe ve r, is that us e rs are more like ly to write the ir pas s words down.
To s pe cify pas s word aging unde r Re d Hat Ente rpris e Linux 7, make us e of the chage command.
Important
In Re d Hat Ente rpris e Linux 7, s hadow pas s words are e nable d by de fault. For more information, s e e the Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide .
The -M option of the chage command s pe cifie s the maximum numbe r of days the pas s word is valid. For e xample , to s e t a us e r's pas s word to e xpire in 90 days , us e the following command:
chage -M 90 username
In the above command, re place username with the name of the us e r. To dis able pas s word e xpiration, us e the value of -1 afte r the -M option.
For more information on the options available with the chage command, s e e the table be low.
T able 4.1. chage co mmand line o pt io ns
Opt io n
-d days
-E
-I
-l
-m
-M
-W
date
days
days
days
days
Descript io n
Spe cifie s the numbe r of days s ince January 1, 1970 the pas s word was change d.
Spe cifie s the date on which the account is locke d, in the format YYYY-MM-DD. Ins te ad of the date , the numbe r of days s ince January 1, 1970 can als o be us e d.
Spe cifie s the numbe r of inactive days afte r the pas s word e xpiration be fore locking the account. If the value is 0 , the account is not locke d afte r the pas s word e xpire s .
Lis ts curre nt account aging s e ttings .
Spe cify the minimum numbe r of days afte r which the us e r mus t change pas s words . If the value is 0 , the pas s word doe s not e xpire .
Spe cify the maximum numbe r of days for which the pas s word is valid. Whe n the numbe r of days s pe cifie d by this option plus the numbe r of days s pe cifie d with the -d option is le s s than the curre nt day, the us e r mus t change pas s words be fore us ing the account.
Spe cifie s the numbe r of days be fore the pas s word e xpiration date to warn the us e r.
30

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
You can als o us e the chage command in inte ractive mode to modify multiple pas s word aging and account de tails . Us e the following command to e nte r inte ractive mode :
chage <username>
The following is a s ample inte ractive s e s s ion us ing this command:
~]# chage juan
Changing the aging information for juan
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 90
Last Password Change (YYYY-MM-DD) [2006-08-18]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
You can configure a pas s word to e xpire the firs t time a us e r logs in. This force s us e rs to change pas s words imme diate ly.
1. Se t up an initial pas s word. To as s ign a de fault pas s word, run the following command at a s he ll prompt as root :
passwd username
Warning
The passwd utility has the option to s e t a null pas s word. Us ing a null pas s word, while conve nie nt, is a highly ins e cure practice , as any third party can log in and acce s s the s ys te m us ing the ins e cure us e rname . Avoid us ing null pas s words whe re ve r pos s ible . If it is not pos s ible , always make s ure that the us e r is re ady to log in be fore unlocking an account with a null pas s word.
2. Force imme diate pas s word e xpiration by running the following command as root :
chage -d 0 username
This command s e ts the value for the date the pas s word was las t change d to the e poch (January 1, 1970). This value force s imme diate pas s word e xpiration no matte r what pas s word aging policy, if any, is in place .
Upon the initial log in, the us e r is now prompte d for a ne w pas s word.
In Re d Hat Ente rpris e Linux 7, the pam_faillock PAM module allows s ys te m adminis trators to lock out us e r accounts afte r a s pe cifie d numbe r of faile d atte mpts .
Limiting us e r login atte mpts s e rve s mainly as a s e curity me as ure that aims to pre ve nt pos s ible brute force attacks targe te d to obtain a us e r's account pas s word.
With the pam_faillock module , faile d login atte mpts are s tore d in a s e parate file for e ach us e r in the /var/run/faillock dire ctory.
31

Se curit y Guide
Note
The orde r of line s in the faile d atte mpt log file s is important. Any change in this orde r can lock all us e r accounts , including the root us e r account whe n the even_deny_root option is us e d.
Follow the s e s te ps to configure account locking:
1. To lock out any non-root us e r afte r thre e uns ucce s s ful atte mpts and unlock that us e r afte r 10 minute s , add two line s to the auth s e ction of the
/etc/pam.d/system-auth and /etc/pam.d/password-auth file s . Afte r your e dits , the e ntire auth s e ction in both file s s hould look like this :
1 auth required pam_env.so
2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
3 auth sufficient pam_unix.so nullok try_first_pass
4 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
5 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
6 auth required pam_deny.so
Line s numbe r 2 and 4 have be e n adde d.
2. Add the following line to the account s e ction of both file s s pe cifie d in the pre vious s te p: account required pam_faillock.so
3. To apply account locking for the root us e r as we ll, add the even_deny_root option to the pam_faillock e ntrie s in the /etc/pam.d/system-auth and
/etc/pam.d/password-auth file s : auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600 auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600 account required pam_faillock.so
Whe n us e r john atte mpts to log in for the fourth time afte r failing to log in thre e time s pre vious ly, his account is locke d upon the fourth atte mpt:
[yruseva@localhost ~]$ su - john
Account locked due to 3 failed logins su: incorrect password
To pre ve nt the s ys te m from locking us e rs out e ve n afte r multiple faile d logins , add the following line jus t above the line whe re pam_faillock is calle d for the firs t time in both
/etc/pam.d/system-auth and /etc/pam.d/password-auth . Als o re place user1 , user2 , and user3 with the actual us e r name s .
32

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
To vie w the numbe r of faile d atte mpts pe r us e r, run, as root , the following command:
[root@localhost ~]# faillock john:
When Type Source
Valid
2013-03-05 11:44:14 TTY pts/0
V
To unlock a us e r's account, run, as root , the following command:
faillock --user <username> --reset
Whe n modifying authe ntication configuration us ing the aut hco nf ig utility, the systemauth and password-auth file s are ove rwritte n with the s e ttings from the aut hco nf ig utility. This can be avoide d by cre ating s ymbolic links in place of the configuration file s , which aut hco nf ig re cognize s and doe s not ove rwrite . In orde r to us e cus tom s e ttings in the configuration file s and aut hco nf ig s imultane ous ly, configure account locking us ing the following s te ps :
1. Che ck whe the r the system-auth and password-auth file s are alre ady s ymbolic links pointing to system-auth-ac and password-auth-ac (this is the s ys te m de fault):
~]# ls -l /etc/pam.d/{password,system}-auth
If the output is s imilar to the following, the s ymbolic links are in place , and you can s kip to s te p numbe r 3: lrwxrwxrwx. 1 root root 16 24. Feb 09.29 /etc/pam.d/password-auth
-> password-auth-ac lrwxrwxrwx. 1 root root 28 24. Feb 09.29 /etc/pam.d/system-auth -> system-auth-ac
If the system-auth and password-auth file s are not s ymbolic links , continue with the ne xt s te p.
2. Re name the configuration file s :
~]# mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
~]# mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
3. Cre ate configuration file s with your cus tom s e ttings :
~]# vi /etc/pam.d/system-auth-local
The /etc/pam.d/system-auth-local file s hould contain the following line s :
33

Se curit y Guide auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 auth include system-auth-ac auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600 account required pam_faillock.so
account include system-auth-ac password include system-auth-ac session include system-auth-ac
~]# vi /etc/pam.d/password-auth-local
The /etc/pam.d/password-auth-local file s hould contain the following line s : auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 auth include password-auth-ac auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600 account required pam_faillock.so
account include password-auth-ac password include password-auth-ac session include password-auth-ac
4. Cre ate the following s ymbolic links :
~]# ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
~]# ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth
For more information on various pam_faillock configuration options , s e e the pam_faillock(8) manual page .
Us e rs may ne e d to le ave the ir works tation unatte nde d for a numbe r of re as ons during e ve ryday ope ration. This could pre s e nt an opportunity for an attacke r to phys ically acce s s the machine , e s pe cially in e nvironme nts with ins ufficie nt phys ical s e curity me as ure s (s e e
Se ction 1.2.1, “Phys ical Controls ”
). Laptops are e s pe cially e xpos e d s ince the ir mobility inte rfe re s with phys ical s e curity. You can alle viate the s e ris ks by us ing s e s s ion locking fe ature s which pre ve nt acce s s to the s ys te m until a corre ct pas s word is e nte re d.
34

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Note
The main advantage of locking the s cre e n ins te ad of logging out is that a lock allows the us e r's proce s s e s (s uch as file trans fe rs ) to continue running. Logging out would s top the s e proce s s e s .
Us e rs may als o ne e d to lock a virtual cons ole . This can be done us ing a utility calle d vlock . To ins tall this utility, e xe cute the following command as root:
~]# yum install vlock
Afte r ins tallation, any cons ole s e s s ion can be locke d us ing the vlock command without any additional parame te rs . This locks the curre ntly active virtual cons ole s e s s ion while s till allowing acce s s to the othe rs . To pre ve nt acce s s to all virtual cons ole s on the works tation, e xe cute the following:
vlock -a
In this cas e , vlock locks the curre ntly active cons ole and the -a option pre ve nts s witching to othe r virtual cons ole s .
Se e the vlock(1) man page for additional information.
Important
The re are s e ve ral known is s ue s re le vant to the ve rs ion of vlock curre ntly available for Re d Hat Ente rpris e Linux 7:
The program doe s not curre ntly allow unlocking cons ole s us ing the root pas s word. Additional information can be found in BZ# 895066 .
Locking a cons ole doe s not cle ar the s cre e n and s crollback buffe r, allowing anyone with phys ical acce s s to the works tation to vie w pre vious ly is s ue d commands and any output dis playe d in the cons ole . Se e BZ# 807369 for more information.
To e nforce re ad-only mounting of re movable me dia (s uch as USB flas h dis ks ), the adminis trator can us e a udev rule to de te ct re movable me dia and configure the m to be mounte d re ad-only us ing the blo ckdev utility. This is s ufficie nt for e nforcing re ad-only mounting of phys ical me dia.
To force all re movable me dia to be mounte d re ad-only, cre ate a ne w udev configuration file name d, for e xample , 80-readonly-removables.rules
in the /etc/udev/rules.d/ dire ctory with the following conte nt:
35

Se curit y Guide
SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev -setro %N"
The above udev rule e ns ure s that any ne wly conne cte d re movable block (s torage ) de vice is automatically configure d as re ad-only us ing the blockdev utility.
For the s e s e ttings to take e ffe ct, the ne w udev rule s ne e d to be applie d. The udev s e rvice automatically de te cts change s to its configuration file s , but ne w s e ttings are not applie d to alre ady e xis ting de vice s . Only ne wly conne cte d de vice s are affe cte d by the ne w s e ttings . The re fore , you ne e d to unmount and unplug all conne cte d re movable me dia to e ns ure that the ne w s e ttings are applie d to the m whe n the y are ne xt plugge d in.
To force udev to re -apply all rule s to alre ady e xis ting de vice s , run the following command as root :
~# udevadm trigger
Note that forcing udev to re -apply all rule s us ing the above command doe s not affe ct any s torage de vice s that are alre ady mounte d.
To force udev to re load all rule s (in cas e the ne w rule s are not automatically de te cte d for s ome re as on), us e the following command:
~# udevadm control --reload
Whe n adminis te ring a home machine , the us e r mus t pe rform s ome tas ks as the root us e r or by acquiring e ffe ctive root privile ge s via a setuid program, s uch as sudo or su . A s e tuid program is one that ope rate s with the us e r ID (UID) of the program's owne r rathe r than the us e r ope rating the program. Such programs are de note d by an s in the owne r s e ction of a long format lis ting, as in the following e xample :
~]$ ls -l /bin/su
-rwsr-xr-x. 1 root root 34904 Mar 10 2011 /bin/su
Note
The s may be uppe r cas e or lowe r cas e . If it appe ars as uppe r cas e , it me ans that the unde rlying pe rmis s ion bit has not be e n s e t.
For the s ys te m adminis trator of an organization, howe ve r, choice s mus t be made as to how much adminis trative acce s s us e rs within the organization s hould have to the ir machine s . Through a PAM module calle d pam_console.so
, s ome activitie s normally re s e rve d only for the root us e r, s uch as re booting and mounting re movable me dia, are allowe d for the firs t us e r that logs in at the phys ical cons ole . Howe ve r, othe r important
36

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s s ys te m adminis tration tas ks , s uch as alte ring ne twork s e ttings , configuring a ne w mous e , or mounting ne twork de vice s , are not pos s ible without adminis trative privile ge s . As a re s ult, s ys te m adminis trators mus t de cide how much acce s s the us e rs on the ir ne twork s hould re ce ive .
If an adminis trator is uncomfortable allowing us e rs to log in as root for the s e or othe r re as ons , the root pas s word s hould be ke pt s e cre t, and acce s s to runle ve l one or s ingle us e r mode s hould be dis allowe d through boot loade r pas s word prote ction (s e e
Se ction 4.2.5, “Se curing the Boot Loade r” for more information on this topic.)
The following are four diffe re nt ways that an adminis trator can furthe r e ns ure that root logins are dis allowe d:
Changing t he ro o t shell
To pre ve nt us e rs from logging in dire ctly as root , the s ys te m adminis trator can s e t the root account's s he ll to /sbin/nologin in the /etc/passwd file .
T able 4.2. Disabling t he Ro o t Shell
Ef f ect s
Pre ve nts acce s s to a root s he ll and logs any s uch atte mpts . The following programs are pre ve nte d from acce s s ing the root account: login gdm kdm xdm su ssh scp sftp
Do es No t Af f ect
Programs that do not re quire a s he ll, s uch as FTP clie nts , mail clie nts , and many s e tuid programs . The following programs are not pre ve nte d from acce s s ing the root account: sudo
FTP clie nts
Email clie nts
Disabling ro o t access via any co nso le device (t t y)
To furthe r limit acce s s to the root account, adminis trators can dis able root logins at the cons ole by e diting the /etc/securetty file . This file lis ts all de vice s the root us e r is allowe d to log into. If the file doe s not e xis t at all, the root us e r can log in through any communication de vice on the s ys te m, whe the r via the cons ole or a raw ne twork inte rface . This is dange rous , be caus e a us e r can log in to the ir machine as root via Te lne t, which trans mits the pas s word in plain te xt ove r the ne twork.
By de fault, Re d Hat Ente rpris e Linux 7's /etc/securetty file only allows the root us e r to log in at the cons ole phys ically attache d to the machine . To pre ve nt the root us e r from logging in, re move the conte nts of this file by typing the following command at a s he ll prompt as root : echo > /etc/securetty
To e nable securetty s upport in the KDM, GDM, and XDM login manage rs , add the following line :
37

Se curit y Guide auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
to the file s lis te d be low:
/etc/pam.d/gdm
/etc/pam.d/gdm-autologin
/etc/pam.d/gdm-fingerprint
/etc/pam.d/gdm-password
/etc/pam.d/gdm-smartcard
/etc/pam.d/kdm
/etc/pam.d/kdm-np
/etc/pam.d/xdm
Warning
A blank /etc/securetty file doe s not pre ve nt the root us e r from logging in re mote ly us ing the Ope nSSH s uite of tools be caus e the cons ole is not ope ne d until afte r authe ntication.
T able 4.3. Disabling Ro o t Lo gins
Ef f ect s
Pre ve nts acce s s to the root account via the cons ole or the ne twork. The following programs are pre ve nte d from acce s s ing the root account: login gdm kdm xdm
Othe r ne twork s e rvice s that ope n a tty
Do es No t Af f ect
Programs that do not log in as root , but pe rform adminis trative tas ks through s e tuid or othe r me chanis ms .
The following programs are not pre ve nte d from acce s s ing the root account: su sudo ssh scp sftp
Disabling ro o t SSH lo gins
To pre ve nt root logins via the SSH protocol, e dit the SSH dae mon's configuration file , /etc/ssh/sshd_config , and change the line that re ads :
#PermitRootLogin yes to re ad as follows :
PermitRootLogin no
38

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
T able 4.4. Disabling Ro o t SSH Lo gins
Ef f ect s
Pre ve nts root acce s s via the
Ope nSSH s uite of tools . The following programs are pre ve nte d from acce s s ing the root account: ssh scp sftp
Do es No t Af f ect
Programs that are not part of the
Ope nSSH s uite of tools .
Using PAM t o limit ro o t access t o services
PAM, through the /lib/security/pam_listfile.so
module , allows gre at fle xibility in de nying s pe cific accounts . The adminis trator can us e this module to re fe re nce a lis t of us e rs who are not allowe d to log in. To limit root acce s s to a s ys te m s e rvice , e dit the file for the targe t s e rvice in the /etc/pam.d/ dire ctory and make s ure the pam_listfile.so
module is re quire d for authe ntication.
The following is an e xample of how the module is us e d for the vsftpd FTP s e rve r in the /etc/pam.d/vsftpd PAM configuration file (the \ characte r at the e nd of the firs t line is not ne ce s s ary if the dire ctive is on a s ingle line ): auth required /lib/security/pam_listfile.so item=user \ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
This ins tructs PAM to cons ult the /etc/vsftpd.ftpusers
file and de ny acce s s to the s e rvice for any lis te d us e r. The adminis trator can change the name of this file , and can ke e p s e parate lis ts for e ach s e rvice or us e one ce ntral lis t to de ny acce s s to multiple s e rvice s .
If the adminis trator wants to de ny acce s s to multiple s e rvice s , a s imilar line can be adde d to the PAM configuration file s , s uch as /etc/pam.d/pop and
/etc/pam.d/imap for mail clie nts , or /etc/pam.d/ssh for SSH clie nts .
For more information about PAM, s e e The Linux-PAM System Administrator's Guide, locate d in the /usr/share/doc/pam-<version>/html/ dire ctory.
T able 4.5. Disabling Ro o t Using PAM
39

Se curit y Guide
Ef f ect s
Pre ve nts root acce s s to ne twork s e rvice s that are PAM aware . The following s e rvice s are pre ve nte d from acce s s ing the root account: login gdm kdm xdm ssh scp sftp
FTP clie nts
Email clie nts
Any PAM aware s e rvice s
Do es No t Af f ect
Programs and s e rvice s that are not
PAM aware .
If the us e rs within an organization are trus te d and compute r-lite rate , the n allowing the m root acce s s may not be an is s ue . Allowing root acce s s by us e rs me ans that minor activitie s , like adding de vice s or configuring ne twork inte rface s , can be handle d by the individual us e rs , le aving s ys te m adminis trators fre e to de al with ne twork s e curity and othe r important is s ue s .
On the othe r hand, giving root acce s s to individual us e rs can le ad to the following is s ue s :
Machine Misconfiguration — Us e rs with root acce s s can mis configure the ir machine s and re quire as s is tance to re s olve is s ue s . Eve n wors e , the y might ope n up s e curity hole s without knowing it.
Running Insecure Services — Us e rs with root acce s s might run ins e cure s e rve rs on the ir machine , s uch as FTP or Te lne t, pote ntially putting us e rname s and pas s words at ris k. The s e s e rvice s trans mit this information ove r the ne twork in plain te xt.
Running Email Attachments As Root — Although rare , e mail virus e s that affe ct Linux do e xis t. A malicious program pos e s the gre ate s t thre at whe n run by the root us e r.
Keeping the audit trail intact — Be caus e the root account is ofte n s hare d by multiple us e rs , s o that multiple s ys te m adminis trators can maintain the s ys te m, it is impos s ible to figure out which of thos e us e rs was root at a give n time . Whe n us ing s e parate logins , the account a us e r logs in with, as we ll as a unique numbe r for s e s s ion tracking purpos e s , is put into the tas k s tructure , which is inhe rite d by e ve ry proce s s that the us e r s tarts . Whe n us ing concurre nt logins , the unique numbe r can be us e d to trace actions to s pe cific logins . Whe n an action ge ne rate s an audit e ve nt, it is re corde d with the login account and the s e s s ion as s ociate d with that unique numbe r. Us e the aulast command to vie w the s e logins and s e s s ions . The --proof option of the aulast command can be us e d s ugge s t a s pe cific ausearch que ry to is olate auditable e ve nts ge ne rate d by a particular s e s s ion. For more information about the Audit s ys te m, s e e
Chapte r 5, System Auditing .
40

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Rathe r than comple te ly de nying acce s s to the root us e r, the adminis trator may want to allow acce s s only via s e tuid programs , s uch as su or sudo . For more information on su and sudo , s e e the Gaining Privile ge s chapte r in Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide , and the su(1) and sudo(8) man page s .
Whe n the us e r is logge d in as root , an unatte nde d login s e s s ion may pos e a s ignificant s e curity ris k. To re duce this ris k, you can configure the s ys te m to automatically log out idle us e rs afte r a fixe d pe riod of time .
1. As root , add the following line at the be ginning of the /etc/profile file to make s ure the proce s s ing of this file cannot be inte rrupte d: trap "" 1 2 3 15
2. As root , ins e rt the following line s to the /etc/profile file to automatically log out afte r 120 s e conds : export TMOUT=120 readonly TMOUT
The TMOUT variable te rminate s the s he ll if the re is no activity for the s pe cifie d numbe r of s e conds (s e t to 120 in the above e xample ). You can change the limit according to the ne e ds of the particular ins tallation.
The primary re as ons for pas s word prote cting a Linux boot loade r are as follows :
1. Preventing Access to Single User Mode — If attacke rs can boot the s ys te m into s ingle us e r mode , the y are logge d in automatically as root without be ing prompte d for the root pas s word.
Warning
Prote cting acce s s to s ingle us e r mode with a pas s word by e diting the SINGLE parame te r in the /etc/sysconfig/init file is not re comme nde d. An attacke r can bypas s the pas s word by s pe cifying a cus tom initial command (us ing the init= parame te r) on the ke rne l command line in GRUB 2. It is re comme nde d to pas s word-prote ct the GRUB 2 boot loade r, as de s cribe d in the GRUB 2
Pas s word Prote ction chapte r in Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide .
2. Preventing Access to the GRUB 2 Console — If the machine us e s GRUB 2 as its boot loade r, an attacke r can us e the GRUB 2 e ditor inte rface to change its configuration or to gathe r information us ing the cat command.
3. Preventing Access to Insecure Operating Systems — If it is a dual-boot s ys te m, an attacke r can s e le ct an ope rating s ys te m at boot time , for e xample DOS, which ignore s acce s s controls and file pe rmis s ions .
41

Se curit y Guide
Re d Hat Ente rpris e Linux 7 s hips with the GRUB 2 boot loade r on the Inte l 64 and AMD64 platform. For a de taile d look at GRUB 2, s e e the Working With the GRUB 2 Boot Loade r chapte r in Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide .
Pre s s ing the I ke y at the be ginning of the boot s e que nce allows you to s tart up your s ys te m inte ractive ly. During an inte ractive s tartup, the s ys te m prompts you to s tart up e ach s e rvice one by one . Howe ve r, this may allow an attacke r who gains phys ical acce s s to your s ys te m to dis able the s e curity-re late d s e rvice s and gain acce s s to the s ys te m.
To pre ve nt us e rs from s tarting up the s ys te m inte ractive ly, as root , dis able the PROMPT parame te r in the /etc/sysconfig/init file :
PROMPT=no
To pre ve nt malicious us e rs from e xploiting pote ntial vulne rabilitie s caus e d by unprote cte d hard and s ymbolic links , Re d Hat Ente rpris e Linux 7 include s a fe ature that only allows links to be cre ate d or followe d provide d ce rtain conditions are me t.
In cas e of hard links , one of the following ne e ds to be true :
The us e r owns the file to which the y link.
The us e r alre ady has re ad and write acce s s to the file to which the y link.
In cas e of s ymbolic links , proce s s e s are only pe rmitte d to follow links whe n outs ide of world-write able dire ctorie s with s ticky bits , or one of the following ne e ds to be true :
The proce s s following the s ymbolic link is the owne r of the s ymbolic link.
The owne r of the dire ctory is the s ame as the owne r of the s ymbolic link.
This prote ction is turne d on by de fault. It is controlle d by the following options in the
/usr/lib/sysctl.d/50-default.conf
file : fs.protected_hardlinks = 1 fs.protected_symlinks = 1
To ove rride the de fault s e ttings and dis able the prote ction, cre ate a ne w configuration file calle d, for e xample , 51-no-protect-links.conf
in the /etc/sysctl.d/ dire ctory with the following conte nt: fs.protected_hardlinks = 0 fs.protected_symlinks = 0
42

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Note
Note that in orde r to ove rride the de fault s ys te m s e ttings , the ne w configuration file ne e ds to have the .conf
e xte ns ion, and it ne e ds to be re ad after the de fault s ys te m file (the file s are re ad in le xicographic orde r, the re fore s e ttings containe d in a file with a highe r numbe r at the be ginning of the file name take pre ce de nce ).
Se e the s ys ctl.d(5) manual page for more de taile d information about the configuration of ke rne l parame te rs at boot us ing the sysctl me chanis m.
While us e r acce s s to adminis trative controls is an important is s ue for s ys te m adminis trators within an organization, monitoring which ne twork s e rvice s are active is of paramount importance to anyone who adminis te rs and ope rate s a Linux s ys te m.
Many s e rvice s unde r Re d Hat Ente rpris e Linux 7 are ne twork s e rve rs . If a ne twork s e rvice is running on a machine , the n a s e rve r application (calle d a daemon), is lis te ning for conne ctions on one or more ne twork ports . Each of the s e s e rve rs s hould be tre ate d as a pote ntial ave nue of attack.
Ne twork s e rvice s can pos e many ris ks for Linux s ys te ms . Be low is a lis t of s ome of the primary is s ue s :
Denial of Service Attacks (DoS) — By flooding a s e rvice with re que s ts , a de nial of s e rvice attack can re nde r a s ys te m unus able as it trie s to log and ans we r e ach re que s t.
Distributed Denial of Service Attack (DDoS) — A type of DoS attack which us e s multiple compromis e d machine s (ofte n numbe ring in the thous ands or more ) to dire ct a coordinate d attack on a s e rvice , flooding it with re que s ts and making it unus able .
Script Vulnerability Attacks — If a s e rve r is us ing s cripts to e xe cute s e rve r-s ide actions , as We b s e rve rs commonly do, an attacke r can targe t imprope rly writte n s cripts . The s e s cript vulne rability attacks can le ad to a buffe r ove rflow condition or allow the attacke r to alte r file s on the s ys te m.
Buffer Overflow Attacks — Se rvice s that want to lis te n on ports 1 through 1023 mus t s tart e ithe r with adminis trative privile ge s or the CAP_NET_BIND_SERVICE capability ne e ds to be s e t for the m. Once a proce s s is bound to a port and is lis te ning on it, the privile ge s or the capability are ofte n droppe d. If the privile ge s or the capability are not droppe d, and the application has an e xploitable buffe r ove rflow, an attacke r could gain acce s s to the s ys te m as the us e r running the dae mon. Be caus e e xploitable buffe r ove rflows e xis t, cracke rs us e automate d tools to ide ntify s ys te ms with vulne rabilitie s , and once the y have gaine d acce s s , the y us e automate d rootkits to maintain the ir acce s s to the s ys te m.
43

Se curit y Guide
Note
The thre at of buffe r ove rflow vulne rabilitie s is mitigate d in Re d Hat
Ente rpris e Linux 7 by ExecShield, an e xe cutable me mory s e gme ntation and prote ction te chnology s upporte d by x86-compatible uni- and multi-proce s s or ke rne ls .
Exe cShie ld re duce s the ris k of buffe r ove rflow by s e parating virtual me mory into e xe cutable and non-e xe cutable s e gme nts . Any program code that trie s to e xe cute outs ide of the e xe cutable s e gme nt (s uch as malicious code inje cte d from a buffe r ove rflow e xploit) trigge rs a s e gme ntation fault and te rminate s .
Exe cs hie ld als o include s s upport for No eXecute (NX) te chnology on AMD64 platforms and Inte l® 64 s ys te ms . The s e te chnologie s work in conjunction with
Exe cShie ld to pre ve nt malicious code from running in the e xe cutable portion of virtual me mory with a granularity of 4KB of e xe cutable code , lowe ring the ris k of attack from buffe r ove rflow e xploits .
Important
To limit e xpos ure to attacks ove r the ne twork, all s e rvice s that are unus e d s hould be turne d off.
To e nhance s e curity, mos t ne twork s e rvice s ins talle d with Re d Hat Ente rpris e Linux 7 are turne d off by de fault. The re are , howe ve r, s ome notable e xce ptions : cups — The de fault print s e rve r for Re d Hat Ente rpris e Linux 7.
cups-lpd — An alte rnative print s e rve r.
xinetd — A s upe r s e rve r that controls conne ctions to a range of s ubordinate s e rve rs , s uch as gssftp and telnet .
sshd — The Ope nSSH s e rve r, which is a s e cure re place me nt for Te lne t.
Whe n de te rmining whe the r to le ave the s e s e rvice s running, it is be s t to us e common s e ns e and avoid taking any ris ks . For e xample , if a printe r is not available , do not le ave cups running. The s ame is true for portreserve . If you do not mount NFSv3 volume s or us e NIS (the ypbind s e rvice ), the n rpcbind s hould be dis able d. Che cking which ne twork s e rvice s are available to s tart at boot time is not s ufficie nt. It is re comme nde d to als o
che ck which ports are ope n and lis te ning. Re fe r to Se ction 4.4.2, “Ve rifying Which Ports Are
Lis te ning” for more information.
Pote ntially, any ne twork s e rvice is ins e cure . This is why turning off unus e d s e rvice s is s o important. Exploits for s e rvice s are routine ly re ve ale d and patche d, making it ve ry important to re gularly update package s as s ociate d with any ne twork s e rvice . Se e
Chapte r 3, Keeping Your System Up-to-Date
for more information.
Some ne twork protocols are inhe re ntly more ins e cure than othe rs . The s e include any s e rvice s that:
44

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Transmit Usernames and Passwords Over a Network Unencrypted — Many olde r protocols , s uch as Te lne t and FTP, do not e ncrypt the authe ntication s e s s ion and s hould be avoide d whe ne ve r pos s ible .
Transmit Sensitive Data Over a Network Unencrypted — Many protocols trans mit data ove r the ne twork une ncrypte d. The s e protocols include Te lne t, FTP, HTTP, and SMTP.
Many ne twork file s ys te ms , s uch as NFS and SMB, als o trans mit information ove r the ne twork une ncrypte d. It is the us e r's re s pons ibility whe n us ing the s e protocols to limit what type of data is trans mitte d.
Example s of inhe re ntly ins e cure s e rvice s include rlogin , rsh , telnet , and vsftpd .
All re mote login and s he ll programs ( rlogin , rsh , and telnet ) s hould be avoide d in favor of SSH . Se e
Se ction 4.3.11, “Se curing SSH” for more information about
sshd .
FTP is not as inhe re ntly dange rous to the s e curity of the s ys te m as re mote s he lls , but
FTP s e rve rs mus t be care fully configure d and monitore d to avoid proble ms . Se e
Se ction 4.3.9, “Se curing FTP” for more information about s e curing
FTP s e rve rs .
Se rvice s that s hould be care fully imple me nte d and be hind a fire wall include : auth nfs-server smb and nbm (Samba) yppasswdd ypserv ypxfrd
More information on s e curing ne twork s e rvice s is available in Se ction 4.4, “Se curing
Ne twork Acce s s ” .
The rpcbind s e rvice is a dynamic port as s ignme nt dae mon for RPC s e rvice s s uch as NIS and NFS. It has we ak authe ntication me chanis ms and has the ability to as s ign a wide range of ports for the s e rvice s it controls . For the s e re as ons , it is difficult to s e cure .
Note
Se curing rpcbind only affe cts NFSv2 and NFSv3 imple me ntations , s ince NFSv4 no longe r re quire s it. If you plan to imple me nt an NFSv2 or NFSv3 s e rve r, the n rpcbind is re quire d, and the following s e ction applie s .
If running RPC s e rvice s , follow the s e bas ic rule s .
It is important to us e TCP Wrappe rs to limit which ne tworks or hos ts have acce s s to the rpcbind s e rvice s ince it has no built-in form of authe ntication.
45

Se curit y Guide
Furthe r, us e only IP addre s s e s whe n limiting acce s s to the s e rvice . Avoid us ing hos tname s , as the y can be forge d by DNS pois oning and othe r me thods .
To furthe r re s trict acce s s to the rpcbind s e rvice , it is a good ide a to add firewalld rule s to the s e rve r and re s trict acce s s to s pe cific ne tworks .
Be low are two e xample firewalld rich language commands . The firs t allows TCP conne ctions to the port 111 (us e d by the rpcbind s e rvice ) from the 192.168.0.0/24 ne twork. The s e cond allows TCP conne ctions to the s ame port from the localhos t. All othe r packe ts are droppe d.
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop'
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept'
To s imilarly limit UDP traffic, us e the following command:
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop'
Note
Add --permanent to the firewalld rich language commands to make the s e ttings pe rmane nt. Se e
Se ction 4.5, “Us ing Fire walls ”
for more information about imple me nting fire walls .
The rpc.mountd
dae mon imple me nts the s e rve r s ide of the NFS MOUNT protocol, a protocol us e d by NFS ve rs ion 2 ( RFC 1904 ) and NFS ve rs ion 3 ( RFC 1813 ).
If running RPC s e rvice s , follow the s e bas ic rule s .
It is important to us e TCP Wrappe rs to limit which ne tworks or hos ts have acce s s to the rpc.mountd
s e rvice s ince it has no built-in form of authe ntication.
Furthe r, us e only IP addre s s e s whe n limiting acce s s to the s e rvice . Avoid us ing hos t name s , as the y can be forge d by DNS pois oning and othe r me thods .
To furthe r re s trict acce s s to the rpc.mountd
s e rvice , add firewalld rich language rule s to the s e rve r and re s trict acce s s to s pe cific ne tworks .
Be low are two e xample firewalld rich language commands . The firs t allows mountd conne ctions from the 192.168.0.0/24 ne twork. The s e cond allows mountd conne ctions from the local hos t. All othe r packe ts are droppe d.
46

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source NOT address="192.168.0.0/24" service name="mountd" drop'
~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="127.0.0.1" service name="mountd" accept'
Note
Add --permanent to the firewalld rich language commands to make the s e ttings pe rmane nt. Se e
Se ction 4.5, “Us ing Fire walls ”
for more information about imple me nting fire walls .
The Network Information Service (NIS) is an RPC s e rvice , calle d ypserv , which is us e d in conjunction with rpcbind and othe r re late d s e rvice s to dis tribute maps of us e rname s , pas s words , and othe r s e ns itive information to any compute r claiming to be within its domain.
A NIS s e rve r is compris e d of s e ve ral applications . The y include the following:
/usr/sbin/rpc.yppasswdd
— Als o calle d the yppasswdd s e rvice , this dae mon allows us e rs to change the ir NIS pas s words .
/usr/sbin/rpc.ypxfrd
— Als o calle d the ypxfrd s e rvice , this dae mon is re s pons ible for NIS map trans fe rs ove r the ne twork.
/usr/sbin/ypserv — This is the NIS s e rve r dae mon.
NIS is s ome what ins e cure by today's s tandards . It has no hos t authe ntication me chanis ms and trans mits all of its information ove r the ne twork une ncrypte d, including pas s word has he s . As a re s ult, e xtre me care mus t be take n whe n s e tting up a ne twork that us e s
NIS. This is furthe r complicate d by the fact that the de fault configuration of NIS is inhe re ntly ins e cure .
It is re comme nde d that anyone planning to imple me nt a NIS s e rve r firs t s e cure the rpcbind s e rvice as outline d in
Se ction 4.3.4, “Se curing rpcbind”
, the n addre s s the following is s ue s , s uch as ne twork planning.
Be caus e NIS trans mits s e ns itive information une ncrypte d ove r the ne twork, it is important the s e rvice be run be hind a fire wall and on a s e gme nte d and s e cure ne twork. Whe ne ve r
NIS information is trans mitte d ove r an ins e cure ne twork, it ris ks be ing inte rce pte d. Care ful ne twork de s ign can he lp pre ve nt s e ve re s e curity bre ache s .
Any machine within a NIS domain can us e commands to e xtract information from the s e rve r without authe ntication, as long as the us e r knows the NIS s e rve r's DNS hos tname and NIS domain name .
For ins tance , if s ome one e ithe r conne cts a laptop compute r into the ne twork or bre aks into the ne twork from outs ide (and manage s to s poof an inte rnal IP addre s s ), the following command re ve als the /etc/passwd map:
47

Se curit y Guide
ypcat -d <NIS_domain> -h <DNS_hostname> passwd
If this attacke r is a root us e r, the y can obtain the /etc/shadow file by typing the following command:
ypcat -d <NIS_domain> -h <DNS_hostname> shadow
Note
If Ke rbe ros is us e d, the /etc/shadow file is not s tore d within a NIS map.
To make acce s s to NIS maps harde r for an attacke r, cre ate a random s tring for the DNS hos tname , s uch as o7hfawtgmhwg.domain.com
. Similarly, cre ate a different randomize d
NIS domain name . This make s it much more difficult for an attacke r to acce s s the NIS s e rve r.
/var/yp/securenets
If the /var/yp/securenets file is blank or doe s not e xis t (as is the cas e afte r a de fault ins tallation), NIS lis te ns to all ne tworks . One of the firs t things to do is to put ne tmas k/ne twork pairs in the file s o that ypserv only re s ponds to re que s ts from the appropriate ne twork.
Be low is a s ample e ntry from a /var/yp/securenets file :
255.255.255.0 192.168.0.0
Warning
Ne ve r s tart a NIS s e rve r for the firs t time without cre ating the /var/yp/securenets file .
This te chnique doe s not provide prote ction from an IP s poofing attack, but it doe s at le as t place limits on what ne tworks the NIS s e rve r s e rvice s .
All of the s e rve rs re late d to NIS can be as s igne d s pe cific ports e xce pt for rpc.yppasswdd
— the dae mon that allows us e rs to change the ir login pas s words . As s igning ports to the othe r two NIS s e rve r dae mons , rpc.ypxfrd
and ypserv , allows for the cre ation of fire wall rule s to furthe r prote ct the NIS s e rve r dae mons from intrude rs .
To do this , add the following line s to /etc/sysconfig/network :
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
The following rich language firewalld rule s can the n be us e d to e nforce which ne twork the s e rve r lis te ns to for the s e ports :
48

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="tcp" drop'
~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="udp" drop'
This me ans that the s e rve r only allows conne ctions to ports 834 and 835 if the re que s ts come from the 192.168.0.0/24 ne twork. The firs t rule is for TCP and the s e cond for UDP .
Note
Se e
Se ction 4.5, “Us ing Fire walls ”
for more information about imple me nting fire walls with iptable s commands .
One of the is s ue s to cons ide r whe n NIS is us e d for authe ntication is that whe ne ve r a us e r logs into a machine , a pas s word has h from the /etc/shadow map is s e nt ove r the ne twork. If an intrude r gains acce s s to a NIS domain and s niffs ne twork traffic, the y can colle ct us e rname s and pas s word has he s . With e nough time , a pas s word cracking program can gue s s we ak pas s words , and an attacke r can gain acce s s to a valid account on the ne twork.
Since Ke rbe ros us e s s e cre t-ke y cryptography, no pas s word has he s are e ve r s e nt ove r the ne twork, making the s ys te m far more s e cure . Se e the Authe ntication: Ke rbe ros KDC s e ction in the Linux Domain Ide ntity, Authe ntication, and Policy Guide for more information about Ke rbe ros .
Important
NFS traffic can be s e nt us ing TCP in all ve rs ions , it s hould be us e d with NFSv3, rathe r than UDP, and is re quire d whe n us ing NFSv4. All ve rs ions of NFS s upport
Ke rbe ros us e r and group authe ntication, as part of the RPCSEC_GSS ke rne l module .
Information on rpcbind is s till include d, s ince Re d Hat Ente rpris e Linux 7 s upports
NFSv3 which utilize s rpcbind .
NFSv2 and NFSv3 traditionally pas s e d data ins e cure ly. All ve rs ions of NFS now have the ability to authe nticate (and optionally e ncrypt) ordinary file s ys te m ope rations us ing
Ke rbe ros . Unde r NFSv4 all ope rations can us e Ke rbe ros ; unde r v2 or v3, file locking and mounting s till do not us e it. Whe n us ing NFSv4.0, de le gations may be turne d off if the clie nts are be hind NAT or a fire wall. For information on the us e of NFSv4.1 to allow de le gations to ope rate through NAT and fire walls , s e e the pNFS s e ction of the Re d Hat
Ente rpris e Linux 7 Storage Adminis tration Guide .
49

Se curit y Guide
The us e of the mount command in the /etc/fstab file is e xplaine d in the Us ing the mount
Command chapte r of the Re d Hat Ente rpris e Linux 7 Storage Adminis tration Guide . From a s e curity adminis tration point of vie w it is worthwhile to note that the NFS mount options can als o be s pe cifie d in /etc/nfsmount.conf
, which can be us e d to s e t cus tom de fault options .
4.3.7.2.1. Review t he NFS Server
Warning
Only e xport e ntire file s ys te ms . Exporting a s ubdire ctory of a file s ys te m can be a s e curity is s ue . It is pos s ible in s ome cas e s for a clie nt to "bre ak out" of the e xporte d part of the file s ys te m and ge t to une xporte d parts (s e e the s e ction on s ubtre e che cking in the exports(5) man page .
Us e the ro option to e xport the file s ys te m as re ad-only whe ne ve r pos s ible to re duce the numbe r of us e rs able to write to the mounte d file s ys te m. Only us e the rw option whe n s pe cifically re quire d. Se e the man exports(5) page for more information. Allowing write acce s s incre as e s the ris k from s ymlink attacks for e xample . This include s te mporary dire ctorie s s uch as /tmp and /usr/tmp .
Whe re dire ctorie s mus t be mounte d with the rw option avoid making the m world-writable whe ne ve r pos s ible to re duce ris k. Exporting home dire ctorie s is als o vie we d as a ris k as s ome applications s tore pas s words in cle ar te xt or we akly e ncrypte d. This ris k is be ing re duce d as application code is re vie we d and improve d. Some us e rs do not s e t pas s words on the ir SSH ke ys s o this too me ans home dire ctorie s pre s e nt a ris k. Enforcing the us e of pas s words or us ing Ke rbe ros would mitigate that ris k.
Re s trict e xports only to clie nts that ne e d acce s s . Us e the showmount -e command on an
NFS s e rve r to re vie w what the s e rve r is e xporting. Do not e xport anything that is not s pe cifically re quire d.
Do not us e the no_root_squash option and re vie w e xis ting ins tallations to make s ure it is not us e d. Se e
Se ction 4.3.7.4, “Do Not Us e the no_root_s quas h Option”
for more information.
The secure option is the s e rve r-s ide e xport option us e d to re s trict e xports to “re s e rve d” ports . By de fault, the s e rve r allows clie nt communication only from “re s e rve d” ports (ports numbe re d le s s than 1024), be caus e traditionally clie nts have only allowe d “trus te d” code
(s uch as in-ke rne l NFS clie nts ) to us e thos e ports . Howe ve r, on many ne tworks it is not difficult for anyone to be come root on s ome clie nt, s o it is rare ly s afe for the s e rve r to as s ume that communication from a re s e rve d port is privile ge d. The re fore the re s triction to re s e rve d ports is of limite d value ; it is be tte r to re ly on Ke rbe ros , fire walls , and re s triction of e xports to particular clie nts .
Mos t clie nts s till do us e re s e rve d ports whe n pos s ible . Howe ve r, re s e rve d ports are a limite d re s ource , s o clie nts (e s pe cially thos e with a large numbe r of NFS mounts ) may choos e to us e highe r-numbe re d ports as we ll. Linux clie nts may do this us ing the
“nore s vport” mount option. If you want to allow this on an e xport, you may do s o with the
“ins e cure ” e xport option.
It is good practice not to allow us e rs to login to a s e rve r. While re vie wing the above s e ttings on an NFS s e rve r conduct a re vie w of who and what can acce s s the s e rve r.
4.3.7.2.2. Review t he NFS Client
50

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Us e the nosuid option to dis allow the us e of a set uid program. The nosuid option dis able s the set-user-identifier or set-group-identifier bits . This pre ve nts re mote us e rs from gaining highe r privile ge s by running a s e tuid program. Us e this option on the clie nt and the s e rve r s ide .
The noexec option dis able s all e xe cutable file s on the clie nt. Us e this to pre ve nt us e rs from inadve rte ntly e xe cuting file s place d in the file s ys te m be ing s hare d. The nosuid and noexec options are s tandard options for mos t, if not all, file s ys te ms .
Us e the nodev option to pre ve nt “de vice -file s ” from be ing proce s s e d as a hardware de vice by the clie nt.
The resvport option is a clie nt-s ide mount option and secure is the corre s ponding s e rve r-s ide e xport option (s e e e xplanation above ). It re s tricts communication to a
"re s e rve d port". The re s e rve d or "we ll known" ports are re s e rve d for privile ge d us e rs and proce s s e s s uch as the root us e r. Se tting this option caus e s the clie nt to us e a re s e rve d s ource port to communicate with the s e rve r.
All ve rs ions of NFS now s upport mounting with Ke rbe ros authe ntication. The mount option to e nable this is : sec=krb5 .
NFSv4 s upports mounting with Ke rbe ros us ing krb5i for inte grity and krb5p for privacy prote ction. The s e are us e d whe n mounting with sec=krb5 , but ne e d to be configure d on the NFS s e rve r. Se e the man page on e xports ( man 5 exports ) for more information.
The NFS man page ( man 5 nfs ) has a “SECURITY CONSIDERATIONS” s e ction which e xplains the s e curity e nhance me nts in NFSv4 and contains all the NFS s pe cific mount options .
The NFS s e rve r de te rmine s which file s ys te ms to e xport and which hos ts to e xport the s e dire ctorie s to by cons ulting the /etc/exports file . Be care ful not to add e xtrane ous s pace s whe n e diting this file .
For ins tance , the following line in the /etc/exports file s hare s the dire ctory /tmp/nfs/ to the hos t bob.example.com
with re ad/write pe rmis s ions .
/tmp/nfs/ bob.example.com(rw)
The following line in the /etc/exports file , on the othe r hand, s hare s the s ame dire ctory to the hos t bob.example.com
with re ad-only pe rmis s ions and s hare s it to the world with re ad/write pe rmis s ions due to a s ingle s pace characte r afte r the hos tname .
/tmp/nfs/ bob.example.com (rw)
It is good practice to che ck any configure d NFS s hare s by us ing the showmount command to ve rify what is be ing s hare d:
showmount -e <hostname>
By de fault, NFS s hare s change the root us e r to the nfsnobody us e r, an unprivile ge d us e r account. This change s the owne r of all root-cre ate d file s to nfsnobody , which pre ve nts uploading of programs with the s e tuid bit s e t.
51

Se curit y Guide
If no_root_squash is us e d, re mote root us e rs are able to change any file on the s hare d file s ys te m and le ave applications infe cte d by Trojans for othe r us e rs to inadve rte ntly e xe cute .
NFSv4 is the de fault ve rs ion of NFS for Re d Hat Ente rpris e Linux 7 and it only re quire s port
2049 to be ope n for TCP. If us ing NFSv3 the n four additional ports are re quire d as e xplaine d be low.
Co nf iguring Po rt s f o r NFSv3
The ports us e d for NFS are as s igne d dynamically by rpcbind, which can caus e proble ms whe n cre ating fire wall rule s . To s implify this proce s s , us e the /etc/sysconfig/nfs file to s pe cify which ports are to be us e d:
MOUNTD_PORT — TCP and UDP port for mountd (rpc.mountd)
STATD_PORT — TCP and UDP port for s tatus (rpc.s tatd)
LOCKD_TCPPORT — TCP port for nlockmgr (rpc.lockd)
LOCKD_UDPPORT — UDP port nlockmgr (rpc.lockd)
Port numbe rs s pe cifie d mus t not be us e d by any othe r s e rvice . Configure your fire wall to allow the port numbe rs s pe cifie d, as we ll as TCP and UDP port 2049 (NFS).
Run the rpcinfo -p command on the NFS s e rve r to s e e which ports and RPC programs are be ing us e d.
The Apache HTTP Se rve r is one of the mos t s table and s e cure s e rvice s that s hips with
Re d Hat Ente rpris e Linux 7. A large numbe r of options and te chnique s are available to s e cure the Apache HTTP Se rve r — too nume rous to de lve into de e ply he re . The following s e ction brie fly e xplains good practice s whe n running the Apache HTTP Se rve r.
Always ve rify that any s cripts running on the s ys te m work as inte nde d before putting the m into production. Als o, e ns ure that only the root us e r has write pe rmis s ions to any dire ctory containing s cripts or CGIs . To do this , run the following commands as the root us e r:
chown root <directory_name>
chmod 755 <directory_name>
Sys te m adminis trators s hould be care ful whe n us ing the following configuration options
(configure d in /etc/httpd/conf/httpd.conf
):
FollowSymLinks
This dire ctive is e nable d by de fault, s o be s ure to us e caution whe n cre ating s ymbolic links to the docume nt root of the We b s e rve r. For ins tance , it is a bad ide a to provide a s ymbolic link to / .
Indexes
52

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
This dire ctive is e nable d by de fault, but may not be de s irable . To pre ve nt vis itors from brows ing file s on the s e rve r, re move this dire ctive .
UserDir
The UserDir dire ctive is dis able d by de fault be caus e it can confirm the pre s e nce of a us e r account on the s ys te m. To e nable us e r dire ctory brows ing on the s e rve r, us e the following dire ctive s :
UserDir enabled
UserDir disabled root
The s e dire ctive s activate us e r dire ctory brows ing for all us e r dire ctorie s othe r than /root/ . To add us e rs to the lis t of dis able d accounts , add a s pace -de limite d lis t of us e rs on the UserDir disabled line .
ServerTokens
The ServerTokens dire ctive controls the s e rve r re s pons e he ade r fie ld which is s e nt back to clie nts . It include s various information which can be cus tomize d us ing the following parame te rs :
ServerTokens Full (de fault option) — provide s all available information (OS type and us e d module s ), for e xample :
Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens Prod or ServerTokens ProductOnly — provide s the following information:
Apache
ServerTokens Major — provide s the following information:
Apache/2
ServerTokens Minor — provide s the following information:
Apache/2.0
ServerTokens Min or ServerTokens Minimal — provide s the following information:
Apache/2.0.41
ServerTokens OS — provide s the following information:
Apache/2.0.41 (Unix)
It is re comme nde d to us e the ServerTokens Prod option s o that a pos s ible attacke r doe s not gain any valuable information about your s ys te m.
53

Se curit y Guide
Important
Do not re move the IncludesNoExec dire ctive . By de fault, the Server-Side Includes
(SSI) module cannot e xe cute commands . It is re comme nde d that you do not change this s e tting unle s s abs olute ly ne ce s s ary, as it could, pote ntially, e nable an attacke r to e xe cute commands on the s ys te m.
In ce rtain s ce narios , it is be ne ficial to re move ce rtain httpd module s to limit the functionality of the HTTP Se rve r. To do s o, s imply comme nt out the e ntire line which loads the module you want to re move in the /etc/httpd/conf/httpd.conf
file . For e xample , to re move the proxy module , comme nt out the following line by pre pe nding it with a has h s ign:
#LoadModule proxy_module modules/mod_proxy.so
Note that the /etc/httpd/conf.d/ dire ctory contains configuration file s which are us e d to load module s as we ll.
For information, s e e the The Apache HTTP Se rve r and SELinux chapte r from the Re d Hat
Ente rpris e Linux 7 SELinux Us e r's and Adminis trator's Guide .
The File Transfer Protocol (FTP) is an olde r TCP protocol de s igne d to trans fe r file s ove r a ne twork. Be caus e all trans actions with the s e rve r, including us e r authe ntication, are une ncrypte d, it is cons ide re d an ins e cure protocol and s hould be care fully configure d.
Re d Hat Ente rpris e Linux 7 provide s two FTP s e rve rs :
Red Hat Co nt ent Accelerat o r ( tux ) — A ke rne l-s pace We b s e rve r with FTP capabilitie s .
vsftpd — A s tandalone , s e curity orie nte d imple me ntation of the FTP s e rvice .
The following s e curity guide line s are for s e tting up the vsftpd FTP s e rvice .
Be fore s ubmitting a us e rname and pas s word, all us e rs are pre s e nte d with a gre e ting banne r. By de fault, this banne r include s ve rs ion information us e ful to cracke rs trying to ide ntify we akne s s e s in a s ys te m.
To change the gre e ting banne r for vsftpd , add the following dire ctive to the
/etc/vsftpd/vsftpd.conf
file : ftpd_banner=<insert_greeting_here>
Re place <insert_greeting_here> in the above dire ctive with the te xt of the gre e ting me s s age .
54

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
For mutli-line banne rs , it is be s t to us e a banne r file . To s implify manage me nt of multiple banne rs , place all banne rs in a ne w dire ctory calle d /etc/banners/ . The banne r file for
FTP conne ctions in this e xample is /etc/banners/ftp.msg
. Be low is an e xample of what s uch a file may look like :
######### Hello, all activity on ftp.example.com is logged. #########
Note
It is not ne ce s s ary to be gin e ach line of the file with 220 as s pe cifie d in
Se ction 4.4.1, “Se curing Se rvice s With TCP Wrappe rs and xine td” .
To re fe re nce this gre e ting banne r file for vsftpd , add the following dire ctive to the
/etc/vsftpd/vsftpd.conf
file : banner_file=/etc/banners/ftp.msg
It als o is pos s ible to s e nd additional banne rs to incoming conne ctions us ing TCP Wrappe rs as de s cribe d in
Se ction 4.4.1.1, “TCP Wrappe rs and Conne ction Banne rs ”
.
The pre s e nce of the /var/ftp/ dire ctory activate s the anonymous account.
The e as ie s t way to cre ate this dire ctory is to ins tall the vsftpd package . This package e s tablis he s a dire ctory tre e for anonymous us e rs and configure s the pe rmis s ions on dire ctorie s to re ad-only for anonymous us e rs .
By de fault the anonymous us e r cannot write to any dire ctorie s .
Warning
If e nabling anonymous acce s s to an FTP s e rve r, be aware of whe re s e ns itive data is s tore d.
4.3.9.2.1. Ano nymo us Uplo ad
To allow anonymous us e rs to upload file s , it is re comme nde d that a write -only dire ctory be cre ate d within /var/ftp/pub/ . To do this , run the following command as root:
~]# mkdir /var/ftp/pub/upload
Ne xt, change the pe rmis s ions s o that anonymous us e rs cannot vie w the conte nts of the dire ctory:
~]# chmod 730 /var/ftp/pub/upload
A long format lis ting of the dire ctory s hould look like this :
55

Se curit y Guide
~]# ls -ld /var/ftp/pub/upload drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/upload
Adminis trators who allow anonymous us e rs to re ad and write in dire ctorie s ofte n find that the ir s e rve rs be come a re pos itory of s tole n s oftware .
Additionally, unde r vsftpd , add the following line to the /etc/vsftpd/vsftpd.conf
file : anon_upload_enable=YES
Be caus e FTP trans mits une ncrypte d us e rname s and pas s words ove r ins e cure ne tworks for authe ntication, it is a good ide a to de ny s ys te m us e rs acce s s to the s e rve r from the ir us e r accounts .
To dis able all us e r accounts in vsftpd , add the following dire ctive to
/etc/vsftpd/vsftpd.conf
: local_enable=NO
4.3.9.3.1. Rest rict ing User Acco unt s
To dis able FTP acce s s for s pe cific accounts or s pe cific groups of accounts , s uch as the root us e r and thos e with sudo privile ge s , the e as ie s t way is to us e a PAM lis t file as de s cribe d in
Se ction 4.2.1, “Dis allowing Root Acce s s ” . The PAM configuration file for
vsftpd is /etc/pam.d/vsftpd .
It is als o pos s ible to dis able us e r accounts within e ach s e rvice dire ctly.
To dis able s pe cific us e r accounts in vsftpd , add the us e rname to /etc/vsftpd/ftpusers
Us e TCP Wrappe rs to control acce s s to e ithe r FTP dae mon as outline d in Se ction 4.4.1,
“Se curing Se rvice s With TCP Wrappe rs and xine td” .
Pos tfix is a Mail Trans fe r Age nt (MTA) that us e s the Simple Mail Trans fe r Protocol (SMTP) to de live r e le ctronic me s s age s be twe e n othe r MTAs and to e mail clie nts or de live ry age nts . Although many MTAs are capable of e ncrypting traffic be twe e n one anothe r, mos t do not, s o s e nding e mail ove r any public ne tworks is cons ide re d an inhe re ntly ins e cure form of communication. Pos tfix re place s Se ndmail as the de fault MTA in Re d Hat
Ente rpris e Linux 7.
It is re comme nde d that anyone planning to imple me nt a Pos tfix s e rve r addre s s the following is s ue s .
Be caus e of the nature of e mail, a de te rmine d attacke r can flood the s e rve r with mail fairly e as ily and caus e a de nial of s e rvice . The e ffe ctive ne s s of s uch attacks can be limite d by s e tting limits of the dire ctive s in the /etc/postfix/main.cf
file . You can change the
56

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s value of the dire ctive s which are alre ady the re or you can add the dire ctive s you ne e d with the value you want in the following format:
<directive> = <value>
. The following is a lis t of dire ctive s that can be us e d for limiting a de nial of s e rvice attack: smtpd_client_connection_rate_limit — The maximum numbe r of conne ction atte mpts any clie nt is allowe d to make to this s e rvice pe r time unit (de s cribe d be low).
The de fault value is 0, which me ans a clie nt can make as many conne ctions pe r time unit as Pos tfix can acce pt. By de fault, clie nts in trus te d ne tworks are e xclude d.
anvil_rate_time_unit — This time unit is us e d for rate limit calculations . The de fault value is 60 s e conds .
smtpd_client_event_limit_exceptions — Clie nts that are e xclude d from the conne ction and rate limit commands . By de fault, clie nts in trus te d ne tworks are e xclude d.
smtpd_client_message_rate_limit — The maximum numbe r of me s s age de live rie s a clie nt is allowe d to re que s t pe r time unit (re gardle s s of whe the r or not Pos tfix actually acce pts thos e me s s age s ).
default_process_limit — The de fault maximum numbe r of Pos tfix child proce s s e s that provide a give n s e rvice . This limit can be ove rrule d for s pe cific s e rvice s in the master.cf
file . By de fault the value is 100.
queue_minfree — The minimum amount of fre e s pace in byte s in the que ue file s ys te m that is ne e de d to re ce ive mail. This is curre ntly us e d by the Pos tfix SMTP s e rve r to de cide if it will acce pt any mail at all. By de fault, the Pos tfix SMTP s e rve r re je cts MAIL FROM commands whe n the amount of fre e s pace is le s s than 1.5 time s the me s s age _s ize _limit. To s pe cify a highe r minimum fre e s pace limit, s pe cify a que ue _minfre e value that is at le as t 1.5 time s the me s s age _s ize _limit. By de fault the que ue _minfre e value is 0.
header_size_limit — The maximum amount of me mory in byte s for s toring a me s s age he ade r. If a he ade r is large r, the e xce s s is dis carde d. By de fault the value is
102400.
message_size_limit — The maximum s ize in byte s of a me s s age , including e nve lope information. By de fault the value is 10240000.
Ne ve r put the mail s pool dire ctory, /var/spool/postfix/ , on an NFS s hare d volume .
Be caus e NFSv2 and NFSv3 do not maintain control ove r us e r and group IDs , two or more us e rs can have the s ame UID, and re ce ive and re ad e ach othe r's mail.
Note
With NFSv4 us ing Ke rbe ros , this is not the cas e , s ince the SECRPC_GSS ke rne l module doe s not utilize UID-bas e d authe ntication. Howe ve r, it is s till cons ide re d good practice not to put the mail s pool dire ctory on NFS s hare d volume s .
57

Se curit y Guide
To he lp pre ve nt local us e r e xploits on the Pos tfix s e rve r, it is be s t for mail us e rs to only acce s s the Pos tfix s e rve r us ing an e mail program. She ll accounts on the mail s e rve r s hould not be allowe d and all us e r s he lls in the /etc/passwd file s hould be s e t to
/sbin/nologin (with the pos s ible e xce ption of the root us e r).
By de fault, Pos tfix is s e t up to only lis te n to the local loopback addre s s . You can ve rify this by vie wing the file /etc/postfix/main.cf
.
Vie w the file /etc/postfix/main.cf
to e ns ure that only the following inet_interfaces line appe ars : inet_interfaces = localhost
This e ns ure s that Pos tfix only acce pts mail me s s age s (s uch as cron job re ports ) from the local s ys te m and not from the ne twork. This is the de fault s e tting and prote cts Pos tfix from a ne twork attack.
For re moval of the localhos t re s triction and allowing Pos tfix to lis te n on all inte rface s the inet_interfaces = all s e tting can be us e d.
The Re d Hat Ente rpris e Linux 7 ve rs ion of Po st f ix can us e the Do veco t or Cyrus SASL imple me ntations for SMTP Authentication (or SMTP AUTH). SMTP Authe ntication is an e xte ns ion of the Simple Mail Transfer Protocol . Whe n e nable d, SMTP clie nts are re quire d to authe nticate to the SMTP s e rve r us ing an authe ntication me thod s upporte d and acce pte d by both the s e rve r and the clie nt. This s e ction de s cribe s how to configure
Po st f ix to make us e of the Do veco t SASL imple me ntation.
To ins tall the Do veco t POP / IMAP s e rve r, and thus make the Do veco t SASL imple me ntation available on your s ys te m, is s ue the following command as the root us e r:
~]# yum install dovecot
The Po st f ix SMTP s e rve r can communicate with the Do veco t SASL imple me ntation us ing e ithe r a UNIX-domain socket or a TCP socket. The latte r me thod is only ne e de d in cas e the
Po st f ix and Do veco t applications are running on s e parate machine s . This guide give s pre fe re nce to the UNIX-domain s ocke t me thod, which affords be tte r privacy.
In orde r to ins truct Po st f ix to us e the Do veco t SASL imple me ntation, a numbe r of configuration change s ne e d to be pe rforme d for both applications . Follow the proce dure s be low to e ffe ct the s e change s .
Set t ing Up Do veco t
1. Modify the main Do veco t configuration file , /etc/dovecot/conf.d/10master.conf
, to include the following line s (the de fault configuration file alre ady include s mos t of the re le vant s e ction, and the line s jus t ne e d to be uncomme nte d): service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
58

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
group = postfix
}
}
The above e xample as s ume s the us e of UNIX-domain s ocke ts for communication be twe e n Po st f ix and Do veco t . It als o as s ume s de fault s e ttings of the Po st f ix
SMTP s e rve r, which include the mail que ue locate d in the /var/spool/postfix/ dire ctory, and the application running unde r the postfix us e r and group. In this way, re ad and write pe rmis s ions are limite d to the postfix us e r and group.
Alte rnative ly, you can us e the following configuration to s e t up Do veco t to lis te n for Po st f ix authe ntication re que s ts via TCP : service auth {
inet_listener {
port = 12345
}
}
In the above e xample , re place 12345 with the numbe r of the port you want to us e .
2. Edit the /etc/dovecot/conf.d/10-auth.conf
configuration file to ins truct
Do veco t to provide the Po st f ix SMTP s e rve r with the plain and login authe ntication me chanis ms : auth_mechanisms = plain login
Set t ing Up Po st f ix
In the cas e of Po st f ix, only the main configuration file , /etc/postfix/main.cf
, ne e ds to be modifie d. Add or e dit the following configuration dire ctive s :
1. Enable SMTP Authe ntication in the Po st f ix SMTP s e rve r: smtpd_sasl_auth_enable = yes
2. Ins truct Po st f ix to us e the Do veco t SASL imple me ntation for SMTP Authe ntication: smtpd_sasl_type = dovecot
3. Provide the authe ntication path re lative to the Po st f ix que ue dire ctory (note that the us e of a re lative path e ns ure s that the configuration works re gardle s s of whe the r the Po st f ix s e rve r runs in a chro o t or not): smtpd_sasl_path = private/auth
This s te p as s ume s that you want to us e UNIX-domain s ocke ts for communication be twe e n Po st f ix and Do veco t . To configure Po st f ix to look for Do veco t on a diffe re nt machine in cas e you us e TCP s ocke ts for communication, us e configuration value s s imilar to the following: smtpd_sasl_path = inet:127.0.0.1:12345
59

Se curit y Guide
In the above e xample , 127.0.0.1
ne e ds to be s ubs titute d by the IP addre s s of the
Do veco t machine and 12345 by the port s pe cifie d in Do veco t 's
/etc/dovecot/conf.d/10-master.conf
configuration file .
4. Spe cify SASL me chanis ms that the Po st f ix SMTP s e rve r make s available to clie nts .
Note that diffe re nt me chanis ms can be s pe cifie d for e ncrypte d and une ncrypte d s e s s ions .
smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous
The above e xample s pe cifie s that during une ncrypte d s e s s ions , no anonymous authe ntication is allowe d and no me chanis ms that trans mit une ncrypte d us e rname s or pas s words are allowe d. For e ncrypte d s e s s ions (us ing TLS ), only non-anonymous authe ntication me chanis ms are allowe d.
Se e http://www.pos tfix.org/SASL_README.html#s mtpd_s as l_s e curity_options for a lis t of all s upporte d policie s for limiting allowe d SASL me chanis ms .
Addit io nal Reso urces
The following online re s ource s provide additional information us e ful for configuring
Po st f ix SMTP Authe ntication through SASL .
http://wiki2.dove cot.org/HowTo/Pos tfixAndDove cotSASL — Contains information on how to s e t up Po st f ix to us e the Do veco t SASL imple me ntation for SMTP Authe ntication.
http://www.pos tfix.org/SASL_README.html#s e rve r_s as l — Contains information on how to s e t up Po st f ix to us e e ithe r the Do veco t or Cyrus SASL imple me ntations for SMTP
Authe ntication.
Secure Shell (SSH) is a powe rful ne twork protocol us e d to communicate with anothe r s ys te m ove r a s e cure channe l. The trans mis s ions ove r SSH are e ncrypte d and prote cte d from inte rce ption. Se e the Ope nSSH chapte r of the Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide for ge ne ral information about the SSH protocol and about us ing the
SSH s e rvice in Re d Hat Ente rpris e Linux 7.
Important
This s e ction draws atte ntion to the mos t common ways of s e curing an SSH s e tup. By no me ans s hould this lis t of s ugge s te d me as ure s be cons ide re d e xhaus tive or de finitive . Se e sshd_config(5) for a de s cription of all configuration dire ctive s available for modifying the be havior of the sshd dae mon and to ssh(1) for an e xplanation of bas ic SSH conce pts .
SSH s upports the us e of cryptographic ke ys for logging in to compute rs . This is much more s e cure than us ing only a pas s word. If you combine this me thod with othe r authe ntication
me thods , it can be cons ide re d a multi-factor authe ntication. Se e Se ction 4.3.11.2, “Multiple
Authe ntication Me thods ” for more information about us ing multiple authe ntication me thods .
60

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
In orde r to e nable the us e of cryptographic ke ys for authe ntication, the
PubkeyAuthentication configuration dire ctive in the /etc/ssh/sshd_config file ne e ds to be s e t to yes . Note that this is the de fault s e tting. Se t the PasswordAuthentication dire ctive to no to dis able the pos s ibility of us ing pas s words for logging in.
SSH ke ys can be ge ne rate d us ing the ssh-keygen command. If invoke d without additional argume nts , it cre ate s a 2048-bit RSA ke y s e t. The ke ys are s tore d, by de fault, in the
~/.ssh
dire ctory. You can utilize the -b s witch to modify the bit-s tre ngth of the ke y. Us ing
2048-bit ke ys is normally s ufficie nt. The Configuring Ope nSSH chapte r in the Re d Hat
Ente rpris e Linux 7 Sys te m Adminis trator's Guide include s de taile d information about ge ne rating ke y pairs .
You s hould s e e the two ke ys in your ~/.ssh
dire ctory. If you acce pte d the de faults whe n running the ssh-keygen command, the n the ge ne rate d file s are name d id_rsa and id_rsa.pub
and contain the private and public ke y re s pe ctive ly. You s hould always prote ct the private ke y from e xpos ure by making it unre adable by anyone e ls e but the file 's owne r. The public ke y, howe ve r, ne e ds to be trans fe rre d to the s ys te m you are going to log in to. You can us e the ssh-copy-id command to trans fe r the ke y to the s e rve r:
~]$ ssh-copy-id -i [user@]server
This command will als o automatically appe nd the public ke y to the
~/.ssh/authorized_keys file on the server. The sshd dae mon will che ck this file whe n you atte mpt to log in to the s e rve r.
Similarly to pas s words and any othe r authe ntication me chanis m, you s hould change your
SSH ke ys re gularly. Whe n you do, make s ure you re move any unus e d ke ys from the authorized_keys file .
Us ing multiple authe ntication me thods , or multi-factor authe ntication, incre as e s the le ve l of prote ction agains t unauthorize d acce s s , and as s uch s hould be cons ide re d whe n harde ning a s ys te m to pre ve nt it from be ing compromis e d. Us e rs atte mpting to log in to a s ys te m that us e s multi-factor authe ntication mus t s ucce s s fully comple te all s pe cifie d authe ntication me thods in orde r to be grante d acce s s .
Us e the AuthenticationMethods configuration dire ctive in the /etc/ssh/sshd_config file to s pe cify which authe ntication me thods are to be utilize d. Note that it is pos s ible to de fine more than one lis t of re quire d authe ntication me thods us ing this dire ctive . If that is the cas e , the us e r mus t comple te e ve ry me thod in at le as t one of the lis ts . The lis ts ne e d to be s e parate d by blank s pace s , and the individual authe ntication-me thod name s within the lis ts mus t be comma-s e parate d. For e xample :
AuthenticationMethods publickey,gssapi-with-mic publickey,keyboardinteractive
An sshd dae mon configure d us ing the above AuthenticationMethods dire ctive only grants acce s s if the us e r atte mpting to log in s ucce s s fully comple te s e ithe r publickey authe ntication followe d by gssapi-with-mic or by keyboard-interactive authe ntication.
Note that e ach of the re que s te d authe ntication me thods ne e ds to be e xplicitly e nable d us ing a corre s ponding configuration dire ctive (s uch as PubkeyAuthentication ) in the
/etc/ssh/sshd_config file . Se e the AUTHENTICATION s e ction of ssh(1) for a ge ne ral lis t of available authe ntication me thods .
61

Se curit y Guide
Pro t o co l Versio n
Eve n though the imple me ntation of the SSH protocol s upplie d with Re d Hat
Ente rpris e Linux 7 s upports both the SSH-1 and SSH-2 ve rs ions of the protocol, only the latte r s hould be us e d whe ne ve r pos s ible . The SSH-2 ve rs ion contains a numbe r of improve me nts ove r the olde r SSH-1, and the majority of advance d configuration options is only available whe n us ing SSH-2.
Us e rs are e ncourage d to make us e of SSH-2 in orde r to maximize the e xte nt to which the
SSH protocol prote cts the authe ntication and communication for which it is us e d. The ve rs ion or ve rs ions of the protocol s upporte d by the sshd dae mon can be s pe cifie d us ing the Protocol configuration dire ctive in the /etc/ssh/sshd_config file . The de fault s e tting is 2 .
Key T ypes
While the ssh-keygen command ge ne rate s a pair of SSH-2 RSA ke ys by de fault, us ing the
-t option, it can be ins tructe d to ge ne rate DSA or ECDSA ke ys as we ll. The ECDSA (Elliptic
Curve Digital Signature Algorithm) offe rs be tte r pe rformance at the s ame e quivale nt s ymme tric ke y le ngth. It als o ge ne rate s s horte r ke ys .
No n-Def ault Po rt
By de fault, the sshd dae mon lis te ns on TCP port 22 . Changing the port re duce s the e xpos ure of the s ys te m to attacks bas e d on automate d ne twork s canning, thus incre as ing s e curity through obs curity. The port can be s pe cifie d us ing the Port dire ctive in the
/etc/ssh/sshd_config configuration file . Note als o that the de fault SELinux policy mus t be change d to allow for the us e of a non-de fault port. You can do this by modifying the ssh_port_t SELinux type by typing the following command as root :
~]# semanage -a -t ssh_port_t -p tcp port_number
In the above command, re place port_number with the ne w port numbe r s pe cifie d us ing the
Port dire ctive .
No Ro o t Lo gin
Provide d that your particular us e cas e doe s not re quire the pos s ibility of logging in as the root us e r, you s hould cons ide r s e tting the PermitRootLogin configuration dire ctive to no in the /etc/ssh/sshd_config file . By dis abling the pos s ibility of logging in as the root us e r, the adminis trator can audit which us e r runs what privile ge d command afte r the y log in as re gular us e rs and the n gain root rights .
PostgreSQL is an Obje ct-Re lational databas e manage me nt s ys te m (DBMS). In Re d Hat
Ente rpris e Linux 7, the postgresql-server package provide s Po st greSQL. If it is not ins talle d, run the following command as the root us e r to ins tall it:
~]# yum install postgresql-server
Be fore you can s tart us ing Po st greSQL, you mus t initialize a databas e s torage are a on dis k. This is calle d a databas e clus te r. To initialize a databas e clus te r, us e the command initdb, which is ins talle d with Po st greSQL. The de s ire d file s ys te m location of your databas e clus te r is indicate d by the -D option. For e xample :
62

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]$ initdb -D /home/postgresql/db1
The initdb command will atte mpt to cre ate the dire ctory you s pe cify if it doe s not alre ady e xis t. We us e the name /home/postgresql/db1 in this e xample . The /home/postgresql/db1 dire ctory contains all the data s tore d in the databas e and als o the clie nt authe ntication configuration file :
~]$ cat pg_hba.conf
# PostgreSQL Client Authentication Configuration File
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
The following line in the pg_hba.conf
file allows any authe nticate d local us e rs to acce s s any databas e s with the ir us e r name s : local all all trust
This can be proble matic whe n you us e laye re d applications that cre ate databas e us e rs and no local us e rs . If you do not want to e xplicitly control all us e r name s on the s ys te m, re move this line from the pg_hba.conf
file .
Docker is an ope n s ource proje ct that automate s the de ployme nt of applications ins ide
Linux Containe rs , and provide s the capability to package an application with its runtime de pe nde ncie s into a containe r. To make your Do cker workflow more s e cure , vis it Re d Hat
Ente rpris e Linux Atomic Hos t 7 Containe r Se curity Guide .
TCP Wrappe rs are capable of much more than de nying acce s s to s e rvice s . This s e ction illus trate s how the y can be us e d to s e nd conne ction banne rs , warn of attacks from particular hos ts , and e nhance logging functionality. Se e the hos ts _options (5) man page for information about the TCP Wrappe r functionality and control language . Se e the xine td.conf(5) man page for the available flags , which act as options you can apply to a s e rvice .
Dis playing a s uitable banne r whe n us e rs conne ct to a s e rvice is a good way to le t pote ntial attacke rs know that the s ys te m adminis trator is be ing vigilant. You can als o control what information about the s ys te m is pre s e nte d to us e rs . To imple me nt a TCP
Wrappe rs banne r for a s e rvice , us e the banner option.
63

Se curit y Guide
This e xample imple me nts a banne r for vsftpd . To be gin, cre ate a banne r file . It can be anywhe re on the s ys te m, but it mus t have s ame name as the dae mon. For this e xample , the file is calle d /etc/banners/vsftpd and contains the following line s :
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
The %c toke n s upplie s a varie ty of clie nt information, s uch as the us e rname and hos tname , or the us e rname and IP addre s s to make the conne ction e ve n more intimidating.
For this banne r to be dis playe d to incoming conne ctions , add the following line to the
/etc/hosts.allow
file : vsftpd : ALL : banners /etc/banners/
If a particular hos t or ne twork has be e n de te cte d attacking the s e rve r, TCP Wrappe rs can be us e d to warn the adminis trator of s ubs e que nt attacks from that hos t or ne twork us ing the spawn dire ctive .
In this e xample , as s ume that a cracke r from the 206.182.68.0/24 ne twork has be e n de te cte d atte mpting to attack the s e rve r. Place the following line in the /etc/hosts.deny
file to de ny any conne ction atte mpts from that ne twork, and to log the atte mpts to a s pe cial file :
ALL : 206.182.68.0 : spawn /bin/echo `date` %c %d >>
/var/log/intruder_alert
The %d toke n s upplie s the name of the s e rvice that the attacke r was trying to acce s s .
To allow the conne ction and log it, place the spawn dire ctive in the /etc/hosts.allow
file .
Note
Be caus e the spawn dire ctive e xe cute s any s he ll command, it is a good ide a to cre ate a s pe cial s cript to notify the adminis trator or e xe cute a chain of commands in the e ve nt that a particular clie nt atte mpts to conne ct to the s e rve r.
If ce rtain type s of conne ctions are of more conce rn than othe rs , the log le ve l can be e le vate d for that s e rvice us ing the severity option.
For this e xample , as s ume that anyone atte mpting to conne ct to port 23 (the Te lne t port) on an FTP s e rve r is a cracke r. To de note this , place an emerg flag in the log file s ins te ad of the de fault flag, info , and de ny the conne ction.
To do this , place the following line in /etc/hosts.deny
:
64

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s in.telnetd : ALL : severity emerg
This us e s the de fault authpriv logging facility, but e le vate s the priority from the de fault value of info to emerg , which pos ts log me s s age s dire ctly to the cons ole .
Unne ce s s ary ope n ports s hould be avoide d be caus e it incre as e s the attack s urface of your s ys te m. If you find une xpe cte d ope n ports in lis te ning s tate afte r the s ys te m has be e n in s e rvice , it might be a s ign of intrus ion, and it s hould be inve s tigate d.
Is s ue the following command as root to de te rmine which ports are lis te ning for conne ctions from the ne twork:
~]# netstat -pan -A inet,inet6 | grep -v ESTABLISHED
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
1/systemd tcp 0 0 192.168.124.1:53 0.0.0.0:* LISTEN
1975/dnsmasq tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
1362/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
1355/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
1802/master tcp6 0 0 ::1:111 :::* LISTEN
1/systemd tcp6 0 0 :::22 :::* LISTEN
1362/sshd tcp6 0 0 ::1:631 :::* LISTEN
1355/cupsd tcp6 0 0 ::1:25 :::* LISTEN
1802/master raw6 0 0 :::58 :::* 7
791/NetworkManager
You can us e the -l option of the netstat command to dis play only lis te ning s e rve r s ocke ts :
~]# netstat -tlnw
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN tcp 0 0 192.168.124.1:53 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN tcp6 0 0 ::1:111 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 ::1:631 :::* LISTEN tcp6 0 0 ::1:25 :::* LISTEN raw6 0 0 :::58 :::* 7
65

Se curit y Guide
Note that at time of writing, the -l option doe s not lis t SCTP s e rve rs .
You can als o us e the ss utility for lis ting ope n ports in the lis te ning s tate . But at time of writing, this way als o doe s not lis t SCTP s e rve rs .
~]# ss -tlw
Netid State Recv-Q Send-Q Local Address:Port Peer
Address:Port udp UNCONN 0 0 :::ipv6-icmp :::* tcp LISTEN 0 128 *:sunrpc *:* tcp LISTEN 0 5 192.168.124.1:domain *:* tcp LISTEN 0 128 *:ssh *:* tcp LISTEN 0 128 127.0.0.1:ipp *:* tcp LISTEN 0 100 127.0.0.1:smtp *:* tcp LISTEN 0 128 ::1:sunrpc :::* tcp LISTEN 0 128 :::ssh :::* tcp LISTEN 0 128 ::1:ipp :::* tcp LISTEN 0 100 ::1:smtp :::*
Re vie w the output of the command with the s e rvice s ne e de d on the s ys te m, turn off what is not s pe cifically re quire d or authorize d, re pe at the che ck. Proce e d the n to make e xte rnal che cks us ing the nmap tool from anothe r s ys te m conne cte d via the ne twork to the firs t s ys te m. This can be us e d ve rify the rule s in f irewalld.
The following is an e xample of the command to be is s ue d from the cons ole of anothe r s ys te m to de te rmine which ports are lis te ning for TCP conne ctions from the ne twork:
~]# nmap -sT -O 192.168.122.1
Se e the nmap(1) and s e rvice s (5) manual page s for more information.
Source routing is an Inte rne t Protocol me chanis m that allows an IP packe t to carry information, a lis t of addre s s e s , that te lls a route r the path the packe t mus t take . The re is als o an option to re cord the hops as the route is trave rs e d. The lis t of hops take n, the
"route re cord", provide s the de s tination with a re turn path to the s ource . This allows the s ource (the s e nding hos t) to s pe cify the route , loos e ly or s trictly, ignoring the routing table s of s ome or all of the route rs . It can allow a us e r to re dire ct ne twork traffic for malicious purpos e s . The re fore , s ource -bas e d routing s hould be dis able d.
The accept_source_route option caus e s ne twork inte rface s to acce pt packe ts with the
Strict Source Route (SSR) or Loose Source Routing (LSR) option s e t. The acce ptance of s ource route d packe ts is controlle d by s ys ctl s e ttings . Is s ue the following command as root to drop packe ts with the SSR or LSR option s e t:
~]# /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Dis abling the forwarding of packe ts s hould als o be done in conjunction with the above whe n pos s ible (dis abling forwarding may inte rfe re with virtualization). Is s ue the commands lis te d be low as root:
The s e commands dis able forwarding of IPv4 and IPv6 packe ts on all inte rface s .
66

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]# /sbin/sysctl -w net.ipv4.conf.all.forwarding=0
~]# /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
The s e commands dis able forwarding of all multicas t packe ts on all inte rface s .
~]# /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
~]# /sbin/sysctl -w net.ipv6.conf.all.mc_forwarding=0
Acce pting ICMP re dire cts has fe w le gitimate us e s . Dis able the acce ptance and s e nding of
ICMP re dire cte d packe ts unle s s s pe cifically re quire d.
The s e commands dis able acce ptance of all ICMP re dire cte d packe ts on all inte rface s .
~]# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
~]# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
This command dis able s acce ptance of s e cure ICMP re dire cte d packe ts on all inte rface s .
~]# /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
This command dis able s acce ptance of all IPv4 ICMP re dire cte d packe ts on all inte rface s .
~]# /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
The re is only a dire ctive to dis able s e nding of IPv4 re dire cte d packe ts . Se e RFC4294 for an e xplanation of “IPv6 Node Re quire me nts ” which re s ulte d in this diffe re nce be twe e n
IPv4 and IPv6.
In orde r to make the s e ttings pe rmane nt the y mus t be adde d to /etc/sysctl.conf
.
Se e the s ys ctl man page , sysctl(8) , for more information. Se e RFC791 for an e xplanation of the Inte rne t options re late d to s ource bas e d routing and its variants .
Warning
Ethe rne t ne tworks provide additional ways to re dire ct traffic, s uch as ARP or MAC addre s s s poofing, unauthorize d DHCP s e rve rs , and IPv6 route r or ne ighbor adve rtis e me nts . In addition, unicas t traffic is occas ionally broadcas t, caus ing information le aks . The s e we akne s s e s can only be addre s s e d by s pe cific counte rme as ure s imple me nte d by the ne twork ope rator. Hos t-bas e d counte rme as ure s are not fully e ffe ctive .
Re ve rs e Path Forwarding is us e d to pre ve nt packe ts that arrive d via one inte rface from le aving via a diffe re nt inte rface . Whe n outgoing route s and incoming route s are diffe re nt, it is s ome time s re fe rre d to as asymmetric routing. Route rs ofte n route packe ts this way,
67

Se curit y Guide but mos t hos ts s hould not ne e d to do this . Exce ptions are s uch applications that involve s e nding traffic out ove r one link and re ce iving traffic ove r anothe r link from a diffe re nt s e rvice provide r. For e xample , us ing le as e d line s in combination with xDSL or s ate llite links with 3G mode ms . If s uch a s ce nario is applicable to you, the n turning off re ve rs e path forwarding on the incoming inte rface is ne ce s s ary. In s hort, unle s s you know that it is re quire d, it is be s t e nable d as it pre ve nts us e rs s poofing IP addre s s e s from local s ubne ts and re duce s the opportunity for DDoS attacks .
Note
Re d Hat Ente rpris e Linux 7 de faults to us ing Strict Reverse Path Forwarding following the Strict Re ve rs e Path re comme ndation from RFC 3704, Ingre s s Filte ring for
Multihome d Ne tworks ..
68
Warning
If forwarding is e nable d, the n Re ve rs e Path Forwarding s hould only be dis able d if the re are othe r me ans for s ource -addre s s validation (s uch as ipt ables rule s for e xample ).
rp_filter
Re ve rs e Path Forwarding is e nable d by me ans of the rp_filter dire ctive . The sysctl utility can be us e d to make change s to the running s ys te m, and pe rmane nt change s can be made by adding line s to the /etc/sysctl.conf
file .
The rp_filter option is us e d to dire ct the ke rne l to s e le ct from one of thre e mode s .
To make a te mporary global change , e nte r the following commands as root : sysctl -w net.ipv4.conf.default.rp_filter=integer sysctl -w net.ipv4.conf.all.rp_filter=integer whe re integer is one of the following:
0 — No s ource validation.
1 — Strict mode as de fine d in RFC 3704.
2 — Loos e mode as de fine d in RFC 3704.
The s e tting can be ove rridde n pe r ne twork inte rface us ing the net.ipv4.conf.interface.rp_filter
command as follows : sysctl -w net.ipv4.conf.interface.rp_filter=integer
To make the s e s e ttings pe rs is te nt acros s re boots , modify the /etc/sysctl.conf
file . For e xample , to change the mode for all inte rface s , ope n the
/etc/sysctl.conf
file with an e ditor running as the root us e r and add a line as follows : net.ipv4.conf.all.rp_filter=2

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
IPv6_rpfilter
In cas e of the IPv6 protocol the f irewalld dae mon applie s to Re ve rs e Path
Forwarding by de fault. The s e tting can be che cke d in the
/etc/firewalld/firewalld.conf
file . You can change the f irewalld be havior by s e tting the IPv6_rpfilter option.
If you ne e d a cus tom configuration of Re ve rs e Path Forwarding, you can pe rform it
without the f irewalld dae mon by us ing the ip6tables command as follows : ip6tables -t raw -I PREROUTING -m rpfilter --invert -j DROP
This rule s hould be ins e rte d ne ar the be ginning of the raw/PREROUTING chain, s o that it applie s to all traffic, in particular be fore the s tate ful matching rule s . For
more information about the iptables and ip6tables s e rvice s , s e e Se ction 4.5.4,
“Us ing the iptable s Se rvice ” .
The following are re s ource s which e xplain more about Re ve rs e Path Forwarding.
Inst alled Do cument at io n
/usr/share/doc/kernel-doc-version/Documentation/networking/ip-sysctl.txt
-
This file contains a comple te lis t of file s and options available in the
/proc/sys/net/ipv4/ dire ctory. Be fore acce s s ing the ke rne l docume ntation for the firs t time , e nte r the following command as root :
~]# yum install kernel-doc
Online Do cument at io n
Se e RFC 3704 for an e xplanation of Ingre s s Filte ring for Multihome d Ne tworks .
The dynamic fire wall dae mon firewalld provide s a dynamically manage d fire wall with s upport for ne twork “zone s ” to as s ign a le ve l of trus t to a ne twork and its as s ociate d conne ctions and inte rface s . It has s upport for IPv4 and IPv6 fire wall s e ttings . It s upports
Ethe rne t bridge s and has a s e paration of runtime and pe rmane nt configuration options . It als o has an inte rface for s e rvice s or applications to add fire wall rule s dire ctly.
Note
To e xpand your e xpe rtis e , you might als o be inte re s te d in the Re d Hat Se rve r
Harde ning (RH413) training cours e .
A graphical configuration tool, f irewall-co nf ig, is us e d to configure firewalld , which in turn us e s ipt ables t o o l to communicate with Net f ilt er in the ke rne l which imple me nts packe t filte ring.
69

Se curit y Guide
To us e the graphical f irewall-co nf ig tool, pre s s the Super ke y to e nte r the Activitie s
Ove rvie w, type firewall and the n pre s s Enter . The f irewall-co nf ig tool appe ars . You will be prompte d for an adminis trator pas s word.
The f irewall-co nf ig tool has a drop-down s e le ction me nu labe le d Configuration . This e nable s s e le cting be twe e n Runt ime and Permanent mode . Notice that if you s e le ct
Permanent , an additional row of icons will appe ar in the le ft hand corne r. The s e icons only appe ar in pe rmane nt configuration mode be caus e a s e rvice 's parame te rs cannot be change d in runtime mode .
The fire wall s e rvice provide d by firewalld is dynamic rathe r than s tatic be caus e change s to the configuration can be made at anytime and are imme diate ly imple me nte d, the re is no ne e d to s ave or apply the change s . No uninte nde d dis ruption of e xis ting ne twork conne ctions occurs as no part of the fire wall has to be re loade d.
A command line clie nt, f irewall-cmd, is provide d. It can be us e d to make pe rmane nt and non-pe rmane nt runtime change s as e xplaine d in man firewall-cmd(1) . Pe rmane nt change s ne e d to be made as e xplaine d in the firewalld(1) man page . Note that the firewall-cmd command can be run by the root us e r and als o by an adminis trative us e r, in othe r words , a me mbe r of the wheel group. In the latte r cas e the command will be authorize d via the po lkit me chanis m.
The configuration for firewalld is s tore d in various XML file s in /usr/lib/firewalld/ and /etc/firewalld/ . This allows a gre at de al of fle xibility as the file s can be e dite d, writte n to, backe d up, us e d as te mplate s for othe r ins tallations and s o on.
Othe r applications can communicate with firewalld us ing D-bus .
The e s s e ntial diffe re nce s be twe e n firewalld and the ipt ables service are :
The ipt ables service s tore s configuration in /etc/sysconfig/iptables while firewalld s tore s it in various XML file s in /usr/lib/firewalld/ and
/etc/firewalld/ . Note that the /etc/sysconfig/iptables file doe s not e xis t as firewalld is ins talle d by de fault on Re d Hat Ente rpris e Linux.
With the ipt ables service, e ve ry s ingle change me ans flus hing all the old rule s and re ading all the ne w rule s from /etc/sysconfig/iptables while with firewalld the re is no re -cre ating of all the rule s ; only the diffe re nce s are applie d. Cons e que ntly, firewalld can change the s e ttings during runtime without e xis ting conne ctions be ing los t.
Both us e ipt ables t o o l to talk to the ke rne l packe t filte r.
70

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Figure 4.1. T he Firewall St ack
Fire walls can be us e d to s e parate ne tworks into diffe re nt zone s bas e d on the le ve l of trus t the us e r has de cide d to place on the de vice s and traffic within that ne twork.
Net wo rkManager informs firewalld to which zone an inte rface be longs . An inte rface 's as s igne d zone can be change d by Net wo rkManager or via the f irewall-co nf ig tool which can ope n the re le vant Net wo rkManager window for you.
The zone s e ttings in /etc/firewalld/ are a range of pre s e t s e ttings which can be quickly applie d to a ne twork inte rface . The y are lis te d he re with a brie f e xplanation: drop
Any incoming ne twork packe ts are droppe d, the re is no re ply. Only outgoing ne twork conne ctions are pos s ible .
block
71

Se curit y Guide
Any incoming ne twork conne ctions are re je cte d with an icmp-hos t-prohibite d me s s age for IPv4 and icmp6-adm-prohibite d for IPv6 . Only ne twork conne ctions initiate d from within the s ys te m are pos s ible .
public
For us e in public are as . You do not trus t the othe r compute rs on the ne twork to not harm your compute r. Only s e le cte d incoming conne ctions are acce pte d.
external
For us e on e xte rnal ne tworks with mas que rading e nable d e s pe cially for route rs .
You do not trus t the othe r compute rs on the ne twork to not harm your compute r.
Only s e le cte d incoming conne ctions are acce pte d.
dmz
For compute rs in your de militarize d zone that are publicly-acce s s ible with limite d acce s s to your inte rnal ne twork. Only s e le cte d incoming conne ctions are acce pte d.
work
For us e in work are as . You mos tly trus t the othe r compute rs on ne tworks to not harm your compute r. Only s e le cte d incoming conne ctions are acce pte d.
home
For us e in home are as . You mos tly trus t the othe r compute rs on ne tworks to not harm your compute r. Only s e le cte d incoming conne ctions are acce pte d.
internal
For us e on inte rnal ne tworks . You mos tly trus t the othe r compute rs on the ne tworks to not harm your compute r. Only s e le cte d incoming conne ctions are acce pte d.
trusted
All ne twork conne ctions are acce pte d.
It is pos s ible to de s ignate one of the s e zone s to be the de fault zone . Whe n inte rface conne ctions are adde d to Net wo rkManager, the y are as s igne d to the de fault zone . On ins tallation, the de fault zone in firewalld is s e t to be the public zone .
Cho o sing a Net wo rk Zo ne
The ne twork zone name s have be e n chos e n to be s e lf-e xplanatory and to allow us e rs to quickly make a re as onable de cis ion. Howe ve r, a re vie w of the de fault configuration s e ttings s hould be made and unne ce s s ary s e rvice s dis able d according to your ne e ds and ris k as s e s s me nts .
A s e rvice can be a lis t of local ports and de s tinations as we ll as a lis t of fire wall he lpe r module s automatically loade d if a s e rvice is e nable d. The us e of pre de fine d s e rvice s make s it e as ie r for the us e r to e nable and dis able acce s s to a s e rvice . Us ing the pre de fine d s e rvice s , or cus tom de fine d s e rvice s , as oppos e d to ope ning ports or range s
72

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s of ports , may make adminis tration e as ie r. Se rvice configuration options and ge ne ric file information are de s cribe d in the firewalld.service(5) man page . The s e rvice s are s pe cifie d by me ans of individual XML configuration file s which are name d in the following format: service-name.xml
.
To vie w the lis t of s e rvice s us ing the graphical f irewall-co nf ig tool, pre s s the Super ke y to e nte r the Activitie s Ove rvie w, type firewall and the n pre s s Enter . The f irewall-
co nf ig tool appe ars . You will be prompte d for an adminis trator pas s word. You can now vie w the lis t of s e rvice s unde r the Services tab.
To lis t the de fault pre de fine d s e rvice s available us ing the command line , is s ue the following command as root :
~]# ls /usr/lib/firewalld/services/
File s in /usr/lib/firewalld/services/ mus t not be e dite d. Only the file s in
/etc/firewalld/services/ s hould be e dite d.
To lis t the s ys te m or us e r cre ate d s e rvice s , is s ue the following command as root :
~]# ls /etc/firewalld/services/
Se rvice s can be adde d and re move d us ing the graphical f irewall-co nf ig tool and by e diting the XML file s in /etc/firewalld/services/ . If a s e rvice has not be e n adde d or change d by the us e r, the n no corre s ponding XML file will be found in
/etc/firewalld/services/ . The file s /usr/lib/firewalld/services/ can be us e d as te mplate s if you want to add or change a s e rvice . As root , is s ue a command in the following format:
~]# cp /usr/lib/firewalld/services/[service].xml
/etc/firewalld/services/[service].xml
You may the n e dit the ne wly cre ate d file . firewalld will pre fe r file s in
/etc/firewalld/services/ but will fall back to /usr/lib/firewalld/services/ s hould a file be de le te d, but only afte r a re load.
firewalld has a s o calle d “dire ct inte rface ”, which e nable s dire ctly pas s ing rule s to
ipt ables, ip6t ables and ebt ables. It is inte nde d for us e by applications and not us e rs . It is dange rous to us e the dire ct inte rface if you are not ve ry familiar with ipt ables as you could inadve rte ntly caus e a bre ach in the fire wall. firewalld s till tracks what has be e n adde d, s o it is s till pos s ible to que ry firewalld and s e e the change s made by an application us ing the dire ct inte rface mode . The dire ct inte rface is us e d by adding the -direct option to the firewall-cmd command.
The dire ct inte rface mode is inte nde d for s e rvice s or applications to add s pe cific fire wall rule s during runtime . The rule s can be made pe rmane nt by adding the --permanent option us ing the firewall-cmd --permanent --direct command or by modifying
/etc/firewalld/direct.xml
. If the rule s are not made pe rmane nt the n the y ne e d to be applie d e ve ry time afte r re ce iving the s tart, re s tart, or re load me s s age from firewalld us ing D-BUS.
73

Se curit y Guide
In Re d Hat Ente rpris e Linux 7 firewalld is ins talle d by de fault. If re quire d, to e ns ure that it is , e nte r the following command as root :
~]# yum install firewalld
The graphical us e r inte rface configuration tool f irewall-co nf ig is ins talle d by de fault in s ome ve rs ions of Re d Hat Ente rpris e Linux 7. If re quire d, to e ns ure that it is , e nte r the following command as root :
~]# yum install firewall-config
To s top firewalld , e nte r the following command as root :
~]# systemctl stop firewalld
To pre ve nt firewalld from s tarting automatically at s ys te m s tart, is s ue the following command as root :
~]# systemctl disable firewalld
To s tart firewalld , e nte r the following command as root :
~]# systemctl start firewalld
To e ns ure firewalld s tarts automatically at s ys te m s tart, e nte r the following command as root :
~]# systemctl enable firewalld
To che ck if firewalld is running, e nte r the following command:
~]$ systemctl status firewalld firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sat 2013-04-06 22:56:59 CEST; 2 days ago
Main PID: 688 (firewalld)
CGroup: name=systemd:/system/firewalld.service
In addition, che ck if f irewall-cmd can conne ct to the dae mon by e nte ring the following command:
~]$ firewall-cmd --state running
74

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
The fire wall s e rvice , imple me nte d by the dae mon firewalld , can be configure d us ing the graphical us e r inte rface tool f irewall-co nf ig, us ing the command line inte rface tool
f irewall-cmd, and by e diting XML configuration file s . The s e me thods will be de s cribe d in orde r.
4.5.3.1.1. St art T he graphical f irewall co nf igurat io n t o o l
To s tart the graphical f irewall-co nf ig tool, pre s s the Super ke y to e nte r the Activitie s
Ove rvie w, type firewall and the n pre s s Enter . The f irewall-co nf ig tool appe ars . You will be prompte d for an adminis trator pas s word.
To s tart the graphical fire wall configuration tool us ing the command line , e nte r the following command as root us e r:
~]# firewall-config
The Firewall Configuration window ope ns . Note , this command can be run as normal us e r but you will the n be prompte d for an adminis trator pas s word from time to time .
Figure 4.2. T he f irewall co nf igurat io n t o o l
75

Se curit y Guide
Look for the word “Conne cte d” in the lowe r le ft corne r. This indicate s that the f irewall-
co nf ig tool is conne cte d to the us e r s pace dae mon, firewalld . Note that the ICMP
Types , Direct Configuration , and Lockdown Whitelist tabs are only vis ible afte r be ing s e le cte d from the View drop-down me nu.
4.5.3.1.2. Changing t he Firewall Set t ings
To imme diate ly change the curre nt fire wall s e ttings , e ns ure the curre nt vie w is s e t to
Runt ime. Alte rnative ly, to e dit the s e ttings to be applie d at the ne xt s ys te m s tart, or fire wall re load, s e le ct Permanent from the drop-down lis t.
Note
Whe n making change s to the fire wall s e ttings in Runt ime mode , your s e le ction take s imme diate e ffe ct whe n you s e t or cle ar the che ck box as s ociate d with the s e rvice . You s hould ke e p this in mind whe n working on a s ys te m that may be in us e by othe r us e rs .
Whe n making change s to the fire wall s e ttings in Permanent mode , your s e le ction will only take e ffe ct whe n you re load the fire wall or the s ys te m re s tarts . You can us e the re load icon be low the File me nu, or click the Opt io ns me nu and s e le ct
Reload Firewall .
You can s e le ct zone s in the le ft hand s ide column. You will notice the zone s have s ome s e rvice s e nable d, you may ne e d to re s ize the window or s croll to s e e the full lis t. You can cus tomize the s e ttings by s e le cting and de s e le cting a s e rvice .
4.5.3.1.3. Add an Int erf ace t o a Zo ne
To add or re as s ign an inte rface of a conne ction to a zone , s tart f irewall-co nf ig, s e le ct
Opt io ns from the me nu bar, s e le ct Change Zones of Connections from the drop-down me nu, the Connections lis t is dis playe d. Se le ct the conne ction to be re as s igne d. The
Select Zone for Connection window appe ars . Se le ct the ne w fire wall zone from the drop-down me nu and click OK .
4.5.3.1.4. Set t he Def ault Zo ne
To s e t the de fault zone that ne w inte rface s will be as s igne d to, s tart f irewall-co nf ig, s e le ct Opt io ns from the me nu bar, s e le ct Change Default Zone from the drop-down me nu. The Default Zone window appe ars . Se le ct the zone form the lis t that you want to be us e d as the de fault zone and click OK .
4.5.3.1.5. Co nf iguring Services
To e nable or dis able a pre de fine d or cus tom s e rvice , s tart the f irewall-co nf ig tool and s e le ct the ne twork zone whos e s e rvice s are to be configure d. Se le ct the Services tab and s e le ct the che ck box for e ach type of s e rvice you want to trus t. Cle ar the che ck box to block a s e rvice .
To e dit a s e rvice , s tart the f irewall-co nf ig tool and the n s e le ct Permanent mode from the drop-down s e le ction me nu labe le d Configuration . Additional icons and me nu buttons appe ar at the bottom of the Services window. Se le ct the s e rvice you want to configure .
76

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
The Ports and Protocols tab e nable s adding, changing, and re moving of ports and protocols for the s e le cte d s e rvice . The module s tab is for configuring Net f ilt er he lpe r module s . The Destination tab e nable s limiting traffic to a particular de s tination addre s s and Inte rne t Protocol ( IPv4 or IPv6 ).
4.5.3.1.6. Open Po rt s in t he Firewall
To pe rmit traffic through the fire wall to a ce rtain port, s tart the f irewall-co nf ig tool and s e le ct the ne twork zone whos e s e ttings you want to change . Se le ct the Ports tab and the click the Add button on the right hand s ide . The Port and Protocol window ope ns .
Ente r the port numbe r or range of ports to pe rmit. Se le ct tcp or udp from the drop-down lis t.
4.5.3.1.7. Enable IP Address Masquerading
To trans late IPv4 addre s s e s to a s ingle e xte rnal addre s s , s tart the f irewall-co nf ig tool and s e le ct the ne twork zone whos e addre s s e s are to be trans late d. Se le ct the
Masquerading tab and s e le ct the che ck box to e nable the trans lation of IPv4 addre s s e s to a s ingle addre s s .
4.5.3.1.8. Co nf igure Po rt Fo rwarding
To forward inbound ne twork traffic, or “packe ts ”, for a s pe cific port to an inte rnal addre s s or alte rnative port, firs t e nable IP addre s s mas que rading, the n s e le ct the Port
Forwarding tab.
Se le ct the protocol of the incoming traffic and the port or range of ports on the uppe r s e ction of the window. The lowe r s e ction is for s e tting de tails about the de s tination.
To forward traffic to a local port (a port on the s ame s ys te m), s e le ct the Local forwarding che ck box. Ente r the local port or range of ports for the traffic to be s e nt to.
To forward traffic to anothe r IPv4 addre s s , s e le ct the Forward to another port che ck box. Ente r the de s tination IP addre s s and port or port range . The de fault is to s e nd to the s ame port if the port fie ld is le ft e mpty. Click OK to apply the change s .
4.5.3.1.9. Co nf iguring t he ICMP Filt er
To e nable or dis able an ICMP filte r, s tart the f irewall-co nf ig tool and s e le ct the ne twork zone whos e me s s age s are to be filte re d. Se le ct the ICMP Filter tab and s e le ct the che ck box for e ach type of ICMP me s s age you want to filte r. Cle ar the che ck box to dis able a filte r. This s e tting is pe r dire ction and the de fault allows e ve rything.
To e dit an ICMP type , s tart the f irewall-co nf ig tool and the n s e le ct Permanent mode from the drop-down s e le ction me nu labe le d Configuration . Additional icons appe ar at the bottom of the Services window.
The command line tool f irewall-cmd is part of the firewalld application which is ins talle d by de fault. You can ve rify that it is ins talle d by che cking the ve rs ion or dis playing the he lp output. Ente r the following command to che ck the ve rs ion:
~]$ firewall-cmd --version
77

Se curit y Guide
Ente r the following command to vie w the he lp output:
~]$ firewall-cmd --help
We lis t a s e le ction of commands be low, for a full lis t s e e the man firewall-cmd(1) man page .
Note
In orde r to make a command pe rmane nt or pe rs is te nt, add the --permanent option to all commands apart from the --direct commands (which are by the ir nature te mporary). Note that this not only me ans the change will be pe rmane nt but that the change will only take e ffe ct afte r fire wall re load, s e rvice re s tart, or afte r s ys te m re boot. Se ttings made with f irewall-cmd without the --permanent option take e ffe ct imme diate ly, but are only valid till ne xt fire wall re load, s ys te m boot, or firewalld s e rvice re s tart. Re loading the fire wall doe s not in its e lf bre ak conne ctions , but be aware you are dis carding te mporary change s by doing s o.
In orde r to make a command both pe rs is te nt and take e ffe ct imme diate ly, e nte r the command twice , once with the --permanent and once without. This is be caus e a fire wall re load take s more time than jus t re pe ating a command be caus e it has to re load all configuration file s and re cre ate the whole fire wall configuration. While re loading, the policy for built-in chains is s e t to DROP for s e curity re as ons and is the n re s e t to ACCEPT at the e nd. Se rvice dis ruption is the re fore pos s ible during the re load.
Important
The --permanent --add-interface option is s uppos e d to be us e d only for inte rface s that are not manage d by the Net wo rkManager utility. This is be caus e
Net wo rkManager, or the le gacy ne twork s e rvice , adds inte rface s into zone s automatically according to the ZONE= dire ctive in the ifcfg inte rface configuration file . Se e the Re d Hat Ente rpris e Linux 7 Ne tworking Guide for information on
Net wo rkManager and working with ifcfg file s .
To ge t a te xt dis play of the s tate of firewalld , e nte r the following command:
~]$ firewall-cmd --state
To vie w the lis t of active zone s , with a lis t of the inte rface s curre ntly as s igne d to the m, e nte r the following command:
~]$ firewall-cmd --get-active-zones public
interfaces: em1
To find out the zone that an inte rface , for e xample e m1, is curre ntly as s igne d to, e nte r the following command:
78

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]$ firewall-cmd --get-zone-of-interface=em1 public
To find out all the inte rface s as s igne d to a zone , for e xample the public zone , e nte r the following command as root :
~]# firewall-cmd --zone=public --list-interfaces em1 wlan0
This information is obtaine d from Net wo rkManager and only s hows inte rface s , not conne ctions .
To find out all the s e ttings of a zone , for e xample the public zone , e nte r the following command as root :
~]# firewall-cmd --zone=public --list-all public
interfaces:
services: mdns dhcpv6-client ssh
ports:
forward-ports:
icmp-blocks: source-quench
To vie w the lis t of s e rvice s curre ntly loade d, e nte r the following command as root :
~]# firewall-cmd --get-services cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https ntp vnc-server telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
This will lis t the name s of the pre de fine d s e rvice s loade d from
/usr/lib/firewalld/services/ as we ll as any cus tom s e rvice s that are curre ntly loade d. Note that the configuration file s the ms e lve s are name d service-name.xml
.
If cus tom s e rvice s have be e n cre ate d but not loade d, the y can be lis te d as follows :
~]# firewall-cmd --permanent --get-services
This will lis t all s e rvice s , including cus tom s e rvice s configure d in
/etc/firewalld/services/ , e ve n if the y are not ye t loade d.
4.5.3.4.1. Dro p All Packet s (Panic Mo de)
To s tart dropping all incoming and outgoing packe ts , e nte r the following command as root :
~]# firewall-cmd --panic-on
All incoming and outgoing packe ts will be droppe d. Active conne ctions will be te rminate d afte r a pe riod of inactivity; the time take n de pe nds on the individual s e s s ion time out value s .
79

Se curit y Guide
To s tart pas s ing incoming and outgoing packe ts again, e nte r the following command as root :
~]# firewall-cmd --panic-off
Afte r dis abling panic mode , e s tablis he d conne ctions might work again if panic mode was e nable d for a s hort pe riod of time .
To find out if panic mode is e nable d or dis able d, e nte r the following command:
~]$ firewall-cmd --query-panic
Prints yes with e xit s tatus 0 if e nable d and no with e xit s tatus 1 othe rwis e .
4.5.3.4.2. Relo ad t he Firewall Using t he Co mmand Line Int erf ace (CLI)
To re load the fire wall without inte rrupting us e r conne ctions (without los ing s tate information), e nte r the following command as root :
~]# firewall-cmd --reload
A fire wall re load involve s re loading all configuration file s and re cre ating the whole fire wall configuration. While re loading, the policy for built-in chains is s e t to DROP for s e curity re as ons and is the n re s e t to ACCEPT at the e nd. Se rvice dis ruption is the re fore pos s ible during the re load.
To re load the fire wall and inte rrupt us e r conne ctions , dis carding s tate information, e nte r the following command as root :
~]# firewall-cmd --complete-reload
This command s hould normally only be us e d in cas e of s e ve re fire wall proble ms . For e xample , if the re are s tate information proble ms and no conne ction can be e s tablis he d but the fire wall rule s are corre ct.
4.5.3.4.3. Add an Int erf ace t o a Zo ne Using t he Co mmand Line Int erf ace (CLI)
To add an inte rface to a zone (for e xample , to add e m1 to the public zone ), e nte r the following command as root :
~]# firewall-cmd --zone=public --add-interface=em1
To make this s e tting pe rs is te nt, re pe at the commands adding the --permanent option.
4.5.3.4.4. Add an Int erf ace t o a Zo ne by Edit ing t he Int erf ace Co nf igurat io n
File
To add an inte rface to a zone by e diting the ifcfg-em1 configuration file (for e xample , to add e m1 to the work zone ), add the following line to ifcfg-em1 as root :
ZONE=work
Note that if you omit the ZONE option, or us e ZONE= , or ZONE='' , the n the de fault zone will be us e d.
80

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Net wo rkManager will automatically re conne ct and the zone will be s e t accordingly.
4.5.3.4.5. Co nf igure t he Def ault Zo ne by Edit ing t he f irewalld Co nf igurat io n
File
As root , ope n /etc/firewalld/firewalld.conf
and e dit the file as follows :
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Re load the fire wall by e nte ring the following command as root :
~]# firewall-cmd --reload
This will re load the fire wall without los ing s tate information (TCP s e s s ions will not be te rminate d), but s e rvice dis ruption is pos s ible during the re load.
4.5.3.4.6. Set t he Def ault Zo ne by Using t he Co mmand Line Int erf ace (CLI)
To s e t the de fault zone (to public , for e xample ), e nte r the following command as root :
~]# firewall-cmd --set-default-zone=public
This change will take imme diate e ffe ct and in this cas e it is not ne ce s s ary to re load the fire wall.
4.5.3.4.7. Open Po rt s in t he Firewall Using t he Co mmand Line Int erf ace (CLI)
To lis t all ope n ports for a zone ( dmz , for e xample ), e nte r the following command as root :
~]# firewall-cmd --zone=dmz --list-ports
Note that this will not s how ports ope ne d as a re s ult of the --add-services command.
To add a port to a zone (for e xample , to allow TCP traffic to port 8080 to the dmz zone ), e nte r the following command as root :
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
To add a range of ports to a zone (for e xample , to allow the ports from 5060 to 5061 to the public zone , e nte r the following command as root :
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
4.5.3.4.8. Add a Service t o a Zo ne Using t he Co mmand Line Int erf ace (CLI)
To add a s e rvice to a zone (for e xample , to allow SMTP to the work zone ), e nte r the following command as root :
81

Se curit y Guide
~]# firewall-cmd --zone=work --add-service=smtp
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
4.5.3.4.9. Remo ve a Service f ro m a Zo ne Using t he Co mmand Line Int erf ace
(CLI)
To re move a s e rvice from a zone (for e xample , to re move SMTP from the work zone ), e nte r the following command as root :
~]# firewall-cmd --zone=work --remove-service=smtp
To make this change pe rs is te nt, re pe at the command adding the --permanent option. This change will not bre ak e s tablis he d conne ctions . If that is your inte ntion, you can us e the -complete-reload option, but this will bre ak all e s tablis he d conne ctions —not jus t for the s e rvice you have re move d.
4.5.3.4.10 . Add a Service t o a Zo ne by Edit ing XML Files
To vie w the de fault zone file s , e nte r the following command as root :
~]# ls /usr/lib/firewalld/zones/ block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
The s e file s mus t not be e dite d. The y are us e d by de fault if no e quivale nt file e xis ts in the
/etc/firewalld/zones/ dire ctory.
To vie w the zone file s that have be e n change d from the de fault, e nte r the following command as root :
~]# ls /etc/firewalld/zones/ external.xml public.xml public.xml.old
In the e xample s hown above , the work zone file doe s not e xis t. To add the work zone file , e nte r the following command as root :
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now e dit the file in the /etc/firewalld/zones/ dire ctory. If you de le te the file , firewalld will fall back to us ing the de fault file in /usr/lib/firewalld/zones/ .
To add a s e rvice to a zone (for e xample , to allow SMTP to the work zone ), add the following line to the /etc/firewalld/zones/work.xml
file as root :
<service name="smtp"/>
4.5.3.4.11. Remo ve a Service f ro m a Zo ne by Edit ing XML f iles
An e ditor running with root privile ge s is re quire d to e dit the XML zone file s . To vie w the file s for pre vious ly configure d zone s , e nte r the following command as root :
~]# ls /etc/firewalld/zones/ external.xml public.xml work.xml
82

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
To re move a s e rvice from a zone (for e xample , to re move SMTP from the work zone ), us e an e ditor with root privile ge s to e dit the /etc/firewalld/zones/work.xml
file to re move the following line :
<service name="smtp"/>
If no othe r change s have be e n made to the work.xml
file , it can be re move d and firewalld will us e the de fault /usr/lib/firewalld/zones/work.xml
configuration file afte r the ne xt re load or s ys te m boot.
4.5.3.4.12. Co nf igure IP Address Masquerading
To che ck if IP mas que rading is e nable d (for the external zone , for e xample ), e nte r the following command as root :
~]# firewall-cmd --zone=external --query-masquerade
The command prints yes with e xit s tatus 0 if e nable d. It prints no with e xit s tatus 1 othe rwis e . If zone is omitte d, the de fault zone will be us e d.
To e nable IP mas que rading, e nte r the following command as root :
~]# firewall-cmd --zone=external --add-masquerade
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
To dis able IP mas que rading, e nte r the following command as root :
~]# firewall-cmd --zone=external --remove-masquerade
To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
4.5.3.4.13. Co nf igure Po rt Fo rwarding Using t he Co mmand Line Int erf ace (CLI)
To forward inbound ne twork packe ts from one port to an alte rnative port or addre s s , firs t e nable IP addre s s mas que rading for a zone ( external , for e xample ), by e nte ring the following command as root :
~]# firewall-cmd --zone=external --add-masquerade
To forward packe ts to a local port (a port on the s ame s ys te m), e nte r the following command as root :
~]# firewall-cmd --zone=external --add-forward- port=port=22:proto=tcp:toport=3753
In this e xample , the packe ts inte nde d for port 22 are now forwarde d to port 3753 . The original de s tination port is s pe cifie d with the port option. This option can be a port or port range , toge the r with a protocol. The protocol, if s pe cifie d, mus t be one of e ithe r tcp or udp . The ne w local port (the port or range of ports to which the traffic is be ing forwarde d to) is s pe cifie d with the toport option. To make this s e tting pe rs is te nt, re pe at the commands adding the --permanent option.
83

Se curit y Guide
To forward packe ts to anothe r IPv4 addre s s , us ually an inte rnal addre s s , without changing the de s tination port, e nte r the following command as root :
~]# firewall-cmd --zone=external --add-forward- port=port=22:proto=tcp:toaddr=192.0.2.55
In this e xample , the packe ts inte nde d for port 22 are now forwarde d to the s ame port at the addre s s give n with the toaddr . The original de s tination port is s pe cifie d with the port option. This option can be a port or port range , toge the r with a protocol. The protocol, if s pe cifie d, mus t be one of e ithe r tcp or udp . The ne w de s tination port (the port or range of ports to which the traffic is be ing forwarde d to) is s pe cifie d with the toport option. To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
To forward packe ts to anothe r port at anothe r IPv4 addre s s , us ually an inte rnal addre s s , e nte r the following command as root :
~]# firewall-cmd --zone=external /
--add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this e xample , the packe ts inte nde d for port 22 are now forwarde d to port 2055 at the addre s s give n with the toaddr option. The original de s tination port is s pe cifie d with the port option. This option can be a port or port range , toge the r with a protocol. The protocol, if s pe cifie d, mus t be one of e ithe r tcp or udp . The ne w de s tination port, the port or range of ports to which the traffic is be ing forwarde d to, is s pe cifie d with the toport option. To make this s e tting pe rs is te nt, re pe at the command adding the --permanent option.
The configuration s e ttings for f irewalld are s tore d in XML file s in the /etc/firewalld/ dire ctory. Do not e dit the file s in the /usr/lib/firewalld/ dire ctory (the file s de fine the de fault s e ttings ). You will ne e d root us e r pe rmis s ions to vie w and e dit the XML file s . The
XML file s are e xplaine d in thre e man page s : firewalld.icmptype(5) man page — De s cribe s XML configuration file s for ICMP filte ring.
firewalld.service(5) man page — De s cribe s XML configuration file s for f irewalld
service.
firewalld.zone(5) man page — De s cribe s XML configuration file s for firewalld zone configuration.
The XML file s can be cre ate d and e dite d dire ctly or cre ate d indire ctly us ing the graphical and command line tools . Organizations can dis tribute the m in RPM file s which can make manage me nt and ve rs ion control e as ie r. Tools s uch as Puppet can dis tribute s uch configuration file s .
It is pos s ible to add and re move chains during runtime by us ing the --direct option with the f irewall-cmd tool. A fe w e xample s are pre s e nte d he re , s e e the firewall-cmd(1) man page for more information.
It is dange rous to us e the dire ct inte rface if you are not ve ry familiar with ipt ables as you could inadve rte ntly caus e a bre ach in the fire wall.
84

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
The dire ct inte rface mode is inte nde d for s e rvice s or applications to add s pe cific fire wall rule s during runtime . The rule s can be made pe rmane nt by adding the --permanent option us ing the firewall-cmd --permanent --direct command or by modifying
/etc/firewalld/direct.xml
. Se e man firewalld.direct(5) for information on the
/etc/firewalld/direct.xml
file .
4.5.3.6.1. Adding a Cust o m Rule Using t he Direct Int erf ace
To add a cus tom rule to the “IN_public_allow” chain, is s ue the following command as root :
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the s e tting pe rs is te nt.
4.5.3.6.2. Remo ving a Cust o m Rule Using t he Direct Int erf ace
To re move a cus tom rule from the “IN_public_allow” chain, is s ue the following command as root :
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the s e tting pe rs is te nt.
4.5.3.6.3. List ing Cust o m Rules Using t he Direct Int erf ace
To lis t the rule s in the “IN_public_allow” chain, is s ue the following command as root :
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lis ts rule s pre vious ly adde d us ing the --add-rule option. It doe s not lis t e xis ting ipt ables rule s adde d by othe r me ans .
With the “rich language ” s yntax, comple x fire wall rule s can be cre ate d in a way that is e as ie r to unde rs tand than the dire ct-inte rface me thod. In addition, the s e ttings can be made pe rmane nt. The language us e s ke ywords with value s and is an abs tract re pre s e ntation of ipt ables rule s . Zone s can be configure d us ing this language , the curre nt configuration me thod will s till be s upporte d.
4.5.3.7.1. Fo rmat o f t he Rich Language Co mmands
All the commands in this s e ction ne e d to be run as root . The format of the command to add a rule is as follows : firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
This will add a rich language rule rule for zone zone. This option can be s pe cifie d multiple time s . If the zone is omitte d, the de fault zone is us e d. If a time out is s upplie d, the rule or rule s only s tay active for the amount of time s pe cifie d and will be re move d automatically afte rwards . The time value can be followe d by s (s e conds ), m (minute s ), or h (hours ) to s pe cify the unit of time . The de fault is s e conds .
85

Se curit y Guide
To re move a rule : firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will re move a rich language rule rule for zone zone. This option can be s pe cifie d multiple time s . If the zone is omitte d, the de fault zone is us e d.
To che ck if a rule is pre s e nt: firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will re turn whe the r a rich language rule rule has be e n adde d for the zone zone. The command prints yes with e xit s tatus 0 if e nable d. It prints no with e xit s tatus 1 othe rwis e .
If the zone is omitte d, the de fault zone is us e d.
For information about the rich language re pre s e ntation us e d in the zone configuration file s , s e e the fire walld.zone (5) man page .
4.5.3.7.2. Underst anding t he Rich Rule St ruct ure
The format or s tructure of the rich rule commands is as follows : rule [family="rule family"]
[ source address="address" [invert="True"] ]
[ destination address="address" [invert="True"] ]
[ element ]
[ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
[ audit ]
[ action ]
A rule is as s ociate d with a particular zone . A zone can have s e ve ral rule s . If s ome rule s inte ract or contradict, the firs t rule that matche s the packe t applie s .
4.5.3.7.3. Underst anding t he Rich Rule Co mmand Opt io ns family
If the rule family is provide d, e ithe r ipv4 or ipv6 , it limits the rule to IPv4 or IPv6 re s pe ctive ly. If the rule family is not provide d, the rule is adde d for both IPv4 and
IPv6 . If s ource or de s tination addre s s e s are us e d in a rule , the n the rule family ne e ds to be provide d. This is als o the cas e for port forwarding.
So urce and Dest inat io n Addresses source
By s pe cifying the s ource addre s s the origin of a conne ction atte mpt can be limite d to the s ource addre s s . A s ource addre s s or addre s s range is e ithe r an IP addre s s or a ne twork IP addre s s with a mas k for IPv4 or IPv6 . The ne twork family ( IPv4 or IPv6 ) will be automatically dis cove re d. For IPv4 , the mas k can be a ne twork mas k or a plain numbe r. For IPv6 the mas k is a plain numbe r. The us e of hos t name s is not s upporte d. It is pos s ible to inve rt the s e ns e of the s ource addre s s command by adding invert ="true" or invert ="yes"; all but the s upplie d addre s s will match.
86

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s destination
By s pe cifying the de s tination addre s s the targe t can be limite d to the de s tination addre s s . The de s tination addre s s us e s the s ame s yntax as the s ource addre s s .
The us e of s ource and de s tination addre s s e s is optional and the us e of a de s tination addre s s e s is not pos s ible with all e le me nts . This de pe nds on the us e of de s tination addre s s e s , for e xample in s e rvice e ntrie s .
Element s
The e le me nt can be o nly o ne of the following e le me nt type s : service , port , protocol , masquerade , icmp-block and forward-port .
service
The s e rvice e le me nt is one of the f irewalld provide d s e rvice s . To ge t a lis t of the pre de fine d s e rvice s , is s ue the following command:
~]$ firewall-cmd --get-services
If a s e rvice provide s a de s tination addre s s , it will conflict with a de s tination addre s s in the rule and will re s ult in an e rror. The s e rvice s us ing de s tination addre s s e s inte rnally are mos tly s e rvice s us ing multicas t. The command take s the following form: service name=service_name port
The port e le me nt can e ithe r be a s ingle port numbe r or a port range , for e xample , 5060-5062 , followe d by the protocol, e ithe r as tcp or udp . The command take s the following form: port port=number_or_range protocol=protocol protocol
The protocol value can be e ithe r a protocol ID numbe r or a protocol name . For allowe d protocol e ntrie s , s e e /etc/protocols . The command take s the following form: protocol value=protocol_name_or_ID icmp-block
Us e this command to block one or more ICMP type s . The ICMP type is one of the
ICMP type s f irewalld s upports . To ge t a lis ting of s upporte d ICMP type s , is s ue the following command:
~]$ firewall-cmd --get-icmptypes
Spe cifying an action is not allowe d he re . icmp-block us e s the action reject inte rnally. The command take s the following form: icmp-block name=icmptype_name
87

Se curit y Guide masquerade
Turns on IP mas que rading in the rule . A s ource addre s s can be provide d to limit mas que rading to this are a, but not a de s tination addre s s . Spe cifying an action is not allowe d he re .
forward-port
Forward packe ts from a local port with protocol s pe cifie d as tcp or udp to e ithe r anothe r port locally, to anothe r machine , or to anothe r port on anothe r machine .
The port and to-port can e ithe r be a s ingle port numbe r or a port range . The de s tination addre s s is a s imple IP addre s s . Spe cifying an action is not allowe d he re . The forward-port command us e s the action accept inte rnally. The command take s the following form: forward-port port=number_or_range protocol=protocol /
to-port=number_or_range to-addr=address
Lo gging log
Log ne w conne ction atte mpts to the rule with ke rne l logging, for e xample in s ys log. You can de fine a pre fix te xt that will be adde d to the log me s s age as a pre fix. Log le ve l can be one of emerg , alert , crit , error , warning , notice , info or debug . The us e of log is optional. It is pos s ible to limit logging as follows : log [prefix=prefix text] [level=log level] limit value=rate/duration
The rate is a natural pos itive numbe r [1, ..], the duration of s , m , h , d . s me ans s e conds , m minute s , h hours and d days . The maximum limit value is 1/d which me ans at maximum one log e ntry pe r day.
audit
Audit provide s an alte rnative way for logging us ing audit re cords s e nt to the s e rvice auditd . The audit type can be one of ACCEPT , REJECT or DROP but it is not s pe cifie d afte r the command audit as the audit type will be automatically gathe re d from the rule action. Audit doe s not have its own parame te rs , but limit can be adde d optionally. The us e of audit is optional.
Act io n accept|reject|drop
An action can be one of accept , reject or drop . The rule can only contain an e le me nt or a s ource . If the rule contains an e le me nt, the n ne w conne ctions matching the e le me nt will be handle d with the action. If the rule contains a s ource , the n e ve rything from the s ource addre s s will be handle d with the action s pe cifie d.
accept | reject [type=reject type] | drop
88

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
With accept all ne w conne ction atte mpts will be grante d. With reject the y will be re je cte d and the ir s ource will ge t a re je ct me s s age . The re je ct type can be s e t to us e anothe r value . With drop all packe ts will be droppe d imme diate ly and no information is s e nt to the s ource .
4.5.3.7.4. Using t he Rich Rule Lo g Co mmand
Logging can be done with the Net f ilt er log targe t and als o with the audit targe t. A ne w chain is adde d to all zone s with a name in the format “zone_log”, whe re zone is the zone name . This is proce s s e d be fore the deny chain in orde r to have prope r orde ring. The rule s or parts of the m are place d in s e parate chains , according to the action of the rule , as follows :
zone_log
zone_deny
zone_allow
All logging rule s will be place d in the “zone_log” chain, which will be pars e d firs t. All reject and drop rule s will be place d in the “zone_de ny” chain, which will be pars e d afte r the log chain. All accept rule s will be place d in the “zone_allow” chain, which will be pars e d afte r the deny chain. If a rule contains log and als o deny or allow actions , the parts of the rule that s pe cify the s e actions are place d in the matching chains .
4.5.3.7.4.1. Using t he Rich Rule Lo g Co mmand Example 1
Enable ne w IPv4 and IPv6 conne ctions for authe ntication he ade r protocol AH : rule protocol value="ah" accept
4.5.3.7.4.2. Using t he Rich Rule Lo g Co mmand Example 2
Allow ne w IPv4 and IPv6 conne ctions for protocol FTP and log 1 pe r minute us ing audit: rule service name="ftp" log limit value="1/m" audit accept
4.5.3.7.4.3. Using t he Rich Rule Lo g Co mmand Example 3
Allow ne w IPv4 conne ctions from addre s s 192.168.0.0/24 for protocol TFTP and log 1 pe r minute us ing s ys log: rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
4.5.3.7.4.4. Using t he Rich Rule Lo g Co mmand Example 4
Ne w IPv6 conne ctions from 1:2:3:4:6:: for protocol RADIUS are all re je cte d and logge d at a rate of 3 pe r minute . Ne w IPv6 conne ctions from othe r s ource s are acce pte d: rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject rule family="ipv6" service name="radius" accept
4.5.3.7.4.5. Using t he Rich Rule Lo g Co mmand Example 5
89

Se curit y Guide
Forward IPv6 packe ts re ce ive d from 1:2:3:4:6:: on port 4011 with protocol TCP to
1::2:3:4:7 on port 4012.
rule family="ipv6" source address="1:2:3:4:6::" forward-port toaddr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
4.5.3.7.4.6. Using t he Rich Rule Lo g Co mmand Example 6
White lis t a s ource addre s s to allow all conne ctions from this s ource .
rule family="ipv4" source address="192.168.2.2" accept
Se e the firewalld.richlanguage(5) man page for more e xample s .
Local applications or s e rvice s are able to change the fire wall configuration if the y are running as root (for e xample , libvirt ). With this fe ature , the adminis trator can lock the fire wall configuration s o that e ithe r no applications , or only applications that are adde d to the lockdown white lis t, are able to re que s t fire wall change s . The lockdown s e ttings de fault to dis able d. If e nable d, the us e r can be s ure that the re are no unwante d configuration change s made to the fire wall by local applications or s e rvice s .
4.5.3.8.1. Co nf iguring Firewall Lo ckdo wn
Us ing an e ditor running as root , add the following line to the
/etc/firewalld/firewalld.conf
file as follows :
Lockdown=yes
Re load the fire wall us ing the following command as root :
~]# firewall-cmd --reload
Try to e nable the imaps s e rvice in the de fault zone us ing the following command as an adminis trative us e r (a us e r in the wheel group; us ually the firs t us e r on the s ys te m). You will be prompte d for the us e r pas s word:
~]$ firewall-cmd --add-service=imaps
Error: ACCESS_DENIED: lockdown is enabled
To e nable the us e of f irewall-cmd, is s ue the following command as root :
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es
/usr/bin/firewall-cmd*'
Add the --permanent option if you want to make it pe rs is te nt.
Re load the fire wall as root :
~]# firewall-cmd --reload
90

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Try to e nable the imaps s e rvice again in the de fault zone by e nte ring the following command as an adminis trative us e r. You will be prompte d for the us e r pas s word:
~]$ firewall-cmd --add-service=imaps
This time the command s ucce e ds .
4.5.3.8.2. Co nf igure Lo ckdo wn wit h t he Co mmand Line Client
To que ry whe the r lockdown is e nable d, e nte r the following command as root :
~]# firewall-cmd --query-lockdown
Prints yes with e xit s tatus 0 , if lockdown is e nable d, prints no with e xit s tatus 1 othe rwis e .
To e nable lockdown, e nte r the following command as root :
~]# firewall-cmd --lockdown-on
To dis able lockdown, e nte r the following command as root :
~]# firewall-cmd --lockdown-off
4.5.3.8.3. Co nf igure Lo ckdo wn Whit elist Opt io ns wit h t he Co mmand Line
The lockdown white lis t can contain commands , s e curity conte xts , us e rs and us e r IDs . If a command e ntry on the white lis t e nds with an as te ris k “*”, the n all command line s s tarting with that command will match. If the “*” is not the re the n the abs olute command including argume nts mus t match.
The conte xt is the s e curity (SELinux) conte xt of a running application or s e rvice . To ge t the conte xt of a running application us e the following command:
~]$ ps -e --context
That command re turns all running applications . Pipe the output through the grep tool to ge t the application of inte re s t. For e xample :
~]$ ps -e --context | grep example_program
To lis t all command line s that are on the white lis t, e nte r the following command as root :
~]# firewall-cmd --list-lockdown-whitelist-commands
To add a command command to the white lis t, e nte r the following command as root :
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es
/usr/bin/command'
To re move a command command from the white lis t, e nte r the following command as root :
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -
Es /usr/bin/command'
91

Se curit y Guide
To que ry whe the r the command command is on the white lis t, e nte r the following command as root :
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es
/usr/bin/command'
Prints yes with e xit s tatus 0 , if true , prints no with e xit s tatus 1 othe rwis e .
To lis t all s e curity conte xts that are on the white lis t, e nte r the following command as root :
~]# firewall-cmd --list-lockdown-whitelist-contexts
To add a conte xt context to the white lis t, e nte r the following command as root :
~]# firewall-cmd --add-lockdown-whitelist-context=context
Add the --permanent option to make it pe rs is te nt.
To re move a conte xt context from the white lis t, e nte r the following command as root :
~]# firewall-cmd --remove-lockdown-whitelist-context=context
Add the --permanent option to make it pe rs is te nt.
To que ry whe the r the conte xt context is on the white lis t, e nte r the following command as root :
~]# firewall-cmd --query-lockdown-whitelist-context=context
Prints yes with e xit s tatus 0 , if true , prints no with e xit s tatus 1 othe rwis e .
To lis t all us e r IDs that are on the white lis t, e nte r the following command as root :
~]# firewall-cmd --list-lockdown-whitelist-uids
To add a us e r ID uid to the white lis t, e nte r the following command as root :
~]# firewall-cmd --add-lockdown-whitelist-uid=uid
Add the --permanent option to make it pe rs is te nt.
To re move a us e r ID uid from the white lis t, e nte r the following command as root :
~]# firewall-cmd --remove-lockdown-whitelist-uid=uid
Add the --permanent option to make it pe rs is te nt.
To que ry whe the r the us e r ID uid is on the white lis t, e nte r the following command:
~]$ firewall-cmd --query-lockdown-whitelist-uid=uid
Prints yes with e xit s tatus 0 , if true , prints no with e xit s tatus 1 othe rwis e .
To lis t all us e r name s that are on the white lis t, e nte r the following command as root :
92

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]# firewall-cmd --list-lockdown-whitelist-users
To add a us e r name user to the white lis t, e nte r the following command as root :
~]# firewall-cmd --add-lockdown-whitelist-user=user
Add the --permanent option to make it pe rs is te nt.
To re move a us e r name user from the white lis t, e nte r the following command as root :
~]# firewall-cmd --remove-lockdown-whitelist-user=user
Add the --permanent option to make it pe rs is te nt.
To que ry whe the r the us e r name user is on the white lis t, e nte r the following command:
~]$ firewall-cmd --query-lockdown-whitelist-user=user
Prints yes with e xit s tatus 0 , if true , prints no with e xit s tatus 1 othe rwis e .
4.5.3.8.4. Co nf igure Lo ckdo wn Whit elist Opt io ns wit h Co nf igurat io n Files
The de fault white lis t configuration file contains the Net wo rkManager conte xt and the de fault conte xt of libvirt . Als o the us e r ID 0 is in the lis t.
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
<selinux context="system_u:system_r:NetworkManager_t:s0"/>
<selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
<user id="0"/>
</whitelist>
He re follows an e xample white lis t configuration file e nabling all commands for the firewall-cmd utility, for a us e r calle d user whos e us e r ID is 815 :
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
<command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
<selinux context="system_u:system_r:NetworkManager_t:s0"/>
<user id="815"/>
<user name="user"/>
</whitelist>
In this e xample we have s hown both user id and user name but only one is re quire d.
Python is the inte rpre te r and the re fore pre pe nde d to the command line . You can als o us e a ve ry s pe cific command, for e xample :
/usr/bin/python /bin/firewall-cmd --lockdown-on
In that e xample only the --lockdown-on command will be allowe d.
93

Se curit y Guide
Note
In Re d Hat Ente rpris e Linux 7, all utilitie s are now place d in /usr/bin/ and the /bin/ dire ctory is s ym-linke d to the /usr/bin/ dire ctory. In othe r words , although the path for firewall-cmd whe n run as root might re s olve to /bin/firewall-cmd ,
/usr/bin/firewall-cmd can now be us e d. All ne w s cripts s hould us e the ne w location but be aware that if s cripts that run as root have be e n writte n to us e the
/bin/firewall-cmd path the n that command path mus t be white lis te d in addition to the /usr/bin/firewall-cmd path traditionally us e d only for nonroot us e rs .
The “*” at the e nd of the name attribute of a command me ans that all commands that s tart with this s tring will match. If the “*” is not the re the n the abs olute command including argume nts mus t match.
To us e the iptables and ip6tables s e rvice s ins te ad of firewalld , firs t dis able firewalld by running the following command as root :
~]# systemctl disable firewalld
~]# systemctl stop firewalld
The n ins tall the iptables-services package by e nte ring the following command as root :
~]# yum install iptables-services
The iptables-services package contains the iptables s e rvice and the ip6tables s e rvice .
The n, to s tart the iptables and ip6tables s e rvice s , run the following commands as root :
~]# systemctl start iptables
~]# systemctl start ip6tables
To e nable the s e rvice s to s tart on e ve ry s ys te m s tart, e nte r the following commands :
~]# systemctl enable iptables
~]# systemctl enable ip6tables
The ipset utility is us e d to adminis te r IP sets in the Linux ke rne l. An IP s e t is a frame work for s toring IP addre s s e s , port numbe rs , IP and MAC addre s s pairs , or IP addre s s and port numbe r pairs . The s e ts are inde xe d in s uch a way that ve ry fas t matching can be made agains t a s e t e ve n whe n the s e ts are ve ry large . IP s e ts e nable s imple r and more manage able configurations as we ll as providing pe rformance advantage s whe n us ing
ipt ables. The ipt ables matche s and targe ts re fe rring to s e ts cre ate re fe re nce s which prote ct the give n s e ts in the ke rne l. A s e t cannot be de s troye d while the re is a s ingle re fe re nce pointing to it.
The us e of ipset e nable s ipt ables commands , s uch as thos e be low, to be re place d by a s e t:
94

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]# iptables -A INPUT -s 10.0.0.0/8 -j DROP
~]# iptables -A INPUT -s 172.16.0.0/12 -j DROP
~]# iptables -A INPUT -s 192.168.0.0/16 -j DROP
The s e t is cre ate d as follows :
~]# ipset create my-block-set hash:net
~]# ipset add my-block-set 10.0.0.0/8
~]# ipset add my-block-set 172.16.0.0/12
~]# ipset add my-block-set 192.168.0.0/16
The s e t is the n re fe re nce d in an ipt ables command as follows :
~]# iptables -A INPUT -m set --set my-block-set src -j DROP
If the s e t is us e d more than once a s aving in configuration time is made . If the s e t contains many e ntrie s a s aving in proce s s ing time is made .
4.5.4.1.1. Using IP Set s wit h f irewalld
To us e IP s e ts with f irewalld, a pe rmane nt dire ct rule is re quire d to re fe re nce the s e t, and a cus tom s e rvice mus t be cre ate d and s tarte d be fore f irewalld s tarts for e ve ry ipset . You can add pe rmane nt dire ct rule s with the /etc/firewalld/direct.xml
file .
Pro cedure 4.1. Co nf iguring a Cust o m Service f o r an IP Set
Configure a cus tom s e rvice to cre ate and load the IP s e t s tructure be fore f irewalld s tarts .
1. Us ing an e ditor running as root , cre ate a file as follows :
~]# vi /etc/systemd/system/ipset_name.service
[Unit]
Description=ipset_name
Before=firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ipset_name.sh start
ExecStop=/usr/local/bin/ipset_name.sh stop
[Install]
WantedBy=basic.target
2. Us e the IP s e t pe rmane ntly in f irewalld:
~]# vi /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set
--match-set <replaceable>ipset_name</replaceable> src -j
DROP</rule>
</direct>
95

Se curit y Guide
3. A f irewalld re load is re quire d to activate the change s :
~]# firewall-cmd --reload
This will re load the fire wall without los ing s tate information (TCP s e s s ions will not be te rminate d), but s e rvice dis ruption is pos s ible during the re load.
4.5.4.1.2. Inst alling ipset
To ins tall the ipset utility, is s ue the following command as root :
~]# yum install ipset
To s e e the us age me s s age :
~]$ ipset --help ipset v6.11
Usage: ipset [options] COMMAND output truncated
4.5.4.1.3. ipset Co mmands
The format of the ipset command is as follows : ipset [options] command [command-options]
Whe re command is one of: create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | -
Allowe d options are :
-exist | -output [ plain | save | xml ] | -quiet | -resolve | -sorted |
-name | -terse
The create command is us e d to cre ate a ne w data s tructure to s tore a s e t of IP data. The add command adds ne w data to the s e t, the data adde d is re fe rre d to as an e le me nt of the s e t.
The -exist option s uppre s s e s e rror me s s age if the e le me nt alre ady e xis ts , and it has a s pe cial role in updating a time out value . To change a time out, us e the ipset add command and s pe cify all the data for the e le me nt again, changing only the time out value as re quire d, and us ing the -exist option.
The test option is for te s ting if the e le me nt alre ady e xis ts within a s e t.
The format of the create command is as follows : ipset create set-name type-name [create-options]
96

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
The set-name is a s uitable name chos e n by the us e r, the type-name is the name of the data s tructure us e d to s tore the data compris ing the s e t. The format of the type-name is as follows : method:datatype[,datatype[,datatype]]
The allowe d me thods for s toring data are :
bitmap | hash | list
The allowe d data type s are : ip | net | mac | port | iface
Whe n adding, de le ting, or te s ting e ntrie s in a s e t, the s ame comma s e parate d data s yntax mus t be us e d for the data that make s up one e ntry, or e le me nt, in the s e t. For e xample : ipset add set-name ipaddr,portnum,ipaddr
Note
A s e t cannot contain IPv4 and IPv6 addre s s e s at the s ame time . Whe n a s e t is cre ate d it is bound to a family, inet for IPv4 or inet6 for IPv6 , and the de fault is inet .
Example 4.2. Creat e an IP Set
To cre ate an IP s e t cons is ting of a s ource IP addre s s , a port, and de s tination IP addre s s , is s ue a command as follows :
~]# ipset create my-set hash:ip,port,ip
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-set 192.168.1.2,80,192.168.2.2
~]# ipset add my-set 192.168.1.2,443,192.168.2.2
The s e t type s have the following optional parame te rs in common. The y mus t be s pe cifie d whe n the s e t is cre ate d in orde r for the m to be us e d: timeout — The value give n with the create command will be the de fault value for the s e t cre ate d. If a value is give n with the add command, it will be the initial non-de fault value for the e le me nt.
counters — If the option is give n with the create command the n packe t and byte counte rs are cre ate d for e ve ry e le me nt in the s e t. If no value is give n with the add command the n the counte rs s tart from ze ro.
97

Se curit y Guide comment — If the option is give n with the create command the n a quote d s tring of te xt can be pas s e d with the add command to docume nt the purpos e of the e le me nt be ing adde d. Note that quotation marks are not allowe d within the s tring, and e s cape characte rs will have no e ffe ct within IP s e t.
Example 4.3. List an IP Set
To lis t the conte nts of a s pe cific IP Se t, my-set , is s ue a command as follows :
~]# ipset list my-set
Name: my-set
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8360
References: 0
Members:
192.168.1.2,tcp:80,192.168.2.2
192.168.1.2,tcp:443,192.168.2.2
Omit the s e t name to lis t all s e ts .
Example 4.4. T est t he Element s o f an IP Set
Lis ting the conte nts of large s e ts is time cons uming. You can te s t for the e xis te nce of an e le me nt as follows :
~]# ipset test my-set 192.168.1.2,80,192.168.2.2
192.168.1.2,tcp:80,192.168.2.2 is in set my-set.
4.5.4.1.4. IP Set T ypes bit map:ip
Store s an IPv4 hos t addre s s , a ne twork range , or an IPv4 ne twork addre s s e s with the pre fix-le ngth in CIDR notation if the netmask option is us e d whe n the s e t is cre ate d. It can optionally s tore a time out value , a counte r value , and a comme nt. It can s tore up to 65536 e ntrie s . The command to cre ate the bitmap:ip s e t has the following format: ipset create set-name range start_ipaddr-end_ipaddr
|ipaddr/prefix-length [netmask prefix-length] [timeout value]
[counters] [comment]
Example 4.5. Creat e an IP Set f o r a Range o f Addresses Using a Pref ix Lengt h
To cre ate an IP s e t for a range of addre s s e s us ing a pre fix le ngth, make us e of the bitmap:ip s e t type as follows :
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
98

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]# ipset add my-range 192.168.33.1
Re vie w the me mbe rs of the lis t:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addre s s e s :
~]# ipset add my-range 192.168.33.2-192.168.33.4
Re vie w the me mbe rs of the lis t:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4
Example 4.6. Creat e an IP Set f o r a Range o f Addresses Using a Net mask
To cre ate an IP s e t for a range of addre s s us ing a ne tmas k, make us e of the bitmap:ip s e t type as follows :
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-
192.168.126.0 netmask 24
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-big-range 192.168.124.0
If you atte mpt to add an addre s s , the range containing that addre s s will be adde d:
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24
Size in memory: 84
99

Se curit y Guide
References: 0
Members:
192.168.124.0
192.168.125.0
bit map:ip,mac
Store s an IPv4 addre s s and a MAC addre s s as a pair. It can s tore up to 65536 e ntrie s .
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr
| ipaddr/prefix-length [timeout value ] [counters] [comment]
Example 4.7. Creat e an IP Set f o r a Range o f IPv4 MAC Address Pairs
To cre ate an IP s e t for a range of IPv4 MAC addre s s pairs , make us e of the bitmap:ip,mac s e t type as follows :
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not ne ce s s ary to s pe cify a MAC addre s s whe n cre ating the s e t.
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC bit map:po rt
Store s a range of ports . It can s tore up to 65536 e ntrie s .
ipset create my-port-range bitmap:port range start_port-end_port
[timeout value ] [counters] [comment]
The s e t match and SET targe t ne tfilte r ke rne l module s inte rpre t the s tore d numbe rs as TCP or UDP port numbe rs . The protocol can optionally be s pe cifie d toge the r with the port. The proto only ne e ds to be s pe cifie d if a s e rvice name is us e d, and that name doe s not e xis t as a TCP s e rvice .
Example 4.8. Creat e an IP Set f o r a Range o f Po rt s
To cre ate an IP s e t for a range of ports , make us e of the bitmap:port s e t type as follows :
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-permitted-port-range 5060-5061 hash:ip
100

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Store s a hos t or ne twork addre s s in the form of a has h. By de fault, an addre s s s pe cifie d without a ne twork pre fix le ngth is a hos t addre s s . The all-ze ro IP addre s s cannot be s tore d.
ipset create my-addresses hash:ip [family[ inet | inet6 ]]
[hashsize value] [maxelem value ] [netmask prefix-length]
[timeout value ]
The inet family is the de fault, if family is omitte d addre s s e s will be inte rpre te d as IPv4 addre s s e s . The hashsize value is the initial has h s ize to us e and de faults to 1024 . The maxelem value is the maximum numbe r of e le me nts which can be s tore d in the s e t, it de faults to 65536 .
The net f ilt er tool s e arche s for a ne twork pre fix which is the mos t s pe cific, it trie s to find the s malle s t block of addre s s e s that match.
Example 4.9. Creat e an IP Set f o r IP Addresses
To cre ate an IP s e t for IP addre s s e s , make us e of the hash:ip s e t type as follows :
~]# ipset create my-addresses hash:ip
Once the s e t is cre ate d, e ntrie s can be adde d as follows :
~]# ipset add my-addresses 10.10.10.0
If additional options s uch as ne tmas k and time out are re quire d, the y mus t be s pe cifie d whe n the s e t is cre ate d. For e xample :
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The maxelem option re s tricts to total numbe r of e le me nts in the s e t, thus cons e rving me mory s pace .
The time out option me ans that e le me nts will only e xis t in the s e t for the numbe r of s e conds s pe cifie d. For e xample :
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output s hows the time counting down:
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
101

Se curit y Guide
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
The e le me nt will be re move d from the s e t whe n the time out pe riod e nds .
Se e the ipset(8) manual page for more e xample s .
The following s ource s of information provide additional re s ource s re garding firewalld .
firewalld(1) man page — De s cribe s command options for firewalld .
firewalld.conf(5) man page — Contains information to configure firewalld .
firewall-cmd(1) man page — De s cribe s command options for the firewalld command line clie nt.
firewalld.icmptype(5) man page — De s cribe s XML configuration file s for ICMP filte ring.
firewalld.service(5) man page — De s cribe s XML configuration file s for f irewalld
service.
firewalld.zone(5) man page — De s cribe s XML configuration file s for firewalld zone configuration.
firewalld.direct(5) man page — De s cribe s the firewalld dire ct inte rface configuration file .
firewalld.lockdown-whitelist(5) man page — De s cribe s the firewalld lockdown white lis t configuration file .
firewall.richlanguage(5) man page — De s cribe s the firewalld rich language rule s yntax.
firewalld.zones(5) man page — Ge ne ral de s cription of what zone s are and how to configure the m.
DNSSEC is a s e t of Domain Name System Security Extensions (DNSSEC) that e nable s a DNS clie nt to authe nticate and che ck the inte grity of re s pons e s from a DNS name s e rve r in orde r to ve rify the ir origin and to de te rmine if the y have be e n tampe re d with in trans it.
For conne cting ove r the Inte rne t, a growing numbe r of we bs ite s now offe r the ability to conne ct s e cure ly us ing HTTPS . Howe ve r, be fore conne cting to an HTTPS we bs e rve r, a DNS
102

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s lookup mus t be pe rforme d, unle s s you e nte r the IP addre s s dire ctly. The s e DNS lookups are done ins e cure ly and are s ubje ct to man-in-the-middle attacks due to lack of authe ntication. In othe r words , a DNS clie nt cannot have confide nce that the re plie s that appe ar to come from a give n DNS name s e rve r are authe ntic and have not be e n tampe re d with. More importantly, a re curs ive name s e rve r cannot be s ure that the re cords it obtains from othe r name s e rve rs are ge nuine . The DNS protocol did not provide a me chanis m for the clie nt to e ns ure it was not s ubje ct to a man-in-the -middle attack. DNSSEC was introduce d to addre s s the lack of authe ntication and inte grity che cks whe n re s olving domain name s us ing DNS . It doe s not addre s s the proble m of confide ntiality.
Publis hing DNSSEC information involve s digitally s igning DNS re s ource re cords as we ll as dis tributing public ke ys in s uch a way as to e nable DNS re s olve rs to build a hie rarchical chain of trus t. Digital s ignature s for all DNS re s ource re cords are ge ne rate d and adde d to the zone as digital s ignature re s ource re cords (RRSIG). The public ke y of a zone is adde d as a DNSKEY re s ource re cord. To build the hie rarchical chain, has he s of the DNSKEY are publis he d in the pare nt zone as Delegation of Signing (DS) re s ource re cords . To facilitate proof of non-e xis te nce , the NextSECure (NSEC) and NSEC3 re s ource re cords are us e d. In a
DNSSEC s igne d zone , e ach resource record set (RRs e t) has a corre s ponding RRSIG re s ource re cord. Note that re cords us e d for de le gation to a child zone (NS and glue re cords ) are not s igne d; the s e re cords appe ar in the child zone and are s igne d the re .
Proce s s ing DNSSEC information is done by re s olve rs that are configure d with the root zone public ke y. Us ing this ke y, re s olve rs can ve rify the s ignature s us e d in the root zone .
For e xample , the root zone has s igne d the DS re cord for .com
. The root zone als o s e rve s
NS and glue re cords for the .com
name s e rve rs . The re s olve r follows this de le gation and que rie s for the DNSKEY re cord of .com
us ing the s e de le gate d name s e rve rs . The has h of the DNSKEY re cord obtaine d s hould match the DS re cord in the root zone . If s o, the re s olve r will trus t the obtaine d DNSKEY for .com
. In the .com
zone , the RRSIG re cords are cre ate d by the .com
DNSKEY. This proce s s is re pe ate d s imilarly for de le gations within
.com
, s uch as redhat.com
. Us ing this me thod, a validating DNS re s olve r only ne e ds to be configure d with one root ke y while it colle cts many DNSKEYs from around the world during its normal ope ration. If a cryptographic che ck fails , the re s olve r will re turn SERVFAIL to the application.
DNSSEC has be e n de s igne d in s uch a way that it will be comple te ly invis ible to applications not s upporting DNSSEC. If a non-DNSSEC application que rie s a DNSSEC capable re s olve r, it will re ce ive the ans we r without any of the s e ne w re s ource re cord type s s uch as RRSIG. Howe ve r, the DNSSEC capable re s olve r will s till pe rform all cryptographic che cks , and will s till re turn a SERVFAIL e rror to the application if it de te cts malicious DNS ans we rs . DNSSEC prote cts the inte grity of the data be twe e n DNS s e rve rs
(authoritative and re curs ive ), it doe s not provide s e curity be twe e n the application and the re s olve r. The re fore , it is important that the applications are give n a s e cure trans port to the ir re s olve r. The e as ie s t way to accomplis h that is to run a DNSSEC capable re s olve r on localhost and us e 127.0.0.1
in /etc/resolv.conf
. Alte rnative ly a VPN conne ction to a re mote DNS s e rve r could be us e d.
Wi-Fi Hots pots or VPNs re ly on “DNS lie s ”: Captive portals te nd to hijack DNS in orde r to re dire ct us e rs to a page whe re the y are re quire d to authe nticate (or pay) for the Wi-Fi s e rvice . Us e rs conne cting to a VPN ofte n ne e d to us e an “inte rnal only” DNS s e rve r in orde r to locate re s ource s that do not e xis t outs ide the corporate ne twork. This re quire s additional handling by s oftware . For e xample , dnssec-t rigger can be us e d to de te ct if a
Hots pot is hijacking the DNS que rie s and unbound can act as a proxy name s e rve r to handle the DNSSEC que rie s .
103

Se curit y Guide
To de ploy a DNSSEC capable re curs ive re s olve r, e ithe r BIND or unbound can be us e d.
Both e nable DNSSEC by de fault and are configure d with the DNSSEC root ke y. To e nable
DNSSEC on a s e rve r, e ithe r will work howe ve r the us e of unbound is pre fe rre d on mobile de vice s , s uch as note books , as it allows the local us e r to dynamically re configure the
DNSSEC ove rride s re quire d for Hots pots whe n us ing dnssec-t rigger, and for VPNs whe n us ing Libreswan. The unbound dae mon furthe r s upports the de ployme nt of DNSSEC e xce ptions lis te d in the etc/unbound/*.d/ dire ctorie s which can be us e ful to both s e rve rs and mobile de vice s .
Once unbound is ins talle d and configure d in /etc/resolv.conf
, all DNS que rie s from applications are proce s s e d by unbound . dnssec-t rigger only re configure s the unbound re s olve r whe n trigge re d to do s o. This mos tly applie s to roaming clie nt machine s , s uch as laptops , that conne ct to diffe re nt Wi-Fi ne tworks . The proce s s is as follows :
Net wo rkManager “trigge rs ” dnssec-t rigger whe n a ne w DNS s e rve r is obtaine d via
DHCP .
Dnssec-t rigger the n pe rforms a numbe r of te s ts agains t the s e rve r and de cide s whe the r or not it prope rly s upports DNSSEC.
If it doe s , the n dnssec-t rigger re configure s unbound to us e that DNS s e rve r as a forwarde r for all que rie s .
If the te s ts fail, dnssec-t rigger will ignore the ne w DNS s e rve r and try a fe w available fall-back me thods .
If it de te rmine s that an unre s tricte d port 53 ( UDP and TCP ) is available , it will te ll unbound to be come a full re curs ive DNS s e rve r without us ing any forwarde r.
If this is not pos s ible , for e xample be caus e port 53 is blocke d by a fire wall for e ve rything e xce pt re aching the ne twork's DNS s e rve r its e lf, it will try to us e DNS to port
80, or TLS e ncaps ulate d DNS to port 443. Se rve rs running DNS on port 80 and 443 can be configure d in /etc/dnssec-trigger/dnssec-trigger.conf
. Comme nte d out e xample s s hould be available in the de fault configuration file .
If the s e fall-back me thods als o fail, dnssec-t rigger offe rs to e ithe r ope rate ins e cure ly, which would bypas s DNSSEC comple te ly, or run in “cache only” mode whe re it will not atte mpt ne w DNS que rie s but will ans we r for e ve rything it alre ady has in the cache .
Wi-Fi Hots pots incre as ingly re dire ct us e rs to a s ign-on page be fore granting acce s s to the
Inte rne t. During the probing s e que nce outline d above , if a re dire ction is de te cte d, the us e r is prompte d to as k if a login is re quire d to gain Inte rne t acce s s . The dnssec-trigger
dae mon continue s to probe for DNSSEC re s olve rs e ve ry te n s e conds . Se e Se ction 4.6.8,
“Us ing Dns s e c-trigge r” for information on us ing the dnssec-t rigger graphical utility.
Some type s of VPN conne ctions can conve y a domain and a lis t of name s e rve rs to us e for that domain as part of the VPN tunne l s e tup. On Red Hat Ent erprise Linux, this is s upporte d by Net wo rkManager. This me ans that the combination of unbound , dnssec-
t rigger, and Net wo rkManager can prope rly s upport domains and name s e rve rs provide d by VPN s oftware . Once the VPN tunne l come s up, the local unbound cache is
104

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s flus he d for all e ntrie s of the domain name re ce ive d, s o that que rie s for name s within the domain name are fe tche d fre s h from the inte rnal name s e rve rs re ache d via the VPN.
Whe n the VPN tunne l is te rminate d, the unbound cache is flus he d again to e ns ure any que rie s for the domain will re turn the public IP addre s s e s , and not the pre vious ly obtaine d
private IP addre s s e s . Se e Se ction 4.6.11, “Configuring DNSSEC Validation for Conne ction
Supplie d Domains ” .
Re d Hat re comme nds that both s tatic and trans ie nt name s match the fully-qualified domain
name (FQDN) us e d for the machine in DNS , s uch as host.example.com
.
The Inte rne t Corporation for As s igne d Name s and Numbe rs (ICANN) s ome time s adds pre vious ly unre gis te re d Top-Le ve l Domains (s uch as .yourcompany
) to the public re gis te r.
The re fore , Re d Hat s trongly re comme nds that you do not us e a domain name that is not de le gate d to you, e ve n on a private ne twork, as this can re s ult in a domain name that re s olve s diffe re ntly de pe nding on ne twork configuration. As a re s ult, ne twork re s ource s can be come unavailable . Us ing domain name s that are not de le gate d to you als o make s
DNSSEC more difficult to de ploy and maintain, as domain name collis ions re quire manual configuration to e nable DNSSEC validation. Se e the ICANN FAQ on domain name collis ion for more information on this is s ue .
A trus t anchor cons is ts of a DNS name and public ke y (or has h of the public ke y) as s ociate d with that name . It is e xpre s s e d as a bas e 64 e ncode d ke y. It is s imilar to a ce rtificate in that it is a me ans of e xchanging information, including a public ke y, which can be us e d to ve rify and authe nticate DNS re cords . Se e RFC 4033 for a more comple te de finition of a trus t anchor.
In orde r to validate DNS us ing DNSSEC locally on a machine , it is ne ce s s ary to ins tall the
DNS re s olve r unbound (or bind ). It is only ne ce s s ary to ins tall dnssec-t rigger on mobile de vice s . For s e rve rs , unbound s hould be s ufficie nt although a forwarding configuration for the local domain might be re quire d de pe nding on whe re the s e rve r is locate d (LAN or
Inte rne t). dnssec-t rigger will curre ntly only he lp with the global public DNS zone .
Net wo rkManager, dhclient , and VPN applications can ofte n gathe r the domain lis t (and name s e rve r lis t as we ll) automatically, but not dnssec-t rigger nor unbo und.
To ins tall unbound run the following command as the root us e r:
~]# yum install unbound
To de te rmine whe the r the unbound dae mon is running, e nte r the following command:
~]$ systemctl status unbound
unbound.service - Unbound recursive Domain Name Server
Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled)
Active: active (running) since Wed 2013-03-13 01:19:30 CET; 6h ago
105

Se curit y Guide
The systemctl status command will re port unbound as Active: inactive (dead) if the unbound s e rvice is not running.
To s tart the unbound dae mon for the curre nt s e s s ion, run the following command as the root us e r:
~]# systemctl start unbound
Run the systemctl enable command to e ns ure that unbound s tarts up e ve ry time the s ys te m boots :
~]# systemctl enable unbound
The unbound dae mon allows configuration of local data or ove rride s us ing the following dire ctorie s :
The /etc/unbound/conf.d
dire ctory is us e d to add configurations for a s pe cific domain name . This is us e d to re dire ct que rie s for a domain name to a s pe cific DNS s e rve r. This is ofte n us e d for s ub-domains that only e xis t within a corporate WAN.
The /etc/unbound/keys.d
dire ctory is us e d to add trus t anchors for a s pe cific domain name . This is re quire d whe n an inte rnal-only name is DNSSEC s igne d, but the re is no publicly e xis ting DS re cord to build a path of trus t. Anothe r us e cas e is whe n an inte rnal ve rs ion of a domain is s igne d us ing a diffe re nt DNSKEY than the publicly available name outs ide the corporate WAN.
The /etc/unbound/local.d
dire ctory is us e d to add s pe cific DNS data as a local ove rride . This can be us e d to build blacklis ts or cre ate manual ove rride s . This data will be re turne d to clie nts by unbound , but it will not be marke d as DNSSEC s igne d.
Net wo rkManager, as we ll as s ome VPN s oftware , may change the configuration dynamically. The s e configuration dire ctorie s contain comme nte d out e xample e ntrie s . For furthe r information s e e the unbound.conf(5) man page .
The dnssec-t rigger application runs as a dae mon, dnssec-triggerd . To ins tall dnssec-
t rigger run the following command as the root us e r:
~]# yum install dnssec-trigger
To de te rmine whe the r dnssec-triggerd is running, e nte r the following command:
~]$ systemctl status dnssec-triggerd systemctl status dnssec-triggerd.service
dnssec-triggerd.service - Reconfigure local DNS(SEC) resolver on network change
Loaded: loaded (/usr/lib/systemd/system/dnssec-triggerd.service; enabled)
Active: active (running) since Wed 2013-03-13 06:10:44 CET; 1h 41min ago
106

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
The systemctl status command will re port dnssec-triggerd as Active: inactive
(dead) if the dnssec-triggerd dae mon is not running. To s tart it for the curre nt s e s s ion run the following command as the root us e r:
~]# systemctl start dnssec-triggerd
Run the systemctl enable command to e ns ure that dnssec-triggerd s tarts up e ve ry time the s ys te m boots :
~]# systemctl enable dnssec-triggerd
The dnssec-t rigger application has a GNOME pane l utility for dis playing DNSSEC probe re s ults and for pe rforming DNSSEC probe re que s ts on de mand. To s tart the utility, pre s s the Super ke y to e nte r the Activitie s Ove rvie w, type DNSSEC and the n pre s s Enter . An icon re s e mbling a s hips anchor is adde d to the me s s age tray at the bottom of the s cre e n.
Pre s s the round blue notification icon in the bottom right of the s cre e n to re ve al it. Right click the anchor icon to dis play a pop-up me nu.
In normal ope rations unbo und is us e d locally as the name s e rve r, and resolv.conf
points to 127.0.0.1
. Whe n you click OK on the Hotspot Sign-On pane l this is change d.
The DNS s e rve rs are que rie d from Net wo rkManager and put in resolv.conf
. Now you can authe nticate on the Hots pot's s ign-on page . The anchor icon s hows a big re d e xclamation mark to warn you that DNS que rie s are be ing made ins e cure ly. Whe n authe nticate d, dnssec-t rigger s hould automatically de te ct this and s witch back to s e cure mode , although in s ome cas e s it cannot and the us e r has to do this manually by s e le cting
Reprobe .
Dnssec-t rigger doe s not normally re quire any us e r inte raction. Once s tarte d, it works in the background and if a proble m is e ncounte re d it notifie s the us e r by me ans of a pop-up te xt box. It als o informs unbound about change s to the resolv.conf
file .
To s e e whe the r DNSSEC is working, one can us e various command line tools . The be s t tool to us e is the dig command from the bind-utils package . Othe r tools that are us e ful are
drill from the ldns package and unbo und-ho st from the unbound package . The old DNS utilitie s nslo o kup and ho st are obs ole te and s hould not be us e d.
To s e nd a que ry re que s ting DNSSEC data us ing dig, the option +dnssec is adde d to the command, for e xample :
~]$ dig +dnssec whitehouse.gov
; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-4.P2.el7 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21388
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
107

Se curit y Guide
;whitehouse.gov. IN A
;; ANSWER SECTION: whitehouse.gov. 20 IN A 72.246.36.110
whitehouse.gov. 20 IN RRSIG A 7 2 20 20130825124016 20130822114016 8399 whitehouse.gov. BB8VHWEkIaKpaLprt3hq1GkjDROvkmjYTBxiGhuki/BJn3PoIGyrftxR
HH0377I0Lsybj/uZv5hL4UwWd/lw6Gn8GPikqhztAkgMxddMQ2IARP6p wbMOKbSUuV6NGUT1WWwpbi+LelFMqQcAq3Se66iyH0Jem7HtgPEUE1Zc 3oI=
;; Query time: 227 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:01:52 EDT 2013
;; MSG SIZE rcvd: 233
In addition to the A re cord, an RRSIG re cord is re turne d which contains the DNSSEC s ignature , as we ll as the ince ption time and e xpiration time of the s ignature . The unbound s e rve r indicate d that the data was DNSSEC authe nticate d by re turning the ad bit in the flags: s e ction at the top.
If DNSSEC validation fails , the dig command would re turn a SERVFAIL e rror:
~]$ dig badsign-a.test.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> badsigna.test.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN A
;; Query time: 1284 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:04:52 EDT 2013
;; MSG SIZE rcvd: 60]
To re que s t more information about the failure , DNSSEC che cking can be dis able d by s pe cifying the +cd option to the dig command:
~]$ dig +cd +dnssec badsign-a.test.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> +cd +dnssec badsign-a.test.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26065
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN A
;; ANSWER SECTION:
108

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s badsign-a.test.dnssec-tools.org. 49 IN A 75.119.216.33
badsign-a.test.dnssec-tools.org. 49 IN RRSIG A 5 4 86400 20130919183720
20130820173720 19442 test.dnssec-tools.org.
E572dLKMvYB4cgTRyAHIKKEvdOP7tockQb7hXFNZKVbfXbZJOIDREJrr zCgAfJ2hykfY0yJHAlnuQvM0s6xOnNBSvc2xLIybJdfTaN6kSR0YFdYZ n2NpPctn2kUBn5UR1BJRin3Gqy20LZlZx2KD7cZBtieMsU/IunyhCSc0 kYw=
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:06:31 EDT 2013
;; MSG SIZE rcvd: 257
Ofte n, DNSSEC mis take s manife s t the ms e lve s by bad ince ption or e xpiration time , although in this e xample , the pe ople at www.dns s e c-tools .org
have mangle d this RRSIG s ignature on purpos e , which we would not be able to de te ct by looking at this output manually. The e rror will s how in the output of systemctl status unbound and the unbound dae mon logs the s e e rrors to syslo g as follows :
Aug 22 22:04:52 laptop unbound: [3065:0] info: validation failure badsign-a.test.dnssec-tools.org. A IN
An e xample us ing unbound-host :
~]$ unbound-host -C /etc/unbound/unbound.conf -v whitehouse.gov whitehouse.gov has address 184.25.196.110 (secure) whitehouse.gov has IPv6 address 2600:1417:11:2:8800::fc4 (secure) whitehouse.gov has IPv6 address 2600:1417:11:2:8000::fc4 (secure) whitehouse.gov mail is handled by 105 mail1.eop.gov. (secure) whitehouse.gov mail is handled by 110 mail5.eop.gov. (secure) whitehouse.gov mail is handled by 105 mail4.eop.gov. (secure) whitehouse.gov mail is handled by 110 mail6.eop.gov. (secure) whitehouse.gov mail is handled by 105 mail2.eop.gov. (secure) whitehouse.gov mail is handled by 105 mail3.eop.gov. (secure)
Whe n conne cting to a ne twork, dnssec-t rigger atte mpts to de te ct a Hots pot. A Hots pot is ge ne rally a de vice that force s us e r inte raction with a we b page be fore the y can us e the ne twork re s ource s . The de te ction is done by atte mpting to download a s pe cific fixe d we b page with known conte nt. If the re is a Hots pot, the n the conte nt re ce ive d will not be as e xpe cte d.
To s e t up a fixe d we b page with known conte nt that can be us e d by dnssec-t rigger to de te ct a Hots pot, proce e d as follows :
1. Se t up a we b s e rve r on s ome machine that is publicly re achable on the Inte rne t.
Se e the We b Se rve rs chapte r in the Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide . .
2. Once you have the s e rve r running, publis h a s tatic page with known conte nt on it.
The page doe s not ne e d to be a valid HTML page . For e xample , you could us e a plain-te xt file name d hotspot.txt
that contains only the s tring OK . As s uming your s e rve r is locate d at example.com
and you publis he d your hotspot.txt
file in the
109

Se curit y Guide we b s e rve r document_root/static/ s ub-dire ctory, the n the addre s s to your s tatic we b page would be example.com/static/hotspot.txt
. Se e the DocumentRoot dire ctive in the We b Se rve rs chapte r in the Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide .
3. Add the following line to the /etc/dnssec-trigger/dnssec-trigger.conf
file : url: "http://example.com/static/hotspot.txt OK"
This command adds a URL that is probe d via HTTP (port 80). The firs t part is the URL that will be re s olve d and the page that will be downloade d. The s e cond part of the command is the te xt s tring that the downloade d we bpage is e xpe cte d to contain.
For more information on the configuration options s e e the man page dnssectrigger.conf(8) .
By de fault, forward zone s with prope r name s e rve rs are automatically adde d into unbound by dnssec-t rigger for e ve ry domain provide d by any conne ction, e xce pt Wi-Fi conne ctions through Net wo rkManager. By de fault, all forward zone s adde d into unbound are DNSSEC validate d.
The de fault be havior for validating forward zone s can be alte re d, s o that all forward zone s will no t be DNSSEC validate d by de fault. To do this , change the validate_connection_provided_zones variable in the dnssec-t rigger configuration file
/etc/dnssec.conf
. As root us e r, ope n and e dit the line as follows : validate_connection_provided_zones=no
The change is not done for any e xis ting forward zone s , but only for future forward zone s .
The re fore if you want to dis able DNSSEC for the curre nt provide d domain, you ne e d to re conne ct.
Adding forward zone s for Wi-Fi provide d zone s can be e nable d. To do this , change the add_wifi_provided_zones variable in the dnssec-t rigger configuration file ,
/etc/dnssec.conf
. As root us e r, ope n and e dit the line as follows : add_wifi_provided_zones=yes
The change is not done for any e xis ting forward zone s , but only for future forward zone s .
The re fore , if you want to e nable DNSSEC for the curre nt Wi-Fi provide d domain, you ne e d to re conne ct (re s tart) the Wi-Fi conne ction.
110

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Warning
Turning o n the addition of Wi-Fi provide d domains as forward zone s into unbound may have s e curity implications s uch as :
1. A Wi-Fi acce s s point can inte ntionally provide you a domain via DHCP for which it doe s not have authority and route all your DNS que rie s to its DNS s e rve rs .
2. If you have the DNSSEC validation of forward zone s turne d o f f , the Wi-Fi provide d DNS s e rve rs can s poof the IP addre s s for domain name s from the provide d domain without you knowing it.
The following are re s ource s which e xplain more about DNSSEC.
dnssec-trigger(8) man page — De s cribe s command options for dnssec-triggerd ,
dnssec-t rigger-co nt ro l and dnssec-t rigger-panel.
dnssec-trigger.conf(8) man page — De s cribe s the configuration options for dnssec-triggerd .
unbound(8) man page — De s cribe s the command options for unbound , the DNS validating re s olve r.
unbound.conf(5) man page — Contains information on how to configure unbound .
resolv.conf(5) man page — Contains information that is re ad by the re s olve r routine s .
ht t p://t o o ls.iet f .o rg/ht ml/rf c40 33
RFC 4033 DNS Se curity Introduction and Re quire me nts .
ht t p://www.dnssec.net /
A we bs ite with links to many DNSSEC re s ource s .
ht t p://www.dnssec-deplo yment .o rg/
The DNSSEC De ployme nt Initiative , s pons ore d by the De partme nt for Home land
Se curity, contains a lot of DNSSEC information and has a mailing lis t to dis cus s
DNSSEC de ployme nt is s ue s .
ht t p://www.int ernet so ciet y.o rg/deplo y360 /dnssec/co mmunit y/
The Inte rne t Socie ty's “De ploy 360” initiative to s timulate and coordinate DNSSEC de ployme nt is a good re s ource for finding communitie s and DNSSEC activitie s worldwide .
ht t p://www.unbo und.net /
111

Se curit y Guide
This docume nt contains ge ne ral information about the unbound DNS s e rvice .
ht t p://www.nlnet labs.nl/pro ject s/dnssec-t rigger/
This docume nt contains ge ne ral information about dnssec-t rigger.
In Re d Hat Ente rpris e Linux 7, a Virtual Private Network (VPN) can be configure d us ing the
IPsec tunne ling protocol which is s upporte d by the Libreswan application. Libreswan is a fork of the Openswan application and e xample s in docume ntation s hould be inte rchange able . The Net wo rkManager IPsec plug-in is calle d NetworkManager-
libreswan. Us e rs of GNOME She ll s hould ins tall the NetworkManager-libreswan-gnome package , which has NetworkManager-libreswan as a de pe nde ncy. Note that the
NetworkManager-libreswan-gnome package is only available from the Optional channe l. Se e
Enabling Supple me ntary and Optional Re pos itorie s .
Libreswan is an ope n s ource , us e r s pace IPsec imple me ntation available in Re d Hat
Ente rpris e Linux 7. It us e s the Internet key exchange (IKE) protocol. IKE ve rs ion 1 and 2 are imple me nte d as a us e r-le ve l dae mon. Manual ke y e s tablis hme nt is als o pos s ible via ip xfrm commands , howe ve r this is not re comme nde d. Libreswan inte rface s with the
Linux ke rne l us ing ne tlink to trans fe r the e ncryption ke ys . Packe t e ncryption and de cryption happe n in the Linux ke rne l.
Libreswan us e s the network security services (NSS) cryptographic library, which is re quire d for Federal Information Processing Standard (FIPS) s e curity compliance .
Important
IPsec , imple me nte d by Libreswan, is the only VPN te chnology re comme nd for us e in Re d Hat Ente rpris e Linux 7. Do not us e any othe r VPN te chnology without unde rs tanding the ris ks of doing s o.
To ins tall Libreswan, is s ue the following command as root :
~]# yum install libreswan
To che ck that Libreswan is ins talle d, is s ue the following command:
~]$ yum info libreswan
Afte r a ne w ins tallation of Libreswan the NSS databas e s hould be initialize d as part of the ins tall proce s s . Howe ve r, s hould you ne e d to s tart a ne w databas e , firs t re move the old databas e as follows :
~]# rm /etc/ipsec.d/*db
The n, to initialize a ne w NSS databas e , is s ue the following command as root :
112

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]# ipsec initnss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
If you do not want to us e a pas s word for NSS, jus t pre s s Enter twice whe n prompte d for the pas s word. If you do e nte r a pas s word the n you will have to re -e nte r it e ve ry time
Libreswan is s tarte d, s uch as e ve ry time the s ys te m is boote d.
To s tart the ipsec dae mon provide d by Libreswan, is s ue the following command as root :
~]# systemctl start ipsec
To confirm that the dae mon is now running:
~]$ systemctl status ipsec ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Wed 2013-08-21 12:14:12 CEST; 18s ago
To e ns ure that Libreswan will s tart whe n the s ys te m s tarts , is s ue the following command as root :
~]# systemctl enable ipsec
Configure any inte rme diate as we ll as hos t-bas e d fire walls to pe rmit the ipsec s e rvice .
Se e
Se ction 4.5, “Us ing Fire walls ”
for information on fire walls and allowing s pe cific s e rvice s to pas s through. Libreswan re quire s the fire wall to allow the following packe ts :
UDP port 500 for the Internet Key Exchange (IKE) protocol
UDP port 4500 for IKE NAT-Traversal
Protocol 50 for Encapsulated Security Payload (ESP) IPsec packe ts
Protocol 51 for Authenticated Header (AH) IPsec packe ts (uncommon)
We pre s e nt thre e e xample s of us ing Libreswan to s e t up an IPsec VPN. The firs t e xample is for conne cting two hos ts toge the r s o that the y may communicate s e cure ly.
The s e cond e xample is conne cting two s ite s toge the r to form one ne twork. The third e xample is s upporting roaming us e rs , known as road warriors in this conte xt.
Libreswan doe s not us e the te rms “s ource ” or “de s tination”. Ins te ad, it us e s the te rms
“le ft” and “right” to re fe r to e nd points (the hos ts ). This allows the s ame configuration to be us e d on both e nd points in mos t cas e s , although mos t adminis trators us e “le ft” for the local hos t and “right” for the re mote hos t.
The re are thre e commonly us e d me thods for authe ntication of e ndpoints :
Pre-Shared Keys (PSK) is the s imple s t authe ntication me thod. PSK's s hould cons is t of random characte rs and have a le ngth of at le as t 20 characte rs . Due to the dange rs of non-random and s hort PSKs , this me thod is not available whe n the s ys te m is running in
FIPS mode .
113

Se curit y Guide
Raw RSA ke ys are commonly us e d for s tatic hos t-to-hos t or s ubne t-to-s ubne t IPsec configurations . The hos ts are manually configure d with e ach othe r's public RSA ke y.
This me thod doe s not s cale we ll whe n doze ns or more hos ts all ne e d to s e tup IPsec tunne ls to e ach othe r.
X.509 ce rtificate s are commonly us e d for large s cale de ployme nts whe re the re are many hos ts that ne e d to conne ct to a common IPsec gate way. A ce ntral certificate
authority (CA) is us e d to s ign RSA ce rtificate s for hos ts or us e rs . This ce ntral CA is re s pons ible for re laying trus t, including the re vocations of individual hos ts or us e rs .
To configure Libreswan to cre ate a hos t-to-hos t IPsec VPN, be twe e n two hos ts re fe rre d to as “le ft” and “right”, e nte r the following commands as root on both of the hos ts (“le ft” and “right”) to cre ate ne w raw RSA ke y pairs :
~]# ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/www.example.com.secrets
Generated RSA key pair using the NSS database
This ge ne rate s an RSA ke y pair for the hos t. The proce s s of ge ne rating RSA ke ys can take many minute s , e s pe cially on virtual machine s with low e ntropy.
To vie w the public ke y, is s ue the following command as root on e ithe r of the hos ts . For e xample , to vie w the public ke y on the “le ft” hos t, run:
~]# ipsec showhostkey --left ipsec showhostkey loading secrets from "/etc/ipsec.secrets" ipsec showhostkey loading secrets from
"/etc/ipsec.d/www.example.com.secrets" ipsec showhostkey loaded private key for keyid: PPK_RSA:AQOjAKLlL
# rsakey AQOjAKLlL
leftrsasigkey=0sAQOjAKLlL4a7YBv [...]
You will ne e d this ke y to add to the configuration file as e xplaine d be low.
The s e cre t part is s tore d in /etc/ipsec.d/*.db
file s , als o calle d the “NSS databas e ”.
To make a configuration file for this hos t-to-hos t tunne l, the line s leftrsasigkey= and rightrsasigkey= from above , are adde d to a cus tom configuration file place d in the
/etc/ipsec.d/ dire ctory. To e nable Libreswan to re ad the cus tom configurations file s , us e an e ditor running as root to e dit the main configuration file , /etc/ipsec.conf
, and e nable the following line by re moving the # comme nt characte r s o that it looks as follows : include /etc/ipsec.d/*.conf
Us ing an e ditor running as root , cre ate a file with a s uitable name in the following format:
/etc/ipsec.d/my_host-to-host.conf
Edit the file as follows : conn mytunnel
leftid=@west.example.com
left=192.1.2.23
114

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
W2n417C/4urYHQkCvuIQ==
rightid=@east.example.com
right=192.1.2.45
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
# load and initiate automatically
auto=start
You can us e the ide ntical configuration file on both le ft and right hos ts . The y will autode te ct if the y are “le ft” or “right”. If one of the hos ts is a mobile hos t, which implie s the IP addre s s is not known in advance , the n on the mobile hos t us e %defaultroute as its IP addre s s . This will pick up the dynamic IP addre s s automatically. On the s tatic hos t that acce pts conne ctions from incoming mobile hos ts , s pe cify the mobile hos t us ing %any for its IP addre s s .
Ens ure the leftrsasigkey value is obtaine d from the “le ft” hos t and the rightrsasigkey value is obtaine d from the “right” hos t.
Re s tart ipsec to e ns ure it re ads the ne w configuration:
~]# systemctl restart ipsec
Is s ue the following command as root to load the IPsec tunne l:
~]# ipsec auto --add mytunnel
To bring up the tunne l, is s ue the following command as root , on the le ft or the right s ide :
~]# ipsec auto --up mytunnel
The IKE ne gotiation take s place on UDP port 500. IPsec packe ts s how up as
Encapsulated Security Payload (ESP) packe ts . Whe n the VPN conne ction ne e ds to pas s through a NAT route r, the ESP packe ts are e ncaps ulate d in UDP packe ts on port 4500.
To ve rify that packe ts are be ing s e nt via the VPN tunne l, is s ue a command as root in the following format:
~]# tcpdump -n -i interface esp or udp port 500 or udp port 4500
00:32:32.632165 IP 192.1.2.45 > 192.1.2.23:
ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45:
ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23:
ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45:
ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 8, length 64
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23:
ESP(spi=0x63ad7e17,seq=0x1c), length 132
115

Se curit y Guide
00:32:34.632607 IP 192.1.2.23 > 192.1.2.45:
ESP(spi=0x4841b647,seq=0x1c), length 132
00:32:34.632607 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 9, length 64
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23:
ESP(spi=0x63ad7e17,seq=0x1d), length 132
00:32:35.632685 IP 192.1.2.23 > 192.1.2.45:
ESP(spi=0x4841b647,seq=0x1d), length 132
00:32:35.632685 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 10, length 64
Whe re interface is the inte rface known to carry the traffic. To e nd the capture with
t cpdump, pre s s Ctrl + C .
Note
The t cpdump commands inte racts a little une xpe cte dly with IPsec . It only s e e s the outgoing e ncrypte d packe t, not the outgoing plainte xt packe t. It doe s s e e the e ncrypte d incoming packe t, as we ll as the de crypte d incoming packe t. If pos s ible , run t cpdump on a route r be twe e n the two machine s and not on one of the e ndpoints its e lf.
In orde r for Libreswan to cre ate a s ite -to-s ite IPsec VPN, joining toge the r two ne tworks , an IPsec tunne l is cre ate d be twe e n two hos ts , e ndpoints , which are configure d to pe rmit traffic from one or more s ubne ts to pas s through. The y can the re fore be thought of as gate ways to the re mote portion of the ne twork. The configuration of the s ite -to-s ite VPN only diffe rs from the hos t-to-hos t VPN in that one or more ne tworks or s ubne ts mus t be s pe cifie d in the configuration file .
To configure Libreswan to cre ate a s ite -to-s ite IPsec VPN, firs t configure a hos t-to-hos t
IPsec VPN as de s cribe d in
Se ction 4.7.3, “Hos t-To-Hos t VPN Us ing Libre s wan”
and the n copy or move the file to a file with a s uitable name , s uch as /etc/ipsec.d/my_site-tosite.conf
. Us ing an e ditor running as root , e dit the cus tom configuration file
/etc/ipsec.d/my_site-to-site.conf
as follows : conn mysubnet
also=mytunnel
leftsubnet=192.0.1.0/24
rightsubnet=192.0.2.0/24 conn mysubnet6
also=mytunnel
connaddrfamily=ipv6
leftsubnet=2001:db8:0:1::/64
rightsubnet=2001:db8:0:2::/64 conn mytunnel
auto=start
leftid=@west.example.com
left=192.1.2.23
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
116

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
W2n417C/4urYHQkCvuIQ==
rightid=@east.example.com
right=192.1.2.45
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
To bring the tunne ls up, re s tart Libreswan or manually load and initiate all the conne ctions us ing the following commands as root :
~]# ipsec auto --add mysubnet
~]# ipsec auto --add mysubnet6
~]# ipsec auto --add mytunnel
~]# ipsec auto --up mysubnet
104 "mysubnet" #1: STATE_MAIN_I1: initiate
003 "mysubnet" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mysubnet" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mysubnet" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mysubnet" #1: received Vendor ID payload [CAN-IKEv2]
004 "mysubnet" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9414a615 <0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
~]# ipsec auto --up mysubnet6
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x06fe2099 <0x75eaa862 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
~]# ipsec auto --up mytunnel
104 "mytunnel" #1: STATE_MAIN_I1: initiate
003 "mytunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #1: received Vendor ID payload [CAN-IKEv2]
004 "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mytunnel" #2: STATE_QUICK_I1: initiate
004 "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9414a615 >0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
117

Se curit y Guide
Ve rifying that packe ts are be ing s e nt via the VPN tunne l is the s ame proce dure as e xplaine d in
Se ction 4.7.3.1, “Ve rify Hos t-To-Hos t VPN Us ing Libre s wan”
.
Ofte n, whe n a s ite -to-s ite tunne l is built, the gate ways ne e d to communicate with e ach othe r us ing the ir inte rnal IP addre s s e s ins te ad of the ir public IP addre s s e s . This can be accomplis he d us ing a s ingle tunne l. If the le ft hos t, with hos t name west , has inte rnal IP addre s s 192.0.1.254
and the right hos t, with hos t name east , has inte rnal IP addre s s
192.0.2.254
, the following configuration us ing a s ingle tunne l can be us e d: conn mysubnet
leftid=@west.example.com
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
W2n417C/4urYHQkCvuIQ==
left=192.1.2.23
leftsourceip=192.0.1.254
leftsubnet=192.0.1.0/24
rightid=@east.example.com
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
right=192.1.2.45
rightsourceip=192.0.2.254
rightsubnet=192.0.2.0/24
auto=start
authby=rsasig
IPsec is ofte n de ploye d in a hub-and-s poke archite cture . Each le af node has an IP range that is part of a large r range . Le ave s communicate with e ach othe r via the hub. This is calle d subnet extrusion. In the e xample be low, we configure the he ad office with
10.0.0.0/8 and two branche s that us e a s malle r /24 s ubne t.
At the he ad office : conn branch1
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
right=5.6.7.8
rightid=@branch1
righsubnet=10.0.1.0/24
rightrsasigkey=0sAXXXX[...]
#
auto=start
authby=rsasigkey conn branch2
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
118

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
right=10.11.12.13
rightid=@branch2
righsubnet=10.0.2.0/24
rightrsasigkey=0sAYYYY[...]
#
auto=start
authby=rsasigkey
At the “branch1” office , we us e the s ame conne ction. Additionally, we us e a pas s -through conne ction to e xclude our local LAN traffic from be ing s e nt through the tunne l: conn branch1
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
right=10.11.12.13
rightid=@branch2
righsubnet=10.0.1.0/24
rightrsasigkey=0sAYYYY[...]
#
auto=start
authby=rsasigkey conn passthrough
left=1.2.3.4
right=0.0.0.0
leftsubnet=10.0.1.0/24
rightsubnet=10.0.1.0/24
authby=never
type=passthrough
auto=route
Road Warriors are trave ling us e rs with mobile clie nts with a dynamically as s igne d IP addre s s , s uch as laptops . The s e are authe nticate d us ing ce rtificate s .
On the s e rve r: conn roadwarriors
left=1.2.3.4
# if access to the LAN is given, enable this
#leftsubnet=10.10.0.0/16
leftcert=gw.example.com
leftid=%fromcert
right=%any
# trust our own Certificate Agency
rightca=%same
# allow clients to be behind a NAT router
rightsubnet=vhost:%priv,%no
authby=rsasigkey
# load connection, don't initiate
auto=add
119

Se curit y Guide
# kill vanished roadwarriors
dpddelay=30
dpdtimeout=120
dpdaction=%clear
On the mobile clie nt, the Road Warrior's de vice , we ne e d to us e a s light variation of the above configuration: conn roadwarriors
# pick up our dynamic IP
left=%defaultroute
leftcert=myname.example.com
leftid=%fromcert
# right can also be a DNS hostname
right=1.2.3.4
# if access to the remote LAN is required, enable this
#rightsubnet=10.10.0.0/16
# trust our own Certificate Agency
rightca=%same
authby=rsasigkey
# Initiate connection
auto=start
Libreswan offe rs a me thod to native ly as s ign IP addre s s and DNS information to roaming
VPN clie nts as the conne ction is e s tablis he d by us ing the XAUTH IPsec e xte ns ion. XAUTH can be de ploye d us ing PSK or X.509 ce rtificate s . De ploying us ing X.509 is more s e cure .
Clie nt ce rtificate s can be re voke d by a ce rtificate re vocation lis t or by Online Certificate
Status Protocol (OCSP). With X.509 ce rtificate s , individual clie nts cannot impe rs onate the s e rve r. With a PSK, als o calle d Group Pas s word, this is the ore tically pos s ible .
XAUTH re quire s the VPN clie nt to additionally ide ntify its e lf with a us e r name and pas s word. For One time Pas s words (OTP), s uch as Google Authe nticator or RSA Se cure ID toke ns , the one -time toke n is appe nde d to the us e r pas s word.
The re are thre e pos s ible backe nds for XAUTH: xauthby=pam
This us e s the configuration in /etc/pam.d/pluto to authe nticate the us e r. Pam can be configure d to us e various backe nds by its e lf. It can us e the s ys te m account us e r-pas s word s che me , an LDAP dire ctory, a RADIUS s e rve r or a cus tom pas s word authe ntication module .
xauthby=file
This us e s the configuration file /etc/ipsec.d/passwd (not to be confus e d with
/etc/ipsec.d/nsspassword ). The format of this file is s imilar to the Apache
.htpasswd
file and the Apache htpasswd command can be us e d to cre ate e ntrie s in this file . Howe ve r, afte r the us e r name and pas s word, a third column is re quire d with the conne ction name of the IPsec conne ction us e d, for e xample whe n us ing a conn remoteusers to offe r VPN to re move us e rs , a pas s word file e ntry s hould look as follows : user1:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.:remoteusers
120

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
NOTE: whe n us ing the htpasswd command, the conne ction name has to be manually adde d afte r the user:password part on e ach line .
xauthby=alwaysok
The s e rve r will always pre te nd the XAUTH us e r and pas s word combination was corre ct. The clie nt s till has to s pe cify a us e r name and a pas s word, although the s e rve r ignore s the s e . This s hould only be us e d whe n us e rs are alre ady ide ntifie d by X.509 ce rtificate s , or whe n te s ting the VPN without ne e ding an
XAUTH backe nd.
An e xample configuration with X.509 ce rtificate s : conn xauth-rsa
auto=add
authby=rsasig
pfs=no
rekey=no
left=ServerIP
leftcert=vpn.example.com
#leftid=%fromcert
leftid=vpn.example.com
leftsendcert=always
leftsubnet=0.0.0.0/0
rightaddresspool=10.234.123.2-10.234.123.254
right=%any
rightrsasigkey=%cert
modecfgdns1=1.2.3.4
modecfgdns2=8.8.8.8
modecfgdomain=example.com
modecfgbanner="Authorized Access is allowed"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=pam
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike_frag=yes
# for walled-garden on xauth failure
# xauthfail=soft
#leftupdown=/custom/_updown
Whe n xauthfail is s e t to s oft, ins te ad of hard, authe ntication failure s are ignore d, and the VPN is s e tup as if the us e r authe nticate d prope rly. A cus tom updown s cript can be us e d to che ck for the e nvironme nt variable XAUTH_FAILED . Such us e rs can the n be re dire cte d, for e xample , us ing ipt ables DNAT, to a “walle d garde n” whe re the y can contact the adminis trator or re ne w a paid s ubs cription to the s e rvice .
VPN clie nts us e the modecfgdomain value and the DNS e ntrie s to re dire ct que rie s for the s pe cifie d domain to the s e s pe cifie d name s e rve rs . This allows roaming us e rs to acce s s inte rnal-only re s ource s us ing the inte rnal DNS name s .
121

Se curit y Guide
If leftsubnet is not 0.0.0.0/0 , s plit tunne ling configuration re que s ts are s e nt automatically to the clie nt. For e xample , whe n us ing leftsubnet=10.0.0.0/8 , the VPN clie nt would only s e nd traffic for 10.0.0.0/8 through the VPN.
The following s ource s of information provide additional re s ource s re garding Libreswan and the ipsec dae mon.
ipsec(8) man page — De s cribe s command options for ipsec .
ipsec.conf(5) man page — Contains information on configuring ipsec .
ipsec.secrets(5) man page — De s cribe s the format of the ipsec.secrets
file .
ipsec_auto(8) man page — De s cribe s the us e of the aut o command line clie nt for manipulating Libreswan IPsec conne ctions e s tablis he d us ing automatic e xchange s of ke ys .
ipsec_rsasigkey(8) man page — De s cribe s the tool us e d to ge ne rate RSA s ignature ke ys .
/usr/share/doc/libreswan-version/README.nss
— De s cribe s the commands for us ing raw RSA ke ys and ce rtificate s with the NSS crypto library us e d with the
Libreswan pluto dae mon.
ht t ps://libreswan.o rg
The we bs ite of the ups tre am proje ct.
ht t p://www.mo zilla.o rg/pro ject s/securit y/pki/nss/
Ne twork Se curity Se rvice s (NSS) proje ct.
OpenSSL is a library that provide s cryptographic protocols to applications . The o penssl command line utility e nable s us ing the cryptographic functions from the s he ll. It include s an inte ractive mode .
The o penssl command line utility has a numbe r of ps e udo-commands to provide information on the commands that the ve rs ion of o penssl ins talle d on the s ys te m s upports . The ps e udo-commands list-standard-commands , list-message-digestcommands , and list-cipher-commands output a lis t of all s tandard commands , me s s age dige s t commands , or ciphe r commands , re s pe ctive ly, that are available in the pre s e nt
o penssl utility.
The ps e udo-commands list-cipher-algorithms and list-message-digestalgorithms lis t all ciphe r and me s s age dige s t name s . The ps e udo-command listpublic-key-algorithms lis ts all s upporte d public ke y algorithms . For e xample , to lis t the s upporte d public ke y algorithms , is s ue the following command:
122

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]$ openssl list-public-key-algorithms
The ps e udo-command no-command-name te s ts whe the r a command-name of the s pe cifie d name is available . Inte nde d for us e in s he ll s cripts . Se e man ope ns s l(1) for more information.
With OpenSSL, public ke ys are de rive d from the corre s ponding private ke y. The re fore the firs t s te p, once having de cide d on the algorithm, is to ge ne rate the private ke y. In the s e e xample s the private ke y is re fe rre d to as privkey.pem. For e xample , to cre ate an RSA private ke y us ing de fault parame te rs , is s ue the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem
The RSA algorithm s upports the following options : rsa_keygen_bits:numbits — The numbe r of bits in the ge ne rate d ke y. If not s pe cifie d
1024 is us e d.
rsa_keygen_pubexp:value — The RSA public e xpone nt value . This can be a large de cimal value , or a he xade cimal value if pre ce de d by 0x . The de fault value is 65537 .
For e xample , to cre ate a 2048 bit RSA private ke y us ing 3 as the public e xpone nt, is s ue the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem -pkeyopt rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:3
To e ncrypt the private ke y as it is output us ing 128 bit AES and the pas s phras e “he llo”, is s ue the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem -aes-128-cbc -pass pass:hello
Se e man ge npke y(1) for more information on ge ne rating private ke ys .
To ge ne rate a ce rtificate us ing OpenSSL, it is ne ce s s ary to have a private ke y available .
In the s e e xample s the private ke y is re fe rre d to as privkey.pem. If you have not ye t ge ne rate d a private ke y, s e e
Se ction 4.8.1, “Cre ating and Managing Encryption Ke ys ”
To have a ce rtificate s igne d by a certificate authority (CA), it is ne ce s s ary to ge ne rate a ce rtificate and the n s e nd it to a CA for s igning. This is re fe rre d to as a ce rtificate s igning re que s t. Se e
Se ction 4.8.2.1, “Cre ating a Ce rtificate Signing Re que s t” for more information.
The alte rnative is to cre ate a s e lf-s igne d ce rtificate . Se e Se ction 4.8.2.2, “Cre ating a Se lfs igne d Ce rtificate ” for more information.
To cre ate a ce rtificate for s ubmis s ion to a CA, is s ue a command in the following format:
~]$ openssl req -new -key privkey.pem -out cert.csr
123

Se curit y Guide
This will cre ate an X.509 ce rtificate calle d cert.csr
e ncode d in the de fault privacy-
enhanced electronic mail (PEM) format. The name PEM is de rive d from “Privacy
Enhance me nt for Inte rne t Ele ctronic Mail” de s cribe d in RFC 1424 . To ge ne rate a ce rtificate file in the alte rnative DER format, us e the -outform DER command option.
Afte r is s uing the above command, you will be prompte d for information about you and the organization in orde r to cre ate a distinguished name (DN) for the ce rtificate . You will ne e d the following information:
The two le tte r country code for your country
The full name of your s tate or province
City or Town
The name of your organization
The name of the unit within your organization
Your name or the hos t name of the s ys te m
Your e mail addre s s
The re q(1) man page de s cribe s the PKCS# 10 ce rtificate re que s t and ge ne rating utility.
De fault s e ttings us e d in the ce rtificate cre ating proce s s are containe d within the
/etc/pki/tls/openssl.cnf
file . Se e man openssl.cnf(5) for more information.
To ge ne rate a s e lf-s igne d ce rtificate , valid for 366 days , is s ue a command in the following format:
~]$ openssl req -new -x509 -key privkey.pem -out selfcert.pem -days 366
The /etc/pki/tls/certs dire ctory contains a Makefile which can be us e d to cre ate ce rtificate s us ing the make command. To vie w the us age ins tructions , is s ue a command as follows :
~]$ make -f /etc/pki/tls/certs/Makefile
Alte rnative ly, change to the dire ctory and is s ue the make command as follows :
~]$ cd /etc/pki/tls/certs/
~]$ make
Se e the make (1) man page for more information.
A ce rtificate s igne d by a CA is re fe rre d to as a trus te d ce rtificate . A s e lf-s igne d ce rtificate is the re fore an untrus te d ce rtificate . The ve rify utility us e s the s ame SSL and S/MIME functions to ve rify a ce rtificate as is us e d by OpenSSL in normal ope ration. If an e rror is found it is re porte d and the n an atte mpt is made to continue te s ting in orde r to re port any
124

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s othe r e rrors .
To ve rify multiple individual X.509 ce rtificate s in PEM format, is s ue a command in the following format:
~]$ openssl verify cert1.pem cert2.pem
To ve rify a ce rtificate chain the le af ce rtificate mus t be in cert.pem
and the inte rme diate ce rtificate s which you do not trus t mus t be dire ctly concate nate d in untrusted.pem
. The trus te d root CA ce rtificate mus t be e ithe r among the de fault CA lis te d in
/etc/pki/tls/certs/ca-bundle.crt
or in a cacert.pem
file . The n, to ve rify the chain, is s ue a command in the following format:
~]$ openssl verify -untrusted untrusted.pem -CAfile cacert.pem cert.pem
Se e man ve rify(1) for more information.
Important
Ve rification of s ignature s us ing the MD5 has h algorithm is dis able d in Re d Hat
Ente rpris e Linux 7 due to ins ufficie nt s tre ngth of this algorithm. Always us e s trong algorithms s uch as SHA256.
For e ncrypting (and de crypting) file s with OpenSSL, e ithe r the pkeyutl or enc built-in commands can be us e d. With pkeyutl , RSA ke ys are us e d to pe rform the e ncrypting and de crypting, whe re as with enc , s ymme tric algorithms are us e d.
To e ncrypt a file calle d plaintext , is s ue a command as follows :
~]$ openssl pkeyutl -in plaintext -out cyphertext -inkey privkey.pem
The de fault format for ke ys and ce rtificate s is PEM. If re quire d, us e the -keyform DER option to s pe cify the DER ke y format.
To s pe cify a cryptographic e ngine , us e the -engine option as follows :
~]$ openssl pkeyutl -in plaintext -out cyphertext -inkey privkey.pem - engine id
Whe re id is the ID of the cryptographic e ngine . To che ck the availability of an e ngine , is s ue the following command:
~]$ openssl engine -t
To s ign a data file calle d plaintext, is s ue a command as follows :
~]$ openssl pkeyutl -sign -in plaintext -out sigtext -inkey privkey.pem
125

Se curit y Guide
To ve rify a s igne d data file and to e xtract the data, is s ue a command as follows :
~]$ openssl pkeyutl -verifyrecover -in sig -inkey key.pem
To ve rify the s ignature , for e xample us ing a DSA ke y, is s ue a command as follows :
~]$ openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem
The pke yutl(1) manual page de s cribe s the public ke y algorithm utility.
To lis t available s ymme tric e ncryption algorithms , e xe cute the enc command with an uns upporte d option, s uch as -l :
~]$ openssl enc -l
To s pe cify an algorithm, us e its name as an option. For e xample , to us e the aes-128-cbc algorithm, us e the following s yntax: openssl enc -aes-128-cbc
To e ncrypt a file calle d plaintext us ing the aes-128-cbc algorithm, run the following command:
~]$ openssl enc -aes-128-cbc -in plaintext -out plaintext.aes-128-cbc
To de crypt the file obtaine d in the pre vious e xample , us e the -d option as in the following e xample :
~]$ openssl enc -aes-128-cbc -d -in plaintext.aes-128-cbc -out plaintext
Important
The enc command doe s not prope rly s upport AEAD ciphe rs , and the ecb mode is not cons ide re d s e cure . For be s t re s ults , do not us e othe r mode s than cbc , cfb , ofb , or ctr .
The dgst command produce s the me s s age dige s t of a s upplie d file or file s in he xade cimal form. The command can als o be us e d for digital s igning and ve rification. The me s s age dige s t command take s the following form: openssl dgst algorithm -out filename -sign private-key
126

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Whe re algorithm is one of md5|md4|md2|sha1|sha|mdc2|ripemd160|dss1 . At time of writing, the SHA1 algorithm is pre fe rre d. If you ne e d to s ign or ve rify us ing DSA, the n the dss1 option mus t be us e d toge the r with a file containing random data s pe cifie d by the rand option.
To produce a me s s age dige s t in the de fault He x format us ing the s ha1 algorithm, is s ue the following command:
~]$ openssl dgst sha1 -out digest-file
To digitally s ign the dige s t, us ing a private ke y privekey.pem, is s ue the following command:
~]$ openssl dgst sha1 -out digest-file -sign privkey.pem
Se e man dgs t(1) for more information.
The passwd command compute s the has h of a pas s word. To compute the has h of a pas s word on the command line , is s ue a command as follows :
~]$ openssl passwd password
The -crypt algorithm is us e d by de fault.
To compute the has h of a pas s word from s tandard input, us ing the MD5 bas e d BSD algorithm 1 , is s ue a command as follows :
~]$ openssl passwd -1 password
The -apr1 option s pe cifie s the Apache variant of the BSD algorithm.
To compute the has h of a pas s word s tore d in a file , and us ing a s alt xx , is s ue a command as follows :
~]$ openssl passwd -salt xx -in password-file
The pas s word is s e nt to s tandard output and the re is no -out option to s pe cify an output file . The -table will ge ne rate a table of pas s word has he s with the ir corre s ponding cle ar te xt pas s word.
Se e man s s lpas s wd(1) for more information and e xample s .
To ge ne rate a file containing random data, us ing a s e e d file , is s ue the following command:
~]$ openssl rand -out rand-file -rand seed-file
Multiple file s for s e e ding the random data proce s s can be s pe cifie d us ing the colon, : , as a lis t s e parator.
Se e man rand(1) for more information.
127

Se curit y Guide
To te s t the computational s pe e d of a s ys te m for a give n algorithm, is s ue a command in the following format:
~]$ openssl speed algorithm whe re algorithm is one of the s upporte d algorithms you inte nde d to us e . To lis t the available algorithms , type openssl speed and the n pre s s tab.
Ope nSSL has a configuration file /etc/pki/tls/openssl.cnf
, re fe rre d to as the mas te r configuration file , which is re ad by the Ope nSSL library. It is als o pos s ible to have individual configuration file s for e ach application. The configuration file contains a numbe r of s e ctions with s e ction name s as follows : [ section_name ] . Note the firs t part of the file , up until the firs t [ section_name ] , is re fe rre d to as the de fault s e ction. Whe n
Ope nSSL is s e arching for name s in the configuration file the name d s e ctions are s e arche d firs t. All Ope nSSL commands us e the mas te r Ope nSSL configuration file unle s s an option is us e d in the command to s pe cify an alte rnative configuration file . The configuration file is e xplaine d in de tail in the config(5) man page .
Two RFCs e xplain the conte nts of a ce rtificate file . The y are :
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
Profile
Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile
The st unnel program is an e ncryption wrappe r be twe e n a clie nt and a s e rve r. It lis te ns on the port s pe cifie d in its configuration file , e ncrypts the communitation with the clie nt, and forwards the data to the original dae mon lis te ning on its us ual port. This way, you can s e cure any s e rvice that its e lf doe s not s upport any type of e ncryption, or improve the s e curity of a s e rvice that us e s a type of e ncryption that you want to avoid for s e curity re as ons , s uch as SSL ve rs ions 2 and 3, affe cte d by the POODLE SSL vulne rability (CVE-
2014-3566). Se e https ://acce s s .re dhat.com/s olutions /1234773 for de tails . CUPS is an e xample of a compone nt that doe s not provide a way to dis able SSL in its own configuration.
Ins tall the stunnel package by running the following command as root :
~]# yum install stunnel
To configure st unnel, follow the s e s te ps :
128

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
1. You ne e d a valid ce rtificate for st unnel re gardle s s of what s e rvice you us e it with.
If you do not have a s uitable ce rtificate , you can apply to a Certificate Authority to obtain one , or you can cre ate a s e lf-s igne d ce rtificate .
Warning
Always us e ce rtificate s s igne d by a Ce rtificate Authority for s e rve rs running in a production e nvironme nt. Se lf-s igne d ce rtificate s are only appropriate for te s ting purpos e s or private ne tworks .
Se e
Se ction 4.8.2.1, “Cre ating a Ce rtificate Signing Re que s t” for more information
about ce rtificate s grante d by a Ce rtificate Authority. On the othe r hand, to cre ate a s e lf-s igne d ce rtificate for st unnel, e nte r the /etc/pki/tls/certs/ dire ctory and type the following command as root : certs]# make stunnel.pem
Ans we r all of the que s tions to comple te the proce s s .
2. Whe n you have a ce rtificate , cre ate a configuration file for st unnel. It is a te xt file in which e ve ry line s pe cifie s an option or the be ginning of a s e rvice de finition. You can als o ke e p comme nts and e mpty line s in the file to improve its le gibility, whe re comme nts s tart with a s e micolon.
The stunnel RPM package contains the /etc/stunnel/ dire ctory, in which you can s tore the configuration file . Although st unnel doe s not re quire any s pe cial format of the file name or its e xte ns ion, us e /etc/stunnel/stunnel.conf
. The following conte nt configure s st unnel as a TLS wrappe r: cert = /etc/pki/tls/certs/stunnel.pem
; Allow only TLS, thus avoiding SSL sslVersion = TLSv1 chroot = /var/run/stunnel setuid = nobody setgid = nobody pid = /stunnel.pid
socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
[service_name] accept = port connect = port
TIMEOUTclose = 0
Alte rnative ly, you can avoid SSL by re placing the line containing sslVersion =
TLSv1 with the following line s : options = NO_SSLv2 options = NO_SSLv3
The purpos e of the options is as follows : cert — the path to your ce rtificate
129

Se curit y Guide sslVersion — the ve rs ion of SSL; note that you can us e TLS he re e ve n though
SSL and TLS are two inde pe nde nt cryptographic protocols chroot — the change d root dire ctory in which the s tunne l proce s s runs , for gre ate r s e curity setuid , setgid — the us e r and group that the st unnel proce s s runs as ; nobody is a re s tricte d s ys te m account pid — the file in which st unnel s ave s its proce s s ID, re lative to chroot socket — local and re mote s ocke t options ; in this cas e , dis able Nagle's algorithm to improve ne twork late ncy
[service_name] — the be ginning of the s e rvice de finition; the options us e d be low this line apply to the give n s e rvice only, whe re as the options above affe ct
st unnel globally accept — the port to lis te n on connect — the port to conne ct to; this mus t be the port that the s e rvice you are s e curing us e s
TIMEOUTclose — how many s e conds to wait for the close_notify ale rt from the clie nt; 0 ins tructs st unnel not to wait at all options — Ope nSSL library options
Example 4.10 . Securing CUPS
To configure s tunne l as a TLS wrappe r for CUPS, us e the following value s :
[cups] accept = 632 connect = 631
Ins te ad of 632 , you can us e any fre e port that you pre fe r. 631 is the port that
CUPS normally us e s .
3. Cre ate the chroot dire ctory and give the us e r s pe cifie d by the setuid option write acce s s to it. To do s o, run the following commands as root :
~]# mkdir /var/run/stunnel
~]# chown nobody:nobody /var/run/stunnel
This allows st unnel to cre ate the PID file .
4. If your s ys te m is us ing fire wall s e ttings that dis allow acce s s to the ne w port, change the m accordingly. Se e
Se ction 4.5.3.1.6, “Ope n Ports in the Fire wall” for
de tails .
5. Whe n you have cre ate d the configuration file and the chroot dire ctory, and whe n you are s ure that the s pe cifie d port is acce s s ible , you are re ady to s tart us ing
st unnel.
130

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
To s tart st unnel, run the following command as root :
~]# stunnel /etc/stunnel/stunnel.conf
By de fault, st unnel us e s /var/log/secure to log its output.
To te rminate st unnel, kill the proce s s by running the following command as root :
~]# kill `cat /var/run/stunnel/stunnel.pid`
If you e dit the configuration file while st unnel is running, te rminate st unnel and s tart it again for your change s to take e ffe ct.
Linux Unifie d Ke y Se tup-on-dis k-format (or LUKS) allows you to e ncrypt partitions on your
Linux compute r. This is particularly important whe n it come s to mobile compute rs and re movable me dia. LUKS allows multiple us e r ke ys to de crypt a mas te r ke y, which is us e d for the bulk e ncryption of the partition.
What LUKS do es
LUKS e ncrypts e ntire block de vice s and is the re fore we ll-s uite d for prote cting the conte nts of mobile de vice s s uch as re movable s torage me dia or laptop dis k drive s .
The unde rlying conte nts of the e ncrypte d block de vice are arbitrary. This make s it us e ful for e ncrypting swap de vice s . This can als o be us e ful with ce rtain databas e s that us e s pe cially formatte d block de vice s for data s torage .
LUKS us e s the e xis ting de vice mappe r ke rne l s ubs ys te m.
LUKS provide s pas s phras e s tre ngthe ning which prote cts agains t dictionary attacks .
LUKS de vice s contain multiple ke y s lots , allowing us e rs to add backup ke ys or pas s phras e s .
What LUKS do es not do :
LUKS is not we ll-s uite d for applications re quiring many (more than e ight) us e rs to have dis tinct acce s s ke ys to the s ame de vice .
LUKS is not we ll-s uite d for applications re quiring file -le ve l e ncryption.
Re d Hat Ente rpris e Linux 7 utilize s LUKS to pe rform file s ys te m e ncryption. By de fault, the option to e ncrypt the file s ys te m is unche cke d during the ins tallation. If you s e le ct the option to e ncrypt your hard drive , you will be prompte d for a pas s phras e that will be as ke d e ve ry time you boot the compute r. This pas s phras e "unlocks " the bulk e ncryption ke y that
131

Se curit y Guide is us e d to de crypt your partition. If you choos e to modify the de fault partition table you can choos e which partitions you want to e ncrypt. This is s e t in the partition table s e ttings .
The de fault ciphe r us e d for LUKS (s e e cryptsetup --help ) is ae s -cbc-e s s iv:s ha256
(ESSIV - Encrypte d Salt-Se ctor Initialization Ve ctor). Note that the ins tallation program,
Anaco nda, us e s by de fault XTS mode (ae s -xts -plain64). The de fault ke y s ize for LUKS is
256 bits . The de fault ke y s ize for LUKS with Anaco nda (XTS mode ) is 512 bits . Ciphe rs that are available are :
AES - Advance d Encryption Standard - FIPS PUB 197
Twofis h (A 128-bit Block Ciphe r)
Se rpe nt cas t5 - RFC 2144 cas t6 - RFC 2612
Warning
Following this proce dure will re move all data on the partition that you are e ncrypting.
You WILL los e all your information! Make s ure you backup your data to an e xte rnal s ource be fore be ginning this proce dure !
1. Ente r runle ve l 1 by typing the following at a s he ll prompt as root: telinit 1
2. Unmount your e xis ting /home : umount /home
3. If the command in the pre vious s te p fails , us e fuser to find proce s s e s hogging
/home and kill the m: fuser -mvk /home
4. Ve rify /home is no longe r mounte d: grep home /proc/mounts
5. Fill your partition with random data: shred -v --iterations=1 /dev/VG00/LV_home
This command proce e ds at the s e que ntial write s pe e d of your de vice and may take s ome time to comple te . It is an important s te p to e ns ure no une ncrypte d data is le ft on a us e d de vice , and to obfus cate the parts of the de vice that contain e ncrypte d data as oppos e d to jus t random data.
132

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
6. Initialize your partition: cryptsetup --verbose --verify-passphrase luksFormat
/dev/VG00/LV_home
7. Ope n the ne wly e ncrypte d de vice : cryptsetup luksOpen /dev/VG00/LV_home home
8. Make s ure the de vice is pre s e nt: ls -l /dev/mapper | grep home
9. Cre ate a file s ys te m: mkfs.ext3 /dev/mapper/home
10. Mount the file s ys te m: mount /dev/mapper/home /home
11. Make s ure the file s ys te m is vis ible : df -h | grep home
12. Add the following to the /etc/crypttab file : home /dev/VG00/LV_home none
13. Edit the /etc/fstab file , re moving the old e ntry for /home and adding the following line :
/dev/mapper/home /home ext3 defaults 1 2
14. Re s tore de fault SELinux s e curity conte xts :
/sbin/restorecon -v -R /home
15. Re boot the machine : shutdown -r now
16. The e ntry in the /etc/crypttab make s your compute r as k your luks pas s phras e on boot.
17. Log in as root and re s tore your backup.
You now have an e ncrypte d partition for all of your data to s afe ly re s t while the compute r is off.
133

Se curit y Guide
Us e the following command to add a ne w pas s phras e to an e xis ting de vice : cryptsetup luksAddKey device
Afte r be ing prompte d for any one of the e xis ting pas s pras e s for authe ntication, you will be prompte d to e nte r the ne w pas s phras e .
Us e the following command to re move a pas s phras e from an e xis ting de vice : cryptsetup luksRemoveKey device
You will be prompte d for the pas s phras e you want to re move and the n for any one of the re maining pas s phras e s for authe ntication.
You can cre ate e ncrypte d de vice s during s ys te m ins tallation. This allows you to e as ily configure a s ys te m with e ncrypte d partitions .
To e nable block de vice e ncryption, che ck the Encrypt System che ck box whe n s e le cting automatic partitioning or the Encrypt che ck box whe n cre ating an individual partition, s oftware RAID array, or logical volume . Afte r you finis h partitioning, you will be prompte d for an e ncryption pas s phras e . This pas s phras e will be re quire d to acce s s the e ncrypte d de vice s . If you have pre -e xis ting LUKS de vice s and provide d corre ct pas s phras e s for the m e arlie r in the ins tall proce s s the pas s phras e e ntry dialog will als o contain a che ck box. Che cking this che ck box indicate s that you would like the ne w pas s phras e to be adde d to an available s lot in e ach of the pre -e xis ting e ncrypte d block de vice s .
Note
Che cking the Encrypt System che ck box on the Automatic Partitioning s cre e n and the n choos ing Create custom layout doe s not caus e any block de vice s to be e ncrypte d automatically.
Note
You can us e kickstart to s e t a s e parate pas s phras e for e ach ne w e ncrypte d block de vice .
For additional information on LUKS or e ncrypting hard drive s unde r Re d Hat
Ente rpris e Linux 7 vis it one of the following links :
LUKS home page
LUKS/crypts e tup FAQ
LUKS - Linux Unifie d Ke y Se tup Wikipe dia article
134

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
HOWTO: Cre ating an e ncrypte d Phys ical Volume (PV) us ing a s e cond hard drive and pvmove
GPG is us e d to ide ntify yours e lf and authe nticate your communications , including thos e with pe ople you do not know. GPG allows anyone re ading a GPG-s igne d e mail to ve rify its authe nticity. In othe r words , GPG allows s ome one to be re as onably ce rtain that communications s igne d by you actually are from you. GPG is us e ful be caus e it he lps pre ve nt third partie s from alte ring code or inte rce pting conve rs ations and alte ring the me s s age .
To cre ate a GPG Ke y in GNOME, follow the s e s te ps :
1. Ins tall the Seaho rse utility, which make s GPG ke y manage me nt e as ie r:
~]# yum install seahorse
2. To cre ate a ke y, from the Applicat io ns → Accesso ries me nu s e le ct Passwo rds
and Encrypt io n Keys, which s tarts the application Seaho rse.
3. From the File me nu s e le ct New and the n PGP Key . The n click Continue .
4. Type your full name , e mail addre s s , and an optional comme nt de s cribing who you are (for e xample : John C. Smith, jsmith@example.com
, Software Engine e r). Click
Create . A dialog is dis playe d as king for a pas s phras e for the ke y. Choos e a s trong pas s phras e but als o e as y to re me mbe r. Click OK and the ke y is cre ate d.
Warning
If you forge t your pas s phras e , you will not be able to de crypt the data.
To find your GPG ke y ID, look in the Key ID column ne xt to the ne wly cre ate d ke y. In mos t cas e s , if you are as ke d for the ke y ID, pre pe nd 0x to the ke y ID, as in 0x6789ABCD . You s hould make a backup of your private ke y and s tore it s ome whe re s e cure .
To cre ate a GPG Ke y in KDE, follow the s e s te ps :
1. Start the KGpg program from the main me nu by s e le cting Applicat io ns →
Ut ilit ies → Encrypt io n T o o l. If you have ne ve r us e d KGpg be fore , the program walks you through the proce s s of cre ating your own GPG ke ypair.
2. A dialog box appe ars prompting you to cre ate a ne w ke y pair. Ente r your name , e mail addre s s , and an optional comme nt. You can als o choos e an e xpiration time for your ke y, as we ll as the ke y s tre ngth (numbe r of bits ) and algorithms .
3. Ente r your pas s phras e in the ne xt dialog box. At this point, your ke y appe ars in the main KGpg window.
135

Se curit y Guide
Warning
If you forge t your pas s phras e , you will not be able to de crypt the data.
To find your GPG ke y ID, look in the Key ID column ne xt to the ne wly cre ate d ke y. In mos t cas e s , if you are as ke d for the ke y ID, pre pe nd 0x to the ke y ID, as in 0x6789ABCD . You s hould make a backup of your private ke y and s tore it s ome whe re s e cure .
1. Us e the following s he ll command:
~]$ gpg2 --gen-key
This command ge ne rate s a ke y pair that cons is ts of a public and a private ke y.
Othe r pe ople us e your public ke y to authe nticate and/or de crypt your communications . Dis tribute your public ke y as wide ly as pos s ible , e s pe cially to pe ople who you know will want to re ce ive authe ntic communications from you, s uch as a mailing lis t.
2. A s e rie s of prompts dire cts you through the proce s s . Pre s s the Enter ke y to as s ign a de fault value if de s ire d. The firs t prompt as ks you to s e le ct what kind of ke y you pre fe r:
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
In almos t all cas e s , the de fault is the corre ct choice . An RSA/RSA ke y allows you not only to s ign communications , but als o to e ncrypt file s .
3. Choos e the ke y s ize :
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Again, the de fault, 2048, is s ufficie nt for almos t all us e rs , and re pre s e nts an e xtre me ly s trong le ve l of s e curity.
4. Choos e whe n the ke y will e xpire . It is a good ide a to choos e an e xpiration date ins te ad of us ing the de fault, which is none . If, for e xample , the e mail addre s s on the ke y be come s invalid, an e xpiration date will re mind othe rs to s top us ing that public ke y.
Please specify how long the key should be valid.
0 = key does not expire d = key expires in n days w = key expires in n weeks
136

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s m = key expires in n months y = key expires in n years key is valid for? (0)
Ente ring a value of 1y, for e xample , make s the ke y valid for one ye ar. (You may change this e xpiration date afte r the ke y is ge ne rate d, if you change your mind.)
5. Be fore the gpg2 application as ks for s ignature information, the following prompt appe ars :
Is this correct (y/N)?
Ente r y to finis h the proce s s .
6. Ente r your name and e mail addre s s for your GPG ke y. Re me mbe r this proce s s is about authe nticating you as a re al individual. For this re as on, include your re al name . If you choos e a bogus e mail addre s s , it will be more difficult for othe rs to find your public ke y. This make s authe nticating your communications difficult. If you are us ing this GPG ke y for s e lf-introduction on a mailing lis t, for e xample , e nte r the e mail addre s s you us e on that lis t.
Us e the comme nt fie ld to include alias e s or othe r information. (Some pe ople us e diffe re nt ke ys for diffe re nt purpos e s and ide ntify e ach ke y with a comme nt, s uch as "Office " or "Ope n Source Proje cts .")
7. At the confirmation prompt, e nte r the le tte r O to continue if all e ntrie s are corre ct, or us e the othe r options to fix any proble ms . Finally, e nte r a pas s phras e for your s e cre t ke y. The gpg2 program as ks you to e nte r your pas s phras e twice to e ns ure you made no typing e rrors .
8. Finally, gpg2 ge ne rate s random data to make your ke y as unique as pos s ible .
Move your mous e , type random ke ys , or pe rform othe r tas ks on the s ys te m during this s te p to s pe e d up the proce s s . Once this s te p is finis he d, your ke ys are comple te and re ady to us e : pub 1024D/1B2AFA1C 2005-03-31 John Q. Doe <jqdoe@example.com>
Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A
FA1C sub 1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]
9. The ke y finge rprint is a s horthand "s ignature " for your ke y. It allows you to confirm to othe rs that the y have re ce ive d your actual public ke y without any tampe ring. You do not ne e d to write this finge rprint down. To dis play the finge rprint at any time , us e this command, s ubs tituting your e mail addre s s :
~]$ gpg2 --fingerprint jqdoe@example.com
Your "GPG ke y ID" cons is ts of 8 he x digits ide ntifying the public ke y. In the e xample above , the GPG ke y ID is 1B2AFA1C . In mos t cas e s , if you are as ke d for the ke y ID, pre pe nd 0x to the ke y ID, as in 0x6789ABCD .
137

Se curit y Guide
Warning
If you forge t your pas s phras e , the ke y cannot be us e d and any data e ncrypte d us ing that ke y will be los t.
1. Wikipe dia - Public Ke y Cryptography
2. HowStuffWorks - Encryption
o penCrypt o ki is a Linux imple me ntation of PKCS#11, which is a Public-Key Cryptography
Standard that de fine s an application programming inte rface (API) to cryptographic de vice s calle d toke ns . Toke ns may be imple me nte d in hardware or s oftware . This chapte r provide s an ove rvie w of the way the o penCrypt o ki s ys te m is ins talle d, configure d, and us e d in Re d Hat Ente rpris e Linux 7.
To ins tall the bas ic o penCrypt o ki package s on your s ys te m, including a s oftware imple me ntation of a toke n for te s ting purpos e s , run the following command as root :
~]# yum install opencryptoki
De pe nding on the type of hardware toke ns you inte nd to us e , you may ne e d to ins tall additional package s that provide s upport for your s pe cific us e cas e . For e xample , to obtain s upport for Trusted Platform Module (TPM) de vice s , you ne e d to ins tall the opencryptoki-
tpmtok package .
Se e the Ins talling Package s s e ction of the Re d Hat Ente rpris e Linux 7 Sys te m
Adminis trator's Guide for ge ne ral information on how to ins tall package s us ing the Yum package manage r.
To e nable the o penCrypt o ki s e rvice , you ne e d to run the pkcsslotd dae mon. Start the dae mon for the curre nt s e s s ion by e xe cuting the following command as root :
~]# systemctl start pkcsslotd
To e ns ure that the s e rvice is automatically s tarte d at boot time , run the following command:
~]# systemctl enable pkcsslotd
Se e the Managing Se rvice s with s ys te md chapte r of the Re d Hat Ente rpris e Linux 7
Sys te m Adminis trator's Guide for more information on how to us e s ys te md targe ts to manage s e rvice s .
138

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Whe n s tarte d, the pkcsslotd dae mon re ads the
/etc/opencryptoki/opencryptoki.conf
configuration file , which it us e s to colle ct information about the toke ns configure d to work with the s ys te m and about the ir s lots .
The file de fine s the individual s lots us ing ke y-value pairs . Each s lot de finition can contain a de s cription, a s pe cification of the toke n library to be us e d, and an ID of the s lot's manufacture r. Optionally, the ve rs ion of the s lot's hardware and firmware may be de fine d.
Se e the ope ncryptoki.conf(5) manual page for a de s cription of the file 's format and for a more de taile d de s cription of the individual ke ys and the value s that can be as s igne d to the m.
To modify the be havior of the pkcsslotd dae mon at run time , us e the pkcsconf utility.
This tool allows you to s how and configure the s tate of the dae mon, as we ll as to lis t and modify the curre ntly configure d s lots and toke ns . For e xample , to dis play information about toke ns , is s ue the following command (note that all non-root us e rs that ne e d to communicate with the pkcsslotd dae mon mus t be a part of the pkcs11 s ys te m group):
~]$ pkcsconf -t
Se e the pkcs conf(1) manual page for a lis t of argume nts available with the pkcsconf tool.
Warning
Ke e p in mind that only fully trus te d us e rs s hould be as s igne d me mbe rs hip in the pkcs11 group, as all me mbe rs of this group have the right to block othe r us e rs of the o penCrypt o ki s e rvice from acce s s ing configure d PKCS#11 toke ns . All me mbe rs of this group can als o e xe cute arbitrary code with the privile ge s of any othe r us e rs of o penCrypt o ki.
The s mart card is a lightwe ight hardware s e curity module in a USB s tick, MicroSD, or
SmartCard form factor. It provide s a re mote ly manage able s e cure ke y s tore . In Re d Hat
Ente rpris e Linux 7, Ope nSSH s upports authe ntication us ing s mart cards .
To us e your s mart card with Ope nSSH, s tore the public ke y from the card to the
~/.ssh/authorized_keys file . Ins tall the PKCS#11 library provide d by the opensc package on the clie nt. PKCS#11 is a Public-Ke y Cryptography Standard that de fine s an application programming inte rface (API) to cryptographic de vice s calle d toke ns . Run the following command as root :
~]# yum install opensc
To us e s mart cards that are not s upporte d by opensc (CoolKe y and CAC), ins tall the
coolkey package by running the following command as root:
~]# yum install coolkey
To lis t the ke ys on your card, us e the ssh-keygen command. Spe cify the s hare d library
(Ope nSC in the following e xample ) with the -D dire ctive .
139

Se curit y Guide
~]$ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so
ssh-rsa AAAAB3NzaC1yc[...]+g4Mb9
To e nable authe ntication us ing a s mart card on a re mote s e rve r, trans fe r the public ke y to the re mote s e rve r. Do it by copying the re trie ve d s tring (ke y) and pas ting it to the re mote s he ll, or by s toring your ke y to a file ( smartcard.pub
in the following e xample ) and us ing the ssh-copy-id command:
~]$ SSH_COPY_ID_LEGACY=1 ssh-copy-id -i smartcard.pub user@hostname user@hostname's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh user@hostname" and check to make sure that only the key(s) you wanted were added.
Storing a public ke y without a private ke y file re quire s to us e the SSH_COPY_ID_LEGACY=1 e nvironme nt variable .
Ope nSSH can re ad your public ke y from a s mart card and pe rform ope rations with your private ke y without e xpos ing the ke y its e lf. This me ans that the private ke y doe s not le ave the card. To conne ct to a re mote s e rve r us ing your s mart card for authe ntication, run the following command and e nte r the PIN prote cting your card:
[localhost ~]$ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so hostname
Enter PIN for 'Test (UserPIN)':
[hostname ~]$
Re place the hostname with the actual hos tname to which you want to conne ct.
To s ave unne ce s s ary typing ne xt time you conne ct to the re mote s e rve r, s tore the path to the PKCS#11 library in your ~/.ssh/config file :
Host hostname
PKCS11Provider /usr/lib64/pkcs11/opensc-pkcs11.so
Conne ct by running the ssh command without any additional options :
[localhost ~]$ ssh hostname
Enter PIN for 'Test (UserPIN)':
[hostname ~]$
ssh-agent
Se t up e nvironme ntal variable s to s tart us ing ssh-agent . You can s kip this s te p in mos t cas e s be caus e ssh-agent is alre ady running in a typical s e s s ion. Us e the following command to che ck whe the r you can conne ct to your authe ntication age nt:
140

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]$ ssh-add -l
Could not open a connection to your authentication agent.
~]$ eval `ssh-agent`
To avoid writing your PIN e ve ry time you conne ct us ing this ke y, add the card to the age nt by running the following command:
~]$ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
Enter PIN for 'Test (UserPIN)':
Card added: /usr/lib64/pkcs11/opensc-pkcs11.so
To re move the card from ssh-agent , us e the following command:
~]$ ssh-add -e /usr/lib64/pkcs11/opensc-pkcs11.so
Card removed: /usr/lib64/pkcs11/opensc-pkcs11.so
Se tting up your hardware or s oftware toke n is de s cribe d in the Smart Card s upport in Re d
Hat Ente rpris e Linux 7 article .
Trusted and encrypted keys are variable -le ngth s ymme tric ke ys ge ne rate d by the ke rne l that utilize the ke rne l ke yring s e rvice . The fact that the ke ys ne ve r appe ar in us e r s pace in an une ncrypte d form me ans that the ir inte grity can be ve rifie d, which in turn me ans that the y can be us e d, for e xample , by the e xte nde d ve rification module (EVM) to ve rify and confirm the inte grity of a running s ys te m. Us e r-le ve l programs can only e ve r acce s s the ke ys in the form of e ncrypte d blobs.
Trus te d ke ys ne e d a hardware compone nt: the Trusted Platform Module (TPM) chip, which is us e d to both cre ate and e ncrypt (seal) the ke ys . The TPM s e als the ke ys us ing a 2048bit RSA ke y calle d the storage root key (SRK).
In addition to that, trus te d ke ys may als o be s e ale d us ing a s pe cific s e t of the TPM's
platform configuration register (PCR) value s . The PCR contains a s e t of inte gritymanage me nt value s that re fle ct the BIOS, bootloade r, and ope rating s ys te m. This me ans that PCR-s e ale d ke ys can only be de crypte d by the TPM on the e xact s ame s ys te m on which the y we re e ncrypte d. Howe ve r, once a PCR-s e ale d trus te d ke y is loade d (adde d to a ke yring), and thus its as s ociate d PCR value s are ve rifie d, it can be update d with ne w (or future ) PCR value s , s o that a ne w ke rne l, for e xample , can be boote d. A s ingle ke y can als o be s ave d as multiple blobs , e ach with diffe re nt PCR value s .
Encrypte d ke ys do not re quire a TPM, as the y us e the ke rne l AES e ncryption, which make s the m fas te r than trus te d ke ys . Encrypte d ke ys are cre ate d us ing ke rne l-ge ne rate d random numbe rs and e ncrypte d by a master key whe n the y are e xporte d into us e r-s pace blobs . This mas te r ke y can be e ithe r a trus te d ke y or a us e r ke y, which is the ir main dis advantage — if the mas te r ke y is not a trus te d ke y, the e ncrypte d ke y is only as s e cure as the us e r ke y us e d to e ncrypt it.
141

Se curit y Guide
Prior to any ope rations with ke ys , re le vant ke rne l module s ne e d to be loade d. For trus te d ke ys , it is the t rust ed module , and for e ncrypte d ke ys , it is the encrypt ed-keys module .
Us e the following command as the root us e r to load both of the s e module s at once :
~]# modprobe trusted encrypted-keys
Trus te d and e ncrypte d ke ys can be cre ate d, loade d, e xporte d, and update d us ing the
keyct l utility. For de taile d information about us ing keyct l, s e e ke yctl(1).
Note
In orde r to us e a TPM (s uch as for cre ating and s e aling trus te d ke ys ), it ne e ds to be e nable d and active . This can be us ually achie ve d through a s e tting in the machine 's
BIOS or us ing the tpm_setactive command from the tpm-tools package of utilitie s .
Als o, the T ro uSers application ne e ds to be ins talle d (the trousers package ), and the tcsd dae mon, which is a part of the T ro uSers s uite , running to communicate with the TPM.
To cre ate a trus te d ke y us ing a TPM, e xe cute the keyctl command with the following s yntax: keyctl add trusted name "new keylength [options]" keyring
Us ing the above s yntax, an e xample command can be cons tructe d as follows :
~]$ keyctl add trusted kmk "new 32" @u
642500861
The above e xample cre ate s a trus te d ke y calle d kmk with the le ngth of 32 byte s (256 bits ) and place s it in the us e r ke yring ( @u ). The ke ys may have a le ngth of 32 to 128 byte s (256 to 1024 bits ). Us e the show s ubcommand to lis t the curre nt s tructure of the ke rne l ke yrings :
~]$ keyctl show
Session Keyring
-3 --alswrv 500 500 keyring: _ses
97833714 --alswrv 500 -1 \_ keyring: _uid.1000
642500861 --alswrv 500 500 \_ trusted: kmk
The print s ubcommand outputs the e ncrypte d ke y to the s tandard output. To e xport the ke y to a us e r-s pace blob, us e the pipe s ubcommand as follows :
~]$ keyctl pipe 642500861 > kmk.blob
To load the trus te d ke y from the us e r-s pace blob, us e the add command again with the blob as an argume nt:
~]$ keyctl add trusted kmk "load `cat kmk.blob`" @u
268728824
The TPM-s e ale d trus te d ke y can the n be e mploye d to cre ate s e cure e ncrypte d ke ys . The following command s yntax is us e d for ge ne rating e ncrypte d ke ys :
142

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
~]$ keyctl add encrypted name "new [format] key-type:master-key-name
keylength" keyring
Bas e d on the above s yntax, a command for ge ne rating an e ncrypte d ke y us ing the alre ady cre ate d trus te d ke y can be cons tructe d as follows :
~]$ keyctl add encrypted encr-key "new trusted:kmk 32" @u
159771175
To cre ate an e ncrypte d ke y on s ys te ms whe re a TPM is not available , us e a random s e que nce of numbe rs to ge ne rate a us e r ke y, which is the n us e d to s e al the actual e ncrypte d ke ys .
~]$ keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32
2>/dev/null`" @u
427069434
The n ge ne rate the e ncrypte d ke y us ing the random-numbe r us e r ke y:
~]$ keyctl add encrypted encr-key "new user:kmk-user 32" @u
1012412758
The list s ubcommand can be us e d to lis t all ke ys in the s pe cifie d ke rne l ke yring:
~]$ keyctl list @u
2 keys in keyring:
427069434: --alswrv 1000 1000 user: kmk-user
1012412758: --alswrv 1000 1000 encrypted: encr-key
Important
Ke e p in mind that e ncrypte d ke ys that are not s e ale d by a mas te r trus te d ke y are only as s e cure as the us e r mas te r ke y (random-numbe r ke y) us e d to e ncrypt the m.
The re fore , the mas te r us e r ke y s hould be loade d as s e cure ly as pos s ible and pre fe rably e arly during the boot proce s s .
The following offline and online re s ource s can be us e d to acquire additional information pe rtaining to the us e of trus te d and e ncrypte d ke ys .
ke yctl(1) — De s cribe s the us e of the keyct l utility and its s ubcommands .
Re d Hat Ente rpris e Linux 7 SELinux Us e r's and Adminis trator's Guide — The SELinux
User's and Administrator's Guide for Re d Hat Ente rpris e Linux 7 de s cribe s the bas ic principle s of SELinux and docume nts in de tail how to configure and us e SELinux with various s e rvice s , s uch as the Apache HT T P Server.
143

Se curit y Guide https ://www.ke rne l.org/doc/Docume ntation/s e curity/ke ys -trus te d-e ncrypte d.txt
— The official docume ntation about the trus te d and e ncrypte d ke ys fe ature of the Linux ke rne l.
Se ction A.1.1, “Advance d Encryption Standard — AES”
provide s a concis e de s cription of the Advanced Encryption Standard .
Se ction A.2, “Public-ke y Encryption”
de s cribe s the public-ke y cryptographic approach and the various cryptographic protocols it us e s .
In orde r to be able to ge ne rate s e cure cryptographic ke ys that cannot be e as ily broke n, a s ource of random numbe rs is re quire d. Ge ne rally, the more random the numbe rs are , the be tte r the chance of obtaining unique ke ys . Entropy for ge ne rating random numbe rs is us ually obtaine d from computing e nvironme ntal "nois e " or us ing a hardware random
number generator.
The rngd dae mon, which is a part of the rng-tools package , is capable of us ing both e nvironme ntal nois e and hardware random numbe r ge ne rators for e xtracting e ntropy. The dae mon che cks whe the r the data s upplie d by the s ource of randomne s s is s ufficie ntly random and the n s tore s it in the random-numbe r e ntropy pool of the ke rne l. The random numbe rs it ge ne rate s are made available through the /dev/random and /dev/urandom characte r de vice s .
The diffe re nce be twe e n /dev/random and /dev/urandom is that the forme r is a blocking de vice , which me ans it s tops s upplying numbe rs whe n it de te rmine s that the amount of e ntropy is ins ufficie nt for ge ne rating a prope rly random output. Conve rs e ly, /dev/urandom is a non-blocking s ource , which re us e s the e ntropy pool of the ke rne l and is thus able to provide an unlimite d s upply of ps e udo-random numbe rs , albe it with le s s e ntropy. As s uch,
/dev/urandom s hould not be us e d for cre ating long-te rm cryptographic ke ys .
To ins tall the rng-tools package , is s ue the following command as the root us e r:
~]# yum install rng-tools
To s tart the rngd dae mon, e xe cute the following command as root :
~]# systemctl start rngd
To que ry the s tatus of the dae mon, us e the following command:
~]# systemctl status rngd
To s tart the rngd dae mon with optional parame te rs , e xe cute it dire ctly. For e xample , to s pe cify an alte rnative s ource of random-numbe r input (othe r than /dev/hwrandom ), us e the following command:
~]# rngd --rng-device=/dev/hwrng
The above command s tarts the rngd dae mon with /dev/hwrng as the de vice from which random numbe rs are re ad. Similarly, you can us e the -o (or --random-device ) option to choos e the ke rne l de vice for random-numbe r output (othe r than the de fault /dev/random ).
Se e the rngd(8) manual page for a lis t of all available options .
144

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
To che ck which s ource s of e ntropy are available in a give n s ys te m, e xe cute the following command as root :
~]# rngd -v
Unable to open file: /dev/tpm0
Available entropy sources:
DRNG
If the re is not any TPM de vice pre s e nt, you will s e e only the Inte l Digital Random Numbe r
Ge ne rator (DRNG) as a s ource of e ntropy. To che ck if your CPU s upports the RDRAND proce s s or ins truction, run the following command:
~]$ cat /proc/cpuinfo | grep rdrand
Note
For more information and s oftware code e xample s , s e e Inte l Digital Random Numbe r
Ge ne rator (DRNG) Software Imple me ntation Guide .
The rng-tools package als o contains the rngt est utility, which can be us e d to che ck the randomne s s of data. To te s t the le ve l of randomne s s of the output of /dev/random , us e the rngt est tool as follows :
~]$ cat /dev/random | rngtest -c 1000 rngtest 5
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is
NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032 rngtest: FIPS 140-2 successes: 998 rngtest: FIPS 140-2 failures: 2 rngtest: FIPS 140-2(2001-10-10) Monobit: 0 rngtest: FIPS 140-2(2001-10-10) Poker: 0 rngtest: FIPS 140-2(2001-10-10) Runs: 0 rngtest: FIPS 140-2(2001-10-10) Long run: 2 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=1.171; avg=8.453; max=11.374)Mibits/s rngtest: FIPS tests speed: (min=15.545; avg=143.126; max=157.632)Mibits/s rngtest: Program run time: 2390520 microseconds
A high numbe r of failure s s hown in the output of the rngt est tool indicate s that the randomne s s of the te s te d data is ins ufficie nt and s hould not be re lie d upon. Se e the rngte s t(1) manual page for a lis t of options available for the rngt est utility.
Re d Hat Ente rpris e Linux 7 introduce d the virt io RNG (Random Numbe r Ge ne rator) de vice that provide s KVM virtual machine s with acce s s to e ntropy from the hos t machine . With the re comme nde d s e tup, hwrng fe e ds into the e ntropy pool of the hos t Linux ke rne l
(through /dev/random ), and QEMU will us e /dev/random as the s ource for e ntropy re que s te d by gue s ts .
145

Se curit y Guide
Figure 4.3. T he virt io RNG device
Pre vious ly, Re d Hat Ente rpris e Linux 7.0 and Re d Hat Ente rpris e Linux 6 gue s ts could make us e of the e ntropy from hos ts through the rngd us e rs pace dae mon. Se tting up the dae mon was a manual s te p for e ach Re d Hat Ente rpris e Linux ins tallation. With Re d Hat
Ente rpris e Linux 7.1, the manual s te p has be e n e liminate d, making the e ntire proce s s s e amle s s and automatic. The us e of rngd is now not re quire d and the gue s t ke rne l its e lf fe tche s e ntropy from the hos t whe n the available e ntropy falls be low a s pe cific thre s hold.
The gue s t ke rne l is the n in a pos ition to make random numbe rs available to applications as s oon as the y re que s t the m.
The Re d Hat Ente rpris e Linux ins talle r, Anaco nda, now provide s the virt io -rng module in its ins talle r image , making available hos t e ntropy during the Re d Hat Ente rpris e Linux ins tallation.
146

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
TLS ( Transport Layer Security ) is a cryptographic protocol us e d to s e cure ne twork communications . Whe n harde ning s ys te m s e curity s e ttings by configuring pre fe rre d key-
exchange protocols, authentication methods, and encryption algorithms, it is ne ce s s ary to be ar in mind that the broade r the range of s upporte d clie nts , the lowe r the re s ulting s e curity. Conve rs e ly, s trict s e curity s e ttings le ad to a limite d compatibility with clie nts , which can re s ult in s ome us e rs be ing locke d out of the s ys te m. Be s ure to targe t the s tricte s t available configuration and only re lax it whe n it is re quire d for compatibility re as ons .
Note that the de fault s e ttings provide d by librarie s include d in Re d Hat Ente rpris e Linux 7 are s e cure e nough for mos t de ployme nts . The TLS imple me ntations us e s e cure algorithms whe re pos s ible while not pre ve nting conne ctions from or to le gacy clie nts or s e rve rs . Apply the harde ne d s e ttings de s cribe d in this s e ction in e nvironme nts with s trict s e curity re quire me nts whe re le gacy clie nts or s e rve rs that do not s upport s e cure algorithms or protocols are not e xpe cte d or allowe d to conne ct.
The re are s e ve ral compone nts that ne e d to be s e le cte d and configure d. Each of the following dire ctly influe nce s the robus tne s s of the re s ulting configuration (and, cons e que ntly, the le ve l of s upport in clie nts ) or the computational de mands that the s olution has on the s ys te m.
The late s t ve rs ion of TLS provide s the be s t s e curity me chanis m. Unle s s you have a compe lling re as on to include s upport for olde r ve rs ions of TLS (or e ve n SSL ), allow your s ys te ms to ne gotiate conne ctions us ing only the late s t ve rs ion of TLS .
Do not allow ne gotiation us ing SSL ve rs ion 2 or 3. Both of thos e ve rs ions have s e rious s e curity vulne rabilitie s . Only allow ne gotiation us ing TLS ve rs ion 1.0 or highe r. The curre nt ve rs ion of TLS , 1.2, s hould always be pre fe rre d.
Note
Ple as e note that curre ntly, the s e curity of all ve rs ions of TLS de pe nds on the us e of
TLS e xte ns ions , s pe cific ciphe rs (s e e be low), and othe r workarounds . All TLS conne ction pe e rs ne e d to imple me nt s e cure re ne gotiation indication ( RFC 5746 ), mus t not s upport compre s s ion, and mus t imple me nt mitigating me as ure s for timing attacks agains t CBC -mode ciphe rs (the Lucky Thirte e n attack). TLS v1.0
clie nts ne e d to additionally imple me nt re cord s plitting (a workaround agains t the BEAST attack).
TLS v1.2
s upports Authenticated Encryption with Associated Data (AEAD) mode ciphe rs like AES-GCM , AES-CCM , or Camellia-GCM , which have no known is s ue s . All the me ntione d mitigations are imple me nte d in cryptographic librarie s include d in
Re d Hat Ente rpris e Linux.
Se e
Table 4.6, “Protocol Ve rs ions ”
for a quick ove rvie w of protocol ve rs ions and re comme nde d us age .
T able 4.6. Pro t o co l Versio ns
147

Se curit y Guide
Pro t o co l
Versio n
SSL v2
SSL v3
TLS v1.0
TLS v1.1
Usage Reco mmendat io n
Do not us e . Has s e rious s e curity vulne rabilitie s .
Do not us e . Has s e rious s e curity vulne rabilitie s .
Us e for inte rope rability purpos e s whe re ne e de d. Has known is s ue s that cannot be mitigate d in a way that guarante e s inte rope rability, and thus mitigations are not e nable d by de fault. Doe s not s upport mode rn ciphe r s uite s .
Us e for inte rope rability purpos e s whe re ne e de d. Has no known is s ue s but re lie s on protocol fixe s that are include d in all the TLS imple me ntations in Re d Hat Ente rpris e Linux. Doe s not s upport mode rn ciphe r s uite s .
Re comme nde d ve rs ion. Supports the mode rn AEAD ciphe r s uite s .
TLS v1.2
Some compone nts in Re d Hat Ente rpris e Linux are configure d to us e TLS v1.0
e ve n though the y provide s upport for TLS v1.1
or e ve n v1.2
. This is motivate d by an atte mpt to achie ve the highe s t le ve l of inte rope rability with e xte rnal s e rvice s that may not s upport the late s t ve rs ions of TLS . De pe nding on your inte rope rability re quire me nts , e nable the highe s t available ve rs ion of TLS .
Important
SSL v3 is not re comme nde d for us e . Howe ve r, if, de s pite the fact that it is cons ide re d ins e cure and uns uitable for ge ne ral us e , you abs olute ly mus t le ave
SSL v3 e nable d, s e e
Se ction 4.9, “Us ing s tunne l”
for ins tructions on how to us e
st unnel to s e cure ly e ncrypt communications e ve n whe n us ing s e rvice s that do not s upport e ncryption or are only capable of us ing obs ole te and ins e cure mode s of e ncryption.
Mode rn, more s e cure cipher suites s hould be pre fe rre d to old, ins e cure one s . Always dis able the us e of e NULL and aNULL ciphe r s uite s , which do not offe r any e ncryption or authe ntication at all. If at all pos s ible , ciphe rs s uite s bas e d on RC4 or HMAC-MD5 , which have s e rious s hortcomings , s hould als o be dis able d. The s ame applie s to the s o-calle d
export ciphe r s uite s , which have be e n inte ntionally made we ake r, and thus are e as y to bre ak.
While not imme diate ly ins e cure , ciphe r s uite s that offe r le s s than 128 bits of s e curity s hould not be cons ide re d for the ir s hort us e ful life . Algorithms that us e 128 bit of s e curity or more can be e xpe cte d to be unbre akable for at le as t s e ve ral ye ars , and are thus s trongly re comme nde d. Note that while 3DES ciphe rs adve rtis e the us e of 168 bits , the y actually offe r 112 bits of s e curity.
Always give pre fe re nce to ciphe r s uite s that s upport (perfect) forward secrecy (PFS), which e ns ure s the confide ntiality of e ncrypte d data e ve n in cas e the s e rve r ke y is compromis e d. This rule s out the fas t RSA ke y e xchange , but allows for the us e of ECDHE and DHE . Of the two, ECDHE is the fas te r and the re fore the pre fe rre d choice .
You s hould als o give pre fe re nce to AEAD ciphe rs , s uch as AES-GCM , be fore CBC -mode ciphe rs as the y are not vulne rable to padding oracle attacks . Additionally, in many cas e s ,
AES-GCM is fas te r than AES in CBC mode , e s pe cially whe n the hardware has cryptographic acce le rators for AES .
148

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Note als o that whe n us ing the ECDHE ke y e xchange with ECDSA ce rtificate s , the trans action is e ve n fas te r than pure RSA ke y e xchange . To provide s upport for le gacy clie nts , you can ins tall two pairs of ce rtificate s and ke ys on a s e rve r: one with ECDSA ke ys (for ne w clie nts ) and one with RSA ke ys (for le gacy one s ).
Whe n us ing RSA ke ys , always pre fe r ke y le ngths of at le as t 3072 bits s igne d by at le as t
SHA-256, which is s ufficie ntly large for true 128 bits of s e curity.
Warning
Ke e p in mind that the s e curity of your s ys te m is only as s trong as the we ake s t link in the chain. For e xample , a s trong ciphe r alone doe s not guarante e good s e curity.
The ke ys and the ce rtificate s are jus t as important, as we ll as the has h functions and ke ys us e d by the Certification Authority (CA) to s ign your ke ys .
Re d Hat Ente rpris e Linux 7 is dis tribute d with s e ve ral full-fe ature d imple me ntations of TLS .
In this s e ction, the configuration of OpenSSL and GnuT LS is de s cribe d. Se e
Se ction 4.11.3, “Configuring Spe cific Applications ”
for ins tructions on how to configure TLS s upport in individual applications .
The available TLS imple me ntations offe r s upport for various cipher suites that de fine all the e le me nts that come toge the r whe n e s tablis hing and us ing TLS -s e cure d communications .
Us e the tools include d with the diffe re nt imple me ntations to lis t and s pe cify ciphe r s uite s that provide the be s t pos s ible s e curity for your us e cas e while cons ide ring the re comme ndations outline d in
Se ction 4.11.1, “Choos ing Algorithms to Enable ” . The
re s ulting ciphe r s uite s can the n be us e d to configure the way individual applications ne gotiate and s e cure conne ctions .
Important
Be s ure to che ck your s e ttings following e ve ry update or upgrade of the TLS imple me ntation you us e or the applications that utilize that imple me ntation. Ne w ve rs ions may introduce ne w ciphe r s uite s that you do not want to have e nable d and that your curre nt configuration doe s not dis able .
OpenSSL is a toolkit and a cryptography library that s upport the SSL and TLS protocols . On
Re d Hat Ente rpris e Linux 7, a configuration file is provide d at /etc/pki/tls/openssl.cnf
.
The format of this configuration file is de s cribe d in config(1). Se e als o Se ction 4.8.9,
“Configuring Ope nSSL” .
To ge t a lis t of all ciphe r s uite s s upporte d by your ins tallation of OpenSSL, us e the openssl command with the ciphers s ubcommand as follows :
149

Se curit y Guide
~]$ openssl ciphers -v 'ALL:COMPLEMENTOFALL'
Pas s othe r parame te rs (re fe rre d to as cipher strings and keywords in OpenSSL docume ntation) to the ciphers s ubcommand to narrow the output. Spe cial ke ywords can be us e d to only lis t s uite s that s atis fy a ce rtain condition. For e xample , to only lis t s uite s that are de fine d as be longing to the HIGH group, us e the following command:
~]$ openssl ciphers -v 'HIGH'
Se e the ciphe rs (1) manual page for a lis t of available ke ywords and ciphe r s trings .
To obtain a lis t of ciphe r s uite s that s atis fy the re comme ndations outline d in
Se ction 4.11.1, “Choos ing Algorithms to Enable ” , us e a command s imilar to the following:
~]$ openssl ciphers -v 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES'
| column -t
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA
Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)
Mac=SHA384
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)
Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)
Mac=SHA256
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128)
Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA
Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)
Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256)
Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA
Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)
Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128)
Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA
Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256)
Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256)
Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA
Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128)
Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128)
Mac=SHA1
150

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
The above command omits all ins e cure ciphe rs , give s pre fe re nce to ephemeral elliptic curve Diffie-Hellman ke y e xchange and ECDSA ciphe rs , and omits RSA ke y e xchange
(thus e ns uring perfect forward secrecy).
Note that this is a rathe r s trict configuration, and it might be ne ce s s ary to re lax the conditions in re al-world s ce narios to allow for a compatibility with a broade r range of clie nts .
GnuT LS is a communications library that imple me nts the SSL and TLS protocols and re late d te chnologie s .
Note
The GnuT LS ins tallation on Re d Hat Ente rpris e Linux 7 offe rs optimal de fault configuration value s that provide s ufficie nt s e curity for the majority of us e cas e s .
Unle s s you ne e d to s atis fy s pe cial s e curity re quire me nts , it is re comme nde d to us e the s upplie d de faults .
Us e the gnutls-cli command with the -l (or --list ) option to lis t all s upporte d ciphe r s uite s :
~]$ gnutls-cli -l
To narrow the lis t of ciphe r s uite s dis playe d by the -l option, pas s one or more parame te rs (re fe rre d to as priority strings and keywords in GnuT LS docume ntation) to the
--priority option. Se e the GnuT LS docume ntation at http://www.gnutls .org/manual/gnutls .html#Priority-Strings for a lis t of all available priority s trings . For e xample , is s ue the following command to ge t a lis t of ciphe r s uite s that offe r at le as t 128 bits of s e curity:
~]$ gnutls-cli --priority SECURE128 -l
To obtain a lis t of ciphe r s uite s that s atis fy the re comme ndations outline d in
Se ction 4.11.1, “Choos ing Algorithms to Enable ” , us e a command s imilar to the following:
~]$ gnutls-cli --priority SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-
TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC -l
Cipher suites for SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-
DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c
TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24
TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a
SSL3.0
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b
TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 0xc0, 0x23
TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09
SSL3.0
151

Se curit y Guide
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30
TLS1.2
TLS_ECDHE_RSA_AES_256_CBC_SHA1 0xc0, 0x14
SSL3.0
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f
TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA256 0xc0, 0x27
TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA1 0xc0, 0x13
SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b
TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39
SSL3.0
TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e
TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67
TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33
SSL3.0
Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1, CURVE-SECP256R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512,
SIGN-ECDSA-SHA512, SIGN-RSA-SHA256, SIGN-DSA-SHA256, SIGN-ECDSA-SHA256
The above command limits the output to ciphe rs with at le as t 128 bits of s e curity while giving pre fe re nce to the s tronge r one s . It als o forbids RSA ke y e xchange and DSS authe ntication.
Note that this is a rathe r s trict configuration, and it might be ne ce s s ary to re lax the conditions in re al-world s ce narios to allow for a compatibility with a broade r range of clie nts .
Diffe re nt applications provide the ir own configuration me chanis ms for TLS . This s e ction de s cribe s the TLS -re late d configuration file s e mploye d by the mos t commonly us e d s e rve r applications and offe rs e xample s of typical configurations .
Re gardle s s of the configuration you choos e to us e , always make s ure to mandate that your s e rve r application e nforce s server-side cipher order, s o that the ciphe r s uite to be us e d is de te rmine d by the orde r you configure .
The Apache HT T P Server can us e both OpenSSL and NSS librarie s for its TLS ne e ds .
De pe nding on your choice of the TLS library, you ne e d to ins tall e ithe r the mo d_ssl or the
mo d_nss module (provide d by e ponymous package s ). For e xample , to ins tall the package that provide s the OpenSSL mo d_ssl module , is s ue the following command as root:
~]# yum install mod_ssl
152

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
The mod_ssl package ins talls the /etc/httpd/conf.d/ssl.conf
configuration file , which can be us e d to modify the TLS -re late d s e ttings of the Apache HT T P Server. Similarly, the mod_nss package ins talls the /etc/httpd/conf.d/nss.conf
configuration file .
Ins tall the httpd-manual package to obtain comple te docume ntation for the Apache HT T P
Server, including TLS configuration. The dire ctive s available in the
/etc/httpd/conf.d/ssl.conf
configuration file are de s cribe d in de tail in
/usr/share/httpd/manual/mod/mod_ssl.html
. Example s of various s e ttings are in
/usr/share/httpd/manual/ssl/ssl_howto.html
.
Whe n modifying the s e ttings in the /etc/httpd/conf.d/ssl.conf
configuration file , be s ure to cons ide r the following thre e dire ctive s at the minimum:
SSLProtocol
Us e this dire ctive to s pe cify the ve rs ion of TLS (or SSL ) you want to allow.
SSLCipherSuite
Us e this dire ctive to s pe cify your pre fe rre d ciphe r s uite or dis able the one s you want to dis allow.
SSLHonorCipherOrder
Uncomme nt and s e t this dire ctive to on to e ns ure that the conne cting clie nts adhe re to the orde r of ciphe rs you s pe cifie d.
For e xample :
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
Note that the above configuration is the bare minimum, and it can be harde ne d
s ignificantly by following the re comme ndations outline d in Se ction 4.11.1, “Choos ing
Algorithms to Enable ” .
To configure and us e the mo d_nss module , modify the /etc/httpd/conf.d/nss.conf
configuration file . The mo d_nss module is de rive d from mo d_ssl, and as s uch it s hare s many fe ature s with it, not le as t the s tructure of the configuration file , and the dire ctive s that are available . Note that the mo d_nss dire ctive s have a pre fix of NSS ins te ad of SSL .
Se e https ://git.fe dorahos te d.org/cgit/mod_ns s .git/plain/docs /mod_ns s .html
for an ove rvie w of information about mo d_nss, including a lis t of mo d_ssl configuration dire ctive s that are not applicable to mo d_nss.
To configure your ins tallation of the Do veco t mail s e rve r to us e TLS , modify the
/etc/dovecot/conf.d/10-ssl.conf
configuration file . You can find an e xplanation of s ome of the bas ic configuration dire ctive s available in that file in
/usr/share/doc/dovecot-2.2.10/wiki/SSL.DovecotConfiguration.txt
(this he lp file is ins talle d along with the s tandard ins tallation of Do veco t ).
Whe n modifying the s e ttings in the /etc/dovecot/conf.d/10-ssl.conf
configuration file , be s ure to cons ide r the following thre e dire ctive s at the minimum: ssl_protocols
153

Se curit y Guide
Us e this dire ctive to s pe cify the ve rs ion of TLS (or SSL ) you want to allow.
ssl_cipher_list
Us e this dire ctive to s pe cify your pre fe rre d ciphe r s uite s or dis able the one s you want to dis allow.
ssl_prefer_server_ciphers
Uncomme nt and s e t this dire ctive to yes to e ns ure that the conne cting clie nts adhe re to the orde r of ciphe rs you s pe cifie d.
For e xample : ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers = yes
Note that the above configuration is the bare minimum, and it can be harde ne d
s ignificantly by following the re comme ndations outline d in Se ction 4.11.1, “Choos ing
Algorithms to Enable ” .
For more information about T LS configuration and re late d topics , s e e the re s ource s lis te d be low.
config(1) — De s cribe s the format of the /etc/ssl/openssl.conf
configuration file .
ciphe rs (1) — Include s a lis t of available OpenSSL ke ywords and ciphe r s trings .
/usr/share/httpd/manual/mod/mod_ssl.html
— Contains de taile d de s criptions of the dire ctive s available in the /etc/httpd/conf.d/ssl.conf
configuration file us e d by the
mo d_ssl module for the Apache HT T P Server.
/usr/share/httpd/manual/ssl/ssl_howto.html
— Contains practical e xample s of re al-world s e ttings in the /etc/httpd/conf.d/ssl.conf
configuration file us e d by the
mo d_ssl module for the Apache HT T P Server.
/usr/share/doc/dovecot-2.2.10/wiki/SSL.DovecotConfiguration.txt
— Explains s ome of the bas ic configuration dire ctive s available in the /etc/dovecot/conf.d/10ssl.conf
configuration file us e d by the Do veco t mail s e rve r.
Re d Hat Ente rpris e Linux 7 SELinux Us e r's and Adminis trator's Guide — The SELinux
User's and Administrator's Guide for Re d Hat Ente rpris e Linux 7 de s cribe s the bas ic principle s of SELinux and docume nts in de tail how to configure and us e SELinux with various s e rvice s , s uch as the Apache HT T P Server.
http://tools .ie tf.org/html/draft-ie tf-uta-tls -bcp-00 — Re comme ndations for s e cure us e of
TLS and DTLS .
154

⁠Chapt e r 4. Harde ning Yo ur Syst e m wit h T o o ls and Se rvice s
Se ction A.2.4, “SSL/TLS”
provide s a concis e de s cription of the SSL and TLS protocols .
Se ction 4.8, “Us ing Ope nSSL”
de s cribe s , among othe r things , how to us e OpenSSL to cre ate and manage ke ys , ge ne rate ce rtificate s , and e ncrypt and de crypt file s .
155

Se curit y Guide
The Linux Audit s ys te m provide s a way to track s e curity-re le vant information on your s ys te m. Bas e d on pre -configure d rule s , Audit ge ne rate s log e ntrie s to re cord as much information about the e ve nts that are happe ning on your s ys te m as pos s ible . This information is crucial for mis s ion-critical e nvironme nts to de te rmine the violator of the s e curity policy and the actions the y pe rforme d. Audit doe s not provide additional s e curity to your s ys te m; rathe r, it can be us e d to dis cove r violations of s e curity policie s us e d on your s ys te m. The s e violations can furthe r be pre ve nte d by additional s e curity me as ure s s uch as SELinux.
The following lis t s ummarize s s ome of the information that Audit is capable of re cording in its log file s :
Date and time , type , and outcome of an e ve nt.
Se ns itivity labe ls of s ubje cts and obje cts .
As s ociation of an e ve nt with the ide ntity of the us e r who trigge re d the e ve nt.
All modifications to Audit configuration and atte mpts to acce s s Audit log file s .
All us e s of authe ntication me chanis ms , s uch as SSH, Ke rbe ros , and othe rs .
Change s to any trus te d databas e , s uch as /etc/passwd .
Atte mpts to import or e xport information into or from the s ys te m.
Include or e xclude e ve nts bas e d on us e r ide ntity, s ubje ct and obje ct labe ls , and othe r attribute s .
The us e of the Audit s ys te m is als o a re quire me nt for a numbe r of s e curity-re late d ce rtifications . Audit is de s igne d to me e t or e xce e d the re quire me nts of the following ce rtifications or compliance guide s :
Controlle d Acce s s Prote ction Profile (CAPP)
Labe le d Se curity Prote ction Profile (LSPP)
Rule Se t Bas e Acce s s Control (RSBAC)
National Indus trial Se curity Program Ope rating Manual (NISPOM)
Fe de ral Information Se curity Manage me nt Act (FISMA)
Payme nt Card Indus try — Data Se curity Standard (PCI-DSS)
Se curity Te chnical Imple me ntation Guide s (STIG)
Audit has als o be e n:
Evaluate d by National Information As s urance Partne rs hip (NIAP) and Be s t Se curity
Indus trie s (BSI).
Ce rtifie d to LSPP/CAPP/RSBAC/EAL4+ on Re d Hat Ente rpris e Linux 5.
Ce rtifie d to Ope rating Sys te m Prote ction Profile / Evaluation As s urance Le ve l 4+
(OSPP/EAL4+) on Re d Hat Ente rpris e Linux 6.
156

⁠Chapt e r 5. Syst e m Audit ing
Wat ching f ile access
Audit can track whe the r a file or a dire ctory has be e n acce s s e d, modifie d, e xe cute d, or the file 's attribute s have be e n change d. This is us e ful, for e xample , to de te ct acce s s to important file s and have an Audit trail available in cas e one of the s e file s is corrupte d.
Mo nit o ring syst em calls
Audit can be configure d to ge ne rate a log e ntry e ve ry time a particular s ys te m call is us e d. This can be us e d, for e xample , to track change s to the s ys te m time by monitoring the settimeofday , clock_adjtime , and othe r time -re late d s ys te m calls .
Reco rding co mmands run by a user
Be caus e Audit can track whe the r a file has be e n e xe cute d, a numbe r of rule s can be de fine d to re cord e ve ry e xe cution of a particular command. For e xample , a rule can be de fine d for e ve ry e xe cutable in the /bin dire ctory. The re s ulting log e ntrie s can the n be s e arche d by us e r ID to ge ne rate an audit trail of e xe cute d commands pe r us e r.
Reco rding securit y event s
The pam_faillock authe ntication module is capable of re cording faile d login atte mpts . Audit can be s e t up to re cord faile d login atte mpts as we ll, and provide s additional information about the us e r who atte mpte d to log in.
Searching f o r event s
Audit provide s the ausearch utility, which can be us e d to filte r the log e ntrie s and provide a comple te audit trail bas e d on a numbe r of conditions .
Running summary repo rt s
The aurepo rt utility can be us e d to ge ne rate , among othe r things , daily re ports of re corde d e ve nts . A s ys te m adminis trator can the n analyze the s e re ports and inve s tigate s us picious activity furthe rmore .
Mo nit o ring net wo rk access
The ipt ables and ebt ables utilitie s can be configure d to trigge r Audit e ve nts , allowing s ys te m adminis trators to monitor ne twork acce s s .
Note
Sys te m pe rformance may be affe cte d de pe nding on the amount of information that is colle cte d by Audit.
The Audit s ys te m cons is ts of two main parts : the us e r-s pace applications and utilitie s , and the ke rne l-s ide s ys te m call proce s s ing. The ke rne l compone nt re ce ive s s ys te m calls from us e r-s pace applications and filte rs the m through one of the thre e filte rs : user, task, or exit.
157

Se curit y Guide
Once a s ys te m call pas s e s through one of the s e filte rs , it is s e nt through the exclude filte r, which, bas e d on the Audit rule configuration, s e nds it to the Audit dae mon for furthe r proce s s ing.
Figure 5.1, “Audit s ys te m archite cture ”
illus trate s this proce s s .
Figure 5.1. Audit syst em archit ect ure
The us e r-s pace Audit dae mon colle cts the information from the ke rne l and cre ate s log file e ntrie s in a log file . Othe r Audit us e r-s pace utilitie s inte ract with the Audit dae mon, the ke rne l Audit compone nt, or the Audit log file s :
audisp — the Audit dis patche r dae mon inte racts with the Audit dae mon and s e nds e ve nts to othe r applications for furthe r proce s s ing. The purpos e of this dae mon is to provide a plug-in me chanis m s o that re al-time analytical programs can inte ract with
Audit e ve nts .
audit ct l — the Audit control utility inte racts with the ke rne l Audit compone nt to control a numbe r of s e ttings and parame te rs of the e ve nt ge ne ration proce s s .
The re maining Audit utilitie s take the conte nts of the Audit log file s as input and ge ne rate output bas e d on us e r's re quire me nts . For e xample , the aurepo rt utility ge ne rate s a re port of all re corde d e ve nts .
In orde r to us e the Audit s ys te m, you mus t have the audit package s ins talle d on your s ys te m. The audit package s (audit and audit-libs) are ins talle d by de fault on Re d Hat
Ente rpris e Linux 7. If you do not have the s e package s ins talle d, e xe cute the following command as the root us e r to ins tall the m:
~]# yum install audit
audit
158

⁠Chapt e r 5. Syst e m Audit ing
audit
The Audit dae mon can be configure d in the /etc/audit/auditd.conf
configuration file .
This file cons is ts of configuration parame te rs that modify the be havior of the Audit dae mon. Any e mpty line s or any te xt following a has h s ign ( # ) is ignore d. A comple te lis ting of all configuration parame te rs and the ir e xplanation can be found in the audit.conf(5) man page .
auditd
The de fault auditd configuration s hould be s uitable for mos t e nvironme nts . Howe ve r, if your e nvironme nt has to me e t the crite ria s e t by the Controlled Access Protection Profile
(CAPP), which is a part of the Common Crite ria ce rtification, the Audit dae mon mus t be configure d with the following s e ttings :
The dire ctory that holds the Audit log file s (us ually /var/log/audit/ ) s hould re s ide on a s e parate partition. This pre ve nts othe r proce s s e s from cons uming s pace in this dire ctory, and provide s accurate de te ction of the re maining s pace for the Audit dae mon.
The max_log_file parame te r, which s pe cifie s the maximum s ize of a s ingle Audit log file , mus t be s e t to make full us e of the available s pace on the partition that holds the
Audit log file s .
The max_log_file_action parame te r, which de cide s what action is take n once the limit s e t in max_log_file is re ache d, s hould be s e t to keep_logs to pre ve nt Audit log file s from be ing ove rwritte n.
The space_left parame te r, which s pe cifie s the amount of fre e s pace le ft on the dis k for which an action that is s e t in the space_left_action parame te r is trigge re d, mus t be s e t to a numbe r that give s the adminis trator e nough time to re s pond and fre e up dis k s pace . The space_left value de pe nds on the rate at which the Audit log file s are ge ne rate d.
It is re comme nde d to s e t the space_left_action parame te r to email or exec with an appropriate notification me thod.
The admin_space_left parame te r, which s pe cifie s the abs olute minimum amount of fre e s pace for which an action that is s e t in the admin_space_left_action parame te r is trigge re d, mus t be s e t to a value that le ave s e nough s pace to log actions pe rforme d by the adminis trator.
The admin_space_left_action parame te r mus t be s e t to single to put the s ys te m into s ingle -us e r mode and allow the adminis trator to fre e up s ome dis k s pace .
The disk_full_action parame te r, which s pe cifie s an action that is trigge re d whe n no fre e s pace is available on the partition that holds the Audit log file s , mus t be s e t to halt or single . This e ns ure s that the s ys te m is e ithe r s hut down or ope rating in s ingle -us e r mode whe n Audit can no longe r log e ve nts .
The disk_error_action , which s pe cifie s an action that is trigge re d in cas e an e rror is de te cte d on the partition that holds the Audit log file s , mus t be s e t to syslog , single , or halt , de pe nding on your local s e curity policie s re garding the handling of hardware malfunctions .
The flush configuration parame te r mus t be s e t to sync or data . The s e parame te rs as s ure that all Audit e ve nt data is fully s ynchronize d with the log file s on the dis k.
The re maining configuration options s hould be s e t according to your local s e curity policy.
159

Se curit y Guide
audit
Once auditd is prope rly configure d, s tart the s e rvice to colle ct Audit information and s tore it in the log file s . Exe cute the following command as the root us e r to s tart auditd :
~]# service auditd start
Note
The service command is the only way to corre ctly inte ract with the auditd dae mon.
You ne e d to us e the service command s o that the auid value is prope rly re corde d.
You can us e the systemctl command only for two actions : enable and status .
Optionally, you can configure auditd to s tart at boot time us ing the following command as the root us e r:
~]# systemctl enable auditd
A numbe r of othe r actions can be pe rforme d on auditd us ing the service auditd action command, whe re action can be one of the following: stop — s tops auditd .
restart — re s tarts auditd .
reload or force-reload — re loads the configuration of audit d from the
/etc/audit/auditd.conf
file .
rotate — rotate s the log file s in the /var/log/audit/ dire ctory.
resume — re s ume s logging of Audit e ve nts afte r it has be e n pre vious ly s us pe nde d, for e xample , whe n the re is not e nough fre e s pace on the dis k partition that holds the Audit log file s .
condrestart or try-restart — re s tarts audit d only if it is alre ady running.
status — dis plays the running s tatus of audit d.
The Audit s ys te m ope rate s on a s e t of rule s that de fine what is to be capture d in the log file s . The re are thre e type s of Audit rule s that can be s pe cifie d:
Control rule s — allow the Audit s ys te m's be havior and s ome of its configuration to be modifie d.
File s ys te m rule s — als o known as file watche s , allow the auditing of acce s s to a particular file or a dire ctory.
Sys te m call rule s — allow logging of s ys te m calls that any s pe cifie d program make s .
Audit rule s can be s pe cifie d on the command line with the audit ct l utility (note that the s e rule s are not pe rs is te nt acros s re boots ), or writte n in the /etc/audit/audit.rules
file .
The following two s e ctions s ummarize both approache s to de fining Audit rule s .
160

⁠Chapt e r 5. Syst e m Audit ing
Note
All commands which inte ract with the Audit s e rvice and the Audit log file s re quire root privile ge s . Ens ure you e xe cute the s e commands as the root us e r.
The auditctl command allows you to control the bas ic functionality of the Audit s ys te m and to de fine rule s that de cide which Audit e ve nts are logge d.
The following are s ome of the control rule s that allow you to modify the be havior of the
Audit s ys te m:
-b s e ts the maximum amount of e xis ting Audit buffe rs in the ke rne l, for e xample :
~]# auditctl -b 8192
-f s e ts the action that is pe rforme d whe n a critical e rror is de te cte d, for e xample :
~]# auditctl -f 2
The above configuration trigge rs a ke rne l panic in cas e of a critical e rror.
-e e nable s and dis able s the Audit s ys te m or locks its configuration, for e xample :
~]# auditctl -e 2
The above command locks the Audit configuration.
-r s e ts the rate of ge ne rate d me s s age s pe r s e cond, for e xample :
~]# auditctl -r 0
The above configuration s e ts no rate limit on ge ne rate d me s s age s .
-s re ports the s tatus of the Audit s ys te m, for e xample :
~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=0 rate_limit=0 backlog_limit=8192 lost=259 backlog=0
161

Se curit y Guide
-l lis ts all curre ntly loade d Audit rule s , for e xample :
~]# auditctl -l
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=timechange
LIST_RULES: exit,always watch=/etc/group perm=wa key=identity
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=identity
LIST_RULES: exit,always watch=/etc/gshadow perm=wa key=identity
⋮
-D de le te s all curre ntly loade d Audit rule s , for e xample :
~]# auditctl -D
No rules
To de fine a file s ys te m rule , us e the following s yntax: auditctl -w path_to_file -p permissions -k key_name whe re :
path_to_file is the file or dire ctory that is audite d.
permissions are the pe rmis s ions that are logge d: r — re ad acce s s to a file or a dire ctory.
w — write acce s s to a file or a dire ctory.
x — e xe cute acce s s to a file or a dire ctory.
a — change in the file 's or dire ctory's attribute .
key_name is an optional s tring that he lps you ide ntify which rule or a s e t of rule s ge ne rate d a particular log e ntry.
Example 5.1. File Syst em Rules
To de fine a rule that logs all write acce s s to, and e ve ry attribute change of, the
/etc/passwd file , e xe cute the following command:
~]# auditctl -w /etc/passwd -p wa -k passwd_changes
Note that the s tring following the -k option is arbitrary.
To de fine a rule that logs all write acce s s to, and e ve ry attribute change of, all the file s in the /etc/selinux/ dire ctory, e xe cute the following command:
~]# auditctl -w /etc/selinux/ -p wa -k selinux_changes
162

⁠Chapt e r 5. Syst e m Audit ing
To de fine a rule that logs the e xe cution of the /sbin/insmod command, which ins e rts a module into the Linux ke rne l, e xe cute the following command:
~]# auditctl -w /sbin/insmod -p x -k module_insertion
To de fine a s ys te m call rule , us e the following s yntax: auditctl -a action,filter -S system_call -F field=value -k key_name whe re :
action and filter s pe cify whe n a ce rtain e ve nt is logge d. action can be e ithe r always or never . filter s pe cifie s which ke rne l rule -matching filte r is applie d to the e ve nt. The rule matching filte r can be one of the following: task , exit , user , and exclude . For more
information about the s e filte rs , re fe r to the be ginning of Se ction 5.1, “Audit Sys te m
Archite cture ” .
system_call s pe cifie s the s ys te m call by its name . A lis t of all s ys te m calls can be found in the /usr/include/asm/unistd_64.h
file . Se ve ral s ys te m calls can be groupe d into one rule , e ach s pe cifie d afte r the -S option.
field=value s pe cifie s additional options that furthe rmore modify the rule to match e ve nts bas e d on a s pe cifie d archite cture , group ID, proce s s ID, and othe rs . For a full lis ting of all available fie ld type s and the ir value s , re fe r to the auditctl(8) man page .
key_name is an optional s tring that he lps you ide ntify which rule or a s e t of rule s ge ne rate d a particular log e ntry.
Example 5.2. Syst em Call Rules
To de fine a rule that cre ate s a log e ntry e ve ry time the adjtimex or settimeofday s ys te m calls are us e d by a program, and the s ys te m us e s the 64-bit archite cture , e xe cute the following command:
~]# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
To de fine a rule that cre ate s a log e ntry e ve ry time a file is de le te d or re name d by a s ys te m us e r whos e ID is 500 or large r (the -F auid!=4294967295 option is us e d to e xclude us e rs whos e login UID is not s e t), e xe cute the following command:
~]# auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
It is als o pos s ible to de fine a file s ys te m rule us ing the s ys te m call rule s yntax. The following command cre ate s a rule for s ys te m calls that is analogous to the -w
/etc/shadow -p wa file s ys te m rule :
~]# auditctl -a always,exit -F path=/etc/shadow -F perm=wa
163

Se curit y Guide
/etc/audit/audit.rules
To de fine Audit rule s that are pe rs is te nt acros s re boots , you mus t include the m in the
/etc/audit/audit.rules
file . This file us e s the s ame auditctl command line s yntax to s pe cify the rule s . Any e mpty line s or any te xt following a has h s ign ( # ) is ignore d.
The auditctl command can als o be us e d to re ad rule s from a s pe cifie d file with the -R option, for e xample :
~]# auditctl -R /usr/share/doc/audit-version/stig.rules
A file can contain only the following control rule s that modify the be havior of the Audit s ys te m: -b , -D , -e , -f , and -r . For more information on the s e options , re fe r to
Se ction 5.5.1, “De fining Control Rule s ” .
Example 5.3. Co nt ro l rules in audit.rules
# Delete all previous rules
-D
# Set buffer size
-b 8192
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
# Panic when a failure occurs
-f 2
# Generate at most 100 audit messages per second
-r 100
File s ys te m and s ys te m call rule s are de fine d us ing the auditctl s yntax. The e xample s in
Se ction 5.5.1, “De fining Audit Rule s with the audit ct l Utility”
can be re pre s e nte d with the following rule s file :
Example 5.4. File syst em and syst em call rules in audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux/ -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
164

⁠Chapt e r 5. Syst e m Audit ing
In the /usr/share/doc/audit-version/ dire ctory, the audit package provide s a s e t of pre -configure d rule s file s according to various ce rtification s tandards : nispom.rules
— Audit rule configuration that me e ts the re quire me nts s pe cifie d in
Chapte r 8 of the National Indus trial Se curity Program Ope rating Manual.
capp.rules
— Audit rule configuration that me e ts the re quire me nts s e t by
Controlle d Acce s s Prote ction Profile (CAPP), which is a part of the Common Crite ria ce rtification.
lspp.rules
— Audit rule configuration that me e ts the re quire me nts s e t by
Labe le d Se curity Prote ction Profile (LSPP), which is a part of the Common Crite ria ce rtification.
stig.rules
— Audit rule configuration that me e ts the re quire me nts s e t by
Se curity Te chnical Imple me ntation Guide s (STIG).
To us e the s e configuration file s , cre ate a backup of your original
/etc/audit/audit.rules
file and copy the configuration file of your choice ove r the
/etc/audit/audit.rules
file :
~]# cp /etc/audit/audit.rules /etc/audit/audit.rules_backup
~]# cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
By de fault, the Audit s ys te m s tore s log e ntrie s in the /var/log/audit/audit.log
file ; if log rotation is e nable d, rotate d audit.log
file s are s tore d in the s ame dire ctory.
The following Audit rule logs e ve ry atte mpt to re ad or modify the /etc/ssh/sshd_config file :
-w /etc/ssh/sshd_config -p warx -k sshd_config
If the auditd dae mon is running, running the following command cre ate s a ne w e ve nt in the Audit log file :
~]# cat /etc/ssh/sshd_config
This e ve nt in the audit.log
file looks as follows : type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config" type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman" type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
165

Se curit y Guide
The above e ve nt cons is ts of thre e re cords (e ach s tarting with the type= ke yword), which s hare the s ame time s tamp and s e rial numbe r. Each re cord cons is ts of s e ve ral
name=value pairs s e parate d by a white s pace or a comma. A de taile d analys is of the above e ve nt follows :
type=SYSCALL
The type fie ld contains the type of the re cord. In this e xample , the SYSCALL value s pe cifie s that this re cord was trigge re d by a s ys te m call to the ke rne l.
For a lis t of all pos s ible type value s and the ir e xplanations , re fe r to Se ction B.2,
“Audit Re cord Type s ” .
msg=audit(1364481363.243:24287):
The msg fie ld re cords : a time s tamp and a unique ID of the re cord in the form audit(time_stamp:ID) . Multiple re cords can s hare the s ame time s tamp and
ID if the y we re ge ne rate d as part of the s ame Audit e ve nt.
various e ve nt-s pe cific name=value pairs provide d by the ke rne l or us e r s pace applications .
arch=c000003e
The arch fie ld contains information about the CPU archite cture of the s ys te m. The value , c000003e , is e ncode d in he xade cimal notation. Whe n s e arching Audit re cords with the ausearch command, us e the -i or --interpret option to automatically conve rt he xade cimal value s into the ir human-re adable e quivale nts .
The c000003e value is inte rpre te d as x86_64 .
syscall=2
The syscall fie ld re cords the type of the s ys te m call that was s e nt to the ke rne l.
The value , 2 , can be matche d with its human-re adable e quivale nt in the
/usr/include/asm/unistd_64.h
file . In this cas e , 2 is the open s ys te m call. Note that the ausyscall utility allows you to conve rt s ys te m call numbe rs to the ir human-re adable e quivale nts . Us e the ausyscall --dump command to dis play a lis ting of all s ys te m calls along with the ir numbe rs . For more information, re fe r to the aus ys call(8) man page .
success=no
The success fie ld re cords whe the r the s ys te m call re corde d in that particular e ve nt s ucce e de d or faile d. In this cas e , the call did not s ucce e d.
exit=-13
The exit fie ld contains a value that s pe cifie s the e xit code re turne d by the s ys te m call. This value varie s for diffe re nt s ys te m call. You can inte rpre t the value to its human-re adable e quivale nt with the following command: ausearch -interpret --exit -13 (as s uming your Audit log contains an e ve nt that faile d with e xit code -13 ).
a0=7fffd19c5592 , a1=0 , a2=7fffd19c5592 , a3=a
166

⁠Chapt e r 5. Syst e m Audit ing
The a0 to a3 fie lds re cord the firs t four argume nts , e ncode d in he xade cimal notation, of the s ys te m call in this e ve nt. The s e argume nts de pe nd on the s ys te m call that is us e d; the y can be inte rpre te d by the ausearch utility.
items=1
The items fie ld contains the numbe r of path re cords in the e ve nt.
ppid=2686
The ppid fie ld re cords the Pare nt Proce s s ID (PPID). In this cas e , 2686 was the
PPID of the bash proce s s .
pid=3538
The pid fie ld re cords the Proce s s ID (PID). In this cas e , 3538 was the PID of the cat proce s s .
auid=500
The auid fie ld re cords the Audit us e r ID, that is the loginuid. This ID is as s igne d to a us e r upon login and is inhe rite d by e ve ry proce s s e ve n whe n the us e r's ide ntity change s (for e xample , by s witching us e r accounts with the su - john command).
uid=500
The uid fie ld re cords the us e r ID of the us e r who s tarte d the analyze d proce s s .
The us e r ID can be inte rpre te d into us e r name s with the following command: ausearch -i --uid UID . In this cas e , 500 is the us e r ID of us e r shadowman .
gid=500
The gid fie ld re cords the group ID of the us e r who s tarte d the analyze d proce s s .
euid=500
The euid fie ld re cords the e ffe ctive us e r ID of the us e r who s tarte d the analyze d proce s s .
suid=500
The suid fie ld re cords the s e t us e r ID of the us e r who s tarte d the analyze d proce s s .
fsuid=500
The fsuid fie ld re cords the file s ys te m us e r ID of the us e r who s tarte d the analyze d proce s s .
egid=500
The egid fie ld re cords the e ffe ctive group ID of the us e r who s tarte d the analyze d proce s s .
sgid=500
The sgid fie ld re cords the s e t group ID of the us e r who s tarte d the analyze d proce s s .
fsgid=500
167

Se curit y Guide
The fsgid fie ld re cords the file s ys te m group ID of the us e r who s tarte d the analyze d proce s s .
tty=pts0
The tty fie ld re cords the te rminal from which the analyze d proce s s was invoke d.
ses=1
The ses fie ld re cords the s e s s ion ID of the s e s s ion from which the analyze d proce s s was invoke d.
comm="cat"
The comm fie ld re cords the command-line name of the command that was us e d to invoke the analyze d proce s s . In this cas e , the cat command was us e d to trigge r this Audit e ve nt.
exe="/bin/cat"
The exe fie ld re cords the path to the e xe cutable that was us e d to invoke the analyze d proce s s .
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The subj fie ld re cords the SELinux conte xt with which the analyze d proce s s was labe le d at the time of e xe cution.
key="sshd_config"
The key fie ld re cords the adminis trator-de fine d s tring as s ociate d with the rule that ge ne rate d this e ve nt in the Audit log.
type=CWD
In the s e cond re cord, the type fie ld value is CWD — curre nt working dire ctory. This type is us e d to re cord the working dire ctory from which the proce s s that invoke d the s ys te m call s pe cifie d in the firs t re cord was e xe cute d.
The purpos e of this re cord is to re cord the curre nt proce s s 's location in cas e a re lative path winds up be ing capture d in the as s ociate d PATH re cord. This way the abs olute path can be re cons tructe d.
msg=audit(1364481363.243:24287)
The msg fie ld holds the s ame time s tamp and ID value as the value in the firs t re cord.
cwd="/home/shadowman"
The cwd fie ld contains the path to the dire ctory in which the s ys te m call was invoke d.
type=PATH
168

⁠Chapt e r 5. Syst e m Audit ing
In the third re cord, the type fie ld value is PATH . An Audit e ve nt contains a PATH type re cord for e ve ry path that is pas s e d to the s ys te m call as an argume nt. In this Audit e ve nt, only one path ( /etc/ssh/sshd_config ) was us e d as an argume nt.
msg=audit(1364481363.243:24287):
The msg fie ld holds the s ame time s tamp and ID value as the value in the firs t and s e cond re cord.
item=0
The item fie ld indicate s which ite m, of the total numbe r of ite ms re fe re nce d in the SYSCALL type re cord, the curre nt re cord is . This numbe r is ze ro-bas e d; a value of 0 me ans it is the firs t ite m.
name="/etc/ssh/sshd_config"
The name fie ld re cords the full path of the file or dire ctory that was pas s e d to the s ys te m call as an argume nt. In this cas e , it was the /etc/ssh/sshd_config file .
inode=409248
The inode fie ld contains the inode numbe r as s ociate d with the file or dire ctory re corde d in this e ve nt. The following command dis plays the file or dire ctory that is as s ociate d with the 409248 inode numbe r:
~]# find / -inum 409248 -print
/etc/ssh/sshd_config dev=fd:00
The dev fie ld s pe cifie s the minor and major ID of the de vice that contains the file or dire ctory re corde d in this e ve nt. In this cas e , the value re pre s e nts the
/dev/fd/0 de vice .
mode=0100600
The mode fie ld re cords the file or dire ctory pe rmis s ions , e ncode d in nume rical notation. In this cas e , 0100600 can be inte rpre te d as -rw------, me aning that only the root us e r has re ad and write pe rmis s ions to the /etc/ssh/sshd_config file .
ouid=0
The ouid fie ld re cords the obje ct owne r's us e r ID.
ogid=0
The ogid fie ld re cords the obje ct owne r's group ID.
rdev=00:00
The rdev fie ld contains a re corde d de vice ide ntifie r for s pe cial file s only. In this cas e , it is not us e d as the re corde d file is a re gular file .
obj=system_u:object_r:etc_t:s0
The obj fie ld re cords the SELinux conte xt with which the re corde d file or dire ctory
169

Se curit y Guide
The obj fie ld re cords the SELinux conte xt with which the re corde d file or dire ctory was labe le d at the time of e xe cution.
The Audit e ve nt analyze d above contains only a s ubs e t of all pos s ible fie lds that an e ve nt
can contain. For a lis t of all e ve nt fie lds and the ir e xplanation, re fe r to Se ction B.1, “Audit
Eve nt Fie lds ” . For a lis t of all e ve nt type s and the ir e xplanation, re fe r to
Se ction B.2, “Audit
Re cord Type s ” .
Example 5.5. Addit io nal audit.log
event s
The following Audit e ve nt re cords a s ucce s s ful s tart of the auditd dae mon. The ver fie ld s hows the ve rs ion of the Audit dae mon that was s tarte d.
type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success
The following Audit e ve nt re cords a faile d atte mpt of us e r with UID of 500 to log in as the root us e r.
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
The ausearch utility allows you to s e arch Audit log file s for s pe cific e ve nts . By de fault,
ausearch s e arche s the /var/log/audit/audit.log
file . You can s pe cify a diffe re nt file us ing the ausearch options -if file_name command. Supplying multiple options in one ausearch command is e quivale nt to us ing the AND ope rator.
Example 5.6. Using ausearch t o search Audit lo g f iles
To s e arch the /var/log/audit/audit.log
file for faile d login atte mpts , us e the following command:
~]# ausearch --message USER_LOGIN --success no --interpret
To s e arch for all account, group, and role change s , us e the following command:
~]# ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m
DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i
To s e arch for all logge d actions pe rforme d by a ce rtain us e r, us ing the us e r's login ID
( auid ), us e the following command:
~]# ausearch -ua 500 -i
To s e arch for all faile d s ys te m calls from ye s te rday up until now, us e the following command:
170

⁠Chapt e r 5. Syst e m Audit ing
~]# ausearch --start yesterday --end now -m SYSCALL -sv no -i
For a full lis ting of all ausearch options , re fe r to the aus e arch(8) man page .
The aurepo rt utility allows you to ge ne rate s ummary and columnar re ports on the e ve nts re corde d in Audit log file s . By de fault, all audit.log
file s in the /var/log/audit/ dire ctory are que rie d to cre ate the re port. You can s pe cify a diffe re nt file to run the re port agains t us ing the aureport options -if file_name command.
Example 5.7. Using aureport t o generat e Audit repo rt s
To ge ne rate a re port for logge d e ve nts in the pas t thre e days e xcluding the curre nt e xample day, us e the following command:
~]# aureport --start 04/08/2013 00:00:00 --end 04/11/2013 00:00:00
To ge ne rate a re port of all e xe cutable file e ve nts , us e the following command:
~]# aureport -x
To ge ne rate a s ummary of the e xe cutable file e ve nt re port above , us e the following command:
~]# aureport -x --summary
To ge ne rate a s ummary re port of faile d e ve nts for all us e rs , us e the following command:
~]# aureport -u --failed --summary -i
To ge ne rate a s ummary re port of all faile d login atte mpts pe r e ach s ys te m us e r, us e the following command:
~]# aureport --login --summary -i
To ge ne rate a re port from an ausearch que ry that s e arche s all file acce s s e ve nts for us e r 500 , us e the following command:
~]# ausearch --start today --loginuid 500 --raw | aureport -f -- summary
To ge ne rate a re port of all Audit file s that are que rie d and the time range of e ve nts the y include , us e the following command:
~]# aureport -t
For a full lis ting of all aureport options , re fe r to the aure port(8) man page .
171

Se curit y Guide
For more information about the Audit s ys te m, re fe r to the following s ource s .
The Linux Audit Docume ntation Proje ct page : https ://github.com/linux-audit/auditdocume ntation/wiki .
Article Investigating kernel Return Codes with the Linux Audit System in the Hack In the
Box magazine : http://magazine .hackinthe box.org/is s ue s /HITB-Ezine -Is s ue -005.pdf
.
Docume ntation provide d by the audit package can be found in the
/usr/share/doc/audit-version/ dire ctory.
audis pd.conf(5) auditd.conf(5) aus e arch-e xpre s s ion(5) audit.rule s (7) audis pd(8) auditctl(8) auditd(8) aulas t(8) aulas tlog(8) aure port(8) aus e arch(8) aus ys call(8) autrace (8) auvirt(8)
172

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
A compliance audit is a proce s s of figuring out whe the r a give n obje ct follows all the rule s writte n out in a compliance policy. The compliance policy is de fine d by s e curity profe s s ionals who s pe cify de s ire d s e ttings , ofte n in the form of a che cklis t, that are to be us e d in the computing e nvironme nt.
The compliance policy can vary s ubs tantially acros s organizations and e ve n acros s diffe re nt s ys te ms within the s ame organization. Diffe re nce s among the s e policie s are bas e d on the purpos e of the s e s ys te ms and its importance for the organization. The cus tom s oftware s e ttings and de ployme nt characte ris tics als o rais e a ne e d for cus tom policy che cklis ts .
Re d Hat Ente rpris e Linux provide s tools that allow for fully automate d compliance audit.
The s e tools are bas e d on the Se curity Conte nt Automation Protocol (SCAP) s tandard and are de s igne d for automate d tailoring of compliance policie s .
Securit y Co mpliance T o o ls Suppo rt ed o n Red Hat Ent erprise Linux 7
SCAP Wo rkbench — The scap-workbench graphical utility is de s igne d to pe rform configuration and vulne rability s cans on a s ingle local or re mote s ys te m. It can be als o us e d to ge ne rate s e curity re ports bas e d on the s e s cans and e valuations .
OpenSCAP — The o scap command-line utility is de s igne d to pe rform configuration and vulne rability s cans on a local s ys te m, to validate s e curity compliance conte nt, and to ge ne rate re ports and guide s bas e d on the s e s cans and e valuations .
Script Check Engine (SCE) — SCE is an e xte ns ion to the SCAP protocol that allows adminis trators to write the ir s e curity conte nt us ing a s cripting language , s uch as Bas h,
Python, or Ruby. The SCE e xte ns ion is provide d in the openscap-engine-sce package .
SCAP Securit y Guide (SSG) — The scap-security-guide package provide s the late s t colle ction of s e curity policie s for Linux s ys te ms . The guidance cons is ts of a catalog of practical harde ning advice , linke d to gove rnme nt re quire me nts whe re applicable . The proje ct bridge s the gap be twe e n ge ne ralize d policy re quire me nts and s pe cific imple me ntation guide line s .
If you re quire pe rforming automate d compliance audits on multiple s ys te ms re mote ly, you
can utilize Ope nSCAP s olution for Re d Hat Sate llite . For more information s e e Se ction 6.7,
“Us ing Ope nSCAP with Re d Hat Sate llite ” and Se ction 6.9, “Additional Re s ource s ” .
The s e curity or compliance policy is rare ly writte n from s cratch. ISO 270 0 0 s tandard s e rie s , de rivative works , and othe r s ource s provide s e curity policy te mplate s and practice re comme ndations that s hould be he lpful to s tart with. Howe ve r, organizations building the irs information s e curity program ne e d to ame nd the policy te mplate s to align with the ir
173

Se curit y Guide ne e ds . The policy te mplate s hould be chos e n on the bas is of its re le vancy to the company e nvironme nt and the n the te mplate has to be adjus te d be caus e e ithe r the te mplate contains build-in as s umptions which cannot be applie d to the organization, or the te mplate e xplicitly re quire s that ce rtain de cis ions have to be made .
Re d Hat Ente rpris e Linux auditing capabilitie s are bas e d on the Se curity Conte nt
Automation Protocol (SCAP) s tandard. SCAP is a s ynthe s is of inte rope rable s pe cifications that s tandardize the format and nome nclature by which s oftware flaw and s e curity configuration information is communicate d, both to machine s and humans . SCAP is a multipurpos e frame work of s pe cifications that s upports automate d configuration, vulne rability and patch che cking, te chnical control compliance activitie s , and s e curity me as ure me nt.
In othe r words , SCAP is a ve ndor-ne utral way of e xpre s s ing s e curity policy, and as s uch it is wide ly us e d in mode rn e nte rpris e s . SCAP s pe cifications cre ate an e cos ys te m whe re the format of s e curity conte nt is we ll known and s tandardize d while the imple me ntation of the s canne r or policy e ditor is not mandate d. Such a s tatus e nable s organizations to build the ir s e curity policy (SCAP conte nt) once , no matte r how many s e curity ve ndors do the y e mploy.
The late s t ve rs ion of SCAP include s s e ve ral unde rlying s tandards . The s e compone nts are organize d into groups according to the ir function within SCAP as follows :
SCAP Co mpo nent s
Languages — This group cons is ts of SCAP language s that de fine s tandard vocabularie s and conve ntions for e xpre s s ing compliance policy.
The eXtensible Configuration Checklist Description Format (XCCDF) — A language de s igne d to e xpre s s , organize , and manage s e curity guidance .
Open Vulnerability and Assessment Language (OVAL) — A language de ve lope d to pe rform logical as s e rtion about the s tate of the s canne d s ys te m.
Open Checklist Interactive Language (OCIL) — A language de s igne d to provide a s tandard way to que ry us e rs and inte rpre t us e r re s pons e s to the give n que s tions .
Asset Identification (AI) — A language de ve lope d to provide a data mode l, me thods , and guidance for ide ntifying s e curity as s e ts .
Asset Reporting Format (ARF) — A language de s igne d to e xpre s s the trans port format of information about colle cte d s e curity as s e ts and the re lations hip be twe e n as s e ts and s e curity re ports .
Enumerations — This group include s SCAP s tandards that de fine naming format and an official lis t or dictionary of ite ms from ce rtain s e curity-re late d are as of inte re s t.
Common Configuration Enumeration (CCE) — An e nume ration of s e curity-re le vant configuration e le me nts for applications and ope rating s ys te ms .
Common Platform Enumeration (CPE) — A s tructure d naming s che me us e d to ide ntify information te chnology (IT) s ys te ms , platforms , and s oftware package s .
Common Vulnerabilities and Exposures (CVE) — A re fe re nce me thod to a colle ction of publicly known s oftware vulne rabilitie s and e xpos ure s .
Metrics — This group compris e s of frame works to ide ntify and e valuate s e curity ris ks .
Common Configuration Scoring System (CCSS) — A me tric s ys te m to e valuate
174

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP s e curity-re le vant configuration e le me nts and as s ign the m s core s in orde r to he lp us e rs to prioritize appropriate re s pons e s te ps .
Common Vulnerability Scoring System (CVSS) — A me tric s ys te m to e valuate s oftware vulne rabilitie s and as s ign the m s core s in orde r to he lp us e rs prioritize the ir s e curity ris ks .
Integrity — An SCAP s pe cification to maintain inte grity of SCAP conte nt and s can re s ults .
Trust Model for Security Automation Data (TMSAD) — A s e t of re comme ndations e xplaining us age of e xis ting s pe cification to re pre s e nt s ignature s , has he s , ke y information, and ide ntity information in conte xt of an XML file within a s e curity automation domain.
Each of the SCAP compone nts has its own XML-bas e d docume nt format and its XML name s pace . A compliance policy e xpre s s e d in SCAP can e ithe r take a form of a s ingle OVAL de finition XML file , data s tre am file , s ingle zip archive , or a s e t of s e parate XML file s containing an XCCDF file that re pre s e nts a policy che cklis t.
The XCCDF language is de s igne d to s upport information inte rchange , docume nt ge ne ration, organizational and s ituational tailoring, automate d compliance te s ting, and compliance s coring. The language is mos tly de s criptive and doe s not contain any commands to pe rform s e curity s cans . Howe ve r, an XCCDF docume nt can re fe r to othe r
SCAP compone nts , and as s uch it can be us e d to craft a compliance policy that is portable among all the targe t platforms with the e xce ption of the re late d as s e s s me nt docume nts
(OVAL, OCIL).
The common way to re pre s e nt a compliance policy is a s e t of XML file s whe re one of the file s is an XCCDF che cklis t. This XCCDF file us ually points to the as s e s s me nt re s ource s , multiple OVAL, OCIL and the Script Che ck Engine (SCE) file s . Furthe rmore , the file s e t can contain a CPE dictionary file and an OVAL file de fining obje cts for this dictionary.
Be ing an XML-bas e d language , the XCCDF de fine s and us e s a vas t s e le ction of XML e le me nts and attribute s . The following lis t brie fly introduce s the main XCCDF e le me nts ; for more de tails about XCCDF, cons ult the NIST Inte rage ncy Re port 7275 Re vis ion 4 .
Main XML Element s o f t he XCCDF Do cument
<xccdf:Benchmark> — This is a root e le me nt that e nclos e s the whole XCCDF docume nt. It may als o contain che cklis t me tadata, s uch as a title , de s cription, lis t of authors , date of the late s t modification, and s tatus of the che cklis t acce ptance .
<xccdf:Rule> — This is a ke y e le me nt that re pre s e nts a che cklis t re quire me nt and holds its de s cription. It may contain child e le me nts that de fine actions ve rifying or e nforcing compliance with the give n rule or modify the rule its e lf.
<xccdf:Value> — This ke y e le me nt is us e d for e xpre s s ing prope rtie s of othe r XCCDF e le me nts within the be nchmark.
<xccdf:Group> — This e le me nt is us e d to organize an XCCDF docume nt to s tructure s with the s ame conte xt or re quire me nt domains by gathe ring the <xccdf:Rule> ,
<xccdf:Value> , and <xccdf:Group> e le me nts .
<xccdf:Profile> — This e le me nt s e rve s for a name d tailoring of the XCCDF
175

Se curit y Guide be nchmark. It allows the be nchmark to hold s e ve ral diffe re nt tailorings .
<xccdf:Profile> utilize s s e ve ral s e le ctor e le me nts , s uch as <xccdf:select> or
<xccdf:refine-rule> , to de te rmine which e le me nts are going to be modifie d and proce s s e d while it is in e ffe ct.
<xccdf:Tailoring> — This e le me nt allows de fining the be nchmark profile s outs ide the be nchmark, which is s ome time s de s irable for manual tailoring of the compliance policy.
<xccdf:TestResult> — This e le me nt s e rve s for ke e ping the s can re s ults for the give n be nchmark on the targe t s ys te m. Each <xccdf:TestResult> s hould re fe r to the profile that was us e d to de fine the compliance policy for the particular s can and it s hould als o contain important information about the targe t s ys te m that is re le vant for the s can.
<xccdf:rule-result> — This is a child e le me nt of <xccdf:TestResult> that is us e d to hold the re s ult of applying a s pe cific rule from the be nchmark to the targe t s ys te m.
<xccdf:fix> — This is a child e le me nt of <xccdf:Rule> that s e rve s for re me diation of the targe t s ys te m that is not compliant with the give n rule . It can contain a command or s cript that is run on the targe t s ys te m in orde r to bring the s ys te m into compliance the rule .
<xccdf:check> — This is a child e le me nt of <xccdf:Rule> that re fe rs to an e xte rnal s ource which de fine s how to e valuate the give n rule .
<xccdf:select> — This is a s e le ctor e le me nt that is us e d for including or e xcluding the chos e n rule s or groups of rule s from the policy.
<xccdf:set-value> — This is a s e le ctor e le me nt that is us e d for ove rwriting the curre nt value of the s pe cifie d <xccdf:Value> e le me nt without modifying any of its othe r prope rtie s .
<xccdf:refine-value> — This is a s e le ctor e le me nt that is us e d for s pe cifying cons traints of the particular <xccdf:Value> e le me nt during policy tailoring.
<xccdf:refine-rule> — This s e le ctor e le me nt allows ove rwriting prope rtie s of the s e le cte d rule s .
Example 6.1. An Example o f an XCCDF Do cument
<?xml version= "1.0" encoding= "UTF-8" ?>
<Benchmark xmlns= "http://checklists.nist.gov/xccdf/1.2"
id= "xccdf_com.example.www_benchmark_test" >
<status> incomplete </status>
<version> 0.1
</version>
<Profile id= "xccdf_com.example.www_profile_1" >
<title> Profile title is compulsory </title>
<select idref= "xccdf_com.example.www_group_1"
selected= "true" />
<select idref= "xccdf_com.example.www_rule_1"
selected= "true" />
<refine-value idref= "xccdf_com.example.www_value_1"
selector= "telnet service" />
</Profile>
<Group id= "xccdf_com.example.www_group_1" >
<Value id= "xccdf_com.example.www_value_1" >
176

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
<value selector= "telnet_service" > telnet-server </value>
<value selector= "dhcp_servide" > dhcpd </value>
<value selector= "ftp_service" > tftpd </value>
</Value>
<Rule id= "xccdf_com.example.www_rule_1" >
<title> The telnet-server Package Shall Not Be Installed </title>
<rationale>
Removing the telnet-server package decreases the risk
of the telnet service’s accidental (or intentional) activation
</rationale>
<fix platform= "cpe:/o:redhat:enterprise_linux:6"
reboot= "false"
disruption= "low"
system= "urn:xccdf:fix:script:sh" >
yum -y remove
<sub idref= "xccdf_com.example.www_value_1" />
</fix>
<check system= "http://oval.mitre.org/XMLSchema/oval-definitions-
5" >
<check-export value-id= "xccdf_com.example.www_value_1"
export-name= "oval:com.example.www:var:1" />
<check-content-ref href= "examplary.oval.xml"
name= "oval:com.example.www:def:1" />
</check>
<check system= "http://open-scap.org/page/SCE" >
<check-import import-name= "stdout" />
<check-content-ref href= "telnet_server.sh" />
</check>
</Rule>
</Group>
</Benchmark>
The Ope n Vulne rability As s e s s me nt Language (OVAL) is the e s s e ntial and olde s t compone nt of SCAP. The main goal of the OVAL s tandard is to e nable inte rope rability among s e curity products . That is achie ve d by s tandardization of the following thre e domains :
1. Re pre s e ntation of the targe t s ys te m configuration.
2. Analys is of the targe t s ys te m for the pre s e nce of a particular machine s tate .
3. Re porting the re s ults of the comparis on be twe e n the s pe cifie d machine s tate and the obs e rve d machine s tate .
Unlike othe r tools or cus tom s cripts , the OVAL language de s cribe s a de s ire d s tate of re s ource s in a de clarative manne r. The OVAL language code is ne ve r e xe cute d dire ctly, but by me ans of an OVAL inte rpre te r tool calle d scanner. The de clarative nature of OVAL e ns ure s that the s tate of the as s e s s e d s ys te m is not accide ntally modifie d, which is important be caus e s e curity s canne rs are ofte n run with the highe s t pos s ible privile ge s .
177

Se curit y Guide
OVAL s pe cification is ope n for public comme nts and contribution and various IT companie s collaborate with the MITRE Corporation, fe de rally funde d not-for-profit organization. The
OVAL s pe cification is continuous ly e volving and diffe re nt e ditions are dis tinguis he d by a ve rs ion numbe r. The curre nt ve rs ion 5.10.1 was re le as e d in January 2012.
Like all othe r SCAP compone nts , OVAL is bas e d on XML. The OVAL s tandard de fine s s e ve ral docume nt formats . Each of the m include s diffe re nt kind of information and s e rve s a diffe re nt purpos e .
T he OVAL Do cument Fo rmat s
The OVAL Definitions format is the mos t common OVAL file format that is us e d dire ctly for s ys te m s cans . The OVAL De finitions docume nt de s cribe s the de s ire d s tate of the targe t s ys te m.
The OVAL Variables format de fine s variable s us e d to ame nd the OVAL De finitions docume nt. The OVAL Variable s docume nt is typically us e d in conjunction with the OVAL
De finitions docume nt to tailor the s e curity conte nt for the targe t s ys te m at runtime .
The OVAL System Characteristics format holds information about the as s e s s e d s ys te m.
The OVAL Sys te m Characte ris tics docume nt is typically us e d to compare the actual s tate of the s ys te m agains t the e xpe cte d s tate de fine d by an OVAL De finitions docume nt.
The OVAL Results is the mos t compre he ns ive OVAL format that is us e d to re port re s ults of the s ys te m e valuation. The OVAL Re s ults docume nt typically contains copy of the e valuate d OVAL de finitions , bound OVAL variable s , OVAL s ys te m characte ris tics , and re s ults of te s ts that are compute d bas e d on comparis on of the s ys te m characte ris tics and the de finitions .
The OVAL Directives format is us e d to tailor ve rbos ity of an OVAL Re s ult docume nt by e ithe r including or e xcluding ce rtain de tails .
The OVAL Common Model format contains de finitions of cons tructs and e nume rations us e d in s e ve ral othe r OVAL s che me s . It is us e d to re us e OVAL de finitions in orde r to avoid duplications acros s multiple docume nts .
The OVAL De finitions docume nt cons is ts of a s e t of configuration re quire me nts whe re e ach re quire me nt is de fine d in the following five bas ic s e ctions : definitions, tests, objects,
states, and variables. The e le me nts within the de finitions s e ction de s cribe which of the te s ts s hall be fulfille d to s atis fy the give n de finition. The te s t e le me nts link obje cts and s tate s toge the r. During the s ys te m e valuation, a te s t is cons ide re d pas s e d whe n a re s ource of the as s e s s e d s ys te m that is de note d by the give n obje ct e le me nt corre s ponds with the give n s tate e le me nt. The variable s s e ction de fine s e xte rnal variable s which may be us e d to adjus t e le me nts from the s tate s s e ction. Be s ide s the s e s e ctions , the OVAL De finitions docume nt typically contains als o the generator and
signature s e ctions . The generator s e ction holds information about the docume nt origin and various additional information re late d to its conte nt.
Each e le me nt from the OVAL docume nt bas ic s e ctions is unambiguous ly ide ntifie d by an ide ntifie r in the following form: oval:namespace:type:ID
178

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP whe re namespace is a name s pace de fining the ide ntifie r, type is e ithe r def for de finitions e le me nts , tst for te s ts e le me nts , obj for obje cts e le me nt, ste for s tate s e le me nts , and var for variable s e le me nts , and ID is an inte ge r value of the ide ntifie r.
Example 6.2. An Example o f an OVAL Def init io ns Do cument
<?xml version= "1.0" encoding= "utf-8" ?>
<oval_definitions
xmlns:lin-def= "http://oval.mitre.org/XMLSchema/oval-definitions-
5#linux"
xmlns:oval= "http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns= "http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance" >
<generator>
<oval:product_name> vim </oval:product_name>
<oval:schema_version> 5.10.1
</oval:schema_version>
<oval:timestamp> 2012-11-22T15:00:00+01:00 </oval:timestamp>
</generator>
<definitions>
<definition class= "inventory"
id= "oval:org.open-scap.cpe.rhel:def:7"
version= "1" >
<metadata>
<title> Red Hat Enterprise Linux 7 </title>
<affected family= "unix" >
<platform> Red Hat Enterprise Linux 7 </platform>
</affected>
<reference ref_id= "cpe:/o:redhat:enterprise_linux:7"
source= "CPE" />
<description>
The operating system installed on the system is Red Hat
Enterprise Linux 7
</description>
</metadata>
<criteria>
<criterion comment= "Red Hat Enterprise Linux 7 is installed"
test_ref= "oval:org.open-scap.cpe.rhel:tst:7" />
</criteria>
</definition>
</definitions>
<tests>
<lin-def:rpminfo_test check_existence= "at_least_one_exists"
id= "oval:org.open-scap.cpe.rhel:tst:7"
version= "1"
check= "at least one"
comment= "redhat-release is version 7" >
<lin-def:object object_ref= "oval:org.open-scap.cpe.redhatrelease:obj:1" />
<lin-def:state state_ref= "oval:org.open-scap.cpe.rhel:ste:7" />
</lin-def:rpminfo_test>
</tests>
<objects>
<lin-def:rpmverifyfile_object id= "oval:org.open-scap.cpe.redhatrelease:obj:1"
179

Se curit y Guide
version= "1" >
<!-- This object represents rpm package which owns /etc/redhatrelease file -->
<lin-def:behaviors nolinkto= 'true'
nomd5= 'true'
nosize= 'true'
nouser= 'true'
nogroup= 'true'
nomtime= 'true'
nomode= 'true'
nordev= 'true'
noconfigfiles= 'true'
noghostfiles= 'true' />
<lin-def:name operation= "pattern match" />
<lin-def:epoch operation= "pattern match" />
<lin-def:version operation= "pattern match" />
<lin-def:release operation= "pattern match" />
<lin-def:arch operation= "pattern match" />
<lin-def:filepath> /etc/redhat-release </lin-def:filepath>
</lin-def:rpmverifyfile_object>
</objects>
<states>
<lin-def:rpminfo_state id= "oval:org.open-scap.cpe.rhel:ste:7"
version= "1" >
<lin-def:name operation= "pattern match" > ^redhat-release </lindef:name>
<lin-def:version operation= "pattern match" > ^7[^\d] </lindef:version>
</lin-def:rpminfo_state>
</states>
</oval_definitions>
SCAP data s tre am is a file format us e d s ince SCAP ve rs ion 1.2 and it re pre s e nts a bundle of XCCDF, OVAL, and othe r compone nt file s which can be us e d to de fine a compliance policy e xpre s s e d by an XCCDF che cklis t. It als o contains an inde x and catalog that allow s plitting the give n data s tre am into file s according to the SCAP compone nts .
The data s tre am us e s XML format that cons is ts of a he ade r forme d by a table of conte nts and a lis t of the <ds:component> e le me nts . Each of the s e e le me nts e ncompas s e s an
SCAP compone nt s uch as XCCDF, OVAL, CPE, and othe r. The data s tre am file may contain multiple compone nts of the s ame type , and thus cove ring all s e curity policie s ne e de d by your organization.
Example 6.3. An Example o f a Dat a St ream Header
<ds:data-stream-collection xmlns:ds= "http://scap.nist.gov/schema/scap/source/1.2"
xmlns:xlink= "http://www.w3.org/1999/xlink"
xmlns:cat= "urn:oasis:names:tc:entity:xmlns:xml:catalog"
id= "scap_org.open-scap_collection_from_xccdf_ssg-rhel7-xccdf-
180

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
1.2.xml"
schematron-version= "1.0" >
<ds:data-stream id= "scap_org.open-scap_datastream_from_xccdf_ssgrhel7-xccdf-1.2.xml"
scap-version= "1.2" use-case= "OTHER" >
<ds:dictionaries>
<ds:component-ref id= "scap_org.open-scap_cref_output--ssg-rhel7cpe-dictionary.xml"
xlink:href= "#scap_org.open-scap_comp_output--ssg-rhel7-cpedictionary.xml" >
<cat:catalog>
<cat:uri name= "ssg-rhel7-cpe-oval.xml"
uri= "#scap_org.open-scap_cref_output--ssg-rhel7-cpeoval.xml" />
</cat:catalog>
</ds:component-ref>
</ds:dictionaries>
<ds:checklists>
<ds:component-ref id= "scap_org.open-scap_cref_ssg-rhel7-xccdf-
1.2.xml"
xlink:href= "#scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml" >
<cat:catalog>
<cat:uri name= "ssg-rhel7-oval.xml"
uri= "#scap_org.open-scap_cref_ssg-rhel7-oval.xml" />
</cat:catalog>
</ds:component-ref>
</ds:checklists>
<ds:checks>
<ds:component-ref id= "scap_org.open-scap_cref_ssg-rhel7-oval.xml"
xlink:href= "#scap_org.open-scap_comp_ssg-rhel7-oval.xml" />
<ds:component-ref id= "scap_org.open-scap_cref_output--ssg-rhel7cpe-oval.xml"
xlink:href= "#scap_org.open-scap_comp_output--ssg-rhel7-cpeoval.xml" />
<ds:component-ref id= "scap_org.open-scap_cref_output--ssg-rhel7oval.xml"
xlink:href= "#scap_org.open-scap_comp_output--ssg-rhel7oval.xml" />
</ds:checks>
</ds:data-stream>
<ds:component id= "scap_org.open-scap_comp_ssg-rhel7-oval.xml"
timestamp= "2014-03-14T16:21:59" >
<oval_definitions xmlns= "http://oval.mitre.org/XMLSchema/ovaldefinitions-5"
xmlns:oval= "http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:ind= "http://oval.mitre.org/XMLSchema/oval-definitions-
5#independent"
xmlns:unix= "http://oval.mitre.org/XMLSchema/oval-definitions-
5#unix"
xmlns:linux= "http://oval.mitre.org/XMLSchema/oval-definitions-
5#linux"
xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation= "http://oval.mitre.org/XMLSchema/oval-common-
5
oval-common-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5
181

Se curit y Guide
oval-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-
5#independent
independent-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#unix
unix-definitions-schema.xsd
http://oval.mitre.org/XMLSchema/oval-definitions-5#linux
linux-definitions-schema.xsd" >
SCAP Wo rkbench (scap-workbench) is a graphical utility that allows us e rs to pe rform configuration and vulne rability s cans on a s ingle local or a re mote s ys te m, pe rform re me diation of the s ys te m, and ge ne rate re ports bas e d on s can e valuations . Note that compare d with the o scap command-line utility, SCAP Wo rkbench has only limite d functionality. SCAP Wo rkbench can als o proce s s only s e curity conte nt in the form of
XCCDF and data-s tre am file s .
The following s e ctions e xplain how to ins tall, s tart, and utilize SCAP Workbe nch in orde r to pe rform s ys te m s cans , re me diation, s can cus tomization, and dis play re le vant e xample s for the s e tas ks .
To ins tall SCAP Wo rkbench on your s ys te m, run the following command as root :
~]# yum install scap-workbench
This command ins talls all package s re quire d by SCAP Workbe nch to function prope rly, including the scap-workbench package that provide s the utility its e lf. Note that re quire d de pe nde ncie s , s uch as the qt and openssh package s , will be automatically update d to the ne we s t available ve rs ion if the package s are alre ady ins talle d on your s ys te m.
Be fore you can s tart us ing SCAP Workbe nch e ffe ctive ly, you als o ne e d to ins tall or import s ome s e curity conte nt on your s ys te m. For e xample , you can ins tall the SCAP Se curity
Guide (SSG) package , scap-security-guide, which contains the curre ntly mos t e volve d and e laborate s e t of s e curity police s for Linux s ys te ms . To ins tall the SCAP Se curity Guide package on your s ys te m, run the following command as root:
~]# yum install scap-security-guide
Afte r you ins tall scap-security-guide on your s ys te m, unle s s s pe cifie d othe rwis e , the SSG s e curity conte nt is available unde r the /usr/share/xml/scap/ssg/content/ dire ctory, and you can proce e d with othe r s e curity compliance ope rations .
To find othe r pos s ible s ource s of e xis ting SCAP conte nt that might s uit your ne e ds , s e e
Se ction 6.9, “Additional Re s ource s ” .
Afte r a s ucce s s ful ins tallation of both, the SCAP Wo rkbench utility and SCAP conte nt, you can s tart us ing SCAP Wo rkbench on your s ys te ms . For running SCAP Wo rkbench from
182

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP the GNOME Classic de s ktop e nvironme nt, pre s s the Super ke y to e nte r the Activities
Overview , type scap-workbench , and the n pre s s Enter . The Super ke y appe ars in a varie ty of guis e s , de pe nding on the ke yboard and othe r hardware , but ofte n as e ithe r the
Windows or Command ke y, and typically to the le ft of the Spacebar ke y.
As s oon as you s tart the utility, the SCAP Workbench window appe ars . The SCAP
Workbench window cons is ts of s e ve ral inte ractive compone nts , which you s hould be come familiar with be fore you s tart s canning your s ys te m:
Input f ile
This fie ld contains the full path to the chos e n s e curity policy. You can s e arch for applicable SCAP conte nt on your s ys te m by clicking the Browse button.
Checklist
This combo box dis plays the name of the che cklis t that is to be applie d by the s e le cte d s e curity policy. You can choos e a s pe cific che cklis t by clicking this combo box if more than one che cklis t is available .
T ailo ring
This combo box informs you about the cus tomization us e d for the give n s e curity policy. You can s e le ct cus tom rule s that will be applie d for the s ys te m e valuation by clicking this combo box. The de fault value is (no t ailo ring), which me ans that the re will be no change s to the us e d s e curity policy. If you made any change s to the s e le cte d s e curity profile , you can s ave thos e change s as an XML file by clicking the Save Tailoring button.
Pro f ile
This combo box contains the name of the s e le cte d s e curity profile . You can s e le ct the s e curity profile from a give n XCCDF or data-s tre am file by clicking this combo box. To cre ate a ne w profile that inhe rits prope rtie s of the s e le cte d s e curity profile , click the Customize button.
T arget
The two radio buttons e nable you to s e le ct whe the r the s ys te m to be e valuate d is a local or re mote machine .
Select ed Rules
This fie ld dis plays a lis t of s e curity rule s that are s ubje ct of the s e curity policy.
Hove ring ove r a particular s e curity rule provide s de taile d information about that rule .
Save co nt ent
This me nu allows you to s ave SCAP file s that have be e n s e le cte d in the Input
f ile and T ailo ring fie lds e ithe r to the s e le cte d dire ctory or as an RPM package .
St at us bar
This is a graphical bar that indicate s s tatus of an ope ration that is be ing pe rforme d.
Online remediat io n
183

Se curit y Guide
This che ck box e nable s the re me diation fe ature during the s ys te m e valuation. If you che ck this box, SCAP Workbe nch will atte mpt to corre ct s ys te m s e ttings that would fail to match the s tate de fine d by the policy.
Scan
This button allows you to s tart the e valuation of the s pe cifie d s ys te m.
Figure 6.1. SCAP Wo rkbench Windo w
The main functionality of SCAP Wo rkbench is to pe rform s e curity s cans on a s e le cte d s ys te m in accordance with the give n XCCDF or data s tre am file . To e valuate your s ys te m agains t the s e le cte d s e curity policy, follow the s e s te ps :
1. Se le ct a s e curity policy by us ing the Open content option in the File me nu and s e arch the re s pe ctive XCCDF, SCAP RPM or data s tre am file .
184

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
Warning
Se le cting a s e curity policy re s ults in the los s of any pre vious tailoring change s that we re not s ave d. To re -apply the los t options , you have to choos e the available profile and tailoring conte nt again. Note that your pre vious cus tomizations may not be applicable with the ne w s e curity policy.
2. If the s e le cte d SCAP file is a data s tre am file that provide s more than one che cklis t, you can s e le ct the particular che cklis t by clicking the Checklist combo box.
Warning
Changing the che cklis t may re s ult in a s e le ction of a diffe re nt profile , and any pre vious cus tomizations may not be applicable to the ne w che cklis t.
3. To us e a pre -arrange d a file with cus tomize d s e curity conte nt s pe cific to your us e cas e , you can load this file by clicking on the T ailo ring combo box. You can als o cre ate a cus tom tailoring file by alte ring an available s e curity profile . For more information, s e e
Se ction 6.3.4, “Cus tomizing Se curity Profile s ” .
a. Se le ct the (no tailoring) option if you do not want to us e any cus tomization for the curre nt s ys te m e valuation. This is the de fault option if no pre vious cus tomization was s e le cte d.
b. Se le ct the (open tailoring file...) option to s e arch for the particular tailoring file to be us e d for the curre nt s ys te m e valuation.
c. If you have pre vious ly us e d s ome tailoring file , SCAP Wo rkbench re me mbe rs this file and adds it to the lis t. This s implifie s re pe titive application of the s ame s can.
4. Se le ct a s uitable s e curity profile by clicking the Pro f ile combo box.
a. To modify the s e le cte d profile , click the Customize button. For more
information about profile cus tomization, s e e Se ction 6.3.4, “Cus tomizing
Se curity Profile s ” .
5. Se le ct e ithe r of two Target radio buttons to s can e ithe r a local or a re mote machine .
a. If you have s e le cte d a re mote s ys te m, s pe cify it by e nte ring the us e r name , hos tname , and the port information as s hown in the following e xample . If you have pre vious ly us e d the re mote s can, you can als o s e le ct a re mote s ys te m from a lis t of re ce ntly s canne d machine s .
185

Se curit y Guide
Figure 6.2. Specif ying a Remo t e Syst em
6. You can allow automatic corre ction of the s ys te m configuration by s e le cting the
Online remediation che ck box. With this option e nable d, SCAP Wo rkbench atte mpts to change the s ys te m configuration in accordance with the s e curity rule s applie d by the policy, s hould the re late d che cks fail during the s ys te m s can.
Warning
If not us e d care fully, running the s ys te m e valuation with the re me diation option e nable d could re nde r the s ys te m non-functional.
7. Click the Scan button to initiate the s ys te m s can.
Afte r s e le cting the s e curity profile that s uits your s e curity policy, you can furthe r adjus t it by clicking the Customize button. This will ope n the ne w Tailoring window that allows you to modify the curre ntly s e le cte d XCCDF profile without actually changing the re s pe ctive
XCCDF file .
Figure 6.3. Cust o mizing t he Select ed Securit y Pro f ile
The Tailoring window contains a comple te s e t of XCCDF e le me nts re le vant to the s e le cte d s e curity profile with de taile d information about e ach e le me nt and its functionality.
186

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
You can e nable or dis able the s e e le me nts by s e le cting or de -s e le cting the re s pe ctive che ck boxe s in the main fie ld of this window. The Tailoring window als o s upports undo and redo functionality; you can undo or re do your s e le ctions by clicking the re s pe ctive arrow icon in the top le ft corne r of the window.
You can als o change variable s that will late r be us e d for e valuation. Find the de s ire d ite m in the Tailoring window, navigate to the right part and us e the Modify value fie ld.
Figure 6.4. Set t ing a value f o r t he select ed it em in t he T ailo ring windo w
Afte r you have finis he d your profile cus tomizations , confirm the change s by clicking the
Confirm Tailoring button. Your change s are now in the me mory and do not pe rs is t if
SCAP Wo rkbench is clos e d or ce rtain change s , s uch as s e le cting a ne w SCAP conte nt or choos ing anothe r tailoring option, are made . To s tore your change s , click the Save
Tailoring button in the SCAP Workbench window. This action allows you to s ave your change s to the s e curity profile as an XCCDF tailoring file in the chos e n dire ctory. Note that this tailoring file can be furthe r s e le cte d with othe r profile s .
SCAP Wo rkbench als o allows you to s ave SCAP conte nt that is us e d with your s ys te m
e valuations . You can e ithe r s ave a tailoring file s e parate ly (s e e Se ction 6.3.4,
“Cus tomizing Se curity Profile s ” ) or you can s ave all s e curity conte nt at once by clicking the
Save content combo box and s e le cting e ithe r the Save into a directory or Save as
RPM options .
By s e le cting the Save into a directory option, SCAP Wo rkbench s ave s both the
XCCDF or data-s tre am file and the tailoring file to the s pe cifie d location. This can be us e ful as a backup s olution.
187

Se curit y Guide
By s e le cting the Save as RPM option, you can ins truct SCAP Wo rkbench to cre ate an
RPM package containing the XCCDF or data s tre am file and tailoring file . This is us e ful for dis tributing the de s ire d s e curity conte nt to s ys te ms that cannot be s canne d re mote ly, or jus t for de live ring the conte nt for furthe r proce s s ing.
Figure 6.5. Saving t he Current SCAP Co nt ent as an RPM Package
Afte r the s ys te m s can is finis he d, two ne w buttons , Clear and Report , will appe ar ins te ad of the Scan button.
Warning
Clicking the Clear button pe rmane ntly re move s the s can re s ults .
You can dis play and furthe r proce s s the s can re s ults by clicking the Report button, which ope ns the Evaluation Report window. This window contains the Save combo box and two buttons , Open in Browser and Close .
188

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
To s tore the s can re s ults in the form of an XCCDF, ARF, or HTML file , click the Save combo box. Choos e the HTML Report option to ge ne rate the s can re port in human-re adable form.
The XCCDF and ARF (data s tre am) formats are s uitable for furthe r automatic proce s s ing.
You can re pe ate dly choos e all thre e options .
If you pre fe r to vie w the s can re s ults imme diate ly without s aving the m, you can click the
Open in Browser button, which ope ns the s can re s ults in the form of a te mporary HTML file in your de fault we b brows e r.
The o scap command-line utility allows us e rs to s can the ir local s ys te ms , validate s e curity compliance conte nt, and ge ne rate re ports and guide s bas e d on the s e s cans and e valuations . This utility s e rve s as a front e nd to the Ope nSCAP library and groups its functionalitie s to module s (s ub-commands ) bas e d on the type of SCAP conte nt it proce s s e s .
The following s e ctions e xplain how to ins tall o scap and pe rform the mos t common ope rations . Example s are provide d to illus trate the s e tas ks . To le arn more about s pe cific s ub-commands , us e the --help option with an o scap command: oscap [options] module module_operation
[module_operation_options_and_arguments] --help whe re module re pre s e nts the type of SCAP conte nt that is be ing proce s s e d, and
module_operation is a s ub-command for the s pe cific ope ration on the SCAP conte nt.
Example 6.4. Get t ing Help o n a Specif ic o scap Operat io n
~]$ oscap ds sds-split --help oscap -> ds -> sds-split
Split given SourceDataStream into separate files
Usage: oscap [options] ds sds-split [options] SDS TARGET_DIRECTORY
SDS - Source data stream that will be split into multiple files.
TARGET_DIRECTORY - Directory of the resulting files.
Options:
--datastream-id <id> - ID of the datastream in the collection to use.
--xccdf-id <id> - ID of XCCDF in the datastream that should be evaluated.
To le arn about all o scap fe ature s and the comple te lis t of its options , s e e the oscap(8) manual page .
To ins tall o scap to your s ys te m, run the following command as root :
189

Se curit y Guide
~]# yum install openscap-scanner
This command allows you to ins tall all package s re quire d by o scap to function prope rly, including the openscap package . To be able to write your own s e curity conte nt, you s hould als o ins tall the openscap-engine-sce package , which provide s the Script Che ck Engine
(SCE). The SCE is an e xte ns ion of the SCAP protocol that allows conte nt authors to write the ir s e curity conte nt us ing a s cripting language , s uch as Bas h, Python, or Ruby. Note that the openscap-engine-sce package is only available from the Optional channe l. Se e Enabling
Supple me ntary and Optional Re pos itorie s .
Optionally, afte r ins talling o scap, you can che ck the capabilitie s of your ve rs ion of o scap, what s pe cifications it s upports , whe re the ce rtain o scap file s are s tore d, what kinds of
SCAP obje cts you can us e , and othe r us e ful information. To dis play this information, type the following command:
~]$ oscap -V
OpenSCAP command line tool (oscap) 1.0.4
Copyright 2009--2014 Red Hat Inc., Durham, North Carolina.
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)
==== Paths ====
Schema files: /usr/share/openscap/schemas
Schematron files: /usr/share/openscap/xsl
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap
==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5
==== Supported OVAL objects and associated OpenSCAP probes ==== system_info probe_system_info family probe_family
190

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP filehash probe_filehash environmentvariable probe_environmentvariable textfilecontent54 probe_textfilecontent54 textfilecontent probe_textfilecontent variable probe_variable xmlfilecontent probe_xmlfilecontent environmentvariable58 probe_environmentvariable58 filehash58 probe_filehash58 inetlisteningservers probe_inetlisteningservers rpminfo probe_rpminfo partition probe_partition iflisteners probe_iflisteners rpmverify probe_rpmverify rpmverifyfile probe_rpmverifyfile rpmverifypackage probe_rpmverifypackage selinuxboolean probe_selinuxboolean selinuxsecuritycontext probe_selinuxsecuritycontext file probe_file interface probe_interface password probe_password process probe_process runlevel probe_runlevel shadow probe_shadow uname probe_uname xinetd probe_xinetd sysctl probe_sysctl process58 probe_process58 fileextendedattribute probe_fileextendedattribute routingtable probe_routingtable
Be fore you can s tart us ing o scap e ffe ctive ly, you als o ne e d to ins tall or import s ome s e curity conte nt on your s ys te m. For e xample , you can ins tall the SCAP Se curity Guide
(SSG) package , scap-security-guide, which contains the curre ntly mos t e volve d and e laborate s e t of s e curity police s for Linux s ys te ms . To ins tall the SCAP Se curity Guide package on your s ys te m, run the following command as root:
~]# yum install scap-security-guide
Afte r you ins tall scap-security-guide on your s ys te m, unle s s s pe cifie d othe rwis e , the SSG s e curity conte nt is available unde r the /usr/share/xml/scap/ssg/content/ dire ctory, and you can proce e d with othe r s e curity compliance ope rations .
To find othe r pos s ible s ource s of e xis ting SCAP conte nt that might s uit your ne e ds , s e e
Se ction 6.9, “Additional Re s ource s ” .
Afte r ins talling the SCAP conte nt on your s ys te m, o scap can proce s s the conte nt whe n s upplie d with the file path to the conte nt. The o scap utility s upports SCAP ve rs ion 1.2 and is backward-compatible with SCAP ve rs ions 1.1 and 1.0, s o it can proce s s e arlie r ve rs ions of SCAP conte nt without any s pe cial re quire me nts .
SCAP s tandard de fine s nume rous file formats . The o scap utility can proce s s or cre ate file s conforming to many of the formats . In orde r to furthe r proce s s the give n file with
SCAP conte nt, you ne e d to unde rs tand how to us e o scap with the give n file type . If you are uns ure how to us e a particular file , you can e ithe r ope n and re ad the file , or you can
191

Se curit y Guide us e the info module of o scap which pars e s the file and e xtracts re le vant information in human-re adable format.
Run the following command to e xamine the inte rnal s tructure of a SCAP docume nt and dis play us e ful information s uch as the docume nt type , s pe cification ve rs ion, a s tatus of the docume nt, the date the docume nt was publis he d, and the date the docume nt was copie d to a file s ys te m:
oscap info file whe re file is the full path to the s e curity conte nt file be ing e xamine d. The following e xample be tte r illus trate s the us age of the oscap info command:
Example 6.5. Displaying Inf o rmat io n Abo ut SCAP Co nt ent
~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Document type: Source Data Stream
Imported: 2014-03-14T12:22:01
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-
1.2.xml
Generated: (null)
Version: 1.2
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
Profiles:
xccdf_org.ssgproject.content_profile_test
xccdf_org.ssgproject.content_profile_rht-ccp
xccdf_org.ssgproject.content_profile_common
xccdf_org.ssgproject.content_profile_stigrhel7-server-upstream
Referenced check files:
ssg-rhel7-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-cpe-oval.xml
Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-oval.xml
Dictionaries:
Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-cpedictionary.xml
The mos t important functionality of o scap is to pe rform configuration and vulne rability s cans of a local s ys te m. The following is a ge ne ral s yntax of the re s pe ctive command: oscap [options] module eval [module_operation_options_and_arguments]
The o scap utility can s can s ys te ms agains t the SCAP conte nt re pre s e nte d by both an
XCCDF (The e Xte ns ible Configuration Che cklis t De s cription Format) be nchmark and OVAL
(Ope n Vulne rability and As s e s s me nt Language ) de finitions . The s e curity policy can be in
192

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP the form of a s ingle OVAL or XCCDF file or multiple s e parate XML file s whe re e ach file re pre s e nts a diffe re nt compone nt (XCCDF, OVAL, CPE, CVE, and othe rs ). The re s ult of a s can can be printe d to both s tandard output and an XML file . The re s ult file can the n be furthe r proce s s e d by o scap in orde r to ge ne rate a re port in a human-re adable format.
The following e xample s illus trate the mos t common us age of the command.
Example 6.6. Scanning t he Syst em Using t he SSG OVAL def init io ns
To s can your s ys te m agains t the SSG OVAL de finition file while e valuating all de finitions , run the following command:
~]$ oscap oval eval --results scan-oval-results.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The re s ults of the s can are s tore d as the scan-oval-results.xml
file in the curre nt dire ctory.
Example 6.7. Scanning t he Syst em Using t he SSG OVAL def init io ns
To e valuate a particular OVAL de finition from the s e curity policy re pre s e nte d by the
SSG data s tre am file , run the following command:
~]$ oscap oval eval --id oval:ssg:def:100 --results scan-oval- results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The re s ults of the s can are s tore d as the scan-oval-results.xml
file in the curre nt dire ctory.
Example 6.8. Scanning t he Syst em Using t he SSG XCCDF benchmark
To pe rform the SSG XCCDF be nchmark for the xccdf_org.ssgproject.content_profile_rht-ccp profile on your s ys te m, run the following command:
~]$ oscap xccdf eval --profile
xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdfresults.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The re s ults of the s can are s tore d as the scan-xccdf-results.xml
file in the curre nt dire ctory.
Note
The --profile command-line argume nt s e le cts the s e curity profile from the give n XCCDF or data s tre am file . The lis t of available profile s can be obtaine d by running the oscap info command. If the --profile command-line argume nt is omitte d the de fault XCCDF profile is us e d as re quire d by SCAP s tandard. Note that the de fault XCCDF profile may or may not be an appropriate s e curity policy.
193

Se curit y Guide
Anothe r us e ful fe ature s of o scap is the ability to ge ne rate SCAP conte nt in a humanre adable format. The o scap utility allows you to trans form an XML file into the HTML or plain-te xt format. This fe ature is us e d to ge ne rate s e curity guide s and che cklis ts , which s e rve as a s ource of information, as we ll as guidance for s e cure s ys te m configuration.
The re s ults of s ys te m s cans can als o be trans forme d to we ll-re adable re s ult re ports . The ge ne ral command s yntax is the following: oscap module generate sub-module [specific_module/submodule_options_and_arguments] file whe re module is e ithe r xccdf or oval , sub-module is a type of the ge ne rate d docume nt, and file re pre s e nts an XCCDF or OVAL file .
The following are the mos t common e xample s of the command us age :
Example 6.9. Generat ing a Guide wit h a Checklist
To produce an SSG guide with a che cklis t for the xccdf_org.ssgproject.content_profile_rht-ccp profile , run the following command:
~]$ oscap xccdf generate guide --profile xccdf_org.ssgproject.content_profile_rht-ccp
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml > ssg-guidechecklist.html
The guide is s tore d as the ssg-guide-checklist.html
file in the curre nt dire ctory.
Example 6.10 . T ransf o rming an SSG OVAL Scan Result int o a Repo rt
To trans form a re s ult of an SSG OVAL s can into an HTML file , run the following command:
~]$ oscap oval generate report scan-oval-results.xml > ssg-scan-oval- report.html
The re s ult re port is s tore d as the ssg-scan-oval-report.html
file in the curre nt dire ctory. This e xample as s ume s that you run the command from the s ame location whe re the scan-oval-results.xml
file is s tore d. Othe rwis e you ne e d to s pe cify the fully-qualifie d path of the file that contains the s can re s ults .
Example 6.11. T ransf o rming an SSG XCCDF Scan Result int o a Repo rt
To trans form a re s ult of an SSG XCCDF s can into an HTML file , run the following command:
~]$ oscap xccdf generate report scan-xccdf-results.xml > scan-xccdf- report.html
The re s ult re port is s tore d as the ssg-scan-xccdf-report.html
file in the curre nt dire ctory. Alte rnative ly, you can ge ne rate this re port in the time of the s can us ing the -
-report command-line argume nt:
194

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdfresults.xml --report scan-xccdf-report.html
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Be fore you s tart us ing a s e curity policy on your s ys te ms , you s hould firs t ve rify the policy in orde r to avoid any pos s ible s yntax or s e mantic e rrors in the policy. The o scap utility can be us e d to validate the s e curity conte nt agains t s tandard SCAP XML s che mas . The validation re s ults are printe d to the s tandard e rror s tre am (s tde rr). The ge ne ral s yntax of s uch a validation command is the following: oscap module validate [module_options_and_arguments] file whe re file is the full path to the file be ing validate d. The only e xce ption is the data s tre am module (ds ), which us e s the sds-validate ope ration ins te ad of validate . Note that all
SCAP compone nts within the give n data s tre am are validate d automatically and none of the compone nts is s pe cifie d s e parate ly, as can be s e e n in the following e xample :
~]$ oscap ds sds-validate /usr/share/xml/scap/ssg/content/ssg-rhel7- ds.xml
With ce rtain SCAP conte nt, s uch as OVAL s pe cification, you can als o pe rform a Sche matron validation. The Sche matron validation is s lowe r than the s tandard validation but provide s de e pe r analys is , and is thus able to de te ct more e rrors . The following SSG e xample s hows typical us age of the command:
~]$ oscap oval validate --schematron
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
OpenSCAP allows to automatically re me diate s ys te ms that have be e n found in a noncompliant s tate . For s ys te m re me diation, an XCCDF file with ins tructions is re quire d. The
scap-security-guide package cons tains ce rtain re me diation ins tructions .
Sys te m re me diation cons is ts of the following s te ps :
1. OpenSCAP pe rforms a re gular XCCDF e valuation.
2. An as s e s s me nt of the re s ults is pe rforme d by e valuating the OVAL de finitions .
Each rule that has faile d is marke d as a candidate for re me diation.
3. OpenSCAP s e arche s for an appropriate fix e le me nt, re s olve s it, pre pare s the e nvironme nt, and e xe cute s the fix s cript.
4. Any output of the fix s cript is capture d by OpenSCAP and s tore d within the ruleresult e le me nt. The re turn value of the fix s cript is s tore d as we ll.
195

Se curit y Guide
5. Whe ne ve r OpenSCAP e xe cute s a fix s cript, it imme diate lly e valuate s the OVAL de finition again (to ve rify that the fix s cript has be e n applie d corre ctly). During this s e cond run, if the OVAL e valuation re turns s ucce s s , the re s ult of the rule is fixed , othe rwis e it is an error .
6. De taile d re s ults of the re me diation are s tore d in an output XCCDF file . It contains two TestResult e le me nts . The firs t TestResult e le me nt re pre s e nts the s can prior to the re me diation. The s e cond TestResult is de rive d from the firs t one and contains re me diation re s ults .
The re are thre e mode s of ope ration of OpenSCAP with re gard to re me diation: online , offline , and re vie w.
Online re me diation e xe cute s fix e le me nts at the time of s canning. Evaluation and re me diation are pe rforme d as a part of a s ingle command.
To e nable online re me diation, us e the --remediate command-line option. For e xample , to e xe cute online re me diation us ing the scap-security-guide package , run:
~]$ oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdfresults.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The output of this command cons is ts of two s e ctions . The firs t s e ction s hows the re s ult of the s can prior to the re me diation, and the s e cond s e ction s hows the re s ult of the s can afte r applying the re me diation. The s e cond part can contain only fixed and error re s ults .
The fixed re s ult indicate s that the s can pe rforme d afte r the re me diation pas s e d. The error re s ult indicate s that e ve n afte r applying the re me diation, the e valuation s till doe s not pas s .
Offline re me diation allows you to pos tpone fix e xe cution. In the firs t s te p, the s ys te m is only e valuate d, and the re s ults are s tore d in a TestResult e le me nt in an XCCDF file .
In the s e cond s te p, oscap e xe cute s the fix s cripts and ve rifie s the re s ult. It is s afe to s tore the re s ults into the input file , no data will be los t. During offline re me diation,
OpenSCAP cre ate s a ne w TestResult e le me nt that is bas e d on the input one and inhe rits all the data. The ne wly cre ate d TestResult diffe rs only in the rule-result e le me nts that have faile d. For thos e , re me diation is e xe cute d.
To pe rform offline re me diation us ing the scap-security-guide package , run:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdfresults.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
~]$ oscap xccdf remediate --results scan-xccdf-results.xml scan-xccdf- results.xml
196

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
The re vie w mode allows us e rs to s tore re me diation ins tructions to a file for furthe r re vie w. The re me diation conte nt is not e xe cute d during this ope ration.
To ge ne rate re me diation ins tructions in the form of a s he ll s cript, run:
~]$ oscap xccdf generate fix --template urn:xccdf:fix:script:sh -- profile xccdf_org.ssgproject.content_profile_rht-ccp --output myremediation-script.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The oscap-docker command-line utility allows us e rs to us e the oscap program to s can the ir docke r-formatte d containe r image s and containe rs almos t in the s ame way as the ir local s ys te ms .
The following s e ction e xplains the ins tallation of oscap-docker and offe rs bas ic e xample s of us age . To le arn more about s ub-commands , us e the --help option with the oscapdocker or oscap commands .
To e nable the s canning of image s and containe rs , you ne e d to have the docker package ins talle d, too. Se e the Ge tting Docke r in Re d Hat Ente rpris e Linux 7 chapte r of the Getting
Started with Containers guide for ins tructions on ins talling Do cker.
Run the following command to ins tall oscap-docker :
# yum install openscap-utils
Example 6.12. Using o scap-do cker oscap-docker scan_target[-cve] target_identifier [oscap-arguments]
Whe re scan_target is an image or a containe r to s can, and target_identifier is the name or the ID of the targe t.
The s e cond of the following commands attache s a containe r image , de te rmine s the variant and ve rs ion of the ope rating s ys te m, downloads the CVE s tre am applicable to the give n s ys te m, and finally runs the vulne rability s can:
# docker images
REPOSITORY TAG IMAGE ID registry.access.redhat.com/rhel7 latest c453594215e4
# oscap-docker image-cve registry.access.redhat.com/rhel7
The s e cond of the following commands runs the OpenSCAP s can within a chroot e nvironme nt of a running containe r. The re s ults may diffe r from s canning of a containe r image due to de fine d mount points . We us e d the OVAL patch de finition com.redhat.rhsa-all.xml
in this e xample .
197

Se curit y Guide
# docker ps
CONTAINER ID IMAGE COMMAND NAMES
5ef05eef4a01 registry.access.redhat.com/rhel7 "/bin/bash" sleepy_kirch
# oscap-docker container 5ef05eef4a01 oval eval com.redhat.rhsa- all.xml
Be fore you de ploy a containe r image , us e the Ope nSCAP-dae mon and Atomic Scan to de te ct vulne rabilitie s in a containe r.
To ins tall the atomic command on your s ys te m for containe r manage me nt, run the following command as root:
# yum install atomic
Afte r the atomic command is ins talle d, you ne e d the OpenSCAP-daemo n to pe rform the s cans . You can ins tall it by running the following command as root:
# atomic install openscap
Once the OpenSCAP-daemo n is in place and running, you can is s ue atomic scan commands . Scan the containe rs and containe r image s by running the following command as root:
# atomic scan $ID
Whe re $ID is the ID of the containe r. If you want to s can all containe r image s and containe rs , us e the --all dire ctive .
Example 6.13. Scanning t he Co nt ainer Image wit h At o mic Scan
The following e xample of the atomic scan us age s hows how to s can a Re d Hat
Ente rpris e Linux image and the n lis t of all found vulne rabilitie s with --detail dire ctive .
# docker pull rhel7
Using default tag: latest c453594215e4: Download complete
# atomic scan c453594215e4
Container/Image Cri Imp Med Low
--------------- --- --- --- --c453594215e4 0 0 0 0
# atomic scan --detail c453594215e4 c453594215e4
OS : Red Hat Enterprise Linux Server release 7.2 (Maipo)
198

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
Note
A de taile d de s cription of the atomic command us age and containe rs is found in the
Product Docume ntation for Re d Hat Ente rpris e Linux Atomic Hos t . The Re d Hat
Cus tome r Portal als o provide s a guide to the Atomic command line inte rface (CLI) .
Whe n running multiple Re d Hat Ente rpris e Linux s ys te ms , it is important to ke e p all your s ys te ms compliant with your s e curity policy and pe rform s e curity s cans and e valuations re mote ly from one location. This can be achie ve d by us ing Re d Hat Sate llite 5.5 or late r with the spacewalk-oscap package ins talle d on your Sate llite clie nt. The package is available from the Red Hat Net wo rk T o o ls channe l. Se e How to e nable /dis able a re pos itory us ing Re d Hat Subs cription-Manage r?
This s olution s upports two me thods of pe rforming s e curity compliance s cans , vie wing and furthe r proce s s ing of the s can re s ults . You can e ithe r us e the OpenSCAP Satellite Web
Interface or run commands and s cripts from the Satellite API . For more information about this s olution to s e curity compliance , its re quire me nts and capabilitie s , s e e the Re d
Hat Sate llite docume ntation .
This s e ction de mons trate s practical us age of ce rtain s e curity conte nt provide d for Re d Hat products .
Re d Hat continuous ly provide s OVAL de finitions for the ir products . The s e de finitions allow for fully automate d audit of vulne rabilitie s in the ins talle d s oftware . To find out more information about this proje ct, s e e http://www.re dhat.com/s e curity/data/me trics / . To download the s e de finitions , run the following command:
~]$ wget http://www.redhat.com/security/data/oval/com.redhat.rhsa- all.xml
The us e rs of Re d Hat Sate llite 5 may find us e ful the XCCDF part of the patch de finitions .
To download the s e de finitions , run the following command:
~]$ wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa- all.xccdf.xml
To audit s e curity vulne rabilitie s for the s oftware ins talle d on the s ys te m, run the following command:
~]$ oscap oval eval --results rhsa-results-oval.xml --report oval- report.html com.redhat.rhsa-all.xml
The o scap utility maps Re d Hat Se curity Advis orie s to CVE ide ntifie rs that are linke d to the National Vulne rability Databas e and re ports which s e curity advis orie s are not applie d.
199

Se curit y Guide
Note
Note that the s e OVAL de finitions are de s igne d to only cove r s oftware and update s re le as e d by Re d Hat. You ne e d to provide additional de finitions in orde r to de te ct the patch s tatus of third-party s oftware .
The SCAP Se curity Guide (SSG) proje ct's package , scap-security-guide, contains the late s t s e t of s e curity police s for Linux s ys te ms . To ins tall the SCAP Se curity Guide package on your s ys te m, run the following command as root:
~]# yum install scap-security-guide
A part of scap-security-guide is als o a guidance for Re d Hat Ente rpris e Linux 7 s e ttings . To ins pe ct the s e curity conte nt available with scap-security-guide, us e the oscap info module :
~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The output of this command is an outline of the SSG docume nt and it contains available configuration profile s . To audit your s ys te m s e ttings , choos e a s uitable profile and run the appropriate e valuation command. For e xample , the following command is us e d to as s e s s the give n s ys te m agains t a draft SCAP profile for Re d Hat Ce rtifie d Cloud Provide rs :
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht- ccp --results ssg-rhel7-xccdf-result.xml --report ssg-rhel7-report.html
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
For more information about various s e curity compliance fie lds of inte re s t, s e e the re s ource s be low.
os cap(8) — The manual page for the o scap command-line utility provide s a comple te lis t of available options and the ir us age e xplanation.
s cap-workbe nch(8) — The manual page for the SCAP Workbench application provide s a bas ic information about the application as we ll as s ome links to pote ntial s ource s of
SCAP conte nt.
s cap-s e curity-guide (8) — The manual page for scap-securit y-guide provide s furthe r docume ntation about the various available SCAP s e curity profile s . Example s how to utilize the provide d be nchmarks us ing the OpenSCAP utility are provide d as we ll.
200

⁠Chapt e r 6. Co mpliance and Vulne rabilit y Scanning wit h O pe nSCAP
The Ope nSCAP proje ct page — The home page to the Ope nSCAP proje ct provide s de taile d information about the o scap utility and othe r compone nts and proje cts re late d to SCAP.
The SCAP Workbe nch proje ct page — The home page to the SCAP Workbe nch proje ct provide s de taile d information about the scap-wo rkbench application.
The SCAP Se curity Guide (SSG) proje ct page — The home page to the SSG proje ct that provide s the late s t s e curity conte nt for Re d Hat Ente rpris e Linux.
National Ins titute of Standards and Te chnology (NIST) SCAP page — This page re pre s e nts a vas t colle ction of SCAP re late d mate rials , including SCAP publications , s pe cifications , and the SCAP Validation Program.
National Vulne rability Databas e (NVD) — This page re pre s e nts the large s t re pos itory of
SCAP conte nt and othe r SCAP s tandards bas e d vulne rability manage me nt data.
Re d Hat OVAL conte nt re pos itory — This is a re pos itory containing OVAL de finitions for
Re d Hat Ente rpris e Linux s ys te ms .
MITRE CVE — This is a databas e of publicly known s e curity vulne rabilitie s provide d by the MITRE corporation.
MITRE OVAL — This page re pre s e nts an OVAL re late d proje ct provide d by the MITRE corporation. Amongs t othe r OVAL re late d information, the s e page s contain the late s t ve rs ion of the OVAL language and a huge re pos itory of OVAL conte nt, counting ove r 22 thous ands OVAL de finitions .
Re d Hat Sate llite docume ntation — This s e t of guide s de s cribe s , amongs t othe r topics , how to maintain s ys te m s e curity on multiple s ys te ms by us ing Ope nSCAP.
201

Se curit y Guide
In orde r to maintain s e curity le ve ls , it is pos s ible for your organization to make e fforts to comply with fe de ral and indus try s e curity s pe cifications , s tandards and re gulations . This chapte r de s cribe s s ome of the s e s tandards and re gulations .
The Fe de ral Information Proce s s ing Standard (FIPS) Publication 140-2, is a compute r s e curity s tandard, de ve lope d by a U.S. Gove rnme nt and indus try working group to validate the quality of cryptographic module s . FIPS publications (including 140-2) can be found at the following URL: http://cs rc.nis t.gov/publications /Pubs FIPS.html
. Note that at the time of writing,
Publication 140-3 is at Draft s tatus , and may not re pre s e nt the comple te d s tandard. The
FIPS s tandard provide s four (4) s e curity levels, to e ns ure ade quate cove rage of diffe re nt indus trie s , imple me ntations of cryptographic module s and organizational s ize s and re quire me nts . The s e le ve ls are de s cribe d be low:
Le ve l 1 — Se curity Le ve l 1 provide s the lowe s t le ve l of s e curity. Bas ic s e curity re quire me nts are s pe cifie d for a cryptographic module (for e xample , at le as t one
Approve d algorithm or Approve d s e curity function s hall be us e d). No s pe cific phys ical s e curity me chanis ms are re quire d in a Se curity Le ve l 1 cryptographic module be yond the bas ic re quire me nt for production-grade compone nts . An e xample of a Se curity
Le ve l 1 cryptographic module is a pe rs onal compute r (PC) e ncryption board.
Le ve l 2 — Se curity Le ve l 2 e nhance s the phys ical s e curity me chanis ms of a Se curity
Le ve l 1 cryptographic module by adding the re quire me nt for tampe r-e vide nce , which include s the us e of tampe r-e vide nt coatings or s e als or for pick-re s is tant locks on re movable cove rs or doors of the module . Tampe r-e vide nt coatings or s e als are place d on a cryptographic module s o that the coating or s e al mus t be broke n to attain phys ical acce s s to the plainte xt cryptographic ke ys and critical s e curity parame te rs
(CSPs ) within the module . Tampe r-e vide nt s e als or pick-re s is tant locks are place d on cove rs or doors to prote ct agains t unauthorize d phys ical acce s s .
Le ve l 3 — In addition to the tampe r-e vide nt phys ical s e curity me chanis ms re quire d at
Se curity Le ve l 2, Se curity Le ve l 3 atte mpts to pre ve nt the intrude r from gaining acce s s to CSPs he ld within the cryptographic module . Phys ical s e curity me chanis ms re quire d at Se curity Le ve l 3 are inte nde d to have a high probability of de te cting and re s ponding to atte mpts at phys ical acce s s , us e or modification of the cryptographic module . The phys ical s e curity me chanis ms may include the us e of s trong e nclos ure s and tampe r de te ction/re s pons e circuitry that ze roe s all plainte xt CSPs whe n the re movable cove rs /doors of the cryptographic module are ope ne d.
Le ve l 4 — Se curity Le ve l 4 provide s the highe s t le ve l of s e curity de fine d in this s tandard. At this s e curity le ve l, the phys ical s e curity me chanis ms provide a comple te e nve lope of prote ction around the cryptographic module with the inte nt of de te cting and re s ponding to all unauthorize d atte mpts at phys ical acce s s . Pe ne tration of the cryptographic module e nclos ure from any dire ction has a ve ry high probability of be ing de te cte d, re s ulting in the imme diate ze roization of all plainte xt CSPs . Se curity Le ve l 4 cryptographic module s are us e ful for ope ration in phys ically unprote cte d e nvironme nts .
Se e the full FIPS 140-2 s tandard at http://cs rc.nis t.gov/publications /fips /fips 140-
2/fips 1402.pdf
for furthe r de tails on the s e le ve ls and the othe r s pe cifications of the FIPS s tandard.
202

⁠Chapt e r 7. Fe de ral St andards and Re gulat io ns
To make Re d Hat Ente rpris e Linux compliant with the Fe de ral Information Proce s s ing
Standard (FIPS) Publication 140-2 you ne e d to make s e ve ral change s to e ns ure that accre dite d cryptographic module s are us e d. To turn your s ys te m (ke rne l and us e r s pace ) into FIPS mode , follow the s e s te ps :
1. For prope r ope ration of the in-module inte grity ve rification, the pre link has to be dis able d. This can be done by s e tting configuring PRELINKING=no in the
/etc/sysconfig/prelink configuration file . Exis ting pre linking, if any, s hould be undone on all s ys te m file s us ing the prelink -u -a command.
2. Ne xt, ins tall the dracut-fips package :
~]# yum install dracut-fips
3. Re cre ate the initramfs file :
~]# dracut -f
Warning
This ope ration will ove rwrite the e xis ting initramfs file .
4. Modify the ke rne l command line of the curre nt ke rne l in the grub.cfg
file by adding the following option to the GRUB_CMDLINE_LINUX ke y in the /etc/default/grub file and the n re build the grub.cfg
file : fips=1
Change s to /etc/default/grub re quire re building the grub.cfg
file as follows :
On BIOS-bas e d machine s , is s ue the following command as root :
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-bas e d machine s , is s ue the following command as root :
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
203

Se curit y Guide
Note
If /boot or /boot/efi re s ide on s e parate partitions , the ke rne l parame te r boot=<partition of /boot or /boot/efi> mus t be adde d to the ke rne l command line . You can ide ntify a partition by running the df /boot or df
/boot/efi command re s pe ctive ly:
~]$ df /boot
Filesystem 1K-blocks Used Available Use%
Mounted on
/dev/sda1 495844 53780 416464 12% /boot
To e ns ure that the boot= configuration option will work e ve n if de vice naming change s be twe e n boots , ide ntify the unive rs ally unique ide ntifie r (UUID) of the partition by running the following command:
~]$ blkid /dev/sda1
/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797"
TYPE="ext4"
For the e xample above , the following s tring ne e ds to be appe nde d to the ke rne l command line : boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
5. Re boot your s ys te m.
Should you re quire s trict FIPS compliance , the fips=1 ke rne l option ne e ds to be adde d to the ke rne l command line during s ys te m ins tallation s o that ke y ge ne ration is done with
FIPS approve d algorithms and continuous monitoring te s ts in place . Us e rs s hould als o e ns ure that the s ys te m has ple nty of e ntropy during the ins tallation proce s s by moving the mous e around, or if no mous e is available , e ns uring that many ke ys troke s are type d.
The re comme nde d amount of ke ys troke s is 256 and more . Le s s than 256 ke ys troke s may ge ne rate a non-unique ke y.
The NISPOM (als o calle d DoD 5220.22-M), as a compone nt of the National Indus trial
Se curity Program (NISP), e s tablis he s a s e rie s of proce dure s and re quire me nts for all gove rnme nt contractors with re gard to clas s ifie d information. The curre nt NISPOM is date d
Fe bruary 28, 2006, with incorporate d major change s from March 28, 2013. The NISPOM docume nt can be downloade d from the following URL: http://www.nis pom.org/NISPOMdownload.html
.
From https ://www.pcis e curitys tandards .org/about/inde x.s html : The PCI Security Standards
Council is an open global forum, launched in 2006, that is responsible for the development,
204

⁠Chapt e r 7. Fe de ral St andards and Re gulat io ns management, education, and awareness of the PCI Security Standards, including the Data
Security Standard (DSS).
You can download the PCI DSS s tandard from https ://www.pcis e curitys tandards .org/s e curity_s tandards /pci_ds s .s html .
A Se curity Te chnical Imple me ntation Guide or STIG is a me thodology for s tandardize d s e cure ins tallation and mainte nance of compute r s oftware and hardware .
Se e the following URL for more information on STIG: http://ias e .dis a.mil/s tigs /Page s /inde x.as px .
205

Se curit y Guide
In cryptography, the Advance d Encryption Standard (AES) is an e ncryption s tandard adopte d by the U.S. Gove rnme nt. The s tandard compris e s thre e block ciphe rs , AES-128,
AES-192 and AES-256, adopte d from a large r colle ction originally publis he d as Rijndae l.
Each AES ciphe r has a 128-bit block s ize , with ke y s ize s of 128, 192 and 256 bits , re s pe ctive ly. The AES ciphe rs have be e n analyze d e xte ns ive ly and are now us e d
worldwide , as was the cas e with its pre de ce s s or, the Data Encryption Standard (DES). ⁠
[3]
AES was announce d by National Ins titute of Standards and Te chnology (NIST) as U.S. FIPS
PUB 197 (FIPS 197) on Nove mbe r 26, 2001 afte r a 5-ye ar s tandardization proce s s . Fifte e n compe ting de s igns we re pre s e nte d and e valuate d be fore Rijndae l was s e le cte d as the mos t s uitable . It be came e ffe ctive as a s tandard May 26, 2002. It is available in many diffe re nt e ncryption package s . AES is the firs t publicly acce s s ible and ope n ciphe r approve d by the NSA for top s e cre t information (s e e the Se curity s e ction in the Wikipe dia
article on AES). ⁠
[4]
The Rijndae l ciphe r was de ve lope d by two Be lgian cryptographe rs , Joan Dae me n and
Vince nt Rijme n, and s ubmitte d by the m to the AES s e le ction proce s s . Rijndae l is a portmante au of the name s of the two inve ntors . ⁠
[5]
The Data Encryption Standard (DES) is a block ciphe r (a form of s hare d s e cre t e ncryption) that was s e le cte d by the National Bure au of Standards as an official Fe de ral Information
Proce s s ing Standard (FIPS) for the Unite d State s in 1976 and which has s ubs e que ntly e njoye d wide s pre ad us e inte rnationally. It is bas e d on a s ymme tric-ke y algorithm that us e s a 56-bit ke y. The algorithm was initially controve rs ial with clas s ifie d de s ign e le me nts , a re lative ly s hort ke y le ngth, and s us picions about a National Se curity Age ncy
(NSA) backdoor. DES cons e que ntly came unde r inte ns e acade mic s crutiny which motivate d
the mode rn unde rs tanding of block ciphe rs and the ir cryptanalys is . ⁠
[6]
DES is now cons ide re d to be ins e cure for many applications . This is chie fly due to the 56bit ke y s ize be ing too s mall; in January, 1999, dis tribute d.ne t and the Ele ctronic Frontie r
Foundation collaborate d to publicly bre ak a DES ke y in 22 hours and 15 minute s . The re are als o s ome analytical re s ults which de mons trate the ore tical we akne s s e s in the ciphe r, although the y are unfe as ible to mount in practice . The algorithm is be lie ve d to be practically s e cure in the form of Triple DES, although the re are the ore tical attacks . In re ce nt ye ars , the ciphe r has be e n s upe rs e de d by the Advance d Encryption Standard
(AES). ⁠
[7]
In s ome docume ntation, a dis tinction is made be twe e n DES as a s tandard and DES the algorithm which is re fe rre d to as the DEA (the Data Encryption Algorithm). ⁠
[8]
206

⁠Appe ndix A. Encrypt io n St andards
Public-ke y cryptography is a cryptographic approach, e mploye d by many cryptographic algorithms and cryptos ys te ms , whos e dis tinguis hing characte ris tic is the us e of as ymme tric ke y algorithms ins te ad of or in addition to s ymme tric ke y algorithms . Us ing the te chnique s of public ke y-private ke y cryptography, many me thods of prote cting communications or authe nticating me s s age s forme rly unknown have be come practical.
The y do not re quire a s e cure initial e xchange of one or more s e cre t ke ys as is re quire d
whe n us ing s ymme tric ke y algorithms . It can als o be us e d to cre ate digital s ignature s . ⁠
[9]
Public ke y cryptography is a fundame ntal and wide ly us e d te chnology around the world, and is the approach which unde rlie s s uch Inte rne t s tandards as Trans port Laye r Se curity
(TLS) (s ucce s s or to SSL), PGP and GPG. ⁠
[10]
The dis tinguis hing te chnique us e d in public ke y cryptography is the us e of as ymme tric ke y algorithms , whe re the ke y us e d to e ncrypt a me s s age is not the s ame as the ke y us e d to de crypt it. Each us e r has a pair of cryptographic ke ys — a public ke y and a private ke y.
The private ke y is ke pt s e cre t, whils t the public ke y may be wide ly dis tribute d. Me s s age s are e ncrypte d with the re cipie nt's public ke y and can only be de crypte d with the corre s ponding private ke y. The ke ys are re late d mathe matically, but the private ke y cannot be fe as ibly (ie , in actual or proje cte d practice ) de rive d from the public ke y. It was the dis cove ry of s uch algorithms which re volutionize d the practice of cryptography
be ginning in the middle 1970s . ⁠
[11]
In contras t, Symme tric-ke y algorithms , variations of which have be e n us e d for s ome thous ands of ye ars , us e a s ingle s e cre t ke y s hare d by s e nde r and re ce ive r (which mus t als o be ke pt private , thus accounting for the ambiguity of the common te rminology) for both e ncryption and de cryption. To us e a s ymme tric e ncryption s che me , the s e nde r and re ce ive r mus t s e cure ly s hare a ke y in advance . ⁠
[12]
Be caus e s ymme tric ke y algorithms are ne arly always much le s s computationally inte ns ive , it is common to e xchange a ke y us ing a ke y-e xchange algorithm and trans mit data us ing that ke y and a s ymme tric ke y algorithm. PGP, and the SSL/TLS family of
s che me s do this , for ins tance , and are calle d hybrid cryptos ys te ms in cons e que nce . ⁠
[13]
Diffie –He llman ke y e xchange (D–H) is a cryptographic protocol that allows two partie s that have no prior knowle dge of e ach othe r to jointly e s tablis h a s hare d s e cre t ke y ove r an ins e cure communications channe l. This ke y can the n be us e d to e ncrypt s ubs e que nt communications us ing a s ymme tric ke y ciphe r. ⁠
[14]
The s che me was firs t publis he d by Whitfie ld Diffie and Martin He llman in 1976, although it late r e me rge d that it had be e n s e parate ly inve nte d a fe w ye ars e arlie r within GCHQ, the
Britis h s ignals inte llige nce age ncy, by Malcolm J. Williams on but was ke pt clas s ifie d. In
2002, He llman s ugge s te d the algorithm be calle d Diffie –He llman–Me rkle ke y e xchange in re cognition of Ralph Me rkle 's contribution to the inve ntion of public-ke y cryptography
(He llman, 2002). ⁠
[15]
207

Se curit y Guide
Although Diffie –He llman ke y agre e me nt its e lf is an anonymous (non-authe nticate d) ke yagre e me nt protocol, it provide s the bas is for a varie ty of authe nticate d protocols , and is us e d to provide pe rfe ct forward s e cre cy in Trans port Laye r Se curity's e phe me ral mode s
(re fe rre d to as EDH or DHE de pe nding on the ciphe r s uite ). ⁠
[16]
U.S. Pate nt 4,200,770, now e xpire d, de s cribe s the algorithm and cre dits He llman, Diffie , and Me rkle as inve ntors . ⁠
[17]
In cryptography, RSA (which s tands for Rive s t, Shamir and Adle man who firs t publicly de s cribe d it) is an algorithm for public-ke y cryptography. It is the firs t algorithm known to be s uitable for s igning as we ll as e ncryption, and was one of the firs t gre at advance s in public ke y cryptography. RSA is wide ly us e d in e le ctronic comme rce protocols , and is be lie ve d to be s e cure give n s ufficie ntly long ke ys and the us e of up-to-date imple me ntations .
DSA (Digital Signature Algorithm) is a s tandard for digital s ignature s , a Unite d State s fe de ral gove rnme nt s tandard for digital s ignature s . DSA is for s ignature s only and is not
an e ncryption algorithm. ⁠
[18]
Trans port Laye r Se curity (TLS) and its pre de ce s s or, Se cure Socke ts Laye r (SSL), are cryptographic protocols that provide s e curity for communications ove r ne tworks s uch as the Inte rne t. TLS and SSL e ncrypt the s e gme nts of ne twork conne ctions at the Trans port
Laye r e nd-to-e nd.
Se ve ral ve rs ions of the protocols are in wide s pre ad us e in applications like we b brows ing,
e le ctronic mail, Inte rne t faxing, ins tant me s s aging and voice -ove r-IP (VoIP). ⁠
[19]
The Crame r–Shoup s ys te m is an as ymme tric ke y e ncryption algorithm, and was the firs t e fficie nt s che me prove n to be s e cure agains t adaptive chos e n ciphe rte xt attack us ing s tandard cryptographic as s umptions . Its s e curity is bas e d on the computational intractability (wide ly as s ume d, but not prove d) of the de cis ional Diffie –He llman as s umption.
De ve lope d by Ronald Crame r and Victor Shoup in 1998, it is an e xte ns ion of the ElGamal cryptos ys te m. In contras t to ElGamal, which is e xtre me ly malle able , Crame r–Shoup adds additional e le me nts to e ns ure non-malle ability e ve n agains t a re s ource ful attacke r. This non-malle ability is achie ve d through the us e of a collis ion-re s is tant has h function and additional computations , re s ulting in a ciphe rte xt which is twice as large as in ElGamal.
[20]
In cryptography, the ElGamal e ncryption s ys te m is an as ymme tric ke y e ncryption algorithm for public-ke y cryptography which is bas e d on the Diffie -He llman ke y agre e me nt.
It was de s cribe d by Tahe r ElGamal in 1985. ElGamal e ncryption is us e d in the fre e GNU
Privacy Guard s oftware , re ce nt ve rs ions of PGP, and othe r cryptos ys te ms . ⁠
[21]
208

⁠Appe ndix A. Encrypt io n St andards
[3]
"Advanced Encryption Standard." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[4]
"Advanced Encryption Standard." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[5] "Advanced Encryption Standard." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[6]
"Data Encryption Standard." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Data_Encryption_Standard
[7] "Data Encryption Standard." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Data_Encryption_Standard
[8]
"Data Encryption Standard." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Data_Encryption_Standard
[9]
"Public-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Publickey_cryptography
[10]
"Public-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Publickey_cryptography
[11]
"Public-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Publickey_cryptography
[12] "Public-key Encryption." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Publickey_cryptography
[13]
"Public-key Encryption." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Publickey_cryptography
[14]
"Diffie-Hellm an." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Diffie-Hellm an
[15] "Diffie-Hellm an." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Diffie-Hellm an
[16]
"Diffie-Hellm an." Wikipedia. 14 Novem ber 2009 http://en.wikipedia.org/wiki/Diffie-Hellm an
[17] "Diffie-Hellm an." Wikipedia. 14 Novem ber 2009
http://en.wikipedia.org/wiki/Diffie-Hellm an
[18]
"DSA." Wikipedia. 24 February 2010 http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
[19]
"TLS/SSL." Wikipedia. 24 February 2010 http://en.wikipedia.org/wiki/Transport_Layer_Security
[20] "Cram er-Shoup cryptosystem ." Wikipedia. 24 February 2010
http://en.wikipedia.org/wiki/Cram er–Shoup_cryptosystem
[21] "ElGam al encryption" Wikipedia. 24 February 2010
http://en.wikipedia.org/wiki/ElGam al_encryption
209

Se curit y Guide
Table B.1, “Eve nt Fie lds ”
lis ts all curre ntly-s upporte d Audit e ve nt fie lds . An e ve nt fie ld is the value pre ce ding the e qual s ign in the Audit log file s .
T able B.1. Event Fields
Event Field a0 , a1 , a2 , a3 acct addr arch auid capability cap_fi cap_fp cap_pe cap_pi cap_pp cgroup cmd comm cwd data dev
Explanat io n
Re cords the firs t four argume nts of the s ys te m call, e ncode d in he xade cimal notation.
Re cords a us e r's account name .
Re cords the IPv4 or IPv6 addre s s . This fie ld us ually follows a hostname fie ld and contains the addre s s the hos t name re s olve s to.
Re cords information about the CPU archite cture of the s ys te m, e ncode d in he xade cimal notation.
Re cords the Audit us e r ID. This ID is as s igne d to a us e r upon login and is inhe rite d by e ve ry proce s s e ve n whe n the us e r's ide ntity change s (for e xample , by s witching us e r accounts with su - john ).
Re cords the numbe r of bits that we re us e d to s e t a particular
Linux capability. For more information on Linux capabilitie s , re fe r to the capabilitie s (7) man page .
Re cords data re late d to the s e tting of an inhe rite d file s ys te m-bas e d capability.
Re cords data re late d to the s e tting of a pe rmitte d file s ys te mbas e d capability.
Re cords data re late d to the s e tting of an e ffe ctive proce s s bas e d capability.
Re cords data re late d to the s e tting of an inhe rite d proce s s bas e d capability.
Re cords data re late d to the s e tting of a pe rmitte d proce s s bas e d capability.
Re cords the path to the cgroup that contains the proce s s at the time the Audit e ve nt was ge ne rate d.
Re cords the e ntire command line that is e xe cute d. This is us e ful in cas e of s he ll inte rpre te rs whe re the exe fie ld re cords , for e xample , /bin/bash as the s he ll inte rpre te r and the cmd fie ld re cords the re s t of the command line that is e xe cute d, for e xample helloworld.sh --help .
Re cords the command that is e xe cute d. This is us e ful in cas e of s he ll inte rpre te rs whe re the exe fie ld re cords , for e xample ,
/bin/bash as the s he ll inte rpre te r and the comm fie ld re cords the name of the s cript that is e xe cute d, for e xample helloworld.sh
.
Re cords the path to the dire ctory in which a s ys te m call was invoke d.
Re cords data as s ociate d with TTY re cords .
Re cords the minor and major ID of the de vice that contains the file or dire ctory re corde d in an e ve nt.
210

Event Field devmajor devminor egid euid exe exit family filetype flags fsgid fsuid gid hostname icmptype id inode inode_gid inode_uid items key list mode msg msgtype name
⁠Appe ndix B. Audit Syst e m Re f e re nce
Explanat io n
Re cords the major de vice ID.
Re cords the minor de vice ID.
Re cords the e ffe ctive group ID of the us e r who s tarte d the analyze d proce s s .
Re cords the e ffe ctive us e r ID of the us e r who s tarte d the analyze d proce s s .
Re cords the path to the e xe cutable that was us e d to invoke the analyze d proce s s .
Re cords the e xit code re turne d by a s ys te m call. This value varie s by s ys te m call. You can inte rpre t the value to its human-re adable e quivale nt with the following command: ausearch --interpret --exit exit_code
Re cords the type of addre s s protocol that was us e d, e ithe r
IPv4 or IPv6.
Re cords the type of the file .
Re cords the file s ys te m name flags .
Re cords the file s ys te m group ID of the us e r who s tarte d the analyze d proce s s .
Re cords the file s ys te m us e r ID of the us e r who s tarte d the analyze d proce s s .
Re cords the group ID.
Re cords the hos t name .
Re cords the type of a Inte rne t Control Me s s age Protocol
(ICMP) package that is re ce ive d. Audit me s s age s containing this fie ld are us ually ge ne rate d by ipt ables.
Re cords the us e r ID of an account that was change d.
Re cords the inode numbe r as s ociate d with the file or dire ctory re corde d in an Audit e ve nt.
Re cords the group ID of the inode 's owne r.
Re cords the us e r ID of the inode 's owne r.
Re cords the numbe r of path re cords that are attache d to this re cord.
Re cords the us e r de fine d s tring as s ociate d with a rule that ge ne rate d a particular e ve nt in the Audit log.
Re cords the Audit rule lis t ID. The following is a lis t of known
IDs :
0 — user
1 — task
4 — exit
5 — exclude
Re cords the file or dire ctory pe rmis s ions , e ncode d in nume rical notation.
Re cords a time s tamp and a unique ID of a re cord, or various e ve nt-s pe cific <name>=<value> pairs provide d by the ke rne l or us e r s pace applications .
Re cords the me s s age type that is re turne d in cas e of a us e rbas e d AVC de nial. The me s s age type is de te rmine d by D-
Bus .
Re cords the full path of the file or dire ctory that was pas s e d to the s ys te m call as an argume nt.
211

Se curit y Guide
Event Field new-disk new-mem new-vcpu new-net new_gid oauid ocomm opid oses ouid obj obj_gid obj_lev_high obj_lev_low obj_role obj_uid obj_user ogid old-disk old-mem old-vcpu old-net old_prom ouid path perm
Explanat io n
Re cords the name of a ne w dis k re s ource that is as s igne d to a virtual machine .
Re cords the amount of a ne w me mory re s ource that is as s igne d to a virtual machine .
Re cords the numbe r of a ne w virtual CPU re s ource that is as s igne d to a virtual machine .
Re cords the MAC addre s s of a ne w ne twork inte rface re s ource that is as s igne d to a virtual machine .
Re cords a group ID that is as s igne d to a us e r.
Re cords the us e r ID of the us e r that has logge d in to acce s s the s ys te m (as oppos e d to, for e xample , us ing su ) and has s tarte d the targe t proce s s . This fie ld is e xclus ive to the re cord of type OBJ_PID .
Re cords the command that was us e d to s tart the targe t proce s s .This fie ld is e xclus ive to the re cord of type OBJ_PID .
Re cords the proce s s ID of the targe t proce s s . This fie ld is e xclus ive to the re cord of type OBJ_PID .
Re cords the s e s s ion ID of the targe t proce s s . This fie ld is e xclus ive to the re cord of type OBJ_PID .
Re cords the re al us e r ID of the targe t proce s s
Re cords the SELinux conte xt of an obje ct. An obje ct can be a file , a dire ctory, a s ocke t, or anything that is re ce iving the action of a s ubje ct.
Re cords the group ID of an obje ct.
Re cords the high SELinux le ve l of an obje ct.
Re cords the low SELinux le ve l of an obje ct.
Re cords the SELinux role of an obje ct.
Re cords the UID of an obje ct
Re cords the us e r that is as s ociate d with an obje ct.
Re cords the obje ct owne r's group ID.
Re cords the name of an old dis k re s ource whe n a ne w dis k re s ource is as s igne d to a virtual machine .
Re cords the amount of an old me mory re s ource whe n a ne w amount of me mory is as s igne d to a virtual machine .
Re cords the numbe r of an old virtual CPU re s ource whe n a ne w virtual CPU is as s igne d to a virtual machine .
Re cords the MAC addre s s of an old ne twork inte rface re s ource whe n a ne w ne twork inte rface is as s igne d to a virtual machine .
Re cords the pre vious value of the ne twork promis cuity flag.
Re cords the re al us e r ID of the us e r who s tarte d the targe t proce s s .
Re cords the full path of the file or dire ctory that was pas s e d to the s ys te m call as an argume nt in cas e of AVC-re late d
Audit e ve nts
Re cords the file pe rmis s ion that was us e d to ge ne rate an e ve nt (that is , re ad, write , e xe cute , or attribute change )
212

ppid prom proto res result saddr sauid ses sgid sig subj subj_clr subj_role subj_sen subj_user success suid syscall terminal tty uid vm
Event Field pid
⁠Appe ndix B. Audit Syst e m Re f e re nce
Explanat io n
The pid fie ld s e mantics de pe nd on the origin of the value in this fie ld.
In fie lds ge ne rate d from us e r-s pace , this fie ld holds a proce s s
ID.
In fie lds ge ne rate d by the ke rne l, this fie ld holds a thre ad ID.
The thre ad ID is e qual to proce s s ID for s ingle -thre ade d proce s s e s . Note that the value of this thre ad ID is diffe re nt from the value s of pthre ad_t IDs us e d in us e r-s pace . For more information, re fe r to the ge ttid(2) man page .
Re cords the Pare nt Proce s s ID (PID).
Re cords the ne twork promis cuity flag.
Re cords the ne tworking protocol that was us e d. This fie ld is s pe cific to Audit e ve nts ge ne rate d by ipt ables.
Re cords the re s ult of the ope ration that trigge re d the Audit e ve nt.
Re cords the re s ult of the ope ration that trigge re d the Audit e ve nt.
Re cords the s ocke t addre s s .
Re cords the s e nde r Audit login us e r ID. This ID is provide d by
D-Bus as the ke rne l is unable to s e e which us e r is s e nding the original auid .
Re cords the s e s s ion ID of the s e s s ion from which the analyze d proce s s was invoke d.
Re cords the s e t group ID of the us e r who s tarte d the analyze d proce s s .
Re cords the numbe r of a s ignal that caus e s a program to e nd abnormally. Us ually, this is a s ign of a s ys te m intrus ion.
Re cords the SELinux conte xt of a s ubje ct. A s ubje ct can be a proce s s , a us e r, or anything that is acting upon an obje ct.
Re cords the SELinux cle arance of a s ubje ct.
Re cords the SELinux role of a s ubje ct.
Re cords the SELinux s e ns itivity of a s ubje ct.
Re cords the us e r that is as s ociate d with a s ubje ct.
Re cords whe the r a s ys te m call was s ucce s s ful or faile d.
Re cords the s e t us e r ID of the us e r who s tarte d the analyze d proce s s .
Re cords the type of the s ys te m call that was s e nt to the ke rne l.
Re cords the te rminal name (without /dev/ ).
Re cords the name of the controlling te rminal. The value
(none) is us e d if the proce s s has no controlling te rminal.
Re cords the re al us e r ID of the us e r who s tarte d the analyze d proce s s .
Re cords the name of a virtual machine from which the Audit e ve nt originate d.
213

Se curit y Guide
Table B.2, “Re cord Type s ”
lis ts all curre ntly-s upporte d type s of Audit re cords . The e ve nt type is s pe cifie d in the type= fie ld at the be ginning of e ve ry Audit re cord.
T able B.2. Reco rd T ypes
Event T ype
ADD_GROUP
ADD_USER
ANOM_ABEND
⁠
[a]
ANOM_ACCESS_FS
ANOM_ADD_ACCT
[a]
[a]
ANOM_AMTU_FAIL
[a]
ANOM_CRYPTO_FAIL
ANOM_DEL_ACCT
[a]
[a]
Explanat io n
Trigge re d whe n a us e r-s pace group is adde d.
Trigge re d whe n a us e r-s pace us e r account is adde d.
Trigge re d whe n a proce s s e s e nds abnormally (with a s ignal that could caus e a core dump, if e nable d).
Trigge re d whe n a file or a dire ctory acce s s e nds abnormally.
Trigge re d whe n a us e r-s pace account addition e nds abnormally.
Trigge re d whe n a failure of the Abs tract Machine Te s t Utility
(AMTU) is de te cte d.
Trigge re d whe n a failure in the cryptographic s ys te m is de te cte d.
Trigge re d whe n a us e r-s pace account de le tion e nds abnormally.
Trigge re d whe n an e xe cution of a file e nds abnormally.
Trigge re d whe n an account login atte mpt e nds abnormally.
Trigge re d whe n the limit of faile d login atte mpts is re ache d.
ANOM_EXEC
[a]
ANOM_LOGIN_ACCT
[a]
ANOM_LOGIN_FAILURES
[ a]
ANOM_LOGIN_LOCATION
[ a]
ANOM_LOGIN_SESSIONS
[ a]
ANOM_LOGIN_TIME
[a]
ANOM_MAX_DAC
ANOM_MAX_MAC
ANOM_MK_EXEC
[a]
[a]
[a]
ANOM_MOD_ACCT
[a]
ANOM_PROMISCUOUS
ANOM_RBAC_FAIL
[a]
[a]
ANOM_RBAC_INTEGRITY_
FAIL
[a]
ANOM_ROOT_TRANS
[a]
AVC
AVC_PATH
Trigge re d whe n a login atte mpt is made from a forbidde n location.
Trigge re d whe n a login atte mpt re ache s the maximum amount of concurre nt s e s s ions .
Trigge re d whe n a login atte mpt is made at a time whe n it is pre ve nte d by, for e xample , pam_time .
Trigge re d whe n the maximum amount of Dis cre tionary Acce s s
Control (DAC) failure s is re ache d.
Trigge re d whe n the maximum amount of Mandatory Acce s s
Control (MAC) failure s is re ache d.
Trigge re d whe n a file is made e xe cutable .
Trigge re d whe n a us e r-s pace account modification e nds abnormally.
Trigge re d whe n a de vice e nable s or dis able s promis cuous mode .
Trigge re d whe n a Role -Bas e d Acce s s Control (RBAC) s e lf-te s t failure is de te cte d.
Trigge re d whe n a Role -Bas e d Acce s s Control (RBAC) file inte grity te s t failure is de te cte d.
Trigge re d whe n a us e r be come s root.
Trigge re d to re cord an SELinux pe rmis s ion che ck.
Trigge re d to re cord the dentry and vfsmount pair whe n an
SELinux pe rmis s ion che ck occurs .
214

⁠Appe ndix B. Audit Syst e m Re f e re nce
Event T ype
BPRM_FCAPS
CAPSET
CHGRP_ID
CHUSER_ID
CONFIG_CHANGE
CRED_ACQ
CRED_DISP
CRED_REFR
CRYPTO_FAILURE_USER
CRYPTO_KEY_USER
CRYPTO_LOGIN
CRYPTO_LOGOUT
CRYPTO_PARAM_CHANGE_
USER
CRYPTO_REPLAY_USER
CRYPTO_SESSION
CRYPTO_TEST_USER
CWD
DAC_CHECK
DAEMON_ABORT
DAEMON_ACCEPT
DAEMON_CLOSE
DAEMON_CONFIG
DAEMON_END
DAEMON_RESUME
DAEMON_ROTATE
DAEMON_START
DEL_GROUP
DEL_USER
DEV_ALLOC
DEV_DEALLOC
EOE
EXECVE
FD_PAIR
FS_RELABEL
GRP_AUTH
Explanat io n
Trigge re d whe n a us e r e xe cute s a program with a file s ys te m capability.
Trigge re d to re cord the capabilitie s be ing s e t for proce s s bas e d capabilitie s , for e xample , running as root to drop capabilitie s .
Trigge re d whe n a us e r-s pace group ID is change d.
Trigge re d whe n a us e r-s pace us e r ID is change d.
Trigge re d whe n the Audit s ys te m configuration is modifie d.
Trigge re d whe n a us e r acquire s us e r-s pace cre de ntials .
Trigge re d whe n a us e r dis pos e s of us e r-s pace cre de ntials .
Trigge re d whe n a us e r re fre s he s the ir us e r-s pace cre de ntials .
Trigge re d whe n a de crypt, e ncrypt, or randomize cryptographic ope ration fails .
Trigge re d to re cord the cryptographic ke y ide ntifie r us e d for cryptographic purpos e s .
Trigge re d whe n a cryptographic office r login atte mpt is de te cte d.
Trigge re d whe n a crypto office r logout atte mpt is de te cte d.
Trigge re d whe n a change in a cryptographic parame te r is de te cte d.
Trigge re d whe n a re play attack is de te cte d.
Trigge re d to re cord parame te rs s e t during a TLS s e s s ion e s tablis hme nt.
Trigge re d to re cord cryptographic te s t re s ults as re quire d by the FIPS-140 s tandard.
Trigge re d to re cord the curre nt working dire ctory.
Trigge re d to re cord DAC che ck re s ults .
Trigge re d whe n a dae mon is s toppe d due to an e rror.
Trigge re d whe n the auditd dae mon acce pts a re mote conne ction.
Trigge re d whe n the auditd dae mon clos e s a re mote conne ction.
Trigge re d whe n a dae mon configuration change is de te cte d.
Trigge re d whe n a dae mon is s ucce s s fully s toppe d.
Trigge re d whe n the auditd dae mon re s ume s logging.
Trigge re d whe n the auditd dae mon rotate s the Audit log file s .
Trigge re d whe n the auditd dae mon is s tarte d.
Trigge re d whe n a us e r-s pace group is de le te d
Trigge re d whe n a us e r-s pace us e r is de le te d
Trigge re d whe n a de vice is allocate d.
Trigge re d whe n a de vice is de allocate d.
Trigge re d to re cord the e nd of a multi-re cord e ve nt.
Trigge re d to re cord argume nts of the execve(2) s ys te m call.
Trigge re d to re cord the us e of the pipe and socketpair s ys te m calls .
Trigge re d whe n a file s ys te m re labe l ope ration is de te cte d.
Trigge re d whe n a group pas s word is us e d to authe nticate agains t a us e r-s pace group.
215

Se curit y Guide
Event T ype
INTEGRITY_DATA
⁠
INTEGRITY_HASH
[b]
INTEGRITY_METADATA
[b]
INTEGRITY_PCR
INTEGRITY_RULE
INTEGRITY_STATUS
[b]
IPC
IPC_SET_PERM
KERNEL
KERNEL_OTHER
LABEL_LEVEL_CHANGE
LABEL_OVERRIDE
LOGIN
[b]
MAC_POLICY_LOAD
MAC_STATUS
[b]
[b]
MAC_CIPSOV4_ADD
MAC_CIPSOV4_DEL
MAC_CONFIG_CHANGE
MAC_IPSEC_EVENT
MAC_MAP_ADD
MAC_MAP_DEL
MAC_UNLBL_ALLOW
MAC_UNLBL_STCADD
MAC_UNLBL_STCDEL
MMAP
MQ_GETSETATTR
Explanat io n
Trigge re d to re cord a data inte grity ve rification e ve nt run by the ke rne l.
Trigge re d to re cord a has h type inte grity ve rification e ve nt run by the ke rne l.
Trigge re d to re cord a me tadata inte grity ve rification e ve nt run by the ke rne l.
Trigge re d to re cord Platform Configuration Re gis te r (PCR) invalidation me s s age s .
Trigge re d to re cord a policy rule .
Trigge re d to re cord the s tatus of inte grity ve rification.
Trigge re d to re cord information about a Inte r-Proce s s
Communication obje ct re fe re nce d by a s ys te m call.
Trigge re d to re cord information about ne w value s s e t by an
IPC_SET control ope ration on an IPC obje ct.
Trigge re d to re cord the initialization of the Audit s ys te m.
Trigge re d to re cord information from third-party ke rne l module s .
Trigge re d whe n an obje ct's le ve l labe l is modifie d.
Trigge re d whe n an adminis trator ove rride s an obje ct's le ve l labe l.
Trigge re d to re cord re le vant login information whe n a us e r log in to acce s s the s ys te m.
Trigge re d whe n a Comme rcial Inte rne t Protocol Se curity
Option (CIPSO) us e r adds a ne w Domain of Inte rpre tation
(DOI). Adding DOIs is a part of the packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n a CIPSO us e r de le te s an e xis ting DOI. Adding
DOIs is a part of the packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n an SELinux Boole an value is change d.
Trigge re d to re cord information about an IPSe c e ve nt, whe n one is de te cte d, or whe n the IPSe c configuration change s .
Trigge re d whe n a ne w Linux Se curity Module (LSM) domain mapping is adde d. LSM domain mapping is a part of the packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n an e xis ting LSM domain mapping is adde d.
LSM domain mapping is a part of the packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n a SELinux policy file is loade d.
Trigge re d whe n the SELinux mode (e nforcing, pe rmis s ive , off) is change d.
Trigge re d whe n unlabe le d traffic is allowe d whe n us ing the packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n a s tatic labe l is adde d whe n us ing the packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d whe n a s tatic labe l is de le te d whe n us ing the packe t labe ling capabilitie s of the ke rne l provide d by Ne tLabe l.
Trigge re d to re cord a file de s criptor and flags of the mmap(2) s ys te m call.
Trigge re d to re cord the mq_getattr(3) and mq_setattr(3) me s s age que ue attribute s .
216

⁠Appe ndix B. Audit Syst e m Re f e re nce
Event T ype
MQ_NOTIFY
MQ_OPEN
MQ_SENDRECV
NETFILTER_CFG
NETFILTER_PKT
OBJ_PID
PATH
RESP_ACCT_LOCK
⁠
[c]
RESP_ACCT_LOCK_TIMED
[c]
RESP_ACCT_REMOTE
[c]
RESP_ACCT_UNLOCK_TIM
ED
[c]
RESP_ALERT
[c]
RESP_ANOMALY
[c]
RESP_EXEC
[c]
RESP_HALT
RESP_KILL_PROC
RESP_SEBOOL
RESP_SINGLE
ROLE_MODIFY
ROLE_REMOVE
SELINUX_ERR
SOCKADDR
SOCKETCALL
SYSCALL
[c]
SYSTEM_BOOT
SYSTEM_RUNLEVEL
SYSTEM_SHUTDOWN
TEST
TRUSTED_APP
[c]
[c]
RESP_TERM_ACCESS
RESP_TERM_LOCK
ROLE_ASSIGN
SERVICE_START
SERVICE_STOP
[c]
[c]
[c]
Explanat io n
Trigge re d to re cord argume nts of the mq_notify(3) s ys te m call.
Trigge re d to re cord argume nts of the mq_open(3) s ys te m call.
Trigge re d to re cord argume nts of the mq_send(3) and mq_receive(3) s ys te m calls .
Trigge re d whe n Ne tfilte r chain modifications are de te cte d.
Trigge re d to re cord packe ts trave rs ing Ne tfilte r chains .
Trigge re d to re cord information about a proce s s to which a s ignal is s e nt.
Trigge re d to re cord file name path information.
Trigge re d whe n a us e r account is locke d.
Trigge re d whe n a us e r account is locke d for a s pe cifie d pe riod of time .
Trigge re d whe n a us e r account is locke d from a re mote s e s s ion.
Trigge re d whe n a us e r account is unlocke d afte r a configure d pe riod of time .
Trigge re d whe n an ale rt e mail is s e nt.
Trigge re d whe n an anomaly was not acte d upon.
Trigge re d whe n an intrus ion de te ction program re s ponds to a thre at originating from the e xe cution of a program.
Trigge re d whe n the s ys te m is s hut down.
Trigge re d whe n a proce s s is te rminate d.
Trigge re d whe n an SELinux Boole an value is s e t.
Trigge re d whe n the s ys te m is put into s ingle -us e r mode .
Trigge re d whe n a s e s s ion is te rminate d.
Trigge re d whe n a te rminal is locke d.
Trigge re d whe n an adminis trator as s igns a us e r to an SELinux role .
Trigge re d whe n an adminis trator modifie s an SELinux role .
Trigge re d whe n an adminis trator re move s a us e r from an
SELinux role .
Trigge re d whe n an inte rnal SELinux e rror is de te cte d.
Trigge re d whe n a s e rvice is s tarte d.
Trigge re d whe n a s e rvice is s toppe d.
Trigge re d to re cord a s ocke t addre s s .
Trigge re d to re cord argume nts of the sys_socketcall s ys te m call (us e d to multiple x many s ocke t-re late d s ys te m calls ).
Trigge re d to re cord a s ys te m call to the ke rne l.
Trigge re d whe n the s ys te m is boote d up.
Trigge re d whe n the s ys te m's run le ve l is change d.
Trigge re d whe n the s ys te m is s hut down.
Trigge re d to re cord the s ucce s s value of a te s t me s s age .
The re cord of this type can be us e d by third party application that re quire auditing.
217

Se curit y Guide
Event T ype Explanat io n
TTY Trigge re d whe n TTY input was s e nt to an adminis trative proce s s .
USER_ACCT
USER_AUTH
USER_AVC
USER_CHAUTHTOK
USER_CMD
USER_END
USER_ERR
USER_LABELED_EXPORT
USER_LOGIN
USER_LOGOUT
USER_MAC_POLICY_LOAD Trigge re d whe n a us e r-s pace dae mon loads an SELinux policy.
USER_MGMT Trigge re d to re cord us e r-s pace manage me nt data.
USER_ROLE_CHANGE
USER_SELINUX_ERR
Trigge re d whe n a us e r's SELinux role is change d.
Trigge re d whe n a us e r-s pace SELinux e rror is de te cte d.
USER_START
USER_TTY
USER_UNLABELED_EXPOR
T
USYS_CONFIG
VIRT_CONTROL
Trigge re d whe n a us e r-s pace us e r account is modifie d.
Trigge re d whe n a us e r-s pace authe ntication atte mpt is de te cte d.
Trigge re d whe n a us e r-s pace AVC me s s age is ge ne rate d.
Trigge re d whe n a us e r account attribute is modifie d.
Trigge re d whe n a us e r-s pace s he ll command is e xe cute d.
Trigge re d whe n a us e r-s pace s e s s ion is te rminate d.
Trigge re d whe n a us e r account s tate e rror is de te cte d.
Trigge re d whe n an obje ct is e xporte d with an SELinux labe l.
Trigge re d whe n a us e r logs in.
Trigge re d whe n a us e r logs out.
Trigge re d whe n a us e r-s pace s e s s ion is s tarte d.
Trigge re d whe n an e xplanatory me s s age about TTY input to an adminis trative proce s s is s e nt from us e r-s pace .
Trigge re d whe n an obje ct is e xporte d without SELinux labe l.
Trigge re d whe n a us e r-s pace s ys te m configuration change is de te cte d.
Trigge re d whe n a virtual machine is s tarte d, paus e d, or s toppe d.
VIRT_MACHINE_ID
VIRT_RESOURCE
Trigge re d to re cord the binding of a labe l to a virtual machine .
Trigge re d to re cord re s ource as s ignme nt of a virtual machine .
[a] All Audit event types prepended with
ANOM are intended to be processed by an intrusion detection program .
[b] This event type is related to the Integrity Measurem ent Architecture (IMA), which functions
best with a Trusted Platform Module (TPM) chip.
[c]
All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects m alicious activity on the system .
218

⁠Appe ndix C. Re visio n Hist o ry
Revisio n 1-19 Mo n Jul 18 20 16
The Smart Cards s e ction adde d.
Mirek Jaho da
Revisio n 1-18 Mo n Jun 27 20 16
The Ope nSCAP-dae mon and Atomic Scan s e ction adde d.
Mirek Jaho da
Mirek Jaho da Revisio n 1-17 Fri Jun 3 20 16
As ync re le as e with mis c. update s .
Revisio n 1-16
Pos t 7.2 GA fixe s .
T ue Jan 5 20 16
Revisio n 1-15
Ve rs ion for 7.2 GA re le as e .
T ue No v 10 20 15
Revisio n 1-14.18
Mo n No v 0 9 20 15
As ync re le as e with mis c. update s .
Revisio n 1-14.17
Ve rs ion for 7.1 GA re le as e .
Wed Feb 18 20 15
Ro bert Krát ký
Ro bert Krát ký
Ro bert Krát ký
Ro bert Krát ký
Revisio n 1-14.15
Fri Dec 0 6 20 14
Update to s ort orde r on the Re d Hat Cus tome r Portal.
Revisio n 1-14.13
T hu No v 27 20 14
Update s re fle cting the POODLE vuln.
Revisio n 1-14.12
Ve rs ion for 7.0 GA re le as e .
T ue Jun 0 3 20 14
Ro bert Krát ký
Ro bert Krát ký
T o máš Čapek
219