Red Hat Enterprise Linux 6

Security Guide

A Guide to Securing Red Hat Enterprise Linux


Robert Krátký

Red Hat Customer Content Services

Martin Prpič

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Stephen Wadeley

Red Hat Customer Content Services

Yoana Ruseva

Red Hat Customer Content Services

Miroslav Svoboda

Red Hat Customer Content Services

Legal Notice

Copyright © 2016 Red Hat, Inc.
Based on the Fedora Security Guide (current version at, written by Johnray Fuller, Eric Christensen, Adam Ligas, and other Fedora Project contributors.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.

1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701


This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation and malicious activity.
Focused on Red Hat Enterprise Linux but detailing concepts and techniques valid for all Linux systems, this guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home.
With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.
1. Security Overview
1.1. Introduction to Security
1.1.1. What is Computer Security?
1.1.2. SELinux
1.1.3. Security Controls
1.1.4. Conclusion
1.2. Vulnerability Assessment
1.2.1. Thinking Like the Enemy
1.2.2. Defining Assessment and Testing
1.2.3. Evaluating the Tools
1.3. Security Threats
1.3.1. Threats to Network Security
1.3.2. Threats to Server Security
1.3.3. Threats to Workstation and Home PC Security
1.4. Common Exploits and Attacks
1.5. Security Updates
1.5.1. Updating Packages
1.5.2. Verifying Signed Packages
1.5.3. Installing Signed Packages
1.5.4. Applying the Changes
2. Securing Your Network
2.1. Workstation Security
2.1.1. Evaluating Workstation Security
2.1.2. BIOS and Boot Loader Security
2.1.3. Password Security
2.1.4. Creating User Passwords Within an Organization
2.1.5. Locking Inactive Accounts
2.1.6. Customizing Access Control
2.1.7. Time-based Restriction of Access
2.1.8. Applying Account Limits
2.1.9. Administrative Controls
2.1.10. Session Locking
2.1.11. Available Network Services
2.1.12. Personal Firewalls
2.1.13. Security Enhanced Communication Tools
2.1.14. Enforcing Read-Only Mounting of Removable Media
2.2. Server Security
2.2.1. Securing Services With TCP Wrappers and xinetd
2.2.2. Securing Portmap
2.2.3. Securing NIS
2.2.4. Securing NFS
2.2.5. Securing the Apache HTTP Server
2.2.6. Securing FTP
2.2.7. Securing Postfix
2.2.8. Securing Sendmail
2.2.9. Verifying Which Ports Are Listening
2.2.10. Disable Source Routing
2.2.11. Reverse Path Forwarding
2.3. Single Sign-on (SSO)
2.4. Pluggable Authentication Modules (PAM)
2.5. Kerberos
2.6. TCP Wrappers and xinetd
2.6.1. TCP Wrappers
2.6.2. TCP Wrappers Configuration Files
2.6.3. xinetd
2.6.4. xinetd Configuration Files
2.6.5. Additional Resources
2.7. Securing Virtual Private Networks (VPNs)
2.7.1. IPsec VPN Using Libreswan
2.7.2. VPN Configurations Using Libreswan
2.7.3. Host-To-Host VPN Using Libreswan
2.7.4. Site-to-Site VPN Using Libreswan
2.7.5. Site-to-Site Single Tunnel VPN Using Libreswan
2.7.6. Subnet Extrusion Using Libreswan
2.7.7. Road Warrior Application Using Libreswan
2.7.8. Road Warrior Application Using Libreswan and XAUTH with X.509
2.7.9. Additional Resources
2.8. Firewalls
2.8.1. Netfilter and IPTables
2.8.2. Basic Firewall Configuration
2.8.3. Using IPTables
2.8.4. Common IPTables Filtering
2.8.5. FORWARD and NAT Rules
2.8.6. Malicious Software and Spoofed IP Addresses
2.8.7. IPTables and Connection Tracking
2.8.8. IPv6
2.8.9. IPTables
3. Encryption
3.1. Data at Rest
3.1.1. Full Disk Encryption
3.1.2. File-Based Encryption
3.1.3. LUKS Disk Encryption
3.2. Data in Motion
3.2.1. Virtual Private Networks
3.2.2. Secure Shell
3.3. OpenSSL Intel AES-NI Engine
3.4. Using the Random Number Generator
3.5. GNU Privacy Guard (GPG)
3.5.1. Creating GPG Keys in GNOME
3.5.2. Creating GPG Keys in KDE
3.5.3. Creating GPG Keys Using the Command Line
3.5.4. About Public Key Encryption
3.6. Using stunnel
3.6.1. Installing stunnel
3.6.2. Configuring stunnel as a TLS Wrapper
3.6.3. Starting, Stopping and Restarting stunnel
3.7. Hardening TLS Configuration
3.7.1. Choosing Algorithms to Enable
3.7.2. Using Implementations of TLS
3.7.3. Configuring Specific Applications
3.7.4. Additional Information
4. General Principles of Information Security
5. Secure Installation
5.1. Disk Partitions
5.2. Utilize LUKS Partition Encryption
6. Software Maintenance
6.1. Install Minimal Software
6.2. Plan and Configure Security Updates
6.3. Adjusting Automatic Updates
6.4. Install Signed Packages from Well Known Repositories
7. System Auditing
7.1. Audit System Architecture
7.2. Installing the audit Packages
7.3. Configuring the audit Service
7.3.1. Configuring auditd for a CAPP Environment
7.4. Starting the audit Service
7.5. Defining Audit Rules
7.5.1. Defining Audit Rules with the auditctl Utility
7.5.2. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
7.6. Understanding Audit Log Files
7.7. Searching the Audit Log Files
7.8. Creating Audit Reports
7.9. Configuring PAM for Auditing
7.9.1. Configuring pam_tty_audit
7.10. Additional Resources
8. Compliance and Vulnerability Scanning with OpenSCAP
8.1. Security Compliance in Red Hat Enterprise Linux
8.2. Defining Compliance Policy
8.2.1. The XCCDF File Format
8.2.2. The OVAL File Format
8.2.3. The Data Stream Format
8.3. Using oscap
8.3.1. Installing oscap
8.3.2. Displaying SCAP Content
8.3.3. Scanning the System
8.3.4. Generating Reports and Guides
8.3.5. Validating SCAP Content
8.3.6. Using OpenSCAP to Remediate the System
8.4. Using OpenSCAP with Red Hat Satellite
8.5. Installing USGCB-Compliant System with Kickstart
8.6. Practical Examples
8.6.1. Auditing Security Vulnerabilities of Red Hat Products
8.6.2. Auditing System Settings with SCAP Security Guide
8.7. Additional Resources
9. Federal Standards and Regulations
9.1. Introduction
9.2. Federal Information Processing Standard (FIPS)
9.2.1. Enabling FIPS Mode
9.2.2. Enabling FIPS Mode for Applications Using NSS
9.3. National Industrial Security Program Operating Manual (NISPOM)
9.4. Payment Card Industry Data Security Standard (PCI DSS)
9.5. Security Technical Implementation Guide
10. References
A. Encryption Standards
A.1. Synchronous Encryption
A.1.1. Advanced Encryption Standard - AES
A.1.2. Data Encryption Standard - DES
A.2. Public-key Encryption
A.2.1. Diffie-Hellman
A.2.2. RSA
A.2.3. DSA
A.2.4. SSL/TLS
A.2.5. Cramer-Shoup Cryptosystem
A.2.6. ElGamal Encryption
B. Audit System Reference
B.1. Audit Event Fields
B.2. Audit Record Types
C. Revision History