Red Hat Enterprise Linux 7

Security Guide

A Guide to Securing Red Hat Enterprise Linux 7

Mirek Jahoda

Red Hat Customer Content Services

Ioanna Gkioka

Red Hat Customer Content Services

Robert Krátký

Red Hat Customer Content Services

Martin Prpič

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Stephen Wadeley

Red Hat Customer Content Services

Yoana Ruseva

Red Hat Customer Content Services

Miroslav Svoboda

Red Hat Customer Content Services

Abstract

This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity.
Focused on Red Hat Enterprise Linux but detailing concepts and techniques valid for all Linux systems, this guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home.
With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.

Note

To expand your expertise, you might also be interested in the Red Hat Server Hardening (RH413) training course.

1. Overview of Security Topics
1.1. What is Computer Security?
1.1.1. Standardizing Security
1.2. Security Controls
1.2.1. Physical Controls
1.2.2. Technical Controls
1.2.3. Administrative Controls
1.3. Vulnerability Assessment
1.3.1. Defining Assessment and Testing
1.3.2. Establishing a Methodology for Vulnerability Assessment
1.3.3. Vulnerability Assessment Tools
1.4. Security Threats
1.4.1. Threats to Network Security
1.4.2. Threats to Server Security
1.4.3. Threats to Workstation and Home PC Security
1.5. Common Exploits and Attacks
2. Security Tips for Installation
2.1. Securing BIOS
2.1.1. BIOS Passwords
2.2. Partitioning the Disk
2.3. Installing the Minimum Amount of Packages Required
2.4. Restricting Network Connectivity During the Installation Process
2.5. Post-installation Procedures
2.6. Additional Resources
3. Keeping Your System Up-to-Date
3.1. Maintaining Installed Software
3.1.1. Planning and Configuring Security Updates
3.1.2. Updating and Installing Packages
3.1.3. Applying Changes Introduced by Installed Updates
3.2. Using the Red Hat Customer Portal
3.2.1. Viewing Security Advisories on the Customer Portal
3.2.2. Navigating CVE Customer Portal Pages
3.2.3. Understanding Issue Severity Classification
3.3. Additional Resources
4. Hardening Your System with Tools and Services
4.1. Desktop Security
4.1.1. Password Security
4.1.2. Account Locking
4.1.3. Session Locking
4.1.4. Enforcing Read-Only Mounting of Removable Media
4.2. Controlling Root Access
4.2.1. Disallowing Root Access
4.2.2. Allowing Root Access
4.2.3. Limiting Root Access
4.2.4. Enabling Automatic Logouts
4.2.5. Securing the Boot Loader
4.2.6. Protecting Hard and Symbolic Links
4.3. Securing Services
4.3.1. Risks To Services
4.3.2. Identifying and Configuring Services
4.3.3. Insecure Services
4.3.4. Securing rpcbind
4.3.5. Securing rpc.mountd
4.3.6. Securing NIS
4.3.7. Securing NFS
4.3.8. Securing the Apache HTTP Server
4.3.9. Securing FTP
4.3.10. Securing Postfix
4.3.11. Securing SSH
4.3.12. Securing PostgreSQL
4.3.13. Securing Docker
4.4. Securing Network Access
4.4.1. Securing Services With TCP Wrappers and xinetd
4.4.2. Verifying Which Ports Are Listening
4.4.3. Disabling Source Routing
4.5. Securing DNS Traffic with DNSSEC
4.5.1. Introduction to DNSSEC
4.5.2. Understanding DNSSEC
4.5.3. Understanding Dnssec-trigger
4.5.4. VPN Supplied Domains and Name Servers
4.5.5. Recommended Naming Practices
4.5.6. Understanding Trust Anchors
4.5.7. Installing DNSSEC
4.5.8. Using Dnssec-trigger
4.5.9. Using dig With DNSSEC
4.5.10. Setting up Hotspot Detection Infrastructure for Dnssec-trigger
4.5.11. Configuring DNSSEC Validation for Connection Supplied Domains
4.5.12. Additional Resources
4.6. Securing Virtual Private Networks (VPNs)
4.6.1. IPsec VPN Using Libreswan
4.6.2. VPN Configurations Using Libreswan
4.6.3. Host-To-Host VPN Using Libreswan
4.6.4. Site-to-Site VPN Using Libreswan
4.6.5. Site-to-Site Single Tunnel VPN Using Libreswan
4.6.6. Subnet Extrusion Using Libreswan
4.6.7. Road Warrior Application Using Libreswan
4.6.8. Road Warrior Application Using Libreswan and XAUTH with X.509
4.6.9. Additional Resources
4.7. Using OpenSSL
4.7.1. Creating and Managing Encryption Keys
4.7.2. Generating Certificates
4.7.3. Verifying Certificates
4.7.4. Encrypting and Decrypting a File
4.7.5. Generating Message Digests
4.7.6. Generating Password Hashes
4.7.7. Generating Random Data
4.7.8. Benchmarking Your System
4.7.9. Configuring OpenSSL
4.8. Using stunnel
4.8.1. Installing stunnel
4.8.2. Configuring stunnel as a TLS Wrapper
4.8.3. Starting, Stopping, and Restarting stunnel
4.9. Encryption
4.9.1. Using LUKS Disk Encryption
4.9.2. Creating GPG Keys
4.9.3. Using openCryptoki for Public-Key Cryptography
4.9.4. Using Smart Cards to Supply Credentials to OpenSSH
4.9.5. Trusted and Encrypted Keys
4.9.6. Using the Random Number Generator
4.10. Using Network-Bound Disk Encryption
4.10.1. Deploying a Tang server
4.10.2. Deploying an Encryption Client
4.10.3. Configuring Manual Enrollment
4.10.4. Configuring Automated Enrollment Using Kickstart
4.10.5. Deploying Virtual Machines in a NBDE Network
4.10.6. Building Automatically-enrollable VM Images for Cloud Environments
4.10.7. Additional Resources
4.11. Checking Integrity with AIDE
4.11.1. Installing AIDE
4.11.2. Performing Integrity Checks
4.11.3. Updating an AIDE Database
4.11.4. Additional Resources
4.12. Using USBGuard
4.12.1. Installing USBGuard
4.12.2. Creating a White List and a Black List
4.12.3. Using the Rule Language to Create Your Own Policy
4.12.4. Additional Resources
4.13. Hardening TLS Configuration
4.13.1. Choosing Algorithms to Enable
4.13.2. Using Implementations of TLS
4.13.3. Configuring Specific Applications
4.13.4. Additional Information
4.14. Using MACsec
5. Using Firewalls
5.1. Introduction to firewalld
5.1.1. Comparison of firewalld to system-config-firewall and iptables
5.1.2. Understanding Network Zones
5.1.3. Understanding Predefined Services
5.1.4. Understanding the Direct Interface
5.2. Installing firewalld
5.2.1. Stopping firewalld
5.2.2. Starting firewalld
5.2.3. Checking If firewalld Is Running
5.3. Configuring firewalld
5.3.1. Configuring firewalld Using The Graphical User Interface
5.3.2. Configuring IP Sets Using firewall-config
5.3.3. Configuring the Firewall Using the firewall-cmd Command-Line Tool
5.3.4. Viewing the Firewall Settings Using the Command-Line Interface (CLI)
5.3.5. Changing the Firewall Settings Using the Command-Line Interface (CLI)
5.3.6. Configuring the Firewall Using XML Files
5.3.7. Using the Direct Interface
5.3.8. Configuring Complex Firewall Rules with the "Rich Language" Syntax
5.3.9. Firewall Lockdown
5.3.10. Configuring Logging for Denied Packets
5.4. Using the iptables Service
5.4.1. iptables and IP Sets
5.5. Additional Resources
5.5.1. Installed Documentation
5.5.2. Online Documentation
6. System Auditing
6.1. Audit System Architecture
6.2. Installing the audit Packages
6.3. Configuring the audit Service
6.3.1. Configuring auditd for a Secure Environment
6.4. Starting the audit Service
6.5. Defining Audit Rules
6.5.1. Defining Audit Rules with auditctl
6.5.2. Defining Executable File Rules
6.5.3. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
6.6. Understanding Audit Log Files
6.7. Searching the Audit Log Files
6.8. Creating Audit Reports
6.9. Additional Resources
7. Compliance and Vulnerability Scanning with OpenSCAP
7.1. Security Compliance in Red Hat Enterprise Linux
7.2. Defining Compliance Policy
7.2.1. The XCCDF File Format
7.2.2. The OVAL File Format
7.2.3. The Data Stream Format
7.3. Using SCAP Workbench
7.3.1. Installing SCAP Workbench
7.3.2. Running SCAP Workbench
7.3.3. Scanning the System
7.3.4. Customizing Security Profiles
7.3.5. Saving SCAP Content
7.3.6. Viewing Scan Results and Generating Scan Reports
7.4. Using oscap
7.4.1. Installing oscap
7.4.2. Displaying SCAP Content
7.4.3. Scanning the System
7.4.4. Generating Reports and Guides
7.4.5. Validating SCAP Content
7.4.6. Using OpenSCAP to Remediate the System
7.5. Using OpenSCAP with Docker
7.6. Using OpenSCAP with Atomic
7.7. Using OpenSCAP with Red Hat Satellite
7.8. Practical Examples
7.8.1. Auditing Security Vulnerabilities of Red Hat Products
7.8.2. Auditing System Settings with SCAP Security Guide
7.9. Additional Resources
8. Federal Standards and Regulations
8.1. Federal Information Processing Standard (FIPS)
8.1.1. Enabling FIPS Mode
8.2. National Industrial Security Program Operating Manual (NISPOM)
8.3. Payment Card Industry Data Security Standard (PCI DSS)
8.4. Security Technical Implementation Guide
A. Encryption Standards
A.1. Synchronous Encryption
A.1.1. Advanced Encryption Standard — AES
A.1.2. Data Encryption Standard — DES
A.2. Public-key Encryption
A.2.1. Diffie-Hellman
A.2.2. RSA
A.2.3. DSA
A.2.4. SSL/TLS
A.2.5. Cramer-Shoup Cryptosystem
A.2.6. ElGamal Encryption
B. Audit System Reference
B.1. Audit Event Fields
B.2. Audit Record Types
C. Revision History