Security Guide
1. Overview of Security Topics
Expand section "1. Overview of Security Topics" Collapse section "1. Overview of Security Topics"
1. 1.1. What is Computer Security?
  Expand section "1.1. What is Computer Security?" Collapse section "1.1. What is Computer Security?"
  1. 1.1.1. Standardizing Security
  2. 1.1.2. Cryptographic Software and Certifications
2. 1.2. Security Controls
  Expand section "1.2. Security Controls" Collapse section "1.2. Security Controls"
3. 1.3. Vulnerability Assessment
  Expand section "1.3. Vulnerability Assessment" Collapse section "1.3. Vulnerability Assessment"
  1. 1.3.1. Defining Assessment and Testing
  2. 1.3.2. Establishing a Methodology for Vulnerability Assessment
  3. 1.3.3. Vulnerability Assessment Tools
    
    Expand section "1.3.3. Vulnerability Assessment Tools" Collapse section "1.3.3. Vulnerability Assessment Tools"
    
    1.3.3.1. Scanning Hosts with Nmap
    
    Expand section "1.3.3.1. Scanning Hosts with Nmap" Collapse section "1.3.3.1. Scanning Hosts with Nmap"
    
    1.3.3.1.1. Using Nmap
    
    1.3.3.2. Nessus
    
    1.3.3.3. OpenVAS
    
    1.3.3.4. Nikto
4. 1.4. Security Threats
  Expand section "1.4. Security Threats" Collapse section "1.4. Security Threats"
5. 1.5. Common Exploits and Attacks
2. Security Tips for Installation
Expand section "2. Security Tips for Installation" Collapse section "2. Security Tips for Installation"
1. 2.1. Securing BIOS
  Expand section "2.1. Securing BIOS" Collapse section "2.1. Securing BIOS"
  1. 2.1.1. BIOS Passwords
    
    Expand section "2.1.1. BIOS Passwords" Collapse section "2.1.1. BIOS Passwords"
    
    2.1.1.1. Securing Non-BIOS-based Systems
2. 2.2. Partitioning the Disk
3. 2.3. Installing the Minimum Amount of Packages Required
4. 2.4. Restricting Network Connectivity During the Installation Process
5. 2.5. Post-installation Procedures
6. 2.6. Additional Resources
3. Keeping Your System Up-to-Date
Expand section "3. Keeping Your System Up-to-Date" Collapse section "3. Keeping Your System Up-to-Date"
1. 3.1. Maintaining Installed Software
  Expand section "3.1. Maintaining Installed Software" Collapse section "3.1. Maintaining Installed Software"
  1. 3.1.1. Planning and Configuring Security Updates
    
    Expand section "3.1.1. Planning and Configuring Security Updates" Collapse section "3.1.1. Planning and Configuring Security Updates"
    
    3.1.1.1. Using the Security Features of Yum
  2. 3.1.2. Updating and Installing Packages
    
    Expand section "3.1.2. Updating and Installing Packages" Collapse section "3.1.2. Updating and Installing Packages"
    
    3.1.2.1. Verifying Signed Packages
    
    3.1.2.2. Installing Signed Packages
  3. 3.1.3. Applying Changes Introduced by Installed Updates
2. 3.2. Using the Red Hat Customer Portal
  Expand section "3.2. Using the Red Hat Customer Portal" Collapse section "3.2. Using the Red Hat Customer Portal"
3. 3.3. Additional Resources
4. Hardening Your System with Tools and Services
Expand section "4. Hardening Your System with Tools and Services" Collapse section "4. Hardening Your System with Tools and Services"
1. 4.1. Desktop Security
  Expand section "4.1. Desktop Security" Collapse section "4.1. Desktop Security"
  1. 4.1.1. Password Security
    
    Expand section "4.1.1. Password Security" Collapse section "4.1.1. Password Security"
    
    4.1.1.1. Creating Strong Passwords
    
    4.1.1.2. Forcing Strong Passwords
    
    4.1.1.3. Configuring Password Aging
  2. 4.1.2. Account Locking
  3. 4.1.3. Session Locking
    
    Expand section "4.1.3. Session Locking" Collapse section "4.1.3. Session Locking"
    
    4.1.3.1. Locking Virtual Consoles Using vlock
  4. 4.1.4. Enforcing Read-Only Mounting of Removable Media
2. 4.2. Controlling Root Access
  Expand section "4.2. Controlling Root Access" Collapse section "4.2. Controlling Root Access"
  1. 4.2.1. Disallowing Root Access
  2. 4.2.2. Allowing Root Access
  3. 4.2.3. Limiting Root Access
  4. 4.2.4. Enabling Automatic Logouts
  5. 4.2.5. Securing the Boot Loader
    
    Expand section "4.2.5. Securing the Boot Loader" Collapse section "4.2.5. Securing the Boot Loader"
    
    4.2.5.1. Disabling Interactive Startup
  6. 4.2.6. Protecting Hard and Symbolic Links
3. 4.3. Securing Services
  Expand section "4.3. Securing Services" Collapse section "4.3. Securing Services"
  1. 4.3.1. Risks To Services
  2. 4.3.2. Identifying and Configuring Services
  3. 4.3.3. Insecure Services
  4. 4.3.4. Securing rpcbind
    
    Expand section "4.3.4. Securing rpcbind" Collapse section "4.3.4. Securing rpcbind"
    
    4.3.4.1. Protect rpcbind With TCP Wrappers
    
    4.3.4.2. Protect rpcbind With firewalld
  5. 4.3.5. Securing rpc.mountd
    
    Expand section "4.3.5. Securing rpc.mountd" Collapse section "4.3.5. Securing rpc.mountd"
    
    4.3.5.1. Protect rpc.mountd With TCP Wrappers
    
    4.3.5.2. Protect rpc.mountd With firewalld
  6. 4.3.6. Securing NIS
    
    Expand section "4.3.6. Securing NIS" Collapse section "4.3.6. Securing NIS"
    
    4.3.6.1. Carefully Plan the Network
    
    4.3.6.2. Use a Password-like NIS Domain Name and Hostname
    
    4.3.6.3. Edit the /var/yp/securenets File
    
    4.3.6.4. Assign Static Ports and Use Rich Language Rules
    
    4.3.6.5. Use Kerberos Authentication
  7. 4.3.7. Securing NFS
    
    Expand section "4.3.7. Securing NFS" Collapse section "4.3.7. Securing NFS"
    
    4.3.7.1. Carefully Plan the Network
    
    4.3.7.2. Securing NFS Mount Options
    
    Expand section "4.3.7.2. Securing NFS Mount Options" Collapse section "4.3.7.2. Securing NFS Mount Options"
    
    4.3.7.2.1. Review the NFS Server
    
    4.3.7.2.2. Review the NFS Client
    
    4.3.7.3. Beware of Syntax Errors
    
    4.3.7.4. Do Not Use the no_root_squash Option
    
    4.3.7.5. NFS Firewall Configuration
    
    4.3.7.6. Securing NFS with Red Hat Identity Management
  8. 4.3.8. Securing HTTP Servers
    
    Expand section "4.3.8. Securing HTTP Servers" Collapse section "4.3.8. Securing HTTP Servers"
    
    4.3.8.1. Securing the Apache HTTP Server
    
    4.3.8.2. Securing NGINX
  9. 4.3.9. Securing FTP
    
    Expand section "4.3.9. Securing FTP" Collapse section "4.3.9. Securing FTP"
    
    4.3.9.1. FTP Greeting Banner
    
    4.3.9.2. Anonymous Access
    
    Expand section "4.3.9.2. Anonymous Access" Collapse section "4.3.9.2. Anonymous Access"
    
    4.3.9.2.1. Anonymous Upload
    
    4.3.9.3. User Accounts
    
    Expand section "4.3.9.3. User Accounts" Collapse section "4.3.9.3. User Accounts"
    
    4.3.9.3.1. Restricting User Accounts
    
    4.3.9.4. Use TCP Wrappers To Control Access
  10. 4.3.10. Securing Postfix
    
    Expand section "4.3.10. Securing Postfix" Collapse section "4.3.10. Securing Postfix"
    
    4.3.10.1. Limiting a Denial of Service Attack
    
    4.3.10.2. NFS and Postfix
    
    4.3.10.3. Mail-only Users
    
    4.3.10.4. Disable Postfix Network Listening
    
    4.3.10.5. Configuring Postfix to Use SASL
  11. 4.3.11. Securing SSH
    
    Expand section "4.3.11. Securing SSH" Collapse section "4.3.11. Securing SSH"
    
    4.3.11.1. Cryptographic Login
    
    4.3.11.2. Multiple Authentication Methods
    
    4.3.11.3. Other Ways of Securing SSH
  12. 4.3.12. Securing PostgreSQL
  13. 4.3.13. Securing Docker
  14. 4.3.14. Securing memcached against DDoS Attacks
4. 4.4. Securing Network Access
  Expand section "4.4. Securing Network Access" Collapse section "4.4. Securing Network Access"
  1. 4.4.1. Securing Services With TCP Wrappers and xinetd
    
    Expand section "4.4.1. Securing Services With TCP Wrappers and xinetd" Collapse section "4.4.1. Securing Services With TCP Wrappers and xinetd"
    
    4.4.1.1. TCP Wrappers and Connection Banners
    
    4.4.1.2. TCP Wrappers and Attack Warnings
    
    4.4.1.3. TCP Wrappers and Enhanced Logging
  2. 4.4.2. Verifying Which Ports Are Listening
  3. 4.4.3. Disabling Source Routing
    
    Expand section "4.4.3. Disabling Source Routing" Collapse section "4.4.3. Disabling Source Routing"
    
    4.4.3.1. Reverse Path Forwarding
    
    4.4.3.2. Additional Resources
5. 4.5. Securing DNS Traffic with DNSSEC
  Expand section "4.5. Securing DNS Traffic with DNSSEC" Collapse section "4.5. Securing DNS Traffic with DNSSEC"
  1. 4.5.1. Introduction to DNSSEC
  2. 4.5.2. Understanding DNSSEC
  3. 4.5.3. Understanding Dnssec-trigger
  4. 4.5.4. VPN Supplied Domains and Name Servers
  5. 4.5.5. Recommended Naming Practices
  6. 4.5.6. Understanding Trust Anchors
  7. 4.5.7. Installing DNSSEC
    
    Expand section "4.5.7. Installing DNSSEC" Collapse section "4.5.7. Installing DNSSEC"
    
    4.5.7.1. Installing unbound
    
    4.5.7.2. Checking if unbound is Running
    
    4.5.7.3. Starting unbound
    
    4.5.7.4. Installing Dnssec-trigger
    
    4.5.7.5. Checking if the Dnssec-trigger Daemon is Running
  8. 4.5.8. Using Dnssec-trigger
  9. 4.5.9. Using dig With DNSSEC
  10. 4.5.10. Setting up Hotspot Detection Infrastructure for Dnssec-trigger
  11. 4.5.11. Configuring DNSSEC Validation for Connection Supplied Domains
    
    Expand section "4.5.11. Configuring DNSSEC Validation for Connection Supplied Domains" Collapse section "4.5.11. Configuring DNSSEC Validation for Connection Supplied Domains"
    
    4.5.11.1. Configuring DNSSEC Validation for Wi-Fi Supplied Domains
  12. 4.5.12. Additional Resources
    
    Expand section "4.5.12. Additional Resources" Collapse section "4.5.12. Additional Resources"
    
    4.5.12.1. Installed Documentation
    
    4.5.12.2. Online Documentation
6. 4.6. Securing Virtual Private Networks (VPNs) Using Libreswan
  Expand section "4.6. Securing Virtual Private Networks (VPNs) Using Libreswan" Collapse section "4.6. Securing Virtual Private Networks (VPNs) Using Libreswan"
  1. 4.6.1. Installing Libreswan
  2. 4.6.2. Creating VPN Configurations Using Libreswan
  3. 4.6.3. Creating Host-To-Host VPN Using Libreswan
    
    Expand section "4.6.3. Creating Host-To-Host VPN Using Libreswan" Collapse section "4.6.3. Creating Host-To-Host VPN Using Libreswan"
    
    4.6.3.1. Verifying Host-To-Host VPN Using Libreswan
  4. 4.6.4. Configuring Site-to-Site VPN Using Libreswan
    
    Expand section "4.6.4. Configuring Site-to-Site VPN Using Libreswan" Collapse section "4.6.4. Configuring Site-to-Site VPN Using Libreswan"
    
    4.6.4.1. Verifying Site-to-Site VPN Using Libreswan
  5. 4.6.5. Configuring Site-to-Site Single Tunnel VPN Using Libreswan
  6. 4.6.6. Configuring Subnet Extrusion Using Libreswan
  7. 4.6.7. Configuring IKEv2 Remote Access VPN Libreswan
  8. 4.6.8. Configuring IKEv1 Remote Access VPN Libreswan and XAUTH with X.509
  9. 4.6.9. Using the Protection against Quantum Computers
  10. 4.6.10. Additional Resources
    
    Expand section "4.6.10. Additional Resources" Collapse section "4.6.10. Additional Resources"
    
    4.6.10.1. Installed Documentation
    
    4.6.10.2. Online Documentation
7. 4.7. Using OpenSSL
  Expand section "4.7. Using OpenSSL" Collapse section "4.7. Using OpenSSL"
  1. 4.7.1. Creating and Managing Encryption Keys
  2. 4.7.2. Generating Certificates
    
    Expand section "4.7.2. Generating Certificates" Collapse section "4.7.2. Generating Certificates"
    
    4.7.2.1. Creating a Certificate Signing Request
    
    4.7.2.2. Creating a Self-signed Certificate
    
    4.7.2.3. Creating a Certificate Using a Makefile
  3. 4.7.3. Verifying Certificates
  4. 4.7.4. Encrypting and Decrypting a File
  5. 4.7.5. Generating Message Digests
  6. 4.7.6. Generating Password Hashes
  7. 4.7.7. Generating Random Data
  8. 4.7.8. Benchmarking Your System
  9. 4.7.9. Configuring OpenSSL
8. 4.8. Using stunnel
  Expand section "4.8. Using stunnel" Collapse section "4.8. Using stunnel"
9. 4.9. Encryption
  Expand section "4.9. Encryption" Collapse section "4.9. Encryption"
  1. 4.9.1. Using LUKS Disk Encryption
    
    Expand section "4.9.1. Using LUKS Disk Encryption" Collapse section "4.9.1. Using LUKS Disk Encryption"
    
    4.9.1.1. LUKS Implementation in Red Hat Enterprise Linux
    
    4.9.1.2. Manually Encrypting Directories
    
    4.9.1.3. Add a New Passphrase to an Existing Device
    
    4.9.1.4. Remove a Passphrase from an Existing Device
    
    4.9.1.5. Creating Encrypted Block Devices in Anaconda
    
    4.9.1.6. Additional Resources
  2. 4.9.2. Creating GPG Keys
    
    Expand section "4.9.2. Creating GPG Keys" Collapse section "4.9.2. Creating GPG Keys"
    
    4.9.2.1. Creating GPG Keys in GNOME
    
    4.9.2.2. Creating GPG Keys in KDE
    
    4.9.2.3. Creating GPG Keys Using the Command Line
    
    4.9.2.4. About Public Key Encryption
  3. 4.9.3. Using openCryptoki for Public-Key Cryptography
    
    Expand section "4.9.3. Using openCryptoki for Public-Key Cryptography" Collapse section "4.9.3. Using openCryptoki for Public-Key Cryptography"
    
    4.9.3.1. Installing openCryptoki and Starting the Service
    
    4.9.3.2. Configuring and Using openCryptoki
  4. 4.9.4. Using Smart Cards to Supply Credentials to OpenSSH
    
    Expand section "4.9.4. Using Smart Cards to Supply Credentials to OpenSSH" Collapse section "4.9.4. Using Smart Cards to Supply Credentials to OpenSSH"
    
    4.9.4.1. Retrieving a Public Key from a Card
    
    4.9.4.2. Storing a Public Key on a Server
    
    4.9.4.3. Authenticating to a Server with a Key on a Smart Card
    
    4.9.4.4. Using ssh-agent to Automate PIN Logging In
    
    4.9.4.5. Additional Resources
  5. 4.9.5. Trusted and Encrypted Keys
    
    Expand section "4.9.5. Trusted and Encrypted Keys" Collapse section "4.9.5. Trusted and Encrypted Keys"
    
    4.9.5.1. Working with keys
    
    4.9.5.2. Additional Resources
  6. 4.9.6. Using the Random Number Generator
10. 4.10. Configuring Automated Unlocking of Encrypted Volumes using Policy-Based Decryption
  Expand section "4.10. Configuring Automated Unlocking of Encrypted Volumes using Policy-Based Decryption" Collapse section "4.10. Configuring Automated Unlocking of Encrypted Volumes using Policy-Based Decryption"
  1. 4.10.1. Network-Bound Disk Encryption
  2. 4.10.2. Installing an Encryption Client - Clevis
  3. 4.10.3. Deploying a Tang Server with SELinux in Enforcing Mode
    
    Expand section "4.10.3. Deploying a Tang Server with SELinux in Enforcing Mode" Collapse section "4.10.3. Deploying a Tang Server with SELinux in Enforcing Mode"
    
    4.10.3.1. Deploying High-Availability Systems
  4. 4.10.4. Deploying an Encryption Client for an NBDE system with Tang
  5. 4.10.5. Deploying an Encryption Client with a TPM 2.0 Policy
  6. 4.10.6. Configuring Manual Enrollment of Root Volumes
  7. 4.10.7. Configuring Automated Enrollment Using Kickstart
  8. 4.10.8. Configuring Automated Unlocking of Removable Storage Devices
  9. 4.10.9. Configuring Automated Unlocking of Non-root Volumes at Boot Time
  10. 4.10.10. Deploying Virtual Machines in a NBDE Network
  11. 4.10.11. Building Automatically-enrollable VM Images for Cloud Environments using NBDE
  12. 4.10.12. Additional Resources
11. 4.11. Checking Integrity with AIDE
  Expand section "4.11. Checking Integrity with AIDE" Collapse section "4.11. Checking Integrity with AIDE"
12. 4.12. Using USBGuard
  Expand section "4.12. Using USBGuard" Collapse section "4.12. Using USBGuard"
13. 4.13. Hardening TLS Configuration
  Expand section "4.13. Hardening TLS Configuration" Collapse section "4.13. Hardening TLS Configuration"
  1. 4.13.1. Choosing Algorithms to Enable
  2. 4.13.2. Using Implementations of TLS
    
    Expand section "4.13.2. Using Implementations of TLS" Collapse section "4.13.2. Using Implementations of TLS"
    
    4.13.2.1. Working with Cipher Suites in OpenSSL
    
    4.13.2.2. Working with Cipher Suites in GnuTLS
  3. 4.13.3. Configuring Specific Applications
    
    Expand section "4.13.3. Configuring Specific Applications" Collapse section "4.13.3. Configuring Specific Applications"
    
    4.13.3.1. Configuring the Apache HTTP Server
    
    4.13.3.2. Configuring the Dovecot Mail Server
  4. 4.13.4. Additional Information
14. 4.14. Using Shared System Certificates
  Expand section "4.14. Using Shared System Certificates" Collapse section "4.14. Using Shared System Certificates"
15. 4.15. Using MACsec
16. 4.16. Removing Data Securely Using scrub
5. Using Firewalls
Expand section "5. Using Firewalls" Collapse section "5. Using Firewalls"
1. 5.1. Getting Started with firewalld
  Expand section "5.1. Getting Started with firewalld" Collapse section "5.1. Getting Started with firewalld"
2. 5.2. Installing the firewall-config GUI configuration tool
3. 5.3. Viewing the Current Status and Settings of firewalld
  Expand section "5.3. Viewing the Current Status and Settings of firewalld" Collapse section "5.3. Viewing the Current Status and Settings of firewalld"
  1. 5.3.1. Viewing the Current Status of firewalld
  2. 5.3.2. Viewing Current firewalld Settings
    
    Expand section "5.3.2. Viewing Current firewalld Settings" Collapse section "5.3.2. Viewing Current firewalld Settings"
    
    5.3.2.1. Viewing Allowed Services using GUI
    
    5.3.2.2. Viewing firewalld Settings using CLI
4. 5.4. Starting firewalld
5. 5.5. Stopping firewalld
6. 5.6. Controlling Traffic
  Expand section "5.6. Controlling Traffic" Collapse section "5.6. Controlling Traffic"
7. 5.7. Working with Zones
  Expand section "5.7. Working with Zones" Collapse section "5.7. Working with Zones"
8. 5.8. Using Zones to Manage Incoming Traffic Depending on Source
  Expand section "5.8. Using Zones to Manage Incoming Traffic Depending on Source" Collapse section "5.8. Using Zones to Manage Incoming Traffic Depending on Source"
9. 5.9. Port Forwarding
  Expand section "5.9. Port Forwarding" Collapse section "5.9. Port Forwarding"
  1. 5.9.1. Adding a Port to Redirect
  2. 5.9.2. Removing a Redirected Port
10. 5.10. Configuring IP Address Masquerading
11. 5.11. Managing ICMP Requests
  Expand section "5.11. Managing ICMP Requests" Collapse section "5.11. Managing ICMP Requests"
12. 5.12. Setting and Controlling IP sets using firewalld
  Expand section "5.12. Setting and Controlling IP sets using firewalld" Collapse section "5.12. Setting and Controlling IP sets using firewalld"
  1. 5.12.1. Configuring IP Set Options with the Command-Line Client
  2. 5.12.2. Configuring a Custom Service for an IP Set
13. 5.13. Setting and Controlling IP sets using iptables
14. 5.14. Using the Direct Interface
  Expand section "5.14. Using the Direct Interface" Collapse section "5.14. Using the Direct Interface"
15. 5.15. Configuring Complex Firewall Rules with the "Rich Language" Syntax
  Expand section "5.15. Configuring Complex Firewall Rules with the "Rich Language" Syntax" Collapse section "5.15. Configuring Complex Firewall Rules with the "Rich Language" Syntax"
  1. 5.15.1. Formatting of the Rich Language Commands
  2. 5.15.2. Understanding the Rich Rule Structure
  3. 5.15.3. Understanding the Rich Rule Command Options
  4. 5.15.4. Using the Rich Rule Log Command
    
    Expand section "5.15.4. Using the Rich Rule Log Command" Collapse section "5.15.4. Using the Rich Rule Log Command"
    
    5.15.4.1. Using the Rich Rule Log Command Example 1
    
    5.15.4.2. Using the Rich Rule Log Command Example 2
    
    5.15.4.3. Using the Rich Rule Log Command Example 3
    
    5.15.4.4. Using the Rich Rule Log Command Example 4
    
    5.15.4.5. Using the Rich Rule Log Command Example 5
    
    5.15.4.6. Using the Rich Rule Log Command Example 6
16. 5.16. Configuring Firewall Lockdown
  Expand section "5.16. Configuring Firewall Lockdown" Collapse section "5.16. Configuring Firewall Lockdown"
17. 5.17. Configuring Logging for Denied Packets
18. 5.18. Additional Resources
  Expand section "5.18. Additional Resources" Collapse section "5.18. Additional Resources"
  1. 5.18.1. Installed Documentation
  2. 5.18.2. Online Documentation
6. Getting Started with nftables
Expand section "6. Getting Started with nftables" Collapse section "6. Getting Started with nftables"
1. 6.1. Writing and executing nftables scripts
  Expand section "6.1. Writing and executing nftables scripts" Collapse section "6.1. Writing and executing nftables scripts"
2. 6.2. Creating and managing nftables tables, chains, and rules
  Expand section "6.2. Creating and managing nftables tables, chains, and rules" Collapse section "6.2. Creating and managing nftables tables, chains, and rules"
3. 6.3. Configuring NAT using nftables
  Expand section "6.3. Configuring NAT using nftables" Collapse section "6.3. Configuring NAT using nftables"
4. 6.4. Using sets in nftables commands
  Expand section "6.4. Using sets in nftables commands" Collapse section "6.4. Using sets in nftables commands"
5. 6.5. Using verdict maps in nftables commands
  Expand section "6.5. Using verdict maps in nftables commands" Collapse section "6.5. Using verdict maps in nftables commands"
6. 6.6. Configuring port forwarding using nftables
  Expand section "6.6. Configuring port forwarding using nftables" Collapse section "6.6. Configuring port forwarding using nftables"
  1. 6.6.1. Forwarding incoming packets to a different local port
  2. 6.6.2. Forwarding incoming packets on a specific local port to a different host
7. 6.7. Using nftables to limit the amount of connections
  Expand section "6.7. Using nftables to limit the amount of connections" Collapse section "6.7. Using nftables to limit the amount of connections"
8. 6.8. Debugging nftables rules
  Expand section "6.8. Debugging nftables rules" Collapse section "6.8. Debugging nftables rules"
7. System Auditing
Expand section "7. System Auditing" Collapse section "7. System Auditing"
1. 7.1. Audit System Architecture
2. 7.2. Installing the audit Packages
3. 7.3. Configuring the audit Service
  Expand section "7.3. Configuring the audit Service" Collapse section "7.3. Configuring the audit Service"
  1. 7.3.1. Configuring auditd for a Secure Environment
4. 7.4. Starting the audit Service
5. 7.5. Defining Audit Rules
  Expand section "7.5. Defining Audit Rules" Collapse section "7.5. Defining Audit Rules"
6. 7.6. Understanding Audit Log Files
7. 7.7. Searching the Audit Log Files
8. 7.8. Creating Audit Reports
9. 7.9. Additional Resources
8. Scanning the System for Configuration Compliance and Vulnerabilities
Expand section "8. Scanning the System for Configuration Compliance and Vulnerabilities" Collapse section "8. Scanning the System for Configuration Compliance and Vulnerabilities"
1. 8.1. Configuration Compliance Tools in RHEL
2. 8.2. Vulnerability Scanning
  Expand section "8.2. Vulnerability Scanning" Collapse section "8.2. Vulnerability Scanning"
3. 8.3. Configuration Compliance Scanning
  Expand section "8.3. Configuration Compliance Scanning" Collapse section "8.3. Configuration Compliance Scanning"
4. 8.4. Remediating the System to Align with a Specific Baseline
5. 8.5. Remediating the System to Align with a Specific Baseline Using the SSG Ansible Playbook
6. 8.6. Creating a Remediation Ansible Playbook to Align the System with a Specific Baseline
7. 8.7. Scanning the System with a Customized Profile Using SCAP Workbench
  Expand section "8.7. Scanning the System with a Customized Profile Using SCAP Workbench" Collapse section "8.7. Scanning the System with a Customized Profile Using SCAP Workbench"
8. 8.8. Deploying Systems That Are Compliant with a Security Profile Immediately after an Installation
  Expand section "8.8. Deploying Systems That Are Compliant with a Security Profile Immediately after an Installation" Collapse section "8.8. Deploying Systems That Are Compliant with a Security Profile Immediately after an Installation"
  1. 8.8.1. Deploying Baseline-Compliant RHEL Systems Using the Graphical Installation
  2. 8.8.2. Deploying Baseline-Compliant RHEL Systems Using Kickstart
9. 8.9. Scanning Containers and Container Images for Vulnerabilities
  Expand section "8.9. Scanning Containers and Container Images for Vulnerabilities" Collapse section "8.9. Scanning Containers and Container Images for Vulnerabilities"
  1. 8.9.1. Scanning Container Images and Containers for Vulnerabilities Using oscap-docker
  2. 8.9.2. Scanning Container Images and Containers for Vulnerabilities Using atomic scan
10. 8.10. Assessing Configuration Compliance of a Container or a Container Image with a Specific Baseline
11. 8.11. Scanning and Remediating Configuration Compliance of Container Images and Containers Using atomic scan
  Expand section "8.11. Scanning and Remediating Configuration Compliance of Container Images and Containers Using atomic scan" Collapse section "8.11. Scanning and Remediating Configuration Compliance of Container Images and Containers Using atomic scan"
  1. 8.11.1. Scanning for Configuration Compliance of Container Images and Containers Using atomic scan
  2. 8.11.2. Remediating Configuration Compliance of Container Images and Containers Using atomic scan
12. 8.12. SCAP Security Guide profiles supported in RHEL 7
13. 8.13. Related Information
9. Federal Standards and Regulations
Expand section "9. Federal Standards and Regulations" Collapse section "9. Federal Standards and Regulations"
1. 9.1. Federal Information Processing Standard (FIPS)
  Expand section "9.1. Federal Information Processing Standard (FIPS)" Collapse section "9.1. Federal Information Processing Standard (FIPS)"
  1. 9.1.1. Enabling FIPS Mode
2. 9.2. National Industrial Security Program Operating Manual (NISPOM)
3. 9.3. Payment Card Industry Data Security Standard (PCI DSS)
4. 9.4. Security Technical Implementation Guide
A. Encryption Standards
Expand section "A. Encryption Standards" Collapse section "A. Encryption Standards"
1. A.1. Synchronous Encryption
  Expand section "A.1. Synchronous Encryption" Collapse section "A.1. Synchronous Encryption"
  1. A.1.1. Advanced Encryption Standard — AES
    
    Expand section "A.1.1. Advanced Encryption Standard — AES" Collapse section "A.1.1. Advanced Encryption Standard — AES"
    
    A.1.1.1. AES History
  2. A.1.2. Data Encryption Standard — DES
    
    Expand section "A.1.2. Data Encryption Standard — DES" Collapse section "A.1.2. Data Encryption Standard — DES"
    
    A.1.2.1. DES History
2. A.2. Public-key Encryption
  Expand section "A.2. Public-key Encryption" Collapse section "A.2. Public-key Encryption"
  1. A.2.1. Diffie-Hellman
    
    Expand section "A.2.1. Diffie-Hellman" Collapse section "A.2.1. Diffie-Hellman"
    
    A.2.1.1. Diffie-Hellman History
  2. A.2.2. RSA
  3. A.2.3. DSA
  4. A.2.4. SSL/TLS
  5. A.2.5. Cramer-Shoup Cryptosystem
  6. A.2.6. ElGamal Encryption
B. Revision History
Legal Notice

Language:
Format:

Language:
Format:

Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

5.8. Using Zones to Manage Incoming Traffic Depending on Source

You can use zones to manage incoming traffic based on its source. That enables you to sort incoming traffic and route it through different zones to allow or disallow services that can be reached by that traffic.

If you add a source to a zone, the zone becomes active and any incoming traffic from that source will be directed through it. You can specify different settings for each zone, which is applied to the traffic from the given sources accordingly. You can use more zones even if you only have one network interface.

5.8.1. Adding a Source

To route incoming traffic into a specific source, add the source to that zone. The source can be an IP address or an IP mask in the Classless Inter-domain Routing (CIDR) notation.

To set the source in the current zone:
```
~]# firewall-cmd --add-source=<source>
```

To set the source IP address for a specific zone:

~]# firewall-cmd --zone=zone-name --add-source=<source>

The following procedure allows all incoming traffic from 192.168.2.15 in the trusted zone:

List all available zones:
```
~]# firewall-cmd --get-zones
```
Add the source IP to the trusted zone in the permanent mode:
```
~]# firewall-cmd --zone=trusted --add-source=192.168.2.15
```
Make the new settings persistent:
```
~]# firewall-cmd --runtime-to-permanent
```

5.8.2. Removing a Source

Removing a source from the zone cuts off the traffic coming from it.

List allowed sources for the required zone:

~]# firewall-cmd --zone=zone-name --list-sources

Remove the source from the zone permanently:

~]# firewall-cmd --zone=zone-name --remove-source=<source>

Make the new settings persistent:
```
~]# firewall-cmd --runtime-to-permanent
```

5.8.3. Adding a Source Port

To enable sorting the traffic based on a port of origin, specify a source port using the --add-source-port option. You can also combine this with the --add-source option to limit the traffic to a certain IP address or IP range.

To add a source port:

~]# firewall-cmd --zone=zone-name --add-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.4. Removing a Source Port

By removing a source port you disable sorting the traffic based on a port of origin.

To remove a source port:

~]# firewall-cmd --zone=zone-name --remove-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain

To allow traffic from a specific network to use a service on a machine, use zones and source. The following procedure allows only HTTP traffic from the 192.0.2.0/24 network while any other traffic is blocked.

Warning

When you configure this scenario, use a zone that has the default target. Using a zone that has the target set to ACCEPT is a security risk, because for traffic from 192.0.2.0/24, all network connections would be accepted.

List all available zones:

~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Add the IP range to the internal zone to route the traffic originating from the source through the zone:
```
~]# firewall-cmd --zone=internal --add-source=192.0.2.0/24
```

Add the http service to the internal zone:

~]# firewall-cmd --zone=internal --add-service=http

Make the new settings persistent:
```
~]# firewall-cmd --runtime-to-permanent
```

Check that the internal zone is active and that the service is allowed in it:

~]# firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.0.2.0/24
  services: dhcpv6-client mdns samba-client ssh http
  ...

5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol

You can allow incoming traffic to be accepted by a zone based on the protocol. All traffic using the specified protocol is accepted by a zone, in which you can apply further rules and filtering.

Adding a Protocol to a Zone

By adding a protocol to a certain zone, you allow all traffic with this protocol to be accepted by this zone.

To add a protocol to a zone:

~]# firewall-cmd --zone=zone-name --add-protocol=port-name/tcp|udp|sctp|dccp|igmp

Note

To receive multicast traffic, use the igmp value with the --add-protocol option.

Removing a Protocol from a Zone

By removing a protocol from a certain zone, you stop accepting all traffic based on this protocol by the zone.

To remove a protocol from a zone:

~]# firewall-cmd --zone=zone-name --remove-protocol=port-name/tcp|udp|sctp|dccp|igmp

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Red Hat Training

5.8. Using Zones to Manage Incoming Traffic Depending on Source

5.8.1. Adding a Source

5.8.2. Removing a Source

5.8.3. Adding a Source Port

5.8.4. Removing a Source Port

5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain

5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol

Adding a Protocol to a Zone

Removing a Protocol from a Zone

Language and Page Formatting Options

Red Hat Training

5.8. Using Zones to Manage Incoming Traffic Depending on Source

5.8.1. Adding a Source

5.8.2. Removing a Source

5.8.3. Adding a Source Port

5.8.4. Removing a Source Port

5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain

5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol

Adding a Protocol to a Zone

Removing a Protocol from a Zone