Chapter 6. Configuring basic system security
Computer security is the protection of computer systems and their hardware, software, information, and services from theft, damage, disruption, and misdirection. Ensuring computer security is an essential task, in particular in enterprises that process sensitive data and handle business transactions.
This section covers only the basic security features that you can configure after installation of the operating system.
6.1. Enabling the firewalld service
A firewall is a network security system that monitors and controls incoming and outgoing network traffic according to configured security rules. A firewall typically establishes a barrier between a trusted secure internal network and another outside network.
The firewalld service, which provides a firewall in Red Hat Enterprise Linux, is automatically enabled during installation.
To enable the firewalld service, follow this procedure.
1. Display the current status of firewalld:
$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
...
2. If firewalld is not enabled and running, switch to the root user, start the firewalld service, and enable it to start automatically after the system restarts:
# systemctl enable --now firewalld
3. Verify that firewalld is running and enabled:
$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running)
...
- Using and configuring firewalld
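The check-then-fix procedure above can be scripted so that the decision is taken from the properties systemd reports rather than from eyeballing the status output. The following is an added example, not part of the Red Hat documentation: it parses the `ActiveState` and `UnitFileState` lines printed by `systemctl show`, names the action that is still missing, and applies the same `systemctl enable --now firewalld` step only when it runs as root and `RUN_LIVE=1` is set (both the function names and that environment variable are this example's own assumptions).

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): derive the firewalld
# remediation step from `systemctl show -p ActiveState -p UnitFileState firewalld`.

# Parse "Key=Value" lines as printed by systemctl show and print one verdict:
#   ok               - active and enabled, nothing to do
#   enable           - running now but will not start after a reboot
#   start            - enabled for boot but not currently running
#   enable-and-start - neither running nor enabled (fresh install state above)
firewalld_verdict() {
    props="$1"
    active=$(printf '%s\n' "$props" | sed -n 's/^ActiveState=//p')
    enabled=$(printf '%s\n' "$props" | sed -n 's/^UnitFileState=//p')
    case "$active:$enabled" in
        active:enabled) echo ok ;;
        active:*)       echo enable ;;
        *:enabled)      echo start ;;
        *)              echo enable-and-start ;;
    esac
}

# Map a verdict to the command the procedure uses; prints nothing when no
# action is needed. `enable --now` covers all three remediation cases.
firewalld_remedy() {
    case "$1" in
        ok) ;;
        *)  echo "systemctl enable --now firewalld" ;;
    esac
}

# Live mode (assumed RUN_LIVE=1 switch): query systemd on this host and only
# apply the fix when running as root; otherwise just report what is needed.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    props=$(systemctl show -p ActiveState -p UnitFileState firewalld)
    verdict=$(firewalld_verdict "$props")
    echo "firewalld: $verdict"
    cmd=$(firewalld_remedy "$verdict")
    if [ -n "$cmd" ] && [ "$(id -u)" -eq 0 ]; then
        $cmd
    elif [ -n "$cmd" ]; then
        echo "run as root: $cmd"
    fi
fi
```

Run it as `RUN_LIVE=1 sh check-firewalld.sh` on a RHEL host; without `RUN_LIVE` the functions are defined but nothing is queried, which is what makes the parsing testable on a machine without firewalld.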
6.2. Managing the firewall in the RHEL 8 web console
To configure the firewalld service in the web console, navigate to Networking → Firewall.
By default, the firewalld service is enabled.
To enable or disable firewalld in the web console, switch the Firewall toggle button.
Additionally, you can define more fine-grained access through the firewall to a service using the Add services… button.
6.3. Managing basic SELinux settings
Security-Enhanced Linux (SELinux) is an additional layer of system security that determines which processes can access which files, directories, and ports. These permissions are defined in SELinux policies. A policy is a set of rules that guide the SELinux security engine.
SELinux has two possible states:
When SELinux is enabled, it runs in one of the following modes:
In enforcing mode, SELinux enforces the loaded policies. SELinux denies access based on SELinux policy rules and enables only the interactions that are explicitly allowed. Enforcing mode is the safest SELinux mode and is the default mode after installation.
In permissive mode, SELinux does not enforce the loaded policies. SELinux does not deny access, but reports actions that break the rules to the /var/log/audit/audit.log file. Permissive mode is the default mode during installation. Permissive mode is also useful in some specific cases, for example when troubleshooting problems.
6.4. Ensuring the required state of SELinux
By default, SELinux operates in enforcing mode. However, in specific scenarios, you can set SELinux to permissive mode or even disable it.
Red Hat recommends keeping your system in enforcing mode. For debugging purposes, you can set SELinux to permissive mode.
Follow this procedure to change the state and mode of SELinux on your system.
1. Display the current SELinux mode:
2. To temporarily set SELinux:
To enforcing mode:
# setenforce Enforcing
To permissive mode:
# setenforce Permissive
Note
After reboot, SELinux mode is set to the value specified in the /etc/selinux/config file.
3. To set SELinux mode to persist across reboots, modify the SELINUX variable in the /etc/selinux/config file.
For example, to switch SELinux to enforcing mode:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
...
Warning
Disabling SELinux reduces your system security. Avoid disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file because this can result in memory leaks and race conditions causing kernel panics. Instead, disable SELinux by adding the selinux=0 parameter to the kernel command line. For more information, see Changing SELinux modes at boot time.
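Because the persistent mode lives in a plain key=value file, the edit in step 3 and a compliance check for it are easy to script. The following is an added example, not part of the Red Hat documentation: it reads the SELINUX= line while ignoring the comment lines that also mention "SELINUX=", rewrites it in place for enforcing or permissive, and refuses to write SELINUX=disabled in line with the warning above. The SELINUX_CONFIG override and the function names are this example's own assumptions, so the functions can be exercised on a copy of the file rather than the live /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): manage the SELINUX=
# setting in an /etc/selinux/config-style file.

# Assumed override so the functions can run against a scratch copy.
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Print the mode configured for the next boot: enforcing, permissive, disabled,
# or "unset" when no SELINUX= line exists. Comment lines such as
# "# SELINUX= can take ..." start with '#' and so never match the anchored pattern.
selinux_config_mode() {
    file="${1:-$SELINUX_CONFIG}"
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$file" | tail -n 1)
    echo "${mode:-unset}"
}

# Rewrite the SELINUX= line in place, or append one if the file has none.
# Returns 1 for any mode other than enforcing or permissive, so this script can
# never write SELINUX=disabled (the kernel parameter selinux=0 is the supported way).
selinux_config_set() {
    mode="$1"
    file="${2:-$SELINUX_CONFIG}"
    case "$mode" in
        enforcing|permissive) ;;
        *)
            echo "refusing to set SELINUX=$mode; use selinux=0 on the kernel command line to disable" >&2
            return 1
            ;;
    esac
    if grep -q '^[[:space:]]*SELINUX=' "$file"; then
        sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
}

# Succeeds only when the persistent configuration is enforcing; suitable as a
# compliance check that fails a host whose next boot would not be enforcing.
selinux_config_is_enforcing() {
    [ "$(selinux_config_mode "$1")" = enforcing ]
}

# Live mode (assumed RUN_LIVE=1 switch): compare the running mode reported by
# getenforce with the mode that will apply after the next reboot.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    echo "running mode:   $(getenforce)"
    echo "next-boot mode: $(selinux_config_mode)"
    selinux_config_is_enforcing || echo "WARNING: not enforcing after reboot"
fi
```

A temporary setenforce change and the persistent file can disagree, which is why the live mode prints both values side by side; the file is the one that decides the state after the next reboot.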
6.5. Switching SELinux modes in the RHEL 8 web console
You can set SELinux mode through the RHEL 8 web console in the SELinux menu item.
By default, SELinux enforcing policy in the web console is on, and SELinux operates in enforcing mode. By turning it off, you switch SELinux to permissive mode. Note that this selection is automatically reverted on the next boot to the configuration defined in the /etc/selinux/config file.
In the web console, use the Enforce policy toggle button in the SELinux menu item to turn SELinux enforcing policy on or off.