Novell LINUX ENTERPRISE DESKTOP 11 Скачать руководство пользователя страница 85 | Manualshive

Страница: 85 / 450

Novell LINUX ENTERPRISE DESKTOP 11 Скачать руководство пользователя страница 85

1

The Windows domain controller providing both LDAP and KDC (Key Distribu-
tion Center) services is located.

2

A machine account for the joining client is created in the directory service.

3

An initial ticket granting ticket (TGT) is obtained for the client and stored in its
local Kerberos credential cache. The client needs this TGT to get further tickets
allowing it to contact other services, like contacting the directory server for LDAP
queries.

4

NSS and PAM configurations are adjusted to enable the client to authenticate
against the domain controller.

During client boot, the winbind daemon is started and retrieves the initial Kerberos
ticket for the machine account. winbindd automatically refreshes the machine's ticket
to keep it valid. To keep track of the current account policies, winbindd periodically
queries the domain controller.

5.2.2 Domain Login and User Homes

The login managers of GNOME and KDE (GDM and KDM) have been extended to
allow the handling of AD domain login. Users can choose to log in to the primary domain
the machine has joined or to one of the trusted domains with which the domain controller
of the primary domain has established a trust relationship.

User authentication is mediated by a number of PAM modules as described in

Sec-

tion 5.2, “Background Information for Linux AD Support”

(page 68). The

pam

_winbind

module used to authenticate clients against Active Directory or NT4 domains

is fully aware of Windows error conditions that might prohibit a user's login. The
Windows error codes are translated into appropriate user-readable error messages that
PAM gives at login through any of the supported methods (GDM, KDM, console, and
SSH):

Password has expired

The user sees a message stating that the password has expired and needs to be
changed. The system prompts directly for a new password and informs the user if
the new password does not comply with corporate password policies, for example,
the password is too short, too simple, or already in the history. If a user's password
change fails, the reason is shown and a new password prompt is given.

Active Directory Support

71

«
...
83
84
85
86
87
...
»

Содержание LINUX ENTERPRISE DESKTOP 11

Страница 1: ...SUSE Linux Enterprise Server www novell com 11 March 17 2009 Security Guide...

Страница 2: ...at this manual specifically for the printed format is reproduced and or distributed for noncommercial use only The express authorization of Novell Inc must be obtained prior to any other use of any ma...

Страница 3: ...AM Configuration File 18 2 2 The PAM Configuration of sshd 20 2 3 Configuration of PAM Modules 22 2 4 Configuring PAM Using pam config 24 2 5 For More Information 26 3 Using NIS 27 3 1 Configuring NIS...

Страница 4: ...y 82 6 2 How Kerberos Works 83 6 3 Users View of Kerberos 86 6 4 Installing and Administering Kerberos 87 6 5 For More Information 108 7 Using the Fingerprint Reader 109 7 1 Supported Applications and...

Страница 5: ...ing Certificates 152 13 Intrusion Detection with AIDE 153 13 1 Setting Up a AIDE Database 153 13 2 Local AIDE Checks 156 13 3 System Independent Checking 157 13 4 For More Information 158 Part III Net...

Страница 6: ...d Information on AppArmor Profiling 218 19 Getting Started 219 19 1 Installing Novell AppArmor 220 19 2 Enabling and Disabling Novell AppArmor 220 19 3 Choosing the Applications to Profile 221 19 4 Bu...

Страница 7: ...om Log Entries 281 23 6 Managing Novell AppArmor and Security Event Status 283 24 Building Profiles from the Command Line 287 24 1 Checking the AppArmor Module Status 287 24 2 Building AppArmor Profil...

Страница 8: ...387 30 5 Understanding the Audit Logs and Generating Reports 391 30 6 Querying the Audit Daemon Logs with ausearch 403 30 7 Analyzing Processes with autrace 407 30 8 Visualizing Audit Data 408 31 Set...

Страница 9: ...32 7 Managing Audit Event Records Using Keys 433 33 Useful Resources 435...

Страница 10: ......

Страница 11: ...mentation resources This includes additional documentation that is available on the system as well as documen tation available on the Internet For an overview of the documentation available for your p...

Страница 12: ...Administration Guide Provides information about how to manage storage devices on a SUSE Linux En terprise Server In addition to the comprehensive manuals several quick start guides are available Inst...

Страница 13: ...se use the User Comments feature at the bottom of each page of the online documentation and enter your comments there 3 Documentation Conventions The following typographical conventions are used in th...

Страница 14: ...ph is only relevant for the specified architectures The arrows mark the beginning and the end of the text block Dancing Penguins Chapter Penguins Another Manual This is a reference to a chapter in ano...

Страница 15: ...nteed Data security was already an important issue even before computers could be linked through networks Just like today the most im portant concern was the ability to keep data available in spite of...

Страница 16: ...ioning known bits and pieces to win the confidence of that person by using clever rhetoric The victim could be led to reveal gradually more information maybe without even becoming aware of it Among ha...

Страница 17: ...ns or the identity of another This is a general rule to be observed but it is especially true for the user root who holds the supreme power on the system root can take on the identity of any other loc...

Страница 18: ...the following safe password TNotRbUE9 In contrast passwords like beerbud dy or jasmine76 are easily guessed even by someone who has only some casual knowledge about you 1 1 3 The Boot Procedure Confi...

Страница 19: ...issions such as world writable directories or for files the setuser ID bit programs with the setuser ID bit set do not run with the permissions of the user that has launched it but with the permission...

Страница 20: ...been given to a local account Many of the bugs that have been reported can also be exploited over a network link Accordingly buffer overflows and format string bugs should be classified as being relev...

Страница 21: ...f UNIX operating systems can make use of this feature in an impressive way With X it is basically no problem to log in at a remote host and start a graphical program that is then sent over the network...

Страница 22: ...e found in Chapter 14 SSH Secure Network Op erations page 161 WARNING If you do not consider the host where you log in to be a secure host do not use X forwarding With X forwarding enabled an attacker...

Страница 23: ...r who puts himself between the communicating hosts is called a man in the middle attack What almost all types of man in the middle attacks have in common is that the victim is usually not aware that t...

Страница 24: ...e of the trust relationships among hosts to disguise itself as one of the trusted hosts Usually the attacker analyzes some packets received from the server to get the necessary information The attacke...

Страница 25: ...o discuss any security issues of interest Subscribe to it on the same Web page bugtraq securityfocus com is one of the best known security mailing lists worldwide Reading this list which receives betw...

Страница 26: ...t An excellent program for this job is nmap which not only checks out the ports of your machine but also draws some conclusions as to which services are waiting behind them However port scanning may b...

Страница 27: ...is is not exactly a trivial task In the end only you can know which entries are unusual and which are not Use tcp_wrapper to restrict access to the individual services running on your machine so you h...

Страница 28: ...problem and the version number of the package concerned SUSE will try to send a reply as soon as possible You are encouraged to pgp encrypt your e mail messages SUSE s pgp key is ID 3D25D3D9 1999 03...

Страница 29: ...Part I Authentication...

Страница 30: ......

Страница 31: ...prone One way to avoid these drawbacks is to separate applications from the authentication mechanism and delegate authentication to centrally managed modules Whenever a newly required authentication...

Страница 32: ...a PAM configuration file contains a maximum of four columns Type of module Control flag Module path Options PAM modules are processed as stacks Different types of modules have different pur poses for...

Страница 33: ...o further modules are processed In case of success other modules are subsequently processed just like any modules with the required flag The requisite flag can be used as a basic filter checking for t...

Страница 34: ...include common account password include common password session required pam_loginuid so session include common session Enable the following line to get resmgr support for ssh sessions see usr share...

Страница 35: ...n has succeeded Given that all modules of the stack have the required control flag they must all be processed successfully before sshd receives a message about the positive result If one of the module...

Страница 36: ...5 Default Configuration for the session Section session required pam_limits so session required pam_unix2 so session optional pam_umask so As the final step the modules of the session type bundled in...

Страница 37: ...ple 2 6 pam_env conf REMOTEHOST DEFAULT localhost OVERRIDE PAM_RHOST DISPLAY DEFAULT REMOTEHOST 0 0 OVERRIDE DISPLAY The first line sets the value of the REMOTEHOST variable to localhost which is used...

Страница 38: ...nfig The pam config tool helps you configure the global PAM configuration files under etc pam d common pc as well as several selected application configurations For a list of supported modules use the...

Страница 39: ...e options for the queried PAM module 5 Remove the debug options Finally remove the debug option from your setup when you are entirely satisfied with the performance of it The pam config delete ldap de...

Страница 40: ...lain text The Linux PAM Module Writers Manual This document summarizes the topic from the developer s point of view with in formation about how to write standard compliant PAM modules It is available...

Страница 41: ...etc group across networks NIS can also be used for other purposes making the contents of files like etc hosts or etc services available for example but this is beyond the scope of this introduction P...

Страница 42: ...If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers select Install and Set Up NIS Master Server YaST installs the required packages...

Страница 43: ...users can also change their names and address settings with the command ypchfn SHELL allows users to change their default shell with the command ypchsh for example to switch from bash to sh The new s...

Страница 44: ...ck OK to confirm your settings and return to the previous screen Figure 3 3 Changing the Directory and Synchronizing Files for a NIS Server 4 If you previously enabled Active Slave NIS Server Exists e...

Страница 45: ...ton Specify from which networks requests can be sent to the NIS server Normally this is your internal network In this case there should be the following two entries 255 0 0 0 127 0 0 0 0 0 0 0 0 0 0 0...

Страница 46: ...ed as follows 1 Start YaST Network Services NIS Server 2 Select Install and Set Up NIS Slave Server and click Next TIP If NIS server software is already installed on your machine initiate the creation...

Страница 47: ...T module NIS Client to configure a workstation to use NIS Select whether the host has a static IP address or receives one issued by DHCP DHCP can also provide the NIS domain and the NIS server For inf...

Страница 48: ...g By checking Broken Server the client is enabled to receive replies from a server communicating through an unprivileged port For further information see man ypbind After you have made your settings c...

Страница 49: ...rver keeps the data in a directory and distributes it to all clients using a certain protocol The data is structured in a way that allows a wide range of applications to access it That way it is not n...

Страница 50: ...x system administrator traditionally uses the NIS service for name resolution and data distribution in a network The configuration data contained in the files in etc and the directories group hosts ma...

Страница 51: ...n LDAP directory tree and provides the basic terminology used in an LDAP context Skip this introductory section if you already have some LDAP background knowledge and just want to learn how to set up...

Страница 52: ...The object class deter mines what attributes the concerned object must or can be assigned The Schema therefore must contain definitions of all object classes and attributes used in the desired applica...

Страница 53: ...2 DESC RFC2256 organizational unit this object belongs to 3 SUP name 4 objectclass 2 5 6 5 NAME organizationalUnit 5 DESC RFC2256 an organizational unit 6 SUP top STRUCTURAL 7 MUST ou 8 MAY userPasswo...

Страница 54: ...ject class is not subordinate to another object class Line 7 starting with MUST lists all attribute types that must be used in conjunction with an object of the type organizationalUnit Line 8 starting...

Страница 55: ...Figure 4 2 YaST LDAP Server Configuration LDAP A Directory Service 41...

Страница 56: ...d as follows 1 Log in as root 2 Start YaST and select Network Services LDAP Server to invoke the configura tion wizard 3 Configure the Global Settings of your LDAP server you can change these settings...

Страница 57: ...4 page 45 5 Confirm Basic Database Settings with entering an LDAP Administrator Password and then clicking Next see Figure 4 2 YaST LDAP Server Configuration page 41 6 Check the LDAP Server Configurat...

Страница 58: ...nd When Credentials Not Empty Normally the LDAP server denies any authentication attempts with empty credentials DN or password Enabling this option however makes it pos sible to connect with a passwo...

Страница 59: ...not been created during installation go for Launch CA Management Module first for more information see Sec tion 17 2 YaST Modules for CA Management page 202 Add Schema files to be included in the serv...

Страница 60: ...the left part of the dialog 2 Click Add Database to add the new database 3 Enter the requested data Base DN Enter the base DN of your LDAP server Administrator DN Enter the DN of the administrator in...

Страница 61: ...i ronment is sensitive to security issues because the Locked Account error message provides security sensitive information that can be exploited by a potential attacker 4d Enter the DN of the default...

Страница 62: ...you opt for Only Accept Checked Passwords only those pass words that pass the quality tests are accepted as valid 4 Configure the password aging policies 4a Determine the minimum password age the time...

Страница 63: ...n the dymanic configuration of OpenLDAP see the OpenLDAP Administration Guide 4 4 Configuring an LDAP Client with YaST YaST includes a module to set up LDAP based user management If you did not enable...

Страница 64: ...trol Center in the installed system Figure 4 6 YaST LDAP Client Configuration To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP proceed as follow...

Страница 65: ...f the LDAP server still uses LDAPv2 explicitly enable the use of this protocol version by selecting LDAP Version 2 6 Select Start Automounter to mount remote directories on your client such as a remot...

Страница 66: ...base DN enter these different naming contexts in User Map Password Map and Group Map 1b Specify the password change protocol The standard method to use whenever a password is changed is crypt meaning...

Страница 67: ...Directories on This Machine 2e Use the Password Policy section to select add delete or modify the password policy settings to use The configuration of password policies with YaST is part of the LDAP...

Страница 68: ...tion Figure 4 8 YaST Module Configuration page 54 allows the creation of new modules selection and modification of existing configuration modules and design and modification of templates for such modu...

Страница 69: ...ressing Edit and entering the new value Rename a module by simply changing the cn attribute of the module Clicking Delete deletes the currently selected module 5 After you click OK the new module is a...

Страница 70: ...ault values for an attribute can be created from other attributes by using a variable instead of an absolute value For example when creating a new user cn sn givenName is created automatically from th...

Страница 71: ...a Specify username login and password in the User Data tab 3b Check the Details tab for the group membership login shell and home di rectory of the new user If necessary change the default to values t...

Страница 72: ...m of user administration offers LDAP Options This gives the pos sibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups b...

Страница 73: ...to read and write the data stored on the server Alternatively choose Anonymous Access and do not provide the password to gain read access to the directory The LDAP Tree tab displays the content of the...

Страница 74: ...fi guration anymore YaST uses OpenLDAP s dynamic configuration database back config to store the LDAP server s configuration For details about the dy namic configuration backend please see the slapd c...

Страница 75: ...tration Guide can be used to have the server started and stopped automatically on boot and halt of the system It is also possible to create the corresponding links to the start and stop scripts with t...

Страница 76: ...example The organizational unit development devel dn ou devel dc example dc com objectClass organizationalUnit ou devel The organizational unit documentation doc dn ou doc dc example dc com objectCla...

Страница 77: ...bjectClass inetOrgPerson cn Tux Linux givenName Tux sn Linux mail tux example com uid tux telephoneNumber 49 1234 567 8 An LDIF file can contain an arbitrary number of objects It is possible to pass e...

Страница 78: ...g with the syntax in the order presented below dn cn Tux Linux ou devel dc example dc com changetype modify replace telephoneNumber telephoneNumber 49 1234 567 10 Find detailed information about ldapm...

Страница 79: ...Linux ou devel dc example dc com 4 9 For More Information More complex subjects like SASL configuration or establishment of a replicating LDAP server that distributes the workload among multiple slav...

Страница 80: ...html Understanding LDAP A detailed general introduction to the basic principles of LDAP http www redbooks ibm com redbooks pdfs sg244986 pdf Printed literature about LDAP LDAP System Administration by...

Страница 81: ...ndows environ ment 5 1 Integrating Linux and AD Environments With a Linux client configured as an Active Directory client that is joined to an existing Active Directory domain benefit from various fea...

Страница 82: ...ssages and accept your input You can even use the Linux passwd command to set Windows passwords Single Sign On through Kerberized Applications Many applications of both desktops are Kerberos enabled k...

Страница 83: ...pam_mkhomedir pam_unix2 To communicate with the directory service the client needs to share at least two proto cols with the server LDAP LDAP is a protocol optimized for managing directory information...

Страница 84: ...for AD users is done by the pam_winbind module The creation of user homes for the AD users on the Linux client is handled by pam _mkhomedir The pam_winbind module directly interacts with winbindd To...

Страница 85: ...the handling of AD domain login Users can choose to log in to the primary domain the machine has joined or to one of the trusted domains with which the domain controller of the primary domain has esta...

Страница 86: ...ux Enterprise Server machine is not in that list a message appears that this user cannot log in from this workstation Invalid logon hours When a user is only allowed to log in during working hours and...

Страница 87: ...chine extensive caching was integrated into the winbind daemon The winbind daemon enforces password policies even in the offline state It tracks the number of failed login attempts and reacts accordin...

Страница 88: ...e details about using active directory for time synchronization see Joining an AD Domain page 75 DHCP If your client uses dynamic network configuration with DHCP configure DHCP to provide the same IP...

Страница 89: ...ot and start YaST 2 Start Network Services Windows Domain Membership 3 Enter the domain to join at Domain or Workgroup in the Windows Domain Membership screen see Figure 5 2 Determining Windows Domain...

Страница 90: ...ve a network connection 7 Select Expert Settings if you want to change the UID and GID ranges for the Samba users and groups Let DHCP retrieve the WINS server only if you need it This is the case when...

Страница 91: ...irectory and you have a valid Windows user identity you can log in to your machine using the AD credentials Login is supported for both desktop environments GNOME and KDE the console SSH and any other...

Страница 92: ...login of each AD authenticated user This allows you to benefit from the AD support of SUSE Linux Enterprise Server while still having a completely capable Linux machine at your disposal 5 4 2 Console...

Страница 93: ...c cessfully satisfied Feedback about the password status is given both through the display managers and the console GDM and KDM provide feedback about password expiration and prompt for new passwords...

Страница 94: ...nd confirm the new password 6 Leave the dialog with Close to apply your settings To change your Windows password from the KDE desktop proceed as follows 1 Select Personal Settings from the main menu 2...

Страница 95: ...ity for each desired service and make sure that no one can take the identity of someone else Make sure that each network server also proves its identity Otherwise an attacker might be able to imperson...

Страница 96: ...e client s name the workstation s IP address and the current workstation s time all encrypted with the session key only known to the client and the server from which it is re questing a service An aut...

Страница 97: ...client s identity Kerberos keeps a database of all its users and their private keys To ensure Kerberos is worth all the trust put in it run both the authentication and ticket granting server on a dedi...

Страница 98: ...e ticket used to obtain other tickets does not expire your workstation can prove your identity 6 2 2 Requesting a Service To request a service from any server in the network the client application nee...

Страница 99: ...r s authenticity and they both start cooperating 6 2 4 Ticket Granting Contacting All Servers Tickets are designed to be used for one server at a time This implies that you have to get a new ticket ea...

Страница 100: ...5 Because SUSE Linux Enterprise Server uses the MIT implementation of Kerberos 5 find useful infor mation and guidance in the MIT documentation See Section 6 5 For More Information page 108 6 3 Users...

Страница 101: ...justed to the new situation Simply copying tickets between workstations is not sufficient because the ticket contains workstation specific information the IP address XDM GDM and KDM offer Kerberos sup...

Страница 102: ...9 Enabling PAM Support for Kerberos page 103 To configure SSH or LDAP with Kerberos authentication proceed as outlined in Section 6 4 10 Configuring SSH for Kerberos Authentication page 104 and Sectio...

Страница 103: ...e routing between the two subnets 192 168 1 0 24 and 192 168 2 0 24 Refer to Section Configuring Routing Chapter 18 Basic Networking Administration Guide for more information on configuring routing wi...

Страница 104: ...g Up the KDC Hardware The first thing required to use Kerberos is a machine that acts as the key distribution center or KDC for short This machine holds the entire Kerberos user database with password...

Страница 105: ...o its tickets A server receiving a ticket with a time stamp that differs from the current time rejects the ticket Kerberos allows a certain leeway when comparing time stamps However computer clocks ca...

Страница 106: ...b kerberos krb5kdc kdc conf must be adjusted for your scenario These files contain all information on the KDC 3 Create the Kerberos Database Kerberos keeps a database of all principal identifiers and...

Страница 107: ...dom page When you make tape backups of the Kerberos database var lib kerberos krb5kdc principal do not back up the stash file which is in var lib kerberos krb5kdc k5 EXAMPLE COM Otherwise everyone abl...

Страница 108: ...e basically completely different accounts with similar names Starting the KDC Start the KDC daemon and the kadmin daemon To start the daemons manually enter rckrb5kdc start and rckadmind start Also ma...

Страница 109: ...issues OpenSSH support time synchronization and extended PAM configurations 4 To configure a static Kerberos client proceed as follows 4a Set Default Domain Default Realm and KDC Server Address to the...

Страница 110: ...authenticate with the SSH server Exclude a range of user accounts from using Kerberos authentication by providing a value for the Minimum UID that a user of this feature must have For instance you may...

Страница 111: ...C services using DNS records With static configuration add the hostnames of your KDC server to krb5 conf and update the file whenever you move the KDC or reconfigure your realm in other ways DNS based...

Страница 112: ...the default realm for Kerberos applications If you have several realms just add additional statements to the realms section Also add a statement to this file that tells applications how to map hostnam...

Страница 113: ...rt of load balancing among servers of equal priority You probably do not need any of this so it is okay to set these to zero MIT Kerberos currently looks up the following names when looking for servic...

Страница 114: ...ration server which principals are allowed to do what Do this by editing the file var lib kerberos krb5kdc kadm5 acl The ACL access control list file allows you to specify privileges with a fine degre...

Страница 115: ...bc mode with CRC 32 no salt Attributes Policy none kadmin modify_principal maxlife 8 hours newbie Principal newbie EXAMPLE COM modified kadmin getprinc joe Principal newbie EXAMPLE COM Expiration date...

Страница 116: ...ors are Service Service Descriptor Telnet RSH SSH host NFSv4 with Kerberos support nfs HTTP with Kerberos authentication HTTP IMAP imap POP3 pop LDAP ldap Service principals are similar to user princi...

Страница 117: ...le etc krb5 keytab This file is owned by the superuser so you must be root to execute the next command in the kadmin shell kadmin ktadd host jupiter example com Entry for principal host jupiter exampl...

Страница 118: ...y anymore but relies on GSSAPI the General Security Services API This is a programming interface that is not specific to Kerberos it was designed to hide the peculiarities of the underlying authentica...

Страница 119: ...ntation is cyrus sasl which supports a number of different authen tication flavors Kerberos authentication is performed through GSSAPI General Secu rity Services API By default the SASL plug in for GS...

Страница 120: ...p example com EXAMPLE COM Then on the shell run chown ldap ldap etc openldap ldap keytab chmod 600 etc openldap ldap keytab To tell OpenLDAP to use a different keytab file change the following variabl...

Страница 121: ...of their LDAP user record Assuming you have a schema where the LDAP entry of user joe is located at uid joe ou people dc example dc com set up the following access controls in etc openldap slapd conf...

Страница 122: ...tory structure or a schema in which the username is not part of the DN you can even use search expressions to map the SASL DN to the user DN 6 5 For More Information The official site of the MIT Kerbe...

Страница 123: ...rint wiki Supported_devices If the hardware check detects the fingerprint reader integrated with your laptop or connected to your system the packages libfprint pam_fp and yast2 fingerprint reader are...

Страница 124: ...PAM is configured accordingly Usually this is done automatically during installation of the packages when the hardware check detects a supported fingerprint reader If not manually enable the fingerpri...

Страница 125: ...ot entry and register a fingerprint for root as described above 7 After you have registered fingerprints for the desired users click Finish to close the administration dialog and to save the changes A...

Страница 126: ......

Страница 127: ...Part II Local Security...

Страница 128: ......

Страница 129: ...y Overview displays a comprehensive list of the most important security settings for your system The security status of each entry in the list is clearly visible A green check mark indicates a secure...

Страница 130: ...affect all the settings available in the Local Security module Each configuration can be modified to your needs using the dialogs available from the right pane Choose between the following sets Home W...

Страница 131: ...be used Check New Passwords By activating this option a warning will be issued if new passwords appear in a dictionary or if they are proper names proper nouns Test for Complicated Passwords When thi...

Страница 132: ...ecify how Ctrl Alt Del will be interpreted 8 5 Login Settings This dialog lets you configure security related login settings Delay after Incorrect Login Attempt In order to make it difficult to guess...

Страница 133: ...or standalone machines This settings allows regular users for example to read most system files See the file etc permissions easy for the complete configuration The Secure file permissions are designe...

Страница 134: ...e trojan horse current directory ls is executed when entering ls In order to start a program in the current directory the command must be prefixed with When activating these options the current direct...

Страница 135: ...no or needs authentication Unlike classical privilege authorization programs such as sudo PolicyKit does not grant root permissions to an entire process following the least privilege concept 9 1 Avai...

Страница 136: ...er PolicyKit gives depends on the policy defined for this process It can be yes no or authentication needed By default a policy contains implicit privileges which automatically apply to all users It i...

Страница 137: ...only once 9 2 2 Explicit Privileges Explicit privileges can be granted to specific users They can either be granted without limitations or when using constraints limited to an active session and or a...

Страница 138: ...pressing Alt F2 and entering polkit gnome authorization TIP Using the Authorizations tool in non GNOME environments Authorizations is a GNOME tool and therefore not installed when the GNOME desktop en...

Страница 139: ...ers or Block users In both cases choose a user and a Constraint Users with a UID of less than 1000 are only shown when Show System Users is checked To delete an authorization choose it from the list a...

Страница 140: ...for a given action to the defaults However polkit action always operates on the upstream defaults so it is not possible to list or restore the defaults shipped with SUSE Linux Enterprise Server Refer...

Страница 141: ...e run the command polkit action The following values are valid for the session parameters yes grant privilege no block auth_self user needs to authenticate with own password every time the privilege i...

Страница 142: ...tended Regular Expressions are allowed as attribute values user USER Specify one or more login names Separate multiple names by the symbol action policy Specify a policy by it s unique identifier To g...

Страница 143: ...te file A statement granting the user tux the privilege to update packages via PackageKit without having to authorize Withdraw privileges for all PolicyKit related policies from the users tux and wilb...

Страница 144: ...owever set_polkit_default_privs will only reset policies that are set to the upstream defaults To reset all policies to the upstream defaults first and then apply the SUSE Linux Enterprise Server defa...

Страница 145: ...hapter follows these two standards as well They can be viewed at http wt xpilot org publications posix 1e 10 1 Traditional File Permissions Find detailed information about the traditional file permiss...

Страница 146: ...the group to which the direc tory belongs Consider the following example directory drwxrws 2 tux archive 48 Nov 19 17 12 backup You can see the s that denotes that the setgid bit is set for the group...

Страница 147: ...realized without implementing complex permission models on the application level The advantages of ACLs are evident if you want to replace a Windows server with a Linux server Some of the connected wo...

Страница 148: ...h named group entry defines the permissions of the group specified in the entry s qualifier field Only the named user and named group entries have a qualifier field that is not empty The other entry d...

Страница 149: ...CL ACL Entries Compared to Permission Bits page 136 and Figure 10 2 Extended ACL ACL Entries Compared to Permission Bits page 136 illustrate the two cases of a minimum ACL and an extended ACL The figu...

Страница 150: ...d to the mask entry This is shown in Figure 10 2 Extended ACL ACL Entries Compared to Permission Bits page 136 Figure 10 2 Extended ACL ACL Entries Compared to Permission Bits This mapping approach en...

Страница 151: ...This gives information like file mydir owner tux group project3 user rwx group r x other The first three output lines display the name owner and owning group of the directory The next three lines cont...

Страница 152: ...that there is an ex tended ACL for this item According to the output of the ls command the permissions for the mask entry include write access Traditionally such permission bits would mean that the ow...

Страница 153: ...ault ACL affects both subdirectories and files Effects of a Default ACL There are two ways in which the permissions of a directory s default ACL are passed to the files and subdirectories A subdirecto...

Страница 154: ...s rwx mask rwx other default user rwx default group r x default group mascots r x default mask r x default other getfacl returns both the access ACL and the default ACL The default ACL is formed by al...

Страница 155: ...wn to its subordinate objects is also the same 3 Use touch to create a file in the mydir directory for example touch mydir myfile ls l mydir myfile then shows rw r tux project3 mydir myfile The output...

Страница 156: ...s randomly selected from the suitable entries with the required permissions It is irrelevant which of the entries triggers the final result access granted Likewise if none of the suitable group entrie...

Страница 157: ...there are currently no backup applica tions that preserve ACLs 10 6 For More Information Detailed information about ACLs is available at http acl bestbits at Also see the man pages for getfacl 1 acl 5...

Страница 158: ......

Страница 159: ...encryption Encrypting a Hard Disk Partition You can create an encrypted partition with YaST during installation or in an already installed system Refer to Section 11 1 1 Creating an Encrypted Partiti...

Страница 160: ...system from being compromised After the encrypted medium is successfully mounted everybody with appropriate permissions has access to it However encrypted media are useful in case of loss or theft of...

Страница 161: ...the Encrypt file system check box 6 If the encrypted file system should only be mounted when necessary enable Do Not Mount at System Start up in the Fstab Options 7 Click OK You will be prompted for...

Страница 162: ...of the procedure is the same as described in Section 11 1 1 Creating an En crypted Partition during Installation page 147 11 1 3 Creating an Encrypted File as a Container Instead of using a partition...

Страница 163: ...file system other than FAT change the ownership explicitly for users other than root to enable these users to read or write files on the device 11 2 Using Encrypted Home Directories To protect data in...

Страница 164: ...because these may contain temporary images of critical data You can encrypt swap tmp and var tmp with the YaST partitioner as de scribed in Section 11 1 1 Creating an Encrypted Partition during Insta...

Страница 165: ...oment Other applications that use certificates as well are not covered but may be in the future If you have such an application you can continue to use its private separate configuration 12 1 Activati...

Страница 166: ...ficate into the certificate store do the following 1 Start Firefox 2 Open the dialog from Edit Preferences Change to Advanced Encryption and click on View Certificates 3 Import your certificate depend...

Страница 167: ...lay changes in configuration files and you will have to do some filtering to detect important changes An additional problem to the method with rpm is that an intelligent attacker will modify rpm itsel...

Страница 168: ...he respective checking options are used in the files section Important options include the following Table 13 1 Important AIDE Checking Options Description Option Check for the file permissions of the...

Страница 169: ...similar to the selection with but defines which files not to use A configuration that checks for all files in sbin with the options defined in Binlib but omits the directory sbin conf d would look lik...

Страница 170: ...ne with the command mv var lib aide aide db new var lib aide aide db After any configuration change you always have to reinitialize the AIDE database and subsequently move the newly generated database...

Страница 171: ...IDE binary from a trusted source This excludes the risk that some attacker also modified the aide binary to hide his traces To accomplish this task aide must be run from a rescue system that is indepe...

Страница 172: ...g architecture rpm Replace ftp_server version_string and architecture with the values used on your system 4 Restart the server that should go through an AIDE check with the Rescue system from your DVD...

Страница 173: ...Part III Network Security...

Страница 174: ......

Страница 175: ...unprotected communication channels like the traditional FTP protocol and some remote copying programs The SSH suite provides the necessary protection by encrypting the authentication strings usually...

Страница 176: ...e program output is displayed on the local terminal of the host jupiter ssh otherplanet uptime mkdir tmp Password 1 21pm up 2 17 9 users load average 0 15 0 04 0 02 Quotation marks are necessary here...

Страница 177: ...running in the background listening for connections on TCP IP port 22 The daemon generates three key pairs when starting for the first time Each key pair consists of a private and a public key Therefo...

Страница 178: ...t the session key using its private keys This initial connection phase can be watched closely by turning on the verbose debugging option v of the SSH client The client stores all public host keys in s...

Страница 179: ...it to ssh authorized_keys You will be asked to authenticate yourself with your passphrase the next time you establish a connection If this does not occur verify the location and contents of these fil...

Страница 180: ...with this method cannot be intercepted by unautho rized individuals By adding the option A the ssh agent authentication mechanism is carried over to the next machine This way you can work from differ...

Страница 181: ...Multiple ports are allowed To add a new port click Add enter the port number and click OK To delete port select it in the table click Delete and confirm 2 On the General tab select the features the ss...

Страница 182: ...pecifies whether pure RSA authentication is allowed This option applies to SSH protocol version 1 only Public Key Authentication specifies whether public key authentication is allowed This option appl...

Страница 183: ...5 1 Packet Filtering with iptables The components netfilter and iptables are responsible for the filtering and manipulation of network packets as well as for network address translation NAT The filter...

Страница 184: ...tself POSTROUTING This chain is applied to all outgoing packets Figure 15 1 iptables A Packet s Possible Paths page 171 illustrates the paths along which a network packet may travel on a given system...

Страница 185: ...ssible Paths Routing Routing in the local system Processes outgoing packet incoming packet filter nat mangle POSTROUTING PREROUTING nat mangle FORWARD mangle filter INPUT mangle filter OUTPUT nat mang...

Страница 186: ...oadcast address and the netmask are the same for all local hosts Failing to do so prevents packets from being routed properly As mentioned whenever one of the LAN hosts sends a packet destined for an...

Страница 187: ...re intended to compromise a CGI program on your Web server the packet filter would still let them through A more effective but more complex mechanism is the combination of several types of systems suc...

Страница 188: ...tarized Zone DMZ While hosts located in this zone can be reached both from the external and the in ternal network they cannot access the internal network themselves This setup can be used to put an ad...

Страница 189: ...ed directly from the tree structure on the left side Start Up Set the start up behavior in this dialog In a default installation SuSEfirewall2 is started automatically You can also start and stop the...

Страница 190: ...each other and so generate many packets that are not accepted IPsec Support Configure whether the IPsec service should be available to the external network in this dialog Configure which packets are t...

Страница 191: ...to to use the in terface that corresponds to the default route FW_DEV_INT firewall masquerading The device linked to the internal private network such as eth0 Leave this blank if there is no internal...

Страница 192: ...lable to the outside The services that use UDP include include DNS servers IPsec TFTP DHCP and others In that case enter the UDP ports to use FW_SERVICES_ACCEPT_EXT firewall List services to allow fro...

Страница 193: ...net for example from an external host to see whether the connection is actually denied After that review var log messages where you should see something like this Mar 15 13 21 38 linux kernel SFW2 INe...

Страница 194: ......

Страница 195: ...PN and some relevant terminology 16 1 1 Scenarios with VPN There are many packages and even more combinations that enable the setting up and building of a VPN connection This chapter focuses on OpenVP...

Страница 196: ...ows file shares across the VPN without setting up a Samba or WINS server Bridged VPN is also needed if you want to use non IP protocols such as IPX or applications relying on network broadcasts Howeve...

Страница 197: ...Figure 16 2 Scenario 2 Figure 16 3 Scenario 3 Configuring VPN Server 183...

Страница 198: ...el A tunnel can use a so called tun or tap device They are virtual network kernel drivers which implement the transmission of ethernet frames or ip frames packets tun device A tun device simulates a p...

Страница 199: ...to your needs but make sure you select adresses which are not used to minimize problems with IP address or subnet conflicts WARNING Use It Only For Testing This scenario is only useful for testing and...

Страница 200: ...e that will later become your VPN client 2 Create the file etc openvpn server conf with the following content remote IP_OF_SERVER dev tun ifconfig 10 23 8 2 10 23 8 1 secret secret key Replace the pla...

Страница 201: ...for the server and each client and a master certificate authority CA The general overview of this process involves these steps which are explained in the following subsections 1 Build your public key...

Страница 202: ...n easy ca 3 Edit the default values in the file vars Change the variables KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG and KEY_EMAIL 4 Initialize the PKI source vars clean all build ca 5 Enter the respec...

Страница 203: ...allowed to connect to the VPN server Make sure you use a different name other than client and an appropriate Common Name because this parameter has to be unique for each client After this procedure t...

Страница 204: ...proto udp dev tun0 Security ca ssl ca crt cert ssl server crt key ssl server key dh ssl dh1024 pem server 10 8 0 0 255 255 255 0 ifconfig pool persist var run openvpn ipp txt Privleges user nobody gro...

Страница 205: ...a good idea to run the OpenVPN daemon with reduced privileges For this reason the group and user nobody is used Several other configurations see comment in the original configuration from usr share d...

Страница 206: ...ings as on the server Replace the placeholder IP_OR_HOSTNAME with the respective hostname or IP address of your VPN server After the hostname the port of the server is given You can have multiple line...

Страница 207: ...installed the package NetworkManager openvpn kde4 and have resolved all dependencies 2 Right click on a widget of your panel and select Panel Options Add Wid gets 3 Select Networks 4 Right click on t...

Страница 208: ...have finished this step you are reverted back to the Network Settings dialog 9 Finish with Ok 10 Enable the connection with your Network manager applet 16 4 2 GNOME To setup a OpenVPN connection in G...

Страница 209: ...ou have selected Password with Certificates TLS Username The password for the user only available when you have selected Password with Certificates TLS Password etc openvpn ssl client1 crt User Certif...

Страница 210: ......

Страница 211: ...modules for certification which offer basic management functions for digital X 509 certificates The following sections explain the basics of digital certi fication and how to use YaST to create and a...

Страница 212: ...l of certificates An infras tructure of this kind is generally referred to as a public key infrastructure or PKI One familiar PKI is the OpenPGP standard in which users publish their certificates them...

Страница 213: ...to be able to evaluate an extension if it is identified as critical If an application does not recognize a critical extension it must reject the certificate Some extensions are only useful for a spec...

Страница 214: ...d using a certificate revocation list CRL These lists are supplied by the CA to public CRL distribution points CDPs at regular intervals The CDP can optionally be named as an extension in the certific...

Страница 215: ...age 35 Chapter 28 The Apache HTTP Server Administration Guide contains information about the HTTP server 17 1 5 Proprietary PKI YaST contains modules for the basic management of X 509 certificates Thi...

Страница 216: ...eating a Root CA The first step when setting up a PKI is to create a root CA Do the following 1 Start YaST and go to Security and Users CA Management 2 Click Create Root CA 3 Enter the basic data for...

Страница 217: ...using the CA when creating a sub CA or generating certificates The text fields have the following meaning Key Length Key Length contains a meaningful default and does not generally need to be changed...

Страница 218: ...2 Changing Password If you need to change your password for your CA proceed as follows 1 Start YaST and open the CA module 2 Select the required root CA and click Enter CA 3 Enter the password if you...

Страница 219: ...ormation in the tab Description see Figure 17 2 Figure 17 2 YaST CA Module Using a CA 4 Click Advanced and select Create SubCA This opens the same dialog as for creating a root CA 5 Proceed as describ...

Страница 220: ...d for e mail signature the e mail address of the sender the private key owner should be contained in the certificate to enable the e mail program to assign the correct certifi cate For certificate ass...

Страница 221: ...nwanted certificates do the following 1 Start YaST and open the CA module 2 Select the required root CA and click Enter CA 3 Enter the password if entering a CA the first time YaST displays the CA key...

Страница 222: ...icate These settings have been given rational defaults for every certificate type and do not normally need to be changed However it may be that you have special requirements for these extensions In th...

Страница 223: ...int Already existing CAs and certificates remain unchanged 17 2 6 Creating CRLs If compromised or otherwise unwanted certificates should be excluded from further use they must first be revoked The pro...

Страница 224: ...s you must publish this CRL NOTE Applications that evaluate CRLs reject every certificate if CRL is not available or expired As a PKI provider it is your duty always to create and publish a new CRL be...

Страница 225: ...eparate tree with the attribute caCertificate Exporting a Certificate to LDAP Enter the CA containing the certificate to export then select Certificates Select the required certificate from the certif...

Страница 226: ...or selecting the required output format and entering the password and filename The certificate is stored at the required location after clicking OK For CRLs click Export select Export to file choose t...

Страница 227: ...in the file system This op tion can also be used to import certificates from a transport medium such as a USB stick To import a common server certificate do the following 1 Start YaST and open Common...

Страница 228: ......

Страница 229: ...Part IV Confining Privileges with Novell AppArmor...

Страница 230: ......

Страница 231: ...secures applications by enforcing good application behavior without relying on attack signatures so it can prevent attacks even if they are exploiting previously unknown vulnerabilities Novell AppArm...

Страница 232: ...be used only for scientific background and not for technical documentation Defcon Capture the Flag Defending Vulnerable Code from Intense Attack by Crispin Cowan Seth Arnold Steve Beattie Chris Wright...

Страница 233: ...19 4 Building and Modifying Profiles page 222 Check the results and adjust the profiles when necessary 3 Keep track of what is happening on your system by running AppArmor reports and dealing with sec...

Страница 234: ...any fresh installation of SUSE Linux Enterprise Server There are two ways of toggling the status of AppArmor Using YaST System Services Runlevel Disable or enable AppArmor by removing or adding its bo...

Страница 235: ...abling it Toggle the status of AppArmor in a running system by using the AppArmor Control Panel These changes take effect as soon as you apply them and survive a reboot of the system To toggle AppArmo...

Страница 236: ...he the right applications to profile refer to Section 20 2 Determining Programs to Immunize page 230 19 4 Building and Modifying Profiles Novell AppArmor on SUSE Linux Enterprise Server ships with a p...

Страница 237: ...lobbing 4 Depending on the complexity of your application it might be necessary to repeat Step 2 page 223 and Step 3 page 223 Confine the application exercise it under the confined conditions and proc...

Страница 238: ...ofiles with YaST page 265 and Chapter 24 Building Profiles from the Command Line page 287 19 5 Configuring Novell AppArmor Event Notification and Reports Set up event notification in Novell AppArmor s...

Страница 239: ...eed as follows 1 Start YaST Select Novell AppArmor AppArmor Reports 2 Select the type of report to examine or configure from Executive Security Sum mary Applications Audit and Security Incident Report...

Страница 240: ...efinition can also be addressed using the Update Profile Wizard To update your profile set proceed as follows 1 Start YaST and choose Novell AppArmor Update Profile Wizard 2 Adjust access or execute r...

Страница 241: ...ll AppArmor is referred to as immunizing Administrators only need to care about the applications that are vulnerable to attacks and generate profiles for these Hardening a system thus comes down to bu...

Страница 242: ...rvers largely do not permit users to log in but instead provide a variety of network services for users such as Web mail file and print servers Novell AppArmor controls the access given to network ser...

Страница 243: ...riggered during the application s execution After the profile has been generated it is loaded and put into enforce mode Refer to Section aa genprof Generating Profiles page 297 for detailed informatio...

Страница 244: ...he viola tions only but still permit them use complain mode Enforce toggles with complain mode 20 2 Determining Programs to Immunize Now that you have familiarized yourself with AppArmor start selecti...

Страница 245: ...cp program to copy a file Because cp does not have its own profile it inherits the profile of the parent shell script so can copy any files that the parent shell script s profile can read and write 2...

Страница 246: ...not confined NOTE If you create a new profile you must restart the program that has been profiled to have it be effectively confined by AppArmor Below is a sample aa unconfined output 2325 sbin portm...

Страница 247: ...confine desktop applications the aa unconfined command supports a paranoid option which reports all processes running and the corresponding App Armor profiles that might or might not be associated wi...

Страница 248: ...es that there be a dedicated profile for my_hit_counter pl If my_hit_counter pl does not have a dedicated profile associated with it the rule should say srv www cgi bin my_hit_counter pl rix to cause...

Страница 249: ...e Chapter 27 Managing Profiled Applications page 329 For mod_perl and mod_php scripts this is the name of the Perl script or the PHP page requested For example adding this subprofile allows the localt...

Страница 250: ...de profiles for as many of those programs as possible If you provide profiles for all programs with open network ports an attacker cannot get to the file system on your machine without passing through...

Страница 251: ...ed range of activities changes AppArmor offers intuitive tools to handle profile updates or modifications You are ready to build Novell AppArmor profiles after you select the programs to profile To do...

Страница 252: ...ion s resource limits For help determining the programs to profile refer to Section 20 2 Determining Pro grams to Immunize page 230 To start building AppArmor profiles with YaST proceed to Chapter 23...

Страница 253: ...obar r foo s hat bar bar15 lib ld so mr usr bin bar px var spool rwl This loads a file containing variable definitions The normalized path to the program that is confined The curly braces serve as a c...

Страница 254: ...er to Section 21 7 7 Owner Conditional Rules page 251 for more information 12 This entry defines a transition to the local profile usr bin foobar Find a comprehensive overview of the available execute...

Страница 255: ...children profiles embedded inside of a parent profile used to provide tighter or alternate confine ment for a subtask of an application 21 2 1 Standard Profiles The default AppArmor profile is attach...

Страница 256: ...Local profiles provide a convenient way to provide specialized confinement for utility programs launched by a confined application They are specified just like standard profiles except they are embedd...

Страница 257: ...restrict the opening of new resources and will even limit some of the resources opened before the switch Specifically memory resources will still be available while capability and file resources as lo...

Страница 258: ...es 21 3 1 Abstractions Abstractions are includes that are grouped by common application tasks These tasks include access to authentication mechanisms access to name service routines common graphics re...

Страница 259: ...dress type and family The following illustrates the network access rule syntax network domain type protocol Supported domains inet ax25 ipx appletalk netrom bridge x25 inet6 rose netbeui security key...

Страница 260: ...21 6 Paths and Globbing AppArmor explicitly distinguishes directory path names from file path names Use a trailing for any directory path that needs to be explicitly distinguished some random example...

Страница 261: ...c abc Example a rule that matches home 01 plan allows a program to access plan files for users in both home0 and home1 Substitutes for the single character a b or c a c Expands to one rule to match ab...

Страница 262: ...chrooted applications CHROOT_BASE var lib dev log w CHROOT_BASE var log w NOTE With the current AppArmor tools variables can only be used when manually editing and maintaining a profile 21 6 2 Alias...

Страница 263: ...d other interpreted content and determines if an executing process can core dump 21 7 2 Write Mode w Allows the program to have write access to the resource Files must have this permission if they are...

Страница 264: ...issions as the link created with the exception that the desti nation does not need link access 21 7 6 Link Pair The link mode grants permission to create links to arbitrary files provided the link has...

Страница 265: ...h a deny rule Such a reject will also not show up in the audit logs when denied keeping the log files lean If this is not desired prepend the deny entry with the keyword audit It is also possible to u...

Страница 266: ...r domain transition If there is no profile defined the access is denied WARNING Using the Discrete Profile Execute Mode px does not scrub the environment of variables such as LD_PRELOAD As a result th...

Страница 267: ...armor 7 man page WARNING Using Unconstrained Execute Mode ux Use ux only in very special cases It enables the designated child processes to be run without any AppArmor protection ux does not scrub the...

Страница 268: ...te exploit attempts AppArmor uses this mode to limit which files a well behaved program or all programs on architectures that enforce non executable memory access controls may use as libraries to limi...

Страница 269: ...ransitions The px and cx transitions specify a hard dependency if the specified profile does not exist the exec will fail With the inheritance fallback the execution will succeed but inherit the curre...

Страница 270: ...LD_AUDIT LD_DEBUG LD_DEBUG_OUTPUT LD_DYNAMIC_WEAK LD_LIBRARY_PATH LD_ORIGIN_PATH LD_PRELOAD LD_PROFILE LD_SHOW_AUXV LD_USE_LOAD_BIAS LOCALDOMAIN LOCPATH MALLOC_TRACE NLSPATH RESOLV_HOST_CONF RES_OPTI...

Страница 271: ...profile has the ability to further reduce the applications rlimits AppArmor s rlimit rules will also provide mediation of setting an applications hard limits should it try to raise them The applicatio...

Страница 272: ...e with a text editor The tools will still work with profiles containing rlimit rules and will not remove them so it is safe to use the tools to update profiles containing them 21 10 Auditing Rules App...

Страница 273: ...pability rule allows to apply capabilities to multiple programs running under a specific profile by using ix transitions For security reasons set capability rules will not be inherited so once a progr...

Страница 274: ......

Страница 275: ...vell and other AppArmor users as well as uploading your own Find the profile repository at http apparmor opensuse org 22 1 Using the Local Repository The AppArmor tools both YaST and aa genprof and aa...

Страница 276: ...f necessary 22 2 1 Setting up Profile Repository Support Once properly configured both the YaST and the command line tools support the use of an external profile repository The initial configuration t...

Страница 277: ...to be able to upload your own profiles enabled is set to yes while upload is set to no repository enabled yes upload yes user tux pass XXXXX Once initially configured through the AppArmor tools the c...

Страница 278: ...has been changed or that a new one has been created If your system is configured to upload profiles to the repository you are prompted to provide a ChangeLog to document your changes before the change...

Страница 279: ...faces have differing appearances they offer the same functionality in similar ways Another alternative is to use AppArmor commands which can control AppArmor from a terminal window or through remote c...

Страница 280: ...an application on your system without the help of the wizard For detailed steps refer to Section 23 2 Manually Adding a Profile page 275 Edit Profile Edits an existing Novell AppArmor profile on your...

Страница 281: ...profiling tools aa genprof generate profile and aa logprof update profiles from learning mode log file For more information about these tools refer to Section 24 6 3 Summary of Profiling Tools page 29...

Страница 282: ...r in the local profile repository see Section 22 1 Using the Local Repository page 261 or in the external profile repository see Section 22 2 Using the External Repository page 262 or whether it does...

Страница 283: ...load in a next step In case you want to postpone the decision select Ask Me Later and proceed directly to Step 7 page 269 6b Provide username and password for your account on the profile repository se...

Страница 284: ...ecute permissions for an entry Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program to the profile For an ex ample of each...

Страница 285: ...ing Mode Exception Controlling Access to Specific Resources Select the option that satisfies the request for access which could be a suggested include a particular globbed version of the path or the a...

Страница 286: ...to Section 21 7 File Permission Access Modes page 249 Deny Click Deny to prevent the program from accessing the specified paths Glob Clicking this modifies the directory path using wild cards to incl...

Страница 287: ...for an Entry From the following options select the one that satisfies the request for access For detailed information about the options available refer to Section 21 7 File Permission Access Modes pa...

Страница 288: ...g all rule changes entered so far and modifying all profiles 11 Repeat the previous steps if you need to execute more functionality of the application When you are done click Finish Choose to apply yo...

Страница 289: ...basic empty profile appears in the AppArmor Profile Dialog window 4 In AppArmor Profile Dialog add edit or delete AppArmor profile entries by clicking the corresponding buttons and referring to Sectio...

Страница 290: ...rofile to edit 3 Click Next The AppArmor Profile Dialog window displays the profile 4 In the AppArmor Profile Dialog window add edit or delete Novell AppArmor profile entries by clicking the correspon...

Страница 291: ...e profile set with rcapparmor reload 23 3 1 Adding an Entry The Add Entry option can be found in Section 23 2 Manually Adding a Profile page 275 or Section 23 3 Editing Profiles page 275 When you sele...

Страница 292: ...OK For globbing information refer to Section 21 6 Paths and Globbing page 246 For file access permission information refer to Section 21 7 File Permission Access Modes page 249 Network Rule In the po...

Страница 293: ...1e page 245 for more information about capabilities When finished making your selections click OK Include In the pop up window browse to the files to use as includes Includes are directives that pull...

Страница 294: ...25 Profiling Your Web Applications Using ChangeHat page 315 23 3 2 Editing an Entry When you select Edit Entry the file browser pop up window opens From here edit the selected entry In the pop up wind...

Страница 295: ...rmor Delete Profile 2 Select the profile to delete 3 Click Next 4 In the pop up that opens click Yes to delete the profile and reload the AppArmor profile set 23 5 Updating Profiles from Log Entries T...

Страница 296: ...1 Adding a Profile Using the Wizard page 267 1 Start YaST and select Novell AppArmor Update Profile Wizard Running Update Profile Wizard aa logprof parses the learning mode log files This generates a...

Страница 297: ...ur NOTE For event notification to work you must set up a mail server on your system that can send outgoing mail using the single mail transfer protocol SMTP such as postfix or exim To configure event...

Страница 298: ...art YaST and select Novell AppArmor AppArmor Control Panel 2 Enable AppArmor by checking Enable AppArmor or disable AppArmor by des electing it 3 Click Done in the AppArmor Configuration window 4 Clic...

Страница 299: ...AppArmor Control Panel 2 In the Configure Profile Modes section select Configure 3 Select the profile for which to change the mode 4 Select Toggle Mode to set this profile to complain mode or to enfor...

Страница 300: ......

Страница 301: ...rmation Before starting to manage your profiles using the AppArmor command line tools check out the general introduction to AppArmor given in Chapter 20 Immunizing Programs page 227 and Chapter 21 Pro...

Страница 302: ...ts the module in the running state If the module is already running start reports a warning and takes no action rcapparmor stop Stops the AppArmor module if it is running by removing all profiles from...

Страница 303: ...e etc apparmor d di rectory as plain text files For a detailed description of the syntax of these files refer to Chapter 21 Profile Components and Syntax page 237 All files in the etc apparmor d direc...

Страница 304: ...erminal window 2 Enter the root password when prompted 3 Go to the profile directory with cd etc apparmor d 4 Enter ls to view all profiles currently installed 5 Open the profile to edit in a text edi...

Страница 305: ...ng small applications that have a finite run time such as user client applications like mail clients For more information refer to Sec tion 24 6 1 Stand Alone Profiling page 292 Systemic Profiling A m...

Страница 306: ...se behavior continues after rebooting or a large number of programs all at once Build an AppArmor profile for a group of applications as follows 1 Create profiles for the individual programs that make...

Страница 307: ...ogprof is aa logprof d path to profiles f path to logfile Refer to Section aa logprof Scanning the System Log page 306 for more information about using aa logprof 5 Repeat Step 3 page 293 and Step 4 p...

Страница 308: ...confined by AppArmor The minimum aa autodep approximate profile has at least a base include directive which contains basic profile entries needed by most programs For certain types of programs aa aut...

Страница 309: ...programs and run the aa autodep for each one If the programs are in your path aa autodep finds them for you If they are not in your path the standard Linux command find might be helpful in finding you...

Страница 310: ...tance aa complain usr sbin finds profiles associ ated with all of the programs in usr sbin and puts them into complain mode aa complain etc apparmor d puts all of the profiles in etc apparmor d into c...

Страница 311: ...bove commands activates the enforce mode for the profiles and programs listed If you do not enter the program or profile names you are prompted to enter one path to profiles overrides the default loca...

Страница 312: ...ling Tools page 294 3 Puts the profile for this program into learning or complain mode so that profile violations are logged but are permitted to proceed A log event looks like this see var log audit...

Страница 313: ...re it was marked when aa genprof was started and reloads the profile If system events exist in the log AppArmor parses the learning mode log files This generates a series of questions that you must an...

Страница 314: ...herit P rofile U nconfined D eny Abo r t F inish Inherit ix The child inherits the parent s profile running with the same access controls as the parent This mode is useful when a confined program need...

Страница 315: ...means that the data mapped in it can be executed You are prompted to include this permission if it is requested during a profiling run Deny Prevents the program from accessing the specified directory...

Страница 316: ...u can give the program access to directory paths or files that are also required by other programs Using includes can reduce the size of a profile It is good practice to select includes when suggested...

Страница 317: ...h or create a general rule using wild cards that match a broader set of paths To select any of the offered paths enter the number that is printed in front of the path then decide how to proceed with t...

Страница 318: ...rofile for usr bin opera V iew Profile U se Profile C reate New Profile Abo r t F inish 2 If you want to just use this profile hit U Use Profile and follow the profile generation procedure outlined ab...

Страница 319: ...mine whether you want to use the profile downloaded from the server or whether you would just like to review it Profile usr bin opera 1 novell V iew Profile U se Profile C reate New Profile Abo r t F...

Страница 320: ...e exists for the child process the default selection is px If one does not exist the profile defaults to ix Child processes with separate profiles have aa autodep run on them and are loaded into AppAr...

Страница 321: ...resents a numbered list of AppArmor rules that can be added by pressing the number of the item on the list By default aa logprof looks for profiles in etc apparmor d and scans the log in var log messa...

Страница 322: ...ation about this refer to Section 21 7 File Per mission Access Modes page 249 Deny Prevents the program from accessing the specified directory path entries AppArmor then continues to the next event Ne...

Страница 323: ...the tree even though vsftpd on SUSE Linux Enterprise Server serves FTP files from srv ftp by default This is because httpd2 prefork uses chroot and for the portion of the code inside the chroot jail...

Страница 324: ...for usr bin mail turns out to be usr bin nail which is not a typographical error The program usr bin less appears to be a simple one for scrolling through text that is more than one screen long and t...

Страница 325: ...efault selection is profile If a profile does not exist the default is inherit The inherit option or ix is described in Section 21 7 File Permission Access Modes page 249 The profile option indicates...

Страница 326: ...he proc file system This program is susceptible to the following race conditions An unlinked executable is mishandled A process that dies between netstat 8 and further checks is mishandled NOTE This p...

Страница 327: ...the root so profiles are easier to manage For example the profile for the program usr sbin ntpd is named usr sbin ntpd etc apparmor d abstractions Location of abstractions etc apparmor d program chunk...

Страница 328: ......

Страница 329: ...ons are the Apache Web server and Tomcat A profile can have an arbitrary number of subprofiles but there are only two levels a subprofile cannot have further sub subprofiles A subprofile is written as...

Страница 330: ...es a mod_apparmor module package apache2 mod apparmor for the Apache program only included in SUSE Linux Enterprise Server This module makes the Apache Web server ChangeHat aware Install it along with...

Страница 331: ...ng or otherwise does not represent a significant security risk safely select Use Default Hat to process this URI in the default hat which is the default security profile This example creates a new hat...

Страница 332: ...ched data in your browser refresh the page To do this click the browser Refresh button to make sure that Apache processes the re quest for the phpsysinfo URI 6 Click Scan System Log for Entries to Add...

Страница 333: ...ofile option a new profile is created for the program if one does not already exist NOTE Security Considerations Selecting Unconfined can create a significant security hole and should be done with cau...

Страница 334: ...ase r etc ld so cache r etc lsb release r etc lsb release d r lib ld 2 6 1 so ixr proc r sbin lspci ixr srv www htdocs phpsysinfo r sys bus pci r sys bus scsi devices r sys devices r usr bin cut ixr u...

Страница 335: ...files page 275 or when you add a new profile using Manually Add Profile for instructions refer to Section 23 2 Manually Adding a Profile page 275 you are given the option of adding hats subprofiles to...

Страница 336: ...n text configuration files The main configuration file is usually httpd conf When you compile Apache you can indicate the location of this file Directives can be placed in any of these configuration f...

Страница 337: ...location or directory hat as specified by the AAHatName keyword 2 A hat named by the entire URI path 3 A default server hat as specified by the AADefaultHatName keyword 4 DEFAULT_URI if none of those...

Страница 338: ...ownloading the tarball install it into srv www htdocs phpsysinfo 2 Create etc apache2 conf d phpsysinfo conf and add the following text to it Location phpsysinfo AAHatName phpsysinfo Location The foll...

Страница 339: ...sb ids r var log apache2 access_log w var run utmp kr 3 Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root 4 Restart Apache by entering rcapache2 restart at a...

Страница 340: ......

Страница 341: ...r may not installed by default you may need to install it using YaST or zypper Details about how to set up and configure pam_apparmor can be found in usr share doc packages pam_apparmor README after t...

Страница 342: ......

Страница 343: ...ues 27 1 Monitoring Your Secured Applications Applications that are confined by Novell AppArmor security profiles generate messages when applications execute in unexpected ways or outside of their spe...

Страница 344: ...3 for details 27 2 Configuring Security Event Notification Security event notification is a Novell AppArmor feature that informs you when systemic Novell AppArmor activity occurs Activate it by select...

Страница 345: ...ion aa logprof Scanning the System Log page 306 uses to interpret profiles For example type APPARMOR_DENIED msg audit 1189428793 218 2880 operation file_permission requested_mask w denied_mask w fsuid...

Страница 346: ...type select the lowest severity level for which a notification should be sent Security events are logged and the notifications are sent at the time indicated by the interval when events are equal to...

Страница 347: ...lity by enhancing the way users can view security event data The reporting tool performs the following Creates on demand reports Exports reports Schedules periodic reports for archiving E mails period...

Страница 348: ...For more details refer to Section Ap plication Audit Report page 339 Security Incident Report A report that displays application security for a single host It reports policy viola tions for locally c...

Страница 349: ...ted report type If you select a secu rity incident report it can be further filtered in various ways For Run Now instructions proceed to Section 27 3 2 Run Now Running On Demand Reports page 344 Add C...

Страница 350: ...the location of a collection of reports from one or more systems including the ability to filter by date or names of programs accessed and display them all together in one report 1 From the AppArmor...

Страница 351: ...file listed in the Report field then select View 5 For Application Audit and Executive Security Summary reports proceed to Step 9 page 339 6 The Report Configuration Dialog opens for Security Inciden...

Страница 352: ...vel and above are then included in the reports Detail A source to which the profile has denied access This includes capabilities and files You can use this field to report the resources to which profi...

Страница 353: ...to the following sections for detailed information about each type of report For the application audit report refer to Section Application Audit Report page 339 For the security incident report refer...

Страница 354: ...ath of the executing process Profile The absolute name of the security profile that is applied to the process PID A number that uniquely identifies one specific process or running program this number...

Страница 355: ...o types of security events are defined as follows Policy Exceptions When an application requests a resource that is not defined within its profile a se curity event is triggered A report is generated...

Страница 356: ...the security profile that is applied to the process PID A number that uniquely identifies one specific process or running program this number is valid only during the lifetime of that process Severit...

Страница 357: ...ng of one or more high level reports from one or more ma chines This report can provide a single view of security events on multiple machines if each machine s data is copied to the report archive dir...

Страница 358: ...ell AppArmor event logs without waiting for scheduled events If you need help navigating to the main report screen see Section 27 3 Configuring Reports page 333 Perform the following steps to run a re...

Страница 359: ...rofile You can use this to see what is confined by a specific profile PID Number A number that uniquely identifies one specific process or running program this number is valid only during the lifetime...

Страница 360: ...audit report refer to Section Application Audit Report page 339 For the security incident report refer to Section Security Incident Report page 341 For the executive summary report refer to Section Ex...

Страница 361: ...ields with the following filtering information as necessary Report Name Specify the name of the report Use names that easily distinguish different reports Day of Month Select any day of the month to a...

Страница 362: ...nt information Export Type This option enables you to export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format...

Страница 363: ...il A source to which the profile has denied access This includes capabilities and files You can use this field to create a report of resources to which profiles prevent access Severity Select the lowe...

Страница 364: ...chedule Reports window select the report to edit This example assumes that you have selected a security incident report 2 Click Edit to edit the security incident report The first page of the Edit Sch...

Страница 365: ...rt Type This option enables you to export a CSV comma separated values or HTML file The CSV file separates pieces of data in the log entries with commas using a standard data format for importing into...

Страница 366: ...Detail A source to which the profile has denied access This includes capabilities and files You can use this field to create a report of resources to which profiles prevent access Severity Select the...

Страница 367: ...ktop Monitor applet is one example of an application that gathers AppArmor events via dbus To configure audit to use the dbus dispatcher just set the dispatcher in your audit configuration in etc audi...

Страница 368: ...Profiles In a production environment you should plan on maintaining profiles for all of the de ployed applications The security policies are an integral part of your deployment You should plan on tak...

Страница 369: ...e the profile to fit your needs You have several options that depend on your company s software deployment strategy You can deploy your patches and upgrades into a test or production environment The f...

Страница 370: ...For detailed instructions refer to Section aa logprof Scanning the System Log page 306 Run the YaST Update Profile Wizard to learn the new behavior high security risk as all accesses are allowed and...

Страница 371: ...ovell AppArmor following the instructions in this chapter 28 1 Updating Novell AppArmor Online Updates for Novell AppArmor packages are provided in the same way as any other update for SUSE Linux Ente...

Страница 372: ...mats 5 Games 6 High level concepts 7 Administrator commands 8 The section numbers are used to distinguish man pages from each other For example exit 2 describes the exit system call while exit 3 descr...

Страница 373: ...rge novell com mailto apparmor general forge novell com This is a mailing list for end users of AppArmor It is a good place for questions about how to use AppArmor to protect your applications apparmo...

Страница 374: ...oo closely restricted by AppArmor update your profile to properly handle your use case of the application Do this with the Update Profile Profile Wizard in YaST as described in Section 23 5 Updating P...

Страница 375: ...rk Access Control page 245 might cause application misbehavior or even stop applications from working If you notice a network related application behaving strangely check the log file under var log au...

Страница 376: ...the directory but not give access to files or directories under the directory e g proc net dir foo would be matched by the asterisk but as foo is a file or directory under dir it cannot be accessed p...

Страница 377: ...cond rule would match nothing in the old profile syntax but matches directories only in the new syntax The last rule matches explicitly matches a file called bar under proc net foo Using the old synta...

Страница 378: ...t possible to confine KDE applications to the same extent as any other application due to the way KDE manages its processes If you want to confine KDE applications choose one of the following approach...

Страница 379: ...apparmor or make configuration changes to Apache you should profile Apache again to catch any additional rules that need to be added to the profile 28 4 5 Why are the Reports not Sent by E Mail When t...

Страница 380: ...aa logprof f path_to_logfile 28 4 8 How to Spot and fix AppArmor Syntax Errors Manually editing Novell AppArmor profiles can introduce syntax errors If you attempt to start or restart AppArmor with s...

Страница 381: ...help us keep the quality high Whenever you encounter a bug in AppArmor file a bug report against this product 1 Use your Web browser to go to https bugzilla novell com index cgi 2 Enter the account d...

Страница 382: ...been reported yet select New from the top navigation bar and proceed to the Enter Bug page 6 Select the product against which to file the bug In your case this would be your product s release Click S...

Страница 383: ...ivity that signals a possible virus or hacker attack Intrusion detection systems might use attack signatures to distinguish between le gitimate and potentially malicious activity By not relying on att...

Страница 384: ...ging system available for anyone to use It works on Red Hat Linux SUSE Linux Enterprise Server and other Linux and UNIX systems It is capable of installing uninstalling verifying querying and updating...

Страница 385: ...rk that leaves it open to attack Characteristics of computer systems that allow an individual to keep it from correctly operating or that allows unauthorized users to take control of the system Design...

Страница 386: ......

Страница 387: ...Part V The Linux Audit Framework...

Страница 388: ......

Страница 389: ...of any IT product they intend to deploy in mission critical setups Common Criteria security evaluations have two sets of evaluation requirements func tional and assurance requirements Functional requi...

Страница 390: ...t enables you to do the following Associate Users with Processes Audit maps processes to the user ID that started them This makes it possible for the administrator or security officer to exactly trace...

Страница 391: ...e audit logs Prevent Audit Data Loss If the kernel runs out of memory the audit daemon s backlog is exceeded or its rate limit is exceeded audit can trigger a shutdown of the system to keep events fro...

Страница 392: ...hile dashed arrows rep resent lines of control between components auditd The audit daemon is responsible for writing the audit messages to disk that were generated through the audit kernel interface a...

Страница 393: ...esults For more information about aureport refer to Section 30 5 Understanding the Audit Logs and Generating Reports page 391 ausearch The ausearch utility can search the audit log file for certain ev...

Страница 394: ...file determines how the audit system functions once the daemon has been started For most use cases the default settings shipped with SUSE Linux Enterprise Server should suffice For CAPP environments m...

Страница 395: ...iterally or by the groups ID NOTE CAPP Environment In a CAPP environment have the audit log reside on its own partition By doing so you can be sure that the space detection of the audit daemon is accu...

Страница 396: ...g its start The audit daemon relays the audit messages to the application specified in dispatcher This appli cation must be a highly trusted one because it needs to run as root disp_qos determines whe...

Страница 397: ...emaining disk space that triggers a configurable action by the audit daemon The action is specified in space_left_action Possible values for this parameter are ignore syslog email exec suspend single...

Страница 398: ...ace_left_action NOTE CAPP Environment Set admin_space_left to a value that would just allow the administra tor s actions to be recorded The action should be set to single disk_full_action Specify whic...

Страница 399: ...after which this will happen with tcp_client_max_idle Keep in mind that this setting is valid for all clients and therefore should be higher than any individual client heartbeat setting preferably by...

Страница 400: ...tl s or change the status flag with auditctl eflag a status messages including information on each of the above mentioned parameters is output The following example highlights the typical audit status...

Страница 401: ...individually from the shell using auditctl or batch read from a file using auditctl R This second method is used by the init scripts to load rules from the file etc audit audit rules after the audit...

Страница 402: ...e failure flag to use See Table 30 1 Audit Status Flags page 386 for possible values Specify the maximum number of messages per second that may be issued by the kernel See Table 30 1 Audit Status Flag...

Страница 403: ...he k option allows you to specify a key to use to filter the audit logs for this particular event later e g with ausearch You may use the same key on different rules in order to be able to group rules...

Страница 404: ...AND operator meaning that this rule applies to all tasks that carry the audit ID of 501 have changed to run as root and have wheel as the group A process is given an audit ID on user login This ID is...

Страница 405: ...Listing Rules with auditctl l LIST_RULES exit always watch etc perm rx LIST_RULES exit always watch etc passwd perm rwxa key fk_passwd LIST_RULES exit always watch etc shadow perm rwxa LIST_RULES entr...

Страница 406: ...e three messages to the log All of them are closely linked together and you would not be able to make sense of one of them without the others The first message reveals the following information type T...

Страница 407: ...mple this is the file descriptor number This varies by system call a0 to a3 The first four arguments to the system call in numeric form The values of these are totally system call dependent In this ex...

Страница 408: ...process egid sgid fsgid Effective group ID set group ID and file system group ID of the user that started the process tty The terminal from which the application is started In this case a pseudotermin...

Страница 409: ...path argument such as a cp or mv command an additional PATH event would have been logged for the second path argument name Refers to the pathname passed as an argument to the less or open call inode R...

Страница 410: ...cred acct root exe usr sbin sshd hostname jupiter example com addr 192 168 2 100 terminal dev pts 0 res success type LOGIN msg audit 1234877011 799 7734 login pid 26125 uid 0 old auid 4294967295 new a...

Страница 411: ...e When the audit logs have moved to another machine or when you want to analyze the logs of a number of machines on your local machine without wanting to connect to each of these individually move the...

Страница 412: ...into a human readable text format add the i option to your aureport command Create a Rough Summary Report If you are just interested in the current audit statistics events logins processes etc run au...

Страница 413: ...roups or roles 0 Number of logins 6 Number of failed logins 0 Number of authentications 7 Number of failed authentications 0 Number of users 1 Number of terminals 7 Number of host names 3 Number of ex...

Страница 414: ...4 21 15 7719 USER_AUTH 1 yes 7 17 02 09 14 21 15 7720 USER_ACCT 1 yes 8 17 02 09 14 21 15 7721 CRED_ACQ 1 yes 9 17 02 09 14 21 15 7722 LOGIN 0 yes 10 17 02 09 14 21 15 7723 USER_START 0 yes 11 17 02 0...

Страница 415: ...ble the terminal it is run in the host exe cuting it the audit ID and event number aureport x Executable Report date time exe term host auid event 1 13 02 09 15 08 26 usr sbin sshd sshd 192 168 2 100...

Страница 416: ...elated events including date time audit ID host and terminal used name of the executable success or failure of the attempt and an event ID aureport l i Login Report date time auid host term exe succes...

Страница 417: ...ne and adjust the date format to your locale specified in etc sysconfig audit under AUDITD_LANG default is en_US Specify the end date and time with the te option Any event that has a time stamp equal...

Страница 418: ...h of these individually move the logs to a local file and have ausearch search them locally ausearch option if myfile Convert Numeric Results into Text Some information such as user IDs are printed in...

Страница 419: ...SYSCALL and USER_LOGIN Running ausearch m without a message type displays a list of all message types Search by Login ID To view records associated with a particular login user ID use the ausearch ul...

Страница 420: ...process ID with the ausearch p pid com mand for example ausearch p 13368 for all records related to this process ID Search by Event or System Call Success Value View records containing a certain syste...

Страница 421: ...searches to a certain time frame The ts option is used to specify the start date and time and the te option is used to specify the end date and time These options can be combined with any of the above...

Страница 422: ...ort output is formatted in columns and thus easily available to any sed perl or awk scripts that users might connect to the audit framework to visualize the audit data The visualization scripts see Se...

Страница 423: ...d your au report output might contain an additional data column for AM PM on time stamps To avoid having this confuse your scripts precede your script calls with LC_ALL C to reset the locale and use t...

Страница 424: ...ion script and transformed into a bar chart aureport e i summary mkbar events Figure 30 3 Bar Chart Common Event Types For background information about the visualization of audit data refer to the Web...

Страница 425: ...libs and optionally audit libs python To use the log visualization as described in Section 31 6 Configuring Log Visualization page 420 install gnuplot and graphviz from the SUSE Linux Enterprise Serv...

Страница 426: ...you want to use it Check the following rules of thumb to determine which use case best applies to you and your requirements If you require a full security audit for CAPP EAL certification enable full...

Страница 427: ...tion SUSPEND disk_error_action SUSPEND tcp_listen_port tcp_listen_queue 5 tcp_client_ports 1024 65535 tcp_client_max_idle 0 The default settings work reasonably well for many setups Some values such a...

Страница 428: ...ditd conf configuration parameters 31 3 Enabling Audit for System Calls A standard SUSE Linux Enterprise Server system has auditd running by default There are different levels of auditing activity ava...

Страница 429: ...ze various system calls in detail if a broad analysis of your system is required A very detailed example configuration that includes most of the rules that are needed in a CAPP compliant environment i...

Страница 430: ...data or data corruption Directory watches produce less verbose output than separate file watches for the files under these directories To get detailed logging for your system configuration in etc sys...

Страница 431: ...vents do you want to monitor by generating regular reports Select the appropriate aureport command lines as described in Section 30 5 2 Generating Custom Audit Reports page 397 What do you want to do...

Страница 432: ...Number of failed syscalls 994 Number of anomaly events 0 Number of responses to anomaly events 0 Number of crypto events 0 Number of keys 2 Number of process IDs 1238 Number of events 5435 2 Run a sum...

Страница 433: ...NE 38 usr lib locale en_GB UTF 8 LC_ADDRESS 38 usr lib locale en_GB UTF 8 LC_NAME 38 usr lib locale en_GB UTF 8 LC_PAPER 38 usr lib locale en_GB UTF 8 LC_MESSAGES 38 usr lib locale en_GB UTF 8 LC_MONE...

Страница 434: ...ty pts2 ses 1166 comm vim exe bin vim normal key null TIP Focusing on a Certain Time Frame If you are interested in events during a particular period of time trim down the reports by using start and e...

Страница 435: ...example commands could look like the following Create a Summary of Events aureport e i summary mkbar events Create a Summary of File Events aureport f i summary mkbar files Create a Summary of Login E...

Страница 436: ...s LC_ALL C aureport s i awk 0 9 print 4 6 sort uniq mkgraph syscall_vs_com System Calls versus Files LC_ALL C aureport s i awk 0 9 print 5 4 sort uniq mkgraph syscall_vs_file Graphs can also be combin...

Страница 437: ...Configuration Parameters page 424 Watches on audit log files and configuration files see Section 32 2 Adding Watches on Audit Log Files and Configuration Files page 425 Monitoring operations on file s...

Страница 438: ...asic Audit Configuration Parameters D b 8192 f 2 Delete any preexisting rules before starting to define new ones Set the number of buffers to take the audit messages Depending on the level of audit lo...

Страница 439: ...Files and Configuration Files Adding watches on your audit configuration files and the log files themselves ensures that you can track any attempt to tamper with the configuration files or detect any...

Страница 440: ...s Auditing system calls results in a high logging activity This activity in turn puts a heavy load on the kernel With a kernel less responsive than usual the system s backlog and rate limits might be...

Страница 441: ...special device files Enable an audit context for any mount or umount operation For the x64_64 archi tecture disable the umount rule For the ia64 architecture disable the umount2 rule 32 4 Monitoring S...

Страница 442: ...etc cron weekly p wa w etc crontab p wa w var spool cron root w etc group p wa w etc passwd p wa w etc shadow w etc login defs p wa w etc securetty w var log faillog w var log lastlog w etc hosts p wa...

Страница 443: ...inittab and the etc init d directory Enable per file watches if you are interested in file events Set watches and labels for any changes to the linker configuration in etc ld so conf Set watches and...

Страница 444: ...k tracking on the ia64 architecture comment the first rule and enable the second one Add an audit context to the umask system call Track attempts to change the system time adjtimex can be used to skew...

Страница 445: ...the system call mode is 4 R_OK This rule filters for all access calls testing for sufficient write permissions to a file or file system object accessed by a user or process Audit the access system cal...

Страница 446: ...g is set to filter for a0 5 as the first argument to socketcall which translates to the accept system call if you check usr include linux net h 64 bit platforms like x86_64 and ia64 do not use multipl...

Страница 447: ...ing on ipc system calls For these platforms comment the first four rules and add the plain system call rules without argument filtering Audit system calls related to IPC SYSV shared memory In this cas...

Страница 448: ...above rule now comes down to the following ausearch k CFG_audit rules time Thu Feb 19 09 09 54 2009 type PATH msg audit 1235030994 032 8649 item 3 name audit rules inode 370603 dev 08 06 mode 0100640...

Страница 449: ...able and very detailed information auditd 8 The Linux Audit daemon auditd conf 5 The Linux Audit daemon configuration file auditctl 8 A utility to assist controlling the kernel s audit system autrace...

Страница 450: ...ample rules files for different scenarios capp rules Controlled Access Protection Profile CAPP lspp rules Labeled Security Protection Profile LSPP nispom rules National Industrial Security Program Ope...

Отзывы:

Нет отзывов