Red Hat Enterprise Linux 7 Security Guide

N/A
N/A
Protected

Academic year: 2022

Partager "Red Hat Enterprise Linux 7 Security Guide"

Copied!
202
0
0

Texte intégral

(1)

Martin Prpič Tomáš Čapek Stephen Wadeley Yoana Ruseva Miroslav Svoboda Robert Krátký

Security Guide

A Guide to Securing Red Hat Enterprise Linux 7


Martin Prpič

Red Hat Customer Content Services mprpic@redhat.com

Tomáš Čapek

Red Hat Customer Content Services tcapek@redhat.com

Stephen Wadeley

Red Hat Customer Content Services swadeley@redhat.com

Yoana Ruseva

Red Hat Customer Content Services yruseva@redhat.com

Miroslav Svoboda

Red Hat Customer Content Services msvoboda@redhat.com

Robert Krátký

Red Hat Customer Content Services rkratky@redhat.com


Copyright © 2015 Red Hat, Inc.

This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack ® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract

This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Red Hat Enterprise Linux but detailing concepts and techniques valid for all Linux systems, this guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.


Table of Contents

Chapter 1. Overview of Security Topics
1.1. What is Computer Security?
1.2. Security Controls
1.3. Vulnerability Assessment
1.4. Security Threats
1.5. Common Exploits and Attacks

Chapter 2. Security Tips for Installation
2.1. Securing BIOS
2.2. Partitioning the Disk
2.3. Installing the Minimum Amount of Packages Required
2.4. Post-installation Procedures
2.5. Additional Resources

Chapter 3. Keeping Your System Up-to-Date
3.1. Maintaining Installed Software
3.2. Using the Red Hat Customer Portal
3.3. Additional Resources

Chapter 4. Hardening Your System with Tools and Services
4.1. Desktop Security
4.2. Controlling Root Access
4.3. Securing Services
4.4. Securing Network Access
4.5. Using Firewalls
4.6. Securing DNS Traffic with DNSSEC
4.7. Securing Virtual Private Networks (VPNs)
4.8. Using OpenSSL
4.9. Using stunnel
4.10. Encryption
4.11. Hardening TLS Configuration

Chapter 5. System Auditing
Use Cases
5.1. Audit System Architecture
5.2. Installing the audit Packages
5.3. Configuring the audit Service
5.4. Starting the audit Service
5.5. Defining Audit Rules
5.6. Understanding Audit Log Files
5.7. Searching the Audit Log Files
5.8. Creating Audit Reports
5.9. Additional Resources

Chapter 6. Compliance and Vulnerability Scanning with OpenSCAP
6.1. Security Compliance in Red Hat Enterprise Linux
6.2. Defining Compliance Policy
6.3. Using SCAP Workbench
6.4. Using oscap
6.5. Using OpenSCAP with Red Hat Satellite
6.6. Practical Examples
6.7. Additional Resources

Chapter 7. Federal Standards and Regulations
7.1. Federal Information Processing Standard (FIPS)
7.2. National Industrial Security Program Operating Manual (NISPOM)
7.3. Payment Card Industry Data Security Standard (PCI DSS)
7.4. Security Technical Implementation Guide

Appendix A. Encryption Standards
A.1. Synchronous Encryption
A.2. Public-key Encryption

Appendix B. Audit System Reference
B.1. Audit Event Fields
B.2. Audit Record Types

Revision History


Chapter 1. Overview of Security Topics

Due to the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, entire industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of their organization. Because most organizations are increasingly dynamic in nature, their workers are accessing critical company IT resources locally and remotely, hence the need for secure computing environments has become more pronounced.

Unfortunately, many organizations (as well as individual users) regard security as more of an afterthought, a process that is overlooked in favor of increased power, productivity, convenience, ease of use, and budgetary concerns. Proper security implementation is often enacted postmortem, after an unauthorized intrusion has already occurred. Taking the correct measures prior to connecting a site to an untrusted network, such as the Internet, is an effective means of thwarting many attempts at intrusion.

Note

This document makes several references to files in the /lib directory. When using 64-bit systems, some of the files mentioned may instead be located in /lib64.

1.1. What is Computer Security?

Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access critical information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO), return on investment (ROI), and quality of service (QoS). Using these metrics, industries can calculate aspects such as data integrity and high availability (HA) as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can mean the difference between success and failure.

1.1.1. Standardizing Security

Enterprises in every industry rely on regulations and rules that are set by standards-making bodies such as the American Medical Association (AMA) or the Institute of Electrical and Electronics Engineers (IEEE). The same ideals hold true for information security. Many security consultants and vendors agree upon the standard security model known as CIA, or Confidentiality, Integrity, and Availability. This three-tiered model is a generally accepted component of assessing risks to sensitive information and establishing security policy. The following describes the CIA model in further detail:

Confidentiality: Sensitive information must be available only to a set of pre-defined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.


Integrity: Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.

Availability: Information should be accessible to authorized users any time that it is needed. Availability is an assurance that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.

1.2. Security Controls

Computer security is often divided into three distinct master categories, commonly referred to as controls:

Physical
Technical
Administrative

These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them.

1.2.1. Physical Controls

Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:

Closed-circuit surveillance cameras
Motion or thermal alarm systems
Security guards
Picture IDs
Locked and dead-bolted steel doors
Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)

1.2.2. Technical Controls

Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:

Encryption
Smart cards
Network authentication
Access control lists (ACLs)
File integrity auditing software

1.2.3. Administrative Controls

Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:

Training and awareness
Disaster preparedness and recovery plans
Personnel recruitment and separation strategies
Personnel registration and accounting

1.3. Vulnerability Assessment

Given time, resources, and motivation, an attacker can break into nearly any system. All of the security procedures and technologies currently available cannot guarantee that any systems are completely safe from intrusion. Routers help secure gateways to the Internet. Firewalls help secure the edge of the network. Virtual Private Networks safely pass data in an encrypted stream. Intrusion detection systems warn you of malicious activity. However, the success of each of these technologies is dependent upon a number of variables, including:

The expertise of the staff responsible for configuring, monitoring, and maintaining the technologies.
The ability to patch and update services and kernels quickly and efficiently.
The ability of those responsible to keep constant vigilance over the network.

Given the dynamic state of data systems and technologies, securing corporate resources can be quite complex. Due to this complexity, it is often difficult to find expert resources for all of your systems. While it is possible to have personnel knowledgeable in many areas of information security at a high level, it is difficult to retain staff who are experts in more than a few subject areas. This is mainly because each subject area of information security requires constant attention and focus. Information security does not stand still.

A vulnerability assessment is an internal audit of your network and system security, the results of which indicate the confidentiality, integrity, and availability of your network (as explained in Section 1.1.1, "Standardizing Security"). Typically, a vulnerability assessment starts with a reconnaissance phase, during which important data regarding the target systems and resources is gathered. This phase leads to the system readiness phase, whereby the target is essentially checked for all known vulnerabilities. The readiness phase culminates in the reporting phase, where the findings are classified into categories of high, medium, and low risk, and methods for improving the security (or mitigating the risk of vulnerability) of the target are discussed.

If you were to perform a vulnerability assessment of your home, you would likely check each door to your home to see if they are closed and locked. You would also check every window, making sure that they close completely and latch correctly. This same concept applies to systems, networks, and electronic data. Malicious users are the thieves and vandals of your data. Focus on their tools, mentality, and motivations, and you can then react swiftly to their actions.


1.3.1. Defining Assessment and Testing

Vulnerability assessments may be broken down into one of two types: outside looking in and inside looking around.

When performing an outside-looking-in vulnerability assessment, you are attempting to compromise your systems from the outside. Being external to your company provides you with the cracker's viewpoint. You see what a cracker sees: publicly-routable IP addresses, systems on your DMZ, external interfaces of your firewall, and more. DMZ stands for "demilitarized zone", which corresponds to a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers.

When you perform an inside-looking-around vulnerability assessment, you are at an advantage since you are internal and your status is elevated to trusted. This is the viewpoint you and your co-workers have once logged on to your systems. You see print servers, file servers, databases, and other resources.

There are striking distinctions between the two types of vulnerability assessments. Being internal to your company gives you more privileges than an outsider. In most organizations, security is configured to keep intruders out. Very little is done to secure the internals of the organization (such as departmental firewalls, user-level access controls, and authentication procedures for internal resources). Typically, there are many more resources when looking around inside as most systems are internal to a company. Once you are outside the company, your status is untrusted. The systems and resources available to you externally are usually very limited.

Consider the difference between vulnerability assessments and penetration tests. Think of a vulnerability assessment as the first step to a penetration test. The information gleaned from the assessment is used for testing. Whereas the assessment is undertaken to check for holes and potential vulnerabilities, the penetration testing actually attempts to exploit the findings.

Assessing network infrastructure is a dynamic process. Security, both information and physical, is dynamic. Performing an assessment shows an overview, which can turn up false positives and false negatives. A false positive is a result where the tool reports vulnerabilities which in reality do not exist. A false negative is when it omits actual vulnerabilities.

Security administrators are only as good as the tools they use and the knowledge they retain. Take any of the assessment tools currently available, run them against your system, and it is almost a guarantee that there are some false positives. Whether by program fault or user error, the result is the same. The tool may find false positives, or, even worse, false negatives.

Now that the difference between a vulnerability assessment and a penetration test is defined, take the findings of the assessment and review them carefully before conducting a penetration test as part of your new best practices approach.

Warning

Do not attempt to exploit vulnerabilities on production systems. Doing so can have adverse effects on productivity and efficiency of your systems and network.


The following list examines some of the benefits of performing vulnerability assessments.

Creates proactive focus on information security.
Finds potential exploits before crackers find them.
Results in systems being kept up to date and patched.
Promotes growth and aids in developing staff expertise.
Abates financial loss and negative publicity.

1.3.2. Establishing a Methodology for Vulnerability Assessment

To aid in the selection of tools for a vulnerability assessment, it is helpful to establish a vulnerability assessment methodology. Unfortunately, there is no predefined or industry-approved methodology at this time; however, common sense and best practices can act as a sufficient guide.

What is the target? Are we looking at one server, or are we looking at our entire network and everything within the network? Are we external or internal to the company? The answers to these questions are important as they help determine not only which tools to select but also the manner in which they are used.

To learn more about establishing methodologies, see the following website:

https://www.owasp.org/ (The Open Web Application Security Project)

1.3.3. Vulnerability Assessment Tools

An assessment can start by using some form of an information-gathering tool. When assessing the entire network, map the layout first to find the hosts that are running. Once located, examine each host individually. Focusing on these hosts requires another set of tools. Knowing which tools to use may be the most crucial step in finding vulnerabilities. Just as in any aspect of everyday life, there are many different tools that perform the same job. This concept applies to performing vulnerability assessments as well. There are tools specific to operating systems, applications, and even networks (based on the protocols used). Some tools are free; others are not. Some tools are intuitive and easy to use, while others are cryptic and poorly documented but have features that other tools do not.

Finding the right tools may be a daunting task and, in the end, experience counts. If possible, set up a test lab and try out as many tools as you can, noting the strengths and weaknesses of each. Review the README file or man page for the tools. Additionally, look to the Internet for more information, such as articles, step-by-step guides, or even mailing lists specific to the tools.

The tools discussed below are just a small sampling of the available tools.

1.3.3.1. Scanning Hosts with Nmap

Nmap is a popular tool that can be used to determine the layout of a network. Nmap has been available for many years and is probably the most often used tool when gathering information. An excellent manual page is included that provides detailed descriptions of its options and usage. Administrators can use Nmap on a network to find host systems and open ports on those systems.


Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option (-O, which requires root privileges) that allows Nmap to attempt to identify the operating system running on a particular host. Nmap is a good foundation for establishing a policy of using secure services and restricting unused services. Scan only hosts and networks you are authorized to scan; a port scan of someone else's systems is indistinguishable from the reconnaissance phase of an attack.

To install Nmap, run the yum install nmap command as the root user.

1.3.3.1.1. Using Nmap

Nmap can be run from a shell prompt by typing the nmap command followed by the hostname or IP address of the machine to scan:

nmap <hostname>

For example, to scan a machine with hostname foo.example.com, type the following at a shell prompt:

~]$ nmap foo.example.com

The results of a basic scan (which could take up to a few minutes, depending on where the host is located and other network conditions) look similar to the following:

Interesting ports on foo.example.com:
Not shown: 1710 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
53/tcp  open   domain
80/tcp  open   http
113/tcp closed auth

Nmap tests the most common network communication ports for listening or waiting services. This knowledge can be helpful to an administrator who wants to close unnecessary or unused services.

For more information about using Nmap, see the official home page at the following URL:

http://www.insecure.org/
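A scan report like the one above is the raw material for the policy of restricting unused services that the section recommends. The following script is an added example, not code from the Red Hat guide: it parses nmap's normal output (both the older "Interesting ports on" header shown above and the "Nmap scan report for" header that current releases print) and compares the ports in state open with a per-host list of the services the host is supposed to expose, reporting open ports the policy does not allow (candidates for closing) and allowed services that are not reachable (an availability problem). The report, the hostname and the policy are constructed for the example, not results from a real scan.

```python
"""Check a host's nmap report against the services it is supposed to run.

Added example, not part of the Red Hat Enterprise Linux 7 Security Guide.
The report and the policy below are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed report, in the same format as nmap's normal output.
SAMPLE_REPORT = """\
Interesting ports on foo.example.com:
Not shown: 1710 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
53/tcp  open   domain
80/tcp  open   http
113/tcp closed auth
"""

# Assumed policy: the ports each host is expected to expose.
POLICY: Dict[str, Set[str]] = {
    "foo.example.com": {"22/tcp", "80/tcp", "443/tcp"},
}

# Host header as printed by older nmap ("Interesting ports on host:")
# and by current releases ("Nmap scan report for host (addr)").
HOST_LINE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for)\s+(\S+?):?\s*(?:\(.*\))?$"
)
# Per-port lines: "22/tcp open ssh", "53/udp open|filtered domain", ...
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_report(report: str) -> Tuple[str, Dict[str, str]]:
    """Return the scanned host and a map of "port/proto" -> nmap state."""
    host = ""
    states: Dict[str, str] = {}
    for raw in report.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            states[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return host, states


def port_number(port: str) -> int:
    """Sort key so that 22/tcp comes before 443/tcp."""
    return int(port.split("/", 1)[0])


def audit_host(report: str, policy: Dict[str, Set[str]]) -> Tuple[str, List[str], List[str]]:
    """Return (host, unexpected open ports, expected ports that are not open).

    A host absent from the policy is allowed nothing, so every open port on
    it is reported: an unknown listener on an unknown host is the case that
    needs a look, not a benign one.
    """
    host, states = parse_nmap_report(report)
    allowed = policy.get(host, set())
    # Only "open" counts. "open|filtered", which nmap prints for UDP probes
    # that got no answer, is not a confirmed listener.
    open_ports = {p for p, s in states.items() if s == "open"}
    unexpected = sorted(open_ports - allowed, key=port_number)
    missing = sorted(allowed - open_ports, key=port_number)
    return host, unexpected, missing


if __name__ == "__main__":
    host, unexpected, missing = audit_host(SAMPLE_REPORT, POLICY)
    print(f"{host}: unexpected open {unexpected}; expected but not open {missing}")
```

Run against a saved report (nmap -oN report.txt foo.example.com, then read the file into audit_host), the sample policy flags 53/tcp as a listener nobody asked for and 443/tcp as a service that should be up but is not. The closed port 113/tcp is ignored, which is what you want: a closed port is not a service to disable.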

1.3.3.2. Nessus

Nessus is a full-service security scanner. The plug-in architecture of Nessus allows users to customize it for their systems and networks. As with any scanner, Nessus is only as good as the signature database it relies upon. Fortunately, Nessus is frequently updated and features full reporting, host scanning, and real-time vulnerability searches. Remember that there could be false positives and false negatives, even in a tool as powerful and as frequently updated as Nessus.

Note

The Nessus client and server software requires a subscription to use. It has been included in this document as a reference to users who may be interested in using this popular application.


For more information about Nessus, see the official website at the following URL:

http://www.nessus.org/

1.3.3.3. OpenVAS

OpenVAS (Open Vulnerability Assessment System) is a set of tools and services that can be used to scan for vulnerabilities and for comprehensive vulnerability management.

The OpenVAS framework offers a number of web-based, desktop, and command line tools for controlling the various components of the solution. The core functionality of OpenVAS is provided by a security scanner, which makes use of over 33 thousand daily-updated Network Vulnerability Tests (NVT). Unlike Nessus (see Section 1.3.3.2, "Nessus"), OpenVAS does not require any subscription.

For more information about OpenVAS, see the official website at the following URL:

http://www.openvas.org/

1.3.3.4. Nikto

Nikto is an excellent common gateway interface (CGI) script scanner. Nikto not only checks for CGI vulnerabilities but does so in an evasive manner, so as to elude intrusion-detection systems. It comes with thorough documentation which should be carefully reviewed prior to running the program. If you have web servers serving CGI scripts, Nikto can be an excellent resource for checking the security of these servers. More information about Nikto can be found at the following URL:

http://cirt.net/nikto2

1.4. Security Threats

1.4.1. Threats to Network Security

Bad practices when configuring the following aspects of a network can increase the risk of an attack.

Insecure Architectures

A misconfigured network is a primary entry point for unauthorized users. Leaving a trust-based, open local network vulnerable to the highly-insecure Internet is much like leaving a door ajar in a crime-ridden neighborhood: nothing may happen for an arbitrary amount of time, but someone exploits the opportunity eventually.

Broadcast Networks

System administrators often fail to realize the importance of networking hardware in their security schemes. Simple hardware, such as hubs, relies on the broadcast or non-switched principle: whenever a node transmits data across the network to a recipient node, the hub repeats the frames out of every port, so every host on the segment sees the traffic whether or not it is the intended recipient. Such a network is the most vulnerable to passive sniffing and to address resolution protocol (ARP) or media access control (MAC) address spoofing, by both outside intruders and unauthorized users on local hosts. A switched network only narrows the problem: an attacker on the same segment can still use ARP spoofing to have the switch deliver another host's traffic to their own port.

Centralized Servers


Another potential networking pitfall is the use of centralized computing. A common cost-cutting measure for many businesses is to consolidate all services to a single powerful machine. This can be convenient as it is easier to manage and costs considerably less than multiple-server configurations. However, a centralized server introduces a single point of failure on the network. If the central server is compromised, it may render the network completely useless or, worse, prone to data manipulation or theft. In these situations, a central server becomes an open door that allows access to the entire network.

1.4.2. Threats to Server Security

Server security is as important as network security because servers often hold a great deal of an organization's vital information. If a server is compromised, all of its contents may become available for the cracker to steal or manipulate at will. The following sections detail some of the main issues.

Unused Services and Open Ports

A full installation of Red Hat Enterprise Linux 7 contains more than 1000 application and library packages. However, most server administrators do not opt to install every single package in the distribution, preferring instead to install a base installation of packages, including several server applications. See Section 2.3, "Installing the Minimum Amount of Packages Required" for an explanation of the reasons to limit the number of installed packages and for additional resources.

A common occurrence among system administrators is to install the operating system without paying attention to what programs are actually being installed. This can be problematic because unneeded services may be installed, configured with the default settings, and possibly turned on. This can cause unwanted services, such as Telnet, DHCP, or DNS, to run on a server or workstation without the administrator realizing it, which in turn can cause unwanted traffic to the server or even a potential pathway into the system for crackers. On a Red Hat Enterprise Linux 7 system, ss -tlnp (and ss -ulnp for UDP) lists the listening sockets together with the owning process, and systemctl list-unit-files --type=service --state=enabled lists the services that start at boot; comparing both against what the host is meant to provide is a quick way to catch such leftovers. See Section 4.3, "Securing Services" for information on closing ports and disabling unused services.

Unpatched Services

Most server applications that are included in a default installation are solid, thoroughly tested pieces of software. Having been in use in production environments for many years, their code has been thoroughly refined and many of the bugs have been found and fixed.

However, there is no such thing as perfect software and there is always room for further refinement. Moreover, newer software is often not as rigorously tested as one might expect, because of its recent arrival to production environments or because it may not be as popular as other server software.

Developers and system administrators often find exploitable bugs in server applications and publish the information on bug tracking and security-related websites such as the Bugtraq mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team (CERT) website (http://www.cert.org). Although these mechanisms are an effective way of alerting the community to security vulnerabilities, it is up to system administrators to patch their systems promptly. This is particularly true because crackers have access to these same vulnerability tracking services and will use the information to crack unpatched systems whenever they can. Good system administration requires vigilance, constant bug tracking, and proper system maintenance to ensure a more secure computing environment.


See Chapter 3, Keeping Your System Up-to-Date for more information about keeping a system up-to-date.

Inattentive Administration

Administrators who fail to patch their systems are one of the greatest threats to server security. According to the SysAdmin, Audit, Network, Security Institute (SANS), the primary cause of computer security vulnerability is "assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job." This applies as much to inexperienced administrators as it does to overconfident or unmotivated administrators.

Some administrators fail to patch their servers and workstations, while others fail to watch log messages from the system kernel or network traffic. Another common error is when default passwords or keys to services are left unchanged. For example, some databases have default administration passwords because the database developers assume that the system administrator changes these passwords immediately after installation. If a database administrator fails to change this password, even an inexperienced cracker can use a widely-known default password to gain administrative privileges to the database. These are only a few examples of how inattentive administration can lead to compromised servers.

Inherently Insecure Services

Even the most vigilant organization can fall victim to vulnerabilities if the network services they choose are inherently insecure. For instance, there are many services developed under the assumption that they are used over trusted networks; however, this assumption fails as soon as the service becomes available over the Internet, which is itself inherently untrusted.

One category of insecure network services are those that require unencrypted usernames and passwords for authentication. Telnet and FTP are two such services. If packet sniffing software is monitoring traffic between the remote user and such a service, usernames and passwords can be easily intercepted.

Inhe re ntly, s uch s e rvice s can als o more e as ily fall pre y to what the s e curity indus try te rms the man-in-the-middle attack. In this type of attack, a cracke r re dire cts ne twork traffic by tricking a cracke d name s e rve r on the ne twork to point to his machine ins te ad of the inte nde d s e rve r. Once s ome one ope ns a re mote s e s s ion to the s e rve r, the attacke r's machine acts as an invis ible conduit, s itting quie tly be twe e n the re mote s e rvice and the uns us pe cting us e r capturing information. In this way a cracke r can gathe r adminis trative pas s words and raw data without the s e rve r or the us e r re alizing it.

Anothe r cate gory of ins e cure s e rvice s include ne twork file s ys te ms and information s e rvice s s uch as NFS or NIS, which are de ve lope d e xplicitly for LAN us age but are , unfortunate ly, e xte nde d to include WANs (for re mote us e rs ). NFS doe s not, by de fault, have any authe ntication or s e curity me chanis ms configure d to pre ve nt a cracke r from mounting the NFS s hare and acce s s ing anything containe d the re in. NIS, as we ll, has vital information that mus t be known by e ve ry compute r on a ne twork, including pas s words and file pe rmis s ions , within a plain te xt ASCII or DBM (ASCII-de rive d) databas e . A cracke r who gains acce s s to this databas e can the n acce s s e ve ry us e r account on a ne twork, including the adminis trator's account.

By de fault, Re d Hat Ente rpris e Linux 7 is re le as e d with all s uch s e rvice s turne d off.

Howe ve r, s ince adminis trators ofte n find the ms e lve s force d to us e the s e s e rvice s , care ful configuration is critical. Se e Se ction 4.3, “Se curing Se rvice s ” for more information about s e tting up s e rvice s in a s afe manne r.

[1]

(16)

1.4.3. T hreat s t o Workst at ion and Home PC Securit y

Works tations and home PCs may not be as prone to attack as ne tworks or s e rve rs , but s ince the y ofte n contain s e ns itive data, s uch as cre dit card information, the y are targe te d by s ys te m cracke rs . Works tations can als o be co-opte d without the us e r's knowle dge and us e d by attacke rs as "s lave " machine s in coordinate d attacks . For the s e re as ons , knowing the vulne rabilitie s of a works tation can s ave us e rs the he adache of re ins talling the

ope rating s ys te m, or wors e , re cove ring from data the ft.

Bad Passwords

Bad pas s words are one of the e as ie s t ways for an attacke r to gain acce s s to a s ys te m.

For more on how to avoid common pitfalls whe n cre ating a pas s word, s e e Se ction 4.1.1,

“Pas s word Se curity”.

Vulnerable Client Applications

Although an adminis trator may have a fully s e cure and patche d s e rve r, that doe s not me an re mote us e rs are s e cure whe n acce s s ing it. For ins tance , if the s e rve r offe rs Te lne t or FTP s e rvice s ove r a public ne twork, an attacke r can capture the plain te xt us e rname s and pas s words as the y pas s ove r the ne twork, and the n us e the account information to acce s s the re mote us e r's works tation.

Eve n whe n us ing s e cure protocols , s uch as SSH, a re mote us e r may be vulne rable to ce rtain attacks if the y do not ke e p the ir clie nt applications update d. For ins tance , v.1 SSH clie nts are vulne rable to an X-forwarding attack from malicious SSH s e rve rs . Once

conne cte d to the s e rve r, the attacke r can quie tly capture any ke ys troke s and mous e clicks made by the clie nt ove r the ne twork. This proble m was fixe d in the v.2 SSH protocol, but it is up to the us e r to ke e p track of what applications have s uch vulne rabilitie s and update the m as ne ce s s ary.

Se ction 4.1, “De s ktop Se curity” dis cus s e s in more de tail what s te ps adminis trators and home us e rs s hould take to limit the vulne rability of compute r works tations .

1.5. Common Exploits and Attacks

Table 1.1, “Common Exploits” details some of the most common exploits and entry points used by intruders to access organizational network resources. Key to these common exploits are the explanations of how they are performed and how administrators can properly safeguard their network against such attacks.

Table 1.1. Common Exploits

Exploit: Null or Default Passwords
    Description: Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and firewalls, but some services that run on Linux can contain default administrator passwords as well (though Red Hat Enterprise Linux 7 does not ship with them).
    Notes:
    - Commonly associated with networking hardware such as routers, firewalls, VPNs, and network attached storage (NAS) appliances.
    - Common in many legacy operating systems, especially those that bundle services (such as UNIX and Windows).
    - Administrators sometimes create privileged user accounts in a rush and leave the password null, creating a perfect entry point for malicious users who discover the account.

Exploit: Default Shared Keys
    Description: Secure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and are placed in a production environment on the Internet, all users with the same default keys have access to that shared-key resource, and any sensitive information that it contains.
    Notes:
    - Most common in wireless access points and preconfigured secure server appliances.

Exploit: IP Spoofing
    Description: A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or Trojan horse to gain control over your network resources.
    Notes:
    - Spoofing is quite difficult as it involves the attacker predicting TCP/IP sequence numbers to coordinate a connection to target systems, but several tools are available to assist crackers in performing such an attack.
    - Depends on the target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not recommended when compared to PKI or other forms of encrypted authentication used in ssh or SSL/TLS.

Exploit: Eavesdropping
    Description: Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes.
    Notes:
    - This type of attack works mostly with plain text transmission protocols such as Telnet, FTP, and HTTP transfers.
    - A remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN.
    - Preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised.

Exploit: Service Vulnerabilities
    Description: An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network.
    Notes:
    - HTTP-based services such as CGI are vulnerable to remote command execution and even interactive shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders it unavailable to other users.
    - Services sometimes can have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as buffer overflows, where attackers overrun an application's memory buffer with crafted input and either crash the service or gain an interactive command prompt from which they may execute arbitrary commands) can give complete administrative control to an attacker.
    - Administrators should make sure that services do not run as the root user, and should stay vigilant of patches and errata updates for applications from vendors or security organizations such as CERT and CVE.

Exploit: Application Vulnerabilities
    Description: Attackers find faults in desktop and workstation applications (such as email clients) and execute arbitrary code, implant Trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network.
    Notes:
    - Workstations and desktops are more prone to exploitation as workers do not have the expertise or experience to prevent or detect a compromise; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited email attachments.
    - Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat security deployments.

Exploit: Denial of Service (DoS) Attacks
    Description: An attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users.
    Notes:
    - The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as zombies, or redirected broadcast nodes.
    - Source packets are usually forged (as well as rebroadcast), making investigation as to the true source of the attack difficult.
    - Advances in ingress filtering (IETF RFC 2267) using iptables and Network Intrusion Detection Systems such as snort assist administrators in tracking down and preventing distributed DoS attacks.

[1] http://www.sans.org/security-resources/mistakes.php

Chapter 2. Security Tips for Installation

Security begins with the first time you put that CD or DVD into your disk drive to install Red Hat Enterprise Linux 7. Configuring your system securely from the beginning makes it easier to implement additional security settings later.

2.1. Securing BIOS

Password protection for the BIOS (or BIOS equivalent) and the boot loader can prevent unauthorized users who have physical access to systems from booting using removable media or obtaining root privileges through single user mode. The security measures you should take to protect against such attacks depend both on the sensitivity of the information on the workstation and the location of the machine.

For example, if a machine is used in a trade show and contains no sensitive information, then it may not be critical to prevent such attacks. However, if an employee's laptop with private, unencrypted SSH keys for the corporate network is left unattended at that same trade show, it could lead to a major security breach with ramifications for the entire company.

If the workstation is located in a place where only authorized or trusted people have access, however, then securing the BIOS or the boot loader may not be necessary.

2.1.1. BIOS Passwords

The two primary reasons for password protecting the BIOS of a computer are [2]:

1. Preventing Changes to BIOS Settings — If an intruder has access to the BIOS, they can set it to boot from a CD-ROM or a flash drive. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data.

2. Preventing System Booting — Some BIOSes allow password protection of the boot process. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader.

Because the methods for setting a BIOS password vary between computer manufacturers, consult the computer's manual for specific instructions.

If you forget the BIOS password, it can either be reset with jumpers on the motherboard or by disconnecting the CMOS battery. For this reason, it is good practice to lock the computer case if possible. However, consult the manual for the computer or motherboard before attempting to disconnect the CMOS battery.

2.1.1.1. Securing Non-BIOS-based Systems

Other systems and architectures use different programs to perform low-level tasks roughly equivalent to those of the BIOS on x86 systems. For example, the Unified Extensible Firmware Interface (UEFI) shell.

For instructions on password protecting BIOS-like programs, see the manufacturer's instructions.

2.2. Partitioning the Disk

Red Hat recommends creating separate partitions for /boot, /, /home, /tmp and /var/tmp. The reasons for each are different and we will address each partition.

/boot
    This partition is the first partition that is read by the system during boot up. The boot loader and kernel images that are used to boot your system into Red Hat Enterprise Linux 7 are stored in this partition. This partition should not be encrypted. If this partition is included in / and that partition is encrypted or otherwise becomes unavailable then your system will not be able to boot.

/home
    When user data (/home) is stored in / instead of in a separate partition, the partition can fill up causing the operating system to become unstable. Also, when upgrading your system to the next version of Red Hat Enterprise Linux 7 it is a lot easier when you can keep your data in the /home partition as it will not be overwritten during installation. If the root partition (/) becomes corrupt your data could be lost forever. By using a separate partition there is slightly more protection against data loss. You can also target this partition for frequent backups.

/tmp and /var/tmp
    Both the /tmp and /var/tmp directories are used to store data that does not need to be stored for a long period of time. However, if a lot of data floods one of these directories it can consume all of your storage space. If this happens and these directories are stored within / then your system could become unstable and crash. For this reason, moving these directories into their own partitions is a good idea.

Note
    During the installation process, an option to encrypt partitions is presented to you. The user must supply a passphrase. This passphrase will be used as a key to unlock the bulk encryption key, which is used to secure the partition's data. For more information on LUKS, see Section 4.10.1, “Using LUKS Disk Encryption”.
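
The following script is an added example and is not part of the Red Hat guide. It checks, after installation, that the directories the guide recommends isolating (/boot, /home, /tmp and /var/tmp) are in fact separate mount points, by reading a file in /proc/mounts format; the function names and the ability to pass an alternative mounts file are assumptions of this example, not a Red Hat tool. A tmpfs-backed /tmp also counts as separate from /, which is correct for the purpose here (a flood of data in /tmp cannot fill the root file system), but note that the default tmpfs size limit then applies instead.

```shell
#!/bin/sh
# Added example (not from the Red Hat Enterprise Linux 7 Security Guide):
# verify that the directories the guide recommends putting on their own
# partitions are separate mount points, so that data flooding /tmp, /var/tmp
# or /home cannot fill the root file system and destabilize the system.
# Input: a file in /proc/mounts format (default /proc/mounts). The check is
# read-only and does not need root privileges.

# Directories the guide recommends keeping on their own partitions ("/" is
# always a mount point and is therefore not listed).
REQUIRED_MOUNTS="/boot /home /tmp /var/tmp"

# is_mountpoint MOUNTS_FILE DIR: succeed if DIR appears as a mount point.
# Field 2 of each /proc/mounts line is the mount point.
is_mountpoint() {
    awk -v dir="$2" '$2 == dir { found = 1 } END { exit !found }' "$1"
}

# mount_source MOUNTS_FILE DIR: print the device or file system backing DIR
# (field 1 of the matching line); prints nothing if DIR is not a mount point.
mount_source() {
    awk -v dir="$2" '$2 == dir { print $1; exit }' "$1"
}

# check_separate_partitions [MOUNTS_FILE]: print one line per required
# directory ("ok" or "MISSING") and return the number of directories that are
# NOT separate mount points, so 0 means the layout follows the guide.
check_separate_partitions() {
    mounts="${1:-/proc/mounts}"
    missing=0
    for dir in $REQUIRED_MOUNTS; do
        if is_mountpoint "$mounts" "$dir"; then
            printf 'ok       %-9s on %s\n' "$dir" "$(mount_source "$mounts" "$dir")"
        else
            printf 'MISSING  %-9s is part of its parent file system\n' "$dir"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run a function by name, for example:
#   sh check_partitions.sh check_separate_partitions
#   sh check_partitions.sh check_separate_partitions /path/to/saved/mounts
[ "$#" -eq 0 ] || "$@"
```

The exit status is the number of missing separate partitions, which makes the script usable directly from a Kickstart %post section or a configuration-management check that should fail when the recommended layout was not applied.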

2.3. Installing the Minimum Amount of Packages Required

It is best practice to install only the packages you will use because each piece of software on your computer could possibly contain a vulnerability. If you are installing from the DVD media, take the opportunity to select exactly what packages you want to install during the installation. If you find you need another package, you can always add it to the system later.

For more information about installing the Minimal install environment, see the Software Selection chapter of the Red Hat Enterprise Linux 7 Installation Guide. A minimal installation can also be performed via a Kickstart file using the --nobase option. For more information about Kickstart installations, see the Package Selection section from the Red Hat Enterprise Linux 7 Installation Guide.

2.4. Post-installation Procedures

The following steps are the security-related procedures that should be performed immediately after installation of Red Hat Enterprise Linux.

1. Update your system. Run the following command as root:

   ~]# yum update

2. Even though the firewall service, firewalld, is automatically enabled with the installation of Red Hat Enterprise Linux, there are scenarios where it might be explicitly disabled, for example in the kickstart configuration. In such a case, it is recommended to consider re-enabling the firewall.

   To start firewalld run the following commands as root:

   ~]# systemctl start firewalld
   ~]# systemctl enable firewalld

3. To enhance security, disable services you do not need. For example, if there are no printers installed on your computer, disable the cups service using the following command:

   ~]# systemctl disable cups

   Disabling a service only prevents it from starting at the next boot; to stop an instance that is already running, also run systemctl stop cups.

   To review active services, run the following command:

   ~]$ systemctl list-units | grep service

2.5. Additional Resources

For more information about installation in general, see the Red Hat Enterprise Linux 7 Installation Guide.

[2] Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.

Chapter 3. Keeping Your System Up-to-Date

This chapter describes the process of keeping your system up-to-date, which involves planning and configuring the way security updates are installed, applying changes introduced by newly updated packages, and using the Red Hat Customer Portal for keeping track of security advisories.

3.1. Maintaining Installed Software

As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is a part of a package within a Red Hat Enterprise Linux distribution that is currently supported, Red Hat is committed to releasing updated packages that fix the vulnerabilities as soon as possible.

Often, announcements about a given security exploit are accompanied with a patch (or source code) that fixes the problem. This patch is then applied to the Red Hat Enterprise Linux package and tested and released as an erratum update. However, if an announcement does not include a patch, Red Hat developers first work with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an erratum update.

If an erratum update is released for software used on your system, it is highly recommended that you update the affected packages as soon as possible to minimize the amount of time the system is potentially vulnerable.

3.1.1. Planning and Configuring Security Updates

All software contains bugs. Often, these bugs can result in a vulnerability that can expose your system to malicious users. Packages that have not been updated are a common cause of computer intrusions. Implement a plan for installing security patches in a timely manner to quickly eliminate discovered vulnerabilities, so they cannot be exploited.

Test security updates when they become available and schedule them for installation. Additional controls need to be used to protect the system during the time between the release of the update and its installation on the system. These controls depend on the exact vulnerability, but may include additional firewall rules, the use of external firewalls, or changes in software settings.

Bugs in supported packages are fixed using the errata mechanism. An erratum consists of one or more RPM packages accompanied by a brief explanation of the problem that the particular erratum deals with. All errata are distributed to customers with active subscriptions through the Red Hat Subscription Management service. Errata that address security issues are called Red Hat Security Advisories.

For more information on working with security errata, see Section 3.2.1, “Viewing Security Advisories on the Customer Portal”. For detailed information about the Red Hat Subscription Management service, including instructions on how to migrate from RHN Classic, see the documentation related to this service: Red Hat Subscription Management.

3.1.1.1. Using the Security Features of Yum

The Yum package manager includes several security-related features that can be used to search, list, display, and install security errata. These features also make it possible to use Yum to install nothing but security updates.

To check for security-related updates available for your system, run the following command as root:

~]# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64                  | 3.4 kB  00:00:00
No packages needed for security; 0 packages available

Note that the above command runs in a non-interactive mode, so it can be used in scripts for automated checking whether there are any updates available. The command returns an exit value of 100 when there are any security updates available and 0 when there are not. On encountering an error, it returns 1.

Analogously, use the following command to only install security-related updates:

~]# yum update --security

Use the updateinfo subcommand to display or act upon information provided by repositories about available updates. The updateinfo subcommand itself accepts a number of commands, some of which pertain to security-related uses. See Table 3.1, “Security-related commands usable with yum updateinfo” for an overview of these commands.

Table 3.1. Security-related commands usable with yum updateinfo

Command                          Description
advisory [advisories]            Displays information about one or more advisories. Replace advisory with an advisory number or numbers.
cves                             Displays the subset of information that pertains to CVE (Common Vulnerabilities and Exposures).
security or sec                  Displays all security-related information.
severity or sev severity_level   Displays information about security-relevant packages of the supplied severity_level.
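
The exit-status contract described above (0, 100, 1) is what makes yum check-update --security usable unattended. The following script is an added example, not part of the Red Hat guide: it wraps the check in a function that translates the status into an explicit result, treats a yum failure differently from "nothing to do", and installs only security errata when some are pending. The YUM_CMD variable, which lets the logic be exercised with a stand-in for yum, and the function names are assumptions of this example, not yum features.

```shell
#!/bin/sh
# Added example (not from the Red Hat Enterprise Linux 7 Security Guide):
# act on the documented exit status of "yum check-update --security":
#   0   no security updates are pending
#   100 security updates are available
#   1   yum itself failed (repository unreachable, subscription problem, ...)
# YUM_CMD is an assumption of this example: it allows a stand-in for yum to be
# substituted, e.g. YUM_CMD="sh /path/to/fakeyum", for testing the logic on a
# host without yum. On a real system leave it unset.

YUM_CMD="${YUM_CMD:-yum}"

# pending_security_updates: run the check non-interactively and print one
# word: "none", "pending" or "error". Returns 0 for none/pending and 2 when
# yum failed, so a caller can tell "nothing to do" from "the check could not
# be performed" (a silent failure would leave the system unpatched).
pending_security_updates() {
    # -q suppresses the plugin and repository progress lines; the exit status
    # carries the result we need. stderr is captured for the error report.
    output=$($YUM_CMD -q check-update --security 2>&1)
    status=$?
    case "$status" in
        0)   echo "none" ;;
        100) echo "pending" ;;
        *)   echo "error: yum exited with status $status: $output" >&2
             echo "error"
             return 2 ;;
    esac
}

# apply_security_updates_if_pending: the unattended form of the procedure
# from the guide: install only security errata, and only when the check says
# some are pending. Returns 0 when nothing was needed or the update succeeded,
# 2 when the check itself failed, or yum's own status if the update failed.
apply_security_updates_if_pending() {
    state=$(pending_security_updates) || return 2
    if [ "$state" = "pending" ]; then
        $YUM_CMD -y update --security
    fi
}

# Run a function by name, for example from cron as root:
#   sh security_updates.sh apply_security_updates_if_pending
[ "$#" -eq 0 ] || "$@"
```

Because an erratum can carry special instructions (see the Important note in Section 3.1.2.2) and updated services must be restarted (Section 3.1.3), treat the unattended form as a first step: a pending result is a good trigger for notification, while the automatic installation branch suits hosts where the restart of affected services is also automated.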

3.1.2. Updating and Installing Packages

When updating software on a system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem but with a different security exploit and release it on the Internet. If this happens, using security measures, such as verifying files against the original RPM, does not detect the exploit. Thus, it is very important to only download RPMs from trusted sources, such as from Red Hat, and to check the package signatures to verify their integrity.

See the Yum chapter of the Red Hat Enterprise Linux 7 System Administrator's Guide for detailed information on how to use the Yum package manager.

3.1.2.1. Verifying Signed Packages

All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. If the verification of a package signature fails, the package may be altered and therefore cannot be trusted.

The Yum package manager allows for an automatic verification of all packages it installs or upgrades. This feature is enabled by default. To configure this option on your system, make sure the gpgcheck configuration directive is set to 1 in the /etc/yum.conf configuration file. Note that a repository definition in /etc/yum.repos.d/ can override this setting with its own gpgcheck directive, so review those files as well.

Use the following command to manually verify package files on your file system:

rpmkeys --checksig package_file.rpm

See the Product Signing (GPG) Keys article on the Red Hat Customer Portal for additional information about Red Hat package-signing practices.
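
The following script is an added example, not part of the Red Hat guide. It audits the gpgcheck setting across /etc/yum.conf and the repository files, applying yum's inheritance rule (a repository without its own gpgcheck takes the [main] value, and yum's default when neither is set is off), and it wraps rpmkeys --checksig so that an unsigned package is not mistaken for a verified one: rpmkeys exits 0 for a package that merely has valid digests and no signature at all, so the wrapper additionally requires a signature token in the output. The function names, and the assumption that rpm's short --checksig output contains the word "pgp" for a signed package, are this example's own; verify the wording with rpmkeys --checksig -v on your system.

```shell
#!/bin/sh
# Added example (not from the Red Hat Enterprise Linux 7 Security Guide):
# 1. audit_gpgcheck: report every yum configuration section in which
#    signature checking is not effectively enabled;
# 2. verify_rpm_files: verify downloaded .rpm files and refuse to count an
#    unsigned package as verified.

# audit_gpgcheck FILE...: pass /etc/yum.conf first, then the .repo files.
# Prints "SECTION (FILE): gpgcheck=VALUE" for each offending section and
# returns the number of findings (0 means every section is covered).
# Disabled repositories are reported as well, because --enablerepo can
# switch them on at install time.
audit_gpgcheck() {
    awk '
        # yum accepts 1/yes/true as "on"; anything else, or no value, is "off"
        function enabled(v) { v = tolower(v); return (v == "1" || v == "yes" || v == "true") }
        function report(s, v) { printf "%s (%s): gpgcheck=%s\n", s, file, v; bad++ }
        function flush() {
            if (sec == "") return
            if (sec == "main") {
                main_val = val
                if (!enabled(val)) report(sec, (val == "" ? "(unset)" : val))
            } else if (val != "") {
                if (!enabled(val)) report(sec, val)
            } else if (!enabled(main_val)) {
                # no gpgcheck in the repo section: the [main] value (or yum default) applies
                report(sec, (main_val == "" ? "0 (yum default)" : main_val " (inherited from [main])"))
            }
            sec = ""; val = ""
        }
        FNR == 1 { flush() }                      # new file: finish the previous section
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[[^]]+\][ \t]*$/ {               # [section] header
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            file = FILENAME
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ { val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val) }
        END { flush(); exit (bad > 255 ? 255 : bad + 0) }
    ' "$@"
}

# verify_rpm_files FILE...: run rpmkeys --checksig on each package. Returns
# the number of files that are either unsigned or fail verification.
# Assumption of this example: rpm's short --checksig output names the
# signature with the token "pgp" for signed packages and omits it for
# unsigned ones (an unsigned package still exits 0 with valid digests).
verify_rpm_files() {
    command -v rpmkeys >/dev/null 2>&1 || { echo "rpmkeys not found" >&2; return 255; }
    failed=0
    for f in "$@"; do
        out=$(rpmkeys --checksig "$f" 2>&1)
        status=$?
        case "$status:$out" in
            0:*pgp*) echo "OK       $f" ;;
            0:*)     echo "UNSIGNED $f (digests valid, but no GPG signature)"
                     failed=$((failed + 1)) ;;
            *)       echo "FAILED   $f: $out"
                     failed=$((failed + 1)) ;;
        esac
    done
    return "$failed"
}

# Run a function by name, for example:
#   sh audit_gpg.sh audit_gpgcheck /etc/yum.conf /etc/yum.repos.d/*.repo
#   sh audit_gpg.sh verify_rpm_files /var/tmp/downloads/*.rpm
[ "$#" -eq 0 ] || "$@"
```

A package that reports UNSIGNED should be treated the same as one that fails verification: the digests only prove the file was not corrupted in transit, not who built it, which is exactly the attack the section above describes.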

3.1.2.2. Installing Signed Packages

To install verified packages (see Section 3.1.2.1, “Verifying Signed Packages” for information on how to verify packages) from your file system, use the yum install command as the root user as follows:

yum install package_file.rpm

Use a shell glob to install several packages at once. For example, the following command installs all .rpm packages in the current directory:

yum install *.rpm

Important
    Before installing any security errata, be sure to read any special instructions contained in the erratum report and execute them accordingly. See Section 3.1.3, “Applying Changes Introduced by Installed Updates” for general instructions about applying changes made by errata updates.

3.1.3. Applying Changes Introduced by Installed Updates

After downloading and installing security errata and updates, it is important to halt the usage of the old software and begin using the new software. How this is done depends on the type of software that has been updated. The following list itemizes the general categories of software and provides instructions for using updated versions after a package upgrade.

Note
    In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, this option is not always required, nor is it always available to the system administrator.

Applications
    User-space applications are any programs that can be initiated by the user. Typically, such applications are used only when the user, a script, or an automated task utility launches them.

    Once such a user-space application is updated, halt any instances of the application on the system, and launch the program again to use the updated version.

Kernel
    The kernel is the core software component for the Red Hat Enterprise Linux 7 operating system. It manages access to memory, the processor, and peripherals, and it schedules all tasks.

    Because of its central role, the kernel cannot be restarted without also rebooting the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted.

KVM
    When the qemu-kvm and libvirt packages are updated, it is necessary to stop all guest virtual machines, reload relevant virtualization modules (or reboot the host system), and restart the virtual machines.

    Use the lsmod command to determine which modules from the following are loaded: kvm, kvm-intel, or kvm-amd. Then use the modprobe -r command to remove and subsequently the modprobe -a command to reload the affected modules. For example:

    ~]# lsmod | grep kvm
    kvm_intel             143031  0
    kvm                   460181  1 kvm_intel
    ~]# modprobe -r kvm-intel
    ~]# modprobe -r kvm
    ~]# modprobe -a kvm kvm-intel

Shared Libraries
    Shared libraries are units of code, such as glibc, that are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using an updated library must be halted and relaunched.

    To determine which running applications link against a particular library, use the lsof command:

    lsof library

    For example, to determine which running applications link against the libwrap.so.0 library, type:

    ~]# lsof /lib64/libwrap.so.0
    COMMAND     PID USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
    pulseaudi 12363 test mem    REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6
    gnome-set 12365 test mem    REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6
    gnome-she 12454 test mem    REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6

    This command returns a list of all the running programs that use TCP wrappers for host-access control. Therefore, any program listed must be halted and relaunched when the tcp_wrappers package is updated.
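
The following script is an added example, not part of the Red Hat guide. It answers the same question as lsof library by reading /proc/PID/maps directly, which also works on hosts where lsof is not installed, and it adds the check a practitioner most wants after an update: because RPM replaces a library by installing a new file and unlinking the old one, a process that still runs the old code shows the mapping as "<path> (deleted)" in its maps file until it is restarted. Reading another user's maps requires root (or CAP_SYS_PTRACE); unreadable processes are skipped. The function names and the PROC_ROOT variable, which points the scan at a copied or constructed proc tree, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat Enterprise Linux 7 Security Guide):
# list the processes that have a given shared library mapped, by reading
# /proc/PID/maps, and flag those still running a library file that has been
# replaced on disk (shown by the kernel as "<path> (deleted)").
# PROC_ROOT is an assumption of this example so that the logic can be run
# against a copied or constructed proc tree; leave it unset on a live host.

PROC_ROOT="${PROC_ROOT:-/proc}"

# library_users PREFIX: print "PID COMM PATH [STALE]" for every mapped file
# whose basename starts with PREFIX (e.g. libwrap.so or libwrap.so.0.7.6).
# An empty PREFIX matches every mapped file. Returns 0 if at least one
# process was found, 1 otherwise. Processes whose maps cannot be read
# (other users' processes when not running as root) are skipped.
library_users() {
    lib="$1"
    out=$(
        for maps in "$PROC_ROOT"/[0-9]*/maps; do
            pid_dir="${maps%/maps}"
            comm=$(cat "$pid_dir/comm" 2>/dev/null) || comm='?'
            # maps fields: address perms offset dev inode path [(deleted)]
            # A file is mapped several times (text, data, ...); report it once.
            awk -v lib="$lib" -v pid="${pid_dir##*/}" -v comm="$comm" '
                NF >= 6 && $6 ~ /^\// && !seen[$6]++ {
                    base = $6; sub(/.*\//, "", base)
                    if (substr(base, 1, length(lib)) == lib)
                        printf "%s %s %s%s\n", pid, comm, $6, ($7 == "(deleted)" ? " STALE" : "")
                }' "$maps" 2>/dev/null
        done
    )
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# stale_library_users: only the processes still running code from a library
# file that has since been replaced; these must be restarted (or the system
# rebooted) for the update to take effect.
stale_library_users() {
    library_users "" | awk '$NF == "STALE"'
}

# Run a function by name, for example as root:
#   sh libusers.sh library_users libwrap.so.0
#   sh libusers.sh stale_library_users
[ "$#" -eq 0 ] || "$@"
```

Run stale_library_users after yum update --security: every PID it prints belongs to a process that is still executing the pre-update code, whatever package the library came from, so it is a direct list of what to restart before considering the erratum applied.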

syst emd Services

s ys te md s e rvice s are pe rs is te nt s e rve r programs us ually launche d during the boot proce s s . Example s of s ys te md s e rvice s include sshd or vsftpd.

Be caus e the s e programs us ually pe rs is t in me mory as long as a machine is running, e ach update d s ys te md s e rvice mus t be halte d and re launche d afte r its package is upgrade d. This can be done as the root us e r us ing the systemctl command:

systemctl restart service_name

Re place service_name with the name of the s e rvice you wis h to re s tart, s uch as sshd.

Ot her So f t ware

Follow the ins tructions outline d by the re s ource s linke d be low to corre ctly update the following applications .

Red Hat Direct o ry Server — Se e the Release Notes for the ve rs ion of the Re d Hat Dire ctory Se rve r in que s tion at

https ://acce s s .re dhat.com/s ite /docume ntation/e n- US/Re d_Hat_Dire ctory_Se rve r/.

Red Hat Ent erprise Virt ualizat io n Manager — Se e the Installation Guide for the ve rs ion of the Re d Hat Ente rpris e Virtualization in que s tion at

https ://acce s s .re dhat.com/s ite /docume ntation/e n- US/Re d_Hat_Ente rpris e _Virtualization/.

3.2. Using t he Red Hat Cust omer Port al

The Re d Hat Cus tome r Portal at https ://acce s s .re dhat.com/ is the main cus tome r-orie nte d re s ource for official information re late d to Re d Hat products . You can us e it to find

docume ntation, manage your s ubs criptions , download products and update s , ope n s upport cas e s , and le arn about s e curity update s .

3.2.1. Viewing Securit y Advisories on t he Cust omer Port al

To vie w s e curity advis orie s (e rrata) re le vant to the s ys te ms for which you have active s ubs criptions , log into the Cus tome r Portal at https ://acce s s .re dhat.com/ and click on the Download Products & Updates button on the main page . Whe n you e nte r the Software

& Download Center page , continue by clicking on the Errata button to s e e a lis t of advis orie s pe rtine nt to your re gis te re d s ys te ms .

To brows e a lis t of all s e curity update s for all active Re d Hat products , go to Securit y → Securit y Updat es → Act ive Pro duct s us ing the navigation me nu at the top of the page .

(29)

Click on the erratum code in the left part of the table to display more detailed information about the individual advisories. The next page contains not only a description of the given erratum, including its causes, consequences, and required fixes, but also a list of all packages that the particular erratum updates along with instructions on how to apply the updates. The page also includes links to relevant references, such as related CVE.

3.2.2. Navigating CVE Customer Portal Pages

The CVE (Common Vulnerabilities and Exposures) project, maintained by The MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. To browse a list of CVE that pertain to Red Hat products on the Customer Portal, log into your account at https://access.redhat.com/ and navigate to Security → Resources → CVE Database using the navigation menu at the top of the page. Click on the CVE code in the left part of the table to display more detailed information about the individual vulnerabilities. The next page contains not only a description of the given CVE but also a list of affected Red Hat products along with links to relevant Red Hat errata.

3.2.3. Understanding Issue Severity Classification

All security issues discovered in Red Hat products are assigned an impact rating by the Red Hat Security Response Team according to the severity of the problem. The four-point scale consists of the following levels: Low, Moderate, Important, and Critical. In addition to that, every security issue is rated using the Common Vulnerability Scoring System (CVSS) base scores.

Together, these ratings help you understand the impact of security issues, allowing you to schedule and prioritize upgrade strategies for your systems. Note that the ratings reflect the potential risk of a given vulnerability, which is based on a technical analysis of the bug, not the current threat level. This means that the security impact rating does not change if an exploit is released for a particular flaw.

To see a detailed description of the individual levels of severity ratings on the Customer Portal, log into your account at https://access.redhat.com/ and navigate to Security → Policies → Severity Ratings using the navigation menu at the top of the page.

3.3. Additional Resources

For more information about security updates, ways of applying them, the Red Hat Customer Portal, and related topics, see the resources listed below.

Installed Documentation

yum(8) — The manual page for the Yum package manager provides information about the way Yum can be used to install, update, and remove packages on your systems.

rpmkeys(8) — The manual page for the rpmkeys utility describes the way this program can be used to verify the authenticity of downloaded packages.

Online Documentation


Red Hat Enterprise Linux 7 System Administrator's Guide — The System Administrator's Guide for Red Hat Enterprise Linux 7 documents the use of the Yum and rpm programs that are used to install, update, and remove packages on Red Hat Enterprise Linux 7 systems.

Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide — The SELinux User's and Administrator's Guide for Red Hat Enterprise Linux 7 documents the configuration of the SELinux mandatory access control mechanism.

Red Hat Customer Portal

Red Hat Customer Portal — The main page of the Customer Portal contains links to the most important resources as well as updates about new content available through the portal.

Security Contacts and Procedures — The place to find information about the Red Hat Security Response Team and instructions on when to contact it.

Red Hat Security Blog — Articles about the latest security-related issues from Red Hat security professionals.

See Also

Chapter 2, Security Tips for Installation describes how to configure your system securely from the beginning to make it easier to implement additional security settings later.

Section 4.10.2, “Creating GPG Keys” describes how to create a set of personal GPG keys to authenticate your communications.
