A Guide to Securing Red Hat Enterprise Linux 7
This book assists users and administrators in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Red Hat Enterprise Linux but detailing conce
Red Hat Enterprise Linux 7 Security Guide
✍ Scribed by Red Hat, Inc.
- Publisher: Red Hat, Inc.
- Year: 2018
- Tongue: English
- Leaves: 261
- Category: Library
✦ Table of Contents
CHAPTER 1. OVERVIEW OF SECURITY TOPICS
1.1. WHAT IS COMPUTER SECURITY?
1.1.1. Standardizing Security
1.1.2. Cryptographic Software and Certifications
1.2. SECURITY CONTROLS
1.2.1. Physical Controls
1.2.2. Technical Controls
1.2.3. Administrative Controls
1.3. VULNERABILITY ASSESSMENT
1.3.1. Defining Assessment and Testing
1.3.2. Establishing a Methodology for Vulnerability Assessment
1.3.3. Vulnerability Assessment Tools
1.3.3.1. Scanning Hosts with Nmap
1.3.3.2. Nessus
1.3.3.3. OpenVAS
1.3.3.4. Nikto
1.4. SECURITY THREATS
1.4.1. Threats to Network Security
Insecure Architectures
Broadcast Networks
Centralized Servers
1.4.2. Threats to Server Security
Unused Services and Open Ports
Unpatched Services
Inattentive Administration
Inherently Insecure Services
1.4.3. Threats to Workstation and Home PC Security
Bad Passwords
Vulnerable Client Applications
1.5. COMMON EXPLOITS AND ATTACKS
CHAPTER 2. SECURITY TIPS FOR INSTALLATION
2.1. SECURING BIOS
2.1.1. BIOS Passwords
2.1.1.1. Securing Non-BIOS-based Systems
2.2. PARTITIONING THE DISK
2.3. INSTALLING THE MINIMUM AMOUNT OF PACKAGES REQUIRED
2.4. RESTRICTING NETWORK CONNECTIVITY DURING THE INSTALLATION PROCESS
2.5. POST-INSTALLATION PROCEDURES
2.6. ADDITIONAL RESOURCES
CHAPTER 3. KEEPING YOUR SYSTEM UP-TO-DATE
3.1. MAINTAINING INSTALLED SOFTWARE
3.1.1. Planning and Configuring Security Updates
3.1.1.1. Using the Security Features of Yum
3.1.2. Updating and Installing Packages
3.1.2.1. Verifying Signed Packages
3.1.2.2. Installing Signed Packages
3.1.3. Applying Changes Introduced by Installed Updates
3.2. USING THE RED HAT CUSTOMER PORTAL
3.2.1. Viewing Security Advisories on the Customer Portal
3.2.2. Navigating CVE Customer Portal Pages
3.2.3. Understanding Issue Severity Classification
3.3. ADDITIONAL RESOURCES
Installed Documentation
Online Documentation
Red Hat Customer Portal
See Also
CHAPTER 4. HARDENING YOUR SYSTEM WITH TOOLS AND SERVICES
4.1. DESKTOP SECURITY
4.1.1. Password Security
4.1.1.1. Creating Strong Passwords
4.1.1.2. Forcing Strong Passwords
4.1.1.3. Configuring Password Aging
4.1.2. Account Locking
Keeping Custom Settings with authconfig
4.1.3. Session Locking
4.1.3.1. Locking Virtual Consoles Using vlock
4.1.4. Enforcing Read-Only Mounting of Removable Media
Using blockdev to Force Read-Only Mounting of Removable Media
Applying New udev Settings
4.2. CONTROLLING ROOT ACCESS
4.2.1. Disallowing Root Access
4.2.2. Allowing Root Access
4.2.3. Limiting Root Access
4.2.4. Enabling Automatic Logouts
4.2.5. Securing the Boot Loader
4.2.5.1. Disabling Interactive Startup
4.2.6. Protecting Hard and Symbolic Links
4.3. SECURING SERVICES
4.3.1. Risks To Services
4.3.2. Identifying and Configuring Services
4.3.3. Insecure Services
4.3.4. Securing rpcbind
4.3.4.1. Protect rpcbind With TCP Wrappers
4.3.4.2. Protect rpcbind With firewalld
4.3.5. Securing rpc.mountd
4.3.5.1. Protect rpc.mountd With TCP Wrappers
4.3.5.2. Protect rpc.mountd With firewalld
4.3.6. Securing NIS
4.3.6.1. Carefully Plan the Network
4.3.6.2. Use a Password-like NIS Domain Name and Hostname
4.3.6.3. Edit the /var/yp/securenets File
4.3.6.4. Assign Static Ports and Use Rich Language Rules
4.3.6.5. Use Kerberos Authentication
4.3.7. Securing NFS
4.3.7.1. Carefully Plan the Network
4.3.7.2. Securing NFS Mount Options
4.3.7.3. Beware of Syntax Errors
4.3.7.4. Do Not Use the no_root_squash Option
4.3.7.5. NFS Firewall Configuration
4.3.7.6. Securing NFS with Red Hat Identity Management
4.3.8. Securing HTTP Servers
4.3.8.1. Securing the Apache HTTP Server
4.3.8.2. Securing NGINX
4.3.9. Securing FTP
4.3.9.1. FTP Greeting Banner
4.3.9.2. Anonymous Access
4.3.9.3. User Accounts
4.3.9.4. Use TCP Wrappers To Control Access
4.3.10. Securing Postfix
4.3.10.1. Limiting a Denial of Service Attack
4.3.10.2. NFS and Postfix
4.3.10.3. Mail-only Users
4.3.10.4. Disable Postfix Network Listening
4.3.10.5. Configuring Postfix to Use SASL
4.3.11. Securing SSH
4.3.11.1. Cryptographic Login
4.3.11.2. Multiple Authentication Methods
4.3.11.3. Other Ways of Securing SSH
4.3.12. Securing PostgreSQL
4.3.13. Securing Docker
4.4. SECURING NETWORK ACCESS
4.4.1. Securing Services With TCP Wrappers and xinetd
4.4.1.1. TCP Wrappers and Connection Banners
4.4.1.2. TCP Wrappers and Attack Warnings
4.4.1.3. TCP Wrappers and Enhanced Logging
4.4.2. Verifying Which Ports Are Listening
Using netstat for Open Ports Scan
Using ss for Open Ports Scan
Using netstat and ss to Scan for Open SCTP Ports
4.4.3. Disabling Source Routing
4.4.3.1. Reverse Path Forwarding
4.4.3.2. Additional Resources
4.5. SECURING DNS TRAFFIC WITH DNSSEC
4.5.1. Introduction to DNSSEC
4.5.2. Understanding DNSSEC
Understanding the Hotspot Problem
Choosing a DNSSEC Capable Recursive Resolver
4.5.3. Understanding Dnssec-trigger
4.5.4. VPN Supplied Domains and Name Servers
4.5.5. Recommended Naming Practices
4.5.6. Understanding Trust Anchors
4.5.7. Installing DNSSEC
4.5.7.1. Installing unbound
4.5.7.2. Checking if unbound is Running
4.5.7.3. Starting unbound
4.5.7.4. Installing Dnssec-trigger
4.5.7.5. Checking if the Dnssec-trigger Daemon is Running
4.5.8. Using Dnssec-trigger
4.5.9. Using dig With DNSSEC
4.5.10. Setting up Hotspot Detection Infrastructure for Dnssec-trigger
4.5.11. Configuring DNSSEC Validation for Connection Supplied Domains
4.5.11.1. Configuring DNSSEC Validation for Wi-Fi Supplied Domains
4.5.12. Additional Resources
4.5.12.1. Installed Documentation
4.5.12.2. Online Documentation
4.6. SECURING VIRTUAL PRIVATE NETWORKS (VPNS) USING LIBRESWAN
4.6.1. Installing Libreswan
4.6.2. Creating VPN Configurations Using Libreswan
4.6.3. Creating Host-To-Host VPN Using Libreswan
4.6.3.1. Verifying Host-To-Host VPN Using Libreswan
4.6.4. Configuring Site-to-Site VPN Using Libreswan
4.6.4.1. Verifying Site-to-Site VPN Using Libreswan
4.6.5. Configuring Site-to-Site Single Tunnel VPN Using Libreswan
4.6.6. Configuring Subnet Extrusion Using Libreswan
4.6.7. Configuring IKEv2 Remote Access VPN Libreswan
4.6.8. Configuring IKEv1 Remote Access VPN Libreswan and XAUTH with X.509
4.6.9. Using the Protection against Quantum Computers
4.6.10. Additional Resources
4.6.10.1. Installed Documentation
4.6.10.2. Online Documentation
4.7. USING OPENSSL
4.7.1. Creating and Managing Encryption Keys
4.7.2. Generating Certificates
4.7.2.1. Creating a Certificate Signing Request
4.7.2.2. Creating a Self-signed Certificate
4.7.2.3. Creating a Certificate Using a Makefile
4.7.3. Verifying Certificates
4.7.4. Encrypting and Decrypting a File
Using RSA Keys
Using Symmetric Algorithms
4.7.5. Generating Message Digests
4.7.6. Generating Password Hashes
4.7.7. Generating Random Data
4.7.8. Benchmarking Your System
4.7.9. Configuring OpenSSL
4.8. USING STUNNEL
4.8.1. Installing stunnel
4.8.2. Configuring stunnel as a TLS Wrapper
4.8.3. Starting, Stopping, and Restarting stunnel
4.9. ENCRYPTION
4.9.1. Using LUKS Disk Encryption
Overview of LUKS
4.9.1.1. LUKS Implementation in Red Hat Enterprise Linux
4.9.1.2. Manually Encrypting Directories
4.9.1.3. Add a New Passphrase to an Existing Device
4.9.1.4. Remove a Passphrase from an Existing Device
4.9.1.5. Creating Encrypted Block Devices in Anaconda
4.9.1.6. Additional Resources
4.9.2. Creating GPG Keys
4.9.2.1. Creating GPG Keys in GNOME
4.9.2.2. Creating GPG Keys in KDE
4.9.2.3. Creating GPG Keys Using the Command Line
4.9.2.4. About Public Key Encryption
4.9.3. Using openCryptoki for Public-Key Cryptography
4.9.3.1. Installing openCryptoki and Starting the Service
4.9.3.2. Configuring and Using openCryptoki
4.9.4. Using Smart Cards to Supply Credentials to OpenSSH
4.9.4.1. Retrieving a Public Key from a Card
4.9.4.2. Storing a Public Key on a Server
4.9.4.3. Authenticating to a Server with a Key on a Smart Card
4.9.4.4. Using ssh-agent to Automate PIN Logging In
4.9.4.5. Additional Resources
4.9.5. Trusted and Encrypted Keys
4.9.5.1. Working with Keys
4.9.5.2. Additional Resources
Installed Documentation
Online Documentation
See Also
4.9.6. Using the Random Number Generator
4.10. USING NETWORK-BOUND DISK ENCRYPTION
4.10.1. Deploying a Tang server
4.10.1.1. Deploying High-Availability Systems
4.10.2. Deploying an Encryption Client
4.10.3. Configuring Manual Enrollment of Root Volumes
4.10.4. Configuring Automated Enrollment Using Kickstart
4.10.5. Configuring Automated Unlocking of Removable Storage Devices
4.10.6. Configuring Automated Unlocking of Non-root Volumes at Boot Time
4.10.7. Deploying Virtual Machines in a NBDE Network
4.10.8. Building Automatically-enrollable VM Images for Cloud Environments
4.10.9. Additional Resources
4.11. CHECKING INTEGRITY WITH AIDE
4.11.1. Installing AIDE
4.11.2. Performing Integrity Checks
4.11.3. Updating an AIDE Database
4.11.4. Additional Resources
4.12. USING USBGUARD
4.12.1. Installing USBGuard
4.12.2. Creating a White List and a Black List
4.12.3. Using the Rule Language to Create Your Own Policy
4.12.4. Additional Resources
4.13. HARDENING TLS CONFIGURATION
4.13.1. Choosing Algorithms to Enable
Protocol Versions
Cipher Suites
Public Key Length
4.13.2. Using Implementations of TLS
4.13.2.1. Working with Cipher Suites in OpenSSL
4.13.2.2. Working with Cipher Suites in GnuTLS
4.13.3. Configuring Specific Applications
4.13.3.1. Configuring the Apache HTTP Server
4.13.3.2. Configuring the Dovecot Mail Server
4.13.4. Additional Information
Installed Documentation
Online Documentation
See Also
4.14. USING SHARED SYSTEM CERTIFICATES
4.14.1. Using a System-wide Trust Store
4.14.2. Adding New Certificates
4.14.3. Managing Trusted System Certificates
4.14.4. Additional Resources
4.15. USING MACSEC
4.16. REMOVING DATA SECURELY USING SCRUB
CHAPTER 5. USING FIREWALLS
5.1. GETTING STARTED WITH FIREWALLD
5.1.1. Zones
5.1.2. Predefined Services
5.1.3. Runtime and Permanent Settings
5.1.4. Modifying Settings in Runtime and Permanent Configuration using CLI
5.2. INSTALLING THE FIREWALL-CONFIG GUI CONFIGURATION TOOL
5.3. VIEWING THE CURRENT STATUS AND SETTINGS OF FIREWALLD
5.3.1. Viewing the Current Status of firewalld
5.3.2. Viewing Current firewalld Settings
5.3.2.1. Viewing Allowed Services using GUI
5.3.2.2. Viewing firewalld Settings using CLI
5.4. STARTING FIREWALLD
5.5. STOPPING FIREWALLD
5.6. CONTROLLING TRAFFIC
5.6.1. Predefined Services
5.6.2. Disabling All Traffic in Case of Emergency using CLI
5.6.3. Controlling Traffic with Predefined Services using CLI
5.6.4. Controlling Traffic with Predefined Services using GUI
5.6.5. Adding New Services
5.6.6. Controlling Ports using CLI
Opening a Port
Closing a Port
5.6.7. Opening Ports using GUI
5.6.8. Controlling Traffic with Protocols using GUI
5.6.9. Opening Source Ports using GUI
5.7. WORKING WITH ZONES
5.7.1. Listing Zones
5.7.2. Modifying firewalld Settings for a Certain Zone
5.7.3. Changing the Default Zone
5.7.4. Assigning a Network Interface to a Zone
5.7.5. Assigning a Default Zone to a Network Connection
5.7.6. Creating a New Zone
5.7.7. Creating a New Zone using a Configuration File
5.7.8. Using Zone Targets to Set Default Behavior for Incoming Traffic
5.8. USING ZONES TO MANAGE INCOMING TRAFFIC DEPENDING ON SOURCE
5.8.1. Adding a Source
5.8.2. Removing a Source
5.8.3. Adding a Source Port
5.8.4. Removing a Source Port
5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain
5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol
Adding a Protocol to a Zone
Removing a Protocol from a Zone
5.9. PORT FORWARDING
5.9.1. Adding a Port to Redirect
5.9.2. Removing a Redirected Port
5.10. CONFIGURING IP ADDRESS MASQUERADING
5.11. MANAGING ICMP REQUESTS
5.11.1. Listing ICMP Requests
5.11.2. Blocking or Unblocking ICMP Requests
5.11.3. Blocking ICMP Requests without Providing any Information at All
5.11.4. Configuring the ICMP Filter using GUI
5.12. SETTING AND CONTROLLING IP SETS USING FIREWALLD
5.12.1. Configuring IP Set Options with the Command-Line Client
5.12.2. Configuring a Custom Service for an IP Set
5.13. SETTING AND CONTROLLING IP SETS USING IPTABLES
5.14. USING THE DIRECT INTERFACE
5.14.1. Adding a Rule using the Direct Interface
5.14.2. Removing a Rule using the Direct Interface
5.14.3. Listing Rules using the Direct Interface
5.15. CONFIGURING COMPLEX FIREWALL RULES WITH THE "RICH LANGUAGE" SYNTAX
5.15.1. Formatting of the Rich Language Commands
5.15.2. Understanding the Rich Rule Structure
5.15.3. Understanding the Rich Rule Command Options
Source and Destination Addresses
Elements
Logging
Action
5.15.4. Using the Rich Rule Log Command
5.15.4.1. Using the Rich Rule Log Command Example 1
5.15.4.2. Using the Rich Rule Log Command Example 2
5.15.4.3. Using the Rich Rule Log Command Example 3
5.15.4.4. Using the Rich Rule Log Command Example 4
5.15.4.5. Using the Rich Rule Log Command Example 5
5.15.4.6. Using the Rich Rule Log Command Example 6
5.16. CONFIGURING FIREWALL LOCKDOWN
5.16.1. Configuring Lockdown with the Command-Line Client
5.16.2. Configuring Lockdown Whitelist Options with the Command-Line Client
5.16.3. Configuring Lockdown Whitelist Options with Configuration Files
5.17. CONFIGURING LOGGING FOR DENIED PACKETS
5.18. ADDITIONAL RESOURCES
5.18.1. Installed Documentation
5.18.2. Online Documentation
CHAPTER 6. SYSTEM AUDITING
Use Cases
6.1. AUDIT SYSTEM ARCHITECTURE
6.2. INSTALLING THE AUDIT PACKAGES
6.3. CONFIGURING THE AUDIT SERVICE
6.3.1. Configuring auditd for a Secure Environment
6.4. STARTING THE AUDIT SERVICE
6.5. DEFINING AUDIT RULES
6.5.1. Defining Audit Rules with auditctl
Defining Control Rules
Defining File System Rules
Defining System Call Rules
6.5.2. Defining Executable File Rules
6.5.3. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
Defining Control Rules
Defining File System and System Call Rules
Preconfigured Rules Files
Using augenrules to Define Persistent Rules
6.6. UNDERSTANDING AUDIT LOG FILES
First Record
Second Record
Third Record
Fourth Record
6.7. SEARCHING THE AUDIT LOG FILES
6.8. CREATING AUDIT REPORTS
6.9. ADDITIONAL RESOURCES
Online Sources
Installed Documentation
Manual Pages
CHAPTER 7. COMPLIANCE AND VULNERABILITY SCANNING WITH OPENSCAP
7.1. SECURITY COMPLIANCE IN RED HAT ENTERPRISE LINUX
7.2. DEFINING COMPLIANCE POLICY
7.2.1. The XCCDF File Format
7.2.2. The OVAL File Format
7.2.3. The Data Stream Format
7.3. USING SCAP WORKBENCH
7.3.1. Installing SCAP Workbench
7.3.2. Running SCAP Workbench
7.3.3. Scanning the System
7.3.4. Customizing Security Profiles
7.3.5. Saving SCAP Content
7.3.6. Viewing Scan Results and Generating Scan Reports and Remediations
7.4. USING OSCAP
7.4.1. Installing oscap
7.4.2. Displaying SCAP Content
7.4.3. Scanning the System
7.4.4. Generating Reports and Guides
7.4.5. Validating SCAP Content
7.4.6. Using OpenSCAP to Remediate the System
7.4.6.1. OpenSCAP Online Remediation
7.4.6.2. OpenSCAP Offline Remediation
7.4.6.3. OpenSCAP Remediation Review
7.4.7. Exporting XCCDF Results for the DISA STIG Viewer
7.5. USING OPENSCAP WITH DOCKER
7.5.1. Scanning Docker-formatted Images and Containers for Vulnerabilities
7.5.2. Scanning Configuration Compliance of Docker-formatted Images and Containers
7.6. USING OPENSCAP WITH THE ATOMIC SCAN COMMAND
atomic scan and OpenSCAP Scanner Image
7.6.1. Scanning Docker-formatted Images and Containers for Vulnerabilities Using atomic scan
7.6.2. Scanning and Remediating Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
Scanning for Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
Remediating Configuration Compliance of Docker-formatted Images and Containers Using atomic scan
7.7. USING OPENSCAP WITH ANSIBLE
Filtering Tasks
Customizing Playbooks
7.8. USING OPENSCAP WITH RED HAT SATELLITE
7.9. PRACTICAL EXAMPLES
7.9.1. Auditing Security Vulnerabilities of Red Hat Products
7.9.2. Auditing System Settings with SCAP Security Guide
7.10. ADDITIONAL RESOURCES
Installed Documentation
Online Documentation
CHAPTER 8. FEDERAL STANDARDS AND REGULATIONS
8.1. FEDERAL INFORMATION PROCESSING STANDARD (FIPS)
8.1.1. Enabling FIPS Mode
During the System Installation
After the System Installation
Enabling FIPS Mode in a Container
8.2. NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL (NISPOM)
8.3. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
8.4. SECURITY TECHNICAL IMPLEMENTATION GUIDE
APPENDIX A. ENCRYPTION STANDARDS
A.1. SYNCHRONOUS ENCRYPTION
A.1.1. Advanced Encryption Standard — AES
A.1.1.1. AES History
A.1.2. Data Encryption Standard — DES
A.1.2.1. DES History
A.2. PUBLIC-KEY ENCRYPTION
A.2.1. Diffie-Hellman
A.2.1.1. Diffie-Hellman History
A.2.2. RSA
A.2.3. DSA
A.2.4. SSL/TLS
A.2.5. Cramer-Shoup Cryptosystem
A.2.6. ElGamal Encryption
APPENDIX B. AUDIT SYSTEM REFERENCE
B.1. AUDIT EVENT FIELDS
B.2. AUDIT RECORD TYPES
APPENDIX C. REVISION HISTORY