NOTE: CentOS Enterprise Linux 5 is built from the Red Hat Enterprise Linux source code. Other than logo and name changes, CentOS Enterprise Linux 5 is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux 5.

Security And Authentication

Whether system administrators need to secure their mission-critical systems, services, or data, Red Hat Enterprise Linux provides a range of tools and methods to serve as part of a comprehensive security strategy.

This chapter provides a general introduction to security, particularly from the perspective of Red Hat Enterprise Linux. It provides conceptual information in the areas of security assessment, common exploits, and intrusion and incident response. It also provides conceptual and specific configuration information on how to use SELinux to harden workstation, server, VPN, firewall and other implementations.

This chapter assumes a basic knowledge of IT security, and consequently provides only minimal coverage of common security practices such as controlling physical access, sound account-keeping policies and procedures, auditing, etc. Where appropriate, reference is made to external resources for this and related information.

Table of Contents

41. Security Overview
41.1. Introduction to Security
41.1.1. What is Computer Security?
41.1.2. Security Controls
41.1.3. Conclusion
41.2. Vulnerability Assessment
41.2.1. Thinking Like the Enemy
41.2.2. Defining Assessment and Testing
41.2.3. Evaluating the Tools
41.3. Attackers and Vulnerabilities
41.3.1. A Quick History of Hackers
41.3.2. Threats to Network Security
41.3.3. Threats to Server Security
41.3.4. Threats to Workstation and Home PC Security
41.4. Common Exploits and Attacks
41.5. Security Updates
41.5.1. Updating Packages
42. Securing Your Network
42.1. Workstation Security
42.1.1. Evaluating Workstation Security
42.1.2. BIOS and Boot Loader Security
42.1.3. Password Security
42.1.4. Administrative Controls
42.1.5. Available Network Services
42.1.6. Personal Firewalls
42.1.7. Security Enhanced Communication Tools
42.2. Server Security
42.2.1. Securing Services With TCP Wrappers and xinetd
42.2.2. Securing Portmap
42.2.3. Securing NIS
42.2.4. Securing NFS
42.2.5. Securing the Apache HTTP Server
42.2.6. Securing FTP
42.2.7. Securing Sendmail
42.2.8. Verifying Which Ports Are Listening
42.3. Single Sign-on (SSO)
42.3.1. Introduction
42.3.2. Getting Started with your new Smart Card
42.3.3. How Smart Card Enrollment Works
42.3.4. How Smart Card Login Works
42.3.5. Configuring Firefox to use Kerberos for SSO
42.4. Pluggable Authentication Modules (PAM)
42.4.1. Advantages of PAM
42.4.2. PAM Configuration Files
42.4.3. PAM Configuration File Format
42.4.4. Sample PAM Configuration Files
42.4.5. Creating PAM Modules
42.4.6. PAM and Administrative Credential Caching
42.4.7. PAM and Device Ownership
42.4.8. Additional Resources
42.5. TCP Wrappers and xinetd
42.5.1. TCP Wrappers
42.5.2. TCP Wrappers Configuration Files
42.5.3. xinetd
42.5.4. xinetd Configuration Files
42.5.5. Additional Resources
42.6. Kerberos
42.6.1. What is Kerberos?
42.6.2. Kerberos Terminology
42.6.3. How Kerberos Works
42.6.4. Kerberos and PAM
42.6.5. Configuring a Kerberos 5 Server
42.6.6. Configuring a Kerberos 5 Client
42.6.7. Domain-to-Realm Mapping
42.6.8. Setting Up Secondary KDCs
42.6.9. Setting Up Cross Realm Authentication
42.6.10. Additional Resources
42.7. Virtual Private Networks (VPNs)
42.7.1. How Does a VPN Work?
42.7.2. VPNs and Red Hat Enterprise Linux
42.7.3. IPsec
42.7.4. Creating an IPsec Connection
42.7.5. IPsec Installation
42.7.6. IPsec Host-to-Host Configuration
42.7.7. IPsec Network-to-Network Configuration
42.7.8. Starting and Stopping an IPsec Connection
42.8. Firewalls
42.8.1. Netfilter and IPTables
42.8.2. Basic Firewall Configuration
42.8.3. Using IPTables
42.8.4. Common IPTables Filtering
42.8.5. FORWARD and NAT Rules
42.8.6. Malicious Software and Spoofed IP Addresses
42.8.7. IPTables and Connection Tracking
42.8.8. IPv6
42.8.9. Additional Resources
42.9. IPTables
42.9.1. Packet Filtering
42.9.2. Differences Between IPTables and IPChains
42.9.3. Command Options for IPTables
42.9.4. Saving IPTables Rules
42.9.5. IPTables Control Scripts
42.9.6. IPTables and IPv6
42.9.7. Additional Resources
43. Security and SELinux
43.1. Access Control Mechanisms (ACMs)
43.1.1. Discretionary Access Control (DAC)
43.1.2. Access Control Lists (ACLs)
43.1.3. Mandatory Access Control (MAC)
43.1.4. Role-based Access Control (RBAC)
43.1.5. Multi-Level Security (MLS)
43.1.6. Multi-Category Security (MCS)
43.2. Introduction to SELinux
43.2.1. SELinux Overview
43.2.2. Files Related to SELinux
43.2.3. Additional Resources
43.3. Brief Background and History of SELinux
43.4. Multi-Category Security (MCS)
43.4.1. Introduction
43.4.2. Applications for Multi-Category Security
43.4.3. SELinux Security Contexts
43.5. Getting Started with Multi-Category Security (MCS)
43.5.1. Introduction
43.5.2. Comparing SELinux and Standard Linux User Identities
43.5.3. Configuring Categories
43.5.4. Assigning Categories to Users
43.5.5. Assigning Categories to Files
43.6. Multi-Level Security (MLS)
43.6.1. Why Multi-Level?
43.6.2. Security Levels, Objects and Subjects
43.6.3. MLS Policy
43.6.4. LSPP Certification
43.7. SELinux Policy Overview
43.7.1. What is the SELinux Policy?
43.7.2. Where is the Policy?
43.7.3. The Role of Policy in the Boot Process
43.7.4. Object Classes and Permissions
43.8. Targeted Policy Overview
43.8.1. What is the Targeted Policy?
43.8.2. Files and Directories of the Targeted Policy
43.8.3. Understanding the Users and Roles in the Targeted Policy
44. Working With SELinux
44.1. End User Control of SELinux
44.1.1. Moving and Copying Files
44.1.2. Checking the Security Context of a Process, User, or File Object
44.1.3. Relabeling a File or Directory
44.1.4. Creating Archives That Retain Security Contexts
44.2. Administrator Control of SELinux
44.2.1. Viewing the Status of SELinux
44.2.2. Relabeling a File System
44.2.3. Managing NFS Home Directories
44.2.4. Granting Access to a Directory or a Tree
44.2.5. Backing Up and Restoring the System
44.2.6. Enabling or Disabling Enforcement
44.2.7. Enable or Disable SELinux
44.2.8. Changing the Policy
44.2.9. Specifying the Security Context of Entire File Systems
44.2.10. Changing the Security Category of a File or User
44.2.11. Running a Command in a Specific Security Context
44.2.12. Useful Commands for Scripts
44.2.13. Changing to a Different Role
44.2.14. When to Reboot
44.3. Analyst Control of SELinux
44.3.1. Enabling Kernel Auditing
44.3.2. Dumping and Viewing Logs
45. Customizing SELinux Policy
45.1. Introduction
45.1.1. Modular Policy
45.2. Building a Local Policy Module
45.2.1. Using audit2allow to Build a Local Policy Module
45.2.2. Analyzing the Type Enforcement (TE) File
45.2.3. Loading the Policy Package
46. References

Published under the terms of the GNU General Public License