Enterprise Linux Server Hardening

Chapter 1. SECURITY CONCEPTS

Basic Security Principles

RHEL7 Default Install

Minimization – Discovery

Service Discovery

Hardening

Security Concepts

LAB TASKS

Removing Packages Using RPM

Firewall Configuration

Process Discovery

Operation of the setuid() and capset() System Calls

Operation of the chroot() System Call

Introduction to Troubleshooting Labs

Chapter 2. SCANNING, PROBING, AND MAPPING VULNERABILITIES

The Security Environment

Stealth Reconnaissance

The WHOIS database

Interrogating DNS

Discovering Hosts

Discovering Reachable Services

Reconnaissance with SNMP

Discovery of RPC Services

Enumerating NFS Shares

Nessus/OpenVAS Insecurity Scanner

Configuring OpenVAS

Intrusion Detection Systems

Snort Rules

Writing Snort Rules

LAB TASKS

NMAP

OpenVAS

Advanced nmap Options

Chapter 3. TRACKING SECURITY UPDATES AND SOFTWARE MAINTENANCE

Security Advisories

Managing Software

RPM Features

RPM Architecture

RPM Package Files

Working With RPMs

Querying and Verifying with RPM

Updating the Kernel RPM

Dealing With RPM & Yum Digest Changes

Using the Yum command

Using Yum history

Yum Plugins & RHN Subscription Manager

Yum Version Lock Plugin

Yum Repositories

LAB TASKS

Managing Software with RPM

Creating a Custom RPM Repository

Querying the RPM Database

Using Yum

Chapter 4. MANAGE THE FILESYSTEM

Partitioning Disks with fdisk & gdisk

Resizing a GPT Partition with gdisk

Partitioning Disks with parted

Non-Interactive Disk Partitioning with sfdisk

Filesystem Creation

Persistent Block Devices

Mounting Filesystems

Filesystem Maintenance

Swap

LAB TASKS

Creating and Managing Filesystems

Hot Adding Swap

Chapter 5. SECURING THE FILESYSTEM

Configuring Disk Quotas

Setting Quotas

Viewing and Monitoring Quotas

Filesystem Attributes

Filesystem Mount Options

GPG – GNU Privacy Guard

File Encryption with OpenSSL

File Encryption With encfs

Linux Unified Key Setup (LUKS)

LAB TASKS

Setting User Quotas

Securing Filesystems

Securing NFS

File Encryption with GPG

File Encryption With OpenSSL

LUKS-on-disk format Encrypted Filesystem

Chapter 6. MANAGE SPECIAL PERMISSIONS

File and Directory Permissions

File Creation Permissions with umask

SUID and SGID on files

SGID and Sticky Bit on Directories

Changing File Permissions

User Private Group Scheme

Chapter 7. MANAGE FILE ACCESS CONTROLS

File Access Control Lists

Manipulating FACLs

Viewing FACLs

Backing Up FACLs

LAB TASKS

Using Filesystem ACLs

Chapter 8. MONITOR FOR FILESYSTEM CHANGES

Host Intrusion Detection Systems

Using RPM as a HIDS

Introduction to AIDE

AIDE Installation

AIDE Policies

AIDE Usage

LAB TASKS

File Integrity Checking with RPM

File Integrity Checking with AIDE

Chapter 9. MANAGE USER ACCOUNTS

Approaches to Storing User Accounts

User and Group Concepts

User Administration

Modifying Accounts

Group Administration

RHEL DS Client Configuration

System Security Services Daemon (SSSD)

LAB TASKS

User Private Groups

Chapter 10. PASSWORD SECURITY AND PAM

Unix Passwords

Password Aging

Auditing Passwords

PAM Overview

PAM Module Types

PAM Order of Processing

PAM Control Statements

PAM Modules

pam_unix

pam_cracklib.so

pam_env.so

pam_xauth.so

pam_tally2.so

pam_wheel.so

pam_limits.so

pam_nologin.so

pam_deny.so

pam_warn.so

pam_securetty.so

pam_time.so

pam_access.so

pam_listfile.so

pam_lastlog.so

pam_console.so

LAB TASKS

John the Ripper

Cracklib

Using pam_listfile to Implement Arbitrary ACLs

Using pam_limits to Restrict Simultaneous Logins

Using pam_nologin to Restrict Logins

Using pam_access to Restrict Logins

su & pam

Chapter 11. USING FREEIPA FOR CENTRALIZED AUTHENTICATION

What Is FreeIPA?

FreeIPA Features

FreeIPA Installation

FreeIPA Client Installation

User, Group, And Host Management

User, Group, And Host Management

FreeIPA Active Directory Integration

Chapter 12. LOG FILE ADMINISTRATION

System Logging

systemd Journal

systemd Journal's journalctl

Secure Logging with Journal's Log Sealing

gnome-system-log

Rsyslog

/etc/rsyslog.conf

Log Management

Log Anomaly Detector

Sending logs from the shell

LAB TASKS

Using the systemd Journal

Setting up a Full Debug Logfile

Remote Syslog Configuration

Remote Rsyslog TLS Configuration

Chapter 13. ACCOUNTABILITY WITH KERNEL AUDITD

Accountability and Auditing

Simple Session Auditing

Simple Process Accounting & Command History

Kernel-Level Auditing

Configuring the Audit Daemon

Controlling Kernel Audit System

Creating Audit Rules

Searching Audit Logs

Generating Audit Log Reports

Audit Log Analysis

LAB TASKS

Auditing Login/Logout

Auditing File Access

Auditing Command Execution

Chapter 14. SECURING SERVICES

Xinetd

Xinetd Connection Limiting and Access Control

Xinetd: Resource limits, redirection, logging

TCP Wrappers

The /etc/hosts.allow & /etc/hosts.deny Files

/etc/hosts.{allow,deny} Shortcuts

Advanced TCP Wrappers

FirewallD

Netfilter: Stateful Packet Filter Firewall

Netfilter Concepts

Using the iptables Command

Netfilter Rule Syntax

Targets

Common match_specs

Extended Packet Matching Modules

Connection Tracking

LAB TASKS

Securing xinetd Services

Enforcing Security Policy with xinetd

Securing Services with TCP Wrappers

Securing Services with Netfilter

FirewallD

Troubleshooting Practice

Chapter 15. SELINUX

DAC vs. MAC

Shortcomings of Traditional Unix Security

SELinux Goals

SELinux Evolution

SELinux Modes

Gathering SELinux Information

SELinux Virtual Filesystem

SELinux Contexts

Managing Contexts

The SELinux Policy

Choosing an SELinux Policy

Policy Layout

Tuning and Adapting Policy

Booleans

Permissive Domains

Managing File Context Database

Managing Port Contexts

SELinux Policy Tools

Examining Policy

SELinux Troubleshooting

SELinux Troubleshooting Continued

LAB TASKS

Exploring SELinux Modes

SELinux File Contexts

SELinux Contexts in Action

Managing SELinux Booleans

Creating Policy with Audit2allow

Creating & Compiling Policy from Source