Red Hat Enterprise Linux 6 Security Guide

Table of Contents
Preface
	1. Document Conventions
		1.1. Typographic Conventions
		1.2. Pull-quote Conventions
		1.3. Notes and Warnings
	2. We Need Feedback!
Chapter 1. Security Overview
	1.1. Introduction to Security
		1.1.1. What is Computer Security?
			1.1.1.1. How did Computer Security come about?
			1.1.1.2. Security Today
			1.1.1.3. Standardizing Security
		1.1.2. SELinux
		1.1.3. Security Controls
			1.1.3.1. Physical Controls
			1.1.3.2. Technical Controls
			1.1.3.3. Administrative Controls
		1.1.4. Conclusion
	1.2. Vulnerability Assessment
		1.2.1. Thinking Like the Enemy
		1.2.2. Defining Assessment and Testing
			1.2.2.1. Establishing a Methodology
		1.2.3. Evaluating the Tools
			1.2.3.1. Scanning Hosts with Nmap
			1.2.3.2. Nessus
			1.2.3.3. Nikto
			1.2.3.4. Anticipating Your Future Needs
	1.3. Attackers and Vulnerabilities
		1.3.1. A Quick History of Hackers
			1.3.1.1. Shades of Gray
		1.3.2. Threats to Network Security
			1.3.2.1. Insecure Architectures
		1.3.3. Threats to Server Security
			1.3.3.1. Unused Services and Open Ports
			1.3.3.2. Unpatched Services
			1.3.3.3. Inattentive Administration
			1.3.3.4. Inherently Insecure Services
		1.3.4. Threats to Workstation and Home PC Security
			1.3.4.1. Bad Passwords
			1.3.4.2. Vulnerable Client Applications
	1.4. Common Exploits and Attacks
	1.5. Security Updates
		1.5.1. Updating Packages
		1.5.2. Verifying Signed Packages
		1.5.3. Installing Signed Packages
		1.5.4. Applying the Changes
Chapter 2. Securing Your Network
	2.1. Workstation Security
		2.1.1. Evaluating Workstation Security
		2.1.2. BIOS and Boot Loader Security
			2.1.2.1. BIOS Passwords
			2.1.2.2. Boot Loader Passwords
		2.1.3. Password Security
			2.1.3.1. Creating Strong Passwords
			2.1.3.2. Creating User Passwords Within an Organization
		2.1.4. Locking Inactive Accounts
		2.1.5. Customizing Access Control
		2.1.6. Time-based Restriction of Access
		2.1.7. Applying Account Limits
		2.1.8. Administrative Controls
			2.1.8.1. Allowing Root Access
			2.1.8.2. Disallowing Root Access
			2.1.8.3. Enabling Automatic Logouts
			2.1.8.4. Limiting Root Access
			2.1.8.5. Account Locking
		2.1.9. Session Locking
			2.1.9.1. Locking GNOME Using gnome-screensaver-command
			2.1.9.2. Locking Virtual Consoles Using vlock
		2.1.10. Available Network Services
			2.1.10.1. Risks To Services
			2.1.10.2. Identifying and Configuring Services
			2.1.10.3. Insecure Services
		2.1.11. Personal Firewalls
		2.1.12. Security Enhanced Communication Tools
	2.2. Server Security
		2.2.1. Securing Services With TCP Wrappers and xinetd
			2.2.1.1. Enhancing Security With TCP Wrappers
			2.2.1.2. Enhancing Security With xinetd
		2.2.2. Securing Portmap
			2.2.2.1. Protect portmap With TCP Wrappers
			2.2.2.2. Protect portmap With iptables
		2.2.3. Securing NIS
			2.2.3.1. Carefully Plan the Network
			2.2.3.2. Use a Password-like NIS Domain Name and Hostname
			2.2.3.3. Edit the /var/yp/securenets File
			2.2.3.4. Assign Static Ports and Use iptables Rules
			2.2.3.5. Use Kerberos Authentication
		2.2.4. Securing NFS
			2.2.4.1. Carefully Plan the Network
			2.2.4.2. Securing NFS Mount Options
			2.2.4.3. Beware of Syntax Errors
			2.2.4.4. Do Not Use the no_root_squash Option
			2.2.4.5. NFS Firewall Configuration
		2.2.5. Securing the Apache HTTP Server
			Removing httpd Modules
			httpd and SELinux
		2.2.6. Securing FTP
			2.2.6.1. FTP Greeting Banner
			2.2.6.2. Anonymous Access
			2.2.6.3. User Accounts
			2.2.6.4. Use TCP Wrappers To Control Access
		2.2.7. Securing Postfix
			2.2.7.1. Limiting a Denial of Service Attack
			2.2.7.2. NFS and Postfix
			2.2.7.3. Mail-only Users
			2.2.7.4. Disable Postfix Network Listening
		2.2.8. Securing Sendmail
			2.2.8.1. Limiting a Denial of Service Attack
			2.2.8.2. NFS and Sendmail
			2.2.8.3. Mail-only Users
			2.2.8.4. Disable Sendmail Network Listening
		2.2.9. Verifying Which Ports Are Listening
		2.2.10. Disable Source Routing
		2.2.11. Reverse Path Filtering
			2.2.11.1. Additional Resources
	2.3. Single Sign-on (SSO)
	2.4. Pluggable Authentication Modules (PAM)
	2.5. Kerberos
	2.6. TCP Wrappers and xinetd
		2.6.1. TCP Wrappers
			2.6.1.1. Advantages of TCP Wrappers
		2.6.2. TCP Wrappers Configuration Files
			2.6.2.1. Formatting Access Rules
			2.6.2.2. Option Fields
		2.6.3. xinetd
		2.6.4. xinetd Configuration Files
			2.6.4.1. The /etc/xinetd.conf File
			2.6.4.2. The /etc/xinetd.d/ Directory
			2.6.4.3. Altering xinetd Configuration Files
		2.6.5. Additional Resources
			2.6.5.1. Installed TCP Wrappers Documentation
			2.6.5.2. Useful TCP Wrappers Websites
			2.6.5.3. Related Books
	2.7. Virtual Private Networks (VPNs)
		2.7.1. How Does a VPN Work?
		2.7.2. Openswan
			2.7.2.1. Overview
			2.7.2.2. Configuration
			2.7.2.3. Commands
		2.7.3. IPsec VPN Using Openswan
			Checking if Openswan is Installed
			Installing Openswan
		2.7.4. VPN Configurations Using Openswan
		2.7.5. Host-To-Host VPN Using Openswan
			2.7.5.1. Verify Host-To-Host VPN Using Openswan
		2.7.6. Site-to-Site VPN Using Openswan
			2.7.6.1. Verify Site-to-Site VPN Using Openswan
		2.7.7. Site-to-Site Single Tunnel VPN Using Openswan
		2.7.8. Subnet Extrusion Using Openswan
		2.7.9. Road Warrior Application Using Openswan
		2.7.10. Additional Resources
			2.7.10.1. Installed Documentation
			2.7.10.2. Useful Websites
	2.8. Firewalls
		2.8.1. Netfilter and IPTables
			2.8.1.1. IPTables Overview
		2.8.2. Basic Firewall Configuration
			2.8.2.1. Firewall Configuration Tool
			2.8.2.2. Enabling and Disabling the Firewall
			2.8.2.3. Trusted Services
			2.8.2.4. Other Ports
			2.8.2.5. Saving the Settings
			2.8.2.6. Activating the IPTables Service
		2.8.3. Using IPTables
			2.8.3.1. IPTables Command Syntax
			2.8.3.2. Basic Firewall Policies
			2.8.3.3. Saving and Restoring IPTables Rules
		2.8.4. Common IPTables Filtering
		2.8.5. FORWARD and NAT Rules
			2.8.5.1. Postrouting and IP Masquerading
			2.8.5.2. Prerouting
			2.8.5.3. DMZs and IPTables
		2.8.6. Malicious Software and Spoofed IP Addresses
		2.8.7. IPTables and Connection Tracking
		2.8.8. IPv6
		2.8.9. IPTables
			2.8.9.1. Packet Filtering
			2.8.9.2. Command Options for IPTables
			2.8.9.3. Saving IPTables Rules
			2.8.9.4. IPTables Control Scripts
			2.8.9.5. IPTables and IPv6
			2.8.9.6. Additional Resources
Chapter 3. Encryption
	3.1. Data at Rest
		3.1.1. Full Disk Encryption
		3.1.2. File Based Encryption
	3.2. Data in Motion
		3.2.1. Virtual Private Networks
		3.2.2. Secure Shell
			3.2.2.1. SSH Cryptographic Login
		3.2.3. OpenSSL Intel AES-NI Engine
		3.2.4. LUKS Disk Encryption
			Overview of LUKS
			3.2.4.1. LUKS Implementation in Red Hat Enterprise Linux
			3.2.4.2. Manually Encrypting Directories
			3.2.4.3. Add a new passphrase to an existing device
			3.2.4.4. Remove a passphrase from an existing device
			3.2.4.5. Creating Encrypted Block Devices in Anaconda
			3.2.4.6. Additional Resources
		3.2.5. Using GNU Privacy Guard (GnuPG)
			3.2.5.1. Creating GPG Keys in GNOME
			3.2.5.2. Creating GPG Keys in KDE
			3.2.5.3. Creating GPG Keys Using the Command Line
			3.2.5.4. About Public Key Encryption
Chapter 4. General Principles of Information Security
	4.1. Tips, Guides, and Tools
Chapter 5. Secure Installation
	5.1. Disk Partitions
	5.2. Utilize LUKS Partition Encryption
Chapter 6. Software Maintenance
	6.1. Install Minimal Software
	6.2. Plan and Configure Security Updates
	6.3. Adjusting Automatic Updates
	6.4. Install Signed Packages from Well Known Repositories
Chapter 7. System Auditing
	Use Cases
	7.1. Audit System Architecture
	7.2. Installing the audit Packages
	7.3. Configuring the audit Service
		7.3.1. Configuring auditd for a CAPP Environment
	7.4. Starting the audit Service
	7.5. Defining Audit Rules
		7.5.1. Defining Audit Rules with the auditctl Utility
		Defining Control Rules
		Defining File System Rules
		Defining System Call Rules
		7.5.2. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File
		Defining Control Rules
		Defining File System and System Call Rules
		Preconfigured Rules Files
	7.6. Understanding Audit Log Files
		First Record
		Second Record
		Third Record
	7.7. Searching the Audit Log Files
	7.8. Creating Audit Reports
	7.9. Additional Resources
		Online Sources
		Installed Documentation
		Manual Pages
Chapter 8. Compliance and Vulnerability Scanning
	8.1. SCAP Introduction
	8.2. Using OpenSCAP
	8.3. How to Acquire SCAP Content
Chapter 9. Federal Standards and Regulations
	9.1. Introduction
	9.2. Federal Information Processing Standard (FIPS)
		9.2.1. Enabling FIPS Mode
	9.3. National Industrial Security Program Operating Manual (NISPOM)
	9.4. Payment Card Industry Data Security Standard (PCI DSS)
	9.5. Security Technical Implementation Guide
Chapter 10. References
Encryption Standards
	A.1. Synchronous Encryption
		A.1.1. Advanced Encryption Standard - AES
			A.1.1.1. AES History
		A.1.2.  Data Encryption Standard - DES
			A.1.2.1. DES History
	A.2. Public-key Encryption
		A.2.1. Diffie-Hellman
			A.2.1.1. Diffie-Hellman History
		A.2.2. RSA
		A.2.3. DSA
		A.2.4. SSL/TLS
		A.2.5. Cramer-Shoup Cryptosystem
		A.2.6. ElGamal Encryption
Audit System Reference
	B.1. Audit Event Fields
	B.2. Audit Record Types
Revision History