Security Guide Red Hat Enterprise Linux 7

Red Hat Enterprise Linux 7
Security Guide

A Guide to Securing Red Hat Enterprise Linux 7

Mirek Jahoda, Red Hat Customer Content Services, mjahoda@redhat.com
Robert Krátký, Red Hat Customer Content Services
Martin Prpič, Red Hat Customer Content Services
Tomáš Čapek, Red Hat Customer Content Services
Stephen Wadeley, Red Hat Customer Content Services
Yoana Ruseva, Red Hat Customer Content Services
Miroslav Svoboda, Red Hat Customer Content Services

Legal Notice
Copyright © 2017 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Abstract
This book assists users and administrators in learning the processes and practices of
securing workstations and servers against local and remote intrusion, exploitation,
and malicious activity. Focused on Red Hat Enterprise Linux but detailing concepts
and techniques valid for all Linux systems, this guide details the planning and the
tools involved in creating a secured computing environment for the data center,
workplace, and home. With proper administrative knowledge, vigilance, and tools,
systems running Linux can be both fully functional and secured from most common
intrusion and exploit methods.

Table of Contents

Chapter 1. Overview of Security Topics  3
  1.1. What is Computer Security?  3
  1.2. Security Controls  4
  1.3. Vulnerability Assessment  5
  1.4. Security Threats  9
  1.5. Common Exploits and Attacks  12

Chapter 2. Security Tips for Installation  17
  2.1. Securing BIOS  17
  2.2. Partitioning the Disk  17
  2.3. Installing the Minimum Amount of Packages Required  18
  2.4. Restricting Network Connectivity During the Installation Process  19
  2.5. Post-installation Procedures  19
  2.6. Additional Resources  19

Chapter 3. Keeping Your System Up-to-Date  21
  3.1. Maintaining Installed Software  21
  3.2. Using the Red Hat Customer Portal  25
  3.3. Additional Resources  26

Chapter 4. Hardening Your System with Tools and Services  28
  4.1. Desktop Security  28
  4.2. Controlling Root Access  37
  4.3. Securing Services  44
  4.4. Securing Network Access  64
  4.5. Using Firewalls  70
  4.6. Securing DNS Traffic with DNSSEC  114
  4.7. Securing Virtual Private Networks (VPNs)  123
  4.8. Using OpenSSL  134
  4.9. Using stunnel  140
  4.10. Encryption  142
  4.11. Hardening TLS Configuration  158
  4.12. Using MACsec (IEEE 802.1AE)  167

Chapter 5. System Auditing  168
  Use Cases  169
  5.1. Audit System Architecture  170
  5.2. Installing the audit Packages  171
  5.3. Configuring the audit Service  171
  5.4. Starting the audit Service  172
  5.5. Defining Audit Rules  173
  5.6. Understanding Audit Log Files  179
  5.7. Searching the Audit Log Files  184
  5.8. Creating Audit Reports  184
  5.9. Additional Resources  185

Chapter 6. Compliance and Vulnerability Scanning with OpenSCAP  187
  6.1. Security Compliance in Red Hat Enterprise Linux  187
  6.2. Defining Compliance Policy  187
  6.3. Using SCAP Workbench  196
  6.4. Using oscap  203
  6.5. Using OpenSCAP with Docker  211
  6.6. Using OpenSCAP with Atomic  212
  6.7. Using OpenSCAP with Red Hat Satellite  214
  6.8. Practical Examples  215
  6.9. Additional Resources  216

Chapter 7. Federal Standards and Regulations  218
  7.1. Federal Information Processing Standard (FIPS)  218
  7.2. National Industrial Security Program Operating Manual (NISPOM)  220
  7.3. Payment Card Industry Data Security Standard (PCI DSS)  220
  7.4. Security Technical Implementation Guide  220

Appendix A. Encryption Standards  221
  A.1. Synchronous Encryption  221
  A.2. Public-key Encryption  222

Appendix B. Audit System Reference  225
  B.1. Audit Event Fields  225
  B.2. Audit Record Types  228

Appendix C. Revision History  234

Chapter 1. Overview of Security Topics
Due to the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, entire industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of their organization. Because most organizations are increasingly dynamic in nature, their workers are accessing critical company IT resources locally and remotely, hence the need for secure computing environments has become more pronounced.
Unfortunately, many organizations (as well as individual users) regard security as more of an afterthought, a process that is overlooked in favor of increased power, productivity, convenience, ease of use, and budgetary concerns. Proper security implementation is often enacted postmortem — after an unauthorized intrusion has already occurred. Taking the correct measures prior to connecting a site to an untrusted network, such as the Internet, is an effective means of thwarting many attempts at intrusion.

Note
This document makes several references to files in the /lib directory. When using 64-bit systems, some of the files mentioned may instead be located in /lib64.

1.1. What is Computer Security?
Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access critical information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO), return on investment (ROI), and quality of service (QoS). Using these metrics, industries can calculate aspects such as data integrity and high-availability (HA) as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can mean the difference between success and failure.

1.1.1. Standardizing Security
Enterprises in every industry rely on regulations and rules that are set by standards-making bodies such as the American Medical Association (AMA) or the Institute of Electrical and Electronics Engineers (IEEE). The same ideals hold true for information security. Many security consultants and vendors agree upon the standard security model known as CIA, or Confidentiality, Integrity, and Availability. This three-tiered model is a generally accepted component to assessing risks of sensitive information and establishing security policy. The following describes the CIA model in further detail:
Confidentiality — Sensitive information must be available only to a set of pre-defined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.
Integrity — Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
Availability — Information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.

1.2. Security Controls
Computer security is often divided into three distinct master categories, commonly referred to as controls:
Physical
Technical
Administrative
These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them.

1.2.1. Physical Controls
Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:
Closed-circuit surveillance cameras
Motion or thermal alarm systems
Security guards
Picture IDs
Locked and dead-bolted steel doors
Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)

1.2.2. Technical Controls
Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
Encryption
Smart cards
Network authentication
Access control lists (ACLs)
File integrity auditing software

1.2.3. Administrative Controls
Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:
Training and awareness
Disaster preparedness and recovery plans
Personnel recruitment and separation strategies
Personnel registration and accounting

1.3. Vulnerability Assessment
Given time, resources, and motivation, an attacker can break into nearly any system. All of the security procedures and technologies currently available cannot guarantee that any systems are completely safe from intrusion. Routers help secure gateways to the Internet. Firewalls help secure the edge of the network. Virtual Private Networks safely pass data in an encrypted stream. Intrusion detection systems warn you of malicious activity. However, the success of each of these technologies is dependent upon a number of variables, including:
The expertise of the staff responsible for configuring, monitoring, and maintaining the technologies.
The ability to patch and update services and kernels quickly and efficiently.
The ability of those responsible to keep constant vigilance over the network.
Given the dynamic state of data systems and technologies, securing corporate resources can be quite complex. Due to this complexity, it is often difficult to find expert resources for all of your systems. While it is possible to have personnel knowledgeable in many areas of information security at a high level, it is difficult to retain staff who are experts in more than a few subject areas. This is mainly because each subject area of information security requires constant attention and focus. Information security does not stand still.
A vulnerability assessment is an internal audit of your network and system security, the results of which indicate the confidentiality, integrity, and availability of your network (as explained in Section 1.1.1, “Standardizing Security”). Typically, a vulnerability assessment starts with a reconnaissance phase, during which important data regarding the target systems and resources is gathered. This phase leads to the system readiness phase, whereby the target is essentially checked for all known vulnerabilities. The readiness phase culminates in the reporting phase, where the findings are classified into categories of high, medium, and low risk, and methods for improving the security (or mitigating the risk of vulnerability) of the target are discussed.
If you were to perform a vulnerability assessment of your home, you would likely check each door to your home to see if it is closed and locked. You would also check every window, making sure that it closes completely and latches correctly. This same concept applies to systems, networks, and electronic data. Malicious users are the thieves and vandals of your data. Focus on their tools, mentality, and motivations, and you can then react swiftly to their actions.

1.3.1. Defining Assessment and Testing
Vulnerability assessments may be broken down into one of two types: outside looking in and inside looking around.
When performing an outside-looking-in vulnerability assessment, you are attempting to compromise your systems from the outside. Being external to your company provides you with the cracker's viewpoint. You see what a cracker sees — publicly-routable IP addresses, systems on your DMZ, external interfaces of your firewall, and more. DMZ stands for "demilitarized zone", which corresponds to a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers.
When you perform an inside-looking-around vulnerability assessment, you are at an advantage since you are internal and your status is elevated to trusted. This is the viewpoint you and your co-workers have once logged on to your systems. You see print servers, file servers, databases, and other resources.
There are striking distinctions between the two types of vulnerability assessments. Being internal to your company gives you more privileges than an outsider. In most organizations, security is configured to keep intruders out. Very little is done to secure the internals of the organization (such as departmental firewalls, user-level access controls, and authentication procedures for internal resources). Typically, there are many more resources when looking around inside as most systems are internal to a company. Once you are outside the company, your status is untrusted. The systems and resources available to you externally are usually very limited.
Consider the difference between vulnerability assessments and penetration tests. Think of a vulnerability assessment as the first step to a penetration test. The information gleaned from the assessment is used for testing. Whereas the assessment is undertaken to check for holes and potential vulnerabilities, the penetration testing actually attempts to exploit the findings.
Assessing network infrastructure is a dynamic process. Security, both information and physical, is dynamic. Performing an assessment shows an overview, which can turn up false positives and false negatives. A false positive is a result where the tool finds vulnerabilities which in reality do not exist. A false negative is when it omits actual vulnerabilities.
Security administrators are only as good as the tools they use and the knowledge they retain. Take any of the assessment tools currently available, run them against your system, and it is almost a guarantee that there are some false positives. Whether by program fault or user error, the result is the same. The tool may find false positives, or, even worse, false negatives.
Now that the difference between a vulnerability assessment and a penetration test is defined, take the findings of the assessment and review them carefully before conducting a penetration test as part of your new best practices approach.

Warning
Do not attempt to exploit vulnerabilities on production systems. Doing so can have adverse effects on productivity and efficiency of your systems and network.

The following list examines some of the benefits to performing vulnerability assessments.
Creates proactive focus on information security.
Finds potential exploits before crackers find them.
Results in systems being kept up to date and patched.
Promotes growth and aids in developing staff expertise.
Abates financial loss and negative publicity.

1.3.2. Establishing a Methodology for Vulnerability Assessment
To aid in the selection of tools for a vulnerability assessment, it is helpful to establish a vulnerability assessment methodology. Unfortunately, there is no predefined or industry-approved methodology at this time; however, common sense and best practices can act as a sufficient guide.
What is the target? Are we looking at one server, or are we looking at our entire network and everything within the network? Are we external or internal to the company? The answers to these questions are important as they help determine not only which tools to select but also the manner in which they are used.
To learn more about establishing methodologies, see the following website:
https://www.owasp.org/ — The Open Web Application Security Project

1.3.3. Vulnerability Assessment Tools
An assessment can start by using some form of an information-gathering tool. When assessing the entire network, map the layout first to find the hosts that are running. Once located, examine each host individually. Focusing on these hosts requires another set of tools. Knowing which tools to use may be the most crucial step in finding vulnerabilities.
Just as in any aspect of everyday life, there are many different tools that perform the same job. This concept applies to performing vulnerability assessments as well. There are tools specific to operating systems, applications, and even networks (based on the protocols used). Some tools are free; others are not. Some tools are intuitive and easy to use, while others are cryptic and poorly documented but have features that other tools do not.
Finding the right tools may be a daunting task and, in the end, experience counts. If possible, set up a test lab and try out as many tools as you can, noting the strengths and weaknesses of each. Review the README file or man page for the tools. Additionally, look to the Internet for more information, such as articles, step-by-step guides, or even mailing lists specific to the tools.
The tools discussed below are just a small sampling of the available tools.

1.3.3.1. Scanning Hosts with Nmap
Nmap is a popular tool that can be used to determine the layout of a network. Nmap has been available for many years and is probably the most often used tool when gathering information. An excellent manual page is included that provides detailed descriptions of its options and usage. Administrators can use Nmap on a network to find host systems and open ports on those systems.
Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option that allows Nmap to attempt to identify the operating system running on a particular host. Nmap is a good foundation for establishing a policy of using secure services and restricting unused services.
To install Nmap, run the yum install nmap command as the root user.
1.3.3.1.1. Using Nmap
Nmap can be run from a shell prompt by typing the nmap command followed by the host name or IP address of the machine to scan:
nmap <hostname>
For example, to scan a machine with host name foo.example.com, type the following at a shell prompt:
~]$ nmap foo.example.com
The results of a basic scan (which could take up to a few minutes, depending on where the host is located and other network conditions) look similar to the following:
Interesting ports on foo.example.com:
Not shown: 1710 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
53/tcp  open   domain
80/tcp  open   http
113/tcp closed auth
Nmap tests the most common network communication ports for listening or waiting services. This knowledge can be helpful to an administrator who wants to close unnecessary or unused services.
For more information about using Nmap, see the official home page at the following URL:
http://www.insecure.org/
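The guide leaves the last step, deciding which of the reported open ports belong on the host, to the administrator. As an added example that is not part of the Red Hat guide or of Nmap itself, the POSIX shell script below parses scan output in the format shown above and reports every open port whose service is not on an allowlist of services the host is supposed to offer. The scan text is a constructed sample, and the allowlist, the function names and the "ssh http" policy are assumptions made for the example; in practice the scan output would come from running nmap against your own host.

```shell
#!/bin/sh
# Added example, not from the Red Hat Security Guide: compare the open ports in
# an Nmap scan against the services an administrator expects on the host.
# SAMPLE_SCAN is constructed sample data in the format the guide shows.

SAMPLE_SCAN='Interesting ports on foo.example.com:
Not shown: 1710 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
53/tcp  open   domain
80/tcp  open   http
113/tcp closed auth'

# open_ports: print "port/proto service" for every line whose STATE column is
# "open". The header line (STATE) and closed ports are skipped.
open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" { print $1, $3 }'
}

# unexpected_ports: given scan output and a space-separated allowlist of
# service names, print the open ports whose service is not on the list.
# These are the candidates for "unnecessary or unused services" to close.
unexpected_ports() {
    scan="$1"
    allow=" $2 "
    open_ports "$scan" | while read -r port svc; do
        case "$allow" in
            *" $svc "*) ;;                       # expected service, nothing to report
            *) printf '%s %s\n' "$port" "$svc" ;;
        esac
    done
}

# Demonstration: a host that is only supposed to offer SSH and HTTP
# (assumed policy). The DNS listener on 53/tcp is flagged for review.
echo "Open ports reported by the scan:"
open_ports "$SAMPLE_SCAN"
echo "Open ports not on the allowlist (ssh http):"
unexpected_ports "$SAMPLE_SCAN" "ssh http"
```

A flagged port is a prompt to check what is listening and whether it is needed, not proof of a problem; a host that legitimately runs a name server would simply carry "domain" on its allowlist.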

1.3.3.2. Nessus
Nessus is a full-service security scanner. The plug-in architecture of Nessus allows users to customize it for their systems and networks. As with any scanner, Nessus is only as good as the signature database it relies upon. Fortunately, Nessus is frequently updated and features full reporting, host scanning, and real-time vulnerability searches. Remember that there could be false positives and false negatives, even in a tool as powerful and as frequently updated as Nessus.

Note
The Nessus client and server software requires a subscription to use. It has been included in this document as a reference to users who may be interested in using this popular application.

For more information about Nessus, see the official website at the following URL:
http://www.nessus.org/

1.3.3.3. OpenVAS
OpenVAS (Open Vulnerability Assessment System) is a set of tools and services that can be used to scan for vulnerabilities and for a comprehensive vulnerability management. The OpenVAS framework offers a number of web-based, desktop, and command line tools for controlling the various components of the solution. The core functionality of OpenVAS is provided by a security scanner, which makes use of over 33 thousand daily-updated Network Vulnerability Tests (NVT). Unlike Nessus (see Section 1.3.3.2, “Nessus”), OpenVAS does not require any subscription.
For more information about OpenVAS, see the official website at the following URL:
http://www.openvas.org/

1.3.3.4. Nikto
Nikto is an excellent common gateway interface (CGI) script scanner. Nikto not only checks for CGI vulnerabilities but does so in an evasive manner, so as to elude intrusion-detection systems. It comes with thorough documentation which should be carefully reviewed prior to running the program. If you have web servers serving CGI scripts, Nikto can be an excellent resource for checking the security of these servers.
More information about Nikto can be found at the following URL:
http://cirt.net/nikto2

1.4. Security Threats
1.4.1. Threats to Network Security
Bad practices when configuring the following aspects of a network can increase the risk of an attack.

Insecure Architectures
A misconfigured network is a primary entry point for unauthorized users. Leaving a trust-based, open local network vulnerable to the highly-insecure Internet is much like leaving a door ajar in a crime-ridden neighborhood — nothing may happen for an arbitrary amount of time, but someone exploits the opportunity eventually.

Broadcast Networks
System administrators often fail to realize the importance of networking hardware in their security schemes. Simple hardware, such as hubs and routers, relies on the broadcast or non-switched principle; that is, whenever a node transmits data across the network to a recipient node, the hub or router sends a broadcast of the data packets until the recipient node receives and processes the data. This method is the most vulnerable to address resolution protocol (ARP) or media access control (MAC) address spoofing by both outside intruders and unauthorized users on local hosts.

Centralized Servers
Another potential networking pitfall is the use of centralized computing. A common cost-cutting measure for many businesses is to consolidate all services to a single powerful machine. This can be convenient as it is easier to manage and costs considerably less than multiple-server configurations. However, a centralized server introduces a single point of failure on the network. If the central server is compromised, it may render the network completely useless or worse, prone to data manipulation or theft. In these situations, a central server becomes an open door that allows access to the entire network.

1.4.2. Threats to Server Security
Server security is as important as network security because servers often hold a great deal of an organization's vital information. If a server is compromised, all of its contents may become available for the cracker to steal or manipulate at will. The following sections detail some of the main issues.

Unused Services and Open Ports
A full installation of Red Hat Enterprise Linux 7 contains more than 1000 application and library packages. However, most server administrators do not opt to install every single package in the distribution, preferring instead to install a base installation of packages, including several server applications. See Section 2.3, “Installing the Minimum Amount of Packages Required” for an explanation of the reasons to limit the number of installed packages and for additional resources.
A common occurrence among system administrators is to install the operating system without paying attention to what programs are actually being installed. This can be problematic because unneeded services may be installed, configured with the default settings, and possibly turned on. This can cause unwanted services, such as Telnet, DHCP, or DNS, to run on a server or workstation without the administrator realizing it, which in turn can cause unwanted traffic to the server or even a potential pathway into the system for crackers. See Section 4.3, “Securing Services” for information on closing ports and disabling unused services.

Unpatched Services
Most server applications that are included in a default installation are solid, thoroughly tested pieces of software. Having been in use in production environments for many years, their code has been thoroughly refined and many of the bugs have been found and fixed.
However, there is no such thing as perfect software and there is always room for further refinement. Moreover, newer software is often not as rigorously tested as one might expect, because of its recent arrival to production environments or because it may not be as popular as other server software.
Developers and system administrators often find exploitable bugs in server applications and publish the information on bug tracking and security-related websites such as the Bugtraq mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team (CERT) website (http://www.cert.org). Although these mechanisms are an effective way of alerting the community to security vulnerabilities, it is up to system administrators to patch their systems promptly. This is particularly true because crackers have access to these same vulnerability tracking services and will use the information to crack unpatched systems whenever they can. Good system administration requires vigilance, constant bug tracking, and proper system maintenance to ensure a more secure computing environment.

See Chapter 3, Keeping Your System Up-to-Date for more information about keeping a system up-to-date.

Inattentive Administration
Administrators who fail to patch their systems are one of the greatest threats to server security. According to the SysAdmin, Audit, Network, Security Institute (SANS), the primary cause of computer security vulnerability is "assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job." [1] This applies as much to inexperienced administrators as it does to overconfident or amotivated administrators.
Some administrators fail to patch their servers and workstations, while others fail to watch log messages from the system kernel or network traffic. Another common error is when default passwords or keys to services are left unchanged. For example, some databases have default administration passwords because the database developers assume that the system administrator changes these passwords immediately after installation. If a database administrator fails to change this password, even an inexperienced cracker can use a widely-known default password to gain administrative privileges to the database. These are only a few examples of how inattentive administration can lead to compromised servers.

Inherently Insecure Services
Even the most vigilant organization can fall victim to vulnerabilities if the network services they choose are inherently insecure. For instance, there are many services developed under the assumption that they are used over trusted networks; however, this assumption fails as soon as the service becomes available over the Internet — which is itself inherently untrusted.
One category of insecure network services is those that require unencrypted usernames and passwords for authentication. Telnet and FTP are two such services. If packet sniffing software is monitoring traffic between the remote user and such a service, usernames and passwords can be easily intercepted.
Inherently, such services can also more easily fall prey to what the security industry terms the man-in-the-middle attack. In this type of attack, a cracker redirects network traffic by tricking a cracked name server on the network to point to his machine instead of the intended server. Once someone opens a remote session to the server, the attacker's machine acts as an invisible conduit, sitting quietly between the remote service and the unsuspecting user capturing information. In this way a cracker can gather administrative passwords and raw data without the server or the user realizing it.
Another category of insecure services includes network file systems and information services such as NFS or NIS, which are developed explicitly for LAN usage but are, unfortunately, extended to include WANs (for remote users). NFS does not, by default, have any authentication or security mechanisms configured to prevent a cracker from mounting the NFS share and accessing anything contained therein. NIS, as well, has vital information that must be known by every computer on a network, including passwords and file permissions, within a plain text ASCII or DBM (ASCII-derived) database. A cracker who gains access to this database can then access every user account on a network, including the administrator's account.
By default, Red Hat Enterprise Linux 7 is released with all such services turned off. However, since administrators often find themselves forced to use these services, careful configuration is critical. See Section 4.3, “Securing Services” for more information about setting up services in a safe manner.


1.4.3. Threats to Workstation and Home PC Security
Workstations and home PCs may not be as prone to attack as networks or servers, but since they often contain sensitive data, such as credit card information, they are targeted by system crackers. Workstations can also be co-opted without the user's knowledge and used by attackers as "slave" machines in coordinated attacks. For these reasons, knowing the vulnerabilities of a workstation can save users the headache of reinstalling the operating system, or worse, recovering from data theft.

Bad Passwords
Bad passwords are one of the easiest ways for an attacker to gain access to a system. For more on how to avoid common pitfalls when creating a password, see Section 4.1.1, “Password Security”.

Vulnerable Client Applications
Although an administrator may have a fully secure and patched server, that does not mean remote users are secure when accessing it. For instance, if the server offers Telnet or FTP services over a public network, an attacker can capture the plain text usernames and passwords as they pass over the network, and then use the account information to access the remote user's workstation.
Even when using secure protocols, such as SSH, a remote user may be vulnerable to certain attacks if they do not keep their client applications updated. For instance, v.1 SSH clients are vulnerable to an X-forwarding attack from malicious SSH servers. Once connected to the server, the attacker can quietly capture any keystrokes and mouse clicks made by the client over the network. This problem was fixed in the v.2 SSH protocol, but it is up to the user to keep track of what applications have such vulnerabilities and update them as necessary.
Section 4.1, “Desktop Security” discusses in more detail what steps administrators and home users should take to limit the vulnerability of computer workstations.

1.5. Common Exploits and Attacks
Table 1.1, “Common Exploits” details some of the most common exploits and entry points used by intruders to access organizational network resources. Key to these common exploits are the explanations of how they are performed and how administrators can properly safeguard their network against such attacks.
Table 1.1. Common Exploits

Exploit: Null or Default Passwords
Description: Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and firewalls, but some services that run on Linux can contain default administrator passwords as well (though Red Hat Enterprise Linux 7 does not ship with them).
Notes: Commonly associated with networking hardware such as routers, firewalls, VPNs, and network attached storage (NAS) appliances. Common in many legacy operating systems, especially those that bundle services (such as UNIX and Windows). Administrators sometimes create privileged user accounts in a rush and leave the password null, creating a perfect entry point for malicious users who discover the account.

Exploit: Default Shared Keys
Description: Secure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and are placed in a production environment on the Internet, all users with the same default keys have access to that shared-key resource, and any sensitive information that it contains.
Notes: Most common in wireless access points and preconfigured secure server appliances.

Exploit: IP Spoofing
Description: A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or Trojan horse to gain control over your network resources.
Notes: Spoofing is quite difficult as it involves the attacker predicting TCP/IP sequence numbers to coordinate a connection to target systems, but several tools are available to assist crackers in performing such an attack. Depends on the target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not recommended when compared to PKI or other forms of encrypted authentication used in ssh or SSL/TLS.

Exploit: Eavesdropping
Description: Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes.
Notes: This type of attack works mostly with plain text transmission protocols such as Telnet, FTP, and HTTP transfers. The remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN. Preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised.

Exploit: Service Vulnerabilities
Description: An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network.
Notes: HTTP-based services such as CGI are vulnerable to remote command execution and even interactive shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders it unavailable to other users. Services sometimes can have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as buffer overflows, where attackers crash a service using arbitrary values that fill the memory buffer of an application, giving the attacker an interactive command prompt from which they may execute arbitrary commands) can give complete administrative control to an attacker. Administrators should make sure that services do not run as the root user, and should stay vigilant of patches and errata updates for applications from vendors or security organizations such as CERT and CVE.

Exploit: Application Vulnerabilities
Description: Attackers find faults in desktop and workstation applications (such as email clients) and execute arbitrary code, implant Trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network.
Notes: Workstations and desktops are more prone to exploitation as workers do not have the expertise or experience to prevent or detect a compromise; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited email attachments. Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software using Red Hat Network or other system management services can alleviate the burdens of multi-seat security deployments.

Exploit: Denial of Service (DoS) Attacks
Description: An attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users.
Notes: The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as zombies, or redirected broadcast nodes. Source packets are usually forged (as well as rebroadcast), making investigation as to the true source of the attack difficult. Advances in ingress filtering (IETF rfc2267) using iptables and Network Intrusion Detection Systems such as snort assist administrators in tracking down and preventing distributed DoS attacks.

[1] http://www.sans.org/security-resources/mistakes.php

Chapter 2. Security Tips for Installation
Security begins with the first time you put that CD or DVD into your disk drive to install Red Hat Enterprise Linux 7. Configuring your system securely from the beginning makes it easier to implement additional security settings later.

2.1. Securing BIOS
Password protection for the BIOS (or BIOS equivalent) and the boot loader can prevent unauthorized users who have physical access to systems from booting using removable media or obtaining root privileges through single user mode. The security measures you should take to protect against such attacks depend both on the sensitivity of the information on the workstation and the location of the machine.
For example, if a machine is used in a trade show and contains no sensitive information, then it may not be critical to prevent such attacks. However, if an employee's laptop with private, unencrypted SSH keys for the corporate network is left unattended at that same trade show, it could lead to a major security breach with ramifications for the entire company.
If the workstation is located in a place where only authorized or trusted people have access, however, then securing the BIOS or the boot loader may not be necessary.

2.1.1. BIOS Passwords
The two primary reasons for password protecting the BIOS of a computer are [2]:
1. Preventing Changes to BIOS Settings — If an intruder has access to the BIOS, they can set it to boot from a CD-ROM or a flash drive. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data.
2. Preventing System Booting — Some BIOSes allow password protection of the boot process. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader.
Because the methods for setting a BIOS password vary between computer manufacturers, consult the computer's manual for specific instructions.
If you forget the BIOS password, it can either be reset with jumpers on the motherboard or by disconnecting the CMOS battery. For this reason, it is good practice to lock the computer case if possible. However, consult the manual for the computer or motherboard before attempting to disconnect the CMOS battery.

2.1.1.1. Securing Non-BIOS-based Systems
Other systems and architectures use different programs to perform low-level tasks roughly equivalent to those of the BIOS on x86 systems. For example, the Unified Extensible Firmware Interface (UEFI) shell.
For instructions on password protecting BIOS-like programs, see the manufacturer's instructions.

2.2. Partitioning the Disk
Red Hat recommends creating separate partitions for the /boot, /, /home, /tmp, and /var/tmp/ directories. The reasons for each are different, and we will address each partition.
/boot
This partition is the first partition that is read by the system during boot up. The boot loader and kernel images that are used to boot your system into Red Hat Enterprise Linux 7 are stored in this partition. This partition should not be encrypted. If this partition is included in / and that partition is encrypted or otherwise becomes unavailable then your system will not be able to boot.
/home
When user data (/home) is stored in / instead of in a separate partition, the partition can fill up causing the operating system to become unstable. Also, when upgrading your system to the next version of Red Hat Enterprise Linux 7 it is a lot easier when you can keep your data in the /home partition as it will not be overwritten during installation. If the root partition (/) becomes corrupt your data could be lost forever. By using a separate partition there is slightly more protection against data loss. You can also target this partition for frequent backups.
/tmp and /var/tmp/
Both the /tmp and /var/tmp/ directories are used to store data that does not need to be stored for a long period of time. However, if a lot of data floods one of these directories it can consume all of your storage space. If this happens and these directories are stored within / then your system could become unstable and crash. For this reason, moving these directories into their own partitions is a good idea.

Note
During the installation process, an option to encrypt partitions is presented to you. The user must supply a passphrase. This passphrase will be used as a key to unlock the bulk encryption key, which is used to secure the partition's data. For more information on LUKS, see Section 4.10.1, “Using LUKS Disk Encryption”.

2.3. Installing the Minimum Amount of Packages Required
It is best practice to install only the packages you will use because each piece of software on your computer could possibly contain a vulnerability. If you are installing from the DVD media, take the opportunity to select exactly what packages you want to install during the installation. If you find you need another package, you can always add it to the system later.
For more information about installing the Minimal install environment, see the Software Selection chapter of the Red Hat Enterprise Linux 7 Installation Guide. A minimal installation can also be performed by a Kickstart file using the --nobase option. For more information about Kickstart installations, see the Package Selection section from the Red Hat Enterprise Linux 7 Installation Guide.

2.4. Restricting Network Connectivity During the Installation Process
When installing Red Hat Enterprise Linux, the installation medium represents a snapshot of the system at a particular time. Because of this, it may not be up-to-date with the latest security fixes and may be vulnerable to certain issues that were fixed only after the system provided by the installation medium was released.
When installing a potentially vulnerable operating system, always limit exposure only to the closest necessary network zone. The safest choice is the “no network” zone, which means to leave your machine disconnected during the installation process. In some cases, a LAN or intranet connection is sufficient while the Internet connection is the riskiest. To follow the best security practices, choose the closest zone with your repository while installing Red Hat Enterprise Linux from a network.
For more information about configuring network connectivity, see the Network & Hostname chapter of the Red Hat Enterprise Linux 7 Installation Guide.

2.5. Post-installation Procedures
The following steps are the security-related procedures that should be performed immediately after installation of Red Hat Enterprise Linux.
1. Update your system. Enter the following command as root:
~]# yum update
2. Even though the firewall service, firewalld, is automatically enabled with the installation of Red Hat Enterprise Linux, there are scenarios where it might be explicitly disabled, for example in the kickstart configuration. In such a case, it is recommended to consider re-enabling the firewall.
To start firewalld enter the following commands as root:
~]# systemctl start firewalld
~]# systemctl enable firewalld
3. To enhance security, disable services you do not need. For example, if there are no printers installed on your computer, disable the cups service using the following command:
~]# systemctl disable cups
To review active services, enter the following command:
~]$ systemctl list-units | grep service
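The service review in step 3 is easier to repeat if the set of services the host is expected to run is written down and everything else is flagged. The following script is an added example, not part of the Red Hat guide: it reads the output of systemctl list-units restricted to active services (the --type, --state, --no-legend and --plain options are standard systemctl options) and prints every active service that is not on a hypothetical per-host allowlist. The allowlist and the sample systemctl output embedded in the script are constructed for illustration and must be adapted to the host.

```shell
#!/bin/sh
# Post-installation service audit: added example, not code from the Red Hat
# Security Guide. Flags active systemd services that are not on an allowlist
# so the administrator can decide what to "systemctl disable".

# Services this host is expected to run (hypothetical allowlist; adapt per host).
EXPECTED_SERVICES="sshd.service firewalld.service chronyd.service rsyslog.service
auditd.service NetworkManager.service dbus.service systemd-journald.service
systemd-logind.service"

# is_expected UNIT: exit 0 when UNIT is listed in EXPECTED_SERVICES.
is_expected() {
    for e in $EXPECTED_SERVICES; do
        [ "$e" = "$1" ] && return 0
    done
    return 1
}

# unexpected_services: reads the output of
#   systemctl list-units --type=service --state=active --no-legend --plain
# on stdin and prints one unexpected unit name per line. Only the first
# column (the unit name) is consulted; the rest of the line is ignored.
unexpected_services() {
    while read -r unit _rest; do
        [ -n "$unit" ] || continue          # skip blank lines
        is_expected "$unit" || printf '%s\n' "$unit"
    done
}

# Constructed sample in the format of the systemctl command above (invented
# for this example, not captured from a real host).
SAMPLE_UNITS='sshd.service      loaded active running OpenSSH server daemon
firewalld.service loaded active running firewalld - dynamic firewall daemon
cups.service      loaded active running CUPS Printing Service
chronyd.service   loaded active running NTP client/server
vsftpd.service    loaded active running Vsftpd ftp daemon
rsyslog.service   loaded active running System Logging Service'

# audit_sample: the unexpected units from the constructed sample, joined by
# single spaces, so the logic can be exercised without a live system.
audit_sample() {
    printf '%s\n' "$SAMPLE_UNITS" | unexpected_services | tr '\n' ' ' | sed 's/ $//'
}

# audit_live: the same check against the running host.
audit_live() {
    systemctl list-units --type=service --state=active --no-legend --plain \
        | unexpected_services
}

# Run with "--live" to audit the local host; without arguments nothing runs,
# so the functions can be sourced or tested in isolation.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run as sh service-audit.sh --live after installation and after each change to the host's role; every unit it prints is a candidate for systemctl disable, or for being added to the allowlist if the host genuinely needs it. Keeping the allowlist under version control turns step 3 from a one-time look at the output into a check that can be repeated.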

2.6. Additional Resources
For more information about installation in general, see the Red Hat Enterprise Linux 7 Installation Guide.

[2] Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.

Chapter 3. Keeping Your System Up-to-Date
This chapter describes the process of keeping your system up-to-date, which involves planning and configuring the way security updates are installed, applying changes introduced by newly updated packages, and using the Red Hat Customer Portal for keeping track of security advisories.

3.1. Maintaining Installed Software
As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is a part of a package within a Red Hat Enterprise Linux distribution that is currently supported, Red Hat is committed to releasing updated packages that fix the vulnerabilities as soon as possible.
Often, announcements about a given security exploit are accompanied with a patch (or source code) that fixes the problem. This patch is then applied to the Red Hat Enterprise Linux package and tested and released as an erratum update. However, if an announcement does not include a patch, Red Hat developers first work with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an erratum update.
If an erratum update is released for software used on your system, it is highly recommended that you update the affected packages as soon as possible to minimize the amount of time the system is potentially vulnerable.

3.1.1. Planning and Configuring Security Updates
All software contains bugs. Often, these bugs can result in a vulnerability that can expose your system to malicious users. Packages that have not been updated are a common cause of computer intrusions. Implement a plan for installing security patches in a timely manner to quickly eliminate discovered vulnerabilities, so they cannot be exploited.
Test security updates when they become available and schedule them for installation. Additional controls need to be used to protect the system during the time between the release of the update and its installation on the system. These controls depend on the exact vulnerability, but may include additional firewall rules, the use of external firewalls, or changes in software settings.
Bugs in supported packages are fixed using the errata mechanism. An erratum consists of one or more RPM packages accompanied by a brief explanation of the problem that the particular erratum deals with. All errata are distributed to customers with active subscriptions through the Red Hat Subscription Management service. Errata that address security issues are called Red Hat Security Advisories.
For more information on working with security errata, see Section 3.2.1, “Viewing Security Advisories on the Customer Portal”. For detailed information about the Red Hat Subscription Management service, including instructions on how to migrate from RHN Classic, see the documentation related to this service: Red Hat Subscription Management.

3.1.1.1. Using the Security Features of Yum
The Yum package manager includes several security-related features that can be used to search, list, display, and install security errata. These features also make it possible to use Yum to install nothing but security updates.

To check for security-related updates available for your system, enter the following command as root:
~]# yum check-update --security
Loaded plugins: langpacks, product-id, subscription-manager
rhel-7-workstation-rpms/x86_64                              | 3.4 kB  00:00:00
No packages needed for security; 0 packages available
Note that the above command runs in a non-interactive mode, so it can be used in scripts for automated checking of whether any updates are available. The command returns an exit value of 100 when there are any security updates available and 0 when there are not. On encountering an error, it returns 1.
Analogously, use the following command to only install security-related updates:
~]# yum update --security
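Because yum check-update --security reports its result through the exit status, a script written with set -e aborts on exit status 100, which is exactly the case that needs handling. The wrapper below is an added example, not code from the guide: it captures the status explicitly, maps the three documented values to a verdict, and only then runs yum update --security. The checker and updater commands are parameters so the logic can be exercised offline with the stand-in functions at the end of the script; the defaults are the two yum commands from this section (with -y added so the update runs unattended).

```shell
#!/bin/sh
# Unattended security-update check: added example, not code from the Red Hat
# Security Guide. "yum check-update --security" exits 100 when security
# updates are available, 0 when none are, and 1 on error; under "set -e" a
# bare call would abort the script on the 100 case, so the status is captured
# explicitly and turned into a verdict before anything else happens.

# classify_check_update STATUS: print a one-word verdict for a yum exit status.
classify_check_update() {
    case $1 in
        0)   printf 'up-to-date\n' ;;
        100) printf 'updates-available\n' ;;
        1)   printf 'error\n' ;;
        *)   printf 'unknown\n' ;;
    esac
}

# run_security_check CMD [ARG...]: run CMD (normally "yum check-update
# --security"), capture its exit status even under "set -e", and print the
# verdict. The "|| status=$?" idiom is what keeps errexit from firing.
run_security_check() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_check_update "$status"
}

# apply_security_updates [CHECKER] [UPDATER]: install security errata only
# when the check says some are available. Returns 0 when the system is
# current afterwards, 2 when the check itself failed or gave an unknown
# status, 3 when the update command failed. CHECKER and UPDATER are single
# words (command names or shell functions) so that stand-ins can replace
# yum when testing; the defaults are the real yum invocations below.
apply_security_updates() {
    checker=${1:-yum_security_check}
    updater=${2:-yum_security_update}
    verdict=$(run_security_check "$checker")
    case $verdict in
        up-to-date)        return 0 ;;
        updates-available) "$updater" || return 3; return 0 ;;
        *)                 return 2 ;;
    esac
}

# Default checker and updater wrapping the commands from this section.
yum_security_check()  { yum check-update --security; }
yum_security_update() { yum -y update --security; }

# Stand-ins that reproduce the three documented exit statuses, used to
# exercise the wrapper on a machine without yum (constructed, not real yum).
stub_updates_available() { return 100; }
stub_up_to_date()        { return 0; }
stub_error()             { return 1; }

# Run with "--apply" (as root) to check and install on the local host.
if [ "${1:-}" = "--apply" ]; then
    if apply_security_updates; then
        echo "security updates: system is current"
    else
        echo "security updates: failed with status $?"
    fi
fi
```

The same capture idiom applies to any tool that uses exit codes other than 0 and 1 as signals; checking $? after the call, or letting set -e treat 100 as a failure, silently turns "updates available" into "script crashed", which is the opposite of what a scheduled check should do.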
Use the updateinfo subcommand to display or act upon information provided by repositories about available updates. The updateinfo subcommand itself accepts a number of commands, some of which pertain to security-related uses. See Table 3.1, “Security-related commands usable with yum updateinfo” for an overview of these commands.
Table 3.1. Security-related commands usable with yum updateinfo

Command: advisory [advisories]
Description: Displays information about one or more advisories. Replace advisories with an advisory number or numbers.

Command: cves
Description: Displays the subset of information that pertains to CVE (Common Vulnerabilities and Exposures).

Command: security or sec
Description: Displays all security-related information.

Command: severity [severity_level] or sev [severity_level]
Description: Displays information about security-relevant packages of the supplied severity_level.

3.1.2. Updating and Installing Packages
When updating software on a system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem but with a different security exploit and release it on the Internet. If this happens, using security measures, such as verifying files against the original RPM, does not detect the exploit. Thus, it is very important to only download RPMs from trusted sources, such as from Red Hat, and to check the package signatures to verify their integrity.
See the Yum chapter of the Red Hat Enterprise Linux 7 System Administrator's Guide for detailed information on how to use the Yum package manager.

3.1.2.1. Verifying Signed Packages
All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. If the verification of a package signature fails, the package may be altered and therefore cannot be trusted.

The Yum package manager allows for an automatic verification of all packages it installs or upgrades. This feature is enabled by default. To configure this option on your system, make sure the gpgcheck configuration directive is set to 1 in the /etc/yum.conf configuration file.
Use the following command to manually verify package files on your file system:
rpmkeys --checksig package_file.rpm
See the Product Signing (GPG) Keys article on the Red Hat Customer Portal for additional information about Red Hat package-signing practices.

3.1.2.2. Installing Signed Packages
To install verified packages (see Section 3.1.2.1, “Verifying Signed Packages” for information on how to verify packages) from your file system, use the yum install command as the root user as follows:
yum install package_file.rpm
Use a shell glob to install several packages at once. For example, the following command installs all .rpm packages in the current directory:
yum install *.rpm
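A script that installs a batch of local .rpm files, as in the two sections above, should gate the yum install step on rpmkeys --checksig rather than run the two commands one after the other, and it must inspect what rpmkeys prints rather than only its exit status: an unsigned package passes the digest check and is reported as OK, so the exit status alone does not establish that any signature was verified. The following is an added example, not code from the guide or from rpm. It assumes the output formats produced by rpm 4.11 on RHEL 7 (for example "rsa sha1 (md5) pgp md5 OK" for a verified signature, "sha1 md5 OK" for an unsigned package, and "NOT OK" with a MISSING KEYS note when the signing key is not imported) and by rpm 4.14 and later ("digests signatures OK"); the package file names and the key ID in the comments are constructed placeholders.

```shell
#!/bin/sh
# Signature-gated local package install: added example, not code from the
# Red Hat Security Guide or from rpm. Runs "rpmkeys --checksig" over a set of
# .rpm files and hands only the verified ones to "yum install".
#
# Assumed rpmkeys output formats (rpm 4.11 on RHEL 7, rpm 4.14+), with a
# constructed file name and a placeholder key ID:
#   example-1.0-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK        verified
#   example-1.0-1.el7.x86_64.rpm: sha1 md5 OK                      UNSIGNED
#   example-1.0-1.el7.x86_64.rpm: RSA sha1 (MD5) PGP MD5 NOT OK (MISSING KEYS: GPG#00000000)
#   example-1.0-1.el7.x86_64.rpm: digests signatures OK            verified (rpm 4.14+)
#   example-1.0-1.el7.x86_64.rpm: digests OK                       UNSIGNED (rpm 4.14+)

# rpm_sig_line_ok LINE: exit 0 only if LINE reports a verified signature.
# A line that ends in "OK" but contains no signature token means rpmkeys
# only checked digests, i.e. the package is unsigned, and it is rejected.
rpm_sig_line_ok() {
    case $1 in
        *" NOT OK"*) return 1 ;;   # digest/signature failure or missing key
        *" OK")      ;;            # passed; still need to see a signature token
        *)           return 1 ;;   # error text, empty, or unexpected output
    esac
    case $1 in
        *" pgp "*|*" gpg "*|*" signatures "*) return 0 ;;
        *) return 1 ;;             # digests only: unsigned package
    esac
}

# verify_rpms FILE...: print the files whose signature verified; exit 0 only
# when every file verified. rpmkeys' own exit status is deliberately ignored
# in favour of its text, for the unsigned-package reason above.
verify_rpms() {
    failed=0
    for f in "$@"; do
        out=$(rpmkeys --checksig "$f" 2>&1) || true
        if rpm_sig_line_ok "$out"; then
            printf '%s\n' "$f"
        else
            printf 'REJECTED: %s\n' "${out:-$f: no output from rpmkeys}" >&2
            failed=1
        fi
    done
    return "$failed"
}

# install_verified FILE...: refuse the whole batch if any file fails, so a
# partial install never happens; otherwise install the verified list.
install_verified() {
    verified=$(verify_rpms "$@") || return 1
    [ -n "$verified" ] || return 1
    # Word-splitting on newlines is intended; file names without spaces assumed.
    yum install $verified
}

# Usage (as root): sh verify-install.sh --install /path/to/*.rpm
if [ "${1:-}" = "--install" ]; then
    shift
    install_verified "$@"
fi
```

The signature check only means something if the Red Hat key (or the key of whoever built the packages) is already imported into the RPM database; with no key imported every signed package is reported as NOT OK with a MISSING KEYS note and the script refuses the batch, which is the safe failure. Keeping gpgcheck=1 in /etc/yum.conf, as described above, gives the same protection for repository installs without any script.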

Important
Before installing any security errata, be sure to read any special instructions contained in the erratum report and execute them accordingly. See Section 3.1.3, “Applying Changes Introduced by Installed Updates” for general instructions about applying changes made by errata updates.

3.1.3. Applying Changes Introduced by Installed Updates
After downloading and installing security errata and updates, it is important to halt the usage of the old software and begin using the new software. How this is done depends on the type of software that has been updated. The following list itemizes the general categories of software and provides instructions for using updated versions after a package upgrade.

Note
In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, this option is not always required, nor is it always available to the system administrator.
Applications
User-space applications are any programs that can be initiated by the user. Typically, such applications are used only when the user, a script, or an automated task utility launches them.
Once such a user-space application is updated, halt any instances of the application on the system, and launch the program again to use the updated version.
Kernel
The kernel is the core software component for the Red Hat Enterprise Linux 7 operating system. It manages access to memory, the processor, and peripherals, and it schedules all tasks.
Because of its central role, the kernel cannot be restarted without also rebooting the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted.
KVM
When the qemu-kvm and libvirt packages are updated, it is necessary to stop all guest virtual machines, reload relevant virtualization modules (or reboot the host system), and restart the virtual machines.
Use the lsmod command to determine which modules from the following are loaded: kvm, kvm-intel, or kvm-amd. Then use the modprobe -r command to remove and subsequently the modprobe -a command to reload the affected modules. For example:
~]# lsmod | grep kvm
kvm_intel             143031  0
kvm                   460181  1 kvm_intel
~]# modprobe -r kvm-intel
~]# modprobe -r kvm
~]# modprobe -a kvm kvm-intel
Shared Libraries
Shared libraries are units of code, such as glibc, that are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using an updated library must be halted and relaunched.
To determine which running applications link against a particular library, use the lsof command:
lsof library
For example, to determine which running applications link against the libwrap.so.0 library, type:
~]# lsof /lib64/libwrap.so.0
COMMAND     PID USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
pulseaudi 12363 test mem   REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6
gnome-set 12365 test mem   REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6
gnome-she 12454 test mem   REG  253,0    42520 34121785 /usr/lib64/libwrap.so.0.7.6
This command returns a list of all the running programs that use TCP wrappers for host-access control. Therefore, any program listed must be halted and relaunched when the tcp_wrappers package is updated.
Note that after the package is upgraded, the old library file is unlinked from the file system but stays mapped by every process that loaded it, so those processes keep running the old, vulnerable code. lsof shows such mappings with (deleted) appended in the NAME column, and the needs-restarting utility from the yum-utils package lists the processes that still use files replaced by an update.
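The check described above can also be done without lsof by reading the memory maps the kernel exposes under /proc. The following script is an added example, not code from the Red Hat guide: it lists the processes that map a given library and separates the ones whose mapping points at a file that an update has already deleted (the ones that still need a restart). The library name, the proc root parameter and the constructed maps lines used in testing are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): find processes that still map a
# given shared library by reading /proc/PID/maps directly, which works even on
# hosts where lsof is not installed. A mapping whose path ends in "(deleted)"
# means the process holds a library file that an update has already replaced
# on disk, so that process is still running the OLD code and must be restarted.
#
# lib_users LIB [PROCROOT]
#   LIB      library name or fragment, e.g. libwrap.so.0 (substring match)
#   PROCROOT root of the proc tree, default /proc (a parameter so the function
#            can be exercised against a constructed tree)
# Output: one "PID path" line per process and mapped file; stale mappings carry
#         the "(deleted)" suffix exactly as the kernel reports them.
lib_users() {
    lib=$1
    root=${2:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        # maps columns: address perms offset dev inode pathname
        # keep only the pathname (field 6 onward) and de-duplicate per process
        awk -v pid="$pid" -v lib="$lib" '
            NF >= 6 && index($0, lib) {
                path = ""
                for (i = 6; i <= NF; i++) path = path (i > 6 ? " " : "") $i
                if (!seen[path]++) print pid, path
            }' "$maps" 2>/dev/null
    done
}

# stale_lib_users LIB [PROCROOT]: only the processes whose mapping of LIB was
# deleted (replaced by an update), i.e. the ones that actually need a restart.
stale_lib_users() {
    lib_users "$1" "$2" | grep '(deleted)$'
}

# Live use on a host, after "yum update openssl-libs":
#   stale_lib_users libcrypto.so
```

Run as root, because /proc/PID/maps of other users' processes is not readable otherwise; an empty result from stale_lib_users after an update is the condition you want before declaring the host patched.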
systemd Services
systemd services are persistent server programs usually launched during the boot process. Examples of systemd services include sshd or vsftpd.
Because these programs usually persist in memory as long as a machine is running, each updated systemd service must be halted and relaunched after its package is upgraded. This can be done as the root user using the systemctl command:
systemctl restart service_name
Replace service_name with the name of the service you want to restart, such as sshd.
Other Software
Follow the instructions outlined by the resources linked below to correctly update the following applications.
Red Hat Directory Server — See the Release Notes for the version of the Red Hat Directory Server in question at https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/.
Red Hat Enterprise Virtualization Manager — See the Installation Guide for the version of the Red Hat Enterprise Virtualization in question at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/.

3.2. Using the Red Hat Customer Portal
The Red Hat Customer Portal at https://access.redhat.com/ is the main customer-oriented resource for official information related to Red Hat products. You can use it to find documentation, manage your subscriptions, download products and updates, open support cases, and learn about security updates.

3.2.1. Viewing Security Advisories on the Customer Portal
To view security advisories (errata) relevant to the systems for which you have active subscriptions, log into the Customer Portal at https://access.redhat.com/ and click on the Download Products & Updates button on the main page. When you enter the Software & Download Center page, continue by clicking on the Errata button to see a list of advisories pertinent to your registered systems.
To browse a list of all security updates for all active Red Hat products, go to Security → Security Updates → Active Products using the navigation menu at the top of the page.
Click on the erratum code in the left part of the table to display more detailed information about the individual advisories. The next page contains not only a description of the given erratum, including its causes, consequences, and required fixes, but also a list of all packages that the particular erratum updates along with instructions on how to apply the updates. The page also includes links to relevant references, such as related CVEs.

3.2.2. Navigating CVE Customer Portal Pages
The CVE (Common Vulnerabilities and Exposures) project, maintained by The MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. To browse a list of CVEs that pertain to Red Hat products on the Customer Portal, log into your account at https://access.redhat.com/ and navigate to Security → Resources → CVE Database using the navigation menu at the top of the page.
Click on the CVE code in the left part of the table to display more detailed information about the individual vulnerabilities. The next page contains not only a description of the given CVE but also a list of affected Red Hat products along with links to relevant Red Hat errata.

3.2.3. Understanding Issue Severity Classification
All security issues discovered in Red Hat products are assigned an impact rating by Red Hat Product Security according to the severity of the problem. The four-point scale consists of the following levels: Low, Moderate, Important, and Critical. In addition to that, every security issue is rated using the Common Vulnerability Scoring System (CVSS) base scores.
Together, these ratings help you understand the impact of security issues, allowing you to schedule and prioritize upgrade strategies for your systems. Note that the ratings reflect the potential risk of a given vulnerability, which is based on a technical analysis of the bug, not the current threat level. This means that the security impact rating does not change if an exploit is released for a particular flaw.
To see a detailed description of the individual levels of severity ratings on the Customer Portal, visit the Severity Ratings page.

3.3. Additional Resources
For more information about security updates, ways of applying them, the Red Hat Customer Portal, and related topics, see the resources listed below.

Installed Documentation
yum(8) — The manual page for the Yum package manager provides information about the way Yum can be used to install, update, and remove packages on your systems.
rpmkeys(8) — The manual page for the rpmkeys utility describes the way this program can be used to verify the authenticity of downloaded packages.

Online Documentation
Red Hat Enterprise Linux 7 System Administrator's Guide — The System Administrator's Guide for Red Hat Enterprise Linux 7 documents the use of the Yum and rpm commands that are used to install, update, and remove packages on Red Hat Enterprise Linux 7 systems.
Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide — The SELinux User's and Administrator's Guide for Red Hat Enterprise Linux 7 documents the configuration of the SELinux mandatory access control mechanism.

Red Hat Customer Portal
Red Hat Customer Portal, Security — The Security section of the Customer Portal contains links to the most important resources, including the Red Hat CVE database, and contacts for Red Hat Product Security.
Red Hat Security Blog — Articles about the latest security-related issues from Red Hat security professionals.

See Also
Chapter 2, Security Tips for Installation describes how to configure your system securely from the beginning to make it easier to implement additional security settings later.
Section 4.10.2, “Creating GPG Keys” describes how to create a set of personal GPG keys to authenticate your communications.

Chapter 4. Hardening Your System with Tools and Services
4.1. Desktop Security
Red Hat Enterprise Linux 7 offers several ways for hardening the desktop against attacks and preventing unauthorized accesses. This section describes recommended practices for user passwords, session and account locking, and safe handling of removable media.

4.1.1. Password Security
Passwords are the primary method that Red Hat Enterprise Linux 7 uses to verify a user's identity. This is why password security is so important for protection of the user, the workstation, and the network.
For security purposes, the installation program configures the system to use Secure Hash Algorithm 512 (SHA512) and shadow passwords. It is highly recommended that you do not alter these settings.
If shadow passwords are deselected during installation, all passwords are stored as a one-way hash in the world-readable /etc/passwd file, which makes the system vulnerable to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, he can copy the /etc/passwd file to his own machine and run any number of password cracking programs against it. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.
Shadow passwords eliminate this type of attack by storing the password hashes in the file /etc/shadow, which is readable only by the root user.
This forces a potential attacker to attempt password cracking remotely by logging into a network service on the machine, such as SSH or FTP. This sort of brute-force attack is much slower and leaves an obvious trail as hundreds of failed login attempts are written to system files. Of course, if the cracker starts an attack in the middle of the night on a system with weak passwords, the cracker may have gained access before dawn and edited the log files to cover his tracks.
In addition to format and storage considerations is the issue of content. The single most important thing a user can do to protect his account against a password cracking attack is create a strong password.

Note
Red Hat recommends using a central authentication solution, such as Red Hat Identity Management (IdM). Using a central solution is preferred over using local passwords. For details, see:
Introduction to Red Hat Identity Management
Defining Password Policies
4.1.1.1. Creating Strong Passwords
When creating a secure password, the user must remember that long passwords are stronger than short and complex ones. It is not a good idea to create a password of just eight characters, even if it contains digits, special characters and uppercase letters. Password cracking tools, such as John The Ripper, are optimized for breaking such passwords, which are also hard to remember by a person.
In information theory, entropy is the level of uncertainty associated with a random variable and is presented in bits. The higher the entropy value, the more secure the password is. According to NIST SP 800-63-1, passwords that are not present in a dictionary comprised of 50000 commonly selected passwords should have at least 10 bits of entropy. As such, a password that consists of four random words contains around 40 bits of entropy. A long password consisting of multiple words for added security is also called a passphrase, for example:
randomword1 randomword2 randomword3 randomword4
If the system enforces the use of uppercase letters, digits, or special characters, the passphrase that follows the above recommendation can be modified in a simple way, for example by changing the first character to uppercase and appending "1!". Note that such a modification does not increase the security of the passphrase significantly.
Another way to create a password yourself is using a password generator. The pwmake is a command-line tool for generating random passwords that consist of all four groups of characters – uppercase, lowercase, digits and special characters. The utility allows you to specify the number of entropy bits that are used to generate the password. The entropy is pulled from /dev/urandom. The minimum number of bits you can specify is 56, which is enough for passwords on systems and services where brute force attacks are rare. 64 bits is adequate for applications where the attacker does not have direct access to the password hash file. For situations when the attacker might obtain direct access to the password hash or the password is used as an encryption key, 80 to 128 bits should be used. If you specify an invalid number of entropy bits, pwmake will use the default number of bits.
To create a password of 128 bits, enter the following command:
pwmake 128
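The entropy arithmetic above (10 bits per word from a roughly 1000-word list, so about 40 bits for four words) and the way pwmake draws randomness from /dev/urandom can be reproduced in a few lines of shell. The script below is an added example and is not part of the Red Hat guide or of pwmake; the word-file parameter, the function names and the constructed eight-word list used to test it are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: generate a passphrase of K words
# drawn from a word list and state its entropy, the way the text above reasons
# about "four random words". Each word chosen uniformly from N candidates
# contributes log2(N) bits, so K words give K*log2(N) bits: with a 1024-word
# list that is the 40 bits quoted above, with a 7776-word list about 51.7.
# Randomness comes from /dev/urandom, as with pwmake; the index is drawn with
# rejection sampling because "random % N" is biased whenever N does not divide
# the range of the random value. WORDFILE is one word per line (for example
# /usr/share/dict/words on a host with the words package installed); the path
# is a parameter so a constructed list can be used.

# passphrase_bits K N: entropy in bits of K words from an N-word list
passphrase_bits() {
    awk -v k="$1" -v n="$2" 'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}

# random_index N: uniform integer in [0, N) from 4 bytes of /dev/urandom
random_index() {
    n=$1
    limit=$(( 4294967296 - 4294967296 % n ))   # largest multiple of n in range
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then echo $(( r % n )); return; fi
        # value fell into the biased tail: discard and draw again
    done
}

# gen_passphrase K WORDFILE: prints K random words separated by spaces, and the
# resulting entropy on stderr
gen_passphrase() {
    k=$1; file=$2
    n=$(grep -c . "$file")          # number of non-empty lines
    out=""
    i=0
    while [ "$i" -lt "$k" ]; do
        idx=$(random_index "$n")
        word=$(grep . "$file" | sed -n "$((idx + 1))p")
        out="$out${out:+ }$word"
        i=$((i + 1))
    done
    echo "$out"
    echo "entropy: $(passphrase_bits "$k" "$n") bits" >&2
}

# Typical call on a host with the words package:
#   gen_passphrase 4 /usr/share/dict/words
```

The entropy figure is only valid if every word was chosen uniformly and independently, which is why the generator rejects random values in the biased tail instead of reducing them modulo N; a hand-picked "random" phrase has no such guarantee.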
While there are different approaches to creating a secure password, always avoid the following bad practices:
Using a single dictionary word, a word in a foreign language, an inverted word, or only numbers.
Using less than 10 characters for a password or passphrase.
Using a sequence of keys from the keyboard layout.
Writing down your passwords.
Using personal information in a password, such as birth dates, anniversaries, family member names, or pet names.
Using the same passphrase or password on multiple machines.
While creating secure passwords is imperative, managing them properly is also important, especially for system administrators within larger organizations. The following section details good practices for creating and managing user passwords within an organization.

4.1.1.2. Forcing Strong Passwords
If an organization has a large number of users, the system administrators have two basic options available to force the use of strong passwords. They can create passwords for the user, or they can let users create their own passwords while verifying the passwords are of adequate strength.
Creating the passwords for the users ensures that the passwords are good, but it becomes a daunting task as the organization grows. It also increases the risk of users writing their passwords down, thus exposing them.
For these reasons, most system administrators prefer to have the users create their own passwords, but actively verify that these passwords are strong enough. In some cases, administrators may force users to change their passwords periodically through password aging.
When users are asked to create or change passwords, they can use the passwd command-line utility, which is PAM-aware (Pluggable Authentication Modules) and checks to see if the password is too short or otherwise easy to crack. This checking is performed by the pam_pwquality.so PAM module.

Note
In Red Hat Enterprise Linux 7, the pam_pwquality PAM module replaced pam_cracklib, which was used in Red Hat Enterprise Linux 6 as a default module for password quality checking. It uses the same back end as pam_cracklib.
The pam_pwquality module is used to check a password's strength against a set of rules. Its procedure consists of two steps: first it checks if the provided password is found in a dictionary. If not, it continues with a number of additional checks. pam_pwquality is stacked alongside other PAM modules in the password component of the /etc/pam.d/passwd file, and the custom set of rules is specified in the /etc/security/pwquality.conf configuration file. For a complete list of these checks, see the pwquality.conf(8) manual page.

Example 4.1. Configuring password strength-checking in pwquality.conf
To enable using pam_pwquality, add the following line to the password stack in the /etc/pam.d/passwd file:
password    required    pam_pwquality.so retry=3
Options for the checks are specified one per line. For example, to require a password with a minimum length of 8 characters, including all four classes of characters, add the following lines to the /etc/security/pwquality.conf file:
minlen = 8
minclass = 4
To set a password strength-check for character sequences and same consecutive characters, add the following lines to /etc/security/pwquality.conf:
maxsequence = 3
maxrepeat = 3
In this example, the password entered cannot contain more than 3 characters in a monotonic sequence, such as abcd, and more than 3 identical consecutive characters, such as 1111.

Note
As the root user is the one who enforces the rules for password creation, they can set any password for themselves or for a regular user, despite the warning messages.
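To see what the four settings in Example 4.1 actually reject, the following script re-implements the minlen, minclass, maxrepeat and maxsequence rules in plain shell and runs candidate passwords through them. It is an added example and not code from the Red Hat guide or from libpwquality; the threshold variables simply mirror the example configuration, and the function names are assumptions. On a real host the authoritative check is pwscore, which reads /etc/security/pwquality.conf and scores a password supplied on standard input.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: a plain-shell re-implementation
# of four pam_pwquality rules (minlen, minclass, maxrepeat, maxsequence) so the
# effect of the /etc/security/pwquality.conf settings above can be seen on
# sample passwords without touching PAM. The real checks live in libpwquality.
# Thresholds match Example 4.1; they are hypothetical constants of this script.
LC_ALL=C; export LC_ALL      # make [a-z]/[A-Z] ranges mean ASCII only
MINLEN=8
MINCLASS=4
MAXREPEAT=3
MAXSEQUENCE=3

# char_classes PW: number of distinct classes (lower, upper, digit, other) used
char_classes() {
    n=0
    case $1 in *[a-z]*) n=$((n + 1));; esac
    case $1 in *[A-Z]*) n=$((n + 1));; esac
    case $1 in *[0-9]*) n=$((n + 1));; esac
    case $1 in *[!a-zA-Z0-9]*) n=$((n + 1));; esac
    echo "$n"
}

# longest_repeat PW: length of the longest run of one repeated character.
# Bytes are fed through od so awk can compare them without an ord() function.
longest_repeat() {
    printf '%s' "$1" | od -An -v -tu1 | awk '{
        for (i = 1; i <= NF; i++) {
            run = (n > 0 && $i == prev) ? run + 1 : 1
            if (run > best) best = run
            prev = $i; n++
        }
    } END { print best + 0 }'
}

# longest_sequence PW: length of the longest run whose character codes go up
# or down by exactly one each step, e.g. "abcd" or "4321" (monotonic sequence)
longest_sequence() {
    printf '%s' "$1" | od -An -v -tu1 | awk '{
        for (i = 1; i <= NF; i++) {
            d = (n > 0) ? $i - prev : 0
            if ((d == 1 || d == -1) && d == dir) run++
            else if (d == 1 || d == -1) { run = 2; dir = d }
            else { run = 1; dir = 0 }
            if (run > best) best = run
            prev = $i; n++
        }
    } END { print best + 0 }'
}

# check_password PW: print every violated rule; exit 0 only if none is violated
check_password() {
    pw=$1; rc=0
    if [ "${#pw}" -lt "$MINLEN" ]; then
        echo "too short: ${#pw} < minlen $MINLEN"; rc=1
    fi
    if [ "$(char_classes "$pw")" -lt "$MINCLASS" ]; then
        echo "too few character classes: $(char_classes "$pw") < minclass $MINCLASS"; rc=1
    fi
    if [ "$(longest_repeat "$pw")" -gt "$MAXREPEAT" ]; then
        echo "repeated character run longer than maxrepeat $MAXREPEAT"; rc=1
    fi
    if [ "$(longest_sequence "$pw")" -gt "$MAXSEQUENCE" ]; then
        echo "monotonic sequence longer than maxsequence $MAXSEQUENCE"; rc=1
    fi
    return "$rc"
}

# Example: check_password 'abcd1234' reports two violations (classes, sequence)
```

The dictionary check that pam_pwquality performs first is deliberately not reproduced here: it needs the cracklib word lists, and a password that passes all four structural rules can still be rejected because it appears in them.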

4.1.1.3. Configuring Password Aging
Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a specified period (usually 90 days), the user is prompted to create a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down.
To specify password aging under Red Hat Enterprise Linux 7, make use of the chage command.

Important
In Red Hat Enterprise Linux 7, shadow passwords are enabled by default. For more information, see the Red Hat Enterprise Linux 7 System Administrator's Guide.
The -M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command:
chage -M 90 username
In the above command, replace username with the name of the user. To disable password expiration, use the value of -1 after the -M option.
For more information on the options available with the chage command, see the table below.
Table 4.1. chage command line options
Option    Description
-d days   Specifies the number of days since January 1, 1970 the password was changed.
-E date   Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
-I days   Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
-l        Lists current account aging settings.
-m days   Specifies the minimum number of days between password changes. If the value is 0, the user may change the password at any time.
-M days   Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
-W days   Specifies the number of days before the password expiration date to warn the user.

You can also use the chage command in interactive mode to modify multiple password aging and account details. Use the following command to enter interactive mode:
chage username
The following is a sample interactive session using this command:
~]# chage juan
Changing the aging information for juan
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 90
Last Password Change (YYYY-MM-DD) [2006-08-18]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
You can configure a password to expire the first time a user logs in. This forces users to change passwords immediately.
1. Set up an initial password. To assign a default password, enter the following command at a shell prompt as root:
passwd username

Warning
The passwd utility has the option to set a null password. Using a null password, while convenient, is a highly insecure practice, as any third party can log in and access the system using the insecure user name. Avoid using null passwords wherever possible. If it is not possible, always make sure that the user is ready to log in before unlocking an account with a null password.
2. Force immediate password expiration by running the following command as root:
chage -d 0 username
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
Upon the initial log in, the user is now prompted for a new password.
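Everything chage sets ends up as numeric fields in /etc/shadow, and auditing those fields across all accounts is how an administrator verifies that an aging policy is really in force. The script below is an added example, not code from the Red Hat guide or from the shadow-utils package: it evaluates one shadow line against a given day number using the field meanings in shadow(5), including the lastchange value of 0 that chage -d 0 writes. The constructed shadow lines in the test and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: evaluate the aging fields that
# chage writes into /etc/shadow, so an administrator can audit which accounts
# are about to expire, must change their password at next login (lastchange 0,
# as set by "chage -d 0"), or are already locked by the inactivity period.
# Field layout from shadow(5):
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# with lastchange and expire counted in days since 1970-01-01. TODAY is the
# current day number (days_since_epoch "$(date +%F)" on a live host) and is an
# explicit parameter so the function can be tested against constructed lines.

# days_since_epoch YYYY-MM-DD: day number in the form chage -d / -E use (GNU date)
days_since_epoch() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# shadow_status SHADOWLINE TODAY
# prints one of: ok, must-change, password-expired, locked-inactive, account-expired
shadow_status() {
    line=$1; today=$2
    IFS=: read -r name hash last min max warn inact expire _ <<EOF
$line
EOF
    # account expiry date (chage -E) overrides every password rule
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return
    fi
    # an empty lastchange field disables aging entirely (shadow(5))
    if [ -z "$last" ]; then echo ok; return; fi
    # lastchange 0 is the "change at next login" marker written by chage -d 0
    if [ "$last" -eq 0 ]; then echo must-change; return; fi
    # empty max, or the 99999 default, means the password never expires
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo ok; return; fi
    if [ "$today" -lt $(( last + max )) ]; then echo ok; return; fi
    # past maximum age: the inactivity period decides between forced change
    # at login and an outright lock
    if [ -n "$inact" ] && [ "$inact" -ge 0 ] && [ "$today" -ge $(( last + max + inact )) ]; then
        echo locked-inactive; return
    fi
    echo password-expired
}

# Audit every local account on a live host (run as root, /etc/shadow is 0000):
#   today=$(days_since_epoch "$(date +%F)")
#   while IFS= read -r l; do echo "${l%%:*} $(shadow_status "$l" "$today")"; done < /etc/shadow
```

Accounts that report ok with max of 99999 are the ones the -M 90 policy above was never applied to; that is the usual finding on systems where aging was configured per user instead of through /etc/login.defs.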

4.1.2. Account Locking
In Red Hat Enterprise Linux 7, the pam_faillock PAM module allows system administrators to lock out user accounts after a specified number of failed attempts. Limiting user login attempts serves mainly as a security measure that aims to prevent possible brute force attacks targeted to obtain a user's account password.
With the pam_faillock module, failed login attempts are stored in a separate file for each user in the /var/run/faillock directory.

Note
The order of lines in the failed attempt log files is important. Any change in this order can lock all user accounts, including the root user account when the even_deny_root option is used.
Follow these steps to configure account locking:
1. To lock out any non-root user after three unsuccessful attempts and unlock that user after 10 minutes, add two lines to the auth section of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. After your edits, the entire auth section in both files should look like this:
1 auth        required      pam_env.so
2 auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
3 auth        sufficient    pam_unix.so nullok try_first_pass
4 auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
5 auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
6 auth        required      pam_deny.so
Lines number 2 and 4 have been added.
2. Add the following line to the account section of both files specified in the previous step:
account     required      pam_faillock.so
3. To apply account locking for the root user as well, add the even_deny_root option to the pam_faillock entries in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600
account     required      pam_faillock.so
When user john attempts to log in for the fourth time after failing to log in three times previously, his account is locked upon the fourth attempt:
[yruseva@localhost ~]$ su - john
Account locked due to 3 failed logins
su: incorrect password
To prevent the system from locking users out even after multiple failed logins, add the following line just above the line where pam_faillock is called for the first time in both /etc/pam.d/system-auth and /etc/pam.d/password-auth. Also replace user1, user2, and user3 with the actual user names.
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
To view the number of failed attempts per user, run, as root, the following command:
[root@localhost ~]# faillock
john:
When                Type  Source                                           Valid
2013-03-05 11:44:14 TTY   pts/0                                                V
To unlock a user's account, run, as root, the following command:
faillock --user username --reset

Keeping Custom Settings with authconfig
When modifying authentication configuration using the authconfig utility, the system-auth and password-auth files are overwritten with the settings from the authconfig utility. This can be avoided by creating symbolic links in place of the configuration files, which authconfig recognizes and does not overwrite. In order to use custom settings in the configuration files and authconfig simultaneously, configure account locking using the following steps:
1. Check whether the system-auth and password-auth files are already symbolic links pointing to system-auth-ac and password-auth-ac (this is the system default):
~]# ls -l /etc/pam.d/{password,system}-auth
If the output is similar to the following, the symbolic links are in place, and you can skip to step number 3:

lrwxrwxrwx. 1 root root 16 24. Feb 09.29 /etc/pam.d/password-auth -> password-auth-ac
lrwxrwxrwx. 1 root root 28 24. Feb 09.29 /etc/pam.d/system-auth -> system-auth-ac
If the system-auth and password-auth files are not symbolic links, continue with the next step.
2. Rename the configuration files:
~]# mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
~]# mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
3. Create configuration files with your custom settings:
~]# vi /etc/pam.d/system-auth-local
The /etc/pam.d/system-auth-local file should contain the following lines:
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        include       system-auth-ac
auth        [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600

account     required      pam_faillock.so
account     include       system-auth-ac

password    include       system-auth-ac

session     include       system-auth-ac

~]# vi /etc/pam.d/password-auth-local
The /etc/pam.d/password-auth-local file should contain the following lines:
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        include       password-auth-ac
auth        [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600

account     required      pam_faillock.so
account     include       password-auth-ac

password    include       password-auth-ac

session     include       password-auth-ac

4. Create the following symbolic links:
~]# ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
~]# ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth

For more information on various pam_faillock configuration options, see the pam_faillock(8) manual page.
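Both procedures above, the direct edit of system-auth and password-auth and the authconfig-safe system-auth-local variant, depend on the same ordering: the preauth line before pam_unix.so, the authfail line after it, an account line present, and identical deny and unlock_time values on both auth lines. The following script is an added example, not code from the Red Hat guide or from pam_faillock, that checks a PAM file for exactly those properties; the file names, the function name and the constructed PAM stacks used in the test are assumptions of the example, and include directives are not followed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: sanity-check a PAM file such as
# /etc/pam.d/system-auth for the pam_faillock ordering the procedures above rely
# on. Failures are only counted correctly when "preauth" is listed before
# pam_unix.so in the auth stack, "authfail" after it, and an
# "account required pam_faillock.so" line is present; the deny= and
# unlock_time= values on the two auth lines must also agree. A stack without
# even_deny_root is reported as a note, since root then stays exempt.
# "include" lines are not followed: the check looks only at the file it is
# given, so build a merged view first if the lines are split between
# system-auth-local and system-auth-ac.
#
# check_faillock FILE -> prints findings; exit 0 only when the stack is consistent
check_faillock() {
    file=$1
    rc=0
    # line numbers of the relevant entries (comment lines never match $1=="auth")
    preauth=$(awk '$1=="auth" && /pam_faillock\.so/ && /preauth/ {print NR; exit}' "$file")
    unix=$(awk '$1=="auth" && /pam_unix\.so/ {print NR; exit}' "$file")
    authfail=$(awk '$1=="auth" && /pam_faillock\.so/ && /authfail/ {print NR; exit}' "$file")
    account=$(awk '$1=="account" && /pam_faillock\.so/ {print NR; exit}' "$file")

    if [ -z "$preauth" ] || [ -z "$authfail" ]; then
        echo "missing: both a preauth and an authfail pam_faillock.so auth line are required"
        rc=1
    elif [ -z "$unix" ]; then
        echo "missing: no pam_unix.so auth line for the faillock lines to bracket"
        rc=1
    else
        [ "$preauth" -lt "$unix" ] || { echo "order: preauth (line $preauth) must precede pam_unix.so (line $unix)"; rc=1; }
        [ "$authfail" -gt "$unix" ] || { echo "order: authfail (line $authfail) must follow pam_unix.so (line $unix)"; rc=1; }
        # deny= and unlock_time= are read independently by the two module calls,
        # so a typo on one line silently changes the policy
        p=$(sed -n "${preauth}p" "$file" | tr -s '[:blank:]' '\n' | grep -E '^(deny|unlock_time)=' | sort)
        a=$(sed -n "${authfail}p" "$file" | tr -s '[:blank:]' '\n' | grep -E '^(deny|unlock_time)=' | sort)
        [ "$p" = "$a" ] || { echo "mismatch: deny/unlock_time differ between preauth and authfail lines"; rc=1; }
    fi
    [ -n "$account" ] || { echo "missing: account required pam_faillock.so"; rc=1; }
    grep -q even_deny_root "$file" || echo "note: even_deny_root not set, root is exempt from lockout"
    [ "$rc" -eq 0 ] && echo "ok: $file"
    return "$rc"
}

# On a host: check_faillock /etc/pam.d/system-auth; check_faillock /etc/pam.d/password-auth
```

Run it after every authconfig invocation as well: if the symbolic-link arrangement from the previous section was not in place, authconfig has rewritten system-auth and the preauth and authfail lines are simply gone, which this check reports as "missing".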

4.1.3. Session Locking
Users may need to leave their workstation unattended for a number of reasons during everyday operation. This could present an opportunity for an attacker to physically access the machine, especially in environments with insufficient physical security measures (see Section 1.2.1, “Physical Controls”). Laptops are especially exposed since their mobility interferes with physical security. You can alleviate these risks by using session locking features which prevent access to the system until a correct password is entered.

Note
The main advantage of locking the screen instead of logging out is that a lock allows the user's processes (such as file transfers) to continue running. Logging out would stop these processes.

4.1.3.1. Locking Virtual Consoles Using vlock
Users may also need to lock a virtual console. This can be done using a utility called vlock. To install this utility, execute the following command as root:
~]# yum install vlock
After installation, any console session can be locked using the vlock command without any additional parameters. This locks the currently active virtual console session while still allowing access to the others. To prevent access to all virtual consoles on the workstation, execute the following:
vlock -a
In this case, vlock locks the currently active console and the -a option prevents switching to other virtual consoles.
See the vlock(1) man page for additional information.

Important
There are several known issues relevant to the version of vlock currently available for Red Hat Enterprise Linux 7:
The program does not currently allow unlocking consoles using the root password. Additional information can be found in BZ#895066.
Locking a console does not clear the screen and scrollback buffer, allowing anyone with physical access to the workstation to view previously issued commands and any output displayed in the console. See BZ#807369 for more information.

4.1.4. Enforcing Read-Only Mounting of Removable Media
To enforce read-only mounting of removable media (such as USB flash disks), the administrator can use a udev rule to detect removable media and configure them to be mounted read-only using the blockdev utility. This is sufficient for enforcing read-only mounting of physical media.

Using blockdev to Force Read-Only Mounting of Removable Media
To force all removable media to be mounted read-only, create a new udev configuration file named, for example, 80-readonly-removables.rules in the /etc/udev/rules.d/ directory with the following content:
SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev --setro %N"
The above udev rule ensures that any newly connected removable block (storage) device is automatically configured as read-only using the blockdev utility. The flag is set on the block device itself, below the file system layer, so a subsequent attempt to mount the device read-write fails regardless of the mount options used.

Applying New udev Settings
For these settings to take effect, the new udev rules need to be applied. The udev service automatically detects changes to its configuration files, but new settings are not applied to already existing devices. Only newly connected devices are affected by the new settings. Therefore, you need to unmount and unplug all connected removable media to ensure that the new settings are applied to them when they are next plugged in.
To force udev to re-apply all rules to already existing devices, enter the following command as root:
~]# udevadm trigger
Note that forcing udev to re-apply all rules using the above command does not affect any storage devices that are already mounted.
To force udev to reload all rules (in case the new rules are not automatically detected for some reason), use the following command:
~]# udevadm control --reload
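Because the rule only fires for devices connected after it was loaded, a practitioner wants a way to confirm that every removable device currently present actually carries the read-only flag. The script below is an added example and not code from the Red Hat guide: it finds removable block devices through the same sysfs attribute the rule matches on and reads the flag with blockdev --getro. The sysfs root and the command used to read the flag are parameters so the logic can be tested against a constructed tree; those parameters, the function names and the fake devices in the test are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: verify that the udev rule above had
# its intended effect. For every block device whose sysfs "removable" attribute
# is 1 (the attribute the rule matches with ATTRS{removable}=="1"), report
# whether the kernel-level read-only flag that "blockdev --setro" sets is in
# place. The flag is read from the live system with "blockdev --getro"; the
# sysfs root and the reader command are parameters so device discovery and
# reporting can be exercised against a constructed tree.

# removable_devs [SYSROOT]: names of removable block devices, one per line
removable_devs() {
    root=${1:-/sys/block}
    for f in "$root"/*/removable; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = 1 ] || continue
        d=${f%/removable}
        echo "${d##*/}"
    done
}

# audit_removable [SYSROOT] [GETRO]: one "name ro|rw" line per removable device;
# exit 0 only if every removable device is read-only. GETRO is the command that
# prints 1 for a read-only device (default: blockdev --getro).
audit_removable() {
    root=${1:-/sys/block}
    getro=${2:-blockdev --getro}
    rc=0
    for dev in $(removable_devs "$root"); do
        if [ "$($getro "/dev/$dev" 2>/dev/null)" = 1 ]; then
            echo "$dev ro"
        else
            echo "$dev rw"; rc=1     # rule did not apply: device is still writable
        fi
    done
    return "$rc"
}

# On a host, as root (blockdev needs to open the device node):
#   audit_removable || echo "some removable media are writable: run udevadm trigger"
```

A device reported as rw after udevadm trigger is almost always one that was already mounted when the rule was loaded; unmount it, unplug it and reconnect it, then audit again.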

4.2. Controlling Root Access
When administering a home machine, the user must perform some tasks as the root user or by acquiring effective root privileges using a setuid program, such as sudo or su. A setuid program is one that operates with the user ID (UID) of the program's owner rather than the user operating the program. Such programs are denoted by an s in the owner section of a long format listing, as in the following example:
~]$ ls -l /bin/su
-rwsr-xr-x. 1 root root 34904 Mar 10  2011 /bin/su
37

Se c ur it y Guide

No te
The s may be uppe r cas e or lowe r cas e . If it appe ars as uppe r cas e , it me ans that
the unde rlying pe rmis s ion bit has not be e n s e t.
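To check a file's setuid state the way the listing above displays it, here is an added shell example that is not part of the Red Hat guide. It relies only on test(1) and GNU find(1); the lowercase/uppercase distinction it reports is the one described in the note, and the second function produces the setuid inventory an administrator compares against a known-good baseline.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Security Guide.
# setuid_state FILE prints the character "ls -l" would show in the owner
# execute column:
#   s : setuid bit and owner execute bit both set (a working setuid program)
#   S : setuid bit set but owner execute bit clear (the upper-case case from
#       the note: the permission bit underneath has not been set)
#   x : owner execute only, no setuid
#   - : neither
setuid_state() {
    f=$1
    [ -e "$f" ] || return 1
    # "-perm -u=x" matches when the owner execute bit is set; -prune keeps
    # find from descending if FILE happens to be a directory.
    if [ -n "$(find "$f" -prune -perm -u=x)" ]; then uexec=1; else uexec=0; fi
    if [ -u "$f" ]; then
        [ "$uexec" = 1 ] && echo s || echo S
    else
        [ "$uexec" = 1 ] && echo x || echo -
    fi
}

# list_setuid_files DIR prints mode, owner and path of every regular file
# below DIR with the setuid bit set, staying on one file system (-xdev).
list_setuid_files() {
    find "$1" -xdev -type f -perm -4000 -printf '%m %u %p\n' 2>/dev/null
}
```

Run list_setuid_files against / on a freshly installed system and keep the output; a later diff against it shows any new setuid program that appeared on the machine.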
For the system administrator of an organization, however, choices must be made as to how much administrative access users within the organization should have to their machines. Through a PAM module called pam_console.so, some activities normally reserved only for the root user, such as rebooting and mounting removable media, are allowed for the first user that logs in at the physical console. However, other important system administration tasks, such as altering network settings, configuring a new mouse, or mounting network devices, are not possible without administrative privileges. As a result, system administrators must decide how much access the users on their network should receive.

4.2.1. Disallowing Root Access
If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret, and access to runlevel one or single user mode should be disallowed through boot loader password protection (see Section 4.2.5, “Securing the Boot Loader” for more information on this topic).
The following are four different ways that an administrator can further ensure that root logins are disallowed:
Changing the root shell
To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file.
Table 4.2. Disabling the Root Shell
Effects:
  Prevents access to a root shell and logs any such attempts. The following programs are prevented from accessing the root account:
    login
    gdm
    kdm
    xdm
    su
    ssh
    scp
    sftp
Does Not Affect:
  Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root account:
    sudo
    FTP clients
    Email clients

Disabling root access using any console device (tty)
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether through the console or a raw network interface. This is dangerous, because a user can log in to their machine as root using Telnet, which transmits the password in plain text over the network.
By default, Red Hat Enterprise Linux 7's /etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent the root user from logging in, remove the contents of this file by typing the following command at a shell prompt as root:
echo > /etc/securetty
To enable securetty support in the KDM, GDM, and XDM login managers, add the following line:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
to the files listed below:
/etc/pam.d/gdm
/etc/pam.d/gdm-autologin
/etc/pam.d/gdm-fingerprint
/etc/pam.d/gdm-password
/etc/pam.d/gdm-smartcard
/etc/pam.d/kdm
/etc/pam.d/kdm-np
/etc/pam.d/xdm

Warning
A blank /etc/securetty file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication.

Table 4.3. Disabling Root Logins
Effects:
  Prevents access to the root account using the console or the network. The following programs are prevented from accessing the root account:
    login
    gdm
    kdm
    xdm
    Other network services that open a tty
Does Not Affect:
  Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account:
    su
    sudo
    ssh
    scp
    sftp

Disabling root SSH logins
To prevent root logins through the SSH protocol, edit the SSH daemon's configuration file, /etc/ssh/sshd_config, and change the line that reads:
#PermitRootLogin yes
to read as follows:
PermitRootLogin no
Table 4.4. Disabling Root SSH Logins
Effects:
  Prevents root access using the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
    ssh
    scp
    sftp
Does Not Affect:
  Programs that are not part of the OpenSSH suite of tools.
Using PAM to limit root access to services
PAM, through the /lib/security/pam_listfile.so module, allows great flexibility in denying specific accounts. The administrator can use this module to reference a list of users who are not allowed to log in. To limit root access to a system service, edit the file for the target service in the /etc/pam.d/ directory and make sure the pam_listfile.so module is required for authentication.
The following is an example of how the module is used for the vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file (the \ character at the end of the first line is not necessary if the directive is on a single line):
auth       required     /lib/security/pam_listfile.so   item=user \
           sense=deny   file=/etc/vsftpd.ftpusers   onerr=succeed
This instructs PAM to consult the /etc/vsftpd.ftpusers file and deny access to the service for any listed user. The administrator can change the name of this file, and can keep separate lists for each service or use one central list to deny access to multiple services.
If the administrator wants to deny access to multiple services, a similar line can be added to the PAM configuration files, such as /etc/pam.d/pop and /etc/pam.d/imap for mail clients, or /etc/pam.d/ssh for SSH clients.
For more information about PAM, see The Linux-PAM System Administrator's Guide, located in the /usr/share/doc/pam-/html/ directory.
Table 4.5. Disabling Root Using PAM
Effects:
  Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:
    login
    gdm
    kdm
    xdm
    ssh
    scp
    sftp
    FTP clients
    Email clients
    Any PAM aware services
Does Not Affect:
  Programs and services that are not PAM aware.
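The four restrictions above each live in a different file, so verifying them on a fleet means reading those files rather than trusting that the edit was made. The following shell functions are an added example (not part of the Red Hat guide): each takes the path of the file to inspect, so it can be run against a copy pulled from a host, prints "ok" or "weak: <reason>", and returns 1 when the restriction is not in place. The sample inputs in the test are constructed; the checks make the simplifying assumptions noted in the comments (no sshd Match blocks, absolute file= paths in the PAM line).

```shell
#!/bin/sh
# Added example, not part of the Red Hat Security Guide: read-only checks for
# the four root-login restrictions described above.

# 1. Changing the root shell: root's login shell in passwd should be nologin.
check_root_shell() {            # $1 = passwd file
    shell=$(awk -F: '$1 == "root" { print $7 }' "$1")
    case $shell in
        /sbin/nologin|/usr/sbin/nologin) echo ok ;;
        *) echo "weak: root shell is ${shell:-unset}"; return 1 ;;
    esac
}

# 2. securetty: a missing file means root may log in on any tty (including
#    Telnet); an empty file blocks console root logins; otherwise report the
#    devices that remain allowed so they can be reviewed.
check_securetty() {             # $1 = securetty file
    if [ ! -e "$1" ]; then
        echo "weak: $1 missing, root may log in on any device"; return 1
    fi
    devs=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
           | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$devs" ]; then echo ok; else echo "root allowed on: $devs"; fi
}

# 3. sshd_config: the last uncommented PermitRootLogin directive wins. When
#    none is present the daemon default applies, which is not "no", so an
#    absent directive is reported as weak. Match blocks are not evaluated.
check_permit_root_login() {     # $1 = sshd_config file
    val=$(awk 'tolower($1) == "permitrootlogin" { v = tolower($2) } END { print v }' "$1")
    case $val in
        no) echo ok ;;
        *) echo "weak: PermitRootLogin is ${val:-unset}"; return 1 ;;
    esac
}

# 4. pam_listfile: the service's PAM file must carry an
#    "auth required pam_listfile.so ... sense=deny file=<list>" line and root
#    must be in that list. Backslash-continued lines, as in the vsftpd
#    example above, are joined before matching (GNU sed).
check_pam_listfile() {          # $1 = PAM service file (file= paths must be absolute)
    line=$(sed -e ':a' -e '/\\$/N; s/\\\n[[:space:]]*//; ta' "$1" \
           | grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_listfile\.so')
    if [ -z "$line" ]; then
        echo "weak: no 'auth required pam_listfile.so' line"; return 1
    fi
    case $line in
        *sense=deny*) ;;
        *) echo "weak: pam_listfile.so is not configured with sense=deny"; return 1 ;;
    esac
    deny=$(printf '%s\n' "$line" | sed -n 's/.*file=\([^[:space:]]*\).*/\1/p' | head -n 1)
    if [ -n "$deny" ] && [ -f "$deny" ] && grep -qx root "$deny"; then
        echo ok
    else
        echo "weak: root is not listed in ${deny:-the deny file}"; return 1
    fi
}
```

On a live host the arguments would be /etc/passwd, /etc/securetty, /etc/ssh/sshd_config and /etc/pam.d/vsftpd respectively; note that, as Table 4.3 states, an empty securetty still says nothing about SSH, which is why the third check exists separately.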

4.2.2. Allowing Root Access
If the users within an organization are trusted and computer-literate, then allowing them root access may not be an issue. Allowing root access by users means that minor activities, like adding devices or configuring network interfaces, can be handled by the individual users, leaving system administrators free to deal with network security and other important issues.
On the other hand, giving root access to individual users can lead to the following issues:
Machine Misconfiguration — Users with root access can misconfigure their machines and require assistance to resolve issues. Even worse, they might open up security holes without knowing it.
Running Insecure Services — Users with root access might run insecure servers on their machine, such as FTP or Telnet, potentially putting usernames and passwords at risk. These services transmit this information over the network in plain text.
Running Email Attachments As Root — Although rare, email viruses that affect Linux do exist. A malicious program poses the greatest threat when run by the root user.
Keeping the audit trail intact — Because the root account is often shared by multiple users, so that multiple system administrators can maintain the system, it is impossible to figure out which of those users was root at a given time. When using separate logins, the account a user logs in with, as well as a unique number for session tracking purposes, is put into the task structure, which is inherited by every process that the user starts. When using concurrent logins, the unique number can be used to trace actions to specific logins. When an action generates an audit event, it is recorded with the login account and the session associated with that unique number. Use the aulast command to view these logins and sessions. The --proof option of the aulast command can be used to suggest a specific ausearch query to isolate auditable events generated by a particular session. For more information about the Audit system, see Chapter 5, System Auditing.

4.2.3. Limiting Root Access
Rather than completely denying access to the root user, the administrator may want to allow access only through setuid programs, such as su or sudo. For more information on su and sudo, see the Gaining Privileges chapter in Red Hat Enterprise Linux 7 System Administrator's Guide, and the su(1) and sudo(8) man pages.

4.2.4. Enabling Automatic Logouts
When the user is logged in as root, an unattended login session may pose a significant security risk. To reduce this risk, you can configure the system to automatically log out idle users after a fixed period of time.
1. As root, add the following line at the beginning of the /etc/profile file to make sure the processing of this file cannot be interrupted:
trap "" 1 2 3 15
2. As root, insert the following lines into the /etc/profile file to automatically log out after 120 seconds:
export TMOUT=120
readonly TMOUT
The TMOUT variable terminates the shell if there is no activity for the specified number of seconds (set to 120 in the above example). You can change the limit according to the needs of the particular installation.

4.2.5. Securing the Boot Loader
The primary reasons for password protecting a Linux boot loader are as follows:
1. Preventing Access to Single User Mode — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.

Warning
Protecting access to single user mode with a password by editing the SINGLE parameter in the /etc/sysconfig/init file is not recommended. An attacker can bypass the password by specifying a custom initial command (using the init= parameter) on the kernel command line in GRUB 2. It is recommended to password-protect the GRUB 2 boot loader, as described in the Protecting GRUB 2 with a Password chapter in Red Hat Enterprise Linux 7 System Administrator's Guide.
2. Preventing Access to the GRUB 2 Console — If the machine uses GRUB 2 as its boot loader, an attacker can use the GRUB 2 editor interface to change its configuration or to gather information using the cat command.
3. Preventing Access to Insecure Operating Systems — If it is a dual-boot system, an attacker can select an operating system at boot time, for example DOS, which ignores access controls and file permissions.
Red Hat Enterprise Linux 7 includes the GRUB 2 boot loader on the Intel 64 and AMD64 platform. For a detailed look at GRUB 2, see the Working With the GRUB 2 Boot Loader chapter in Red Hat Enterprise Linux 7 System Administrator's Guide.

4.2.5.1. Disabling Interactive Startup
Pressing the I key at the beginning of the boot sequence allows you to start up your system interactively. During an interactive startup, the system prompts you to start up each service one by one. However, this may allow an attacker who gains physical access to your system to disable the security-related services and gain access to the system.
To prevent users from starting up the system interactively, as root, disable the PROMPT parameter in the /etc/sysconfig/init file:
PROMPT=no

4.2.6. Protecting Hard and Symbolic Links
To prevent malicious users from exploiting potential vulnerabilities caused by unprotected hard and symbolic links, Red Hat Enterprise Linux 7 includes a feature that only allows links to be created or followed provided certain conditions are met.
In case of hard links, one of the following needs to be true:
The user owns the file to which they link.
The user already has read and write access to the file to which they link.
In case of symbolic links, processes are only permitted to follow links when outside of world-writeable directories with sticky bits, or one of the following needs to be true:
The process following the symbolic link is the owner of the symbolic link.
The owner of the directory is the same as the owner of the symbolic link.
This protection is turned on by default. It is controlled by the following options in the /usr/lib/sysctl.d/50-default.conf file:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
To override the default settings and disable the protection, create a new configuration file called, for example, 51-no-protect-links.conf in the /etc/sysctl.d/ directory with the following content:
fs.protected_hardlinks = 0
fs.protected_symlinks = 0

Note
Note that in order to override the default system settings, the new configuration file needs to have the .conf extension, and it needs to be read after the default system file (the files are read in lexicographic order, therefore settings contained in a file with a higher number at the beginning of the file name take precedence).
See the sysctl.d(5) manual page for more detailed information about the configuration of kernel parameters at boot using the sysctl mechanism.
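The precedence rule in the note is easy to get wrong (a file named 05-links.conf or a file without the .conf suffix silently loses), so it is worth being able to predict the result before rebooting. The shell functions below are an added example, not part of the Red Hat guide: they model the ordering rules for a set of sysctl.d-style directories given on the command line, so they can be run against copies of the configuration without touching the live kernel. The model is the one stated in the note plus the same-name shadowing rule from sysctl.d(5) (a file in /etc/sysctl.d/ replaces a file of the same name in /usr/lib/sysctl.d/); pass directories in ascending order of priority. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Security Guide: predict the value a
# kernel parameter ends up with after sysctl.d-style processing.

# value_in_file FILE KEY prints the last value assigned to KEY in FILE
# (lines starting with # or ; are comments; "key = value" and "key=value"
# are both accepted, surrounding whitespace is trimmed).
value_in_file() {
    awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ { next }
        NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        }
        END { if (v != "") print v }' "$1"
}

# effective_sysctl KEY DIR... prints the effective value of KEY, or "unset".
# Rule 1: only *.conf files are considered.
# Rule 2: a file of a given name in a later-listed directory shadows the
#         same name in an earlier one (the /etc over /usr/lib rule).
# Rule 3: the surviving files are applied in lexicographic (C locale) order,
#         so a later file overrides an earlier one for the same key.
effective_sysctl() {
    key=$1; shift
    names=$(for d in "$@"; do
                for f in "$d"/*.conf; do
                    if [ -f "$f" ]; then basename "$f"; fi
                done
            done | LC_ALL=C sort -u)
    value=
    for n in $names; do
        chosen=
        for d in "$@"; do
            if [ -f "$d/$n" ]; then chosen="$d/$n"; fi
        done
        v=$(value_in_file "$chosen" "$key")
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "${value:-unset}"
}
```

On a real host, compare effective_sysctl fs.protected_symlinks /usr/lib/sysctl.d /run/sysctl.d /etc/sysctl.d with the output of sysctl fs.protected_symlinks; a mismatch usually means a drop-in file has the wrong suffix or sorts before 50-default.conf.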

4.3. Securing Services
While user access to administrative controls is an important issue for system administrators within an organization, monitoring which network services are active is of paramount importance to anyone who administers and operates a Linux system.
Many services under Red Hat Enterprise Linux 7 are network servers. If a network service is running on a machine, then a server application (called a daemon), is listening for connections on one or more network ports. Each of these servers should be treated as a potential avenue of attack.

4.3.1. Risks To Services
Network services can pose many risks for Linux systems. Below is a list of some of the primary issues:
Denial of Service Attacks (DoS) — By flooding a service with requests, a denial of service attack can render a system unusable as it tries to log and answer each request.
Distributed Denial of Service Attack (DDoS) — A type of DoS attack which uses multiple compromised machines (often numbering in the thousands or more) to direct a coordinated attack on a service, flooding it with requests and making it unusable.
Script Vulnerability Attacks — If a server is using scripts to execute server-side actions, as Web servers commonly do, an attacker can target improperly written scripts. These script vulnerability attacks can lead to a buffer overflow condition or allow the attacker to alter files on the system.
Buffer Overflow Attacks — Services that want to listen on ports 1 through 1023 must start either with administrative privileges or the CAP_NET_BIND_SERVICE capability needs to be set for them. Once a process is bound to a port and is listening on it, the privileges or the capability are often dropped. If the privileges or the capability are not dropped, and the application has an exploitable buffer overflow, an attacker could gain access to the system as the user running the daemon. Because exploitable buffer overflows exist, crackers use automated tools to identify systems with vulnerabilities, and once they have gained access, they use automated rootkits to maintain their access to the system.

Note
The threat of buffer overflow vulnerabilities is mitigated in Red Hat Enterprise Linux 7 by ExecShield, an executable memory segmentation and protection technology supported by x86-compatible uni- and multi-processor kernels. ExecShield reduces the risk of buffer overflow by separating virtual memory into executable and non-executable segments. Any program code that tries to execute outside of the executable segment (such as malicious code injected from a buffer overflow exploit) triggers a segmentation fault and terminates.
ExecShield also includes support for No eXecute (NX) technology on AMD64 platforms and Intel® 64 systems. These technologies work in conjunction with ExecShield to prevent malicious code from running in the executable portion of virtual memory with a granularity of 4KB of executable code, lowering the risk of attack from buffer overflow exploits.

Important
To limit exposure to attacks over the network, all services that are unused should be turned off.

4.3.2. Identifying and Configuring Services
To enhance security, most network services installed with Red Hat Enterprise Linux 7 are turned off by default. There are, however, some notable exceptions:
cups — The default print server for Red Hat Enterprise Linux 7.
cups-lpd — An alternative print server.
xinetd — A super server that controls connections to a range of subordinate servers, such as gssftp and telnet.
sshd — The OpenSSH server, which is a secure replacement for Telnet.
When determining whether to leave these services running, it is best to use common sense and avoid taking any risks. For example, if a printer is not available, do not leave cups running. The same is true for portreserve. If you do not mount NFSv3 volumes or use NIS (the ypbind service), then rpcbind should be disabled. Checking which network services are available to start at boot time is not sufficient. It is recommended to also check which ports are open and listening. Refer to Section 4.4.2, “Verifying Which Ports Are Listening” for more information.

4.3.3. Insecure Services
Potentially, any network service is insecure. This is why turning off unused services is so important. Exploits for services are routinely revealed and patched, making it very important to regularly update packages associated with any network service. See Chapter 3, Keeping Your System Up-to-Date for more information.
Some network protocols are inherently more insecure than others. These include any services that:
Transmit Usernames and Passwords Over a Network Unencrypted — Many older protocols, such as Telnet and FTP, do not encrypt the authentication session and should be avoided whenever possible.
Transmit Sensitive Data Over a Network Unencrypted — Many protocols transmit data over the network unencrypted. These protocols include Telnet, FTP, HTTP, and SMTP. Many network file systems, such as NFS and SMB, also transmit information over the network unencrypted. It is the user's responsibility when using these protocols to limit what type of data is transmitted.
Examples of inherently insecure services include rlogin, rsh, telnet, and vsftpd.
All remote login and shell programs (rlogin, rsh, and telnet) should be avoided in favor of SSH. See Section 4.3.11, “Securing SSH” for more information about sshd.
FTP is not as inherently dangerous to the security of the system as remote shells, but FTP servers must be carefully configured and monitored to avoid problems. See Section 4.3.9, “Securing FTP” for more information about securing FTP servers.
Services that should be carefully implemented and behind a firewall include:
auth
nfs-server
smb and nmb (Samba)
yppasswdd
ypserv
ypxfrd
More information on securing network services is available in Section 4.4, “Securing Network Access”.

4.3.4. Securing rpcbind
The rpcbind service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.

Note
Securing rpcbind only affects NFSv2 and NFSv3 implementations, since NFSv4 no longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then rpcbind is required, and the following section applies.
If running RPC services, follow these basic rules.

4.3.4.1. Protect rpcbind With TCP Wrappers
It is important to use TCP Wrappers to limit which networks or hosts have access to the rpcbind service since it has no built-in form of authentication.
Further, use only IP addresses when limiting access to the service. Avoid using host names, as they can be forged by DNS poisoning and other methods.

4.3.4.2. Protect rpcbind With firewalld
To further restrict access to the rpcbind service, it is a good idea to add firewalld rules to the server and restrict access to specific networks.
Below are two example firewalld rich language commands. The first allows TCP connections to the port 111 (used by the rpcbind service) from the 192.168.0.0/24 network. The second allows TCP connections to the same port from the localhost. All other packets are dropped.
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="192.168.0.0/24" invert="True" drop'
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="tcp" source address="127.0.0.1" accept'
To similarly limit UDP traffic, use the following command:
~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="111" protocol="udp" source address="192.168.0.0/24" invert="True" drop'

Note
Add --permanent to the firewalld rich language commands to make the settings permanent. See Section 4.5, “Using Firewalls” for more information about implementing firewalls.

4.3.5. Securing rpc.mountd
The rpc.mountd daemon implements the server side of the NFS MOUNT protocol, a protocol used by NFS version 2 (RFC 1904) and NFS version 3 (RFC 1813).
If running RPC services, follow these basic rules.

4.3.5.1. Protect rpc.mountd With TCP Wrappers
It is important to use TCP Wrappers to limit which networks or hosts have access to the rpc.mountd service since it has no built-in form of authentication.
Further, use only IP addresses when limiting access to the service. Avoid using host names, as they can be forged by DNS poisoning and other methods.

4.3.5.2. Protect rpc.mountd With firewalld
To further restrict access to the rpc.mountd service, add firewalld rich language rules to the server and restrict access to specific networks.
Below are two example firewalld rich language commands. The first allows mountd connections from the 192.168.0.0/24 network. The second allows mountd connections from the local host. All other packets are dropped.
~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source NOT address="192.168.0.0/24" service name="mountd" drop'
~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="127.0.0.1" service name="mountd" accept'

Note
Add --permanent to the firewalld rich language commands to make the settings permanent. See Section 4.5, “Using Firewalls” for more information about implementing firewalls.

4.3.6. Securing NIS
The Network Information Service (NIS) is an RPC service, called ypserv, which is used in conjunction with rpcbind and other related services to distribute maps of user names, passwords, and other sensitive information to any computer claiming to be within its domain.
A NIS server is comprised of several applications. They include the following:
/usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
/usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
/usr/sbin/ypserv — This is the NIS server daemon.
NIS is somewhat insecure by today's standards. It has no host authentication mechanisms and transmits all of its information over the network unencrypted, including password hashes. As a result, extreme care must be taken when setting up a network that uses NIS. This is further complicated by the fact that the default configuration of NIS is inherently insecure.
It is recommended that anyone planning to implement a NIS server first secure the rpcbind service as outlined in Section 4.3.4, “Securing rpcbind”, then address the following issues, such as network planning.

4.3.6.1. Carefully Plan the Network
Because NIS transmits sensitive information unencrypted over the network, it is important the service be run behind a firewall and on a segmented and secure network. Whenever NIS information is transmitted over an insecure network, it risks being intercepted. Careful network design can help prevent severe security breaches.

4.3.6.2. Use a Password-like NIS Domain Name and Hostname
Any machine within a NIS domain can use commands to extract information from the server without authentication, as long as the user knows the NIS server's DNS host name and NIS domain name.
For instance, if someone either connects a laptop computer into the network or breaks into the network from outside (and manages to spoof an internal IP address), the following command reveals the /etc/passwd map:
ypcat -d  -h  passwd
If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command:
ypcat -d  -h  shadow

Note
If Kerberos is used, the /etc/shadow file is not stored within a NIS map.
To make access to NIS maps harder for an attacker, create a random string for the DNS host name, such as o7hfawtgmhwg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

4.3.6.3. Edit the /var/yp/securenets File
If the /var/yp/securenets file is blank or does not exist (as is the case after a default installation), NIS listens to all networks. One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the appropriate network.
Below is a sample entry from a /var/yp/securenets file:
255.255.255.0     192.168.0.0

Warning
Never start a NIS server for the first time without creating the /var/yp/securenets file.
This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services.
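Before starting ypserv it is useful to confirm which client addresses a securenets file would actually admit. The shell functions below are an added example, not part of the Red Hat guide: they evaluate a securenets-style file (netmask/network pairs as shown above, the "host address" form, comment lines, and the empty-file case) against a client IPv4 address with plain shell arithmetic. As the text notes, the decision is made purely on the source address, so it offers nothing against IP spoofing. The sample file in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Security Guide: check a client
# address against a /var/yp/securenets-style list. IPv4 only.

# ip_to_int DOTTED_QUAD prints the address as a decimal integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# securenets_allows FILE CLIENT_IP prints "allow" or "deny".
securenets_allows() {
    file=$1
    client=$(ip_to_int "$2")
    # Missing or empty file: ypserv answers every network, which is the
    # default state after installation that the text warns about.
    if [ ! -s "$file" ]; then echo allow; return 0; fi
    result=deny
    while read -r mask net rest; do
        case $mask in ''|\#*) continue ;; esac       # blank or comment line
        if [ "$mask" = host ]; then mask=255.255.255.255; fi
        m=$(ip_to_int "$mask")
        n=$(ip_to_int "$net")
        # A client matches when its address and the network agree on every
        # bit set in the netmask.
        if [ $(( client & m )) -eq $(( n & m )) ]; then
            result=allow
            break
        fi
    done < "$file"
    echo "$result"
}
```

Running securenets_allows /var/yp/securenets against a few addresses from outside the intended segment is a quick way to catch an over-broad netmask before the server is exposed.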

4.3.6.4. Assign Static Ports and Use Rich Language Rules
All of the servers related to NIS can be assigned specific ports except for rpc.yppasswdd — the daemon that allows users to change their login passwords. Assigning ports to the other two NIS server daemons, rpc.ypxfrd and ypserv, allows for the creation of firewall rules to further protect the NIS server daemons from intruders.
To do this, add the following lines to /etc/sysconfig/network:
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
The following rich language firewalld rules can then be used to enforce which network the server listens to for these ports:
~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="tcp" drop'
~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="udp" drop'
This means that the server only allows connections to ports 834 and 835 if the requests come from the 192.168.0.0/24 network. The first rule is for TCP and the second for UDP.

Note
See Section 4.5, “Using Firewalls” for more information about implementing firewalls with iptables commands.

4.3.6.5. Use Kerberos Authentication
One of the issues to consider when NIS is used for authentication is that whenever a user logs into a machine, a password hash from the /etc/shadow map is sent over the network. If an intruder gains access to a NIS domain and sniffs network traffic, they can collect user names and password hashes. With enough time, a password cracking program can guess weak passwords, and an attacker can gain access to a valid account on the network.
Since Kerberos uses secret-key cryptography, no password hashes are ever sent over the network, making the system far more secure. See the Logging into IdM Using Kerberos section in the Linux Domain Identity, Authentication, and Policy Guide for more information about Kerberos.

4.3.7. Securing NFS

Important
NFS traffic can be sent using TCP in all versions; TCP should be used with NFSv3 rather than UDP, and it is required when using NFSv4. All versions of NFS support Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module. Information on rpcbind is still included, since Red Hat Enterprise Linux 7 supports NFSv3 which utilizes rpcbind.

4.3.7.1. Carefully Plan the Network
NFSv2 and NFSv3 traditionally passed data insecurely. All versions of NFS now have the ability to authenticate (and optionally encrypt) ordinary file system operations using Kerberos. Under NFSv4 all operations can use Kerberos; under v2 or v3, file locking and mounting still do not use it. When using NFSv4.0, delegations may be turned off if the clients are behind NAT or a firewall. For information on the use of NFSv4.1 to allow delegations to operate through NAT and firewalls, see the pNFS section of the Red Hat Enterprise Linux 7 Storage Administration Guide.

4.3.7.2. Securing NFS Mount Options
The use of the mount command in the /etc/fstab file is explained in the Using the mount Command chapter of the Red Hat Enterprise Linux 7 Storage Administration Guide. From a security administration point of view it is worthwhile to note that the NFS mount options can also be specified in /etc/nfsmount.conf, which can be used to set custom default options.
4.3.7.2.1. Review the NFS Server

Warning
Only export entire file systems. Exporting a subdirectory of a file system can be a security issue. It is possible in some cases for a client to "break out" of the exported part of the file system and get to unexported parts (see the section on subtree checking in the exports(5) man page).
Use the ro option to export the file system as read-only whenever possible to reduce the number of users able to write to the mounted file system. Only use the rw option when specifically required. See the exports(5) man page for more information. Allowing write access increases the risk from symlink attacks for example. This includes temporary directories such as /tmp and /usr/tmp.
Where directories must be mounted with the rw option avoid making them world-writable whenever possible to reduce risk. Exporting home directories is also viewed as a risk as some applications store passwords in clear text or weakly encrypted. This risk is being reduced as application code is reviewed and improved. Some users do not set passwords on their SSH keys so this too means home directories present a risk. Enforcing the use of passwords or using Kerberos would mitigate that risk.
Restrict exports only to clients that need access. Use the showmount -e command on an NFS server to review what the server is exporting. Do not export anything that is not specifically required.
Do not use the no_root_squash option and review existing installations to make sure it is not used. See Section 4.3.7.4, “Do Not Use the no_root_squash Option” for more information.
The secure option is the s e rve r-s ide e xport option us e d to re s trict e xports to “re s e rve d”
ports . By de fault, the s e rve r allows clie nt communication only from “re s e rve d” ports (ports
numbe re d le s s than 1024), be caus e traditionally clie nts have only allowe d “trus te d” code
(s uch as in-ke rne l NFS clie nts ) to us e thos e ports . Howe ve r, on many ne tworks it is not
difficult for anyone to be come root on s ome clie nt, s o it is rare ly s afe for the s e rve r to
as s ume that communication from a re s e rve d port is privile ge d. The re fore the re s triction
to re s e rve d ports is of limite d value ; it is be tte r to re ly on Ke rbe ros , fire walls , and
re s triction of e xports to particular clie nts .
Mos t clie nts s till do us e re s e rve d ports whe n pos s ible . Howe ve r, re s e rve d ports are a
limite d re s ource , s o clie nts (e s pe cially thos e with a large numbe r of NFS mounts ) may
choos e to us e highe r-numbe re d ports as we ll. Linux clie nts may do this us ing the
“nore s vport” mount option. If you want to allow this on an e xport, you may do s o with the
“ins e cure ” e xport option.
It is good practice not to allow us e rs to login to a s e rve r. While re vie wing the above
s e ttings on an NFS s e rve r conduct a re vie w of who and what can acce s s the s e rve r.

Security Guide

4.3.7.2.2. Review the NFS Client
Use the nosuid option to disallow the use of a setuid program. The nosuid option disables the set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program. Use this option on the client and the server side.
The noexec option disables all executable files on the client. Use this to prevent users from inadvertently executing files placed in the file system being shared. The nosuid and noexec options are standard options for most, if not all, file systems.
Use the nodev option to prevent “device-files” from being processed as a hardware device by the client.
The resvport option is a client-side mount option and secure is the corresponding server-side export option (see explanation above). It restricts communication to a "reserved port". The reserved or "well known" ports are reserved for privileged users and processes such as the root user. Setting this option causes the client to use a reserved source port to communicate with the server.
All versions of NFS now support mounting with Kerberos authentication. The mount option to enable this is: sec=krb5.
NFSv4 supports mounting with Kerberos using krb5i for integrity and krb5p for privacy protection. These are used when mounting with sec=krb5, but need to be configured on the NFS server. See the man page on exports (man 5 exports) for more information.
The NFS man page (man 5 nfs) has a “SECURITY CONSIDERATIONS” section which explains the security enhancements in NFSv4 and contains all the NFS specific mount options.

4.3.7.3. Beware of Syntax Errors
The NFS server determines which file systems to export and which hosts to export these directories to by consulting the /etc/exports file. Be careful not to add extraneous spaces when editing this file.
For instance, the following line in the /etc/exports file shares the directory /tmp/nfs/ to the host bob.example.com with read/write permissions.
/tmp/nfs/       bob.example.com(rw)
The following line in the /etc/exports file, on the other hand, shares the same directory to the host bob.example.com with read-only permissions and shares it to the world with read/write permissions due to a single space character after the host name.
/tmp/nfs/       bob.example.com (rw)
It is good practice to check any configured NFS shares by using the showmount command to verify what is being shared:
showmount -e

4.3.7.4. Do Not Use the no_root_squash Option
By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. This changes the owner of all root-created files to nfsnobody, which prevents uploading of programs with the setuid bit set.
If no_root_squash is used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute.
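The server review points above (an options token with no client in front of it, the world-writable result of that typo, no_root_squash, and the insecure export option) can be checked mechanically. The following shell script is an added example and not part of the guide; it reads /etc/exports-style lines on standard input and reports those conditions, using a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the guide): a small /etc/exports audit that flags the
# problems the NFS server review describes. Reads export lines on stdin.
#
# Findings are printed one per line as: TAG PATH TOKEN
#   MISSING-CLIENT  options token with no client in front of it, i.e. the
#                   "bob.example.com (rw)" typo: the options apply to every host
#   WORLD-RW        read/write granted to all hosts ("*" or a bare options token)
#   NO-ROOT-SQUASH  no_root_squash present (remote root keeps its privileges)
#   INSECURE-PORTS  insecure present (clients may connect from non-reserved ports)
audit_exports() {
    awk '
    {
        sub(/#.*/, "")                      # drop comments
        if ($0 ~ /^[[:space:]]*$/) next     # skip empty lines
        path = $1
        for (i = 2; i <= NF; i++) {
            tok = $i
            opts = ""
            host = tok
            # split "client(opt,opt)" into client and ",opt,opt," for easy matching
            if (match(tok, /\(.*\)$/)) {
                opts = "," substr(tok, RSTART + 1, RLENGTH - 2) ","
                host = substr(tok, 1, RSTART - 1)
            }
            if (host == "") {
                printf "MISSING-CLIENT %s %s\n", path, tok
                host = "*"                  # a bare option list applies to all hosts
            }
            if (host == "*" && opts ~ /,rw,/)   printf "WORLD-RW %s %s\n", path, tok
            if (opts ~ /,no_root_squash,/)       printf "NO-ROOT-SQUASH %s %s\n", path, tok
            if (opts ~ /,insecure,/)             printf "INSECURE-PORTS %s %s\n", path, tok
        }
    }'
}

# Constructed sample file (not from a real system). The second entry is the
# single-space typo from the "Beware of Syntax Errors" section.
sample_exports() {
    cat <<'EOF'
# constructed /etc/exports
/tmp/nfs/       bob.example.com(rw)
/tmp/nfs/       bob.example.com (rw)
/srv/data       *(rw,no_root_squash)
/export/home    192.0.2.0/24(rw,insecure)
EOF
}

# Usage on a live server:  audit_exports < /etc/exports
# Demo on the constructed sample:
sample_exports | audit_exports
```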

4.3.7.5. NFS Firewall Configuration
NFSv4 is the default version of NFS for Red Hat Enterprise Linux 7 and it only requires port 2049 to be open for TCP. If using NFSv3 then four additional ports are required as explained below.
Configuring Ports for NFSv3
The ports used for NFS are assigned dynamically by rpcbind, which can cause problems when creating firewall rules. To simplify this process, use the /etc/sysconfig/nfs file to specify which ports are to be used:
MOUNTD_PORT — TCP and UDP port for mountd (rpc.mountd)
STATD_PORT — TCP and UDP port for status (rpc.statd)
LOCKD_TCPPORT — TCP port for nlockmgr (rpc.lockd)
LOCKD_UDPPORT — UDP port for nlockmgr (rpc.lockd)
Port numbers specified must not be used by any other service. Configure your firewall to allow the port numbers specified, as well as TCP and UDP port 2049 (NFS).
Run the rpcinfo -p command on the NFS server to see which ports and RPC programs are being used.

4.3.7.6. Secure NFS with Red Hat Identity Management
Kerberos-aware NFS setup can be greatly simplified in an environment that is using Red Hat Identity Management, which is included in Red Hat Enterprise Linux.
Follow the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide, in particular Setting up a Kerberos-aware NFS Server, to learn how to secure NFS with Kerberos when using Red Hat Identity Management.

4.3.8. Securing the Apache HTTP Server
The Apache HTTP Server is one of the most stable and secure services in Red Hat Enterprise Linux 7. A large number of options and techniques are available to secure the Apache HTTP Server — too numerous to delve into deeply here. The following section briefly explains good practices when running the Apache HTTP Server.
Always verify that any scripts running on the system work as intended before putting them into production. Also, ensure that only the root user has write permissions to any directory containing scripts or CGIs. To do this, enter the following commands as the root user:
chown root
chmod 755

53

Se c ur it y Guide

System administrators should be careful when using the following configuration options (configured in /etc/httpd/conf/httpd.conf):
FollowSymLinks
This directive is enabled by default, so be sure to use caution when creating symbolic links to the document root of the Web server. For instance, it is a bad idea to provide a symbolic link to /.
Indexes
This directive is enabled by default, but may not be desirable. To prevent visitors from browsing files on the server, remove this directive.
UserDir
The UserDir directive is disabled by default because it can confirm the presence of a user account on the system. To enable user directory browsing on the server, use the following directives:
UserDir enabled
UserDir disabled root
These directives activate user directory browsing for all user directories other than /root/. To add users to the list of disabled accounts, add a space-delimited list of users on the UserDir disabled line.
ServerTokens
The ServerTokens directive controls the server response header field which is sent back to clients. It includes various information which can be customized using the following parameters:
ServerTokens Full (default option) — provides all available information (OS type and used modules), for example:
Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens Prod or ServerTokens ProductOnly — provides the following information:
Apache
ServerTokens Major — provides the following information:
Apache/2
ServerTokens Minor — provides the following information:
Apache/2.0
ServerTokens Min or ServerTokens Minimal — provides the following information:
Apache/2.0.41

54

⁠C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

ServerTokens OS — provides the following information:
Apache/2.0.41 (Unix)
It is recommended to use the ServerTokens Prod option so that a possible attacker does not gain any valuable information about your system.

Important
Do not remove the IncludesNoExec directive. By default, the Server-Side Includes (SSI) module cannot execute commands. It is recommended that you do not change this setting unless absolutely necessary, as it could, potentially, enable an attacker to execute commands on the system.

Removing httpd Modules
In certain scenarios, it is beneficial to remove certain httpd modules to limit the functionality of the HTTP Server. To do so, simply comment out the entire line which loads the module you want to remove in the /etc/httpd/conf/httpd.conf file. For example, to remove the proxy module, comment out the following line by prepending it with a hash sign:
#LoadModule proxy_module modules/mod_proxy.so
Note that the /etc/httpd/conf.d/ directory contains configuration files which are used to load modules as well.

httpd and SELinux
For information, see the Apache HTTP Server and SELinux chapter from the Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide.

4.3.9. Securing FTP
The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured.
Red Hat Enterprise Linux 7 provides two FTP servers:
Red Hat Content Accelerator (tux) — A kernel-space Web server with FTP capabilities.
vsftpd — A standalone, security oriented implementation of the FTP service.
The following security guidelines are for setting up the vsftpd FTP service.

4.3.9.1. FTP Greeting Banner
Before submitting a user name and password, all users are presented with a greeting banner. By default, this banner includes version information useful to crackers trying to identify weaknesses in a system.

55

Se c ur it y Guide

To change the greeting banner for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:
ftpd_banner=
Replace the value in the above directive with the text of the greeting message.
For multi-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called /etc/banners/. The banner file for FTP connections in this example is /etc/banners/ftp.msg. Below is an example of what such a file may look like:
######### Hello, all activity on ftp.example.com is logged. #########

Note
It is not necessary to begin each line of the file with 220 as specified in Section 4.4.1, “Securing Services With TCP Wrappers and xinetd”.

To reference this greeting banner file for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:
banner_file=/etc/banners/ftp.msg
It also is possible to send additional banners to incoming connections using TCP Wrappers as described in Section 4.4.1.1, “TCP Wrappers and Connection Banners”.

4.3.9.2. Anonymous Access
The presence of the /var/ftp/ directory activates the anonymous account.
The easiest way to create this directory is to install the vsftpd package. This package establishes a directory tree for anonymous users and configures the permissions on directories to read-only for anonymous users.
By default the anonymous user cannot write to any directories.

Warning
If enabling anonymous access to an FTP server, be aware of where sensitive data is stored.

4.3.9.2.1. Anonymous Upload
To allow anonymous users to upload files, it is recommended that a write-only directory be created within /var/ftp/pub/. To do this, enter the following command as root:
~]# mkdir /var/ftp/pub/upload
Next, change the permissions so that anonymous users cannot view the contents of the directory:
~]# chmod 730 /var/ftp/pub/upload
A long format listing of the directory should look like this:
~]# ls -ld /var/ftp/pub/upload
drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/upload
Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software.
Additionally, under vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file:
anon_upload_enable=YES

4.3.9.3. User Accounts
Because FTP transmits unencrypted user names and passwords over insecure networks for authentication, it is a good idea to deny system users access to the server from their user accounts.
To disable all user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:
local_enable=NO
4.3.9.3.1. Restricting User Accounts
To disable FTP access for specific accounts or specific groups of accounts, such as the root user and those with sudo privileges, the easiest way is to use a PAM list file as described in Section 4.2.1, “Disallowing Root Access”. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.
It is also possible to disable user accounts within each service directly.
To disable specific user accounts in vsftpd, add the user name to /etc/vsftpd/ftpusers.

4.3.9.4. Use TCP Wrappers To Control Access
Use TCP Wrappers to control access to either FTP daemon as outlined in Section 4.4.1, “Securing Services With TCP Wrappers and xinetd”.

4.3.10. Securing Postfix
Postfix is a Mail Transfer Agent (MTA) that uses the Simple Mail Transfer Protocol (SMTP) to deliver electronic messages between other MTAs and to email clients or delivery agents. Although many MTAs are capable of encrypting traffic between one another, most do not, so sending email over any public networks is considered an inherently insecure form of communication. Postfix replaces Sendmail as the default MTA in Red Hat Enterprise Linux 7.
It is recommended that anyone planning to implement a Postfix server address the following issues.

4.3.10.1. Limiting a Denial of Service Attack
Because of the nature of email, a determined attacker can flood the server with mail fairly easily and cause a denial of service. The effectiveness of such attacks can be limited by setting limits on the directives in the /etc/postfix/main.cf file. You can change the value of the directives which are already there or you can add the directives you need with the value you want in the following format:
directive = value
The following is a list of directives that can be used for limiting a denial of service attack:
smtpd_client_connection_rate_limit — The maximum number of connection attempts any client is allowed to make to this service per time unit (described below). The default value is 0, which means a client can make as many connections per time unit as Postfix can accept. By default, clients in trusted networks are excluded.
anvil_rate_time_unit — This time unit is used for rate limit calculations. The default value is 60 seconds.
smtpd_client_event_limit_exceptions — Clients that are excluded from the connection and rate limit commands. By default, clients in trusted networks are excluded.
smtpd_client_message_rate_limit — The maximum number of message deliveries a client is allowed to request per time unit (regardless of whether or not Postfix actually accepts those messages).
default_process_limit — The default maximum number of Postfix child processes that provide a given service. This limit can be overruled for specific services in the master.cf file. By default the value is 100.
queue_minfree — The minimum amount of free space in bytes in the queue file system that is needed to receive mail. This is currently used by the Postfix SMTP server to decide if it will accept any mail at all. By default, the Postfix SMTP server rejects MAIL FROM commands when the amount of free space is less than 1.5 times the message_size_limit. To specify a higher minimum free space limit, specify a queue_minfree value that is at least 1.5 times the message_size_limit. By default the queue_minfree value is 0.
header_size_limit — The maximum amount of memory in bytes for storing a message header. If a header is larger, the excess is discarded. By default the value is 102400.
message_size_limit — The maximum size in bytes of a message, including envelope information. By default the value is 10240000.

4.3.10.2. NFS and Postfix
Never put the mail spool directory, /var/spool/postfix/, on an NFS shared volume. Because NFSv2 and NFSv3 do not maintain control over user and group IDs, two or more users can have the same UID, and receive and read each other's mail.

Note
With NFSv4 using Kerberos, this is not the case, since the RPCSEC_GSS kernel module does not utilize UID-based authentication. However, it is still considered good practice not to put the mail spool directory on NFS shared volumes.

4.3.10.3. Mail-only Users
To help prevent local user exploits on the Postfix server, it is best for mail users to only access the Postfix server using an email program. Shell accounts on the mail server should not be allowed and all user shells in the /etc/passwd file should be set to /sbin/nologin (with the possible exception of the root user).

4.3.10.4. Disable Postfix Network Listening
By default, Postfix is set up to only listen to the local loopback address. You can verify this by viewing the file /etc/postfix/main.cf.
View the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
inet_interfaces = localhost
This ensures that Postfix only accepts mail messages (such as cron job reports) from the local system and not from the network. This is the default setting and protects Postfix from a network attack.
To remove the localhost restriction and allow Postfix to listen on all interfaces, the inet_interfaces = all setting can be used.

4.3.10.5. Configuring Postfix to Use SASL
The Red Hat Enterprise Linux 7 version of Postfix can use the Dovecot or Cyrus SASL implementations for SMTP Authentication (or SMTP AUTH). SMTP Authentication is an extension of the Simple Mail Transfer Protocol. When enabled, SMTP clients are required to authenticate to the SMTP server using an authentication method supported and accepted by both the server and the client. This section describes how to configure Postfix to make use of the Dovecot SASL implementation.
To install the Dovecot POP/IMAP server, and thus make the Dovecot SASL implementation available on your system, issue the following command as the root user:
~]# yum install dovecot
The Postfix SMTP server can communicate with the Dovecot SASL implementation using either a UNIX-domain socket or a TCP socket. The latter method is only needed in case the Postfix and Dovecot applications are running on separate machines. This guide gives preference to the UNIX-domain socket method, which affords better privacy.
In order to instruct Postfix to use the Dovecot SASL implementation, a number of configuration changes need to be performed for both applications. Follow the procedures below to effect these changes.

59

Se c ur it y Guide

Setting Up Dovecot
1. Modify the main Dovecot configuration file, /etc/dovecot/conf.d/10-master.conf, to include the following lines (the default configuration file already includes most of the relevant section, and the lines just need to be uncommented):
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
The above example assumes the use of UNIX-domain sockets for communication between Postfix and Dovecot. It also assumes default settings of the Postfix SMTP server, which include the mail queue located in the /var/spool/postfix/ directory, and the application running under the postfix user and group. In this way, read and write permissions are limited to the postfix user and group.
Alternatively, you can use the following configuration to set up Dovecot to listen for Postfix authentication requests through TCP:
service auth {
  inet_listener {
    port = 12345
  }
}
In the above example, replace 12345 with the number of the port you want to use.
2. Edit the /etc/dovecot/conf.d/10-auth.conf configuration file to instruct Dovecot to provide the Postfix SMTP server with the plain and login authentication mechanisms:
auth_mechanisms = plain login
Setting Up Postfix
In the case of Postfix, only the main configuration file, /etc/postfix/main.cf, needs to be modified. Add or edit the following configuration directives:
1. Enable SMTP Authentication in the Postfix SMTP server:
smtpd_sasl_auth_enable = yes
2. Instruct Postfix to use the Dovecot SASL implementation for SMTP Authentication:
smtpd_sasl_type = dovecot
3. Provide the authentication path relative to the Postfix queue directory (note that the use of a relative path ensures that the configuration works regardless of whether the Postfix server runs in a chroot or not):
smtpd_sasl_path = private/auth

60

⁠C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

This step assumes that you want to use UNIX-domain sockets for communication between Postfix and Dovecot. To configure Postfix to look for Dovecot on a different machine in case you use TCP sockets for communication, use configuration values similar to the following:
smtpd_sasl_path = inet:127.0.0.1:12345
In the above example, 127.0.0.1 needs to be substituted by the IP address of the Dovecot machine and 12345 by the port specified in Dovecot's /etc/dovecot/conf.d/10-master.conf configuration file.
4. Specify SASL mechanisms that the Postfix SMTP server makes available to clients. Note that different mechanisms can be specified for encrypted and unencrypted sessions.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
The above example specifies that during unencrypted sessions, no anonymous authentication is allowed and no mechanisms that transmit unencrypted user names or passwords are allowed. For encrypted sessions (using TLS), only non-anonymous authentication mechanisms are allowed.
See http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options for a list of all supported policies for limiting allowed SASL mechanisms.
Additional Resources
The following online resources provide additional information useful for configuring Postfix SMTP Authentication through SASL.
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL — Contains information on how to set up Postfix to use the Dovecot SASL implementation for SMTP Authentication.
http://www.postfix.org/SASL_README.html#server_sasl — Contains information on how to set up Postfix to use either the Dovecot or Cyrus SASL implementations for SMTP Authentication.
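The main.cf settings covered in Section 4.3.10.1 (rate limits and the 1.5 x message_size_limit rule for queue_minfree), Section 4.3.10.4 (inet_interfaces) and the SASL security options above can be linted before a change is rolled out. The following shell script is an added example and not part of the guide; it assumes the Postfix built-in defaults noted in its comments and works on two constructed main.cf fragments.

```shell
#!/bin/sh
# Added example (not from the guide): lint a Postfix main.cf for the denial-of-service
# limits, network listening and SASL settings discussed in the Postfix sections.

# cf_get CONFIG KEY: value of KEY in main.cf-style text (last assignment wins, as in
# Postfix). Comment lines are skipped; multi-line continuation values are not handled.
cf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, "=") == 0 { next }
        {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }'
}

# audit_postfix CONFIG: print one finding per line; prints nothing for a clean config.
audit_postfix() {
    cfg=$1
    msl=$(cf_get "$cfg" message_size_limit); [ -n "$msl" ] || msl=10240000  # Postfix default
    qmf=$(cf_get "$cfg" queue_minfree);      [ -n "$qmf" ] || qmf=0         # Postfix default
    # The SMTP server already refuses MAIL FROM below 1.5 x message_size_limit, so an
    # explicit queue_minfree only raises the floor if it is at least that large.
    if [ "$qmf" -ne 0 ] && [ $((qmf * 2)) -lt $((msl * 3)) ]; then
        echo "queue_minfree=$qmf is below 1.5 x message_size_limit=$msl and has no effect"
    fi
    for p in smtpd_client_connection_rate_limit smtpd_client_message_rate_limit; do
        v=$(cf_get "$cfg" "$p"); [ -n "$v" ] || v=0                          # 0 = unlimited
        if [ "$v" -eq 0 ]; then
            echo "$p=0: no per-client rate limit (flooding is not throttled)"
        fi
    done
    ii=$(cf_get "$cfg" inet_interfaces)                                      # built-in default: all
    case "$ii" in
        localhost|loopback-only) ;;
        *) echo "inet_interfaces=${ii:-all}: Postfix accepts mail from the network, not only locally" ;;
    esac
    if [ "$(cf_get "$cfg" smtpd_sasl_auth_enable)" = yes ]; then
        opts=$(cf_get "$cfg" smtpd_sasl_security_options)
        case "$opts" in *noplaintext*) ;;
            *) echo "smtpd_sasl_security_options lacks noplaintext: plaintext mechanisms offered without TLS" ;;
        esac
        case "$opts" in *noanonymous*) ;;
            *) echo "smtpd_sasl_security_options lacks noanonymous: anonymous SASL login allowed" ;;
        esac
    fi
    return 0
}

# Constructed main.cf fragments (not from a real host).
WEAK_MAIN_CF='# constructed: listens everywhere, no connection rate limit,
# queue_minfree too low to matter, plaintext SASL allowed without TLS
inet_interfaces = all
message_size_limit = 10240000
queue_minfree = 12000000
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 100
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous'

HARDENED_MAIN_CF='inet_interfaces = localhost
message_size_limit = 10240000
queue_minfree = 15360000
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous'

# Usage on a live server:  audit_postfix "$(cat /etc/postfix/main.cf)"
# Demo on the constructed weak fragment:
audit_postfix "$WEAK_MAIN_CF"
```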

4.3.11. Securing SSH
Secure Shell (SSH) is a powerful network protocol used to communicate with another system over a secure channel. The transmissions over SSH are encrypted and protected from interception. See the OpenSSH chapter of the Red Hat Enterprise Linux 7 System Administrator's Guide for general information about the SSH protocol and about using the SSH service in Red Hat Enterprise Linux 7.

61

Se c ur it y Guide

Important
This section draws attention to the most common ways of securing an SSH setup. By no means should this list of suggested measures be considered exhaustive or definitive. See sshd_config(5) for a description of all configuration directives available for modifying the behavior of the sshd daemon and ssh(1) for an explanation of basic SSH concepts.

4.3.11.1. Cryptographic Login
SSH supports the use of cryptographic keys for logging in to computers. This is much more secure than using only a password. If you combine this method with other authentication methods, it can be considered multi-factor authentication. See Section 4.3.11.2, “Multiple Authentication Methods” for more information about using multiple authentication methods.
In order to enable the use of cryptographic keys for authentication, the PubkeyAuthentication configuration directive in the /etc/ssh/sshd_config file needs to be set to yes. Note that this is the default setting. Set the PasswordAuthentication directive to no to disable the possibility of using passwords for logging in.
SSH keys can be generated using the ssh-keygen command. If invoked without additional arguments, it creates a 2048-bit RSA key set. The keys are stored, by default, in the ~/.ssh/ directory. You can utilize the -b switch to modify the bit-strength of the key. Using 2048-bit keys is normally sufficient. The Configuring OpenSSH chapter in the Red Hat Enterprise Linux 7 System Administrator's Guide includes detailed information about generating key pairs.
You should see the two keys in your ~/.ssh/ directory. If you accepted the defaults when running the ssh-keygen command, then the generated files are named id_rsa and id_rsa.pub and contain the private and public key respectively. You should always protect the private key from exposure by making it unreadable by anyone else but the file's owner. The public key, however, needs to be transferred to the system you are going to log in to. You can use the ssh-copy-id command to transfer the key to the server:
~]$ ssh-copy-id -i [user@]server
This command will also automatically append the public key to the ~/.ssh/authorized_keys file on the server. The sshd daemon will check this file when you attempt to log in to the server.
Similarly to passwords and any other authentication mechanism, you should change your SSH keys regularly. When you do, make sure you remove any unused keys from the authorized_keys file.

4.3.11.2. Multiple Authentication Methods
Using multiple authentication methods, or multi-factor authentication, increases the level of protection against unauthorized access, and as such should be considered when hardening a system to prevent it from being compromised. Users attempting to log in to a system that uses multi-factor authentication must successfully complete all specified authentication methods in order to be granted access.
Use the AuthenticationMethods configuration directive in the /etc/ssh/sshd_config file to specify which authentication methods are to be utilized. Note that it is possible to define more than one list of required authentication methods using this directive. If that is the case, the user must complete every method in at least one of the lists. The lists need to be separated by blank spaces, and the individual authentication-method names within the lists must be comma-separated. For example:
AuthenticationMethods publickey,gssapi-with-mic publickey,keyboard-interactive
An sshd daemon configured using the above AuthenticationMethods directive only grants access if the user attempting to log in successfully completes publickey authentication followed by either gssapi-with-mic or keyboard-interactive authentication.
Note that each of the requested authentication methods needs to be explicitly enabled using a corresponding configuration directive (such as PubkeyAuthentication) in the /etc/ssh/sshd_config file. See the AUTHENTICATION section of ssh(1) for a general list of available authentication methods.
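The two rules above (every method of at least one list must be completed, and each method must be explicitly enabled) can be checked against a configuration before it is deployed. The shell functions below are an added example and not part of the guide; the mapping of method names to sshd_config keywords beyond PubkeyAuthentication and PasswordAuthentication follows sshd_config(5), and the sshd_config fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): evaluate an sshd AuthenticationMethods value.
# Lists are separated by blanks, methods inside a list by commas, and a login
# succeeds only if every method of at least one list was completed.

# auth_methods_satisfied DIRECTIVE COMPLETED
#   DIRECTIVE: the AuthenticationMethods value
#   COMPLETED: blank-separated methods the client actually completed
# Exit status 0 when access would be granted, 1 otherwise.
auth_methods_satisfied() {
    directive=$1
    completed=" $2 "
    for list in $directive; do                 # one comma-separated list per word
        rest="$list,"
        ok=1
        while [ -n "$rest" ]; do               # walk the methods of this list
            method=${rest%%,*}
            rest=${rest#*,}
            case "$completed" in
                *" $method "*) ;;              # completed
                *) ok=0; break ;;              # one missing method fails the whole list
            esac
        done
        if [ "$ok" -eq 1 ]; then return 0; fi
    done
    return 1
}

# directive_for METHOD: the sshd_config keyword that must be "yes" for the method to
# be usable at all. The guide names PubkeyAuthentication and PasswordAuthentication;
# the other mappings are the standard ones documented in sshd_config(5).
directive_for() {
    case "$1" in
        publickey)            echo PubkeyAuthentication ;;
        password)             echo PasswordAuthentication ;;
        keyboard-interactive) echo ChallengeResponseAuthentication ;;
        gssapi-with-mic)      echo GSSAPIAuthentication ;;
        hostbased)            echo HostbasedAuthentication ;;
        *)                    echo "" ;;
    esac
}

# methods_not_enabled DIRECTIVE CONFIG: print every method named in DIRECTIVE whose
# enabling keyword is not explicitly set to yes in CONFIG (sshd_config text).
methods_not_enabled() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' | sort -u | while read -r method; do
        [ -n "$method" ] || continue
        kw=$(directive_for "$method")
        if [ -z "$kw" ]; then
            echo "$method (unknown method)"
            continue
        fi
        if ! printf '%s\n' "$2" | grep -Eiq "^[[:space:]]*$kw[[:space:]]+yes[[:space:]]*$"; then
            echo "$method ($kw not set to yes)"
        fi
    done
    return 0
}

# Constructed sshd_config fragment (not from a real host): keyboard-interactive is
# requested, but ChallengeResponseAuthentication is off, so that path can never succeed.
SAMPLE_SSHD_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,gssapi-with-mic publickey,keyboard-interactive'
SAMPLE_METHODS="publickey,gssapi-with-mic publickey,keyboard-interactive"

# Demo on the constructed sample
methods_not_enabled "$SAMPLE_METHODS" "$SAMPLE_SSHD_CONFIG"
```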

4.3.11.3. Other Ways of Securing SSH
Protocol Version
Even though the implementation of the SSH protocol supplied with Red Hat Enterprise Linux 7 supports both the SSH-1 and SSH-2 versions of the protocol, only the latter should be used whenever possible. The SSH-2 version contains a number of improvements over the older SSH-1, and the majority of advanced configuration options are only available when using SSH-2.
Users are encouraged to make use of SSH-2 in order to maximize the extent to which the SSH protocol protects the authentication and communication for which it is used. The version or versions of the protocol supported by the sshd daemon can be specified using the Protocol configuration directive in the /etc/ssh/sshd_config file. The default setting is 2.
Key Types
While the ssh-keygen command generates a pair of SSH-2 RSA keys by default, using the -t option, it can be instructed to generate DSA or ECDSA keys as well. The ECDSA (Elliptic Curve Digital Signature Algorithm) offers better performance at the same equivalent symmetric key length. It also generates shorter keys.
Non-Default Port
By default, the sshd daemon listens on TCP port 22. Changing the port reduces the exposure of the system to attacks based on automated network scanning, thus increasing security through obscurity. The port can be specified using the Port directive in the /etc/ssh/sshd_config configuration file. Note also that the default SELinux policy must be changed to allow for the use of a non-default port. You can do this by modifying the ssh_port_t SELinux type by typing the following command as root:
~]# semanage port -a -t ssh_port_t -p tcp port_number
In the above command, replace port_number with the new port number specified using the Port directive.
No Ro o t Lo gin
Provide d that your particular us e cas e doe s not re quire the pos s ibility of logging in as the

63

Se c ur it y Guide

root us e r, you s hould cons ide r s e tting the PermitRootLogin configuration dire ctive to no
in the /etc/ssh/sshd_config file . By dis abling the pos s ibility of logging in as the root
us e r, the adminis trator can audit which us e r runs what privile ge d command afte r the y log
in as re gular us e rs and the n gain root rights .
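The following script is an added example and is not part of the Red Hat guide. It audits an sshd_config file for the points made above: every method named in AuthenticationMethods must be enabled by its own directive, Protocol must be 2 only, PermitRootLogin should be no, and a non-default Port is expected. The configuration it audits is a constructed sample written to a temporary file; pointing audit_sshd_config at /etc/ssh/sshd_config audits a live system. The compiled-in defaults used when a directive is absent are taken from sshd_config(5); PermitRootLogin is conservatively assumed to default to yes, as it does in OpenSSH 6.x.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit an sshd_config file.
# The sample configuration below is constructed, not a real host's file.

# get_opt FILE KEYWORD
# Prints the value of KEYWORD, honouring sshd's rules that keywords are
# case-insensitive and that the first occurrence wins; comment lines are
# skipped and Match blocks are not interpreted (assumption: no Match blocks).
get_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) && !found {
            found = 1
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            print
        }' "$1"
}

# enabling_directive METHOD -> "DIRECTIVE DEFAULT": the sshd_config directive
# that must be "yes" for METHOD to work, and its compiled-in default.
enabling_directive() {
    case "$1" in
        publickey)            echo "PubkeyAuthentication yes" ;;
        password)             echo "PasswordAuthentication yes" ;;
        keyboard-interactive) echo "ChallengeResponseAuthentication yes" ;;
        gssapi-with-mic)      echo "GSSAPIAuthentication no" ;;
        hostbased)            echo "HostbasedAuthentication no" ;;
        *)                    echo "" ;;
    esac
}

# audit_sshd_config FILE -> one finding per line, nothing when all is well
audit_sshd_config() {
    f=$1
    # every method listed in AuthenticationMethods must actually be enabled
    for m in $(get_opt "$f" AuthenticationMethods | tr ' ,' '\n\n' | sort -u); do
        set -- $(enabling_directive "$m")
        if [ -z "$1" ]; then echo "UNKNOWN-METHOD $m"; continue; fi
        v=$(get_opt "$f" "$1"); [ -n "$v" ] || v=$2       # fall back to the default
        [ "$v" = yes ] || echo "METHOD-DISABLED $m ($1=$v)"
    done
    p=$(get_opt "$f" Protocol); [ -n "$p" ] || p=2
    [ "$p" = 2 ] || echo "PROTOCOL $p"
    r=$(get_opt "$f" PermitRootLogin); [ -n "$r" ] || r=yes
    [ "$r" = no ] || echo "ROOT-LOGIN $r"
    port=$(get_opt "$f" Port); [ -n "$port" ] || port=22
    [ "$port" != 22 ] || echo "DEFAULT-PORT"
    return 0
}

# Constructed sample: lists gssapi-with-mic and keyboard-interactive without
# enabling them, keeps root login and the default port.
CFG=$(mktemp); trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# constructed sample sshd_config for the audit, not a real host's file
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,gssapi-with-mic publickey,keyboard-interactive
EOF

audit_sshd_config "$CFG"
```

Running the script on the sample reports both unusable methods (gssapi-with-mic because GSSAPIAuthentication defaults to no, keyboard-interactive because ChallengeResponseAuthentication is explicitly no), the root login and the default port. On a real host, compare the findings with sshd -T, which prints the effective configuration after defaults and Match blocks are applied.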

4.3.12. Securing PostgreSQL
PostgreSQL is an Object-Relational database management system (DBMS). In Red Hat Enterprise Linux 7, the postgresql-server package provides PostgreSQL. If it is not installed, enter the following command as the root user to install it:
~]# yum install postgresql-server
Before you can start using PostgreSQL, you must initialize a database storage area on disk. This is called a database cluster. To initialize a database cluster, use the command initdb, which is installed with PostgreSQL. The desired file system location of your database cluster is indicated by the -D option. For example:
~]$ initdb -D /home/postgresql/db1
The initdb command will attempt to create the directory you specify if it does not already exist. We use the name /home/postgresql/db1 in this example. The /home/postgresql/db1 directory contains all the data stored in the database and also the client authentication configuration file:
~]$ cat pg_hba.conf
# PostgreSQL Client Authentication Configuration File
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local      DATABASE  USER  METHOD  [OPTIONS]
# host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
The following line in the pg_hba.conf file allows any local user to connect over the Unix-domain socket to any database as any database user name, without any authentication at all, because the trust method performs no check:
local   all   all   trust
This is problematic when you use layered applications that create database users and no local users, and in general whenever more than one local account exists. If you do not want to explicitly control all user names on the system, remove this line from the pg_hba.conf file, or replace trust with an authenticating method such as peer (the connecting operating system user must match the requested database user) or md5 (password authentication). The server reads pg_hba.conf in order and uses the first matching record, so place the most restrictive rules first, and reload the server after editing the file.
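The following is an added example, not part of the Red Hat guide: a small checker that flags the risky records discussed above in a pg_hba.conf file, run against a constructed permissive configuration and a constructed hardened one. Both configurations, the database and role names in them, and the address ranges are invented for the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: flag risky pg_hba.conf records.
# Both configurations below are constructed samples.

# pg_hba_findings FILE
# Prints one line per risky record: "TRUST <record>" for any record using the
# trust method (no authentication at all) and "OPEN-ADDRESS <record>" for host
# records that accept connections from every IPv4 or IPv6 address.
pg_hba_findings() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }             # comments and blank lines
        { method = ""; addr = "" }
        $1 == "local" { method = $4 }                     # local  DB USER METHOD
        $1 ~ /^host(ssl|nossl)?$/ {                       # host*  DB USER ADDR METHOD
            addr = $4; method = $5
            if ($5 ~ /^[0-9.]+$/ && NF >= 6) method = $6  # dotted netmask in its own column
        }
        method == "trust" { print "TRUST " $0 }
        addr == "0.0.0.0/0" || addr == "::/0" || addr == "all" { print "OPEN-ADDRESS " $0 }
    ' "$1"
}

WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

# Constructed sample: the kind of configuration the text warns about.
cat > "$WEAK" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   trust
host    all       all   127.0.0.1/32    trust
host    all       all   0.0.0.0/0       md5
EOF

# Constructed sample: same access needs, authenticated and scoped.
# peer ties the socket connection to the matching OS user; md5 requires a
# password; the application database is only reachable over TLS from 10/8.
cat > "$HARDENED" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5
hostssl app       app   10.0.0.0/8      md5
EOF

echo "== weak =="; pg_hba_findings "$WEAK"
echo "== hardened =="; pg_hba_findings "$HARDENED"
```

The weak file yields three findings (two trust records and one record open to the whole IPv4 Internet); the hardened file yields none. The checker deliberately ignores the DATABASE and USER columns, so a trust record scoped to one role is still reported: trust is worth reviewing wherever it appears.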

4.3.13. Securing Docker
Docker is an open source project that automates the deployment of applications inside Linux Containers, and provides the capability to package an application with its runtime dependencies into a container. To make your Docker workflow more secure, see the Red Hat Enterprise Linux Atomic Host 7 Container Security Guide.

4.4. Securing Network Access

4.4.1. Securing Services With TCP Wrappers and xinetd
TCP Wrappers are capable of much more than denying access to services. This section illustrates how they can be used to send connection banners, warn of attacks from particular hosts, and enhance logging functionality. See the hosts_options(5) man page for information about the TCP Wrapper functionality and control language. See the xinetd.conf(5) man page for the available flags, which act as options you can apply to a service.

4.4.1.1. TCP Wrappers and Connection Banners
Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant. You can also control what information about the system is presented to users. To implement a TCP Wrappers banner for a service, use the banner option.
This example implements a banner for vsftpd. To begin, create a banner file. It can be anywhere on the system, but it must have the same name as the daemon. For this example, the file is called /etc/banners/vsftpd and contains the following lines:
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
The %c token supplies a variety of client information, such as the user name and host name, or the user name and IP address, to make the connection even more intimidating.
For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:
vsftpd : ALL : banners /etc/banners/
Note that the banners option names a directory, not a file; TCP Wrappers looks in that directory for a file named after the daemon. The rule only takes effect for services that consult TCP Wrappers, either because they are started by xinetd or because they are linked against libwrap; vsftpd does so when tcp_wrappers=YES is set in /etc/vsftpd/vsftpd.conf.

4.4.1.2. TCP Wrappers and Attack Warnings
If a particular host or network has been detected attacking the server, TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the spawn directive.
In this example, assume that an attacker from the 206.182.68.0/24 network has been detected attempting to attack the server. Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file:
ALL : 206.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
The %d token supplies the name of the service that the attacker was trying to access. Note that the client pattern is written as a net/mask pair: a bare address such as 206.182.68.0 would match only that single host, and a trailing-dot prefix such as 206.182.68. is the other accepted way to match the whole network (see hosts_access(5)). TCP Wrappers replaces shell metacharacters in the expanded %c and %d values with underscores before the command runs, so a hostile reverse-DNS name cannot inject commands into the spawned shell.
To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.

Note
Because the spawn directive executes any shell command, it is a good idea to create a special script to notify the administrator or execute a chain of commands in the event that a particular client attempts to connect to the server.
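The following is an added example, not from the Red Hat guide, of the kind of handler script the note above suggests. It is written to be invoked from a spawn directive such as `ALL : 206.182.68.0/255.255.255.0 : spawn /usr/local/sbin/tcpd-alert %c %d`; the script path, the log file location, the threshold and the client addresses used in the demonstration are all assumptions made for the example. Instead of one notification per connection attempt, it records every attempt and emits a notification only when the same client crosses a threshold, so a port sweep does not flood the administrator.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: spawn handler for TCP Wrappers.
# Assumed deployment: /etc/hosts.deny line
#   ALL : 206.182.68.0/255.255.255.0 : spawn /usr/local/sbin/tcpd-alert %c %d
# with this script installed as /usr/local/sbin/tcpd-alert (assumed path).

THRESHOLD=${THRESHOLD:-3}   # notify on every THRESHOLD-th attempt from one client

# tcpd_alert LOGFILE CLIENT DAEMON
# Appends a timestamped record to LOGFILE and prints an ALERT line when the
# number of records for CLIENT is a multiple of THRESHOLD. The %c and %d
# values arrive already sanitized by TCP Wrappers, but they are still only
# ever used as data here, never re-interpreted by a shell.
tcpd_alert() {
    logfile=$1; client=$2; daemon=$3
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s client=%s daemon=%s\n' "$stamp" "$client" "$daemon" >> "$logfile"
    count=$(grep -cF -- " client=$client " "$logfile")
    if [ $((count % THRESHOLD)) -eq 0 ]; then
        echo "ALERT $client reached $count denied connections (last: $daemon)"
        # A real deployment would page an operator here, e.g. via logger(1) or mail.
    fi
    return 0
}

if [ "$#" -eq 2 ]; then
    # invoked by tcpd with %c and %d: log to the assumed intruder log and exit
    tcpd_alert /var/log/intruder_alert "$1" "$2"
    exit 0
fi

# Demonstration on a constructed log: three attempts from one client.
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
tcpd_alert "$LOG" 206.182.68.10 in.telnetd
tcpd_alert "$LOG" 206.182.68.10 sshd
tcpd_alert "$LOG" 206.182.68.10 vsftpd      # third attempt: prints ALERT
```

Run without arguments, the script exercises the handler against a temporary log and prints one ALERT line after the third attempt from 206.182.68.10; invoked by tcpd with two arguments, it appends to the intruder log and stays silent until the threshold is reached.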

4.4.1.3. TCP Wrappers and Enhanced Logging
If certain types of connections are of more concern than others, the log level can be elevated for that service using the severity option.
For this example, assume that anyone attempting to connect to port 23 (the Telnet port) on an FTP server is an attacker. To denote this, place an emerg flag in the log files instead of the default flag, info, and deny the connection.
To do this, place the following line in /etc/hosts.deny:
in.telnetd : ALL : severity emerg
This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which the default rsyslog configuration in Red Hat Enterprise Linux 7 delivers to every logged-in user (the *.emerg :omusrmsg:* rule) in addition to writing it to the log file.

4.4.2. Verifying Which Ports Are Listening
Unnecessary open ports should be avoided because they increase the attack surface of your system. If you find unexpected open ports in listening state after the system has been in service, it might be a sign of intrusion, and it should be investigated.
Issue the following command as root to determine which ports are listening for connections from the network:
~]# netstat -pan -A inet,inet6 | grep -v ESTABLISHED
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.124.1:53        0.0.0.0:*               LISTEN      1975/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1362/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1355/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1802/master
tcp6       0      0 ::1:111                 :::*                    LISTEN      1/systemd
tcp6       0      0 :::22                   :::*                    LISTEN      1362/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1355/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1802/master
raw6       0      0 :::58                   :::*                    7           791/NetworkManager
You can use the -l option of the netstat command to display only listening server sockets:
~]# netstat -tlnw
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.124.1:53        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:111                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
raw6       0      0 :::58                   :::*                    7

Note that at time of writing, the -l option does not list SCTP servers.
You can also use the ss utility for listing open ports in the listening state. But at time of writing, this way also does not list SCTP servers.
~]# ss -tlw
Netid  State   Recv-Q Send-Q Local Address:Port       Peer Address:Port
udp    UNCONN  0      0          :::ipv6-icmp             :::*
tcp    LISTEN  0      128        *:sunrpc                 *:*
tcp    LISTEN  0      5          192.168.124.1:domain     *:*
tcp    LISTEN  0      128        *:ssh                    *:*
tcp    LISTEN  0      128        127.0.0.1:ipp            *:*
tcp    LISTEN  0      100        127.0.0.1:smtp           *:*
tcp    LISTEN  0      128        ::1:sunrpc               :::*
tcp    LISTEN  0      128        :::ssh                   :::*
tcp    LISTEN  0      128        ::1:ipp                  :::*
tcp    LISTEN  0      100        ::1:smtp                 :::*
Review the output of the command against the services needed on the system, turn off what is not specifically required or authorized, and repeat the check. Sockets bound to 127.0.0.1 or ::1 (ipp and smtp above) are reachable only from the host itself; those bound to 0.0.0.0, * or :: accept connections from every interface and deserve the closest scrutiny. Then proceed to make external checks using the nmap tool from another system connected through the network to the first system. This can be used to verify the rules in firewalld: a port that is listening locally but that nmap reports as filtered is being blocked by the firewall, whereas a port nmap reports as open is reachable from that network.
The following is an example of the command to be issued, as root, from the console of another system to determine which ports are listening for TCP connections from the network:
~]# nmap -sT -O 192.168.122.1
See the nmap(1) and services(5) manual pages for more information.
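The following script is an added example and is not part of the Red Hat guide. It reduces numeric ss output to the sockets that are actually reachable from the network, which is the review step described above: loopback-bound sockets are dropped, wildcard binds are labelled ANY, and each remaining socket is printed with its protocol and address family. The ss output it parses is constructed for the example, not captured from a real host; on a live system feed it the output of ss -tuln.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: list network-reachable listeners
# from "ss -tuln"-style output. The sample output below is constructed.

# exposed_listeners < ss-output
# Reads "Netid State Recv-Q Send-Q Local:Port Peer:Port" lines in numeric form
# and prints "netid family address port" for every listening TCP socket and
# every bound UDP socket whose address is not loopback. Handles both the
# ":::22" form printed by older ss and the "[::]:22" form of newer versions.
exposed_listeners() {
    awk '
        $1 == "Netid" { next }                        # header line
        $1 != "tcp" && $1 != "udp" { next }           # ignore raw and other sockets
        $1 == "tcp" && $2 != "LISTEN" { next }        # only listening TCP sockets
        {
            lp = $5
            port = lp; sub(/.*:/, "", port)           # text after the last colon
            addr = substr(lp, 1, length(lp) - length(port) - 1)
            gsub(/\[|\]/, "", addr)                   # strip IPv6 brackets
            fam = (addr == "*" || addr ~ /^[0-9.]+$/) ? "ipv4" : "ipv6"
            if (addr == "::1" || addr ~ /^127\./) next   # loopback only
            if (addr == "*" || addr == "" || addr == "0.0.0.0" || addr == "::") addr = "ANY"
            print $1, fam, addr, port
        }'
}

# Constructed sample, modelled on the listing in the text plus two UDP sockets
# and one entry in the bracketed IPv6 notation.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:323      *:*
udp   UNCONN 0      0      *:68               *:*
tcp   LISTEN 0      128    *:111              *:*
tcp   LISTEN 0      5      192.168.124.1:53   *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      128    127.0.0.1:631      *:*
tcp   LISTEN 0      100    127.0.0.1:25       *:*
tcp   LISTEN 0      128    :::22              :::*
tcp   LISTEN 0      128    ::1:631            :::*
tcp   LISTEN 0      128    [::]:111           [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

For the sample this prints six lines: the DHCP client socket on UDP 68, rpcbind on 111 and sshd on 22 for both address families, and dnsmasq bound to the single address 192.168.124.1. The cupsd and postfix sockets on loopback do not appear, which is the point of the filter: anything left in the list is what an nmap scan from another host should be expected to find.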

4.4.3. Disabling Source Routing
Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the packet must take. There is also an option to record the hops as the route is traversed. The list of hops taken, the "route record", provides the destination with a return path to the source. This allows the source (the sending host) to specify the route, loosely or strictly, ignoring the routing tables of some or all of the routers. It can allow a user to redirect network traffic for malicious purposes. Therefore, source-based routing should be disabled.
The accept_source_route option causes network interfaces to accept packets with the Strict Source Route (SSR) or Loose Source Routing (LSR) option set. The acceptance of source routed packets is controlled by sysctl settings. Issue the following command as root to drop packets with the SSR or LSR option set:
~]# /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Note that the settings under net.ipv4.conf.all apply to all existing interfaces, while those under net.ipv4.conf.default are inherited by interfaces created later; set both so that interfaces appearing after boot are covered as well. The corresponding IPv6 setting is net.ipv6.conf.all.accept_source_route.
Disabling the forwarding of packets should also be done in conjunction with the above when possible (disabling forwarding may interfere with virtualization). Issue the commands listed below as root.
These commands disable forwarding of IPv4 and IPv6 packets on all interfaces:
~]# /sbin/sysctl -w net.ipv4.conf.all.forwarding=0
~]# /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
These commands disable forwarding of all multicast packets on all interfaces:
~]# /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
~]# /sbin/sysctl -w net.ipv6.conf.all.mc_forwarding=0
Accepting ICMP redirects has few legitimate uses. Disable the acceptance and sending of ICMP redirected packets unless specifically required.
These commands disable acceptance of all ICMP redirected packets on all interfaces:
~]# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
~]# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
This command turns off secure_redirects on all interfaces. Secure redirects are redirects received from gateways already listed for the interface; with acceptance of redirects already disabled above the setting has no further effect, but hardening baselines set it to 0 explicitly so that the combination is unambiguous:
~]# /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
This command disables the sending of IPv4 ICMP redirected packets from all interfaces, so that the host cannot be used to steer other hosts' traffic:
~]# /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
There is only a directive to disable sending of IPv4 redirected packets. See RFC 4294 for an explanation of "IPv6 Node Requirements" which resulted in this difference between IPv4 and IPv6.
In order to make the settings permanent they must be added to /etc/sysctl.conf or to a file in /etc/sysctl.d/; they can then be applied without a reboot with sysctl --system.
See the sysctl man page, sysctl(8), for more information. See RFC 791 for an explanation of the Internet options related to source based routing and its variants.

Warning
Ethernet networks provide additional ways to redirect traffic, such as ARP or MAC address spoofing, unauthorized DHCP servers, and IPv6 router or neighbor advertisements. In addition, unicast traffic is occasionally broadcast, causing information leaks. These weaknesses can only be addressed by specific countermeasures implemented by the network operator. Host-based countermeasures are not fully effective.

4.4.4. Reverse Pat h Forwarding
Re ve rs e Path Forwarding is us e d to pre ve nt packe ts that arrive d through one inte rface
from le aving through a diffe re nt inte rface . Whe n outgoing route s and incoming route s are
diffe re nt, it is s ome time s re fe rre d to as asymmetric routing. Route rs ofte n route packe ts
this way, but mos t hos ts s hould not ne e d to do this . Exce ptions are s uch applications that
involve s e nding traffic out ove r one link and re ce iving traffic ove r anothe r link from a
diffe re nt s e rvice provide r. For e xample , us ing le as e d line s in combination with xDSL or
s ate llite links with 3G mode ms . If s uch a s ce nario is applicable to you, the n turning off
re ve rs e path forwarding on the incoming inte rface is ne ce s s ary. In s hort, unle s s you know
that it is re quire d, it is be s t e nable d as it pre ve nts us e rs s poofing IP addre s s e s from
local s ubne ts and re duce s the opportunity for DDoS attacks .

No te
Re d Hat Ente rpris e Linux 7 de faults to us ing Strict Reverse Path Forwarding following
the Strict Re ve rs e Path re comme ndation from RFC 3704, Ingre s s Filte ring for
Multihome d Ne tworks ..

Warning
If forwarding is e nable d, the n Re ve rs e Path Forwarding s hould only be dis able d if
the re are othe r me ans for s ource -addre s s validation (s uch as ipt ables rule s for
e xample ).
rp_filter
Re ve rs e Path Forwarding is e nable d by me ans of the rp_filter dire ctive . The
sysctl utility can be us e d to make change s to the running s ys te m, and
pe rmane nt change s can be made by adding line s to the /etc/sysctl.conf file .
The rp_filter option is us e d to dire ct the ke rne l to s e le ct from one of thre e
mode s .
To make a te mporary global change , e nte r the following commands as root:
sysctl -w net.ipv4.conf.default.rp_filter=integer
sysctl -w net.ipv4.conf.all.rp_filter=integer

69

Se c ur it y Guide

whe re integer is one of the following:
0 — No s ource validation.
1 — Strict mode as de fine d in RFC 3704.
2 — Loos e mode as de fine d in RFC 3704.
The s e tting can be ove rridde n pe r ne twork inte rface us ing the
net.ipv4.conf.interface.rp_filter command as follows :
sysctl -w net.ipv4.conf.interface.rp_filter=integer
To make the s e s e ttings pe rs is te nt acros s re boots , modify the /etc/sysctl.conf
file . For e xample , to change the mode for all inte rface s , ope n the
/etc/sysctl.conf file with an e ditor running as the root us e r and add a line as
follows :
net.ipv4.conf.all.rp_filter=2
IPv6_rpfilter
In cas e of the IPv6 protocol the f irewalld dae mon applie s to Re ve rs e Path
Forwarding by de fault. The s e tting can be che cke d in the
/etc/firewalld/firewalld.conf file . You can change the f irewalld be havior
by s e tting the IPv6_rpfilter option.
If you ne e d a cus tom configuration of Re ve rs e Path Forwarding, you can pe rform it
without the f irewalld dae mon by us ing the ip6tables command as follows :
ip6tables -t raw -I PREROUTING -m rpfilter --invert -j DROP
This rule s hould be ins e rte d ne ar the be ginning of the raw/PREROUTING chain, s o
that it applie s to all traffic, in particular be fore the s tate ful matching rule s . For
more information about the iptables and ip6tables s e rvice s , s e e Se ction 4.5.4,
“Us ing the iptable s Se rvice ”.

4.4.4.1. Additional Resources
The following are resources which explain more about Reverse Path Forwarding.
Installed Documentation
/usr/share/doc/kernel-doc-version/Documentation/networking/ip-sysctl.txt: This file contains a complete list of files and options available in the /proc/sys/net/ipv4/ directory. Before accessing the kernel documentation for the first time, enter the following command as root:
~]# yum install kernel-doc
Online Documentation
See RFC 3704 for an explanation of Ingress Filtering for Multihomed Networks.
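The following script is an added example, not part of the Red Hat guide, covering both Section 4.4.3 (source routing, redirects, forwarding) and the rp_filter settings of Section 4.4.4. It audits the kernel settings against the hardened values and renders the matching drop-in file for /etc/sysctl.d/. So that it runs offline, the audit reads values from a /proc/sys-like directory tree rather than calling sysctl; the tree built below is constructed for the demonstration, and passing /proc/sys instead audits the live kernel. The file name 50-hardening.conf is an assumption.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit and render the network
# sysctls from Sections 4.4.3 and 4.4.4. The directory tree used for the
# demonstration is constructed; sysctl_audit /proc/sys audits a live kernel.

# Hardened values, one "key value" pair per line.
HARDENED_SYSCTLS='
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.forwarding 0
net.ipv6.conf.all.forwarding 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
'

# sysctl_audit ROOT
# Prints "key current expected" for every key whose value under ROOT (a tree
# laid out like /proc/sys) differs from the hardened value; a key that does
# not exist in the tree is reported with the current value "absent".
sysctl_audit() {
    root=$1
    printf '%s\n' "$HARDENED_SYSCTLS" | while read -r key want; do
        [ -n "$key" ] || continue
        path="$root/$(printf '%s' "$key" | tr . /)"    # net.ipv4.x -> net/ipv4/x
        if [ -r "$path" ]; then cur=$(cat "$path"); else cur=absent; fi
        [ "$cur" = "$want" ] || echo "$key $cur $want"
    done
    return 0
}

# sysctl_dropin
# Prints the hardened settings in the "key = value" form sysctl.d(5) expects,
# e.g. for /etc/sysctl.d/50-hardening.conf (assumed name); apply with
# "sysctl --system" and re-run sysctl_audit /proc/sys to confirm.
sysctl_dropin() {
    printf '%s\n' "$HARDENED_SYSCTLS" | awk 'NF == 2 { print $1 " = " $2 }'
}

# Constructed /proc/sys-like tree: start fully compliant, then model a host
# that still accepts source-routed packets and IPv4 redirects and whose
# kernel lacks the IPv6 accept_source_route key.
FAKE=$(mktemp -d); trap 'rm -rf "$FAKE"' EXIT
write_fake() {   # write_fake KEY VALUE
    p="$FAKE/$(printf '%s' "$1" | tr . /)"
    mkdir -p "$(dirname "$p")"; printf '%s\n' "$2" > "$p"
}
printf '%s\n' "$HARDENED_SYSCTLS" | while read -r key want; do
    [ -n "$key" ] && write_fake "$key" "$want"
done
write_fake net.ipv4.conf.all.accept_source_route 1
write_fake net.ipv4.conf.all.accept_redirects 1
rm "$FAKE/net/ipv6/conf/all/accept_source_route"

echo "== deviations =="; sysctl_audit "$FAKE"
echo "== drop-in =="; sysctl_dropin
```

On the constructed tree the audit reports exactly the two deviations and the missing key, each with its current and expected value; the drop-in output is the twelve settings in the syntax that sysctl --system reads. Reading /proc/sys directly rather than parsing sysctl output keeps the check free of locale and formatting differences.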

4.5. Using Firewalls
The firewalld daemon provides a dynamically managed firewall with support for network "zones" to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and IP sets and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly. The complete communication with firewalld is done using D-Bus.

Note
To expand your expertise, you might also be interested in the Red Hat Server Hardening (RH413) training course.

4.5.1. Introduction to firewalld
The firewall daemon uses the restore commands of iptables, ip6tables, and ebtables by default to speed up all firewall actions that are changing the rule set. The normal commands are used if the configuration setting IndividualCalls is set to yes in the firewalld.conf file, or as a fallback if the rules cannot be applied with the restore commands. Using the normal commands results in a significant slowdown.
To use the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall, and press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
The sidebar on the left shows the Active Bindings of the active zones. These are grouped by Connections, which are handled by NetworkManager, Interfaces, and Sources.
The firewall-config tool has a drop-down selection menu labeled Configuration. This enables selecting between Runtime and Permanent mode. Notice that if you select Permanent, an additional row of icons appears in the left-hand corner. These icons only appear in permanent configuration mode because a service's parameters cannot be changed in Runtime mode. This setting does not affect the Active Bindings sidebar.
The firewall service provided by firewalld is dynamic rather than static because changes to the configuration can be made at any time and are immediately set live. There is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded.
A command-line client, firewall-cmd, is provided. It can be used to make permanent and non-permanent runtime changes as explained in man firewall-cmd(1). Permanent changes need to be made as explained in the firewalld(1) man page. Note that the firewall-cmd command can be run by the root user and also by an administrative user, in other words, a member of the wheel group. In the latter case, the command will be authorized through the polkit mechanism.
The command-line client firewall-offline-cmd can only be used by the root user to alter the permanent environment. It does not talk to firewalld, but uses a part of the firewalld core and the I/O backends to alter the configuration. It is not recommended to use this tool while firewalld is active. It could be used, but changes done with firewall-offline-cmd are not applied immediately to firewalld. The changes are applied to the permanent environment after firewalld was able to detect file changes in the file system. For example, the firewall-offline-cmd command is used while installing to set up the firewall. It can also be used in the post-installation stage to alter the firewall configuration before the freshly installed system has been booted.

The firewall-applet application is able to quickly launch the NetworkManager configuration tab for the network connection in use. You can make changes to the assigned firewall zone using the General tab. This applet is not installed by default in Red Hat Enterprise Linux.
The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. This allows a great deal of flexibility as the files can be edited, written to, backed up, used as templates for other installations, and so on. The configuration in /usr/lib/firewalld/ is the default and also the fallback configuration, while the configuration in /etc/firewalld/ is the system specific configuration.
All applications communicate with firewalld using the D-Bus interface.

4.5.1.1. Comparison of firewalld to system-config-firewall and iptables
The essential differences between firewalld and the iptables (and ip6tables) services are:
The iptables service stores configuration in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no recreating of all the rules. Only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
Both use the iptables tool to talk to the kernel packet filter.

Note
firewalld is not able to import firewall settings from the /etc/sysconfig/ip*tables files. To import lokkit or system-config-firewall settings, use firewall-offline-cmd and the /etc/sysconfig/system-config-firewall file. Custom rules files cannot be imported to firewalld. The imported settings are applied to the default zone.

Figure 4.1. The Firewall Stack

4.5.1.2. Understanding Network Zones
firewalld can be used to separate networks into different zones based on the level of trust the user has decided to place on the interfaces and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool, which can open the relevant NetworkManager window for you. You can also use the firewall-cmd command-line tool. If an interface is controlled by NetworkManager and the user changes the zone of the interface using firewall-cmd, firewall-offline-cmd, or firewall-config, then this request is forwarded to NetworkManager and is not handled by firewalld.
The zone settings in /etc/firewalld/ are a range of preset settings, which can be quickly applied to a network interface. They are listed below with a brief explanation.
drop
Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
Note that the zone names are labels only: which incoming connections a zone actually accepts is determined by the services and ports listed in its zone file (for example, the public zone allows the ssh and dhcpv6-client services by default, as defined in /usr/lib/firewalld/zones/public.xml), so review the zone definition rather than relying on the name.
Choosing a Network Zone
The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. A review of the default configuration settings should be made and unnecessary services disabled according to your needs and risk assessments.
The zone names and settings are proposals and can be changed according to the needs. A built-in zone cannot be removed, but it is possible to revert the zone configuration back to the initial defaults by loading the zone defaults either in the permanent configuration of firewall-config or firewall-cmd.

4.5.1.3. Understanding Predefined Services
A service can be a list of local ports, protocols, source ports, and destinations as well as a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Using the predefined services or custom-defined services, as opposed to opening ports or ranges of ports, may make administration easier. Service configuration options and generic file information are described in the firewalld.service(5) man page. The services are specified by means of individual XML configuration files, which are named in the following format: service-name.xml. Protocol names are preferred over service or application names in firewalld.
To view the list of services using the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall, and press Enter. The firewall-config tool appears. You will be prompted for an administrator password. You can now view the list of services under the Services tab.
To list all services available on the system, enter the following command:
~]$ firewall-cmd --get-services
To get the settings of a service, use the following command:
~]$ firewall-cmd --info-service=service-name
To list only the default predefined services available using the command line, enter the following command:
~]$ ls /usr/lib/firewalld/services/

Note
The root user is not needed to list files in /usr/lib/firewalld. Make sure to change the attributes accordingly after an addition of custom private files.
Files in /usr/lib/firewalld/services/ must not be edited. Only the files in /etc/firewalld/services/ should be edited.
To list the system or user-created services, enter the following command as root:
~]# ls /etc/firewalld/services/
Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd. Alternatively, you can edit the XML files in /etc/firewalld/services/. If a service has not been added or changed by the user, then no corresponding XML file will be found in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service.
To add a new service in a terminal, use firewall-cmd, or firewall-offline-cmd in case firewalld is not active. Enter the following command to add a new and empty service:
~]$ firewall-cmd --permanent --new-service=service-name
To add a new service using a local file, use the following command:
~]$ firewall-cmd --permanent --new-service-from-file=service-name.xml
You can change the service name with the additional --name=service-name option.
As soon as service settings are changed, an updated copy of the service is placed into /etc/firewalld/services/.
As root, you can enter the following command to copy a service manually:
~]# cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml
firewalld loads files from /usr/lib/firewalld/services in the first place. If files are placed in /etc/firewalld/services and they are valid, then these will override the matching files from /usr/lib/firewalld/services. The overridden files in /usr/lib/firewalld/services will be used as soon as the matching files in /etc/firewalld/services have been removed or if firewalld has been asked to load the defaults of the services. This applies to the permanent environment only. A reload is needed to get these fallbacks also in the runtime environment.
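The following script is an added example and is not part of the Red Hat guide or of firewalld. It writes a custom service definition in the XML form used by the files in /usr/lib/firewalld/services/ and /etc/firewalld/services/, and reads the port list back in the form firewall-cmd --info-service displays. The service name example-api, its description and the ports 8443/tcp, 8443/udp and 9000-9010/tcp are invented for the example; the file is written to a temporary directory, not to /etc/firewalld/, so the script can be run anywhere.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: generate and parse a firewalld
# service file. Service name, description and ports are invented; the file
# goes to a temporary directory rather than /etc/firewalld/services/.

# write_service DIR NAME SHORT DESCRIPTION PORT/PROTO...
# Creates DIR/NAME.xml with one <port> element per PORT/PROTO argument.
# Assumption: SHORT and DESCRIPTION contain no characters that need XML
# escaping (no &, < or >).
write_service() {
    dir=$1; name=$2; short=$3; desc=$4; shift 4
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
        for pp in "$@"; do
            # "8443/tcp" -> protocol "tcp", port "8443"; ranges such as 9000-9010 are allowed
            printf '  <port protocol="%s" port="%s"/>\n' "${pp#*/}" "${pp%/*}"
        done
        printf '</service>\n'
    } > "$dir/$name.xml"
}

# service_ports FILE
# Prints "port/protocol" for each <port> element of a service file, which is
# the form firewall-cmd --info-service shows under "ports:".
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

OUT=$(mktemp -d); trap 'rm -rf "$OUT"' EXIT
write_service "$OUT" example-api "Example API" \
    "Constructed example service, not a real one" 8443/tcp 8443/udp 9000-9010/tcp

echo "== $OUT/example-api.xml =="; cat "$OUT/example-api.xml"
echo "== ports =="; service_ports "$OUT/example-api.xml"
```

On a real system the generated file would be installed with firewall-cmd --permanent --new-service-from-file=example-api.xml (or copied into /etc/firewalld/services/ as root with mode 0644, per the note above on file attributes), followed by firewall-cmd --reload and firewall-cmd --permanent --add-service=example-api in the intended zone; firewall-cmd --info-service=example-api then shows the same three ports that service_ports prints here.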

4.5.1.4. Understanding the Direct Interface
firewalld has a direct interface, which enables directly passing rules to iptables, ip6tables, and ebtables. It is primarily intended for use by applications. It is not recommended, and it is dangerous, to use the direct interface if you are not very familiar with iptables, as you could inadvertently cause a breach in the firewall. As long as the tracked interface parts are used, it is still possible to query firewalld and see the chang es made by an application using this mode. The untracked passthrough mode is only intended for services that completely take care of their own rule set, such as libvirt and docker. The direct interface is used by adding the --direct option to the firewall-cmd command.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. If the rules are not made permanent, then they need to be applied every time after receiving the start, restart, or reload message from firewalld using D-Bus. With the direct interface, it is possible to add chains, rules, and tracked and untracked passthrough rules. You can also use direct rules in zone-specific chains.

4.5.2. Installing firewalld
In Red Hat Enterprise Linux 7, firewalld is installed by default. If required, to ensure that it is, enter the following command as root:
~]# yum install firewalld
The graphical user interface configuration tool firewall-config is installed by default in some versions of Red Hat Enterprise Linux 7. If required, enter the following command as root to ensure firewall-config is installed:
~]# yum install firewall-config
To install the optional firewall-applet, enter the following command as root:

76

Chapter 4. Hardening Your System with Tools and Services

~]# yum install firewall-applet
The applet is visible in the panel of the desktop with the next login. The use of the applet in GNOME is limited according to the GNOME rules for applets.

4.5.2.1. Stopping firewalld
To stop firewalld, enter the following command as root:
~]# systemctl stop firewalld
To prevent firewalld from starting automatically at system start, enter the following command as root:
~]# systemctl disable firewalld
To make sure firewalld is not started by accessing the firewalld D-Bus interface, and also not when other services require firewalld, enter the following command as root:
~]# systemctl mask firewalld

4.5.2.2. Starting firewalld
To start firewalld, enter the following commands as root:
~]# systemctl unmask firewalld
~]# systemctl start firewalld
To ensure firewalld starts automatically at system start, enter the following command as root:
~]# systemctl enable firewalld

4.5.2.3. Checking if firewalld is Running
To check if firewalld is running, enter the following command:
~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2016-10-11 09:15:58 CEST; 2 days ago
     Docs: man:firewalld(1)
 Main PID: 721 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─721 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Oct 11 09:15:57 localhost.localdomain systemd[1]: Starting firewalld - dynami...
Oct 11 09:15:58 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.
In addition, check if firewall-cmd can connect to the daemon by entering the following command:
~]$ firewall-cmd --state
running

4.5.3. Configuring firewalld
The firewall service, implemented by the firewalld daemon, can be configured using the firewall-config graphical user interface tool, using the firewall-cmd and firewall-offline-cmd command-line interface tools, and by editing XML configuration files. These methods will be described in order.

4.5.3.1. Configuring firewalld Using The Graphical User Interface
4.5.3.1.1. Starting the Graphical Firewall Configuration Tool
To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall, and press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
To start the graphical firewall configuration tool using the command line, enter the following command:
~]$ firewall-config
The Firewall Configuration window opens. Note that this command can be run as a normal user, but you will be prompted occasionally for an administrator password.


Figure 4.2. The Firewall Configuration Tool
Look for the “Connection to firewalld established” message in the lower-left corner. This indicates that the firewall-config tool is connected to firewalld. Note that the ICMP Types, IPSets, Direct Configuration, and Lockdown Whitelist tabs are only visible after being selected from the View drop-down menu. The Active Bindings sidebar on the left is visible by default.
4.5.3.1.2. Changing the Firewall Settings
To immediately change the current firewall settings, ensure the current view is set to Runtime. Alternatively, to edit the settings to be applied at the next system start or firewall reload, select Permanent from the drop-down list.


Note
When making changes to the firewall settings in Runtime mode, your selection takes immediate effect when you set or clear the check box associated with the service. You should keep this in mind when working on a system that may be in use by other users.
When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts. Click the Options menu and select Reload Firewall.

You can select zones in the left-hand side column. You will notice the zones have some services enabled; you may need to resize the window or scroll to see the full list. You can customize the settings by selecting and deselecting a service.
4.5.3.1.3. Adding an Interface to a Zone
To add a connection (the interfaces used by a connection) to a zone, start firewall-config. Click on the zone in the zone list on the left and select the Interfaces tab on the right. Click on the Add button to open a new dialog to add the interface.
To change the zone setting for an interface, double-click the proper connection or interface in the Active Bindings sidebar. Select the new firewall zone from the drop-down menu in the following dialog and confirm by clicking OK.
Alternatively, to add or reassign an interface of a connection to a zone, start firewall-config, select Options from the menu bar, and select Change Zones of Connections from the drop-down menu. A list of connections, interfaces, and sources is displayed. Select the connection to be reassigned. The Select Zone for Connection window appears. Select the new firewall zone from the drop-down menu and click OK.
For connections handled by NetworkManager, the request to change the zone is forwarded to NetworkManager. The zone interface setting will not be saved in firewalld.
You can also use the firewall-cmd command-line tool or the firewall-applet applet to change the zone for a connection, interface, and source.
Connections without specific zone settings are automatically bound to the default zone. A change of the default zone consequently applies to the zone bindings of all such connections.
4.5.3.1.4. Setting the Default Zone
To set the default zone that new interfaces will be assigned to, start firewall-config, select Options from the menu bar, and select Change Default Zone from the drop-down menu. The Default Zone window appears. Select the zone from the list that you want to be used as the default zone and click OK. Alternatively, enter the following command:
~]$ firewall-cmd --set-default-zone=zone-name
4.5.3.1.5. Configuring Services
To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.
To edit a service, start the firewall-config tool and select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons and menu buttons appear at the bottom of the Services window. Select the service you want to configure.
The Ports, Protocols, and Source Port tabs enable adding, changing, and removing of ports, protocols, and source ports for the selected service. The Modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).

Note
It is not possible to alter service settings in Runtime mode.

4.5.3.1.6. Opening Ports in the Firewall
To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and click the Add button on the right-hand side. The Port and Protocol window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.
4.5.3.1.7. Opening Protocols in the Firewall
To permit traffic through the firewall using a certain protocol, start the firewall-config tool and select the network zone whose settings you want to change. Select the Protocols tab and click the Add button on the right-hand side. The Protocol window opens.
Either select a protocol from the drop-down list or select the Other Protocol check box and enter the protocol in the field.
4.5.3.1.8. Opening Source Ports in the Firewall
To permit traffic through the firewall from a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Source Port tab and click the Add button on the right-hand side. The Source Port window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.
4.5.3.1.9. Enabling IPv4 Address Masquerading
To translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address.


Note
To enable masquerading for IPv6, use a rich rule.

4.5.3.1.10. Configuring Port Forwarding
To forward inbound network traffic, or “packets”, for a specific port to an internal address or alternative port, first enable IP address masquerading, then select the Port Forwarding tab.
Select the protocol of the incoming traffic and the port or range of ports on the upper section of the window. The lower section is for setting details about the destination.
To forward traffic to a local port (a port on the same system), select the Local forwarding check box. Enter the local port or range of ports for the traffic to be sent to.
To forward traffic to another IPv4 address, select the Forward to another port check box. Enter the destination IP address and port or port range. The default is to send to the same port if the port field is left empty. If masquerading is not yet enabled for the zone, select Yes in the dialog that follows to enable it; masquerading is needed to make forwarding to another machine work. Click OK to apply the changes.
4.5.3.1.11. Configuring the ICMP Filter
To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To edit an ICMP type, start the firewall-config tool and select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons appear at the bottom of the ICMP Types window.
To enable inverting the ICMP Filter, click the Invert Filter check box on the right. Only marked ICMP types are now accepted; all others are rejected. In a zone using the DROP target, they are dropped.
4.5.3.1.12. Configuring Rich Rules
To enable or disable a rich rule, start the firewall-config tool and select the network zone whose services are to be configured. Select the Rich Rules tab and click the Add button on the right-hand side. The Rich Rule window appears.
Select the Family the rule should be added to; leave it at ipv4 and ipv6 to add a rule for both IPv4 and IPv6. Enable the Element check box if you want to select a service, port, protocol, icmp-block, forward-port, or source port, or if you want to enable masquerade in the rule. For all elements except masquerade, you need to click the button on the right. The Service window appears to select the setting of the element.
With the Action check box, you can enable a custom action for the rule, such as accept, reject, drop, or mark. If the rule Family is set to either ipv4 or ipv6, you can enable the Type check box to select an alternative reject type from the drop-down menu that matches the rule Family. Additionally, you can set a limit for this action by enabling the With limit check box.
In the Source section, you can select a source match for this rule. This can be an IP address or range, a MAC address, or an IP set. With the inverted check box, you can negate this match. The IP address is only selectable if the Family is either ipv4 or ipv6.
With the Destination address, you can select an IP address matching the selected Family. It is selectable only if the Family is either ipv4 or ipv6.
To enable logging to the system log with the rule, use the Log check box. It is necessary to select a logging prefix in the Prefix text field. Select the log Level; it can be emergency, alert, critical, error, warning, notice, info, or debug. With the optional limit, the number of log messages written to the system log can be bounded. If logging is enabled, the rule is duplicated to be able to log.
To enable logging using the Linux Audit system, use the Audit check box. See the System Auditing chapter for more information.
If the rule is complete and the OK button is active, you can add the rule. If the button is not active, a tooltip shows what is missing or not appropriate.
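The dialog described above assembles a string in the firewalld rich rule language, which is also what you pass to firewall-cmd --add-rich-rule. The following Python function is an added example, not part of this guide or of firewalld: it composes that string from the same pieces the dialog asks for and refuses the combinations the text says the dialog refuses (an IP source, a destination address, or a reject type without a family; logging without a prefix). It also enforces one rule of the rich language itself, that the masquerade, forward-port, and icmp-block elements take no action; other validity rules from firewalld.richlanguage(5) are not modelled. All addresses, ports, and prefixes below are made up for the example.

```python
# Added example: build firewalld rich rule strings with the constraints the
# firewall-config Rich Rule dialog applies. Sample values are constructed.

LOG_LEVELS = ("emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug")
ELEMENTS = ("service", "port", "protocol", "icmp-block",
            "forward-port", "source-port", "masquerade")
NO_ACTION_ELEMENTS = ("masquerade", "forward-port", "icmp-block")


def rich_rule(family=None, source=None, invert=False, destination=None,
              element=None, log=None, audit=False, action=None,
              reject_type=None, action_limit=None):
    """Return a rich rule string, or raise ValueError for a refused combination.

    source:  ("address" | "mac" | "ipset", value)
    element: {"kind": "service", "name": "ssh"},
             {"kind": "port", "port": "8080", "protocol": "tcp"}, {"kind": "masquerade"}, ...
    log:     {"prefix": "...", "level": "info", "limit": "3/m"}
    action:  "accept" | "reject" | "drop" | ("mark", "0x1")
    """
    if family not in (None, "ipv4", "ipv6"):
        raise ValueError("family must be ipv4 or ipv6")
    parts = ["rule"] + ([f'family="{family}"'] if family else [])

    if source is not None:
        kind, value = source
        if kind not in ("address", "mac", "ipset"):
            raise ValueError("source must be address, mac or ipset")
        if kind == "address" and family is None:
            raise ValueError("an IP source needs a family")
        parts.append(f'source {kind}="{value}"' + (' invert="True"' if invert else ""))

    if destination is not None:
        if family is None:
            raise ValueError("a destination address needs a family")
        parts.append(f'destination address="{destination}"')

    if element is not None:
        kind = element["kind"]
        if kind not in ELEMENTS:
            raise ValueError(f"unknown element {kind}")
        attrs = " ".join(f'{k}="{v}"' for k, v in element.items() if k != "kind")
        parts.append(kind if kind == "masquerade" else f"{kind} {attrs}")

    if log is not None:
        if not log.get("prefix"):
            raise ValueError("logging needs a prefix")
        if log.get("level") not in (None,) + LOG_LEVELS:
            raise ValueError("unknown log level")
        clause = f'log prefix="{log["prefix"]}"'
        if log.get("level"):
            clause += f' level="{log["level"]}"'
        if log.get("limit"):
            clause += f' limit value="{log["limit"]}"'
        parts.append(clause)

    if audit:
        parts.append("audit")

    # masquerade, forward-port and icmp-block carry their own behaviour; every
    # other rule needs an explicit action.
    if element is not None and element["kind"] in NO_ACTION_ELEMENTS:
        if action is not None:
            raise ValueError(f'{element["kind"]} does not take an action')
    elif action is None:
        raise ValueError("an action is required for this rule")

    if action is not None:
        if isinstance(action, tuple) and action[0] == "mark":
            clause = f'mark set="{action[1]}"'
        elif action in ("accept", "drop"):
            clause = action
        elif action == "reject":
            clause = "reject"
            if reject_type:
                if family is None:
                    raise ValueError("a reject type needs a family")
                clause += f' type="{reject_type}"'
        else:
            raise ValueError("unknown action")
        if action_limit:
            clause += f' limit value="{action_limit}"'
        parts.append(clause)
    return " ".join(parts)


def refused(**kwargs):
    """True if rich_rule() rejects the combination; shows the dialog's guard rails."""
    try:
        rich_rule(**kwargs)
    except ValueError:
        return True
    return False


def examples():
    """Constructed rules: a logged allow, a rate-limited reject, a port forward."""
    return {
        "ssh_from_subnet": rich_rule(
            family="ipv4", source=("address", "192.0.2.0/24"),
            element={"kind": "service", "name": "ssh"},
            log={"prefix": "ssh-in", "level": "info", "limit": "3/m"},
            action="accept"),
        "reject_port": rich_rule(
            family="ipv6", element={"kind": "port", "port": "8080", "protocol": "tcp"},
            action="reject", reject_type="icmp6-adm-prohibited", action_limit="10/s"),
        "forward": rich_rule(
            family="ipv4", element={"kind": "forward-port", "port": "80",
                                     "protocol": "tcp", "to-port": "8080"}),
    }


if __name__ == "__main__":
    for name, rule in examples().items():
        print(f"{name}: {rule}")
```

The clause order (family, source, destination, element, log, audit, action) is the order the rich language expects, so the strings can be passed to firewall-cmd --add-rich-rule unchanged; anything this function refuses is also something the OK button in the dialog stays grey for.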
4.5.3.1.13. Configuring Sources
To add a source to a zone, start firewall-config. Click on a zone in the zone list on the left and select the Sources tab on the right. Clicking the Add button opens a new dialog to add the source. A source can either be an IP address or range, a MAC address, or an ipset. Select the type in the drop-down menu on the left and click the button on the right to select or enter the setting.
4.5.3.1.14. Configuring IP Sets
To configure IP sets, start the firewall-config tool and select the IPSets tab. Select an IP set from the list on the left to change the runtime settings of an IP set that has already been created with firewalld.
To add new IP sets or to change base IP set settings, switch to Permanent mode. Additional icons and menu buttons appear at the bottom of the IPSets window. Select the IP set you want to configure. The Entries tab on the right shows the entries that are part of the IP set. There are no entries listed for IP sets that use a timeout, as the entries are kept and handled in kernel space.
With the Add button, you can add single entries, but also entries from a file. With Remove you can remove the selected entry, all entries, and also entries from a file. The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
After clicking on the + button to add a new IP set, a new window appears to configure the base IP set settings. There are three settings that need to be configured for an IP set: Name, Type, and Family. Name can contain all alphanumeric characters and additionally ‘-’, ‘_’, ‘:’, and ‘.’. The maximum name length is 32 characters. Type can be hash:ip, hash:net, or hash:mac. Bitmap types are not supported by firewalld as they can only be used with IPv4. Combined types are not supported either.
To have a simple and fast IP address or network set, use the hash:net type. The hash:ip type expands all ranges and network segments internally and reaches the hash limit soon.
For these types, it is also necessary to define Family. This can be either inet for IPv4 or inet6 for IPv6.
To store MAC addresses in an IP set, use hash:mac; Family is not selectable in this case.


To define a lifetime for the added entries for use with external services like fail2ban, use the Timeout setting. Note that firewalld is not able to show the temporarily stored entries with a timeout. Use the ipset command for such entries.
To define the initial hash size for an IP set, use the Hashsize setting. Limit the maximum number of elements that can be stored in an IP set by using the Maxelem field.
You can use the created IP set as a source in a zone, in a rich rule, and also in a direct rule. For more information on IP sets and the settings, see Section 4.5.4, “Using the iptables Service”.
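The naming rules, the supported types, and the entries-file format above are easy to get wrong when a block list is generated by another tool. The following Python script is an added example, not part of this guide or of firewalld: it validates an IP set definition against the rules stated in the text, reads an entries file in the format the Add-from-file dialog accepts, and counts how many kernel hash elements the same entries cost in a hash:net set versus a hash:ip set, which is the reason the text prefers hash:net for networks. The set names and the sample file contents are constructed for the example; the element counting is the example's model of the expansion the text describes, not a figure reported by firewalld.

```python
# Added example: validate an IP set definition and its entries file using the
# rules given in the text. Names, networks and file contents are constructed.
import ipaddress
import re

# Name: alphanumerics plus '-', '_', ':' and '.', at most 32 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,32}$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
SUPPORTED_TYPES = ("hash:ip", "hash:net", "hash:mac")  # no bitmap:* or combined types
FAMILIES = ("inet", "inet6")


def validate_ipset(name, type_, family=None):
    """Return a normalized {name, type, family} dict or raise ValueError."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid IP set name {name!r}")
    if type_ not in SUPPORTED_TYPES:
        raise ValueError(f"{type_}: only hash:ip, hash:net and hash:mac are supported")
    if type_ == "hash:mac":
        if family is not None:
            raise ValueError("family is not selectable for hash:mac")
    elif family not in FAMILIES:
        raise ValueError("family must be inet (IPv4) or inet6 (IPv6)")
    return {"name": name, "type": type_, "family": family}


def is_valid_ipset(name, type_, family=None):
    """Boolean form of validate_ipset() for quick checks."""
    try:
        validate_ipset(name, type_, family)
    except ValueError:
        return False
    return True


def parse_entries(text):
    """One entry per line; blank lines and lines starting with '#' or ';' are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            entries.append(line)
    return entries


def check_entries(ipset, entries):
    """Raise ValueError for an entry that does not fit the set's type and family."""
    for entry in entries:
        if ipset["type"] == "hash:mac":
            if not MAC_RE.match(entry):
                raise ValueError(f"{entry!r} is not a MAC address")
            continue
        net = ipaddress.ip_network(entry, strict=False)
        want = 4 if ipset["family"] == "inet" else 6
        if net.version != want:
            raise ValueError(f"{entry!r} is not an IPv{want} entry")
    return entries


def expanded_size(ipset, entries):
    """Hash elements needed: hash:ip stores every address of a network,
    hash:net and hash:mac store one element per entry."""
    if ipset["type"] != "hash:ip":
        return len(entries)
    return sum(ipaddress.ip_network(e, strict=False).num_addresses for e in entries)


SAMPLE_FILE = """# blocked networks (constructed example)
; semicolon comments are ignored as well
192.0.2.0/24

198.51.100.0/25
203.0.113.7
"""


def demo():
    """Load the same entries into a hash:net and a hash:ip definition."""
    entries = parse_entries(SAMPLE_FILE)
    as_net = validate_ipset("blocklist-v4", "hash:net", "inet")
    as_ip = validate_ipset("blocklist-v4", "hash:ip", "inet")
    check_entries(as_net, entries)
    return {
        "entries": entries,
        "hash_net_elements": expanded_size(as_net, entries),
        "hash_ip_elements": expanded_size(as_ip, entries),
    }


if __name__ == "__main__":
    print(demo())
```

Three lines in the file become three elements in a hash:net set but 385 in a hash:ip set; with a few /16 entries the hash:ip variant hits Maxelem long before the list is loaded, which is the failure mode to check for before pointing fail2ban or a feed importer at a set.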

4.5.3.2. Configuring the Firewall Using the firewall-cmd Command-Line Tool
The firewall-cmd command-line tool is part of the firewalld application that is installed by default. You can verify that it is installed by checking the version or displaying the help output. Enter the following command to check the version:
~]$ firewall-cmd --version
Enter the following command to view the help output:
~]$ firewall-cmd --help
We list a selection of commands below; for a full list see the firewall-cmd(1) man page.

Note
To make a command permanent or persistent, add the --permanent option. Rules added through the direct interface with --direct are runtime-only unless they, too, are added with --permanent (see Section 4.5.1.4, “Understanding the Direct Interface”). Note that this not only means the change will be permanent, but that the change will only take effect after a firewalld reload, service restart, or system reboot. Settings made with firewall-cmd without the --permanent option take effect immediately but are only valid until the next firewall reload, system boot, or firewalld service restart. Reloading firewalld does not in itself break connections, but be aware that you are discarding temporary changes by doing so.
To make a command both persistent and take effect immediately, enter the command twice: once with the --permanent option and once without. This is preferable to a reload because a firewalld reload takes more time than just repeating a command: it has to reload all configuration files and recreate the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is possible during the reload.


Figure 4.3. The firewalld Architecture

Important
All options to change the zone binding for interfaces that are under control of NetworkManager are forwarded to NetworkManager. These changes are not applied to the firewalld configuration if the request to NetworkManager succeeds. This is also the case with the --permanent option.
For interfaces that are not under control of NetworkManager, the change applies to the firewalld configuration. If there is an ifcfg file that uses this interface, then the ZONE= setting in this ifcfg file is adapted to make sure that the configuration in firewalld and the ifcfg file is consistent. If there is more than one ifcfg file using this interface, then the first one is used.
See the Red Hat Enterprise Linux 7 Networking Guide for information on NetworkManager and working with ifcfg files.
For configuration settings such as the default zone, there is no difference between the runtime and permanent environment when using the command-line and GUI tools.

4.5.3.3. Viewing the Firewall Settings Using the Command-Line Interface (CLI)
To get a text display of the state of firewalld, enter the following command:
~]$ firewall-cmd --state
To view the list of active zones with a list of the interfaces currently assigned to them, enter the following command:
~]$ firewall-cmd --get-active-zones
public
  interfaces: em1


To find out the zone that an interface, for example, em1, is currently assigned to, enter the following command:
~]$ firewall-cmd --get-zone-of-interface=em1
public
To find out all the interfaces assigned to a zone, for example, the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-interfaces
em1 wlan0
This information is obtained from NetworkManager and only shows interfaces, not connections.
To find out all the settings of a zone, for example, the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-all
public
  interfaces:
  services: mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks: source-quench
To view the zone information, use the --info-zone option. To get the verbose output with the description and short description, use the additional -v option.
~]# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
To view the list of services currently loaded, enter the following command as root:
~]# firewall-cmd --get-services
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https ntp vnc-server telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls


This lists the names of the predefined services loaded from /usr/lib/firewalld/services/ as well as any custom services that are currently loaded. Note that the configuration files themselves are named service-name.xml.
To list the custom services that have been created but not loaded, use the following command as root:
~]# firewall-cmd --permanent --get-services
This lists all services, including custom services configured in /etc/firewalld/services/, even if they are not yet loaded.
To show the settings of the ftp service, use the following command as root:
~]# firewall-cmd --info-service=ftp
ftp
  ports: 21/tcp
  protocols:
  source-ports:
  modules: nf_conntrack_ftp
  destination:
To view the settings in permanent configuration mode, use the --permanent option.
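The --info-zone output shown above is the quickest inventory of what a zone admits, and it is easy to turn into a recurring check. The following Python script is an added example, not part of this guide or of firewalld: it parses that output format into a dictionary, including the tab-indented continuation lines firewall-cmd prints under "rich rules:", and runs a small review over it. The sample text is constructed by extending the public zone above with a cleartext service, a wide port range, and one rich rule; the list of cleartext services (telnet, ftp, tftp, tftp-client) and the 100-port threshold are this example's review policy, not anything firewalld reports.

```python
# Added example: parse `firewall-cmd --info-zone` output and review it.
# The sample output and the review thresholds are constructed for this example.

CLEARTEXT_SERVICES = {"telnet", "ftp", "tftp", "tftp-client"}
WIDE_RANGE = 100  # flag port ranges covering more ports than this

SAMPLE_INFO_ZONE = """public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcpv6-client mdns ssh telnet
  ports: 8080/tcp 30000-40000/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="192.0.2.0/24" service name="ssh" accept
"""


def parse_info_zone(text):
    """Return {'name': ..., 'active': bool, '<key>': [tokens...]} for --info-zone text."""
    lines = text.rstrip("\n").split("\n")
    head = lines[0].split()
    zone = {"name": head[0], "active": "(active)" in head[1:]}
    key = None
    for line in lines[1:]:
        if line.startswith("\t") and key is not None:
            # continuation line: each rich rule is printed on its own tab-indented line
            zone[key].append(line.strip())
            continue
        key, _, value = line.strip().partition(":")
        zone[key] = value.split()
    return zone


def port_span(spec):
    """Number of ports a spec covers: '8080/tcp' -> 1, '30000-40000/udp' -> 10001."""
    ports, _, _proto = spec.partition("/")
    low, _, high = ports.partition("-")
    return int(high or low) - int(low) + 1


def review_zone(zone):
    """Findings a reviewer would want to see for this zone (example policy)."""
    findings = []
    for service in zone.get("services", []):
        if service in CLEARTEXT_SERVICES:
            findings.append(f"{zone['name']}: cleartext service {service} is allowed")
    for spec in zone.get("ports", []):
        if port_span(spec) > WIDE_RANGE:
            findings.append(f"{zone['name']}: wide port range {spec} is open")
    if zone.get("target") == ["ACCEPT"]:
        findings.append(f"{zone['name']}: target ACCEPT admits everything not matched")
    return findings


def demo():
    """Parse the constructed sample and review it."""
    zone = parse_info_zone(SAMPLE_INFO_ZONE)
    return zone, review_zone(zone)


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

In practice you would feed it the output of firewall-cmd --info-zone for every zone returned by --get-active-zones, and run the same parser against the --permanent output to spot runtime changes that were never made persistent.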

4.5.3.4. Changing the Firewall Settings Using the Command-Line Interface (CLI)
4.5.3.4.1. Dropping All Packets (Panic Mode)
To start dropping all incoming and outgoing packets, enter the following command as root:
~]# firewall-cmd --panic-on
All incoming and outgoing packets will be dropped. Active connections will be terminated after a period of inactivity; the time taken depends on the individual session timeout values.
To start passing incoming and outgoing packets again, enter the following command as root:
~]# firewall-cmd --panic-off
After disabling panic mode, established connections might work again if panic mode was enabled for a short period of time.
To find out if panic mode is enabled or disabled, enter the following command:
~]$ firewall-cmd --query-panic
The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise.
4.5.3.4.2. Reloading the Firewall Using the Command-Line Interface (CLI)
To reload the firewall without interrupting user connections (without losing state information), enter the following command:
~]$ firewall-cmd --reload
A firewall reload involves reloading all configuration files and recreating the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload. Alternatively, as the root user, send the SIGHUP signal to reload the firewall.
To reload the firewall and interrupt user connections, discarding state information, enter the following command as root:
~]# firewall-cmd --complete-reload
This command should normally only be used in case of severe firewall problems. For example, use this command if there are state information problems and no connection can be established but the firewall rules are correct.
4.5.3.4.3. Add an Interface to a Zone Using the Command-Line Interface (CLI)
To add an interface to a zone (for example, to add em1 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-interface=em1
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.4. Add an Interface to a Zone by Editing the Interface Configuration File
To add an interface to a zone by editing the ifcfg-em1 configuration file (for example, to add em1 to the work zone), add the following line to ifcfg-em1 as root:
ZONE=work
Note that if you omit the ZONE option, or use ZONE=, or ZONE='', then the default zone will be used.
NetworkManager will automatically reconnect and the zone will be set accordingly.
4.5.3.4.5. Configuring the Default Zone by Editing the firewalld Configuration File
As root, open /etc/firewalld/firewalld.conf and edit the file as follows:
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Reload the firewall by entering the following command as root:
~]# firewall-cmd --reload

This will reload the firewall without losing state information (that is, TCP sessions will not be terminated), but service disruption is possible during the reload.
4.5.3.4.6. Setting the Default Zone by Using the Command-Line Interface (CLI)
To set the default zone (for example, to public), enter the following command as root:
~]# firewall-cmd --set-default-zone=public
This change will take effect immediately; in this case, it is not necessary to reload the firewall.
4.5.3.4.7. Opening Ports in the Firewall Using the Command-Line Interface (CLI)
To list all open ports for a zone (for example, dmz), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-ports
Note that this will not show ports opened as a result of the --add-service command.
To add a port to a zone (for example, to allow TCP traffic to port 8080 to the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this setting persistent, repeat the command adding the --permanent option.
To add a range of ports to a zone (for example, to allow the ports from 5060 to 5061 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.8. Opening Protocols Using the Command Line Interface (CLI)
To list all open protocols for a zone (dmz, for example), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-protocols
Note that this command does not show protocols opened as a result of the firewall-cmd --add-service command.
To add a protocol to a zone (for example, to allow ESP traffic to the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --add-protocol=esp
To make this setting persistent, add the --permanent option.
4.5.3.4.9. Opening Source Ports Using the Command Line Interface (CLI)
To list all open source ports for a zone (for example, the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-source-ports
Note that this command does not show source ports opened as a result of the firewall-cmd --add-service command.
To add a source port to a zone (for example, to allow TCP traffic from port 8080 to the dmz zone), use the following command as root:
~]# firewall-cmd --zone=dmz --add-source-port=8080/tcp
To add a range of source ports to a zone (for example, to allow the ports from 5060 to 5061 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-source-port=5060-5061/udp
To make the settings persistent, add the --permanent option.
4.5.3.4.10. Adding a Service to a Zone Using the Command-Line Interface (CLI)
To add a service to a zone (for example, to allow SMTP to the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --add-service=smtp
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.11. Removing a Service from a Zone Using the Command-Line Interface (CLI)
To remove a service from a zone (for example, to remove SMTP from the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --remove-service=smtp
To make this change persistent, repeat the command adding the --permanent option. This change will not break established connections. If that is your intention, you can use the --complete-reload option, but this will break all established connections, not just those for the service you have removed.
4.5.3.4.12. Adding a Service to a Zone by Editing XML Files
To view the default zone files, enter the following command as root:
~]# ls /usr/lib/firewalld/zones/
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml
These files must not be edited. They are used by default if no equivalent file exists in the /etc/firewalld/zones/ directory.

90

⁠C hapt e r 4 . Har de ning Yo ur Sys t e m wit h T o o ls and Se r vic e s

To view the zone files that have been changed from the default, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  public.xml.old
In the example shown above, the work zone file does not exist. To add the work zone file, enter the following command as root:
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now edit the file in the /etc/firewalld/zones/ directory. If you delete the file, firewalld will fall back to using the default file in /usr/lib/firewalld/zones/.
To add a service to a zone (for example, to allow SMTP to the work zone), add the following line to the /etc/firewalld/zones/work.xml file as root:
<service name="smtp"/>
4.5.3.4.13. Removing a Service from a Zone by Editing XML Files
An editor running with root privileges is required to edit the XML zone files. To view the files for previously configured zones, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  work.xml
To remove a service from a zone (for example, to remove SMTP from the work zone), use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file and remove the following line:
<service name="smtp"/>
If no other changes have been made to the work.xml file, it can be removed and firewalld will use the default /usr/lib/firewalld/zones/work.xml configuration file after the next reload or system boot.
4.5.3.4.14. Configuring IP Address Masquerading
To check if IP masquerading is enabled (for example, for the external zone), enter the following command as root:
~]# firewall-cmd --zone=external --query-masquerade
The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.
To enable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
To disable IP masquerading, enter the following command as root:


~]# firewall-cmd --zone=external --remove-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.15. Configuring Port Forwarding Using the Command-Line Interface (CLI)
To forward inbound network packets from one port to an alternative port or address, first enable IP address masquerading for a zone (for example, external), by entering the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To forward packets to a local port (a port on the same system), enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
In this example, the packets intended for port 22 are now forwarded to port 3753. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new local port (the port or range of ports to which the traffic is being forwarded) is specified with the toport option. To make this setting persistent, repeat the commands adding the --permanent option.
To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to the same port at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port (the port or range of ports to which the traffic is being forwarded) is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.
To forward packets to another port at another IPv4 address, usually an internal address, enter the following command as root:
~]# firewall-cmd --zone=external \
--add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is being forwarded, is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.

4.5.3.5. Configuring the Firewall Using XML Files


The configuration settings for firewalld are stored in XML files in the /etc/firewalld/ directory. Do not edit the files in the /usr/lib/firewalld/ directory (the files define the default settings). You will need root user permissions to view and edit the XML files. The XML files are explained in three man pages:
firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
firewalld.service(5) man page — Describes XML configuration files for firewalld service.
firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
The XML files can be created and edited directly or created indirectly using the graphical and command-line tools. Organizations can distribute them in RPM files, which can make management and version control easier. Tools like Puppet can distribute such configuration files.

4.5.3.6. Using the Direct Interface
It is possible to add and remove chains during runtime by using the --direct option with the firewall-cmd tool. A few examples are presented here. See the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.
4.5.3.6.1. Adding a Rule Using the Direct Interface
To add a rule to the “IN_public_allow” chain, enter the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.
4.5.3.6.2. Removing a Rule Using the Direct Interface
To remove a rule from the “IN_public_allow” chain, enter the following command as root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.
4.5.3.6.3. Listing Rules Using the Direct Interface
To list the rules in the “IN_public_allow” chain, enter the following command as root:


~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means.

4.5.3.7. Configuring Complex Firewall Rules with the "Rich Language" Syntax
With the “rich language” syntax, complex firewall rules can be created in a way that is easier to understand than the direct-interface method. In addition, the settings can be made permanent. The language uses keywords with values and is an abstract representation of iptables rules. Zones can be configured using this language; the current configuration method will still be supported.
4.5.3.7.1. Formatting of the Rich Language Commands
All the commands in this section need to be run as root. The format of the command to add a rule is as follows:
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
This will add a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used. If a timeout is supplied, the rule or rules only stay active for the amount of time specified and will be removed automatically afterwards. The time value can be followed by s (seconds), m (minutes), or h (hours) to specify the unit of time. The default is seconds.
To remove a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will remove a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used.
To check if a rule is present:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will return whether a rich language rule rule has been added for the zone zone. The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If the zone is omitted, the default zone is used.
For information about the rich language representation used in the zone configuration files, see the firewalld.zone(5) man page.
4.5.3.7.2. Understanding the Rich Rule Structure
The format or structure of the rich rule commands is as follows:
rule [family="rule family"]
    [ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ]
    [ destination [NOT] address="address" ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]

Note
The structure of the rich rule in the file uses the NOT keyword to invert the sense of the source and destination address commands, but the command line uses the invert="true" option.
A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.
4.5.3.7.3. Understanding the Rich Rule Command Options
family
If the rule family is provided, either ipv4 or ipv6, it limits the rule to IPv4 or IPv6, respectively. If the rule family is not provided, the rule is added for both IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.
Source and Destination Addresses
source
By specifying the source address, the origin of a connection attempt can be limited to the source address. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. For IPv4, the mask can be a network mask or a plain number. For IPv6, the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding the NOT keyword; all but the supplied address matches.
A MAC address and also an IP set with type hash:mac can be added for IPv4 and IPv6 if no family is specified for the rule. Other IP sets need to match the family setting of the rule.
destination
By specifying the destination address, the target can be limited to the destination address. The destination address uses the same syntax as the source address for IP address or address ranges. The use of source and destination addresses is optional, and the use of a destination address is not possible with all elements. This depends on the use of destination addresses, for example, in service entries. You can combine destination and action.
Elements
The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block, forward-port, and source-port.
service
The service element is one of the firewalld provided services. To get a list of the predefined services, enter the following command:
~]$ firewall-cmd --get-services
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:
service name=service_name
port
The port element can either be a single port number or a port range, for example, 5060-5062, followed by the protocol, either as tcp or udp. The command takes the following form:
port port=number_or_range protocol=protocol
protocol
The protocol value can be either a protocol ID number or a protocol name. For allowed protocol entries, see /etc/protocols. The command takes the following form:
protocol value=protocol_name_or_ID
icmp-block
Use this command to block one or more ICMP types. The ICMP type is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, enter the following command:
~]$ firewall-cmd --get-icmptypes
Specifying an action is not allowed here. icmp-block uses the action reject internally. The command takes the following form:
icmp-block name=icmptype_name
masquerade
Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.
forward-port
Forward packets from a local port with protocol specified as tcp or udp to either another port locally, to another machine, or to another port on another machine. The port and to-port can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. The forward-port command uses the action accept internally. The command takes the following form:


forward-port port=number_or_range protocol=protocol to-port=number_or_range to-addr=address
source-port
Matches the source port of the packet - the port that is used on the origin of a connection attempt. To match a port on the current machine, use the port element. The source-port element can either be a single port number or a port range (for example, 5060-5062) followed by the protocol as tcp or udp. The command takes the following form:
source-port port=number_or_range protocol=protocol
Logging
log
Log new connection attempts to the rule with kernel logging, for example, in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of emerg, alert, crit, error, warning, notice, info, or debug. The use of log is optional. It is possible to limit logging as follows:
log [prefix=prefix text] [level=log level] limit value=rate/duration
The rate is a natural positive number [1, ..], with the duration of s, m, h, d. s means seconds, m means minutes, h means hours, and d days. The maximum limit value is 1/d, which means at maximum one log entry per day.
audit
Audit provides an alternative way for logging using audit records sent to the service auditd. The audit type can be one of ACCEPT, REJECT, or DROP, but it is not specified after the command audit as the audit type will be automatically gathered from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.
Action
accept|reject|drop|mark
An action can be one of accept, reject, drop, or mark. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.
accept | reject [type=reject type] | drop | mark set="mark[/mask]"
With accept, all new connection attempts will be granted. With reject, they will be rejected and their source will get a reject message. The reject type can be set to use another value. With drop, all packets will be dropped immediately and no information is sent to the source. With mark all packets will be marked with the given mark and the optional mask.


4.5.3.7.4. Using the Rich Rule Log Command
Logging can be done with the Netfilter log target and also with the audit target. A new chain is added to all zones with a name in the format “zone_log”, where zone is the zone name. This is processed before the deny chain to have the proper ordering. The rules or parts of them are placed in separate chains, according to the action of the rule, as follows:
zone_log
zone_deny
zone_allow
All logging rules will be placed in the “zone_log” chain, which will be parsed first. All reject and drop rules will be placed in the “zone_deny” chain, which will be parsed after the log chain. All accept rules will be placed in the “zone_allow” chain, which will be parsed after the deny chain. If a rule contains log and also deny or allow actions, the parts of the rule that specify these actions are placed in the matching chains.
4.5.3.7.4.1. Using the Rich Rule Log Command Example 1
Enable new IPv4 and IPv6 connections for authentication header protocol AH:
rule protocol value="ah" accept
4.5.3.7.4.2. Using the Rich Rule Log Command Example 2
Allow new IPv4 and IPv6 connections for protocol FTP and log 1 per minute using audit:
rule service name="ftp" log limit value="1/m" audit accept
4.5.3.7.4.3. Using the Rich Rule Log Command Example 3
Allow new IPv4 connections from address 192.168.0.0/24 for protocol TFTP and log 1 per minute using syslog:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
4.5.3.7.4.4. Using the Rich Rule Log Command Example 4
New IPv6 connections from 1:2:3:4:6:: for protocol RADIUS are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
4.5.3.7.4.5. Using the Rich Rule Log Command Example 5
Forward IPv6 packets received from 1:2:3:4:6:: on port 4011 with protocol TCP to 1::2:3:4:7 on port 4012.
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"


4.5.3.7.4.6. Using the Rich Rule Log Command Example 6
Whitelist a source address to allow all connections from this source.
rule family="ipv4" source address="192.168.2.2" accept
See the firewalld.richlanguage(5) man page for more examples.
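As an added example that is not part of the guide, the following Python checker applies the rule structure from 4.5.3.7.2 and the constraints listed in 4.5.3.7.3 (one element per rule, family required with addresses and forward-port, no action on masquerade, icmp-block and forward-port, the log level set and the rate/duration limit syntax) to rich rule strings, and is exercised with Examples 1 to 6 above. The error messages, and the assumption that every other rule must name an action, are this example's own.

```python
"""Checker for firewalld rich rule strings (added example, not the guide's code)."""
import shlex

FAMILIES = {"ipv4", "ipv6"}
ELEMENTS = {"service", "port", "protocol", "masquerade", "icmp-block", "forward-port", "source-port"}
NO_ACTION_ELEMENTS = {"masquerade", "icmp-block", "forward-port"}  # these imply their action
ACTIONS = {"accept", "reject", "drop", "mark"}
LOG_LEVELS = {"emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"}
DURATIONS = {"s", "m", "h", "d"}
REQUIRED_KEYS = {  # mandatory key=value pairs per element, taken from the option list above
    "service": {"name"}, "port": {"port", "protocol"}, "protocol": {"value"}, "masquerade": set(),
    "icmp-block": {"name"}, "forward-port": {"port", "protocol"}, "source-port": {"port", "protocol"}}


def parse(rule):
    """Split one rich rule into its clauses; raises ValueError on a syntax problem."""
    toks = shlex.split(rule)  # shlex also strips the quotes around values
    if not toks or toks[0] != "rule":
        raise ValueError("a rule must start with the keyword 'rule'")
    r = dict.fromkeys(("family", "source", "destination", "element", "log", "audit", "action"))
    i = 1

    def args():
        # Gather the key=value tokens (and a bare NOT) that follow a keyword.
        nonlocal i
        out = {}
        while i < len(toks) and ("=" in toks[i] or toks[i] == "NOT"):
            k, _, v = toks[i].partition("=")
            out[k] = v or True
            i += 1
        return out

    while i < len(toks):
        t = toks[i]
        i += 1
        if t.startswith("family="):
            r["family"] = t.partition("=")[2]
        elif t in ("source", "destination"):
            r[t] = args()
        elif t in ELEMENTS:
            if r["element"] is not None:
                raise ValueError("only one element is allowed per rule")
            r["element"] = (t, args())
        elif t in ("log", "audit"):
            r[t] = args()
            if i < len(toks) and toks[i] == "limit":  # optional "limit value=rate/duration"
                i += 1
                r[t]["limit"] = args().get("value", "")
        elif t in ACTIONS:
            if r["action"] is not None:
                raise ValueError("only one action is allowed per rule")
            r["action"] = (t, args())
        else:
            raise ValueError("unexpected token %r" % t)
    return r


def _bad_limit(value):
    # rate/duration with rate a positive integer and duration s, m, h or d; within these
    # bounds nothing slower than the documented maximum of 1/d can be expressed.
    rate, _, dur = value.partition("/")
    return not rate.isdigit() or int(rate) < 1 or dur not in DURATIONS


def validate(rule):
    """Return the problems found in the rule; an empty list means it is acceptable."""
    try:
        r = parse(rule)
    except ValueError as e:
        return [str(e)]
    errors = []
    elem, eargs = r["element"] if r["element"] else (None, {})
    if r["family"] is not None and r["family"] not in FAMILIES:
        errors.append("family must be ipv4 or ipv6")
    uses_address = any(r[k] and "address" in r[k] for k in ("source", "destination"))
    if r["family"] is None and (uses_address or elem == "forward-port"):
        errors.append("family is required when addresses or forward-port are used")
    if elem is None and r["source"] is None:
        errors.append("rule must contain an element or a source")
    if elem is not None:
        missing = REQUIRED_KEYS[elem] - set(eargs)
        if missing:
            errors.append("%s is missing %s" % (elem, ", ".join(sorted(missing))))
        if elem in ("port", "forward-port", "source-port") and eargs.get("protocol") not in ("tcp", "udp"):
            errors.append("%s protocol must be tcp or udp" % elem)
        if elem == "forward-port" and not {"to-port", "to-addr"} & set(eargs):
            errors.append("forward-port needs to-port and/or to-addr")
    if elem in NO_ACTION_ELEMENTS and r["action"] is not None:
        errors.append("%s must not be combined with an action" % elem)
    if elem not in NO_ACTION_ELEMENTS and r["action"] is None:
        errors.append("rule needs an action (accept, reject, drop or mark)")
    for clause in ("log", "audit"):
        if r[clause] is not None and "limit" in r[clause] and _bad_limit(r[clause]["limit"]):
            errors.append("%s limit must be rate/duration, rate >= 1, duration s, m, h or d" % clause)
    if r["log"] is not None and "level" in r["log"] and r["log"]["level"] not in LOG_LEVELS:
        errors.append("unknown log level %s" % r["log"]["level"])
    if r["action"] and r["action"][0] == "mark" and "set" not in r["action"][1]:
        errors.append('mark requires set="mark[/mask]"')
    return errors
```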

4.5.3.8. Firewall Lockdown
Local applications or services are able to change the firewall configuration if they are running as root (for example, libvirt). With this feature, the administrator can lock the firewall configuration so that either no applications or only applications that are added to the lockdown whitelist are able to request firewall changes. The lockdown settings default to disabled. If enabled, the user can be sure that there are no unwanted configuration changes made to the firewall by local applications or services.
4.5.3.8.1. Configuring Firewall Lockdown
Using an editor running as root, add the following line to the /etc/firewalld/firewalld.conf file as follows:
Lockdown=yes
Reload the firewall using the following command as root:
~]# firewall-cmd --reload
Try to enable the imaps service in the default zone using the following command as an administrative user (a user in the wheel group; usually the first user on the system). You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
Error: ACCESS_DENIED: lockdown is enabled
To enable the use of firewall-cmd, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*'
Add the --permanent option if you want to make it persistent.
Reload the firewall as root:
~]# firewall-cmd --reload
Try to enable the imaps service again in the default zone by entering the following command as an administrative user. You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
This time the command succeeds.


4.5.3.8.2. Configuring IP Set Options with the Command-Line Client
IP sets can be used in firewalld zones as sources and also as sources in rich rules. It is also possible to use the IP sets created with firewalld in a direct rule.
To list the IP sets known to firewalld in the permanent environment, use the following command as root:
~]# firewall-cmd --permanent --get-ipsets
To add a new IP set, use the following command using the permanent environment as root:
~]# firewall-cmd --permanent --new-ipset=test --type=hash:net
success
The previous command creates a new IP set with the name test and the hash:net type for IPv4. To create an IP set for use with IPv6, add the --option=family=inet6 option. To make the new setting effective in the runtime environment, reload firewalld. List the new IP set with the following command as root:
~]# firewall-cmd --permanent --get-ipsets
test
To get more information about the IP set, use the following command as root:
~]# firewall-cmd --permanent --info-ipset=test
test
type: hash:net
options:
entries:
Note that the IP set does not have any entries at the moment. To add an entry to the test IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --add-entry=192.168.0.1
success
The previous command adds the IP address 192.168.0.1 to the IP set. To get the list of current entries in the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
Generate a file containing a list of IP addresses, for example:
~]# cat > iplist.txt <





Following is an example whitelist configuration file enabling all commands for the firewall-cmd utility, for a user called user whose user ID is 815:
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /usr/bin/firewall-cmd*"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
This example shows both user id and user name, but only one option is required. Python is the interpreter and is prepended to the command line. You can also use a specific command, for example:
/usr/bin/python /bin/firewall-cmd --lockdown-on
In that example only the --lockdown-on command will be allowed.

Note
In Red Hat Enterprise Linux 7, all utilities are placed in the /usr/bin/ directory and the /bin/ directory is sym-linked to the /usr/bin/ directory. In other words, although the path for firewall-cmd when run as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location. But be aware that if scripts that run as root have been written to use the /bin/firewall-cmd path, then that command path must be whitelisted in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
The “*” at the end of the name attribute of a command means that all commands that start with this string will match. If the “*” is not there then the absolute command including arguments must match.
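Added example, not the guide's or firewalld's own code: the Python below reads a lockdown whitelist in the format described in this section (the XML string is constructed here to match the example for user 815) and applies the matching rules from the note above. Its checks include the case the note warns about, a root script that calls /bin/firewall-cmd while only the /usr/bin/firewall-cmd* entry is whitelisted.

```python
"""Lockdown whitelist decisions for firewalld (added example, not the guide's code)."""
import xml.etree.ElementTree as ET

# Constructed whitelist in the format shown above: the firewall-cmd command line with the
# Python interpreter prepended, plus one user given both by id and by name.
WHITELIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /usr/bin/firewall-cmd*"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
"""


def load_whitelist(xml_text):
    """Return (command entries, user ids, user names) from a lockdown-whitelist file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    commands = [c.get("name") for c in root.findall("command")]
    user_ids = {int(u.get("id")) for u in root.findall("user") if u.get("id") is not None}
    user_names = {u.get("name") for u in root.findall("user") if u.get("name") is not None}
    return commands, user_ids, user_names


def command_matches(entry, cmdline):
    """A trailing '*' makes the entry match every command line that starts with the text
    before it; without it the complete command line, arguments included, must be identical."""
    if entry.endswith("*"):
        return cmdline.startswith(entry[:-1])
    return cmdline == entry


def change_allowed(whitelist, cmdline, uid, user):
    """With Lockdown=yes, a change request passes if the caller's uid or user name is
    whitelisted, or the full command line (interpreter included) matches a command entry."""
    commands, user_ids, user_names = whitelist
    if uid in user_ids or user in user_names:
        return True
    return any(command_matches(entry, cmdline) for entry in commands)
```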

4.5.3.9. Configuring Logging for Denied Packets


With the LogDenied option in firewalld, it is possible to add a simple logging mechanism for denied packets. These are the packets that are rejected or dropped. To change the setting of the logging, edit the /etc/firewalld/firewalld.conf file or use the command-line or GUI configuration tool.
If LogDenied is enabled, logging rules are added right before the reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also the final reject and drop rules in zones. The possible values for this setting are: all, unicast, broadcast, multicast, and off. The default setting is off. With the unicast, broadcast, and multicast setting, the pkttype match is used to match the link-layer packet type. With all, all packets are logged.
To list the actual LogDenied setting with firewall-cmd, use the following command as root:
~]# firewall-cmd --get-log-denied
off
To change the LogDenied setting, use the following command as root:
~]# firewall-cmd --set-log-denied=all
success
To change the LogDenied setting with the firewalld GUI configuration tool, start firewall-config, click the Options menu and select the Change Log Denied menu item. The LogDenied window appears. Select the new LogDenied setting from the drop-down menu and click OK.

4.5.4. Using the iptables Service
To use the iptables and ip6tables services instead of firewalld, first disable firewalld by running the following commands as root:
~]# systemctl disable firewalld
~]# systemctl stop firewalld
Then install the iptables-services package by entering the following command as root:
~]# yum install iptables-services
The iptables-services package contains the iptables service and the ip6tables service. Then, to start the iptables and ip6tables services, enter the following commands as root:
~]# systemctl start iptables
~]# systemctl start ip6tables
To enable the services to start on every system start, enter the following commands:
~]# systemctl enable iptables
~]# systemctl enable ip6tables

4.5.4.1. IPTables and IP Sets


The ipset utility is used to administer IP sets in the Linux kernel. An IP set is a framework for storing IP addresses, port numbers, IP and MAC address pairs, or IP address and port number pairs. The sets are indexed in such a way that very fast matching can be made against a set even when the sets are very large. IP sets enable simpler and more manageable configurations as well as providing performance advantages when using iptables. The iptables matches and targets referring to sets create references which protect the given sets in the kernel. A set cannot be destroyed while there is a single reference pointing to it.
The use of ipset enables iptables commands, such as those below, to be replaced by a set:
~]# iptables -A INPUT -s 10.0.0.0/8 -j DROP
~]# iptables -A INPUT -s 172.16.0.0/12 -j DROP
~]# iptables -A INPUT -s 192.168.0.0/16 -j DROP
The set is created as follows:
~]# ipset create my-block-set hash:net
~]# ipset add my-block-set 10.0.0.0/8
~]# ipset add my-block-set 172.16.0.0/12
~]# ipset add my-block-set 192.168.0.0/16
The set is then referenced in an iptables command as follows:
~]# iptables -A INPUT -m set --match-set my-block-set src -j DROP
If the set is used more than once, a saving in configuration time is made. If the set contains many entries, a saving in processing time is made.
4.5.4.1.1. Using IP Sets with firewalld
To use IP sets with firewalld, a permanent direct rule is required to reference the set, and a custom service must be created and started before firewalld starts for every ipset. You can add permanent direct rules with the /etc/firewalld/direct.xml file.
Procedure 4.1. Configuring a Custom Service for an IP Set
Configure a custom service to create and load the IP set structure before firewalld starts.
1. Using an editor running as root, create a file as follows:
~]# vi /etc/systemd/system/ipset_name.service
[Unit]
Description=ipset_name
Before=firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ipset_name.sh start


ExecStop=/usr/local/bin/ipset_name.sh stop
[Install]
WantedBy=basic.target
2. Use the IP set permanently in firewalld:
~]# vi /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set ipset_name src -j DROP</rule>
</direct>
3. A firewalld reload is required to activate the changes:
~]# firewall-cmd --reload
This will reload the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
4.5.4.1.2. Installing ipset
To install the ipset utility, enter the following command as root:
~]# yum install ipset
To see the usage message:
~]$ ipset --help
ipset v6.11
Usage: ipset [options] COMMAND
output truncated
4.5.4.1.3. ipset Commands
The format of the ipset command is as follows:
ipset [options] command [command-options]
Where command is one of:
create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version
Allowed options are:
-exist | -output [ plain | save | xml ] | -quiet | -resolve | -sorted | -name | -terse


The create command is us e d to cre ate a ne w data s tructure to s tore a s e t of IP data. The
add command adds ne w data to the s e t, the data adde d is re fe rre d to as an e le me nt of
the s e t.
The -exist option s uppre s s e s e rror me s s age if the e le me nt alre ady e xis ts , and it has a
s pe cial role in updating a time out value . To change a time out, us e the ipset add
command and s pe cify all the data for the e le me nt again, changing only the time out value
as re quire d, and us ing the -exist option.
The test option is for te s ting if the e le me nt alre ady e xis ts within a s e t.
The format of the create command is as follows :
ipset create set-name type-name [create-options]
The set-name is a s uitable name chos e n by the us e r, the type-name is the name of the
data s tructure us e d to s tore the data compris ing the s e t. The format of the type-name is
as follows :
method:datatype[,datatype[,datatype]]
The allowe d me thods for s toring data are :
bitmap | hash | list
The allowe d data type s are :
ip | net | mac | port | iface
Whe n adding, de le ting, or te s ting e ntrie s in a s e t, the s ame comma s e parate d data s yntax
mus t be us e d for the data that make s up one e ntry, or e le me nt, in the s e t. For e xample :
ipset add set-name ipaddr,portnum,ipaddr

No te
A s e t cannot contain IPv4 and IPv6 addre s s e s at the s ame time . Whe n a s e t is
cre ate d it is bound to a family, inet for IPv4 or inet6 for IPv6, and the de fault is
inet.

Example 4.2. Create an IP Set
To create an IP set consisting of a source IP address, a port, and destination IP address, run a command as follows:
~]# ipset create my-set hash:ip,port,ip
Once the set is created, entries can be added as follows:
~]# ipset add my-set 192.168.1.2,80,192.168.2.2
~]# ipset add my-set 192.168.1.2,443,192.168.2.2
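The element syntax described above (one comma-separated field per data type in the type-name, and all addresses of the set's one family) is easy to get wrong when many entries are loaded at once. The following script is an added example, not part of the guide or of the ipset project: it checks each element against the set's type-name and the inet/inet6 family before emitting it in the line-based format that the restore command reads. The set name, type and element values are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example: build an "ipset restore" script from a set definition and a
# list of elements, rejecting elements whose field count or address family
# does not match the set's type-name (method:datatype[,datatype[,datatype]]).

# Number of non-empty comma-separated fields in $1 ("ip,port,ip" -> 3).
field_count() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c . || true
}

# element_fits_type TYPE ELEMENT [FAMILY]: 0 when ELEMENT has one field per
# data type of TYPE and every ip/net field belongs to FAMILY (default inet).
element_fits_type() {
    type_name=$1; element=$2; family=${3:-inet}
    datatypes=${type_name#*:}                 # strip the "hash:" or "bitmap:" method
    want=$(field_count "$datatypes")
    have=$(field_count "$element")
    [ "$want" -eq "$have" ] || return 1       # also catches an empty field ("a,,b")
    i=1
    while [ "$i" -le "$want" ]; do
        dt=$(printf '%s\n' "$datatypes" | cut -d, -f"$i")
        field=$(printf '%s\n' "$element" | cut -d, -f"$i")
        case "$dt" in
            ip|net)
                case "$family:$field" in
                    inet:*:*)  return 1 ;;    # IPv6 literal in an inet set
                    inet6:*.*) return 1 ;;    # dotted IPv4 in an inet6 set
                esac ;;
        esac
        i=$((i + 1))
    done
    return 0
}

# build_restore NAME TYPE [FAMILY] reads elements from stdin, one per line, and
# prints the create/add lines that "ipset restore" accepts; bad elements are
# reported on stderr and left out.
build_restore() {
    set_name=$1; set_type=$2; set_family=$3
    if [ -n "$set_family" ]; then
        printf 'create %s %s family %s\n' "$set_name" "$set_type" "$set_family"
    else
        printf 'create %s %s\n' "$set_name" "$set_type"
    fi
    while IFS= read -r element; do
        [ -n "$element" ] || continue
        if element_fits_type "$set_type" "$element" "${set_family:-inet}"; then
            printf 'add %s %s\n' "$set_name" "$element"
        else
            printf 'skipping %s: does not fit %s\n' "$element" "$set_type" >&2
        fi
    done
}

# Constructed input; the last two lines are deliberately wrong (too few fields,
# IPv6 in an inet set). Load the output with: ipset -exist restore < my-set.restore
printf '192.168.1.2,80,192.168.2.2\n192.168.1.2,443,192.168.2.2\n10.0.0.1,80\n2001:db8::1,80,2001:db8::2\n' \
    | build_restore my-set hash:ip,port,ip
```

Feeding the generated file to `ipset -exist restore` (the -exist option goes before the command, as in the synopsis above) makes the load idempotent: re-running it after the set already exists does not fail on the create line or on duplicate elements.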

108

Chapter 4. Hardening Your System with Tools and Services

The set types have the following optional parameters in common. They must be specified when the set is created in order for them to be used:
timeout — The value given with the create command will be the default value for the set created. If a value is given with the add command, it will be the initial non-default value for the element.
counters — If the option is given with the create command then packet and byte counters are created for every element in the set. If no value is given with the add command then the counters start from zero.
comment — If the option is given with the create command then a quoted string of text can be passed with the add command to document the purpose of the element being added. Note that quotation marks are not allowed within the string, and escape characters will have no effect within IP set.

Example 4.3. List an IP Set
To list the contents of a specific IP set, my-set, run a command as follows:
~]# ipset list my-set
Name: my-set
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8360
References: 0
Members:
192.168.1.2,tcp:80,192.168.2.2
192.168.1.2,tcp:443,192.168.2.2
Omit the set name to list all sets.

Example 4.4. Test the Elements of an IP Set
Listing the contents of large sets is time consuming. You can test for the existence of an element as follows:
~]# ipset test my-set 192.168.1.2,80,192.168.2.2
192.168.1.2,tcp:80,192.168.2.2 is in set my-set.

4.5.4.1.4. IP Set Types
bitmap:ip
Stores an IPv4 host address, a network range, or an IPv4 network address with the prefix-length in CIDR notation if the netmask option is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to 65536 entries. The command to create the bitmap:ip set has the following format:
ipset create set-name bitmap:ip range start_ipaddr-end_ipaddr | ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]

Example 4.5. Create an IP Set for a Range of Addresses Using a Prefix Length
To create an IP set for a range of addresses using a prefix length, make use of the bitmap:ip set type as follows:
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.33.1
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addresses:
~]# ipset add my-range 192.168.33.2-192.168.33.4
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4

Example 4.6. Create an IP Set for a Range of Addresses Using a Netmask
To create an IP set for a range of addresses using a netmask, make use of the bitmap:ip set type as follows:
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24


Once the set is created, entries can be added as follows:
~]# ipset add my-big-range 192.168.124.0
If you attempt to add an address, the range containing that address will be added:
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24
Size in memory: 84
References: 0
Members:
192.168.124.0
192.168.125.0
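Examples 4.5 and 4.6 show ipset normalizing what it is given: a /28 becomes the explicit start-end range in the set header, and with netmask 24 an address added to the set is stored as the whole /24 block it falls in. The shell functions below are an added example, not code from the guide or from ipset; they reproduce that arithmetic so a range can be checked before the set is created, including the limit of 65536 entries for a bitmap:ip set stated above. The addresses are those of the two examples; the function names are my own.

```shell
#!/bin/sh
# Added example: the range arithmetic a bitmap:ip set applies, done in plain
# shell so a range can be checked before "ipset create" runs.

# Dotted IPv4 address to a 32-bit integer and back.
ip_to_int() {
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network mask for a prefix length, as an integer (prefix 0 gives 0).
prefix_mask() {
    [ "$1" -gt 0 ] && echo $(( (4294967295 << (32 - $1)) & 4294967295 )) || echo 0
}

# cidr_to_range 192.168.33.0/28 -> 192.168.33.0-192.168.33.15 (the Example 4.5 header)
cidr_to_range() {
    base=$(ip_to_int "${1%/*}"); mask=$(prefix_mask "${1#*/}")
    first=$(( base & mask ))
    last=$(( first | (~mask & 4294967295) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# netmask_block 192.168.125.150 24 -> 192.168.125.0: the element a set created
# with "netmask 24" actually stores (Example 4.6)
netmask_block() {
    int_to_ip $(( $(ip_to_int "$1") & $(prefix_mask "$2") ))
}

# bitmap_header_range RANGE [PREFIX]: RANGE as "start-end" or CIDR; prints the
# range as ipset reports it in "Header:", both ends widened to whole netmask
# blocks (192.168.124.0-192.168.126.0 with 24 -> 192.168.124.0-192.168.126.255)
bitmap_header_range() {
    range=$1; prefix=${2:-32}
    case "$range" in */*) range=$(cidr_to_range "$range") ;; esac
    block=$(( 1 << (32 - prefix) ))
    start=$(( $(ip_to_int "${range%-*}") / block * block ))
    end=$(( $(ip_to_int "${range#*-}") / block * block + block - 1 ))
    echo "$(int_to_ip "$start")-$(int_to_ip "$end")"
}

# bitmap_entries RANGE [PREFIX]: number of elements the bitmap has room for;
# exits 1 when that exceeds the 65536 entries a bitmap:ip set can hold.
bitmap_entries() {
    prefix=${2:-32}
    hr=$(bitmap_header_range "$1" "$prefix")
    block=$(( 1 << (32 - prefix) ))
    n=$(( ( $(ip_to_int "${hr#*-}") - $(ip_to_int "${hr%-*}") + 1 ) / block ))
    echo "$n"
    [ "$n" -le 65536 ]
}

# The ranges from the examples above:
cidr_to_range 192.168.33.0/28                          # 192.168.33.0-192.168.33.15
netmask_block 192.168.125.150 24                       # 192.168.125.0
bitmap_header_range 192.168.124.0-192.168.126.0 24     # 192.168.124.0-192.168.126.255
bitmap_entries 192.168.124.0-192.168.126.0 24          # 3
bitmap_entries 10.0.0.0/8 || echo "too large for bitmap:ip"
```

The last call shows the failure mode the 65536-entry limit creates: a /8 needs 16777216 bitmap entries, so ipset would refuse to create it, whereas the same /8 with netmask 24 needs only 65536 and fits exactly.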
bitmap:ip,mac
Stores an IPv4 address and a MAC address as a pair. It can store up to 65536 entries.
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value] [counters] [comment]

Example 4.7. Create an IP Set for a Range of IPv4 MAC Address Pairs
To create an IP set for a range of IPv4 MAC address pairs, make use of the bitmap:ip,mac set type as follows:
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not necessary to specify a MAC address when creating the set.
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
bitmap:port
Stores a range of ports. It can store up to 65536 entries.
ipset create my-port-range bitmap:port range start_port-end_port [timeout value] [counters] [comment]
The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port. The proto only needs to be specified if a service name is used, and that name does not exist as a TCP service.

Example 4.8. Create an IP Set for a Range of Ports
To create an IP set for a range of ports, make use of the bitmap:port set type as follows:
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the set is created, entries can be added as follows:
~]# ipset add my-permitted-port-range 5060-5061
hash:ip
Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored.
ipset create my-addresses hash:ip [family[ inet | inet6 ]] [hashsize value] [maxelem value] [netmask prefix-length] [timeout value]
The inet family is the default; if family is omitted, addresses will be interpreted as IPv4 addresses. The hashsize value is the initial hash size to use and defaults to 1024. The maxelem value is the maximum number of elements which can be stored in the set; it defaults to 65536.
The netfilter tool searches for the most specific network prefix; it tries to find the smallest block of addresses that match.

Example 4.9. Create an IP Set for IP Addresses
To create an IP set for IP addresses, make use of the hash:ip set type as follows:
~]# ipset create my-addresses hash:ip
Once the set is created, entries can be added as follows:
~]# ipset add my-addresses 10.10.10.0
If additional options such as netmask and timeout are required, they must be specified when the set is created. For example:
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The maxelem option restricts the total number of elements in the set, thus conserving memory space.
The timeout option means that elements will only exist in the set for the number of seconds specified. For example:
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output shows the time counting down:


~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
The element will be removed from the set when the timeout period ends.
See the ipset(8) manual page for more examples.

4.5.5. Additional Resources
The following sources of information provide additional resources regarding firewalld.

4.5.5.1. Installed Documentation
firewalld(1) man page — Describes command options for firewalld.
firewalld.conf(5) man page — Contains information to configure firewalld.
firewalld-applet(1) man page — Describes settings for the firewall-applet tool.
firewall-cmd(1) man page — Describes command options for the firewalld command-line client.
firewall-config(1) man page — Describes settings for the firewall-config tool.
firewall-offline-cmd(1) man page — Describes command options for the firewalld offline command-line client.
firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
firewalld.ipset(5) man page — Describes XML configuration files for the firewalld IP sets.
firewalld.service(5) man page — Describes XML configuration files for firewalld service.
firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
firewalld.direct(5) man page — Describes the firewalld direct interface configuration file.


firewalld.lockdown-whitelist(5) man page — Describes the firewalld lockdown whitelist configuration file.
firewall.richlanguage(5) man page — Describes the firewalld rich language rule syntax.
firewalld.zones(5) man page — General description of what zones are and how to configure them.
firewalld.dbus(5) man page — Describes the D-Bus interface of firewalld.

4.5.5.2. Online Documentation
http://www.firewalld.org/ — firewalld home page.

4.6. Securing DNS Traffic with DNSSEC
4.6.1. Introduction to DNSSEC
DNSSEC is a set of Domain Name System Security Extensions (DNSSEC) that enables a DNS client to authenticate and check the integrity of responses from a DNS name server in order to verify their origin and to determine if they have been tampered with in transit.

4.6.2. Understanding DNSSEC
For connecting over the Internet, a growing number of websites now offer the ability to connect securely using HTTPS. However, before connecting to an HTTPS webserver, a DNS lookup must be performed, unless you enter the IP address directly. These DNS lookups are done insecurely and are subject to man-in-the-middle attacks due to lack of authentication. In other words, a DNS client cannot have confidence that the replies that appear to come from a given DNS name server are authentic and have not been tampered with. More importantly, a recursive name server cannot be sure that the records it obtains from other name servers are genuine. The DNS protocol did not provide a mechanism for the client to ensure it was not subject to a man-in-the-middle attack. DNSSEC was introduced to address the lack of authentication and integrity checks when resolving domain names using DNS. It does not address the problem of confidentiality.
Publishing DNSSEC information involves digitally signing DNS resource records as well as distributing public keys in such a way as to enable DNS resolvers to build a hierarchical chain of trust. Digital signatures for all DNS resource records are generated and added to the zone as digital signature resource records (RRSIG). The public key of a zone is added as a DNSKEY resource record. To build the hierarchical chain, hashes of the DNSKEY are published in the parent zone as Delegation of Signing (DS) resource records. To facilitate proof of non-existence, the NextSECure (NSEC) and NSEC3 resource records are used. In a DNSSEC signed zone, each resource record set (RRset) has a corresponding RRSIG resource record. Note that records used for delegation to a child zone (NS and glue records) are not signed; these records appear in the child zone and are signed there.
Processing DNSSEC information is done by resolvers that are configured with the root zone public key. Using this key, resolvers can verify the signatures used in the root zone. For example, the root zone has signed the DS record for .com. The root zone also serves NS and glue records for the .com name servers. The resolver follows this delegation and queries for the DNSKEY record of .com using these delegated name servers. The hash of the DNSKEY record obtained should match the DS record in the root zone. If so, the resolver will trust the obtained DNSKEY for .com. In the .com zone, the RRSIG records are created by the .com DNSKEY. This process is repeated similarly for delegations within .com, such as redhat.com. Using this method, a validating DNS resolver only needs to be configured with one root key while it collects many DNSKEYs from around the world during its normal operation. If a cryptographic check fails, the resolver will return SERVFAIL to the application.
DNSSEC has been designed in such a way that it will be completely invisible to applications not supporting DNSSEC. If a non-DNSSEC application queries a DNSSEC capable resolver, it will receive the answer without any of these new resource record types such as RRSIG. However, the DNSSEC capable resolver will still perform all cryptographic checks, and will still return a SERVFAIL error to the application if it detects malicious DNS answers. DNSSEC protects the integrity of the data between DNS servers (authoritative and recursive); it does not provide security between the application and the resolver. Therefore, it is important that the applications are given a secure transport to their resolver. The easiest way to accomplish that is to run a DNSSEC capable resolver on localhost and use 127.0.0.1 in /etc/resolv.conf. Alternatively a VPN connection to a remote DNS server could be used.

Understanding the Hotspot Problem
Wi-Fi Hotspots or VPNs rely on “DNS lies”: Captive portals tend to hijack DNS in order to redirect users to a page where they are required to authenticate (or pay) for the Wi-Fi service. Users connecting to a VPN often need to use an “internal only” DNS server in order to locate resources that do not exist outside the corporate network. This requires additional handling by software. For example, dnssec-trigger can be used to detect if a Hotspot is hijacking the DNS queries and unbound can act as a proxy name server to handle the DNSSEC queries.

Choosing a DNSSEC Capable Recursive Resolver
To deploy a DNSSEC capable recursive resolver, either BIND or unbound can be used. Both enable DNSSEC by default and are configured with the DNSSEC root key. To enable DNSSEC on a server, either will work; however, the use of unbound is preferred on mobile devices, such as notebooks, as it allows the local user to dynamically reconfigure the DNSSEC overrides required for Hotspots when using dnssec-trigger, and for VPNs when using Libreswan. The unbound daemon further supports the deployment of DNSSEC exceptions listed in the /etc/unbound/*.d/ directories, which can be useful to both servers and mobile devices.

4.6.3. Understanding Dnssec-trigger
Once unbound is installed and configured in /etc/resolv.conf, all DNS queries from applications are processed by unbound. dnssec-trigger only reconfigures the unbound resolver when triggered to do so. This mostly applies to roaming client machines, such as laptops, that connect to different Wi-Fi networks. The process is as follows:
NetworkManager “triggers” dnssec-trigger when a new DNS server is obtained through DHCP.
Dnssec-trigger then performs a number of tests against the server and decides whether or not it properly supports DNSSEC.
If it does, then dnssec-trigger reconfigures unbound to use that DNS server as a forwarder for all queries.


If the tests fail, dnssec-trigger will ignore the new DNS server and try a few available fall-back methods.
If it determines that an unrestricted port 53 (UDP and TCP) is available, it will tell unbound to become a full recursive DNS server without using any forwarder.
If this is not possible, for example because port 53 is blocked by a firewall for everything except reaching the network's DNS server itself, it will try to use DNS to port 80, or TLS encapsulated DNS to port 443. Servers running DNS on port 80 and 443 can be configured in /etc/dnssec-trigger/dnssec-trigger.conf. Commented out examples should be available in the default configuration file.
If these fall-back methods also fail, dnssec-trigger offers to either operate insecurely, which would bypass DNSSEC completely, or run in “cache only” mode where it will not attempt new DNS queries but will answer for everything it already has in the cache.
Wi-Fi Hotspots increasingly redirect users to a sign-on page before granting access to the Internet. During the probing sequence outlined above, if a redirection is detected, the user is prompted to ask if a login is required to gain Internet access. The dnssec-trigger daemon continues to probe for DNSSEC resolvers every ten seconds. See Section 4.6.8, “Using Dnssec-trigger” for information on using the dnssec-trigger graphical utility.

4.6.4. VPN Supplied Domains and Name Servers
Some types of VPN connections can convey a domain and a list of name servers to use for that domain as part of the VPN tunnel setup. On Red Hat Enterprise Linux, this is supported by NetworkManager. This means that the combination of unbound, dnssec-trigger, and NetworkManager can properly support domains and name servers provided by VPN software. Once the VPN tunnel comes up, the local unbound cache is flushed for all entries of the domain name received, so that queries for names within the domain name are fetched fresh from the internal name servers reached using the VPN. When the VPN tunnel is terminated, the unbound cache is flushed again to ensure any queries for the domain will return the public IP addresses, and not the previously obtained private IP addresses. See Section 4.6.11, “Configuring DNSSEC Validation for Connection Supplied Domains”.

4.6.5. Recommended Naming Practices
Red Hat recommends that both static and transient names match the fully-qualified domain name (FQDN) used for the machine in DNS, such as host.example.com.
The Internet Corporation for Assigned Names and Numbers (ICANN) sometimes adds previously unregistered Top-Level Domains (such as .yourcompany) to the public register. Therefore, Red Hat strongly recommends that you do not use a domain name that is not delegated to you, even on a private network, as this can result in a domain name that resolves differently depending on network configuration. As a result, network resources can become unavailable. Using domain names that are not delegated to you also makes DNSSEC more difficult to deploy and maintain, as domain name collisions require manual configuration to enable DNSSEC validation. See the ICANN FAQ on domain name collision for more information on this issue.

4.6.6. Understanding Trust Anchors


In a hierarchical cryptographic system, a trust anchor is an authoritative entity which is assumed to be trustworthy. For example, in X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. The trust anchor must be put in the possession of the trusting party beforehand to make path validation possible.
In the context of DNSSEC, a trust anchor consists of a DNS name and public key (or hash of the public key) associated with that name. It is expressed as a base 64 encoded key. It is similar to a certificate in that it is a means of exchanging information, including a public key, which can be used to verify and authenticate DNS records. RFC 4033 defines a trust anchor as a configured DNSKEY RR or DS RR hash of a DNSKEY RR. A validating security-aware resolver uses this public key or hash as a starting point for building the authentication chain to a signed DNS response. In general, a validating resolver will have to obtain the initial values of its trust anchors through some secure or trusted means outside the DNS protocol. Presence of a trust anchor also implies that the resolver should expect the zone to which the trust anchor points to be signed.
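The link that Section 4.6.2 and this section describe, a parent's DS record being the hash of the child's DNSKEY and a trust anchor being either of those records, can be checked by hand. The script below is an added example, not code from the guide, from BIND or from unbound: it recomputes the DS digest (SHA-256, digest type 2, as specified in RFC 4034 section 5.1.4: the hash of the owner name in canonical wire form followed by the DNSKEY RDATA) and the key tag (RFC 4034 appendix B) from a DNSKEY, and compares them with a DS line as it would be published in the parent zone. The DNSKEY used is constructed (flags 257, protocol 3, algorithm 8, and a three-byte public key "AQAB"), not a real key, and the function names are mine.

```shell
#!/bin/sh
# Added example: recompute a DS record from a DNSKEY and compare it with the DS
# published in the parent zone. Needs only coreutils (base64, sha256sum, od).

# Owner name in canonical wire format: lowercase, length-prefixed labels, NUL end.
name_to_wire() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}
    if [ -n "$name" ]; then
        printf '%s\n' "$name" | tr '.' '\n' | while IFS= read -r label; do
            printf "\\$(printf '%03o' "${#label}")%s" "$label"
        done
    fi
    printf '\000'
}

# DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key.
dnskey_rdata() {
    flags=$1; proto=$2; alg=$3; key_b64=$4
    printf "\\$(printf '%03o' $(( flags >> 8 )))\\$(printf '%03o' $(( flags & 255 )))"
    printf "\\$(printf '%03o' "$proto")\\$(printf '%03o' "$alg")"
    printf '%s' "$key_b64" | tr -d ' ' | base64 -d
}

# Key tag over the RDATA bytes in file $1 (RFC 4034 appendix B: 16-bit sum of
# the bytes taken as big-endian pairs, with the carry folded back in).
key_tag() {
    ac=0; i=0
    for b in $(od -An -v -tu1 "$1"); do
        if [ $(( i % 2 )) -eq 0 ]; then ac=$(( ac + (b << 8) )); else ac=$(( ac + b )); fi
        i=$(( i + 1 ))
    done
    ac=$(( ac + ((ac >> 16) & 65535) ))
    echo $(( ac & 65535 ))
}

# dnskey_to_ds OWNER FLAGS PROTO ALG KEY_B64 -> "keytag alg 2 SHA256DIGEST"
dnskey_to_ds() {
    tmp=$(mktemp -d)
    dnskey_rdata "$2" "$3" "$4" "$5" > "$tmp/rdata"
    { name_to_wire "$1"; cat "$tmp/rdata"; } > "$tmp/ds_input"   # digest input: owner | RDATA
    digest=$(sha256sum "$tmp/ds_input" | cut -d' ' -f1 | tr 'a-f' 'A-F')
    echo "$(key_tag "$tmp/rdata") $4 2 $digest"
    rm -rf "$tmp"
}

# ds_matches_dnskey "TAG ALG 2 DIGEST" OWNER FLAGS PROTO ALG KEY_B64: 0 on match.
ds_matches_dnskey() {
    published=$(printf '%s' "$1" | tr -s ' ' | tr 'a-f' 'A-F')
    shift
    [ "$published" = "$(dnskey_to_ds "$@")" ]
}

# Constructed DNSKEY, not a real key: KSK flags, protocol 3, RSASHA256, key bytes 01 00 01.
SAMPLE_OWNER=example.com.
SAMPLE_KEY=AQAB
SAMPLE_DS=$(dnskey_to_ds "$SAMPLE_OWNER" 257 3 8 "$SAMPLE_KEY")
echo "computed: $SAMPLE_OWNER IN DS $SAMPLE_DS"
ds_matches_dnskey "$SAMPLE_DS" "$SAMPLE_OWNER" 257 3 8 "$SAMPLE_KEY" && echo "DS matches DNSKEY"
```

Two properties of the computation are worth noticing in the checks: the owner name is part of the digest, so the same key under a different name yields a different DS (a DS cannot be transplanted between zones), and the name is canonicalized to lowercase first, so EXAMPLE.COM. and example.com. produce the same DS. For a real key, BIND's dnssec-dsfromkey performs the same computation.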

4.6.7. Installing DNSSEC
4.6.7.1. Installing unbound
In order to validate DNS using DNSSEC locally on a machine, it is necessary to install the DNS resolver unbound (or bind). It is only necessary to install dnssec-trigger on mobile devices. For servers, unbound should be sufficient although a forwarding configuration for the local domain might be required depending on where the server is located (LAN or Internet). dnssec-trigger will currently only help with the global public DNS zone. NetworkManager, dhclient, and VPN applications can often gather the domain list (and name server list as well) automatically, but not dnssec-trigger nor unbound.
To install unbound enter the following command as the root user:
~]# yum install unbound

4.6.7.2. Checking if unbound is Running
To determine whether the unbound daemon is running, enter the following command:
~]$ systemctl status unbound
unbound.service - Unbound recursive Domain Name Server
Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled)
Active: active (running) since Wed 2013-03-13 01:19:30 CET; 6h ago
The systemctl status command will report unbound as Active: inactive (dead) if the unbound service is not running.

4.6.7.3. Starting unbound
To start the unbound daemon for the current session, enter the following command as the root user:
~]# systemctl start unbound
Run the systemctl enable command to ensure that unbound starts up every time the system boots:


~]# systemctl enable unbound
The unbound daemon allows configuration of local data or overrides using the following directories:
The /etc/unbound/conf.d directory is used to add configurations for a specific domain name. This is used to redirect queries for a domain name to a specific DNS server. This is often used for sub-domains that only exist within a corporate WAN.
The /etc/unbound/keys.d directory is used to add trust anchors for a specific domain name. This is required when an internal-only name is DNSSEC signed, but there is no publicly existing DS record to build a path of trust. Another use case is when an internal version of a domain is signed using a different DNSKEY than the publicly available name outside the corporate WAN.
The /etc/unbound/local.d directory is used to add specific DNS data as a local override. This can be used to build blacklists or create manual overrides. This data will be returned to clients by unbound, but it will not be marked as DNSSEC signed.
NetworkManager, as well as some VPN software, may change the configuration dynamically. These configuration directories contain commented out example entries. For further information see the unbound.conf(5) man page.

4.6.7.4. Installing Dnssec-trigger
The dnssec-trigger application runs as a daemon, dnssec-triggerd. To install dnssec-trigger enter the following command as the root user:
~]# yum install dnssec-trigger

4.6.7.5. Checking if the Dnssec-trigger Daemon is Running
To determine whether dnssec-triggerd is running, enter the following command:
~]$ systemctl status dnssec-triggerd
systemctl status dnssec-triggerd.service
dnssec-triggerd.service - Reconfigure local DNS(SEC) resolver on network change
Loaded: loaded (/usr/lib/systemd/system/dnssec-triggerd.service; enabled)
Active: active (running) since Wed 2013-03-13 06:10:44 CET; 1h 41min ago
The systemctl status command will report dnssec-triggerd as Active: inactive (dead) if the dnssec-triggerd daemon is not running. To start it for the current session enter the following command as the root user:
~]# systemctl start dnssec-triggerd
Run the systemctl enable command to ensure that dnssec-triggerd starts up every time the system boots:
~]# systemctl enable dnssec-triggerd


4.6.8. Using Dnssec-trigger
The dnssec-trigger application has a GNOME panel utility for displaying DNSSEC probe results and for performing DNSSEC probe requests on demand. To start the utility, press the Super key to enter the Activities Overview, type DNSSEC and then press Enter. An icon resembling a ship's anchor is added to the message tray at the bottom of the screen. Press the round blue notification icon in the bottom right of the screen to reveal it. Right click the anchor icon to display a pop-up menu.
In normal operations unbound is used locally as the name server, and resolv.conf points to 127.0.0.1. When you click OK on the Hotspot Sign-On panel this is changed. The DNS servers are queried from NetworkManager and put in resolv.conf. Now you can authenticate on the Hotspot's sign-on page. The anchor icon shows a big red exclamation mark to warn you that DNS queries are being made insecurely. When authenticated, dnssec-trigger should automatically detect this and switch back to secure mode, although in some cases it cannot and the user has to do this manually by selecting Reprobe.
Dnssec-trigger does not normally require any user interaction. Once started, it works in the background and if a problem is encountered it notifies the user by means of a pop-up text box. It also informs unbound about changes to the resolv.conf file.

4.6.9. Using dig With DNSSEC
To see whether DNSSEC is working, one can use various command line tools. The best tool to use is the dig command from the bind-utils package. Other tools that are useful are drill from the ldns package and unbound-host from the unbound package. The old DNS utilities nslookup and host are obsolete and should not be used.
To send a query requesting DNSSEC data using dig, the option +dnssec is added to the command, for example:
~]$ dig +dnssec whitehouse.gov
; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-4.P2.el7 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21388
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov. IN A
;; ANSWER SECTION:
whitehouse.gov. 20 IN A 72.246.36.110
whitehouse.gov. 20 IN RRSIG A 7 2 20 20130825124016 20130822114016 8399
whitehouse.gov. BB8VHWEkIaKpaLprt3hq1GkjDROvkmjYTBxiGhuki/BJn3PoIGyrftxR
HH0377I0Lsybj/uZv5hL4UwWd/lw6Gn8GPikqhztAkgMxddMQ2IARP6p
wbMOKbSUuV6NGUT1WWwpbi+LelFMqQcAq3Se66iyH0Jem7HtgPEUE1Zc 3oI=
;; Query time: 227 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:01:52 EDT 2013
;; MSG SIZE  rcvd: 233


In addition to the A record, an RRSIG record is returned which contains the DNSSEC signature, as well as the inception time and expiration time of the signature. The unbound server indicated that the data was DNSSEC authenticated by returning the ad bit in the flags: section at the top.
If DNSSEC validation fails, the dig command would return a SERVFAIL error:
~]$ dig badsign-a.test.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> badsign-a.test.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN A
;; Query time: 1284 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:04:52 EDT 2013
;; MSG SIZE  rcvd: 60

To request more information about the failure, DNSSEC checking can be disabled by specifying the +cd option to the dig command:
~]$ dig +cd +dnssec badsign-a.test.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> +cd +dnssec badsign-a.test.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26065
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN A
;; ANSWER SECTION:
badsign-a.test.dnssec-tools.org. 49 IN A 75.119.216.33
badsign-a.test.dnssec-tools.org. 49 IN RRSIG A 5 4 86400 20130919183720
20130820173720 19442 test.dnssec-tools.org.
E572dLKMvYB4cgTRyAHIKKEvdOP7tockQb7hXFNZKVbfXbZJOIDREJrr
zCgAfJ2hykfY0yJHAlnuQvM0s6xOnNBSvc2xLIybJdfTaN6kSR0YFdYZ
n2NpPctn2kUBn5UR1BJRin3Gqy20LZlZx2KD7cZBtieMsU/IunyhCSc0 kYw=
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:06:31 EDT 2013
;; MSG SIZE  rcvd: 257

Often, DNSSEC mistakes manifest themselves by bad inception or expiration time, although in this example, the people at www.dnssec-tools.org have mangled this RRSIG signature on purpose, which we would not be able to detect by looking at this output manually. The error will show in the output of systemctl status unbound and the unbound daemon logs these errors to syslog as follows:
Aug 22 22:04:52 laptop unbound: [3065:0] info: validation failure badsign-a.test.dnssec-tools.org. A IN
An example using unbound-host:
~]$ unbound-host -C /etc/unbound/unbound.conf -v whitehouse.gov
whitehouse.gov has address 184.25.196.110 (secure)
whitehouse.gov has IPv6 address 2600:1417:11:2:8800::fc4 (secure)
whitehouse.gov has IPv6 address 2600:1417:11:2:8000::fc4 (secure)
whitehouse.gov mail is handled by 105 mail1.eop.gov. (secure)
whitehouse.gov mail is handled by 110 mail5.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail4.eop.gov. (secure)
whitehouse.gov mail is handled by 110 mail6.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail2.eop.gov. (secure)
whitehouse.gov mail is handled by 105 mail3.eop.gov. (secure)
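The three dig runs above differ in two header fields, the status and whether the ad bit is among the flags, and the unbound log line is where the failing name actually surfaces. The script below is an added example rather than code from the guide or from unbound; it classifies a dig response from those two fields and extracts the failing names from unbound's syslog messages, which is the check a monitoring job would run rather than reading the output by eye. The sample responses and log lines are constructed from the output shown in this section, cut down to the header lines the checks need.

```shell
#!/bin/sh
# Added example: classify "dig +dnssec" responses by status and ad bit, and
# pull the failing names out of unbound's "validation failure" log messages.

# dnssec_status RESPONSE -> secure | servfail | unvalidated | insecure | unknown
#   secure:      NOERROR with the ad (authenticated data) bit set by the resolver
#   servfail:    the resolver refused to answer (validation failure, or no answer at all)
#   unvalidated: answered with cd (checking disabled), so nothing was verified
#   insecure:    NOERROR without ad: an unsigned zone or a non-validating resolver
dnssec_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *" cd "*) echo unvalidated ;;
                *)        echo insecure ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# unbound_validation_failures LOGTEXT -> one failing owner name per line
unbound_validation_failures() {
    printf '%s\n' "$1" | sed -n 's/.*validation failure[ <]*\([^ >]*\).*/\1/p'
}

# Constructed samples: the header lines of the three dig runs in this section.
SECURE_RESPONSE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21388
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
SERVFAIL_RESPONSE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
CD_RESPONSE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26065
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
# Constructed syslog excerpt: one ordinary line plus the failure line shown above.
UNBOUND_LOG=$(cat <<'EOF'
Aug 22 22:04:50 laptop unbound: [3065:0] info: start of service
Aug 22 22:04:52 laptop unbound: [3065:0] info: validation failure badsign-a.test.dnssec-tools.org. A IN
EOF
)

echo "whitehouse.gov:            $(dnssec_status "$SECURE_RESPONSE")"      # secure
echo "badsign-a (validated):     $(dnssec_status "$SERVFAIL_RESPONSE")"    # servfail
echo "badsign-a (+cd):           $(dnssec_status "$CD_RESPONSE")"          # unvalidated
echo "unbound reported failures: $(unbound_validation_failures "$UNBOUND_LOG")"
```

Against a live resolver the same function is called as dnssec_status "$(dig +dnssec example.com)". Note that "insecure" is not an error on its own: it is what an unsigned zone looks like, and also what every answer looks like when /etc/resolv.conf points at a resolver that does not validate, so the two cases are told apart by querying a name known to be signed.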

4.6.10. Setting up Hotspot Detection Infrastructure for Dnssec-trigger
When connecting to a network, dnssec-trigger attempts to detect a Hotspot. A Hotspot is generally a device that forces user interaction with a web page before they can use the network resources. The detection is done by attempting to download a specific fixed web page with known content. If there is a Hotspot, then the content received will not be as expected.
To set up a fixed web page with known content that can be used by dnssec-trigger to detect a Hotspot, proceed as follows:
1. Set up a web server on some machine that is publicly reachable on the Internet. See the Web Servers chapter in the Red Hat Enterprise Linux 7 System Administrator's Guide.
2. Once you have the server running, publish a static page with known content on it. The page does not need to be a valid HTML page. For example, you could use a plain-text file named hotspot.txt that contains only the string OK. Assuming your server is located at example.com and you published your hotspot.txt file in the web server document_root/static/ sub-directory, then the address to your static web page would be example.com/static/hotspot.txt. See the DocumentRoot directive in the Web Servers chapter in the Red Hat Enterprise Linux 7 System Administrator's Guide.
3. Add the following line to the /etc/dnssec-trigger/dnssec-trigger.conf file:
url: "http://example.com/static/hotspot.txt OK"
This command adds a URL that is probed using HTTP (port 80). The first part is the URL that will be resolved and the page that will be downloaded. The second part of the command is the text string that the downloaded webpage is expected to contain.

For more information on the configuration options see the man page dnssec-trigger.conf(8).
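The probe that steps 2 and 3 set up can be reproduced by hand. The following shell script is an added example and is not part of this guide or of dnssec-trigger: it parses a url: entry from dnssec-trigger.conf into the URL and the expected string, fetches the page through a fetcher command (curl is assumed for use on a live system) and reports a Hotspot whenever the body is not exactly the expected string. The url: line is the one from step 3; the two fake fetchers that return OK and a login page are constructed stand-ins so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the guide or from dnssec-trigger): parse a dnssec-trigger.conf
# "url:" entry and perform the same kind of known-content probe by hand.

# parse_probe_line 'url: "http://host/path EXPECTED"'
# Prints URL and expected content separated by a tab; fails if the line is malformed.
parse_probe_line() {
    printf '%s\n' "$1" | awk '
        /^url:[ \t]*"/ {
            s = $0
            sub(/^url:[ \t]*"/, "", s)   # drop the keyword and the opening quote
            sub(/"[ \t]*$/, "", s)       # drop the closing quote
            i = index(s, " ")            # URL and expected text are separated by a space
            if (i == 0) exit 1
            print substr(s, 1, i - 1) "\t" substr(s, i + 1)
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# probe_is_clean URL EXPECTED FETCHER
# FETCHER is a command or shell function that prints the body of URL on stdout.
# Returns 0 when the body is exactly EXPECTED, 1 when it differs (a Hotspot is
# interposing its own page) or when the fetch itself fails.
probe_is_clean() {
    body=$("$3" "$1") || return 1
    [ "$body" = "$2" ]
}

# Fetcher for a live system (assumes curl is installed; -f makes HTTP errors fail the probe).
fetch_http() {
    curl -s -m 10 -f "$1"
}

# Constructed stand-ins used below instead of a live fetch.
fake_fetch_ok()     { printf 'OK'; }                           # what hotspot.txt returns
fake_fetch_portal() { printf '<html>Please log in</html>'; }   # what a captive portal returns

CONF_LINE='url: "http://example.com/static/hotspot.txt OK"'

# check_conf_line LINE FETCHER : parse LINE, run the probe, print "clean" or "hotspot".
check_conf_line() {
    entry=$(parse_probe_line "$1") || { echo "malformed url: line" >&2; return 2; }
    url=$(printf '%s\n' "$entry" | cut -f1)
    expected=$(printf '%s\n' "$entry" | cut -f2-)
    if probe_is_clean "$url" "$expected" "$2"; then echo clean; else echo hotspot; fi
}

# On a connected system replace fake_fetch_ok with fetch_http.
check_conf_line "$CONF_LINE" fake_fetch_ok
check_conf_line "$CONF_LINE" fake_fetch_portal
```

The comparison is an exact match on the whole body, which is why the page should contain nothing but the expected string: any banner, redirect or login form injected by a Hotspot changes the body and trips the check.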

4.6.11. Configuring DNSSEC Validation for Connection Supplied Domains
By default, forward zones with proper name servers are automatically added into unbound by dnssec-trigger for every domain provided by any connection, except Wi-Fi connections through NetworkManager. By default, all forward zones added into unbound are DNSSEC validated.
The default behavior for validating forward zones can be altered, so that all forward zones will not be DNSSEC validated by default. To do this, change the validate_connection_provided_zones variable in the dnssec-trigger configuration file /etc/dnssec.conf. As root user, open and edit the line as follows:
validate_connection_provided_zones=no
The change is not done for any existing forward zones, but only for future forward zones. Therefore if you want to disable DNSSEC for the current provided domain, you need to reconnect.

4.6.11.1. Configuring DNSSEC Validation for Wi-Fi Supplied Domains
Adding forward zones for Wi-Fi provided zones can be enabled. To do this, change the add_wifi_provided_zones variable in the dnssec-trigger configuration file, /etc/dnssec.conf. As root user, open and edit the line as follows:
add_wifi_provided_zones=yes
The change is not done for any existing forward zones, but only for future forward zones. Therefore, if you want to enable DNSSEC for the current Wi-Fi provided domain, you need to reconnect (restart) the Wi-Fi connection.

Warning
Turning on the addition of Wi-Fi provided domains as forward zones into unbound may have security implications such as:
1. A Wi-Fi access point can intentionally provide you a domain through DHCP for which it does not have authority and route all your DNS queries to its DNS servers.
2. If you have the DNSSEC validation of forward zones turned off, the Wi-Fi provided DNS servers can spoof the IP address for domain names from the provided domain without you knowing it.

4.6.12. Additional Resources
The following are resources which explain more about DNSSEC.

4.6.12.1. Installed Documentation
dnssec-trigger(8) man page — Describes command options for dnssec-triggerd, dnssec-trigger-control and dnssec-trigger-panel.
dnssec-trigger.conf(8) man page — Describes the configuration options for dnssec-triggerd.
unbound(8) man page — Describes the command options for unbound, the DNS validating resolver.
unbound.conf(5) man page — Contains information on how to configure unbound.
resolv.conf(5) man page — Contains information that is read by the resolver routines.

4.6.12.2. Online Documentation
http://tools.ietf.org/html/rfc4033
RFC 4033 DNS Security Introduction and Requirements.
http://www.dnssec.net/
A website with links to many DNSSEC resources.
http://www.dnssec-deployment.org/
The DNSSEC Deployment Initiative, sponsored by the Department for Homeland Security, contains a lot of DNSSEC information and has a mailing list to discuss DNSSEC deployment issues.
http://www.internetsociety.org/deploy360/dnssec/community/
The Internet Society's “Deploy 360” initiative to stimulate and coordinate DNSSEC deployment is a good resource for finding communities and DNSSEC activities worldwide.
http://www.unbound.net/
This document contains general information about the unbound DNS service.
http://www.nlnetlabs.nl/projects/dnssec-trigger/
This document contains general information about dnssec-trigger.

4.7. Securing Virtual Private Networks (VPNs)
In Red Hat Enterprise Linux 7, a Virtual Private Network (VPN) can be configured using the IPsec tunneling protocol which is supported by the Libreswan application. Libreswan is a fork of the Openswan application and examples in documentation should be interchangeable. The NetworkManager IPsec plug-in is called NetworkManager-libreswan. Users of GNOME Shell should install the NetworkManager-libreswan-gnome package, which has NetworkManager-libreswan as a dependency. Note that the NetworkManager-libreswan-gnome package is only available from the Optional channel. See Enabling Supplementary and Optional Repositories.
Libreswan is an open source, user space IPsec implementation available in Red Hat Enterprise Linux 7. It uses the Internet key exchange (IKE) protocol. IKE version 1 and 2 are implemented as a user-level daemon. Manual key establishment is also possible through ip xfrm commands, however this is not recommended. Libreswan interfaces with the Linux kernel using netlink to transfer the encryption keys. Packet encryption and decryption happen in the Linux kernel.
Libreswan uses the network security services (NSS) cryptographic library, which is required for Federal Information Processing Standard (FIPS) security compliance.

Important
IPsec, implemented by Libreswan, is the only VPN technology recommended for use in Red Hat Enterprise Linux 7. Do not use any other VPN technology without understanding the risks of doing so.

4.7.1. IPsec VPN Using Libreswan
To install Libreswan, issue the following command as root:
~]# yum install libreswan
To check that Libreswan is installed, issue the following command:
~]$ yum info libreswan
After a new installation of Libreswan the NSS database should be initialized as part of the install process. However, should you need to start a new database, first remove the old database as follows:
~]# rm /etc/ipsec.d/*db
Then, to initialize a new NSS database, issue the following command as root:
~]# ipsec initnss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
If you do not want to use a password for NSS, just press Enter twice when prompted for the password. If you do enter a password then you will have to re-enter it every time Libreswan is started, such as every time the system is booted.
To start the ipsec daemon provided by Libreswan, issue the following command as root:
~]# systemctl start ipsec
To confirm that the daemon is now running:
~]$ systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
Active: active (running) since Wed 2013-08-21 12:14:12 CEST; 18s ago

To ensure that Libreswan will start when the system starts, issue the following command as root:
~]# systemctl enable ipsec
Configure any intermediate as well as host-based firewalls to permit the ipsec service. See Section 4.5, “Using Firewalls” for information on firewalls and allowing specific services to pass through. Libreswan requires the firewall to allow the following packets:
UDP port 500 for the Internet Key Exchange (IKE) protocol
UDP port 4500 for IKE NAT-Traversal
Protocol 50 for Encapsulated Security Payload (ESP) IPsec packets
Protocol 51 for Authenticated Header (AH) IPsec packets (uncommon)
We present three examples of using Libreswan to set up an IPsec VPN. The first example is for connecting two hosts together so that they may communicate securely. The second example is connecting two sites together to form one network. The third example is supporting roaming users, known as road warriors in this context.

4.7.2. VPN Configurations Using Libreswan
Libreswan does not use the terms “source” or “destination”. Instead, it uses the terms “left” and “right” to refer to end points (the hosts). This allows the same configuration to be used on both end points in most cases, although most administrators use “left” for the local host and “right” for the remote host.
There are three commonly used methods for authentication of endpoints:
Pre-Shared Keys (PSK) is the simplest authentication method. PSKs should consist of random characters and have a length of at least 20 characters. Due to the dangers of non-random and short PSKs, this method is not available when the system is running in FIPS mode.
Raw RSA keys are commonly used for static host-to-host or subnet-to-subnet IPsec configurations. The hosts are manually configured with each other's public RSA key. This method does not scale well when dozens or more hosts all need to set up IPsec tunnels to each other.
X.509 certificates are commonly used for large scale deployments where there are many hosts that need to connect to a common IPsec gateway. A central certificate authority (CA) is used to sign RSA certificates for hosts or users. This central CA is responsible for relaying trust, including the revocations of individual hosts or users.
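The PSK rule above (random characters, at least 20 of them) is easy to get wrong when a secret is typed by hand. The following shell script is an added example, not part of this guide or of Libreswan: it draws a secret from the kernel random number generator, checks a candidate PSK against the length rule plus two sanity checks (no whitespace or double quote, which would break the quoted ipsec.secrets syntax, and at least ten distinct characters), and lays the result out as an ipsec.secrets entry. The entry format is taken from the ipsec.secrets(5) man page; the endpoint addresses are the example hosts used in Section 4.7.3.

```shell
#!/bin/sh
# Added example (not from the guide or from Libreswan): generate and vet a pre-shared key.

# gen_psk [NBYTES] : NBYTES (default 32) of /dev/urandom output, base64 encoded without
# line breaks; 32 bytes give a 44-character secret over a 64-symbol alphabet.
gen_psk() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# psk_ok PSK : returns 0 when PSK is at least 20 characters long, contains no whitespace
# or double quote, and uses at least 10 distinct characters (rejects "aaaa..." style keys).
psk_ok() {
    psk=$1
    [ "${#psk}" -ge 20 ] || return 1
    case $psk in *[[:space:]]* | *\"*) return 1 ;; esac
    distinct=$(printf '%s' "$psk" | awk '
        { for (i = 1; i <= length($0); i++) seen[substr($0, i, 1)] = 1 }
        END { n = 0; for (k in seen) n++; print n }')
    [ "$distinct" -ge 10 ]
}

# secrets_line LEFT RIGHT PSK : the ipsec.secrets entry for two endpoints that share PSK
# (format per ipsec.secrets(5): "<left> <right> : PSK \"secret\"").
secrets_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Generate a key for the two example hosts and print the entry to add to /etc/ipsec.secrets
# (keep the file root-only, mode 0600; the secret must be identical on both hosts).
PSK=$(gen_psk)
psk_ok "$PSK" && secrets_line 192.1.2.23 192.1.2.45 "$PSK"
```

Remember that Libreswan refuses PSK authentication entirely in FIPS mode, so a vetted PSK is only an option for systems running outside that mode.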

4.7.3. Host-To-Host VPN Using Libreswan
To configure Libreswan to create a host-to-host IPsec VPN, between two hosts referred to as “left” and “right”, enter the following commands as root on both of the hosts (“left” and “right”) to create new raw RSA key pairs:
~]# ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/www.example.com.secrets
Generated RSA key pair using the NSS database

This generates an RSA key pair for the host. The process of generating RSA keys can take many minutes, especially on virtual machines with low entropy.
To view the public key, issue the following command as root on either of the hosts. For example, to view the public key on the “left” host, run:
~]# ipsec showhostkey --left
ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
ipsec showhostkey loading secrets from
"/etc/ipsec.d/www.example.com.secrets"
ipsec showhostkey loaded private key for keyid: PPK_RSA:AQOjAKLlL
# rsakey AQOjAKLlL
leftrsasigkey=0sAQOjAKLlL4a7YBv [...]
You will need this key to add to the configuration file as explained below.
The secret part is stored in /etc/ipsec.d/*.db files, also called the “NSS database”.
To make a configuration file for this host-to-host tunnel, the lines leftrsasigkey= and rightrsasigkey= from above, are added to a custom configuration file placed in the /etc/ipsec.d/ directory. To enable Libreswan to read the custom configuration files, use an editor running as root to edit the main configuration file, /etc/ipsec.conf, and enable the following line by removing the # comment character so that it looks as follows:
include /etc/ipsec.d/*.conf
Using an editor running as root, create a file with a suitable name in the following format:
/etc/ipsec.d/my_host-to-host.conf
Edit the file as follows:
conn mytunnel
leftid=@west.example.com
left=192.1.2.23
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
W2n417C/4urYHQkCvuIQ==
rightid=@east.example.com
right=192.1.2.45
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
# load and initiate automatically
auto=start
You can use the identical configuration file on both left and right hosts. They will auto-detect if they are “left” or “right”. If one of the hosts is a mobile host, which implies the IP address is not known in advance, then on the mobile host use %defaultroute as its IP address. This will pick up the dynamic IP address automatically. On the static host that accepts connections from incoming mobile hosts, specify the mobile host using %any for its IP address.
Ensure the leftrsasigkey value is obtained from the “left” host and the rightrsasigkey value is obtained from the “right” host.
Restart ipsec to ensure it reads the new configuration:

~]# systemctl restart ipsec
Issue the following command as root to load the IPsec tunnel:
~]# ipsec auto --add mytunnel
To open the tunnel, issue the following command as root, on the left or the right side:
~]# ipsec auto --up mytunnel

4.7.3.1. Verify Host-To-Host VPN Using Libreswan
The IKE negotiation takes place on UDP port 500. IPsec packets show up as Encapsulated Security Payload (ESP) packets. When the VPN connection needs to pass through a NAT router, the ESP packets are encapsulated in UDP packets on port 4500.
To verify that packets are being sent through the VPN tunnel, issue a command as root in the following format:
~]# tcpdump -n -i interface esp or udp port 500 or udp port 4500
00:32:32.632165 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 8, length 64
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1c), length 132
00:32:34.632607 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1c), length 132
00:32:34.632607 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 9, length 64
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1d), length 132
00:32:35.632685 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1d), length 132
00:32:35.632685 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 10, length 64
Where interface is the interface known to carry the traffic. To end the capture with tcpdump, press Ctrl+C.

Note
The tcpdump command interacts a little unexpectedly with IPsec. It only sees the outgoing encrypted packet, not the outgoing plaintext packet. It does see the encrypted incoming packet, as well as the decrypted incoming packet. If possible, run tcpdump on a router between the two machines and not on one of the endpoints itself.
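Reading a capture by eye confirms that ESP packets exist, but not that nothing else is travelling between the two gateways in the clear. The following shell script is an added example, not part of this guide or of Libreswan: it classifies tcpdump -n lines (IPv4 only) exchanged between the two public endpoint addresses as ESP, IKE (UDP 500/4500) or cleartext, and counts the last category, which on a correctly working tunnel should be zero. The sample lines are constructed after the capture shown above; the added IKE and ICMP lines are constructed too. To look for cleartext on a live system, capture with a filter of host LEFT and host RIGHT rather than the esp/udp filter above, which would hide exactly the traffic this check is looking for.

```shell
#!/bin/sh
# Added example (not from the guide): classify traffic between two IPsec endpoints.

# Constructed sample, modelled on the capture above (ESP both ways plus the decrypted
# ICMP replies between the internal addresses that an endpoint also sees).
SAMPLE='00:32:32.632165 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 8, length 64'

# Constructed extra lines: an IKE exchange (expected) and a cleartext ping between the
# public addresses (traffic that bypassed the tunnel).
IKE_LINE='00:32:31.000000 IP 192.1.2.23.500 > 192.1.2.45.500: isakmp: phase 1 I ident'
LEAK_LINE='00:32:36.000000 IP 192.1.2.23 > 192.1.2.45: ICMP echo request, id 7, seq 1, length 64'

# classify LEFT RIGHT : reads "tcpdump -n" lines on stdin and prints
# "esp=N ike=N cleartext=N" for the packets exchanged between LEFT and RIGHT.
# Cleartext packets are also echoed to stderr so they can be inspected.
classify() {
    awk -v l="$1" -v r="$2" '
        # tcpdump -n endpoints look like "a.b.c.d:" or "a.b.c.d.port:" (IPv4 only)
        function addr_of(ep,    n, a) {
            sub(/:$/, "", ep); n = split(ep, a, ".")
            return (n == 5) ? a[1] "." a[2] "." a[3] "." a[4] : ep
        }
        function port_of(ep,    n, a) {
            sub(/:$/, "", ep); n = split(ep, a, ".")
            return (n == 5) ? a[5] : ""
        }
        $2 == "IP" && $4 == ">" {
            sa = addr_of($3); sp = port_of($3)
            da = addr_of($5); dp = port_of($5)
            # only packets between the two public endpoint addresses are of interest;
            # inner (decrypted) packets carry the internal addresses and are skipped
            if (!((sa == l && da == r) || (sa == r && da == l))) next
            if ($6 ~ /^ESP\(/) { esp++; next }
            if (sp == "500" || sp == "4500" || dp == "500" || dp == "4500") { ike++; next }
            cleartext++
            printf "cleartext between endpoints: %s\n", $0 > "/dev/stderr"
        }
        END { printf "esp=%d ike=%d cleartext=%d\n", esp, ike, cleartext }'
}

# On a live system (bounded capture so that END is reached):
#   tcpdump -n -c 500 -i eth0 host 192.1.2.23 and host 192.1.2.45 | classify 192.1.2.23 192.1.2.45
printf '%s\n%s\n%s\n' "$SAMPLE" "$IKE_LINE" "$LEAK_LINE" | classify 192.1.2.23 192.1.2.45
```

A non-zero cleartext count between the gateways usually means a connection that was never brought up (check ipsec auto --status), a subnet missing from leftsubnet/rightsubnet, or a pass-through conn that is broader than intended.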

4.7.4. Site-to-Site VPN Using Libreswan
In order for Libreswan to create a site-to-site IPsec VPN, joining together two networks, an IPsec tunnel is created between two hosts, endpoints, which are configured to permit traffic from one or more subnets to pass through. They can therefore be thought of as gateways to the remote portion of the network. The configuration of the site-to-site VPN only differs from the host-to-host VPN in that one or more networks or subnets must be specified in the configuration file.
To configure Libreswan to create a site-to-site IPsec VPN, first configure a host-to-host IPsec VPN as described in Section 4.7.3, “Host-To-Host VPN Using Libreswan” and then copy or move the file to a file with a suitable name, such as /etc/ipsec.d/my_site-to-site.conf. Using an editor running as root, edit the custom configuration file /etc/ipsec.d/my_site-to-site.conf as follows:
conn mysubnet
also=mytunnel
leftsubnet=192.0.1.0/24
rightsubnet=192.0.2.0/24
conn mysubnet6
also=mytunnel
connaddrfamily=ipv6
leftsubnet=2001:db8:0:1::/64
rightsubnet=2001:db8:0:2::/64
conn mytunnel
auto=start
leftid=@west.example.com
left=192.1.2.23
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
W2n417C/4urYHQkCvuIQ==
rightid=@east.example.com
right=192.1.2.45
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
authby=rsasig
To bring the tunnels up, restart Libreswan or manually load and initiate all the connections using the following commands as root:
~]# ipsec auto --add mysubnet
~]# ipsec auto --add mysubnet6
~]# ipsec auto --add mytunnel
~]# ipsec auto --up mysubnet
104 "mysubnet" #1: STATE_MAIN_I1: initiate
003 "mysubnet" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mysubnet" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mysubnet" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mysubnet" #1: received Vendor ID payload [CAN-IKEv2]
004 "mysubnet" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x9414a615 <0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
~]# ipsec auto --up mysubnet6
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x06fe2099 <0x75eaa862 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
~]# ipsec auto --up mytunnel
104 "mytunnel" #1: STATE_MAIN_I1: initiate
003 "mytunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #1: received Vendor ID payload [CAN-IKEv2]
004 "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mytunnel" #2: STATE_QUICK_I1: initiate
004 "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x9414a615 >0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}

4.7.4.1. Verify Site-to-Site VPN Using Libreswan
Verifying that packets are being sent through the VPN tunnel is the same procedure as explained in Section 4.7.3.1, “Verify Host-To-Host VPN Using Libreswan”.

4.7.5. Site-to-Site Single Tunnel VPN Using Libreswan
Often, when a site-to-site tunnel is built, the gateways need to communicate with each other using their internal IP addresses instead of their public IP addresses. This can be accomplished using a single tunnel. If the left host, with host name west, has internal IP address 192.0.1.254 and the right host, with host name east, has internal IP address 192.0.2.254, the following configuration using a single tunnel can be used:
conn mysubnet
leftid=@west.example.com
leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...]
W2n417C/4urYHQkCvuIQ==
left=192.1.2.23
leftsourceip=192.0.1.254
leftsubnet=192.0.1.0/24
rightid=@east.example.com
rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
right=192.1.2.45
rightsourceip=192.0.2.254
rightsubnet=192.0.2.0/24
auto=start
authby=rsasig

4.7.6. Subnet Extrusion Using Libreswan
IPsec is often deployed in a hub-and-spoke architecture. Each leaf node has an IP range that is part of a larger range. Leaves communicate with each other through the hub. This is called subnet extrusion. In the example below, we configure the head office with 10.0.0.0/8 and two branches that use a smaller /24 subnet.
At the head office:
conn branch1
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
right=5.6.7.8
rightid=@branch1
rightsubnet=10.0.1.0/24
rightrsasigkey=0sAXXXX[...]
#
auto=start
authby=rsasig
conn branch2
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
right=10.11.12.13
rightid=@branch2
rightsubnet=10.0.2.0/24
rightrsasigkey=0sAYYYY[...]
#
auto=start
authby=rsasig
At the “branch1” office, we use the same connection. Additionally, we use a pass-through connection to exclude our local LAN traffic from being sent through the tunnel:
conn branch1
left=1.2.3.4
leftid=@headoffice
leftsubnet=0.0.0.0/0
leftrsasigkey=0sA[...]
#
right=5.6.7.8
rightid=@branch1
rightsubnet=10.0.1.0/24
rightrsasigkey=0sAXXXX[...]
#
auto=start
authby=rsasig
conn passthrough
left=1.2.3.4
right=0.0.0.0
leftsubnet=10.0.1.0/24
rightsubnet=10.0.1.0/24
authby=never
type=passthrough
auto=route

4.7.7. Road Warrior Application Using Libreswan
Road Warriors are traveling users with mobile clients with a dynamically assigned IP address, such as laptops. These are authenticated using certificates.
On the server:
conn roadwarriors
left=1.2.3.4
# if access to the LAN is given, enable this
#leftsubnet=10.10.0.0/16
leftcert=gw.example.com
leftid=%fromcert
right=%any
# trust our own Certificate Agency
rightca=%same
# allow clients to be behind a NAT router
rightsubnet=vhost:%priv,%no
authby=rsasig
# load connection, don't initiate
auto=add
# kill vanished roadwarriors
dpddelay=30
dpdtimeout=120
dpdaction=%clear
On the mobile client, the Road Warrior's device, we need to use a slight variation of the above configuration:
conn roadwarriors
# pick up our dynamic IP
left=%defaultroute
leftcert=myname.example.com
leftid=%fromcert
# right can also be a DNS hostname
right=1.2.3.4
# if access to the remote LAN is required, enable this
#rightsubnet=10.10.0.0/16
# trust our own Certificate Agency
rightca=%same
authby=rsasig
# Initiate connection
auto=start

4.7.8. Road Warrior Application Using Libreswan and XAUTH with X.509
Libreswan offers a method to natively assign IP address and DNS information to roaming VPN clients as the connection is established by using the XAUTH IPsec extension. XAUTH can be deployed using PSK or X.509 certificates. Deploying using X.509 is more secure. Client certificates can be revoked by a certificate revocation list or by Online Certificate Status Protocol (OCSP). With X.509 certificates, individual clients cannot impersonate the server. With a PSK, also called Group Password, this is theoretically possible.
XAUTH requires the VPN client to additionally identify itself with a user name and password. For One time Passwords (OTP), such as Google Authenticator or RSA SecureID tokens, the one-time token is appended to the user password.
There are three possible back ends for XAUTH:
xauthby=pam
This uses the configuration in /etc/pam.d/pluto to authenticate the user. PAM can be configured to use various back ends by itself. It can use the system account user-password scheme, an LDAP directory, a RADIUS server or a custom password authentication module.
xauthby=file
This uses the configuration file /etc/ipsec.d/passwd (not to be confused with /etc/ipsec.d/nsspassword). The format of this file is similar to the Apache .htpasswd file and the Apache htpasswd command can be used to create entries in this file. However, after the user name and password, a third column is required with the connection name of the IPsec connection used, for example when using a conn remoteusers to offer VPN to remote users, a password file entry should look as follows:
user1:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.:remoteusers
NOTE: when using the htpasswd command, the connection name has to be manually added after the user:password part on each line.
xauthby=alwaysok
The server will always pretend the XAUTH user and password combination was correct. The client still has to specify a user name and a password, although the server ignores these. This should only be used when users are already identified by X.509 certificates, or when testing the VPN without needing an XAUTH back end.
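The third column is the part of the xauthby=file format that htpasswd cannot produce, and an entry without it, or with a connection name that no conn defines, silently fails to authenticate. The following shell script is an added example, not part of this guide or of Libreswan: with_conn appends the connection name to a user:hash line as htpasswd -n prints it, and check_passwd reports entries in a passwd file that do not have three colon-separated fields, whose hash is not in the apr1 format shown above, or whose connection name is not defined as conn NAME in the given ipsec configuration. The ipsec.conf and passwd contents are constructed samples written to a temporary directory; the hash is the one from the entry above.

```shell
#!/bin/sh
# Added example (not from the guide or from Libreswan): build and sanity-check entries
# for the xauthby=file back end, /etc/ipsec.d/passwd.

# with_conn 'user:hash' CONN : append the connection name that htpasswd does not add.
with_conn() {
    printf '%s:%s\n' "$1" "$2"
}

# check_passwd PASSWD_FILE IPSEC_CONF : print the number of unusable entries and describe
# each one on stderr. Comment and blank lines are ignored.
check_passwd() {
    awk -F: -v conf="$2" '
        function msg(n, text) { printf "line %d: %s\n", n, text > "/dev/stderr" }
        BEGIN {
            # collect every "conn NAME" defined in the ipsec configuration
            while ((getline line < conf) > 0)
                if (line ~ /^[ \t]*conn[ \t]+/) {
                    sub(/^[ \t]*conn[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
                    conns[line] = 1
                }
            close(conf)
        }
        /^[ \t]*(#|$)/    { next }
        NF != 3           { bad++; msg(NR, "expected user:hash:conn, got " NF " field(s)"); next }
        $2 !~ /^\$apr1\$/ { bad++; msg(NR, "hash is not in the htpasswd apr1 format"); next }
        !($3 in conns)    { bad++; msg(NR, "no \"conn " $3 "\" defined in " conf); next }
        END { print bad + 0 }' "$1"
}

# Constructed sample files (the real ones are /etc/ipsec.conf and /etc/ipsec.d/passwd).
DEMO=$(mktemp -d)
cat > "$DEMO/ipsec.conf" <<'EOF'
# constructed sample: only the conn names matter for this check
conn remoteusers
    left=1.2.3.4
    xauthby=file
EOF
cat > "$DEMO/passwd" <<'EOF'
# constructed sample entries; the hash is the one shown in the guide
user1:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.:remoteusers
user2:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.
user3:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.:nosuchconn
EOF
# A line as "htpasswd -n user4" would print it, completed with the connection name:
with_conn 'user4:$apr1$MIwQ3DHb$1I69LzTnZhnCT2DPQmAOK.' remoteusers >> "$DEMO/passwd"

# Expected: user2 (missing column) and user3 (unknown conn) are reported, count 2.
check_passwd "$DEMO/passwd" "$DEMO/ipsec.conf"
```

Run the check after every edit of /etc/ipsec.d/passwd and keep the file readable by root only; the hashes in it are as sensitive as the ones in /etc/shadow.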
An example configuration with X.509 certificates:
conn xauth-rsa
auto=add
authby=rsasig
pfs=no
rekey=no
left=ServerIP
leftcert=vpn.example.com
#leftid=%fromcert
leftid=vpn.example.com
leftsendcert=always
leftsubnet=0.0.0.0/0
rightaddresspool=10.234.123.2-10.234.123.254
right=%any
rightrsasigkey=%cert
modecfgdns1=1.2.3.4
modecfgdns2=8.8.8.8
modecfgdomain=example.com
modecfgbanner="Authorized Access is allowed"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=pam
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike_frag=yes
# for walled-garden on xauth failure
# xauthfail=soft
#leftupdown=/custom/_updown
When xauthfail is set to soft, instead of hard, authentication failures are ignored, and the VPN is set up as if the user authenticated properly. A custom updown script can be used to check for the environment variable XAUTH_FAILED. Such users can then be redirected, for example, using iptables DNAT, to a “walled garden” where they can contact the administrator or renew a paid subscription to the service.
VPN clients use the modecfgdomain value and the DNS entries to redirect queries for the specified domain to these specified name servers. This allows roaming users to access internal-only resources using the internal DNS names.
If leftsubnet is not 0.0.0.0/0, split tunneling configuration requests are sent automatically to the client. For example, when using leftsubnet=10.0.0.0/8, the VPN client would only send traffic for 10.0.0.0/8 through the VPN.

4.7.9. Additional Resources
The following sources of information provide additional resources regarding Libreswan and the ipsec daemon.

4.7.9.1. Installed Documentation
ipsec(8) man page — Describes command options for ipsec.
ipsec.conf(5) man page — Contains information on configuring ipsec.
ipsec.secrets(5) man page — Describes the format of the ipsec.secrets file.
ipsec_auto(8) man page — Describes the use of the auto command line client for manipulating Libreswan IPsec connections established using automatic exchanges of keys.
ipsec_rsasigkey(8) man page — Describes the tool used to generate RSA signature keys.
/usr/share/doc/libreswan-version/README.nss — Describes the commands for using raw RSA keys and certificates with the NSS crypto library used with the Libreswan pluto daemon.

4.7.9.2. Online Documentation
https://libreswan.org
The website of the upstream project.
http://www.mozilla.org/projects/security/pki/nss/
Network Security Services (NSS) project.

4.8. Using OpenSSL
OpenSSL is a library that provides cryptographic protocols to applications. The openssl command line utility enables using the cryptographic functions from the shell. It includes an interactive mode.
The openssl command line utility has a number of pseudo-commands to provide information on the commands that the version of openssl installed on the system supports. The pseudo-commands list-standard-commands, list-message-digest-commands, and list-cipher-commands output a list of all standard commands, message digest commands, or cipher commands, respectively, that are available in the present openssl utility.
The pseudo-commands list-cipher-algorithms and list-message-digest-algorithms list all cipher and message digest names. The pseudo-command list-public-key-algorithms lists all supported public key algorithms. For example, to list the supported public key algorithms, issue the following command:
~]$ openssl list-public-key-algorithms
The pseudo-command no-command-name tests whether a command-name of the specified name is available. Intended for use in shell scripts. See man openssl(1) for more information.

4.8.1. Creating and Managing Encryption Keys
With OpenSSL, public keys are derived from the corresponding private key. Therefore the first step, once having decided on the algorithm, is to generate the private key. In these examples the private key is referred to as privkey.pem. For example, to create an RSA private key using default parameters, issue the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem

The RSA algorithm supports the following options:
rsa_keygen_bits:numbits — The number of bits in the generated key. If not specified 1024 is used.
rsa_keygen_pubexp:value — The RSA public exponent value. This can be a large decimal value, or a hexadecimal value if preceded by 0x. The default value is 65537.
For example, to create a 2048 bit RSA private key using 3 as the public exponent, issue the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem -pkeyopt rsa_keygen_bits:2048 \
    -pkeyopt rsa_keygen_pubexp:3
To encrypt the private key as it is output using 128 bit AES and the passphrase “hello”, issue the following command:
~]$ openssl genpkey -algorithm RSA -out privkey.pem -aes-128-cbc -pass pass:hello
See man genpkey(1) for more information on generating private keys.

4.8.2. Generating Certificates
To generate a certificate using OpenSSL, it is necessary to have a private key available. In these examples the private key is referred to as privkey.pem. If you have not yet generated a private key, see Section 4.8.1, “Creating and Managing Encryption Keys”.
To have a certificate signed by a certificate authority (CA), it is necessary to generate a certificate and then send it to a CA for signing. This is referred to as a certificate signing request. See Section 4.8.2.1, “Creating a Certificate Signing Request” for more information. The alternative is to create a self-signed certificate. See Section 4.8.2.2, “Creating a Self-signed Certificate” for more information.

4.8.2.1. Creating a Certificate Signing Request
To create a certificate for submission to a CA, issue a command in the following format:
~]$ openssl req -new -key privkey.pem -out cert.csr
This will create an X.509 certificate signing request called cert.csr encoded in the default privacy-enhanced electronic mail (PEM) format. The name PEM is derived from “Privacy Enhancement for Internet Electronic Mail” described in RFC 1424. To generate a certificate file in the alternative DER format, use the -outform DER command option.
After issuing the above command, you will be prompted for information about you and the organization in order to create a distinguished name (DN) for the certificate. You will need the following information:
The two letter country code for your country
The full name of your state or province
City or Town
The name of your organiz ation

135

Se c ur it y Guide

The name of the unit within your organiz ation
Your name or the hos t name of the s ys te m
Your e mail addre s s
The re q(1) man page de s cribe s the PKCS# 10 ce rtificate re que s t and ge ne rating utility.
De fault s e ttings us e d in the ce rtificate cre ating proce s s are containe d within the
/etc/pki/tls/openssl.cnf file . Se e man openssl.cnf(5) for more information.

4.8.2.2. Creating a Self-signed Certificate
To generate a self-signed certificate, valid for 366 days, issue a command in the following
format:
~]$ openssl req -new -x509 -key privkey.pem -out selfcert.pem -days 366

4.8.2.3. Creating a Certificate Using a Makefile
The /etc/pki/tls/certs/ directory contains a Makefile which can be used to create
certificates using the make command. To view the usage instructions, issue a command as
follows:
~]$ make -f /etc/pki/tls/certs/Makefile
Alternatively, change to the directory and issue the make command as follows:
~]$ cd /etc/pki/tls/certs/
~]$ make
See the make(1) man page for more information.

4.8.3. Verifying Certificates
A certificate signed by a CA is referred to as a trusted certificate. A self-signed certificate
is therefore an untrusted certificate. The verify utility uses the same SSL and S/MIME
functions to verify a certificate as is used by OpenSSL in normal operation. If an error is
found it is reported and then an attempt is made to continue testing in order to report any
other errors.
To verify multiple individual X.509 certificates in PEM format, issue a command in the
following format:
~]$ openssl verify cert1.pem cert2.pem
To verify a certificate chain the leaf certificate must be in cert.pem and the intermediate
certificates which you do not trust must be directly concatenated in untrusted.pem. The
trusted root CA certificate must be either among the default CAs listed in
/etc/pki/tls/certs/ca-bundle.crt or in a cacert.pem file. Then, to verify the chain,
issue a command in the following format:
~]$ openssl verify -untrusted untrusted.pem -CAfile cacert.pem cert.pem
See man verify(1) for more information.
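As an added example (not from the guide), the following script builds a throw-away root CA, intermediate and leaf with the Section 4.8.1 and 4.8.2 commands and then verifies the chain exactly as described above, showing that the leaf passes only when the intermediate is supplied and that a self-signed certificate is rejected. All file names, subject names and the req.cnf contents are made up for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: build a throw-away CA
# hierarchy with the Section 4.8.1 and 4.8.2 commands (genpkey, req, x509),
# then check it the way Section 4.8.3 describes. All file names, subject
# names and the req.cnf contents are made up for this demonstration.

WORK=$(mktemp -d) || exit 1

# Minimal req configuration so the demo does not depend on
# /etc/pki/tls/openssl.cnf. ca_ext marks a certificate as a CA, which
# openssl verify requires of the root and of every intermediate.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Section 4.8.1: an RSA private key with the default public exponent.
gen_key() {
    openssl genpkey -algorithm RSA -out "$WORK/$1.key" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null
}

# Section 4.8.2.2: a self-signed certificate. $1 = name, $2 = subject
self_signed() {
    gen_key "$1" &&
    openssl req -new -x509 -days 366 -config "$WORK/req.cnf" \
        -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.pem" 2>/dev/null
}

# Section 4.8.2.1: a CSR, then a certificate signed by an existing CA.
# $1 = name, $2 = subject, $3 = issuer name, $4 = extension section
issue() {
    gen_key "$1" &&
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "$2" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -days 366 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions "$4" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Root -> intermediate -> leaf, plus a self-signed leaf that nobody issued.
build_hierarchy() {
    self_signed rootca "/CN=Demo Root CA" &&
    issue intermediate "/CN=Demo Intermediate CA" rootca ca_ext &&
    issue leaf "/CN=www.example.com" intermediate leaf_ext &&
    self_signed selfsigned "/CN=selfsigned.example.com"
}

# Section 4.8.3: leaf as cert.pem, the untrusted intermediate concatenated
# into untrusted.pem, the trusted root passed with -CAfile. Succeeds only
# when openssl prints "<file>: OK".
verify_chain() {
    cat "$WORK/intermediate.pem" > "$WORK/untrusted.pem" &&
    openssl verify -untrusted "$WORK/untrusted.pem" \
        -CAfile "$WORK/rootca.pem" "$WORK/leaf.pem" 2>/dev/null |
        grep -q ': OK$'
}

# Same leaf without the intermediate: the chain to the root cannot be built.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/rootca.pem" "$WORK/leaf.pem" 2>/dev/null |
        grep -q ': OK$'
}

# The self-signed certificate is untrusted: it was not issued by the root.
verify_selfsigned() {
    openssl verify -CAfile "$WORK/rootca.pem" "$WORK/selfsigned.pem" 2>/dev/null |
        grep -q ': OK$'
}

build_hierarchy || { echo "could not build the demo hierarchy" >&2; exit 1; }
verify_chain && echo "leaf with intermediate and root: OK"
verify_without_intermediate || echo "leaf without intermediate: rejected (expected)"
verify_selfsigned || echo "self-signed certificate: rejected (expected)"
```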

Chapter 4. Hardening Your System with Tools and Services

Important
Verification of signatures using the MD5 hash algorithm is disabled in Red Hat
Enterprise Linux 7 due to insufficient strength of this algorithm. Always use strong
algorithms such as SHA256.

4.8.4. Encrypting and Decrypting a File
For encrypting (and decrypting) files with OpenSSL, either the pkeyutl or enc built-in
commands can be used. With pkeyutl, RSA keys are used to perform the encrypting and
decrypting, whereas with enc, symmetric algorithms are used.

Using RSA Keys
To encrypt a file called plaintext, issue a command as follows:
~]$ openssl pkeyutl -encrypt -in plaintext -out cyphertext -inkey privkey.pem
The default format for keys and certificates is PEM. If required, use the -keyform DER
option to specify the DER key format.
To specify a cryptographic engine, use the -engine option as follows:
~]$ openssl pkeyutl -encrypt -in plaintext -out cyphertext -inkey privkey.pem -engine id
Where id is the ID of the cryptographic engine. To check the availability of an engine,
issue the following command:
~]$ openssl engine -t
To sign a data file called plaintext, issue a command as follows:
~]$ openssl pkeyutl -sign -in plaintext -out sigtext -inkey privkey.pem
To verify a signed data file and to extract the data, issue a command as follows:
~]$ openssl pkeyutl -verifyrecover -in sig -inkey key.pem
To verify the signature, for example using a DSA key, issue a command as follows:
~]$ openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem
The pkeyutl(1) manual page describes the public key algorithm utility.

Using Symmetric Algorithms
To list available symmetric encryption algorithms, execute the enc command with an
unsupported option, such as -l:
~]$ openssl enc -l
To specify an algorithm, use its name as an option. For example, to use the aes-128-cbc
algorithm, use the following syntax:
openssl enc -aes-128-cbc
To encrypt a file called plaintext using the aes-128-cbc algorithm, enter the following
command:
~]$ openssl enc -aes-128-cbc -in plaintext -out plaintext.aes-128-cbc
To decrypt the file obtained in the previous example, use the -d option as in the following
example:
~]$ openssl enc -aes-128-cbc -d -in plaintext.aes-128-cbc -out plaintext

Important
The enc command does not properly support AEAD ciphers, and the ecb mode is not
considered secure. For best results, do not use other modes than cbc, cfb, ofb, or
ctr.

4.8.5. Generating Message Digests
The dgst command produces the message digest of a supplied file or files in
hexadecimal form. The command can also be used for digital signing and verification. The
message digest command takes the following form:
openssl dgst -algorithm -out filename -sign private-key file
Where -algorithm is one of -md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1 and file
is the file to digest (standard input is read if no file is given). At time of
writing, the SHA1 algorithm is preferred. If you need to sign or verify using DSA, then the
-dss1 option must be used together with a file containing random data specified by the -rand option.
To produce a message digest in the default Hex format using the sha1 algorithm, issue
the following command:
~]$ openssl dgst -sha1 -out digest-file file
To digitally sign the digest, using a private key privkey.pem, issue the following
command:
~]$ openssl dgst -sha1 -out digest-file -sign privkey.pem file
See man dgst(1) for more information.
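Because enc (Section 4.8.4) offers no integrity protection, a practitioner normally pairs it with a keyed digest from dgst (this section). The following added example, which is not code from the guide, encrypts a constructed sample file with aes-128-cbc, computes an HMAC-SHA256 over the ciphertext, refuses to decrypt when the HMAC does not match, and shows that a single corrupted ciphertext byte is caught; file names, sample text and key handling are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: encrypt a file with
# "openssl enc -aes-128-cbc" (Section 4.8.4) and protect the result with an
# HMAC computed by "openssl dgst" (Section 4.8.5), because enc provides no
# integrity check of its own. File names, the sample text and the key
# handling are constructed for this demonstration.

WORK=$(mktemp -d) || exit 1

# Constructed sample plaintext (long enough to span several AES blocks).
printf 'constructed sample: payroll export 2024-01-31, do not modify\n' \
    > "$WORK/plaintext"

# Two independent secrets: a passphrase for enc and a separate HMAC key,
# produced with openssl rand (Section 4.8.7); hex keeps them printable.
openssl rand -hex 16 > "$WORK/enc.pass"
openssl rand -hex 32 > "$WORK/mac.key"

# HMAC-SHA256 of a file, hex digest only (dgst prints "HMAC-...(file)= hex").
compute_mac() {
    openssl dgst -sha256 -hmac "$(cat "$WORK/mac.key")" "$1" | awk '{print $NF}'
}

# Encrypt-then-MAC: ciphertext first, then an HMAC over the ciphertext bytes
# (including the "Salted__" header and salt that enc writes).
# $1 = plaintext, $2 = ciphertext out, $3 = MAC out
encrypt_then_mac() {
    openssl enc -aes-128-cbc -in "$1" -out "$2" \
        -pass file:"$WORK/enc.pass" 2>/dev/null || return 1
    compute_mac "$2" > "$3"
}

# Verify a stored MAC against a file. A plain string compare is used for
# brevity; production code should use a constant-time comparison.
# $1 = ciphertext, $2 = stored MAC file
verify_mac() {
    expected=$(cat "$2")
    actual=$(compute_mac "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Decrypt (the -d form from Section 4.8.4) only after the MAC checks out.
# $1 = ciphertext, $2 = MAC file, $3 = plaintext out
decrypt_if_valid() {
    verify_mac "$1" "$2" || { echo "MAC mismatch, refusing to decrypt" >&2; return 1; }
    openssl enc -aes-128-cbc -d -in "$1" -out "$3" \
        -pass file:"$WORK/enc.pass" 2>/dev/null
}

# Simulate corruption: replace the byte at offset 16 (the first ciphertext
# byte after the 8-byte "Salted__" marker and 8-byte salt) with a different,
# non-zero value. CBC decryption of such a file can still exit successfully
# and yield wrong data, so only the MAC reveals the problem.
corrupt_copy() {   # $1 = source, $2 = corrupted copy
    cp "$1" "$2"
    b=$(od -An -tu1 -j 16 -N 1 "$2" | tr -d ' ')
    printf "$(printf '\\%03o' $(( (b + 1) % 255 + 1 )))" |
        dd of="$2" bs=1 seek=16 conv=notrunc 2>/dev/null
}

encrypt_then_mac "$WORK/plaintext" "$WORK/ciphertext" "$WORK/ciphertext.mac"
decrypt_if_valid "$WORK/ciphertext" "$WORK/ciphertext.mac" "$WORK/recovered" &&
    cmp -s "$WORK/plaintext" "$WORK/recovered" && echo "intact file: decrypted OK"
corrupt_copy "$WORK/ciphertext" "$WORK/tampered"
decrypt_if_valid "$WORK/tampered" "$WORK/ciphertext.mac" "$WORK/recovered2" ||
    echo "tampered file: rejected before decryption (expected)"
```

On OpenSSL 1.1.1 and later, add -pbkdf2 to both enc invocations; Red Hat Enterprise Linux 7 ships OpenSSL 1.0.2, which does not have that option.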

4.8.6. Generating Password Hashes
The passwd command computes the hash of a password. To compute the hash of a
password on the command line, issue a command as follows:
~]$ openssl passwd password
The -crypt algorithm is used by default.
To compute the hash of a password from standard input, using the MD5 based BSD
algorithm 1, issue a command as follows:
~]$ openssl passwd -1 password
The -apr1 option specifies the Apache variant of the BSD algorithm.
To compute the hash of a password stored in a file, and using a salt xx, issue a command
as follows:
~]$ openssl passwd -salt xx -in password-file
The password is sent to standard output and there is no -out option to specify an output
file. The -table option will generate a table of password hashes with their corresponding clear
text password.
See man sslpasswd(1) for more information and examples.
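The hashes above are only useful if something later checks a password against them. As an added example (not from the guide), the following script generates a salted hash with openssl passwd -1 or -apr1, reading the password from standard input, and verifies a candidate by extracting the algorithm and salt from the stored string and recomputing it; the password and salt values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: produce a password hash with
# "openssl passwd" (Section 4.8.6) and verify a candidate password against
# the stored hash by re-using the salt embedded in it. The password and salt
# values used below are constructed for the demonstration.

# Random 8-character salt from the crypt alphabet [a-zA-Z0-9./], built from
# openssl rand (Section 4.8.7); '+' from base64 is not a valid salt character.
new_salt() {
    openssl rand -base64 6 | tr '+' '.' | cut -c1-8
}

# Hash $1 with salt $2 using algorithm $3: "1" is the MD5-based BSD scheme
# (the -1 option), "apr1" the Apache variant (the -apr1 option). The password
# is passed on standard input with -stdin so it does not appear in the
# process list, unlike the command-line form shown in the guide.
hash_password() {
    printf '%s\n' "$1" | openssl passwd "-$3" -salt "$2" -stdin
}

# Verify candidate $1 against stored hash $2 (format $<alg>$<salt>$<digest>):
# recompute with the same algorithm and salt and compare the whole string.
# Returns 0 on match, 1 on mismatch, 2 for an unsupported hash type.
check_password() {
    alg=$(printf '%s' "$2" | cut -d '$' -f 2)
    salt=$(printf '%s' "$2" | cut -d '$' -f 3)
    case "$alg" in
        1|apr1) ;;
        *) echo "unsupported hash type: $alg" >&2; return 2 ;;
    esac
    [ "$(hash_password "$1" "$salt" "$alg")" = "$2" ]
}

# Demonstration with a constructed password and a freshly generated salt.
STORED=$(hash_password 'correct horse battery staple' "$(new_salt)" 1)
echo "stored hash: $STORED"
check_password 'correct horse battery staple' "$STORED" && echo "correct password: accepted"
check_password 'Correct horse battery staple' "$STORED" || echo "wrong password: rejected"
```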

4.8.7. Generating Random Data
To generate a file containing num bytes of random data, using a seed file, issue the
following command:
~]$ openssl rand -out rand-file -rand seed-file num
Multiple files for seeding the random data process can be specified using the colon, :, as
a list separator.
See man rand(1) for more information.

4.8.8. Benchmarking Your System
To test the computational speed of a system for a given algorithm, issue a command in
the following format:
~]$ openssl speed algorithm
where algorithm is one of the supported algorithms you intend to use. To list the
available algorithms, type openssl speed and then press tab.

4.8.9. Configuring OpenSSL
OpenSSL has a configuration file /etc/pki/tls/openssl.cnf, referred to as the master
configuration file, which is read by the OpenSSL library. It is also possible to have
individual configuration files for each application. The configuration file contains a number
of sections with section names as follows: [ section_name ]. Note the first part of the
file, up until the first [ section_name ], is referred to as the default section. When
OpenSSL is searching for names in the configuration file the named sections are
searched first. All OpenSSL commands use the master OpenSSL configuration file unless
an option is used in the command to specify an alternative configuration file. The
configuration file is explained in detail in the config(5) man page.
Two RFCs explain the contents of a certificate file. They are:
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
Profile
Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile

4.9. Using stunnel
The stunnel program is an encryption wrapper between a client and a server. It listens
on the port specified in its configuration file, encrypts the communication with the client,
and forwards the data to the original daemon listening on its usual port. This way, you can
secure any service that itself does not support any type of encryption, or improve the
security of a service that uses a type of encryption that you want to avoid for security
reasons, such as SSL versions 2 and 3, affected by the POODLE SSL vulnerability
(CVE-2014-3566). See https://access.redhat.com/solutions/1234773 for details. CUPS is an
example of a component that does not provide a way to disable SSL in its own
configuration.

4.9.1. Installing stunnel
Install the stunnel package by running the following command as root:
~]# yum install stunnel

4.9.2. Configuring stunnel as a TLS Wrapper
To configure stunnel, follow these steps:
1. You need a valid certificate for stunnel regardless of what service you use it with.
If you do not have a suitable certificate, you can apply to a Certificate Authority to
obtain one, or you can create a self-signed certificate.

Warning
Always use certificates signed by a Certificate Authority for servers running
in a production environment. Self-signed certificates are only appropriate for
testing purposes or private networks.
See Section 4.8.2.1, “Creating a Certificate Signing Request” for more information
about certificates granted by a Certificate Authority. On the other hand, to create a
self-signed certificate for stunnel, enter the /etc/pki/tls/certs/ directory and
type the following command as root:
certs]# make stunnel.pem

Answer all of the questions to complete the process.
2. When you have a certificate, create a configuration file for stunnel. It is a text file
in which every line specifies an option or the beginning of a service definition. You
can also keep comments and empty lines in the file to improve its legibility, where
comments start with a semicolon.
The stunnel RPM package contains the /etc/stunnel/ directory, in which you can
store the configuration file. Although stunnel does not require any special format
of the file name or its extension, use /etc/stunnel/stunnel.conf. The following
content configures stunnel as a TLS wrapper:
cert = /etc/pki/tls/certs/stunnel.pem
; Allow only TLS, thus avoiding SSL
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[service_name]
accept = port
connect = port
TIMEOUTclose = 0
Alternatively, you can avoid SSL by replacing the line containing sslVersion =
TLSv1 with the following lines:
options = NO_SSLv2
options = NO_SSLv3
The purpose of the options is as follows:
cert — the path to your certificate
sslVersion — the version of SSL; note that you can use TLS here even though
SSL and TLS are two independent cryptographic protocols
chroot — the changed root directory in which the stunnel process runs, for
greater security
setuid, setgid — the user and group that the stunnel process runs as; nobody
is a restricted system account
pid — the file in which stunnel saves its process ID, relative to chroot
socket — local and remote socket options; in this case, disable Nagle's algorithm
to improve network latency
[service_name] — the beginning of the service definition; the options used
below this line apply to the given service only, whereas the options above affect
stunnel globally
accept — the port to listen on
connect — the port to connect to; this must be the port that the service you are
securing uses
TIMEOUTclose — how many seconds to wait for the close_notify alert from the
client; 0 instructs stunnel not to wait at all
options — OpenSSL library options

Example 4.10. Securing CUPS
To configure stunnel as a TLS wrapper for CUPS, use the following values:
[cups]
accept = 632
connect = 631
Instead of 632, you can use any free port that you prefer. 631 is the port that
CUPS normally uses.
3. Create the chroot directory and give the user specified by the setuid option write
access to it. To do so, enter the following commands as root:
~]# mkdir /var/run/stunnel
~]# chown nobody:nobody /var/run/stunnel
This allows stunnel to create the PID file.
4. If your system is using firewall settings that disallow access to the new port,
change them accordingly. See Section 4.5.3.1.6, “Opening Ports in the Firewall” for
details.
5. When you have created the configuration file and the chroot directory, and when
you are sure that the specified port is accessible, you are ready to start using
stunnel.

4.9.3. Starting, Stopping, and Restarting stunnel
To start stunnel, enter the following command as root:
~]# stunnel /etc/stunnel/stunnel.conf
By default, stunnel uses /var/log/secure to log its output.
To terminate stunnel, kill the process by running the following command as root:
~]# kill `cat /var/run/stunnel/stunnel.pid`
If you edit the configuration file while stunnel is running, terminate stunnel and start it
again for your changes to take effect.

4.10. Encryption

4.10.1. Using LUKS Disk Encryption
Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your
Linux computer. This is particularly important when it comes to mobile computers and
removable media. LUKS allows multiple user keys to decrypt a master key, which is used
for the bulk encryption of the partition.

Overview of LUKS
What LUKS does
LUKS encrypts entire block devices and is therefore well-suited for protecting
the contents of mobile devices such as removable storage media or laptop
disk drives.
The underlying contents of the encrypted block device are arbitrary. This
makes it useful for encrypting swap devices. This can also be useful with
certain databases that use specially formatted block devices for data storage.
LUKS uses the existing device mapper kernel subsystem.
LUKS provides passphrase strengthening which protects against dictionary
attacks.
LUKS devices contain multiple key slots, allowing users to add backup keys or
passphrases.
What LUKS does not do:
LUKS is not well-suited for applications requiring many (more than eight) users
to have distinct access keys to the same device.
LUKS is not well-suited for applications requiring file-level encryption.

4.10.1.1. LUKS Implementation in Red Hat Enterprise Linux
Red Hat Enterprise Linux 7 utilizes LUKS to perform file system encryption. By default, the
option to encrypt the file system is unchecked during the installation. If you select the
option to encrypt your hard drive, you will be prompted for a passphrase that will be asked
every time you boot the computer. This passphrase "unlocks" the bulk encryption key that
is used to decrypt your partition. If you choose to modify the default partition table you can
choose which partitions you want to encrypt. This is set in the partition table settings.
The default cipher used for LUKS (see cryptsetup --help) is aes-cbc-essiv:sha256
(ESSIV - Encrypted Salt-Sector Initialization Vector). Note that the installation program,
Anaconda, uses by default XTS mode (aes-xts-plain64). The default key size for LUKS is
256 bits. The default key size for LUKS with Anaconda (XTS mode) is 512 bits. Ciphers
that are available are:
AES - Advanced Encryption Standard - FIPS PUB 197
Twofish (A 128-bit Block Cipher)
Serpent
cast5 - RFC 2144
cast6 - RFC 2612

4.10.1.2. Manually Encrypting Directories

Warning
Following this procedure will remove all data on the partition that you are encrypting.
You WILL lose all your information! Make sure you backup your data to an external
source before beginning this procedure!
1. Enter runlevel 1 by typing the following at a shell prompt as root:
telinit 1
2. Unmount your existing /home:
umount /home
3. If the command in the previous step fails, use fuser to find processes hogging
/home and kill them:
fuser -mvk /home
4. Verify /home is no longer mounted:
grep home /proc/mounts
5. Fill your partition with random data:
shred -v --iterations=1 /dev/VG00/LV_home
This command proceeds at the sequential write speed of your device and may take
some time to complete. It is an important step to ensure no unencrypted data is
left on a used device, and to obfuscate the parts of the device that contain
encrypted data as opposed to just random data.
6. Initialize your partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
7. Open the newly encrypted device:
cryptsetup luksOpen /dev/VG00/LV_home home
8. Make sure the device is present:
ls -l /dev/mapper | grep home
9. Create a file system:
mkfs.ext3 /dev/mapper/home
10. Mount the file system:
mount /dev/mapper/home /home
11. Make sure the file system is visible:
df -h | grep home
12. Add the following to the /etc/crypttab file:
home /dev/VG00/LV_home none
13. Edit the /etc/fstab file, removing the old entry for /home and adding the following
line:
/dev/mapper/home /home ext3 defaults 1 2
14. Restore default SELinux security contexts:
/sbin/restorecon -v -R /home
15. Reboot the machine:
shutdown -r now
16. The entry in the /etc/crypttab makes your computer ask your LUKS passphrase
on boot.
17. Log in as root and restore your backup.
You now have an encrypted partition for all of your data to safely rest while the computer
is off.

4.10.1.3. Add a New Passphrase to an Existing Device
Use the following command to add a new passphrase to an existing device:
cryptsetup luksAddKey device
After being prompted for any one of the existing passphrases for authentication, you will be
prompted to enter the new passphrase.

4.10.1.4. Remove a Passphrase from an Existing Device
Use the following command to remove a passphrase from an existing device:
cryptsetup luksRemoveKey device
You will be prompted for the passphrase you want to remove and then for any one of the
remaining passphrases for authentication.

4.10.1.5. Creating Encrypted Block Devices in Anaconda
You can create encrypted devices during system installation. This allows you to easily
configure a system with encrypted partitions.
To enable block device encryption, check the Encrypt System check box when selecting
automatic partitioning or the Encrypt check box when creating an individual partition,
software RAID array, or logical volume. After you finish partitioning, you will be prompted
for an encryption passphrase. This passphrase will be required to access the encrypted
devices. If you have pre-existing LUKS devices and provided correct passphrases for
them earlier in the install process the passphrase entry dialog will also contain a check
box. Checking this check box indicates that you would like the new passphrase to be
added to an available slot in each of the pre-existing encrypted block devices.

Note
Checking the Encrypt System check box on the Automatic Partitioning screen
and then choosing Create custom layout does not cause any block devices to be
encrypted automatically.

Note
You can use kickstart to set a separate passphrase for each new encrypted block
device.

4.10.1.6. Additional Resources
For additional information on LUKS or encrypting hard drives under Red Hat
Enterprise Linux 7 visit one of the following links:
LUKS home page
LUKS/cryptsetup FAQ
LUKS - Linux Unified Key Setup Wikipedia article
HOWTO: Creating an encrypted Physical Volume (PV) using a second hard drive and
pvmove

4.10.2. Creating GPG Keys
GPG is used to identify yourself and authenticate your communications, including those
with people you do not know. GPG allows anyone reading a GPG-signed email to verify its
authenticity. In other words, GPG allows someone to be reasonably certain that
communications signed by you actually are from you. GPG is useful because it helps
prevent third parties from altering code or intercepting conversations and altering the
message.

4.10.2.1. Creating GPG Keys in GNOME
To create a GPG Key in GNOME, follow these steps:
1. Install the Seahorse utility, which makes GPG key management easier:
~]# yum install seahorse
2. To create a key, from the Applications → Accessories menu select Passwords
and Encryption Keys, which starts the application Seahorse.
3. From the File menu select New and then PGP Key. Then click Continue.
4. Type your full name, email address, and an optional comment describing who you
are (for example: John C. Smith, jsmith@example.com, Software Engineer). Click
Create. A dialog is displayed asking for a passphrase for the key. Choose a strong
passphrase but also easy to remember. Click OK and the key is created.

Warning
If you forget your passphrase, you will not be able to decrypt the data.
To find your GPG key ID, look in the Key ID column next to the newly created key. In most
cases, if you are asked for the key ID, prepend 0x to the key ID, as in 0x6789ABCD. You
should make a backup of your private key and store it somewhere secure.

4.10.2.2. Creating GPG Keys in KDE
To create a GPG Key in KDE, follow these steps:
1. Start the KGpg program from the main menu by selecting Applications →
Utilities → Encryption Tool. If you have never used KGpg before, the program
walks you through the process of creating your own GPG keypair.
2. A dialog box appears prompting you to create a new key pair. Enter your name,
email address, and an optional comment. You can also choose an expiration time
for your key, as well as the key strength (number of bits) and algorithms.
3. Enter your passphrase in the next dialog box. At this point, your key appears in the
main KGpg window.

Warning
If you forget your passphrase, you will not be able to decrypt the data.
To find your GPG key ID, look in the Key ID column next to the newly created key. In most
cases, if you are asked for the key ID, prepend 0x to the key ID, as in 0x6789ABCD. You
should make a backup of your private key and store it somewhere secure.

4.10.2.3. Creating GPG Keys Using the Command Line
1. Use the following shell command:
~]$ gpg2 --gen-key
This command generates a key pair that consists of a public and a private key.
Other people use your public key to authenticate and decrypt your communications.
Distribute your public key as widely as possible, especially to people who you know
will want to receive authentic communications from you, such as a mailing list.
2. A series of prompts directs you through the process. Press the Enter key to
assign a default value if desired. The first prompt asks you to select what kind of
key you prefer:
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
In almost all cases, the default is the correct choice. An RSA/RSA key allows you not
only to sign communications, but also to encrypt files.
3. Choose the key size:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Again, the default, 2048, is sufficient for almost all users, and represents an
extremely strong level of security.
4. Choose when the key will expire. It is a good idea to choose an expiration date
instead of using the default, which is none. If, for example, the email address on
the key becomes invalid, an expiration date will remind others to stop using that
public key.
Please specify how long the key should be valid.
0 = key does not expire
<n>d = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Entering a value of 1y, for example, makes the key valid for one year. (You may
change this expiration date after the key is generated, if you change your mind.)
5. Before the gpg2 application asks for signature information, the following prompt
appears:
Is this correct (y/N)?
Enter y to finish the process.
6. Enter your name and email address for your GPG key. Remember this process is
about authenticating you as a real individual. For this reason, include your real
name. If you choose a bogus email address, it will be more difficult for others to
find your public key. This makes authenticating your communications difficult. If you
are using this GPG key for self-introduction on a mailing list, for example, enter the
email address you use on that list.
Use the comment field to include aliases or other information. (Some people use
different keys for different purposes and identify each key with a comment, such
as "Office" or "Open Source Projects.")
7. At the confirmation prompt, enter the letter O to continue if all entries are correct,
or use the other options to fix any problems. Finally, enter a passphrase for your
secret key. The gpg2 program asks you to enter your passphrase twice to ensure
you made no typing errors.
8. Finally, gpg2 generates random data to make your key as unique as possible.
Move your mouse, type random keys, or perform other tasks on the system during
this step to speed up the process. Once this step is finished, your keys are
complete and ready to use:
pub 1024D/1B2AFA1C 2005-03-31 John Q. Doe <jqdoe@example.com>
Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A FA1C
sub 1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]
9. The key fingerprint is a shorthand "signature" for your key. It allows you to confirm
to others that they have received your actual public key without any tampering. You
do not need to write this fingerprint down. To display the fingerprint at any time,
use this command, substituting your email address:
~]$ gpg2 --fingerprint jqdoe@example.com
Your "GPG key ID" consists of 8 hex digits identifying the public key. In the example
above, the GPG key ID is 1B2AFA1C. In most cases, if you are asked for the key ID,
prepend 0x to the key ID, as in 0x6789ABCD.

Warning
If you forget your passphrase, the key cannot be used and any data encrypted using
that key will be lost.

4.10.2.4. About Public Key Encryption
1. Wikipedia - Public Key Cryptography
2. HowStuffWorks - Encryption

4.10.3. Using openCryptoki for Public-Key Cryptography
openCryptoki is a Linux implementation of PKCS#11, which is a Public-Key Cryptography
Standard that defines an application programming interface (API) to cryptographic devices
called tokens. Tokens may be implemented in hardware or software. This chapter
provides an overview of the way the openCryptoki system is installed, configured, and
used in Red Hat Enterprise Linux 7.

4.10.3.1. Installing openCryptoki and Starting the Service
To install the basic openCryptoki packages on your system, including a software
implementation of a token for testing purposes, enter the following command as root:
~]# yum install opencryptoki
Depending on the type of hardware tokens you intend to use, you may need to install
additional packages that provide support for your specific use case. For example, to obtain
support for Trusted Platform Module (TPM) devices, you need to install the opencryptoki-tpmtok package.
See the Installing Packages section of the Red Hat Enterprise Linux 7 System
Administrator's Guide for general information on how to install packages using the Yum
package manager.
To enable the openCryptoki service, you need to run the pkcsslotd daemon. Start the
daemon for the current session by executing the following command as root:
~]# systemctl start pkcsslotd
To ensure that the service is automatically started at boot time, enter the following
command:
~]# systemctl enable pkcsslotd
See the Managing Services with systemd chapter of the Red Hat Enterprise Linux 7
System Administrator's Guide for more information on how to use systemd targets to
manage services.

4.10.3.2. Conf iguring and Using openCrypt oki
Whe n s tarte d, the pkcsslotd dae mon re ads the
/etc/opencryptoki/opencryptoki.conf configuration file , which it us e s to colle ct
information about the toke ns configure d to work with the s ys te m and about the ir s lots .
The file de fine s the individual s lots us ing ke y-value pairs . Each s lot de finition can contain a
de s cription, a s pe cification of the toke n library to be us e d, and an ID of the s lot's
manufacture r. Optionally, the ve rs ion of the s lot's hardware and firmware may be de fine d.
Se e the ope ncryptoki.conf(5) manual page for a de s cription of the file 's format and for a
more de taile d de s cription of the individual ke ys and the value s that can be as s igne d to
the m.
To modify the be havior of the pkcsslotd dae mon at run time , us e the pkcsconf utility.
This tool allows you to s how and configure the s tate of the dae mon, as we ll as to lis t and
modify the curre ntly configure d s lots and toke ns . For e xample , to dis play information about
toke ns , is s ue the following command (note that all non-root us e rs that ne e d to
communicate with the pkcsslotd dae mon mus t be a part of the pkcs11 s ys te m group):
~]$ pkcsconf -t
Se e the pkcs conf(1) manual page for a lis t of argume nts available with the pkcsconf tool.

Chapter 4. Hardening Your System with Tools and Services

Warning
Keep in mind that only fully trusted users should be assigned membership in the pkcs11 group, as all members of this group have the right to block other users of the openCryptoki service from accessing configured PKCS#11 tokens. All members of this group can also execute arbitrary code with the privileges of any other users of openCryptoki.

4.10.4. Using Smart Cards to Supply Credentials to OpenSSH
The smart card is a lightweight hardware security module in a USB stick, MicroSD, or SmartCard form factor. It provides a remotely manageable secure key store. In Red Hat Enterprise Linux 7, OpenSSH supports authentication using smart cards.
To use your smart card with OpenSSH, store the public key from the card in the ~/.ssh/authorized_keys file on the server. Install the PKCS#11 library provided by the opensc package on the client. PKCS#11 is a Public-Key Cryptography Standard that defines an application programming interface (API) to cryptographic devices called tokens. To install the library, enter the following command as root:
~]# yum install opensc
To use smart cards that are not supported by opensc (CoolKey and CAC), install the coolkey package by running the following command as root:
~]# yum install coolkey

4.10.4.1. Retrieving a Public Key from a Card
To list the keys on your card, use the ssh-keygen command. Specify the shared library (OpenSC in the following example) with the -D option.
~]$ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so
ssh-rsa AAAAB3NzaC1yc[...]+g4Mb9

4.10.4.2. Storing a Public Key on a Server
To enable authentication using a smart card on a remote server, transfer the public key to the remote server. Do it by copying the retrieved string (key) and pasting it to the remote shell, or by storing your key to a file (smartcard.pub in the following example) and using the ssh-copy-id command:
~]$ SSH_COPY_ID_LEGACY=1 ssh-copy-id -i smartcard.pub user@hostname
user@hostname's password:
Number of key(s) added: 1
Now try logging into the machine, with:
"ssh user@hostname"
and check to make sure that only the key(s) you wanted were added.

Security Guide

Storing a public key without a private key file requires the use of the SSH_COPY_ID_LEGACY=1 environment variable.

4.10.4.3. Authenticating to a Server with a Key on a Smart Card
OpenSSH can read your public key from a smart card and perform operations with your private key without exposing the key itself. This means that the private key does not leave the card. To connect to a remote server using your smart card for authentication, enter the following command and enter the PIN protecting your card:
[localhost ~]$ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so hostname
Enter PIN for 'Test (UserPIN)':
[hostname ~]$
Replace hostname with the actual host name to which you want to connect.
To save unnecessary typing next time you connect to the remote server, store the path to the PKCS#11 library in your ~/.ssh/config file:
Host hostname
PKCS11Provider /usr/lib64/pkcs11/opensc-pkcs11.so
Connect by running the ssh command without any additional options:
[localhost ~]$ ssh hostname
Enter PIN for 'Test (UserPIN)':
[hostname ~]$

4.10.4.4. Using ssh-agent to Automate PIN Logging In
Set up environment variables to start using ssh-agent. You can skip this step in most cases because ssh-agent is already running in a typical session. Use the following command to check whether you can connect to your authentication agent:
~]$ ssh-add -l
Could not open a connection to your authentication agent.
~]$ eval `ssh-agent`
To avoid typing your PIN every time you connect using this key, add the card to the agent by running the following command:
~]$ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
Enter PIN for 'Test (UserPIN)':
Card added: /usr/lib64/pkcs11/opensc-pkcs11.so
While the card is added, any process that can reach the agent socket can request signatures with the card's key without entering the PIN, so remove the card from ssh-agent as soon as you no longer need it. To remove the card, use the following command:
~]$ ssh-add -e /usr/lib64/pkcs11/opensc-pkcs11.so
Card removed: /usr/lib64/pkcs11/opensc-pkcs11.so
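The following script, added here as an example and not taken from the guide or from OpenSSH, wraps the procedure of Sections 4.10.4.1 through 4.10.4.4 in shell functions: it validates what ssh-keygen -D returns before anything is copied, appends a key to authorized_keys only once (the check the ssh-copy-id output asks you to do by hand), and writes the Host stanza to ~/.ssh/config without duplicating it on repeated runs. The accepted key types, the file names, and the provision_client function are assumptions of this example; the PKCS#11 library path is the one the section uses.

```shell
#!/bin/sh
# Added example, not code from the Red Hat guide or OpenSSH.
# Assumptions (not from the page): ssh-keygen -D prints one "<type> <base64>
# [comment]" line per key on the card; the accepted key types below, the file
# names and provision_client are this example's own.

PKCS11_LIB="${PKCS11_LIB:-/usr/lib64/pkcs11/opensc-pkcs11.so}"

# Print the public keys held on the card (needs the card and the PKCS#11 library).
card_public_keys() {
    ssh-keygen -D "$PKCS11_LIB"
}

# Accept only lines shaped like an OpenSSH public key (type, base64 blob, optional
# one-word comment) so that nothing else ever lands in authorized_keys.
valid_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# Server side: append KEY to AUTHFILE unless a key with the same type and blob is
# already there (the comment is ignored). Prints "added" or "present" and sets
# the permissions sshd expects on the directory and file.
install_authorized_key() {
    key="$1"; authfile="$2"
    valid_pubkey_line "$key" || { echo "rejected: not an OpenSSH public key" >&2; return 1; }
    keyid=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    mkdir -p "$(dirname "$authfile")"
    chmod 700 "$(dirname "$authfile")"
    touch "$authfile"
    if awk -v id="$keyid" '($1" "$2) == id {found=1} END {exit !found}' "$authfile"; then
        echo present
    else
        printf '%s\n' "$key" >> "$authfile"
        echo added
    fi
    chmod 600 "$authfile"
}

# Client side: write a Host stanza pointing ssh at the PKCS#11 provider, replacing
# any earlier stanza for the same host, so "ssh HOST" needs no -I option.
write_pkcs11_host_entry() {
    host="$1"; config="$2"
    touch "$config"
    awk -v h="$host" '
        /^Host / { skip = ($2 == h) }
        !skip    { print }
    ' "$config" > "$config.tmp" && mv "$config.tmp" "$config"
    printf 'Host %s\n    PKCS11Provider %s\n' "$host" "$PKCS11_LIB" >> "$config"
    chmod 600 "$config"
}

# Number of stanzas for HOST in CONFIG (should stay at 1 however often you run it).
count_host_entries() {
    grep -c "^Host $1\$" "$2"
}

# Whole client-side procedure: export the card's keys to smartcard.pub, refuse to
# continue if the card returned anything unexpected, push the file with
# ssh-copy-id as in Section 4.10.4.2, then configure ~/.ssh/config.
provision_client() {
    target="$1"            # user@hostname
    host="${target#*@}"
    card_public_keys > smartcard.pub || return 1
    while IFS= read -r key; do
        valid_pubkey_line "$key" || { echo "unexpected line from card: $key" >&2; return 1; }
    done < smartcard.pub
    SSH_COPY_ID_LEGACY=1 ssh-copy-id -i smartcard.pub "$target" || return 1
    write_pkcs11_host_entry "$host" "$HOME/.ssh/config"
}
```

Run provision_client user@hostname on the client with the card inserted; install_authorized_key is meant for the server side when you paste a key by hand instead of using ssh-copy-id, and calling it a second time with the same key reports "present" rather than adding a duplicate.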

4.10.4.5. Additional Resources
Setting up your hardware or software token is described in the Smart Card support in Red Hat Enterprise Linux 7 article.

4.10.5. Trusted and Encrypted Keys
Trusted and encrypted keys are variable-length symmetric keys generated by the kernel that utilize the kernel keyring service. The fact that the keys never appear in user space in an unencrypted form means that their integrity can be verified, which in turn means that they can be used, for example, by the extended verification module (EVM) to verify and confirm the integrity of a running system. User-level programs can only ever access the keys in the form of encrypted blobs.
Trusted keys need a hardware component: the Trusted Platform Module (TPM) chip, which is used to both create and encrypt (seal) the keys. The TPM seals the keys using a 2048-bit RSA key called the storage root key (SRK).
In addition to that, trusted keys may also be sealed using a specific set of the TPM's platform configuration register (PCR) values. The PCR contains a set of integrity-management values that reflect the BIOS, boot loader, and operating system. This means that PCR-sealed keys can only be decrypted by the TPM on the exact same system on which they were encrypted. However, once a PCR-sealed trusted key is loaded (added to a keyring), and thus its associated PCR values are verified, it can be updated with new (or future) PCR values, so that a new kernel, for example, can be booted. A single key can also be saved as multiple blobs, each with different PCR values.
Encrypted keys do not require a TPM, as they use the kernel AES encryption, which makes them faster than trusted keys. Encrypted keys are created using kernel-generated random numbers and encrypted by a master key when they are exported into user-space blobs. This master key can be either a trusted key or a user key, which is their main disadvantage: if the master key is not a trusted key, the encrypted key is only as secure as the user key used to encrypt it.

4.10.5.1. Working with Keys
Prior to any operations with keys, relevant kernel modules need to be loaded. For trusted keys, it is the trusted module, and for encrypted keys, it is the encrypted-keys module. Use the following command as the root user to load both of these modules at once:
~]# modprobe trusted encrypted-keys
Trusted and encrypted keys can be created, loaded, exported, and updated using the keyctl utility. For detailed information about using keyctl, see keyctl(1).

Note
In order to use a TPM (such as for creating and sealing trusted keys), it needs to be enabled and active. This can usually be achieved through a setting in the machine's BIOS or using the tpm_setactive command from the tpm-tools package of utilities. Also, the TrouSerS application needs to be installed (the trousers package), and the tcsd daemon, which is a part of the TrouSerS suite, must be running to communicate with the TPM.
To create a trusted key using a TPM, execute the keyctl command with the following syntax:
keyctl add trusted name "new keylength [options]" keyring
Using the above syntax, an example command can be constructed as follows:
~]$ keyctl add trusted kmk "new 32" @u
642500861
The above example creates a trusted key called kmk with the length of 32 bytes (256 bits) and places it in the user keyring (@u). The keys may have a length of 32 to 128 bytes (256 to 1024 bits). Use the show subcommand to list the current structure of the kernel keyrings:
~]$ keyctl show
Session Keyring
       -3 --alswrv    500   500  keyring: _ses
 97833714 --alswrv    500    -1   \_ keyring: _uid.1000
642500861 --alswrv    500   500       \_ trusted: kmk

The print subcommand outputs the encrypted key to the standard output. To export the key to a user-space blob, use the pipe subcommand as follows:
~]$ keyctl pipe 642500861 > kmk.blob
To load the trusted key from the user-space blob, use the add command again with the blob as an argument:
~]$ keyctl add trusted kmk "load `cat kmk.blob`" @u
268728824
The TPM-sealed trusted key can then be employed to create secure encrypted keys. The following command syntax is used for generating encrypted keys:
~]$ keyctl add encrypted name "new [format] key-type:master-key-name keylength" keyring
Based on the above syntax, a command for generating an encrypted key using the already created trusted key can be constructed as follows:
~]$ keyctl add encrypted encr-key "new trusted:kmk 32" @u
159771175
To create an encrypted key on systems where a TPM is not available, use a random sequence of numbers to generate a user key, which is then used to seal the actual encrypted keys.
~]$ keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
427069434
Then generate the encrypted key using the random-number user key:

~]$ keyctl add encrypted encr-key "new user:kmk-user 32" @u
1012412758
The list subcommand can be used to list all keys in the specified kernel keyring:
~]$ keyctl list @u
2 keys in keyring:
427069434: --alswrv 1000 1000 user: kmk-user
1012412758: --alswrv 1000 1000 encrypted: encr-key

Important
Keep in mind that encrypted keys that are not sealed by a master trusted key are only as secure as the user master key (random-number key) used to encrypt them. Therefore, the master user key should be loaded as securely as possible and preferably early during the boot process.
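To make the sealing chain explicit, here is an added example, not from the guide or from the kernel's keyctl documentation, that wraps the commands of Section 4.10.5.1 in functions and adds the check the Important note implies: before an exported blob is reloaded or relied upon, it reports whether the master key protecting it is a TPM-backed trusted key or only a user key. It assumes that an exported encrypted-key blob is laid out as "master-key-name keylength hex-data", with a trusted: or user: prefix on the master key name, as in the kernel documentation listed in Section 4.10.5.2; the key and file names are hypothetical. Everything except the blob and listing parsers needs root, keyctl, and the loaded modules.

```shell
#!/bin/sh
# Added example, not code from the Red Hat guide or from keyutils.
# Assumptions (not from the page): "keyctl pipe" of an encrypted key yields
# "<type>:<master-name> <keylength> <hex>", as documented in the kernel's
# keys-trusted-encrypted.txt; key names and file names are hypothetical.

# Load the two kernel modules the section requires (needs root).
load_key_modules() {
    modprobe trusted encrypted-keys
}

# Create master key NAME in the user keyring: TPM-sealed when a TPM is present,
# otherwise a user key built from 32 random bytes (hex-encoded so the shell can
# carry them). Prints the key ID, as keyctl does.
create_master_key() {
    name="$1"
    if [ -c /dev/tpm0 ]; then
        keyctl add trusted "$name" "new 32" @u
    else
        echo "no TPM found: falling back to a user key (see the Important note)" >&2
        keyctl add user "$name" "$(od -An -tx1 -N32 /dev/urandom | tr -d ' \n')" @u
    fi
}

# Pure parser: given the text of "keyctl list @u" and a key name, print the key
# type ("trusted", "user" or "encrypted"), or nothing if the key is absent.
# Listing lines look like "427069434: --alswrv 1000 1000 user: kmk-user".
key_type_from_listing() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $5 ~ /^(trusted|user|encrypted):$/ && $6 == n { sub(":", "", $5); print $5; exit }'
}

# Create encrypted key NAME sealed by master key MASTER (whatever its type) and
# export it as a user-space blob to FILE. Prints the encrypted key's ID.
create_encrypted_key() {
    name="$1"; master="$2"; file="$3"
    mtype=$(key_type_from_listing "$(keyctl list @u)" "$master")
    [ -n "$mtype" ] || { echo "master key $master is not in @u" >&2; return 1; }
    id=$(keyctl add encrypted "$name" "new $mtype:$master 32" @u) || return 1
    keyctl pipe "$id" > "$file"
    echo "$id"
}

# Reload an encrypted key from its blob file (for example after a reboot, once
# the master key is back in the keyring).
load_encrypted_key() {
    keyctl add encrypted "$1" "load $(cat "$2")" @u
}

# Pure parsers over an exported blob: which master key seals it, and how long
# the wrapped key is.
blob_master_type() { printf '%s\n' "$1" | awk '{ split($1, a, ":"); print a[1] }'; }
blob_master_name() { printf '%s\n' "$1" | awk '{ split($1, a, ":"); print a[2] }'; }
blob_key_length()  { printf '%s\n' "$1" | awk '{ print $2 }'; }

# Gate for deployment scripts: succeed only for blobs sealed by a TPM-backed
# trusted key, unless ALLOW_USER_MASTER=1 makes the weaker setup a deliberate
# choice. A "user" master means the blob is exactly as strong as that user key.
blob_is_tpm_sealed() {
    [ "$(blob_master_type "$1")" = trusted ] && return 0
    [ "${ALLOW_USER_MASTER:-0}" = 1 ]
}
```

A typical run as root is load_key_modules, then create_master_key kmk, then create_encrypted_key encr-key kmk encr-key.blob; blob_is_tpm_sealed "$(cat encr-key.blob)" then tells a provisioning script whether the blob it is about to ship relies on the TPM or on a user key that it must itself protect.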

4.10.5.2. Additional Resources
The following offline and online resources can be used to acquire additional information pertaining to the use of trusted and encrypted keys.

Installed Documentation
keyctl(1) — Describes the use of the keyctl utility and its subcommands.

Online Documentation
Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide — The SELinux User's and Administrator's Guide for Red Hat Enterprise Linux 7 describes the basic principles of SELinux and documents in detail how to configure and use SELinux with various services, such as the Apache HTTP Server.
https://www.kernel.org/doc/Documentation/security/keys-trusted-encrypted.txt — The official documentation about the trusted and encrypted keys feature of the Linux kernel.

See Also
Section A.1.1, “Advanced Encryption Standard — AES” provides a concise description of the Advanced Encryption Standard.
Section A.2, “Public-key Encryption” describes the public-key cryptographic approach and the various cryptographic protocols it uses.

4.10.6. Using the Random Number Generator
In order to be able to generate secure cryptographic keys that cannot be easily broken, a source of random numbers is required. Generally, the more random the numbers are, the better the chance of obtaining unique keys. Entropy for generating random numbers is usually obtained from computing environmental "noise" or using a hardware random number generator.

The rngd daemon, which is a part of the rng-tools package, is capable of using both environmental noise and hardware random number generators for extracting entropy. The daemon checks whether the data supplied by the source of randomness is sufficiently random and then stores it in the random-number entropy pool of the kernel. The random numbers are made available through the /dev/random and /dev/urandom character devices.
The difference between /dev/random and /dev/urandom is that the former is a blocking device, which means it stops supplying numbers when it determines that the amount of entropy is insufficient for generating a properly random output. Conversely, /dev/urandom is a non-blocking source, which reuses the entropy pool of the kernel and is thus able to provide an unlimited supply of pseudo-random numbers, albeit with less entropy. As such, /dev/urandom should not be used for creating long-term cryptographic keys.
To install the rng-tools package, issue the following command as the root user:
~]# yum install rng-tools
To start the rngd daemon, execute the following command as root:
~]# systemctl start rngd
To query the status of the daemon, use the following command:
~]# systemctl status rngd
To start the rngd daemon with optional parameters, execute it directly. For example, to specify an alternative source of random-number input (other than /dev/hwrandom), use the following command:
~]# rngd --rng-device=/dev/hwrng
The above command starts the rngd daemon with /dev/hwrng as the device from which random numbers are read. Similarly, you can use the -o (or --random-device) option to choose the kernel device for random-number output (other than the default /dev/random). See the rngd(8) manual page for a list of all available options.
To check which sources of entropy are available in a given system, execute the following command as root:
~]# rngd -v
Unable to open file: /dev/tpm0
Available entropy sources:
DRNG
If there is not any TPM device present, you will see only the Intel Digital Random Number Generator (DRNG) as a source of entropy. To check if your CPU supports the RDRAND processor instruction, enter the following command:
~]$ grep rdrand /proc/cpuinfo

Note
For more information and software code examples, see the Intel Digital Random Number Generator (DRNG) Software Implementation Guide.
The rng-tools package also contains the rngtest utility, which can be used to check the randomness of data. To test the level of randomness of the output of /dev/random, use the rngtest tool as follows:
~]$ rngtest -c 1000 < /dev/random
rngtest 5
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 998
rngtest: FIPS 140-2 failures: 2
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 2
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=1.171; avg=8.453; max=11.374)Mibits/s
rngtest: FIPS tests speed: (min=15.545; avg=143.126; max=157.632)Mibits/s
rngtest: Program run time: 2390520 microseconds
A high number of failures shown in the output of the rngtest tool indicates that the randomness of the tested data is insufficient and should not be relied upon. Occasional failures, such as the 2 out of 1000 blocks above, are expected even from a good source, because the statistical tests have a small false-positive rate. See the rngtest(1) manual page for a list of options available for the rngtest utility.
Red Hat Enterprise Linux 7 introduced the virtio RNG (Random Number Generator) device that provides KVM virtual machines with access to entropy from the host machine. With the recommended setup, hwrng feeds into the entropy pool of the host Linux kernel (through /dev/random), and QEMU will use /dev/random as the source for entropy requested by guests.

Figure 4.4. The virtio RNG device
Previously, Red Hat Enterprise Linux 7.0 and Red Hat Enterprise Linux 6 guests could make use of the entropy from hosts through the rngd user space daemon. Setting up the daemon was a manual step for each Red Hat Enterprise Linux installation. With Red Hat Enterprise Linux 7.1, the manual step has been eliminated, making the entire process seamless and automatic. The use of rngd is now not required and the guest kernel itself fetches entropy from the host when the available entropy falls below a specific threshold. The guest kernel is then in a position to make random numbers available to applications as soon as they request them.
The Red Hat Enterprise Linux installer, Anaconda, now provides the virtio-rng module in its installer image, making host entropy available during the Red Hat Enterprise Linux installation.
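Added example, not from the guide or from rng-tools: shell helpers for the checks this section describes. They turn the rngtest summary into a pass/fail verdict, test a /proc/cpuinfo-style file for the rdrand flag, and list the device nodes rngd can draw on. The 1% failure threshold is this example's own operational choice; the guide only says that a high number of failures is a problem.

```shell
#!/bin/sh
# Added example, not code from the Red Hat guide or from rng-tools.
# Assumption (not from the page): a failure rate below 1% of tested blocks is
# treated as acceptable; tune MAX_PCT to your own policy.

# Return 0 when the cpuinfo file (default /proc/cpuinfo) lists the rdrand flag.
cpu_has_rdrand() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]rdrand([[:space:]]|$)' "${1:-/proc/cpuinfo}"
}

# Read rngtest output on stdin and print "successes failures" from its
# "FIPS 140-2 successes:" / "FIPS 140-2 failures:" summary lines.
rngtest_counts() {
    awk '/FIPS 140-2 successes:/ { s = $NF }
         /FIPS 140-2 failures:/  { f = $NF }
         END { print s + 0, f + 0 }'
}

# rngtest_acceptable "SUCCESSES FAILURES" [MAX_PCT]
# Return 0 when failures are below MAX_PCT (default 1) percent of all blocks;
# an empty run (no blocks at all) is never acceptable.
rngtest_acceptable() {
    max_pct="${2:-1}"
    set -- $1
    total=$(($1 + $2))
    [ "$total" -gt 0 ] || return 1
    [ $(($2 * 100)) -lt $((total * max_pct)) ]
}

# Run rngtest over BLOCKS 20000-bit blocks from DEVICE (default /dev/random) and
# print a verdict; returns 1 on failure. Needs rng-tools installed.
check_random_device() {
    device="${1:-/dev/random}"; blocks="${2:-1000}"
    counts=$(rngtest -c "$blocks" < "$device" 2>&1 | rngtest_counts)
    if rngtest_acceptable "$counts"; then
        echo "$device: ok (successes failures = $counts)"
    else
        echo "$device: FAILED (successes failures = $counts)"
        return 1
    fi
}

# Report the entropy sources rngd could use on this machine, mirroring what
# "rngd -v" prints: hardware RNG node, TPM node, and the CPU's DRNG.
entropy_sources() {
    for dev in /dev/hwrng /dev/tpm0; do
        if [ -e "$dev" ]; then echo "present: $dev"; else echo "absent:  $dev"; fi
    done
    if cpu_has_rdrand; then echo "present: rdrand (DRNG)"; else echo "absent:  rdrand (DRNG)"; fi
}
```

entropy_sources and check_random_device /dev/random 1000 together cover the two questions the section asks: what feeds the pool, and whether what comes out of it passes the FIPS 140-2 battery at a rate you are prepared to accept.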

4.11. Hardening TLS Configuration
TLS (Transport Layer Security) is a cryptographic protocol used to secure network communications. When hardening system security settings by configuring preferred key-exchange protocols, authentication methods, and encryption algorithms, it is necessary to bear in mind that the broader the range of supported clients, the lower the resulting security. Conversely, strict security settings lead to a limited compatibility with clients, which can result in some users being locked out of the system. Be sure to target the strictest available configuration and only relax it when it is required for compatibility reasons.
Note that the default settings provided by libraries included in Red Hat Enterprise Linux 7 are secure enough for most deployments. The TLS implementations use secure algorithms where possible while not preventing connections from or to legacy clients or servers. Apply the hardened settings described in this section in environments with strict security requirements where legacy clients or servers that do not support secure algorithms or protocols are not expected or allowed to connect.

4.11.1. Choosing Algorithms to Enable
There are several components that need to be selected and configured. Each of the following directly influences the robustness of the resulting configuration (and, consequently, the level of support in clients) or the computational demands that the solution has on the system.

Protocol Versions
The latest version of TLS provides the best security mechanism. Unless you have a compelling reason to include support for older versions of TLS (or even SSL), allow your systems to negotiate connections using only the latest version of TLS.
Do not allow negotiation using SSL version 2 or 3. Both of those versions have serious security vulnerabilities. Only allow negotiation using TLS version 1.0 or higher. The current version of TLS, 1.2, should always be preferred.

Note
Please note that currently, the security of all versions of TLS depends on the use of TLS extensions, specific ciphers (see below), and other workarounds. All TLS connection peers need to implement secure renegotiation indication (RFC 5746), must not support compression, and must implement mitigating measures for timing attacks against CBC-mode ciphers (the Lucky Thirteen attack). TLS 1.0 clients need to additionally implement record splitting (a workaround against the BEAST attack). TLS 1.2 supports Authenticated Encryption with Associated Data (AEAD) mode ciphers like AES-GCM, AES-CCM, or Camellia-GCM, which have no known issues. All the mentioned mitigations are implemented in cryptographic libraries included in Red Hat Enterprise Linux.
See Table 4.6, “Protocol Versions” for a quick overview of protocol versions and recommended usage.
Table 4.6. Protocol Versions

Protocol Version   Usage Recommendation
SSL v2             Do not use. Has serious security vulnerabilities.
SSL v3             Do not use. Has serious security vulnerabilities.
TLS 1.0            Use for interoperability purposes where needed. Has known issues that cannot be mitigated in a way that guarantees interoperability, and thus mitigations are not enabled by default. Does not support modern cipher suites.
TLS 1.1            Use for interoperability purposes where needed. Has no known issues but relies on protocol fixes that are included in all the TLS implementations in Red Hat Enterprise Linux. Does not support modern cipher suites.
TLS 1.2            Recommended version. Supports the modern AEAD cipher suites.

Some components in Red Hat Enterprise Linux are configured to use TLS 1.0 even though they provide support for TLS 1.1 or even 1.2. This is motivated by an attempt to achieve the highest level of interoperability with external services that may not support the latest versions of TLS. Depending on your interoperability requirements, enable the highest available version of TLS.

Important
SSL v3 is not recommended for use. However, if, despite the fact that it is considered insecure and unsuitable for general use, you absolutely must leave SSL v3 enabled, see Section 4.9, “Using stunnel” for instructions on how to use stunnel to securely encrypt communications even when using services that do not support encryption or are only capable of using obsolete and insecure modes of encryption.

Cipher Suites
Modern, more secure cipher suites should be preferred to old, insecure ones. Always disable the use of eNULL and aNULL cipher suites, which do not offer any encryption or authentication at all. If at all possible, cipher suites based on RC4 or HMAC-MD5, which have serious shortcomings, should also be disabled. The same applies to the so-called export cipher suites, which have been intentionally made weaker, and thus are easy to break.
While not immediately insecure, cipher suites that offer less than 128 bits of security should not be considered for their short useful life. Algorithms that use 128 bits of security or more can be expected to be unbreakable for at least several years, and are thus strongly recommended. Note that while 3DES ciphers advertise the use of 168 bits, they actually offer 112 bits of security.
Always give preference to cipher suites that support (perfect) forward secrecy (PFS), which ensures the confidentiality of encrypted data even in case the server key is compromised. This rules out the fast RSA key exchange, but allows for the use of ECDHE and DHE. Of the two, ECDHE is the faster and therefore the preferred choice.
You should also give preference to AEAD ciphers, such as AES-GCM, before CBC-mode ciphers as they are not vulnerable to padding oracle attacks. Additionally, in many cases, AES-GCM is faster than AES in CBC mode, especially when the hardware has cryptographic accelerators for AES.

Note also that when using the ECDHE key exchange with ECDSA certificates, the transaction is even faster than pure RSA key exchange. To provide support for legacy clients, you can install two pairs of certificates and keys on a server: one with ECDSA keys (for new clients) and one with RSA keys (for legacy ones).

Public Key Length
When using RSA keys, always prefer key lengths of at least 3072 bits signed by at least SHA-256, which is sufficiently large for true 128 bits of security.

Warning
Keep in mind that the security of your system is only as strong as the weakest link in the chain. For example, a strong cipher alone does not guarantee good security. The keys and the certificates are just as important, as well as the hash functions and keys used by the Certification Authority (CA) to sign your keys.

4.11.2. Using Implementations of TLS
Red Hat Enterprise Linux 7 is distributed with several full-featured implementations of TLS. In this section, the configuration of OpenSSL and GnuTLS is described. See Section 4.11.3, “Configuring Specific Applications” for instructions on how to configure TLS support in individual applications.
The available TLS implementations offer support for various cipher suites that define all the elements that come together when establishing and using TLS-secured communications.
Use the tools included with the different implementations to list and specify cipher suites that provide the best possible security for your use case while considering the recommendations outlined in Section 4.11.1, “Choosing Algorithms to Enable”. The resulting cipher suites can then be used to configure the way individual applications negotiate and secure connections.

Important
Be sure to check your settings following every update or upgrade of the TLS implementation you use or the applications that utilize that implementation. New versions may introduce new cipher suites that you do not want to have enabled and that your current configuration does not disable.

4.11.2.1. Working with Cipher Suites in OpenSSL
OpenSSL is a toolkit and a cryptography library that supports the SSL and TLS protocols. On Red Hat Enterprise Linux 7, a configuration file is provided at /etc/pki/tls/openssl.cnf. The format of this configuration file is described in config(1). See also Section 4.8.9, “Configuring OpenSSL”.
To get a list of all cipher suites supported by your installation of OpenSSL, use the openssl command with the ciphers subcommand as follows:

~]$ openssl ciphers -v 'ALL:COMPLEMENTOFALL'
Pass other parameters (referred to as cipher strings and keywords in OpenSSL documentation) to the ciphers subcommand to narrow the output. Special keywords can be used to only list suites that satisfy a certain condition. For example, to only list suites that are defined as belonging to the HIGH group, use the following command:
~]$ openssl ciphers -v 'HIGH'
See the ciphers(1) manual page for a list of available keywords and cipher strings.
To obtain a list of cipher suites that satisfy the recommendations outlined in Section 4.11.1, “Choosing Algorithms to Enable”, use a command similar to the following:
~]$ openssl ciphers -v 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES' | column -t
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)  Mac=AEAD
ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)     Mac=SHA384
ECDHE-ECDSA-AES256-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)     Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA256
ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)     Mac=SHA384
ECDHE-RSA-AES256-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)     Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)  Mac=AEAD
ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)     Mac=SHA256
ECDHE-RSA-AES128-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)     Mac=SHA1
DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)  Mac=AEAD
DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)     Mac=SHA256
DHE-RSA-AES256-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(256)     Mac=SHA1
DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)  Mac=AEAD
DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)     Mac=SHA256
DHE-RSA-AES128-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(128)     Mac=SHA1

The above command omits all insecure ciphers, gives preference to ephemeral elliptic curve Diffie-Hellman key exchange and ECDSA ciphers, and omits RSA key exchange (thus ensuring perfect forward secrecy).
Note that this is a rather strict configuration, and it might be necessary to relax the conditions in real-world scenarios to allow for compatibility with a broader range of clients.
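Added example, not from the guide or from OpenSSL: a shell audit that parses openssl ciphers -v output and flags every suite breaking a rule from Section 4.11.1, namely RSA key exchange (no forward secrecy), anonymous authentication, NULL, RC4, DES and 3DES ciphers, symmetric keys under 128 bits, MD5 MACs, and export suites. The protocol column printed by openssl is the version in which a suite was introduced, not a restriction, so a suite marked SSLv3 is still usable under TLS 1.2 and is not rejected on that basis. The rule names and the sample lines in the test are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Red Hat guide or from OpenSSL.
# Assumption (not from the page): the "suite proto Kx=.. Au=.. Enc=.. Mac=.."
# column layout of "openssl ciphers -v", as shown in the section above.

# Read "openssl ciphers -v" lines on stdin and print one
# "REJECT <suite> <reason>" line per suite that breaks a rule. Compliant suites
# produce no output. The proto column is informational: "SSLv3" only records
# where the suite first appeared, so it is not a reason to reject.
audit_cipher_lines() {
    awk '
    NF >= 2 {
        suite = $1; proto = $2; kx = ""; au = ""; enc = ""; mac = ""
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "Kx")  kx  = kv[2]
            if (kv[1] == "Au")  au  = kv[2]
            if (kv[1] == "Enc") enc = kv[2]
            if (kv[1] == "Mac") mac = kv[2]
        }
        # symmetric key size in bits, from the "(nnn)" part of Enc=
        bits = enc; sub(/^[^(]*\(/, "", bits); sub(/\).*$/, "", bits)
        reason = ""
        if (kx !~ /^(ECDH|DH)$/)                   reason = "no-forward-secrecy"
        else if (au == "None")                     reason = "anonymous-auth"
        else if (enc ~ /^(None|RC4|DES|3DES)/)     reason = "weak-cipher"
        else if (bits + 0 > 0 && bits + 0 < 128)   reason = "under-128-bit"
        else if (mac == "MD5")                     reason = "weak-mac"
        else if (suite ~ /^EXP/)                   reason = "export-grade"
        else if (proto == "SSLv2")                 reason = "sslv2-only"
        if (reason != "") print "REJECT", suite, reason
    }'
}

# Number of rejected suites in the audit output read on stdin.
count_rejects() {
    audit_cipher_lines | grep -c '^REJECT' || true
}

# Audit a cipher string with the local OpenSSL. Prints the REJECT lines and
# returns 1 if any suite was rejected, so it can gate a deployment step.
audit_openssl_cipher_string() {
    rejects=$(openssl ciphers -v "$1" | audit_cipher_lines)
    [ -z "$rejects" ] || { printf '%s\n' "$rejects"; return 1; }
}
```

Run audit_openssl_cipher_string 'HIGH:!aNULL' to see what a looser string than the one above lets through; with the section's kEECDH/kEDH string it should print nothing and return 0.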

4.11.2.2. Working with Cipher Suites in GnuTLS
GnuTLS is a communications library that implements the SSL and TLS protocols and related technologies.

Note
The GnuTLS installation on Red Hat Enterprise Linux 7 offers optimal default configuration values that provide sufficient security for the majority of use cases. Unless you need to satisfy special security requirements, it is recommended to use the supplied defaults.
Use the gnutls-cli command with the -l (or --list) option to list all supported cipher suites:
~]$ gnutls-cli -l
To narrow the list of cipher suites displayed by the -l option, pass one or more parameters (referred to as priority strings and keywords in GnuTLS documentation) to the --priority option. See the GnuTLS documentation at http://www.gnutls.org/manual/gnutls.html#Priority-Strings for a list of all available priority strings. For example, issue the following command to get a list of cipher suites that offer at least 128 bits of security:
~]$ gnutls-cli --priority SECURE128 -l
To obtain a list of cipher suites that satisfy the recommendations outlined in Section 4.11.1, “Choosing Algorithms to Enable”, use a command similar to the following:
~]$ gnutls-cli --priority SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC -l
Cipher suites for SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384      0xc0, 0x2c      TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384      0xc0, 0x24      TLS1.2
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1        0xc0, 0x0a      SSL3.0
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256      0xc0, 0x2b      TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256      0xc0, 0x23      TLS1.2
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1        0xc0, 0x09      SSL3.0
TLS_ECDHE_RSA_AES_256_GCM_SHA384        0xc0, 0x30      TLS1.2
TLS_ECDHE_RSA_AES_256_CBC_SHA1          0xc0, 0x14      SSL3.0
TLS_ECDHE_RSA_AES_128_GCM_SHA256        0xc0, 0x2f      TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA256        0xc0, 0x27      TLS1.2
TLS_ECDHE_RSA_AES_128_CBC_SHA1          0xc0, 0x13      SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA256          0x00, 0x6b      TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA1            0x00, 0x39      SSL3.0
TLS_DHE_RSA_AES_128_GCM_SHA256          0x00, 0x9e      TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA256          0x00, 0x67      TLS1.2
TLS_DHE_RSA_AES_128_CBC_SHA1            0x00, 0x33      SSL3.0

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1, CURVE-SECP256R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512, SIGN-RSA-SHA256, SIGN-DSA-SHA256, SIGN-ECDSA-SHA256
The above command limits the output to ciphers with at least 128 bits of security while giving preference to the stronger ones. It also forbids RSA key exchange and DSS authentication.
Note that this is a rather strict configuration, and it might be necessary to relax the conditions in real-world scenarios to allow for compatibility with a broader range of clients.

4.11.3. Configuring Specific Applications
Different applications provide their own configuration mechanisms for TLS. This section
describes the TLS-related configuration files employed by the most commonly used
server applications and offers examples of typical configurations.
Regardless of the configuration you choose to use, always make sure to mandate that
your server application enforces server-side cipher order, so that the cipher suite to be
used is determined by the order you configure.

4.11.3.1. Configuring the Apache HTTP Server
The Apache HTTP Server can use both OpenSSL and NSS libraries for its TLS needs.
Depending on your choice of the TLS library, you need to install either the mod_ssl or the
mod_nss module (provided by eponymous packages). For example, to install the package
that provides the OpenSSL mod_ssl module, issue the following command as root:
~]# yum install mod_ssl

Chapter 4. Hardening Your System with Tools and Services

The mod_ssl package installs the /etc/httpd/conf.d/ssl.conf configuration file, which
can be used to modify the TLS-related settings of the Apache HTTP Server. Similarly,
the mod_nss package installs the /etc/httpd/conf.d/nss.conf configuration file.
Install the httpd-manual package to obtain complete documentation for the Apache HTTP
Server, including TLS configuration. The directives available in the
/etc/httpd/conf.d/ssl.conf configuration file are described in detail in
/usr/share/httpd/manual/mod/mod_ssl.html. Examples of various settings are in
/usr/share/httpd/manual/ssl/ssl_howto.html.
When modifying the settings in the /etc/httpd/conf.d/ssl.conf configuration file, be
sure to consider the following three directives at the minimum:
SSLProtocol
Use this directive to specify the version of TLS (or SSL) you want to allow.
SSLCipherSuite
Use this directive to specify your preferred cipher suite or disable the ones you
want to disallow.
SSLHonorCipherOrder
Uncomment and set this directive to on to ensure that the connecting clients
adhere to the order of ciphers you specified.
For example:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
Note that the above configuration is the bare minimum, and it can be hardened
significantly by following the recommendations outlined in Section 4.11.1, “Choosing
Algorithms to Enable”.
To configure and use the mod_nss module, modify the /etc/httpd/conf.d/nss.conf
configuration file. The mod_nss module is derived from mod_ssl, and as such it shares
many features with it, not least the structure of the configuration file and the directives
that are available. Note that the mod_nss directives have a prefix of NSS instead of SSL.
See https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html for an overview
of information about mod_nss, including a list of mod_ssl configuration directives that are
not applicable to mod_nss.

4.11.3.2. Configuring the Dovecot Mail Server
To configure your installation of the Dovecot mail server to use TLS, modify the
/etc/dovecot/conf.d/10-ssl.conf configuration file. You can find an explanation of
some of the basic configuration directives available in that file in
/usr/share/doc/dovecot-2.2.10/wiki/SSL.DovecotConfiguration.txt (this help file
is installed along with the standard installation of Dovecot).
When modifying the settings in the /etc/dovecot/conf.d/10-ssl.conf configuration file,
be sure to consider the following three directives at the minimum:
ssl_protocols
Use this directive to specify the version of TLS (or SSL) you want to allow.
ssl_cipher_list
Use this directive to specify your preferred cipher suites or disable the ones you
want to disallow.
ssl_prefer_server_ciphers
Uncomment and set this directive to yes to ensure that the connecting clients
adhere to the order of ciphers you specified.
For example:
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers = yes
Note that the above configuration is the bare minimum, and it can be hardened
significantly by following the recommendations outlined in Section 4.11.1, “Choosing
Algorithms to Enable”.
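Added example, not code from the Red Hat guide or from the Apache or Dovecot projects: a POSIX shell function that reads an Apache mod_ssl ssl.conf or a Dovecot 10-ssl.conf file and reports whether the three minimum directives named in the two sections above are present, and whether their values still permit what the guide disables (SSLv3, anonymous or MD5 cipher suites, client-chosen cipher order). The sample configuration files are constructed inline; the function name and its heuristics are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Red Hat guide: check an Apache mod_ssl
# (ssl.conf) or Dovecot (10-ssl.conf) file for the three directives the guide
# says to set at minimum, and flag values that still permit what it disables.

# check_tls_conf FILE
# Prints one finding per directive; returns 0 when all three directives are
# present and acceptable, 1 otherwise.
check_tls_conf() {
    _file=$1
    _rc=0
    # Both formats use '#' comments; drop those and blank lines.
    _conf=$(grep -v '^[[:space:]]*#' "$_file" | grep -v '^[[:space:]]*$')

    # 1. Protocol versions: Apache "SSLProtocol", Dovecot "ssl_protocols".
    _line=$(printf '%s\n' "$_conf" \
        | grep -iE '^[[:space:]]*(SSLProtocol|ssl_protocols)([[:space:]]|=)' \
        | head -n 1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$_line" ]; then
        echo "MISSING protocol directive (SSLProtocol / ssl_protocols)"; _rc=1
    else
        # Apache lists what is allowed ("all" includes SSLv3 unless it is removed
        # with "-SSLv3"); Dovecot lists exclusions, so SSLv3 stays on unless "!SSLv3".
        _allow3=1
        case "$_line" in
            [Ss][Ss][Ll][Pp]*)
                _allow3=0
                for _tok in $(printf '%s\n' "$_line" | sed 's/^[^[:space:]]*[[:space:]]*//'); do
                    case "$_tok" in
                        -SSLv3)                   _allow3=0 ;;
                        all|All|ALL|SSLv3|+SSLv3) _allow3=1 ;;
                    esac
                done ;;
            *)
                if printf '%s\n' "$_line" | grep -q '!SSLv3'; then _allow3=0; fi ;;
        esac
        if [ "$_allow3" -eq 1 ]; then
            echo "WEAK    $_line (SSLv3 still allowed)"; _rc=1
        else
            echo "OK      $_line"
        fi
    fi

    # 2. Cipher list: Apache "SSLCipherSuite", Dovecot "ssl_cipher_list". The
    #    guide's example is HIGH:!aNULL:!MD5; warn when either exclusion is absent.
    _line=$(printf '%s\n' "$_conf" \
        | grep -iE '^[[:space:]]*(SSLCipherSuite|ssl_cipher_list)([[:space:]]|=)' \
        | head -n 1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$_line" ]; then
        echo "MISSING cipher directive (SSLCipherSuite / ssl_cipher_list)"; _rc=1
    elif ! printf '%s\n' "$_line" | grep -q '!aNULL' \
      || ! printf '%s\n' "$_line" | grep -q '!MD5'; then
        echo "WEAK    $_line (aNULL or MD5 not excluded)"; _rc=1
    else
        echo "OK      $_line"
    fi

    # 3. Server-side cipher order: Apache "SSLHonorCipherOrder on",
    #    Dovecot "ssl_prefer_server_ciphers = yes".
    _line=$(printf '%s\n' "$_conf" \
        | grep -iE '^[[:space:]]*(SSLHonorCipherOrder|ssl_prefer_server_ciphers)([[:space:]]|=)' \
        | head -n 1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$_line" in
        "")                      echo "MISSING cipher-order directive (server order not enforced)"; _rc=1 ;;
        *[Oo][Nn]|*[Yy][Ee][Ss]) echo "OK      $_line" ;;
        *)                       echo "WEAK    $_line (must be on / yes)"; _rc=1 ;;
    esac
    return $_rc
}

# Constructed sample files: the guide's two minimal examples and a weak ssl.conf.
HARDENED_CONF=$(mktemp); WEAK_CONF=$(mktemp); DOVECOT_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
EOF
cat > "$WEAK_CONF" <<'EOF'
# SSLv3 remains enabled, the cipher list permits anything, and the client
# picks the cipher because SSLHonorCipherOrder is left commented out.
SSLProtocol all
SSLCipherSuite ALL
#SSLHonorCipherOrder on
EOF
cat > "$DOVECOT_CONF" <<'EOF'
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers = yes
EOF

for f in "$HARDENED_CONF" "$DOVECOT_CONF" "$WEAK_CONF"; do
    echo "== $f"
    check_tls_conf "$f" || echo "=> $f needs hardening"
done
```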

4.11.4. Additional Information
For more information about TLS configuration and related topics, see the resources listed
below.

Installed Documentation
config(1) — Describes the format of the /etc/ssl/openssl.conf configuration file.
ciphers(1) — Includes a list of available OpenSSL keywords and cipher strings.
/usr/share/httpd/manual/mod/mod_ssl.html — Contains detailed descriptions of the
directives available in the /etc/httpd/conf.d/ssl.conf configuration file used by the
mod_ssl module for the Apache HTTP Server.
/usr/share/httpd/manual/ssl/ssl_howto.html — Contains practical examples of
real-world settings in the /etc/httpd/conf.d/ssl.conf configuration file used by the
mod_ssl module for the Apache HTTP Server.
/usr/share/doc/dovecot-2.2.10/wiki/SSL.DovecotConfiguration.txt — Explains
some of the basic configuration directives available in the /etc/dovecot/conf.d/10-ssl.conf
configuration file used by the Dovecot mail server.

Online Documentation
Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide — The SELinux
User's and Administrator's Guide for Red Hat Enterprise Linux 7 describes the basic
principles of SELinux and documents in detail how to configure and use SELinux with
various services, such as the Apache HTTP Server.
http://tools.ietf.org/html/draft-ietf-uta-tls-bcp-00 — Recommendations for secure use of
TLS and DTLS.

See Also
Section A.2.4, “SSL/TLS” provides a concise description of the SSL and TLS protocols.
Section 4.8, “Using OpenSSL” describes, among other things, how to use OpenSSL to
create and manage keys, generate certificates, and encrypt and decrypt files.

4.12. Using MACsec (IEEE 802.1AE)
Media Access Control Security (MACsec) encrypts and authenticates all traffic in LANs
with the GCM-AES-128 algorithm. MACsec can protect not only your IP traffic, but also ARP
and neighbor discovery or DHCP. MACsec operates at a different layer than IPsec or SSL
and TLS. Combine MACsec with security protocols for other networking layers to take
advantage of the different security guarantees that these standards provide.
See the MACsec: a different solution to encrypt network traffic article for more information
about the architecture of a MACsec network, use case scenarios, and configuration
examples.


Chapter 5. System Auditing
The Linux Audit system provides a way to track security-relevant information on your
system. Based on pre-configured rules, Audit generates log entries to record as much
information about the events that are happening on your system as possible. This
information is crucial for mission-critical environments to determine the violator of the
security policy and the actions they performed. Audit does not provide additional security
to your system; rather, it can be used to discover violations of security policies used on
your system. These violations can further be prevented by additional security measures
such as SELinux.
The following list summarizes some of the information that Audit is capable of recording in
its log files:
Date and time, type, and outcome of an event.
Sensitivity labels of subjects and objects.
Association of an event with the identity of the user who triggered the event.
All modifications to Audit configuration and attempts to access Audit log files.
All uses of authentication mechanisms, such as SSH, Kerberos, and others.
Changes to any trusted database, such as /etc/passwd.
Attempts to import or export information into or from the system.
Include or exclude events based on user identity, subject and object labels, and other
attributes.
The use of the Audit system is also a requirement for a number of security-related
certifications. Audit is designed to meet or exceed the requirements of the following
certifications or compliance guides:
Controlled Access Protection Profile (CAPP)
Labeled Security Protection Profile (LSPP)
Rule Set Based Access Control (RSBAC)
National Industrial Security Program Operating Manual (NISPOM)
Federal Information Security Management Act (FISMA)
Payment Card Industry — Data Security Standard (PCI-DSS)
Security Technical Implementation Guides (STIG)
Audit has also been:
Evaluated by National Information Assurance Partnership (NIAP) and Best Security
Industries (BSI).
Certified to LSPP/CAPP/RSBAC/EAL4+ on Red Hat Enterprise Linux 5.
Certified to Operating System Protection Profile / Evaluation Assurance Level 4+
(OSPP/EAL4+) on Red Hat Enterprise Linux 6.


Use Cases
Watching file access
Audit can track whether a file or a directory has been accessed, modified,
executed, or the file's attributes have been changed. This is useful, for example,
to detect access to important files and have an Audit trail available in case one of
these files is corrupted.
Monitoring system calls
Audit can be configured to generate a log entry every time a particular system
call is used. This can be used, for example, to track changes to the system time
by monitoring the settimeofday, clock_adjtime, and other time-related system
calls.
Recording commands run by a user
Audit can track whether a file has been executed, so rules can be defined to
record every execution of a particular command. For example, a rule can be
defined for every executable in the /bin directory. The resulting log entries can
then be searched by user ID to generate an audit trail of executed commands
per user.
Recording execution of system pathnames
Aside from watching file access, which translates a path to an inode at rule
invocation, Audit can now watch the execution of a path even if it does not exist at
rule invocation, or if the file is replaced after rule invocation. This allows rules to
continue to work after upgrading a program executable or before it is even
installed.
Recording security events
The pam_faillock authentication module is capable of recording failed login
attempts. Audit can be set up to record failed login attempts as well, and provides
additional information about the user who attempted to log in.
Searching for events
Audit provides the ausearch utility, which can be used to filter the log entries
and provide a complete audit trail based on a number of conditions.
Running summary reports
The aureport utility can be used to generate, among other things, daily reports
of recorded events. A system administrator can then analyze these reports and
investigate suspicious activity further.
Monitoring network access
The iptables and ebtables utilities can be configured to trigger Audit events,
allowing system administrators to monitor network access.


Note
System performance may be affected depending on the amount of information that
is collected by Audit.

5.1. Audit System Architecture
The Audit system consists of two main parts: the user-space applications and utilities, and
the kernel-side system call processing. The kernel component receives system calls from
user-space applications and filters them through one of the three filters: user, task, or exit.
Once a system call passes the exclude filter, it is sent through one of the aforementioned
filters, which, based on the Audit rule configuration, sends it to the Audit daemon for
further processing. Figure 5.1, “Audit System Architecture” illustrates this process.

Figure 5.1. Audit System Architecture
The user-space Audit daemon collects the information from the kernel and creates entries
in a log file. Other Audit user-space utilities interact with the Audit daemon, the kernel
Audit component, or the Audit log files:
audisp — the Audit dispatcher daemon interacts with the Audit daemon and sends
events to other applications for further processing. The purpose of this daemon is to
provide a plug-in mechanism so that real-time analytical programs can interact with
Audit events.
auditctl — the Audit control utility interacts with the kernel Audit component to
manage rules and to control a number of settings and parameters of the event
generation process.


The remaining Audit utilities take the contents of the Audit log files as input and
generate output based on the user's requirements. For example, the aureport utility
generates a report of all recorded events.

5.2. Installing the audit Packages
In order to use the Audit system, you must have the audit packages installed on your
system. The audit packages (audit and audit-libs) are installed by default on Red Hat
Enterprise Linux 7. If you do not have these packages installed, execute the following
command as the root user to install Audit and the dependencies:
~]# yum install audit

5.3. Configuring the audit Service
The Audit daemon can be configured in the /etc/audit/auditd.conf file. This file
consists of configuration parameters that modify the behavior of the Audit daemon. Empty
lines and text following a hash sign (#) are ignored. For further details, see the
auditd.conf(5) man page.

5.3.1. Configuring auditd for a Secure Environment
The default auditd configuration should be suitable for most environments. However, if
your environment has to meet strict security policies, the following settings are
suggested for the Audit daemon configuration in the /etc/audit/auditd.conf file:
log_file
The directory that holds the Audit log files (usually /var/log/audit/) should
reside on a separate mount point. This prevents other processes from
consuming space in this directory, and provides accurate detection of the
remaining space for the Audit daemon.
max_log_file
Specifies the maximum size of a single Audit log file. Must be set to make full
use of the available space on the partition that holds the Audit log files.
max_log_file_action
Decides what action is taken once the limit set in max_log_file is reached.
Should be set to keep_logs to prevent Audit log files from being overwritten.
space_left
Specifies the amount of free space left on the disk for which an action that is set
in the space_left_action parameter is triggered. Must be set to a number that
gives the administrator enough time to respond and free up disk space. The
space_left value depends on the rate at which the Audit log files are generated.
space_left_action
It is recommended to set the space_left_action parameter to email or exec
with an appropriate notification method.
admin_space_left
Specifies the absolute minimum amount of free space for which an action that is
set in the admin_space_left_action parameter is triggered. Must be set to a
value that leaves enough space to log actions performed by the administrator.
admin_space_left_action
Should be set to single to put the system into single-user mode and allow the
administrator to free up some disk space.
disk_full_action
Specifies an action that is triggered when no free space is available on the
partition that holds the Audit log files. Must be set to halt or single. This
ensures that the system is either shut down or operating in single-user mode
when Audit can no longer log events.
disk_error_action
Specifies an action that is triggered in case an error is detected on the partition
that holds the Audit log files. Must be set to syslog, single, or halt, depending
on your local security policies regarding the handling of hardware malfunctions.
flush
Should be set to incremental_async. It works in combination with the freq
parameter, which determines how many records can be sent to the disk before
forcing a hard synchronization with the hard drive. The freq parameter should be
set to 100. These parameters assure that Audit event data is synchronized with
the log files on the disk while keeping good performance for bursts of activity.
The remaining configuration options should be set according to your local security policy.
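Added example, not part of the Red Hat guide: a POSIX shell checker that compares an auditd.conf file against the settings suggested in this section and reports which ones still need to change. The two sample files are constructed for the example; the function names, and the sanity rule that admin_space_left must be lower than space_left, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the Red Hat guide: compare an auditd.conf file
# against the hardened values recommended in Section 5.3.1 and report what
# still needs to change.

# conf_get FILE KEY: print the value of KEY (case-insensitive key, '#' starts a
# comment, "key = value" layout), or nothing when the key is unset.
conf_get() {
    sed 's/#.*//' "$1" | awk -F= -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (tolower(key) == k) {
                val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# expect_value FILE KEY ALLOWED...: OK when the value (compared case-insensitively,
# as auditd itself accepts either case) is one of ALLOWED, else FIX.
expect_value() {
    _f=$1; _k=$2; shift 2
    _v=$(conf_get "$_f" "$_k" | tr 'A-Z' 'a-z')
    for _a in "$@"; do
        if [ "$_v" = "$_a" ]; then
            echo "OK      $_k = $_v"; return 0
        fi
    done
    echo "FIX     $_k = '${_v:-<unset>}' (expected one of: $*)"
    return 1
}

# check_auditd_conf FILE: returns 0 when every checked setting matches the
# guide, 1 otherwise. The mount-point check is advisory only, since it depends
# on the host the script runs on rather than on the file.
check_auditd_conf() {
    _file=$1; _bad=0
    expect_value "$_file" max_log_file_action keep_logs        || _bad=$((_bad + 1))
    expect_value "$_file" space_left_action email exec         || _bad=$((_bad + 1))
    expect_value "$_file" admin_space_left_action single       || _bad=$((_bad + 1))
    expect_value "$_file" disk_full_action halt single         || _bad=$((_bad + 1))
    expect_value "$_file" disk_error_action syslog single halt || _bad=$((_bad + 1))
    expect_value "$_file" flush incremental_async              || _bad=$((_bad + 1))
    expect_value "$_file" freq 100                             || _bad=$((_bad + 1))

    # Both thresholds are in megabytes; the admin threshold must be the lower
    # one, or single-user mode is entered before the notification ever fires
    # (this ordering rule is the example's own assumption, not from the guide).
    _sl=$(conf_get "$_file" space_left); _asl=$(conf_get "$_file" admin_space_left)
    if [ -n "$_sl" ] && [ -n "$_asl" ] && [ "$_asl" -lt "$_sl" ] 2>/dev/null; then
        echo "OK      admin_space_left ($_asl MB) is below space_left ($_sl MB)"
    else
        echo "FIX     space_left='$_sl' admin_space_left='$_asl' (set both, admin lower)"
        _bad=$((_bad + 1))
    fi

    # Advisory: where does the log directory live on this host?
    _lf=$(conf_get "$_file" log_file)
    _dir=$(dirname "${_lf:-/var/log/audit/audit.log}")
    if [ ! -d "$_dir" ]; then
        echo "SKIP    $_dir does not exist on this host; mount point not checked"
    else
        _mp=$(df -P "$_dir" | awk 'NR == 2 { print $6 }')
        echo "INFO    $_dir is on the file system mounted at $_mp (guide: separate mount point)"
    fi
    return $(( _bad > 0 ))
}

# Constructed samples: a default-style file and one set as the guide suggests.
DEFAULT_AUDITD_CONF=$(mktemp); HARDENED_AUDITD_CONF=$(mktemp)
cat > "$DEFAULT_AUDITD_CONF" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
flush = INCREMENTAL_ASYNC
freq = 50
EOF
cat > "$HARDENED_AUDITD_CONF" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 50
max_log_file_action = keep_logs
space_left = 500
space_left_action = email
action_mail_acct = root
admin_space_left = 100
admin_space_left_action = single
disk_full_action = halt
disk_error_action = syslog
flush = incremental_async
freq = 100
EOF

check_auditd_conf "$DEFAULT_AUDITD_CONF" || echo "=> default-style file needs changes"
check_auditd_conf "$HARDENED_AUDITD_CONF" && echo "=> hardened file matches the guide"
```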

5.4. Starting the audit Service
Once auditd is configured, start the service to collect Audit information and store it in the
log files. Execute the following command as the root user to start auditd:
~]# service auditd start

Note
The service command is the only way to correctly interact with the auditd daemon.
You need to use the service command so that the auid value is properly recorded.
You can use the systemctl command only for two actions: enable and status.
To configure auditd to start at boot time, use the following command as the root user:
~]# systemctl enable auditd
A number of other actions can be performed on auditd using the service auditd
action command, where action can be one of the following:


stop
Stops auditd.
restart
Restarts auditd.
reload or force-reload
Reloads the configuration of auditd from the /etc/audit/auditd.conf file.
rotate
Rotates the log files in the /var/log/audit/ directory.
resume
Resumes logging of Audit events after it has been previously suspended, for
example, when there is not enough free space on the disk partition that holds the
Audit log files.
condrestart or try-restart
Restarts auditd only if it is already running.
status
Displays the running status of auditd.

5.5. Defining Audit Rules
The Audit system operates on a set of rules that define what is to be captured in the log
files. The following types of Audit rules can be specified:
Control rules
Allow the Audit system's behavior and some of its configuration to be modified.
File system rules
Also known as file watches, allow the auditing of access to a particular file or a
directory.
System call rules
Allow logging of system calls that any specified program makes.
Audit rules can be set:
on the command line using the auditctl utility. Note that these rules are not persistent
across reboots. For details, see Section 5.5.1, “Defining Audit Rules with auditctl”
in the /etc/audit/audit.rules file. For details, see Section 5.5.3, “Defining Persistent
Audit Rules and Controls in the /etc/audit/audit.rules File”

5.5.1. Defining Audit Rules with auditctl
The auditctl command allows you to control the basic functionality of the Audit system
and to define rules that decide which Audit events are logged.


Note
All commands which interact with the Audit service and the Audit log files require
root privileges. Ensure you execute these commands as the root user. Additionally,
CAP_AUDIT_CONTROL is required to set up audit services and CAP_AUDIT_WRITE is
required to log user messages.

Defining Control Rules
The following are some of the control rules that allow you to modify the behavior of the
Audit system:
-b
sets the maximum amount of existing Audit buffers in the kernel, for example:
~]# auditctl -b 8192
-f
sets the action that is performed when a critical error is detected, for example:
~]# auditctl -f 2
The above configuration triggers a kernel panic in case of a critical error.
-e
enables and disables the Audit system or locks its configuration, for example:
~]# auditctl -e 2
The above command locks the Audit configuration.
-r
sets the rate of generated messages per second, for example:
~]# auditctl -r 0
The above configuration sets no rate limit on generated messages.
-s
reports the status of the Audit system, for example:
~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=0 rate_limit=0 backlog_limit=8192 lost=259 backlog=0
-l
lists all currently loaded Audit rules, for example:


~]# auditctl -l
-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion
⋮
-D
deletes all currently loaded Audit rules, for example:
~]# auditctl -D
No rules

Defining File System Rules
To define a file system rule, use the following syntax:
auditctl -w path_to_file -p permissions -k key_name
where:
path_to_file is the file or directory that is audited.
permissions are the permissions that are logged:
r — read access to a file or a directory.
w — write access to a file or a directory.
x — execute access to a file or a directory.
a — change in the file's or directory's attribute.
key_name is an optional string that helps you identify which rule or a set of rules
generated a particular log entry.

Example 5.1. File System Rules
To define a rule that logs all write access to, and every attribute change of, the
/etc/passwd file, execute the following command:
~]# auditctl -w /etc/passwd -p wa -k passwd_changes
Note that the string following the -k option is arbitrary.
To define a rule that logs all write access to, and every attribute change of, all the files
in the /etc/selinux/ directory, execute the following command:
~]# auditctl -w /etc/selinux/ -p wa -k selinux_changes
To define a rule that logs the execution of the /sbin/insmod command, which inserts a
module into the Linux kernel, execute the following command:
~]# auditctl -w /sbin/insmod -p x -k module_insertion


Defining System Call Rules
To define a system call rule, use the following syntax:
auditctl -a action,filter -S system_call -F field=value -k key_name
where:
action and filter specify when a certain event is logged. action can be either always or
never. filter specifies which kernel rule-matching filter is applied to the event. The
rule-matching filter can be one of the following: task, exit, user, and exclude. For more
information about these filters, see the beginning of Section 5.1, “Audit System
Architecture”.
system_call specifies the system call by its name. A list of all system calls can be
found in the /usr/include/asm/unistd_64.h file. Several system calls can be
grouped into one rule, each specified after its own -S option.
field=value specifies additional options that further modify the rule to match events
based on a specified architecture, group ID, process ID, and others. For a full listing of
all available field types and their values, see the auditctl(8) man page.
key_name is an optional string that helps you identify which rule or a set of rules
generated a particular log entry.

Example 5.2. System Call Rules
To define a rule that creates a log entry every time the adjtimex or settimeofday
system calls are used by a program, and the system uses the 64-bit architecture,
execute the following command:
~]# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
To define a rule that creates a log entry every time a file is deleted or renamed by a
system user whose ID is 1000 or larger, execute the following command:
~]# auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
Note that the -F auid!=4294967295 option is used to exclude users whose login UID is
not set.
It is also possible to define a file system rule using the system call rule syntax. The
following command creates a rule for system calls that is analogous to the -w
/etc/shadow -p wa file system rule:
~]# auditctl -a always,exit -F path=/etc/shadow -F perm=wa

5.5.2. Defining Executable File Rules
To define an executable file rule, use the following syntax:


auditctl -a action,filter [ -F arch=cpu -S system_call] -F exe=path_to_executable_file -k key_name
where:
action and filter specify when a certain event is logged. action can be either always or
never. filter specifies which kernel rule-matching filter is applied to the event. The
rule-matching filter can be one of the following: task, exit, user, and exclude. For more
information about these filters, see the beginning of Section 5.1, “Audit System
Architecture”.
system_call specifies the system call by its name. A list of all system calls can be
found in the /usr/include/asm/unistd_64.h file. Several system calls can be
grouped into one rule, each specified after its own -S option.
path_to_executable_file is the absolute path to the executable file that is audited.
key_name is an optional string that helps you identify which rule or a set of rules
generated a particular log entry.

Example 5.3. Executable File Rules
To define a rule that logs all execution of the /bin/id program, execute the following
command:
~]# auditctl -a always,exit -F exe=/bin/id -S execve -k execution_bin_id

5.5.3. Defining Persistent Audit Rules and Controls in the
/etc/audit/audit.rules File
To define Audit rules that are persistent across reboots, you must include them in the
/etc/audit/audit.rules file. This file uses the same auditctl command line syntax to
specify the rules. Empty lines and text following a hash sign (#) are ignored.
The auditctl command can also be used to read rules from a specified file using the -R
option, for example:
~]# auditctl -R /usr/share/doc/audit/rules/30-stig.rules

Defining Control Rules
A file can contain only the following control rules that modify the behavior of the Audit
system: -b, -D, -e, -f, -r, and --loginuid-immutable. For more information on these
options, see Section 5.5.1, “Defining Control Rules”.

Example 5.4. Control Rules in audit.rules
# Delete all previous rules
-D
# Set buffer size


-b 8192
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
# Panic when a failure occurs
-f 2
# Generate at most 100 audit messages per second
-r 100
# Make login UID immutable once it is set (may break containers)
--loginuid-immutable 1

Defining File System and System Call Rules
File system and system call rules are defined using the auditctl syntax. The examples
in Section 5.5.1, “Defining Audit Rules with auditctl” can be represented with the following
rules file:

Example 5.5. File System and System Call Rules in audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/selinux/ -p wa -k selinux_changes
-w /sbin/insmod -p x -k module_insertion
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Preconfigured Rules Files
In the /usr/share/doc/audit/rules/ directory, the audit package provides a set of
pre-configured rules files according to various certification standards:
30-nispom.rules — Audit rule configuration that meets the requirements specified in
the Information System Security chapter of the National Industrial Security Program
Operating Manual.
30-pci-dss-v31.rules — Audit rule configuration that meets the requirements set by
Payment Card Industry Data Security Standard (PCI DSS) v3.1.
30-stig.rules — Audit rule configuration that meets the requirements set by
Security Technical Implementation Guides (STIG).
To use these configuration files, create a backup of your original
/etc/audit/audit.rules file and copy the configuration file of your choice over the
/etc/audit/audit.rules file:
~]# cp /etc/audit/audit.rules /etc/audit/audit.rules_backup
~]# cp /usr/share/doc/audit/rules/30-stig.rules /etc/audit/audit.rules


Note
The Audit rules have a numbering scheme that allows them to be ordered. To learn
more about the naming scheme, see the /usr/share/doc/audit/rules/README-rules file.

5.6. Understanding Audit Log Files
By default, the Audit system stores log entries in the /var/log/audit/audit.log file; if
log rotation is enabled, rotated audit.log files are stored in the same directory.
The following Audit rule logs every attempt to read or modify the /etc/ssh/sshd_config
file:
-w /etc/ssh/sshd_config -p warx -k sshd_config
If the auditd daemon is running, for example, using the following command creates a new
event in the Audit log file:
~]$ cat /etc/ssh/sshd_config
This event in the audit.log file looks as follows:
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
The above event consists of three records, which share the same time stamp and serial
number. Records always start with the type= keyword. Each record consists of several
name=value pairs separated by a white space or a comma. A detailed analysis of the
above event follows:

First Record
type=SYSCALL
The type field contains the type of the record. In this example, the SYSCALL value
specifies that this record was triggered by a system call to the kernel.
For a list of all possible type values and their explanations, see Section B.2,
“Audit Record Types”.
msg=audit(1364481363.243:24287):
The msg field records:


a time s tamp and a unique ID of the re cord in the form
audit(time_stamp:ID). Multiple re cords can s hare the s ame time s tamp and
ID if the y we re ge ne rate d as part of the s ame Audit e ve nt. The time s tamp is
us ing the Unix time format - s e conds s ince 00:00:00 UTC on 1 January 1970.
various e ve nt-s pe cific name=value pairs provide d by the ke rne l or us e r s pace
applications .
arch=c000003e
The arch field contains information about the CPU architecture of the system. The
value, c000003e, is encoded in hexadecimal notation. When searching Audit
records with the ausearch command, use the -i or --interpret option to
automatically convert hexadecimal values into their human-readable equivalents.
The c000003e value is interpreted as x86_64.
syscall=2
The syscall field records the type of the system call that was sent to the kernel.
The value, 2, can be matched with its human-readable equivalent in the
/usr/include/asm/unistd_64.h file. In this case, 2 is the open system call. Note
that the ausyscall utility allows you to convert system call numbers to their
human-readable equivalents. Use the ausyscall --dump command to display a
listing of all system calls along with their numbers. For more information, see the
ausyscall(8) man page.
success=no
The success field records whether the system call recorded in that particular
event succeeded or failed. In this case, the call did not succeed.
exit=-13
The exit field contains a value that specifies the exit code returned by the
system call. This value varies for different system calls. You can interpret the
value to its human-readable equivalent with the following command:
~]# ausearch --interpret --exit -13
Note that the previous example assumes that your Audit log contains an event
that failed with exit code -13.
a0=7fffd19c5592, a1=0, a2=7fffd19c4b50, a3=a
The a0 to a3 fields record the first four arguments, encoded in hexadecimal
notation, of the system call in this event. These arguments depend on the
system call that is used; they can be interpreted by the ausearch utility.
items=1
The items field contains the number of auxiliary records that follow the syscall
record.
ppid=2686
The ppid field records the Parent Process ID (PPID). In this case, 2686 was the
PPID of the parent process such as bash.
pid=3538
The pid field records the Process ID (PID). In this case, 3538 was the PID of the
cat process.
auid=1000
The auid field records the Audit user ID, that is the loginuid. This ID is assigned
to a user upon login and is inherited by every process even when the user's
identity changes, for example, by switching user accounts with the su - john
command.
uid=1000
The uid field records the user ID of the user who started the analyzed process.
The user ID can be interpreted into user names with the following command:
ausearch -i --uid UID.
gid=1000
The gid field records the group ID of the user who started the analyzed process.
euid=1000
The euid field records the effective user ID of the user who started the analyzed
process.
suid=1000
The suid field records the set user ID of the user who started the analyzed
process.
fsuid=1000
The fsuid field records the file system user ID of the user who started the
analyzed process.
egid=1000
The egid field records the effective group ID of the user who started the
analyzed process.
sgid=1000
The sgid field records the set group ID of the user who started the analyzed
process.
fsgid=1000
The fsgid field records the file system group ID of the user who started the
analyzed process.
tty=pts0
The tty field records the terminal from which the analyzed process was invoked.
ses=1
The ses field records the session ID of the session from which the analyzed
process was invoked.
comm="cat"
The comm field records the command-line name of the command that was used to
invoke the analyzed process. In this case, the cat command was used to trigger
this Audit event.
exe="/bin/cat"
The exe field records the path to the executable that was used to invoke the
analyzed process.
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The subj field records the SELinux context with which the analyzed process was
labeled at the time of execution.
key="sshd_config"
The key field records the administrator-defined string associated with the rule
that generated this event in the Audit log.

Second Record
type=CWD
In the second record, the type field value is CWD — current working directory. This
type is used to record the working directory from which the process that invoked
the system call specified in the first record was executed.
The purpose of this record is to record the current process's location in case a
relative path winds up being captured in the associated PATH record. This way the
absolute path can be reconstructed.
msg=audit(1364481363.243:24287)
The msg field holds the same time stamp and ID value as the value in the first
record. The time stamp uses the Unix time format: seconds since 00:00:00
UTC on 1 January 1970.
cwd="/home/shadowman"
The cwd field contains the path to the directory in which the system call was
invoked.

Third Record
type=PATH
In the third record, the type field value is PATH. An Audit event contains a PATH-type
record for every path that is passed to the system call as an argument. In
this Audit event, only one path (/etc/ssh/sshd_config) was used as an
argument.
msg=audit(1364481363.243:24287):
The msg field holds the same time stamp and ID value as the value in the first
and second record.
item=0
The item field indicates which item, of the total number of items referenced in
the SYSCALL type record, the current record is. This number is zero-based; a
value of 0 means it is the first item.
name="/etc/ssh/sshd_config"
The name field records the full path of the file or directory that was passed to the
system call as an argument. In this case, it was the /etc/ssh/sshd_config file.
inode=409248
The inode field contains the inode number associated with the file or directory
recorded in this event. The following command displays the file or directory that
is associated with the 409248 inode number:
~]# find / -inum 409248 -print
/etc/ssh/sshd_config
dev=fd:00
The dev field specifies the minor and major ID of the device that contains the file
or directory recorded in this event. In this case, the value represents the
/dev/fd/0 device.
mode=0100600
The mode field records the file or directory permissions, encoded in numerical
notation as returned by the stat command in the st_mode field. See the stat(2)
man page for more information. In this case, 0100600 can be interpreted as
-rw-------, meaning that only the root user has read and write permissions to the
/etc/ssh/sshd_config file.
ouid=0
The ouid field records the object owner's user ID.
ogid=0
The ogid field records the object owner's group ID.
rdev=00:00
The rdev field contains a recorded device identifier for special files only. In this
case, it is not used as the recorded file is a regular file.
obj=system_u:object_r:etc_t:s0
The obj field records the SELinux context with which the recorded file or directory
was labeled at the time of execution.
The Audit event analyzed above contains only a subset of all possible fields that an event
can contain. For a list of all event fields and their explanation, see Section B.1, “Audit
Event Fields”. For a list of all event types and their explanation, see Section B.2, “Audit
Record Types”.

Example 5.6. Additional audit.log Events
The following Audit event records a successful start of the auditd daemon. The ver
field shows the version of the Audit daemon that was started.
type=DAEMON_START msg=audit(1363713609.192:5426): auditd start,
ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=1000 pid=4979
subj=unconfined_u:system_r:auditd_t:s0 res=success
The following Audit event records a failed attempt of the user with UID 1000 to log in as
the root user.
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=1000
auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su"
hostname=? addr=? terminal=pts/0 res=failed'
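The record structure described above (records grouped into an event by the audit(time_stamp:ID) value, name=value pairs, a nested msg='...' on USER_AUTH, and numeric fields that ausearch -i translates) lends itself to a small parser. The following Python is an added example for this guide, not code from the audit package; its log lines are constructed from the records shown on this page, and the arch and syscall lookup tables are deliberately limited to the values those records use.

```python
"""Group raw auditd records into events and interpret their numeric fields the
way `ausearch -i` does.  Added example for this guide, not audit package code;
the log lines are constructed from the records shown on this page."""
import errno
import os
import re
import stat

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=1000 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
PAIR_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
# Assumed lookup tables, limited to the values used here; ausearch and
# ausyscall derive the complete tables from the kernel headers.
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 257: "openat"}


def parse_pairs(text):
    """name=value pairs to a dict; a single-quoted value (the nested msg= of
    USER_* records) is a pair list of its own and is parsed recursively."""
    fields = {}
    for key, value in PAIR_RE.findall(text):
        if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
            fields[key] = parse_pairs(value[1:-1])
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            fields[key] = value[1:-1]
        else:
            fields[key] = value
    return fields


def parse_record(line):
    """Split one audit.log line into record type, event id and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "event_id": ts + ":" + serial, "fields": parse_pairs(body)}


def group_events(log_text):
    """Records sharing time stamp and serial number form one event."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["event_id"], []).append(rec)
    return events


def interpret_syscall(fields):
    """Decode arch, syscall and exit; a negative exit value is -errno."""
    out = {"arch": ARCH_NAMES.get(fields.get("arch"), fields.get("arch"))}
    if out["arch"] == "x86_64" and "syscall" in fields:
        num = int(fields["syscall"])
        out["syscall"] = X86_64_SYSCALLS.get(num, str(num))
    if "exit" in fields:
        code = int(fields["exit"])
        out["exit"] = str(code) if code >= 0 else "%s(%s)" % (
            errno.errorcode.get(-code, str(-code)), os.strerror(-code))
    return out


def interpret_mode(fields):
    """mode=0100600 -> '-rw-------' (the st_mode rendering ls uses)."""
    return stat.filemode(int(fields["mode"], 8))


def watched_file_accesses(events):
    """Join each SYSCALL record that fired on a keyed (-k) rule with the PATH
    records of its event, so the analyst sees who touched which file and how."""
    hits = []
    for event_id, records in events.items():
        paths = [r["fields"].get("name") for r in records if r["type"] == "PATH"]
        for rec in records:
            f = rec["fields"]
            if rec["type"] != "SYSCALL" or f.get("key", "(null)") == "(null)":
                continue
            hit = {"event": event_id, "key": f["key"], "comm": f.get("comm"),
                   "auid": f.get("auid"), "success": f.get("success"), "paths": paths}
            hit.update(interpret_syscall(f))
            hits.append(hit)
    return hits


def failed_authentications(events):
    """USER_AUTH records whose nested msg= reports res=failed."""
    out = []
    for event_id, records in events.items():
        for rec in records:
            nested = rec["fields"].get("msg")
            if rec["type"] == "USER_AUTH" and isinstance(nested, dict) \
                    and nested.get("res") == "failed":
                out.append({"event": event_id, "auid": rec["fields"].get("auid"),
                            "acct": nested.get("acct"), "exe": nested.get("exe"),
                            "terminal": nested.get("terminal")})
    return out
```

Running group_events over SAMPLE_LOG yields three events; watched_file_accesses reports the sshd_config hit as an x86_64 open that returned EACCES(Permission denied), which is what ausearch -i prints for exit=-13, and failed_authentications surfaces the su attempt against the root account. The key check skips SYSCALL records that carry key=(null), that is, syscalls that matched no keyed rule.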

5.7. Searching the Audit Log Files
The ausearch utility allows you to search Audit log files for specific events. By default,
ausearch searches the /var/log/audit/audit.log file. You can specify a different file
using the ausearch options -if file_name command. Supplying multiple options in one
ausearch command is equivalent to using the AND operator between field types and the
OR operator between multiple instances of the same field type.

Example 5.7. Using ausearch to Search Audit Log Files
To search the /var/log/audit/audit.log file for failed login attempts, use the
following command:
~]# ausearch --message USER_LOGIN --success no --interpret
To search for all account, group, and role changes, use the following command:
~]# ausearch -m ADD_USER -m DEL_USER -m ADD_GROUP -m USER_CHAUTHTOK -m
DEL_GROUP -m CHGRP_ID -m ROLE_ASSIGN -m ROLE_REMOVE -i
To search for all logged actions performed by a certain user, using the user's login ID
(auid), use the following command:
~]# ausearch -ua 1000 -i
To search for all failed system calls from yesterday up until now, use the following
command:
~]# ausearch --start yesterday --end now -m SYSCALL -sv no -i

For a full listing of all ausearch options, see the ausearch(8) man page.

5.8. Creating Audit Reports
The aureport utility allows you to generate summary and columnar reports on the
events recorded in Audit log files. By default, all audit.log files in the /var/log/audit/
directory are queried to create the report. You can specify a different file to run the report
against using the aureport options -if file_name command.

Example 5.8. Using aureport to Generate Audit Reports
To generate a report for logged events in the past three days excluding the current
example day, use the following command:
~]# aureport --start 04/08/2013 00:00:00 --end 04/11/2013 00:00:00
To generate a report of all executable file events, use the following command:
~]# aureport -x
To generate a summary of the executable file event report above, use the following
command:
~]# aureport -x --summary
To generate a summary report of failed events for all users, use the following
command:
~]# aureport -u --failed --summary -i
To generate a summary report of all failed login attempts per each system user, use
the following command:
~]# aureport --login --summary -i
To generate a report from an ausearch query that searches all file access events for
user ID 1000, use the following command:
~]# ausearch --start today --loginuid 1000 --raw | aureport -f --summary
To generate a report of all Audit files that are queried and the time range of events
they include, use the following command:
~]# aureport -t

For a full listing of all aureport options, see the aureport(8) man page.

5.9. Additional Resources
For more information about the Audit system, see the following sources.

Online Sources
The Linux Audit Documentation Project page: https://github.com/linux-audit/audit-documentation/wiki.

Installed Documentation
Documentation provided by the audit package can be found in the
/usr/share/doc/audit/ directory.

Manual Pages
audispd.conf(5)
auditd.conf(5)
ausearch-expression(5)
audit.rules(7)
audispd(8)
auditctl(8)
auditd(8)
aulast(8)
aulastlog(8)
aureport(8)
ausearch(8)
ausyscall(8)
autrace(8)
auvirt(8)

Chapter 6. Compliance and Vulnerability Scanning with
OpenSCAP
6.1. Security Compliance in Red Hat Enterprise Linux
A compliance audit is a process of figuring out whether a given object follows all the rules
written out in a compliance policy. The compliance policy is defined by security
professionals who specify desired settings, often in the form of a checklist, that are to be
used in the computing environment.
The compliance policy can vary substantially across organizations and even across
different systems within the same organization. Differences among these policies are
based on the purpose of these systems and their importance for the organization. The
custom software settings and deployment characteristics also raise a need for custom
policy checklists.
Red Hat Enterprise Linux provides tools that allow for fully automated compliance audit.
These tools are based on the Security Content Automation Protocol (SCAP) standard and
are designed for automated tailoring of compliance policies.

Security Compliance Tools Supported on Red Hat Enterprise Linux 7
SCAP Workbench — The scap-workbench graphical utility is designed to perform
configuration and vulnerability scans on a single local or remote system. It can also
be used to generate security reports based on these scans and evaluations.
OpenSCAP — The oscap command-line utility is designed to perform configuration and
vulnerability scans on a local system, to validate security compliance content, and to
generate reports and guides based on these scans and evaluations.
Script Check Engine (SCE) — SCE is an extension to the SCAP protocol that allows
administrators to write their security content using a scripting language, such as Bash,
Python, or Ruby. The SCE extension is provided in the openscap-engine-sce package.
SCAP Security Guide (SSG) — The scap-security-guide package provides the latest
collection of security policies for Linux systems. The guidance consists of a catalog of
practical hardening advice, linked to government requirements where applicable. The
project bridges the gap between generalized policy requirements and specific
implementation guidelines.
If you require performing automated compliance audits on multiple systems remotely, you
can utilize the OpenSCAP solution for Red Hat Satellite. For more information, see Section 6.7,
“Using OpenSCAP with Red Hat Satellite” and Section 6.9, “Additional Resources”.

6.2. Defining Compliance Policy
The security or compliance policy is rarely written from scratch. The ISO 27000 standard
series, derivative works, and other sources provide security policy templates and practice
recommendations that should be helpful to start with. However, organizations building
their information security program need to amend the policy templates to align with their
needs. The policy template should be chosen on the basis of its relevancy to the company
environment and then the template has to be adjusted because either the template
contains built-in assumptions which cannot be applied to the organization, or the template
explicitly requires that certain decisions have to be made.
Red Hat Enterprise Linux auditing capabilities are based on the Security Content
Automation Protocol (SCAP) standard. SCAP is a synthesis of interoperable specifications
that standardize the format and nomenclature by which software flaw and security
configuration information is communicated, both to machines and humans. SCAP is a
multi-purpose framework of specifications that supports automated configuration, vulnerability
and patch checking, technical control compliance activities, and security measurement.
In other words, SCAP is a vendor-neutral way of expressing security policy, and as such it
is widely used in modern enterprises. SCAP specifications create an ecosystem where
the format of security content is well known and standardized while the implementation of
the scanner or policy editor is not mandated. Such a status enables organizations to build
their security policy (SCAP content) once, no matter how many security vendors they
employ.
The latest version of SCAP includes several underlying standards. These components are
organized into groups according to their function within SCAP as follows:

SCAP Components
Languages — This group consists of SCAP languages that define standard vocabularies
and conventions for expressing compliance policy.
The eXtensible Configuration Checklist Description Format (XCCDF) — A language
designed to express, organize, and manage security guidance.
Open Vulnerability and Assessment Language (OVAL) — A language developed to
perform logical assertion about the state of the scanned system.
Open Checklist Interactive Language (OCIL) — A language designed to provide a
standard way to query users and interpret user responses to the given questions.
Asset Identification (AI) — A language developed to provide a data model, methods,
and guidance for identifying security assets.
Asset Reporting Format (ARF) — A language designed to express the transport
format of information about collected security assets and the relationship between
assets and security reports.
Enumerations — This group includes SCAP standards that define naming format and an
official list or dictionary of items from certain security-related areas of interest.
Common Configuration Enumeration (CCE) — An enumeration of security-relevant
configuration elements for applications and operating systems.
Common Platform Enumeration (CPE) — A structured naming scheme used to identify
information technology (IT) systems, platforms, and software packages.
Common Vulnerabilities and Exposures (CVE) — A reference method to a collection of
publicly known software vulnerabilities and exposures.
Metrics — This group comprises frameworks to identify and evaluate security risks.
Common Configuration Scoring System (CCSS) — A metric system to evaluate
security-relevant configuration elements and assign them scores in order to help
users to prioritize appropriate response steps.
Common Vulnerability Scoring System (CVSS) — A metric system to evaluate
software vulnerabilities and assign them scores in order to help users prioritize
their security risks.
Integrity — An SCAP specification to maintain integrity of SCAP content and scan results.
Trust Model for Security Automation Data (TMSAD) — A set of recommendations
explaining usage of existing specifications to represent signatures, hashes, key
information, and identity information in context of an XML file within a security
automation domain.
Each of the SCAP components has its own XML-based document format and its XML name
space. A compliance policy expressed in SCAP can either take the form of a single OVAL
definition XML file, a data stream file, a single zip archive, or a set of separate XML files
containing an XCCDF file that represents a policy checklist.

6.2.1. The XCCDF File Format
The XCCDF language is designed to support information interchange, document
generation, organizational and situational tailoring, automated compliance testing, and
compliance scoring. The language is mostly descriptive and does not contain any
commands to perform security scans. However, an XCCDF document can refer to other
SCAP components, and as such it can be used to craft a compliance policy that is portable
among all the target platforms with the exception of the related assessment documents
(OVAL, OCIL).
The common way to represent a compliance policy is a set of XML files where one of the
files is an XCCDF checklist. This XCCDF file usually points to the assessment resources,
multiple OVAL, OCIL and the Script Check Engine (SCE) files. Furthermore, the file set can
contain a CPE dictionary file and an OVAL file defining objects for this dictionary.
Being an XML-based language, the XCCDF defines and uses a vast selection of XML
elements and attributes. The following list briefly introduces the main XCCDF elements;
for more details about XCCDF, consult the NIST Interagency Report 7275 Revision 4.

Main XML Elements of the XCCDF Document
 — This is a root element that encloses the whole XCCDF
document. It may also contain checklist metadata, such as a title, description, list of
authors, date of the latest modification, and status of the checklist acceptance.
 — This is a key element that represents a checklist requirement and
holds its description. It may contain child elements that define actions verifying or
enforcing compliance with the given rule or modify the rule itself.
 — This key element is used for expressing properties of other XCCDF
elements within the benchmark.
 — This element is used to organize an XCCDF document into structures
with the same context or requirement domains by gathering the ,
, and  elements.
 — This element serves for a named tailoring of the XCCDF
benchmark. It allows the benchmark to hold several different tailorings.
 utilizes several selector elements, such as  or
, to determine which elements are going to be modified and
processed while it is in effect.
 — This element allows defining the benchmark profiles outside the
benchmark, which is sometimes desirable for manual tailoring of the compliance policy.
 — This element serves for keeping the scan results for the
given benchmark on the target system. Each  should refer to the
profile that was used to define the compliance policy for the particular scan and it
should also contain important information about the target system that is relevant for
the scan.
 — This is a child element of  that is used
to hold the result of applying a specific rule from the benchmark to the target system.
 — This is a child element of  that serves for remediation of
the target system that is not compliant with the given rule. It can contain a command or
script that is run on the target system in order to bring the system into compliance with the
rule.
 — This is a child element of  that refers to an external
source which defines how to evaluate the given rule.
 — This is a selector element that is used for including or excluding
the chosen rules or groups of rules from the policy.
 — This is a selector element that is used for overwriting the
current value of the specified  element without modifying any of its
other properties.
 — This is a selector element that is used for specifying
constraints of the particular  element during policy tailoring.
 — This selector element allows overwriting properties of the
selected rules.

Example 6.1. An Example of an XCCDF Document



incomplete
0.1

Profile title is compulsory







telnet-server
dhcpd
tftpd


The telnet-server Package Shall Not Be Installed 

Removing the telnet-server package decreases the risk
of the telnet service’s accidental (or intentional) activation


yum -y remove
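
The tailoring semantics of the XCCDF elements listed above (a Profile selecting Rules, set-value and refine-value choosing Values, refine-rule overriding Rule properties, and a TestResult holding one rule-result per Rule) are easier to see on a small model. The following Python is an added example for this guide, not OpenSCAP code; the benchmark, profile and rule identifiers are constructed, loosely following the telnet-server rule of Example 6.1, and the check outcomes are supplied as a dictionary that stands in for the OVAL scanner.

```python
"""Model of XCCDF profile tailoring: apply a Profile's select / set-value /
refine-value / refine-rule entries to a Benchmark and record the outcome as a
TestResult with one rule-result per selected Rule.  Added example for this
guide, not OpenSCAP code; all content below is constructed."""
import copy

# Constructed Benchmark: Values with selectable alternatives and Rules.
BENCHMARK = {
    "id": "xccdf_example_benchmark",
    "values": {
        "var_password_min_len": {"value": "12", "selectors": {"strict": "14"}},
    },
    "rules": {
        "package_telnet-server_removed": {"selected": False, "severity": "high",
                                         "check": "oval:example:def:1",
                                         "fix": "yum -y remove telnet-server"},
        "accounts_password_minlen": {"selected": False, "severity": "medium",
                                     "check": "oval:example:def:2",
                                     "value_ref": "var_password_min_len"},
        "service_tftpd_disabled": {"selected": True, "severity": "low",
                                   "check": "oval:example:def:3"},
    },
}

PROFILE_SERVER = {
    "id": "xccdf_example_profile_server",
    "select": {"package_telnet-server_removed": True, "service_tftpd_disabled": False},
    "set-value": {}, "refine-value": {}, "refine-rule": {},
}
PROFILE_STRICT = {
    "id": "xccdf_example_profile_strict",
    "select": {"package_telnet-server_removed": True, "accounts_password_minlen": True},
    "set-value": {},
    "refine-value": {"var_password_min_len": "strict"},  # pick the "strict" selector
    "refine-rule": {"accounts_password_minlen": {"severity": "high"}},
}


def apply_profile(benchmark, profile):
    """Return the effective (selected) rules and values after tailoring."""
    rules = copy.deepcopy(benchmark["rules"])
    values = {vid: v["value"] for vid, v in benchmark["values"].items()}
    for rule_id, selected in profile["select"].items():
        rules[rule_id]["selected"] = selected
    for value_id, selector in profile["refine-value"].items():
        values[value_id] = benchmark["values"][value_id]["selectors"][selector]
    for value_id, literal in profile["set-value"].items():
        values[value_id] = literal  # set-value overrides the selector choice
    for rule_id, props in profile["refine-rule"].items():
        rules[rule_id].update(props)
    return {rid: r for rid, r in rules.items() if r["selected"]}, values


def evaluate(benchmark, profile, check_results):
    """Build a TestResult: one rule-result per selected rule.  check_results maps
    a rule's check reference to True/False and stands in for the OVAL scanner."""
    rules, values = apply_profile(benchmark, profile)
    rule_results = {}
    for rule_id, rule in rules.items():
        outcome = check_results.get(rule["check"])
        result = "notchecked" if outcome is None else ("pass" if outcome else "fail")
        entry = {"result": result, "severity": rule["severity"]}
        if result == "fail" and "fix" in rule:
            entry["fix"] = rule["fix"]  # the remediation the fix element carries
        if "value_ref" in rule:
            entry["value"] = values[rule["value_ref"]]
        rule_results[rule_id] = entry
    return {"benchmark": benchmark["id"], "profile": profile["id"],
            "rule-results": rule_results}
```

With PROFILE_SERVER only the telnet-server rule is evaluated, and because its check fails the rule-result carries the fix command; with PROFILE_STRICT the password rule is selected with its severity refined to high and its Value resolved through the "strict" selector, while a rule whose check has no outcome is reported as notchecked.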














6.2.2. The OVAL File Format
The Open Vulnerability and Assessment Language (OVAL) is the essential and oldest
component of SCAP. The main goal of the OVAL standard is to enable interoperability
among security products. That is achieved by standardization of the following three
domains:

1. Representation of the target system configuration.
2. Analysis of the target system for the presence of a particular machine state.
3. Reporting the results of the comparison between the specified machine state and
the observed machine state.
Unlike other tools or custom scripts, the OVAL language describes a desired state of
resources in a declarative manner. The OVAL language code is never executed directly,
but by means of an OVAL interpreter tool called scanner. The declarative nature of OVAL
ensures that the state of the assessed system is not accidentally modified, which is
important because security scanners are often run with the highest possible privileges.
The OVAL specification is open for public comments and contribution, and various IT companies
collaborate with the MITRE Corporation, a federally funded not-for-profit organization. The
OVAL specification is continuously evolving and different editions are distinguished by a
version number. The current version 5.11.1 was released in April 2015.
Like all other SCAP components, OVAL is based on XML. The OVAL standard defines
several document formats. Each of them includes a different kind of information and serves
a different purpose.

The OVAL Document Formats
The OVAL Definitions format is the most common OVAL file format that is used directly
for system scans. The OVAL Definitions document describes the desired state of the
target system.
The OVAL Variables format defines variables used to amend the OVAL Definitions
document. The OVAL Variables document is typically used in conjunction with the OVAL
Definitions document to tailor the security content for the target system at runtime.
The OVAL System Characteristics format holds information about the assessed system.
The OVAL System Characteristics document is typically used to compare the actual
state of the system against the expected state defined by an OVAL Definitions
document.
The OVAL Results is the most comprehensive OVAL format that is used to report
results of the system evaluation. The OVAL Results document typically contains a copy of
the evaluated OVAL definitions, bound OVAL variables, OVAL system characteristics,
and results of tests that are computed based on comparison of the system
characteristics and the definitions.
The OVAL Directives format is used to tailor verbosity of an OVAL Results document by
either including or excluding certain details.
The OVAL Common Model format contains definitions of constructs and enumerations
used in several other OVAL schemes. It is used to reuse OVAL definitions in order to
avoid duplications across multiple documents.
The OVAL Definitions document consists of a set of configuration requirements where
each requirement is defined in the following five basic sections: definitions, tests, objects,
states, and variables. The elements within the definitions section describe which of the
tests shall be fulfilled to satisfy the given definition. The test elements link objects and
states together. During the system evaluation, a test is considered passed when a
resource of the assessed system that is denoted by the given object element
corresponds with the given state element. The variables section defines external
variables which may be used to adjust elements from the states section. Besides these
sections, the OVAL Definitions document typically also contains the generator and
signature sections. The generator section holds information about the document origin and
various additional information related to its content.
Each element from the OVAL document basic sections is unambiguously identified by an
identifier in the following form:
oval:namespace:type:ID
where namespace is a namespace defining the identifier, type is either def for definitions
elements, tst for tests elements, obj for objects elements, ste for states elements, or var
for variables elements, and ID is an integer value of the identifier.

Example 6.2. An Example of an OVAL Definitions Document




vim
5.10.1
2012-11-22T15:00:00+01:00




Red Hat Enterprise Linux 7

Red Hat Enterprise Linux 7



The operating system installed on the system is Red Hat
Enterprise Linux 7






















/etc/redhat-release




^redhat-release
^7[^\d]
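
The evaluation model described above (definitions that reference tests, tests that link an object to a state, variables that feed values into states, and identifiers of the form oval:namespace:type:ID) can be exercised without a real scanner. The following Python is an added example for this guide, not the OpenSCAP scanner; the Definitions document, the identifiers in the made-up "example" namespace, and the collected System Characteristics are all constructed here and loosely follow Example 6.2 (is the installed redhat-release package a version 7 release?).

```python
"""Evaluate a constructed OVAL Definitions document against collected system
characteristics: definitions reference tests, a test links an object to a
state, variables feed values into states.  Added example for this guide, not
the OpenSCAP scanner; every identifier lives in a made-up 'example' namespace."""
import operator
import re

# oval:namespace:type:ID, type restricted to the five basic-section abbreviations
OVAL_ID_RE = re.compile(r"^oval:([A-Za-z0-9_.\-]+):(def|tst|obj|ste|var):(\d+)$")


def parse_oval_id(identifier):
    """Split an OVAL identifier into its parts, or reject it."""
    m = OVAL_ID_RE.match(identifier)
    if not m:
        raise ValueError("malformed OVAL identifier: %r" % (identifier,))
    namespace, kind, number = m.groups()
    return {"namespace": namespace, "type": kind, "id": int(number)}


def expect_type(identifier, kind):
    """Cross-references must point at the right section (a test at an object, ...)."""
    if parse_oval_id(identifier)["type"] != kind:
        raise ValueError("%s does not reference a %s element" % (identifier, kind))
    return identifier


# Constructed OVAL Definitions document as Python data instead of XML.
DEFINITIONS_DOC = {
    "definitions": {"oval:example:def:1": {
        "title": "Red Hat Enterprise Linux 7 is installed",
        "criteria": {"operator": "AND",
                     "tests": ["oval:example:tst:1", "oval:example:tst:2"]}}},
    "tests": {  # check="all": every collected item has to match the state
        "oval:example:tst:1": {"check": "all", "object": "oval:example:obj:1",
                               "state": "oval:example:ste:1"},
        "oval:example:tst:2": {"check": "all", "object": "oval:example:obj:1",
                               "state": "oval:example:ste:2"}},
    "objects": {"oval:example:obj:1": {"kind": "rpminfo_object",
                                       "name": "redhat-release"}},
    "states": {
        "oval:example:ste:1": {"field": "name", "operation": "equals",
                               "value": "redhat-release"},
        "oval:example:ste:2": {"field": "version", "operation": "pattern match",
                               "var_ref": "oval:example:var:1"}},
    "variables": {"oval:example:var:1": {"value": r"^7[^\d]"}},
}

# Constructed OVAL System Characteristics: what a collector found on the host.
# The evaluator only reads this; it never touches the system itself.
SYSTEM_CHARACTERISTICS = {"rpminfo_object": [
    {"name": "redhat-release", "version": "7.3", "release": "7.el7", "arch": "x86_64"},
    {"name": "bash", "version": "4.2.46", "release": "21.el7_3", "arch": "x86_64"}]}

OPERATIONS = {
    "equals": operator.eq,
    "not equal": operator.ne,
    "pattern match": lambda actual, pattern: re.search(pattern, actual) is not None,
}


def collect_items(obj, sysinfo):
    """Items the object denotes: here, installed packages with the given name."""
    return [it for it in sysinfo.get(obj["kind"], []) if it.get("name") == obj["name"]]


def state_value(state, doc):
    """A state entity either carries a literal value or refers to a variable."""
    if "var_ref" in state:
        return doc["variables"][expect_type(state["var_ref"], "var")]["value"]
    return state["value"]


def evaluate_test(test_id, doc, sysinfo):
    """'true' when the collected items correspond with the state, else 'false'."""
    test = doc["tests"][expect_type(test_id, "tst")]
    obj = doc["objects"][expect_type(test["object"], "obj")]
    state = doc["states"][expect_type(test["state"], "ste")]
    items = collect_items(obj, sysinfo)
    if not items:
        return "false"  # nothing was collected, so the test cannot hold
    op = OPERATIONS[state["operation"]]
    matches = [state["field"] in it and op(it[state["field"]], state_value(state, doc))
               for it in items]
    satisfied = all(matches) if test["check"] == "all" else any(matches)
    return "true" if satisfied else "false"


def evaluate_definition(def_id, doc, sysinfo):
    """Combine the referenced test results with the criteria operator."""
    crit = doc["definitions"][expect_type(def_id, "def")]["criteria"]
    outcomes = [evaluate_test(t, doc, sysinfo) == "true" for t in crit["tests"]]
    combine = all if crit["operator"] == "AND" else any
    return "true" if combine(outcomes) else "false"


def evaluate(doc, sysinfo):
    """The core of an OVAL Results document: one result per definition and test."""
    return {"definitions": {d: evaluate_definition(d, doc, sysinfo) for d in doc["definitions"]},
            "tests": {t: evaluate_test(t, doc, sysinfo) for t in doc["tests"]}}
```

The definition evaluates to true for the constructed host because both tests hold: the collected redhat-release item has the expected name, and its version matches the pattern that the variable supplies to the second state. Feeding in characteristics from a version 6 host, or an empty collection, turns the result to false, and expect_type rejects a document whose test points at anything other than an obj and a ste identifier.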




6.2.3. The Data Stream Format
SCAP data stream is a file format used since SCAP version 1.2 and it represents a bundle
of XCCDF, OVAL, and other component files which can be used to define a compliance
policy expressed by an XCCDF checklist. It also contains an index and catalog that allow
splitting the given data stream into files according to the SCAP components.
The data stream uses XML format that consists of a header formed by a table of contents
and a list of the  elements. Each of these elements encompasses an
SCAP component such as XCCDF, OVAL, CPE, and other. The data stream file may contain
multiple components of the same type, and thus covering all security policies needed by
your organization.

Example 6.3. An Example of a Data Stream Header


























6.3. Using SCAP Workbench
SCAP Wo rkbench (scap-workbench) is a graphical utility that allows us e rs to pe rform
configuration and vulne rability s cans on a s ingle local or a re mote s ys te m, pe rform
re me diation of the s ys te m, and ge ne rate re ports bas e d on s can e valuations . Note that
compare d with the o scap command-line utility, SCAP Wo rkbench has only limite d
functionality. SCAP Wo rkbench can als o proce s s only s e curity conte nt in the form of
XCCDF and data-s tre am file s .
The following s e ctions e xplain how to ins tall, s tart, and utiliz e SCAP Workbe nch in orde r to
pe rform s ys te m s cans , re me diation, s can cus tomiz ation, and dis play re le vant e xample s
for the s e tas ks .

6.3.1. Installing SCAP Workbench
To install SCAP Workbench on your system, enter the following command as root:
~]# yum install scap-workbench
This command installs all packages required by SCAP Workbench to function properly, including the scap-workbench package that provides the utility itself. Note that required dependencies, such as the qt and openssh packages, are automatically updated to the newest available version if they are already installed on your system.
Before you can start using SCAP Workbench effectively, you also need to install or import some security content on your system. For example, you can install the SCAP Security Guide (SSG) package, scap-security-guide, which contains the currently most evolved and elaborate set of security policies for Linux systems. To install the SCAP Security Guide package on your system, enter the following command as root:
~]# yum install scap-security-guide
After you install scap-security-guide on your system, unless specified otherwise, the SSG security content is available under the /usr/share/xml/scap/ssg/content/ directory, and you can proceed with other security compliance operations.
To find other possible sources of existing SCAP content that might suit your needs, see Section 6.9, “Additional Resources”.

6.3.2. Running SCAP Workbench
After a successful installation of both the SCAP Workbench utility and SCAP content, you can start using SCAP Workbench on your systems. To run SCAP Workbench from the GNOME Classic desktop environment, press the Super key to enter the Activities Overview, type scap-workbench, and then press Enter. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar key.

Figure 6.1. Open SCAP Security Guide Window
As soon as you start the utility, the Open SCAP Security Guide window appears. After you select one of the guides, the SCAP Workbench window appears. This window consists of several interactive components, which you should become familiar with before you start scanning your system:
File
This menu offers several options to load or save SCAP-related content. To show the initial Open SCAP Security Guide window, click the menu item with the same name. Alternatively, load other security content in the XCCDF or data stream format by clicking Open Other Content. To save your customization as an XCCDF XML file, use the Save Customization Only item. Save All allows you to save the SCAP files either to the selected directory or as an RPM package.

Customization
This combo box informs you about the customization used for the given security policy. You can select custom rules that will be applied for the system evaluation by clicking this combo box. The default value is (no customization), which means that there will be no changes to the security policy used. If you made any changes to the selected security profile, you can save those changes as an XML file by clicking the Save Customization Only item in the File menu.
Profile
This combo box contains the name of the selected security profile. You can select the security profile from a given XCCDF or data stream file by clicking this combo box. To create a new profile that inherits the properties of the selected security profile, click the Customize button.
Target
The two radio buttons enable you to select whether the system to be evaluated is a local or a remote machine.
Selected Rules
This field displays the list of security rules that are subject to the security policy. Expanding a particular security rule provides detailed information about that rule.
Status bar
This is a graphical bar that indicates the status of an operation that is being performed.
Fetch remote resources
This check box instructs the scanner to download remote OVAL content that is referenced from the XML file. Enable it only for content whose remote references you trust, because the fetched definitions drive the evaluation.
Dry run
Use this check box to print the command-line arguments to the diagnostics window instead of running the scan.
Remediate
This check box enables the remediation feature during the system evaluation. If you check this box, SCAP Workbench attempts to correct system settings that fail to match the state defined by the policy.
Scan
This button starts the evaluation of the specified system.

Figure 6.2. SCAP Workbench Window

6.3.3. Scanning the System
The main functionality of SCAP Workbench is to perform security scans on a selected system in accordance with the given XCCDF or data stream file. To evaluate your system against the selected security policy, follow these steps:
1. Select a security policy by using either the Open SCAP Security Guide window, or Open Other Content in the File menu, and search for the respective XCCDF, SCAP RPM, or data stream file.

Warning
Selecting a security policy results in the loss of any previous customization changes that were not saved. To re-apply the lost options, you have to choose the available profile and customization content again. Note that your previous customizations may not be applicable to the new security policy.

2. To use a pre-arranged file with customized security content specific to your use case, load this file by clicking the Customization combo box. You can also create a custom tailoring file by altering an available security profile. For more information, see Section 6.3.4, “Customizing Security Profiles”.
a. Select the (no customization) option if you do not want to use any customization for the current system evaluation. This is the default option if no previous customization was selected.
b. Select the (open customization file...) option to search for the particular tailoring file to be used for the current system evaluation.
c. If you have previously used some customization file, SCAP Workbench remembers this file and adds it to the list. This simplifies repeated application of the same scan.
3. Select a suitable security profile by clicking the Profile combo box.
a. To modify the selected profile, click the Customize button. For more information about profile customization, see Section 6.3.4, “Customizing Security Profiles”.
4. Select either of the two Target radio buttons to scan either a local or a remote machine.
a. If you have selected a remote system, specify it by entering the user name, host name, and port information as shown in the following example. If you have previously used the remote scan, you can also select a remote system from a list of recently scanned machines. Remote scanning connects over SSH (the reason for the openssh dependency), so the remote system needs the oscap utility installed and an account that is allowed to run it.

Figure 6.3. Specifying a Remote System
5. You can allow automatic correction of the system configuration by selecting the Remediate check box. With this option enabled, SCAP Workbench attempts to change the system configuration in accordance with the security rules applied by the policy, should the related checks fail during the system scan.

Warning
If not used carefully, running the system evaluation with the remediation option enabled could render the system non-functional.
6. Click the Scan button to initiate the system scan.

6.3.4. Customizing Security Profiles
After selecting the security profile that suits your security policy, you can further adjust it by clicking the Customize button. This opens the new Customization window, which allows you to modify the currently selected XCCDF profile without actually changing the respective XCCDF file.

Figure 6.4. Customizing the Selected Security Profile
The Customization window contains a complete set of XCCDF elements relevant to the selected security profile with detailed information about each element and its functionality. You can enable or disable these elements by selecting or de-selecting the respective check boxes in the main field of this window. The Customization window also supports undo and redo functionality; you can undo or redo your selections by clicking the respective arrow icon in the top left corner of the window.
You can also change variables that will later be used for evaluation. Find the desired item in the Customization window, navigate to the right part, and use the Modify value field.

Figure 6.5. Setting a value for the selected item in the Customization window
After you have finished your profile customizations, confirm the changes by clicking the Confirm Customization button. Your changes are now in memory and do not persist if SCAP Workbench is closed or if certain changes, such as selecting new SCAP content or choosing another customization option, are made. To store your changes, click the Save Customization button in the SCAP Workbench window. This action allows you to save your changes to the security profile as an XCCDF customization file in the chosen directory. Note that this customization file can later be selected together with other profiles.

6.3.5. Saving SCAP Content
SCAP Workbench also allows you to save the SCAP content that is used with your system evaluations. You can either save a customization file separately (see Section 6.3.4, “Customizing Security Profiles”) or you can save all security content at once by clicking the Save content combo box and selecting either the Save into a directory or Save as RPM option.
By selecting the Save into a directory option, SCAP Workbench saves both the XCCDF or data stream file and the customization file to the specified location. This can be useful as a backup solution.
By selecting the Save as RPM option, you can instruct SCAP Workbench to create an RPM package containing the XCCDF or data stream file and the customization file. This is useful for distributing the desired security content to systems that cannot be scanned remotely, or just for delivering the content for further processing.

Figure 6.6. Saving the Current SCAP Content as an RPM Package

6.3.6. Viewing Scan Results and Generating Scan Reports
After the system scan is finished, three new buttons, Clear, Save Results, and Show Report, appear in place of the Scan button.

Warning
Clicking the Clear button permanently removes the scan results.
To store the scan results in the form of an XCCDF, ARF, or HTML file, click the Save Results combo box. Choose the HTML Report option to generate the scan report in human-readable form. The XCCDF and ARF (data stream) formats are suitable for further automatic processing. You can repeatedly choose all three options.
If you prefer to view the scan results immediately without saving them, you can click the Show Report button, which opens the scan results in the form of a temporary HTML file in your default web browser.

6.4. Using oscap
The oscap command-line utility allows users to scan their local systems, validate security compliance content, and generate reports and guides based on these scans and evaluations. This utility serves as a front end to the OpenSCAP library and groups its functionality into modules (sub-commands) based on the type of SCAP content it processes.
The following sections explain how to install oscap and perform the most common operations. Examples are provided to illustrate these tasks. To learn more about specific sub-commands, use the --help option with an oscap command:
oscap [options] module module_operation [module_operation_options_and_arguments] --help
where module represents the type of SCAP content that is being processed, and module_operation is a sub-command for the specific operation on the SCAP content.

Example 6.4. Getting Help on a Specific oscap Operation
~]$ oscap ds sds-split --help
oscap -> ds -> sds-split
Split given SourceDataStream into separate files
Usage: oscap [options] ds sds-split [options] SDS TARGET_DIRECTORY
SDS - Source data stream that will be split into multiple files.
TARGET_DIRECTORY - Directory of the resulting files.
Options:
   --datastream-id <id>   - ID of the datastream in the collection to use.
   --xccdf-id <id>        - ID of XCCDF in the datastream that should be evaluated.

To learn about all oscap features and the complete list of its options, see the oscap(8) manual page.

6.4.1. Installing oscap
To install oscap on your system, enter the following command as root:
~]# yum install openscap-scanner
This command installs all packages required by oscap to function properly, including the openscap package. To be able to write your own security content, you should also install the openscap-engine-sce package, which provides the Script Check Engine (SCE). The SCE is an extension of the SCAP protocol that allows content authors to write their security content using a scripting language, such as Bash, Python, or Ruby. Note that the openscap-engine-sce package is only available from the Optional channel. See Enabling Supplementary and Optional Repositories.

Optionally, after installing oscap, you can check the capabilities of your version of oscap: which specifications it supports, where certain oscap files are stored, what kinds of SCAP objects you can use, and other useful information. To display this information, enter the following command:
~]$ oscap -V
OpenSCAP command line tool (oscap) 1.0.4
Copyright 2009--2014 Red Hat Inc., Durham, North Carolina.
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)
==== Paths ====
Schema files: /usr/share/openscap/schemas
Schematron files: /usr/share/openscap/xsl
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap
==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5
==== Supported OVAL objects and associated OpenSCAP probes ====
system_info                  probe_system_info
family                       probe_family
filehash                     probe_filehash
environmentvariable          probe_environmentvariable
textfilecontent54            probe_textfilecontent54
textfilecontent              probe_textfilecontent
variable                     probe_variable
xmlfilecontent               probe_xmlfilecontent
environmentvariable58        probe_environmentvariable58
filehash58                   probe_filehash58
inetlisteningservers         probe_inetlisteningservers
rpminfo                      probe_rpminfo
partition                    probe_partition
iflisteners                  probe_iflisteners
rpmverify                    probe_rpmverify
rpmverifyfile                probe_rpmverifyfile
rpmverifypackage             probe_rpmverifypackage
selinuxboolean               probe_selinuxboolean
selinuxsecuritycontext       probe_selinuxsecuritycontext
file                         probe_file
interface                    probe_interface
password                     probe_password
process                      probe_process
runlevel                     probe_runlevel
shadow                       probe_shadow
uname                        probe_uname
xinetd                       probe_xinetd
sysctl                       probe_sysctl
process58                    probe_process58
fileextendedattribute        probe_fileextendedattribute
routingtable                 probe_routingtable


Before you can start using oscap effectively, you also need to install or import some security content on your system. For example, you can install the SCAP Security Guide (SSG) package, scap-security-guide, which contains the currently most evolved and elaborate set of security policies for Linux systems. To install the SCAP Security Guide package on your system, enter the following command as root:
~]# yum install scap-security-guide
After you install scap-security-guide on your system, unless specified otherwise, the SSG security content is available under the /usr/share/xml/scap/ssg/content/ directory, and you can proceed with other security compliance operations.
To find other possible sources of existing SCAP content that might suit your needs, see Section 6.9, “Additional Resources”.
After installing the SCAP content on your system, oscap can process the content when supplied with the file path to the content. The oscap utility supports SCAP version 1.2 and is backward-compatible with SCAP versions 1.1 and 1.0, so it can process earlier versions of SCAP content without any special requirements.

6.4.2. Displaying SCAP Content
The SCAP standard defines numerous file formats. The oscap utility can process or create files conforming to many of these formats. In order to further process a given file with SCAP content, you need to understand how to use oscap with the given file type. If you are unsure how to use a particular file, you can either open and read the file, or you can use the info module of oscap, which parses the file and extracts the relevant information in a human-readable format.
Enter the following command to examine the internal structure of a SCAP document and display useful information such as the document type, specification version, status of the document, the date the document was published, and the date the document was copied to the file system:
oscap info file

where file is the full path to the security content file being examined. The following example illustrates the usage of the oscap info command:

Example 6.5. Displaying Information About SCAP Content
~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Document type: Source Data Stream
Imported: 2014-03-14T12:22:01
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
        Profiles:
            xccdf_org.ssgproject.content_profile_test
            xccdf_org.ssgproject.content_profile_rht-ccp
            xccdf_org.ssgproject.content_profile_common
            xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream
        Referenced check files:
            ssg-rhel7-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
    Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-cpe-oval.xml
    Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-oval.xml
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-cpe-dictionary.xml
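The output above is what oscap info extracts from the data stream's ds:data-stream-collection structure described at the beginning of this section: a data-stream element listing component-ref elements, each of which points with an xlink:href at a ds:component holding the XCCDF benchmark, OVAL definitions, or CPE dictionary. As an added example (not from this guide or from the OpenSCAP project), the following Python script walks a constructed, minimal SCAP 1.2 source data stream with the standard library and reports the same facts: document type, stream ID and version, the checklist's profiles and referenced check files, and the check and dictionary components. The sample document, its IDs, and the function names are assumptions made for the illustration; only the namespace URIs are the real SCAP 1.2, XCCDF 1.2, OVAL, and CPE ones. It also fails loudly on a component-ref whose xlink:href does not resolve inside the file.

```python
"""Added example: summarize a SCAP 1.2 source data stream the way `oscap info`
does, with the standard library only.  The document below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xlink": "http://www.w3.org/1999/xlink",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}
XLINK_HREF = "{%s}href" % NS["xlink"]

# Constructed sample: one data stream with one checklist, one check and one
# dictionary component; the IDs are hypothetical, the namespace URIs are real.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_example_collection" schematron-version="1.2">
  <ds:data-stream id="scap_example_datastream" scap-version="1.2" use-case="OTHER">
    <ds:dictionaries>
      <ds:component-ref id="scap_example_cref_cpe-dictionary.xml" xlink:href="#scap_example_comp_cpe-dictionary.xml"/>
    </ds:dictionaries>
    <ds:checklists>
      <ds:component-ref id="scap_example_cref_xccdf.xml" xlink:href="#scap_example_comp_xccdf.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_example_cref_oval.xml" xlink:href="#scap_example_comp_oval.xml"/>
    </ds:checks>
  </ds:data-stream>
  <ds:component id="scap_example_comp_xccdf.xml" timestamp="2017-01-01T00:00:00">
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
      <Profile id="xccdf_example_profile_common"><title>Common</title></Profile>
      <Profile id="xccdf_example_profile_stig"><title>STIG</title></Profile>
      <Rule id="xccdf_example_rule_sshd_disable_root" selected="false">
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref href="oval.xml" name="oval:example:def:1"/>
        </check>
      </Rule>
    </Benchmark>
  </ds:component>
  <ds:component id="scap_example_comp_oval.xml" timestamp="2017-01-01T00:00:00">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
  </ds:component>
  <ds:component id="scap_example_comp_cpe-dictionary.xml" timestamp="2017-01-01T00:00:00">
    <cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"/>
  </ds:component>
</ds:data-stream-collection>
"""


def resolve_component(root, cref):
    """Follow a component-ref's xlink:href ("#<id>") to the ds:component it names."""
    comp_id = cref.get(XLINK_HREF, "").lstrip("#")
    for comp in root.findall("ds:component", NS):
        if comp.get("id") == comp_id:
            return comp
    raise KeyError("component-ref %s points at missing component %r" % (cref.get("id"), comp_id))


def describe_datastream(xml_text):
    """Return an `oscap info`-style summary of a source data stream as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}data-stream-collection" % NS["ds"]:
        raise ValueError("not a SCAP 1.2 source data stream: %s" % root.tag)
    info = {"document_type": "Source Data Stream", "streams": []}
    for stream in root.findall("ds:data-stream", NS):
        entry = {"id": stream.get("id"), "version": stream.get("scap-version"),
                 "checklists": [], "checks": [], "dictionaries": []}
        for cref in stream.findall("ds:checklists/ds:component-ref", NS):
            bench = resolve_component(root, cref).find("xccdf:Benchmark", NS)
            check_files = {}  # href -> check system: the files a scan needs
            for check in bench.iter("{%s}check" % NS["xccdf"]):
                for ref in check.findall("xccdf:check-content-ref", NS):
                    check_files[ref.get("href")] = check.get("system")
            entry["checklists"].append({
                "ref_id": cref.get("id"),
                "profiles": [p.get("id") for p in bench.findall("xccdf:Profile", NS)],
                "check_files": check_files})
        for section in ("checks", "dictionaries"):
            for cref in stream.findall("ds:%s/ds:component-ref" % section, NS):
                resolve_component(root, cref)  # raises on a dangling reference
                entry[section].append(cref.get("id"))
        info["streams"].append(entry)
    return info


def format_info(info):
    """Render the summary in the layout `oscap info` prints."""
    lines = ["Document type: %s" % info["document_type"]]
    for s in info["streams"]:
        lines += ["Stream: %s" % s["id"], "Version: %s" % s["version"], "Checklists:"]
        for c in s["checklists"]:
            lines += ["    Ref-Id: %s" % c["ref_id"], "        Profiles:"]
            lines += ["            %s" % p for p in c["profiles"]]
            lines.append("        Referenced check files:")
            for href, system in c["check_files"].items():
                lines += ["            %s" % href, "                system: %s" % system]
        lines += ["Checks:"] + ["    Ref-Id: %s" % r for r in s["checks"]]
        lines += ["Dictionaries:"] + ["    Ref-Id: %s" % r for r in s["dictionaries"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_info(describe_datastream(SAMPLE_DS)))
```

Running the script prints a summary in the same layout as Example 6.5. To apply it to real content, read /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml into xml_text instead of SAMPLE_DS; the resolve_component check then tells you whether every checklist, check, and dictionary the stream declares is actually present in the file before you hand it to a scanner.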

6.4.3. Scanning the System
The most important functionality of oscap is to perform configuration and vulnerability scans of a local system. The following is the general syntax of the respective command:
oscap [options] module eval [module_operation_options_and_arguments]
The oscap utility can scan systems against the SCAP content represented by both an XCCDF (The eXtensible Configuration Checklist Description Format) benchmark and OVAL (Open Vulnerability and Assessment Language) definitions. The security policy can be in the form of a single OVAL or XCCDF file or multiple separate XML files where each file represents a different component (XCCDF, OVAL, CPE, CVE, and others). The result of a scan can be printed to both standard output and an XML file. The result file can then be further processed by oscap in order to generate a report in a human-readable format.
The following examples illustrate the most common usage of the command.

Example 6.6. Scanning the System Using the SSG OVAL definitions
To scan your system against the SSG OVAL definition file while evaluating all definitions, enter the following command:
~]$ oscap oval eval --results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The results of the scan are stored as the scan-oval-results.xml file in the current directory.

Example 6.7. Scanning the System Using the SSG OVAL definitions
To evaluate a particular OVAL definition from the security policy represented by the SSG data stream file, enter the following command:
~]$ oscap oval eval --id oval:ssg:def:100 --results scan-oval-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The results of the scan are stored as the scan-oval-results.xml file in the current directory.

Example 6.8. Scanning the System Using the SSG XCCDF benchmark
To perform the SSG XCCDF benchmark for the xccdf_org.ssgproject.content_profile_rht-ccp profile on your system, enter the following command:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The results of the scan are stored as the scan-xccdf-results.xml file in the current directory.

Note
The --profile command-line argument selects the security profile from the given XCCDF or data stream file. The list of available profiles can be obtained by running the oscap info command. If the --profile command-line argument is omitted, the default XCCDF profile is used, as required by the SCAP standard. Note that the default XCCDF profile may or may not be an appropriate security policy.

6.4.4. Generating Reports and Guides
Another useful feature of oscap is the ability to generate SCAP content in a human-readable format. The oscap utility allows you to transform an XML file into the HTML or plain-text format. This feature is used to generate security guides and checklists, which serve as a source of information, as well as guidance for secure system configuration. The results of system scans can also be transformed into well-readable result reports. The general command syntax is the following:
oscap module generate sub-module [specific_module/submodule_options_and_arguments] file
where module is either xccdf or oval, sub-module is the type of the generated document, and file represents an XCCDF or OVAL file.
The following are the most common examples of the command usage:

Example 6.9. Generating a Guide with a Checklist
To produce an SSG guide with a checklist for the xccdf_org.ssgproject.content_profile_rht-ccp profile, enter the following command:
~]$ oscap xccdf generate guide --profile xccdf_org.ssgproject.content_profile_rht-ccp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml > ssg-guide-checklist.html
The guide is stored as the ssg-guide-checklist.html file in the current directory.

Example 6.10. Transforming an SSG OVAL Scan Result into a Report
To transform the result of an SSG OVAL scan into an HTML file, enter the following command:
~]$ oscap oval generate report scan-oval-results.xml > ssg-scan-oval-report.html
The result report is stored as the ssg-scan-oval-report.html file in the current directory. This example assumes that you run the command from the same location where the scan-oval-results.xml file is stored. Otherwise you need to specify the fully-qualified path of the file that contains the scan results.

Example 6.11. Transforming an SSG XCCDF Scan Result into a Report
To transform the result of an SSG XCCDF scan into an HTML file, enter the following command:
~]$ oscap xccdf generate report scan-xccdf-results.xml > scan-xccdf-report.html
The result report is stored as the scan-xccdf-report.html file in the current directory. Alternatively, you can generate this report at the time of the scan using the --report command-line argument:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml --report scan-xccdf-report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

6.4.5. Validating SCAP Content
Before you start using a security policy on your systems, you should first verify the policy in order to avoid any possible syntax or semantic errors in it. The oscap utility can be used to validate the security content against the standard SCAP XML schemas. The validation results are printed to the standard error stream (stderr). The general syntax of such a validation command is the following:
oscap module validate [module_options_and_arguments] file
where file is the full path to the file being validated. The only exception is the data stream module (ds), which uses the sds-validate operation instead of validate. Note that all SCAP components within the given data stream are validated automatically and none of the components is specified separately, as can be seen in the following example:
~]$ oscap ds sds-validate /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
With certain SCAP content, such as the OVAL specification, you can also perform a Schematron validation. The Schematron validation is slower than the standard validation but provides deeper analysis, and is thus able to detect more errors. The following SSG example shows typical usage of the command:
~]$ oscap oval validate --schematron /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

6.4.6. Using OpenSCAP to Remediate the System
OpenSCAP allows you to automatically remediate systems that have been found in a non-compliant state. For system remediation, an XCCDF file with instructions is required. The scap-security-guide package contains certain remediation instructions.
System remediation consists of the following steps:
1. OpenSCAP performs a regular XCCDF evaluation.
2. An assessment of the results is performed by evaluating the OVAL definitions. Each rule that has failed is marked as a candidate for remediation.
3. OpenSCAP searches for an appropriate fix element, resolves it, prepares the environment, and executes the fix script.
4. Any output of the fix script is captured by OpenSCAP and stored within the rule-result element. The return value of the fix script is stored as well.
5. Whenever OpenSCAP executes a fix script, it immediately evaluates the OVAL definition again (to verify that the fix script has been applied correctly). During this second run, if the OVAL evaluation returns success, the result of the rule is fixed, otherwise it is an error.
6. Detailed results of the remediation are stored in an output XCCDF file. It contains two TestResult elements. The first TestResult element represents the scan prior to the remediation. The second TestResult is derived from the first one and contains the remediation results.
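As an added example (not code from this guide or from OpenSCAP), the following Python script post-processes an XCCDF results file of the kind oscap xccdf eval --results writes (Section 6.4.3) and of the two-TestResult kind that remediation produces in step 6 above: it lists the failed rules of the first TestResult, which are exactly the remediation candidates of step 2, and reports which of them the second TestResult records as fixed or error, together with the fix-script messages captured in step 4. The results document, its rule IDs, and its messages are constructed for this example; the element names and the XCCDF 1.2 namespace are the real ones. What happens to a failed rule that has no fix element is an assumption, marked in the code.

```python
"""Added example: post-process an XCCDF 1.2 results file as written by
`oscap xccdf eval --results` and extended by remediation.  The results
document below is constructed for this example; element names and the
namespace are the real XCCDF 1.2 ones."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: the first TestResult is the scan before remediation, the
# second one is derived from it by the remediation run (rule IDs are hypothetical).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_before" start-time="2017-01-01T10:00:00" end-time="2017-01-01T10:00:05">
    <profile idref="xccdf_example_profile_common"/>
    <rule-result idref="xccdf_example_rule_sshd_disable_root" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_sshd_idle_timeout" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_package_aide_installed" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_grub2_password" severity="high"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_kernel_randomize_va_space" severity="low"><result>notselected</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_after" start-time="2017-01-01T10:00:05" end-time="2017-01-01T10:00:20">
    <profile idref="xccdf_example_profile_common"/>
    <rule-result idref="xccdf_example_rule_sshd_disable_root" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_sshd_idle_timeout" severity="medium"><result>fixed</result></rule-result>
    <rule-result idref="xccdf_example_rule_package_aide_installed" severity="medium">
      <result>error</result>
      <message severity="error">yum: No package aide available.</message>
    </rule-result>
    <rule-result idref="xccdf_example_rule_grub2_password" severity="high"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_kernel_randomize_va_space" severity="low"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_test_results(xml_text):
    """Return every TestResult in document order as {id, profile, rules}."""
    root = ET.fromstring(xml_text)
    results = []
    for tr in root.findall("xccdf:TestResult", NS):
        profile = tr.find("xccdf:profile", NS)
        rules = {}
        for rr in tr.findall("xccdf:rule-result", NS):
            rules[rr.get("idref")] = {
                "result": rr.findtext("xccdf:result", namespaces=NS),
                "severity": rr.get("severity"),
                # fix-script output that oscap captured for this rule
                "messages": [m.text for m in rr.findall("xccdf:message", NS)],
            }
        results.append({"id": tr.get("id"),
                        "profile": profile.get("idref") if profile is not None else None,
                        "rules": rules})
    return results


def count_results(test_result):
    """Tally of result values (pass, fail, fixed, error, notapplicable, ...)."""
    return Counter(r["result"] for r in test_result["rules"].values())


def remediation_candidates(test_result):
    """Rules that failed: exactly the ones remediation will try to fix."""
    return sorted(rid for rid, r in test_result["rules"].items() if r["result"] == "fail")


def remediation_summary(before, after):
    """Map each pre-remediation failure to its outcome in the post-remediation TestResult."""
    summary = {"fixed": [], "error": [], "unhandled": []}
    for rid in remediation_candidates(before):
        outcome = after["rules"].get(rid, {}).get("result")
        if outcome in ("fixed", "error"):
            summary[outcome].append(rid)
        else:  # assumption: a rule without a fix element keeps its original result
            summary["unhandled"].append(rid)
    return summary


if __name__ == "__main__":
    before, after = parse_test_results(SAMPLE_RESULTS)
    print("before remediation:", dict(count_results(before)))
    print("candidates:", remediation_candidates(before))
    summary = remediation_summary(before, after)
    for rid in summary["error"]:
        print("error:", rid, after["rules"][rid]["messages"])
    print("summary:", summary)
```

For a real run, load scan-xccdf-results.xml produced by the commands in Section 6.4.6.1 or 6.4.6.2 instead of SAMPLE_RESULTS; the error list with its captured messages is the part worth reading first, because those are the rules that are still non-compliant after the fix scripts ran.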

There are three modes of operation of OpenSCAP with regard to remediation: online, offline, and review.

6.4.6.1. OpenSCAP Online Remediation
Online remediation executes fix elements at the time of scanning. Evaluation and remediation are performed as part of a single command.
To enable online remediation, use the --remediate command-line option. For example, to execute online remediation using the scap-security-guide package, run:
~]$ oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Because the fix scripts modify the system configuration, run remediation as root and test the profile on a non-production system first.
The output of this command consists of two sections. The first section shows the result of the scan prior to the remediation, and the second section shows the result of the scan after applying the remediation. The second part can contain only fixed and error results. The fixed result indicates that the scan performed after the remediation passed. The error result indicates that even after applying the remediation, the evaluation still does not pass.

6.4.6.2. OpenSCAP Offline Remediation
Offline remediation allows you to postpone fix execution. In the first step, the system is only evaluated, and the results are stored in a TestResult element in an XCCDF file.
In the second step, oscap executes the fix scripts and verifies the result. It is safe to store the results into the input file; no data will be lost. During offline remediation, OpenSCAP creates a new TestResult element that is based on the input one and inherits all its data. The newly created TestResult differs only in the rule-result elements that have failed. For those, remediation is executed.
To perform offline remediation using the scap-security-guide package, run:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
~]$ oscap xccdf remediate --results scan-xccdf-results.xml scan-xccdf-results.xml

6.4.6.3. OpenSCAP Remediation Review
The review mode allows users to store the remediation instructions to a file for further review. The remediation content is not executed during this operation.
To generate remediation instructions in the form of a shell script, run:
~]$ oscap xccdf generate fix --template urn:xccdf:fix:script:sh --profile xccdf_org.ssgproject.content_profile_rht-ccp --output my-remediation-script.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

6.5. Using OpenSCAP with Docker
The oscap-docker command-line utility allows users to use the oscap program to scan their docker-formatted container images and containers in almost the same way as their local systems.
The following section explains the installation of oscap-docker and offers basic examples of its usage. To learn more about the sub-commands, use the --help option with the oscap-docker or oscap commands.
To enable the scanning of images and containers, you also need to have the docker package installed. See the Getting Docker in Red Hat Enterprise Linux 7 chapter of the Getting Started with Containers guide for instructions on installing Docker.
Enter the following command to install oscap-docker:
# yum install openscap-utils

Example 6.12. Using oscap-docker
oscap-docker scan_target[-cve] target_identifier [oscap-arguments]
where scan_target is an image or a container to scan, and target_identifier is the name or the ID of the target.
The second of the following commands attaches a container image, determines the variant and version of the operating system, downloads the CVE stream applicable to the given system, and finally runs the vulnerability scan:
# docker images
REPOSITORY                         TAG      IMAGE ID
registry.access.redhat.com/rhel7   latest   c453594215e4
# oscap-docker image-cve registry.access.redhat.com/rhel7
The second of the following commands runs the OpenSCAP scan within a chroot environment of a running container. The results may differ from scanning the container image because of the mount points defined for the container. The OVAL patch definition file com.redhat.rhsa-all.xml is used in this example.
# docker ps
CONTAINER ID   IMAGE                              COMMAND       NAMES
5ef05eef4a01   registry.access.redhat.com/rhel7   "/bin/bash"   sleepy_kirch
# oscap-docker container 5ef05eef4a01 oval eval com.redhat.rhsa-all.xml

Chapter 6. Compliance and Vulnerability Scanning with OpenSCAP

6.6. Using OpenSCAP with Atomic
To verify that all the container images and containers present on the system are free of known CVE vulnerabilities or common misconfigurations, use the OpenSCAP scanning capabilities through the atomic scan command.

Atomic Scan
To install the atomic tool on your system for container management, enter the following command as root:
# yum install atomic
After the atomic tool is installed, you also need a scanner. Red Hat recommends choosing the OpenSCAP-based rhel7/openscap docker image. Install it by running the following command as root:
# atomic install rhel7/openscap
Once the OpenSCAP docker image is in place, you can issue atomic scan commands. Scan the containers and container images by running the following command as root:
# atomic scan $ID
Where $ID is the ID of the container. If you want to scan all container images or containers, use the --images or --containers directive, respectively. To scan both types, use the --all directive.

The OpenSCAP Scanner
The rhel7/openscap container image, as the default scanner of atomic scan, currently supports two scan types targeting Red Hat Enterprise Linux systems only. Supported scan types can be listed by running the following command as root:
# atomic scan --scanner openscap --list
The default scan type is CVE scan. Use it for checking the target for known security vulnerabilities as defined in the CVE OVAL definitions released by Red Hat.

Warning
The OVAL definitions used by the CVE scan type are bundled in the container image during the build process, and as such are not always up-to-date.
The second supported scan type is standards_compliance, where the Standard System Security Profile of the bundled SCAP Security Guide is used for evaluation. This is the security baseline profile of Red Hat Enterprise Linux.

Example 6.13. Scanning the Container Image with Atomic Scan
The following example of atomic scan usage shows how to scan a Red Hat Enterprise Linux image and then list all found vulnerabilities with the --verbose directive.

# docker pull rhel7
Using default tag: latest
98a88a8b722a: Download complete
# atomic scan 98a88a8b722a
Container/Image    Cri    Imp    Med    Low
----------------   ----   ----   ----   ----
98a88a8b722a       0      0      0      0
# atomic scan --verbose 98a88a8b722a
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-10-14-06-42-55-991951:/scanin -v /var/lib/atomic/openscap/2016-10-14-06-42-55-991951:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
INFO:OpenSCAP Daemon one-off evaluator 0.1.6
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/98a88a8b722a71835dd761c88451c681a8f1bc6e577f90d4dc8b234100bd4861'
98a88a8b722a (registry.access.redhat.com/rhel7:latest)
98a88a8b722a passed the scan
Files associated with this scan are in /var/lib/atomic/openscap/2016-10-14-06-42-55-991951.

Note
A detailed description of the atomic command usage and containers is found in the Product Documentation for Red Hat Enterprise Linux Atomic Host. The Red Hat Customer Portal also provides a guide to the Atomic command line interface (CLI).

6.7. Using OpenSCAP with Red Hat Satellite
When running multiple Red Hat Enterprise Linux systems, it is important to keep all your systems compliant with your security policy and perform security scans and evaluations remotely from one location. This can be achieved by using Red Hat Satellite 5.5 or later with the spacewalk-oscap package installed on your Satellite client. The package is available from the Red Hat Network Tools channel. See How to enable/disable a repository using Red Hat Subscription-Manager?

This solution supports two methods of performing security compliance scans, viewing and further processing of the scan results. You can either use the OpenSCAP Satellite Web Interface or run commands and scripts from the Satellite API. For more information about this solution to security compliance, its requirements and capabilities, see the Red Hat Satellite documentation.

6.8. Practical Examples
This section demonstrates practical usage of certain security content provided for Red Hat products.

6.8.1. Auditing Security Vulnerabilities of Red Hat Products
Red Hat continuously provides OVAL definitions for their products. These definitions allow for a fully automated audit of vulnerabilities in the installed software. To find out more information about this project, see http://www.redhat.com/security/data/metrics/. To download these definitions, enter the following command:
~]$ wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
The users of Red Hat Satellite 5 may find the XCCDF part of the patch definitions useful. To download these definitions, enter the following command:
~]$ wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
To audit security vulnerabilities for the software installed on the system, enter the following command:
~]$ oscap oval eval --results rhsa-results-oval.xml --report oval-report.html com.redhat.rhsa-all.xml
The oscap utility maps Red Hat Security Advisories to CVE identifiers that are linked to the National Vulnerability Database and reports which security advisories are not applied.

Note
Note that these OVAL definitions are designed to only cover software and updates released by Red Hat. You need to provide additional definitions in order to detect the patch status of third-party software.
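The --results file written by the oscap oval eval command above is an OVAL results document, and the advisory-to-CVE mapping the paragraph describes lives in the definition metadata embedded in it. The following is an added example (not code from the guide or the OpenSCAP project) that post-processes such a file and lists the patch-class definitions that evaluated to true, which for Red Hat's patch definitions means the advisory is not applied. The XML embedded below is constructed for the demo: the definition ids, RHSA and CVE identifiers are placeholders in the shape of the real format, not real advisories.

```python
"""Summarize an OVAL results file from `oscap oval eval --results`.

Added example, not part of the Red Hat Security Guide. The sample document
is constructed; its advisory and CVE identifiers are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample in the shape of an OVAL results document: the
# definitions (with their metadata) are embedded, and the per-definition
# results follow under <results>/<system>.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.redhat.rhsa:def:0000001" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>RHSA-0000:0001: placeholder package security update (Important)</oval-def:title>
          <oval-def:reference source="RHSA" ref_id="RHSA-0000:0001"/>
          <oval-def:reference source="CVE" ref_id="CVE-0000-00001"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.redhat.rhsa:def:0000002" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>RHSA-0000:0002: placeholder library security update (Moderate)</oval-def:title>
          <oval-def:reference source="RHSA" ref_id="RHSA-0000:0002"/>
          <oval-def:reference source="CVE" ref_id="CVE-0000-00002"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.redhat.rhsa:def:0000003" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>RHSA-0000:0003: placeholder kernel security update (Important)</oval-def:title>
          <oval-def:reference source="RHSA" ref_id="RHSA-0000:0003"/>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.redhat.rhsa:def:0000001" result="true" version="1"/>
        <definition definition_id="oval:com.redhat.rhsa:def:0000002" result="false" version="1"/>
        <definition definition_id="oval:com.redhat.rhsa:def:0000003" result="not applicable" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def _definition_metadata(root):
    """Map definition id -> title, class and RHSA/CVE references."""
    meta = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        refs = d.findall("def:metadata/def:reference", NS)
        meta[d.get("id")] = {
            "title": d.findtext("def:metadata/def:title", default="", namespaces=NS),
            "class": d.get("class"),
            "rhsa": [r.get("ref_id") for r in refs if r.get("source") == "RHSA"],
            "cves": [r.get("ref_id") for r in refs if r.get("source") == "CVE"],
        }
    return meta


def result_counts(results_xml):
    """Tally how many definitions ended in each OVAL result value."""
    root = ET.fromstring(results_xml)
    counts = {}
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        counts[r.get("result")] = counts.get(r.get("result"), 0) + 1
    return counts


def unapplied_advisories(results_xml):
    """Patch-class definitions with result 'true': the advisory is missing."""
    root = ET.fromstring(results_xml)
    meta = _definition_metadata(root)
    missing = []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        info = meta.get(r.get("definition_id"), {})
        if r.get("result") == "true" and info.get("class") == "patch":
            missing.append(dict(info, id=r.get("definition_id")))
    return sorted(missing, key=lambda m: m["id"])


if __name__ == "__main__":
    print(result_counts(SAMPLE_RESULTS))
    for adv in unapplied_advisories(SAMPLE_RESULTS):
        print(adv["id"], adv["rhsa"], adv["cves"], adv["title"])
```

Point the two functions at the real rhsa-results-oval.xml to get a machine-readable list of missing advisories instead of reading the HTML report; the "not applicable" bucket is expected to be large, because the stream covers every Red Hat product, not only the packages installed on the scanned host.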

6.8.2. Auditing System Settings with SCAP Security Guide
The SCAP Security Guide (SSG) project's package, scap-security-guide, contains the latest set of security policies for Linux systems. To install the SCAP Security Guide package on your system, enter the following command as root:
~]# yum install scap-security-guide

A part of scap-security-guide is also guidance for Red Hat Enterprise Linux 7 settings. To inspect the security content available with scap-security-guide, use the oscap info module:
~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The output of this command is an outline of the SSG document and it contains the available configuration profiles. To audit your system settings, choose a suitable profile and run the appropriate evaluation command. For example, the following command is used to assess the given system against a draft SCAP profile for Red Hat Certified Cloud Providers:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results ssg-rhel7-xccdf-result.xml --report ssg-rhel7-report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

6.9. Additional Resources
For more information about various security compliance fields of interest, see the resources below.

Installed Documentation
oscap(8) — The manual page for the oscap command-line utility provides a complete list of available options and their usage explanation.
scap-workbench(8) — The manual page for the SCAP Workbench application provides basic information about the application as well as some links to potential sources of SCAP content.
scap-security-guide(8) — The manual page for scap-security-guide provides further documentation about the various available SCAP security profiles. Examples of how to utilize the provided benchmarks using the OpenSCAP utility are provided as well.

Online Documentation
The OpenSCAP project page — The home page of the OpenSCAP project provides detailed information about the oscap utility and other components and projects related to SCAP.
The SCAP Workbench project page — The home page of the SCAP Workbench project provides detailed information about the scap-workbench application.
The SCAP Security Guide (SSG) project page — The home page of the SSG project that provides the latest security content for Red Hat Enterprise Linux.
National Institute of Standards and Technology (NIST) SCAP page — This page represents a vast collection of SCAP related materials, including SCAP publications, specifications, and the SCAP Validation Program.
National Vulnerability Database (NVD) — This page represents the largest repository of SCAP content and other SCAP standards based vulnerability management data.
Red Hat OVAL content repository — This is a repository containing OVAL definitions for Red Hat Enterprise Linux systems.

MITRE CVE — This is a database of publicly known security vulnerabilities provided by the MITRE corporation.
MITRE OVAL — This page represents an OVAL related project provided by the MITRE corporation. Amongst other OVAL related information, these pages contain the latest version of the OVAL language and a huge repository of OVAL content, counting over 22 thousand OVAL definitions.
Red Hat Satellite documentation — This set of guides describes, amongst other topics, how to maintain system security on multiple systems by using OpenSCAP.

Chapter 7. Federal Standards and Regulations
In order to maintain security levels, it is possible for your organization to make efforts to comply with federal and industry security specifications, standards and regulations. This chapter describes some of these standards and regulations.

7.1. Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard, developed by a U.S. Government and industry working group to validate the quality of cryptographic modules. See the official FIPS publications here: http://csrc.nist.gov/publications/PubsFIPS.html. At the time of the Red Hat Enterprise Linux 7.3 release, Publication 140-3 is at Draft status, and may not represent the completed standard.
The FIPS 140-2 standard ensures that cryptographic tools implement their algorithms properly. See the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for further details on these levels and the other specifications of the FIPS standard.
To see the complete list of all FIPS 140-2 certificates, visit http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. To learn about compliance requirements, see the Red Hat Government: Standards page.

7.1.1. Enabling FIPS Mode
To make Red Hat Enterprise Linux compliant with the Federal Information Processing Standard (FIPS) Publication 140-2, you need to make several changes to ensure that accredited cryptographic modules are used. You can either enable FIPS mode during system installation or after it.

During the System Installation
To fulfil strict FIPS 140-2 compliance, add the fips=1 kernel option to the kernel command line during system installation. With this option, all key generation is done with FIPS-approved algorithms and with continuous monitoring tests in place. After the installation, the system is configured to boot into FIPS mode automatically.

Important
Ensure that the system has plenty of entropy during the installation process by moving the mouse around or by pressing many keystrokes. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes could generate a non-unique key.

After the System Installation
To turn your system, kernel and user space, into FIPS mode anytime after the system installation, follow these steps:
1. Make sure prelinking is disabled.

For proper operation of the in-module integrity verification, prelinking of libraries and binaries has to be disabled. Prelinking is done by the prelink package, which is not installed by default. To disable prelinking, set the PRELINKING=no option in the /etc/sysconfig/prelink configuration file. To disable existing prelinking on all system files, use the prelink -u -a command.
2. Install the dracut-fips package:
~]# yum install dracut-fips
For CPUs with AES New Instructions (AES-NI) support, install the dracut-fips-aesni package as well:
~]# yum install dracut-fips-aesni
3. Regenerate the initramfs file.
To enable the in-module integrity verification and to have all required modules present during the kernel boot, the initramfs file has to be regenerated:
~]# dracut -v -f

Warning
This operation will overwrite the existing initramfs file.
4. Modify the boot loader configuration.
To boot into FIPS mode, add the fips=1 option to the kernel command line of the boot loader. If your /boot or /boot/EFI/ partitions reside on separate partitions, add the boot=<partition> (where <partition> stands for /boot or /boot/EFI) parameter to the kernel command line as well.
To identify the boot partition, enter the following command:
~]$ df /boot
Filesystem     1K-blocks  Used Available Use% Mounted on
/dev/sda1         495844 53780    416464  12% /boot

To ensure that the boot= configuration option works even if the device naming changes between boots, identify the universally unique identifier (UUID) of the partition by running the following command:
~]$ blkid /dev/sda1
/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
Append the UUID to the kernel command line:
boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
Depending on your boot loader, make the following changes:

grub2
Add the fips=1 and boot=<partition> options to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. To apply the changes to /etc/default/grub, rebuild the grub.cfg file as follows:
On BIOS-based machines, enter the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-based machines, enter the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
zipl (on the IBM z Systems architecture only)
Add the fips=1 and boot=<partition> options to the kernel command line in /etc/zipl.conf and apply the changes by running the following command as root:
~]# zipl
5. Reboot your system.
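The five steps above are easy to get half-right: prelinking left on, dracut-fips installed but the initramfs never rebuilt, or fips=1 present without boot= on a system whose /boot is a separate partition. The following added example (not code from the guide) checks the prerequisites the procedure lists and derives the boot=UUID= parameter from blkid output. The inputs are passed in as strings so it can be run against captured data from any host; the sample kernel command line and package set at the bottom are constructed. Reading /proc/sys/crypto/fips_enabled as the final "is the kernel actually in FIPS mode" check is a standard kernel interface and is not mentioned on the page; it is this example's addition.

```python
"""Check the FIPS mode prerequisites from Section 7.1.1 of the guide.

Added example, not part of the Red Hat Security Guide. Inputs are plain
strings/sets so the checks can run offline against captured data.
"""
import re

UUID_RE = re.compile(r'\bUUID="([0-9a-fA-F-]+)"')


def boot_param_from_blkid(blkid_line):
    """Turn a `blkid /dev/sdX` line into the boot=UUID=... kernel parameter."""
    m = UUID_RE.search(blkid_line)
    if not m:
        raise ValueError("no UUID in blkid output: %r" % blkid_line)
    return "boot=UUID=" + m.group(1)


def prelink_disabled(sysconfig_prelink_text, prelink_installed):
    """Step 1: prelinking must be off. Nothing to disable if the package
    is absent; otherwise /etc/sysconfig/prelink must say PRELINKING=no."""
    if not prelink_installed:
        return True
    for line in sysconfig_prelink_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("PRELINKING="):
            return line.split("=", 1)[1].strip().strip('"') == "no"
    return False   # PRELINKING unset: prelink's default is to prelink


def cmdline_has_fips(proc_cmdline, boot_separate):
    """Step 4: fips=1 on the kernel command line, plus boot=... when /boot
    lives on its own partition."""
    args = proc_cmdline.split()
    if "fips=1" not in args:
        return False
    if boot_separate and not any(a.startswith("boot=") for a in args):
        return False
    return True


def fips_status(proc_cmdline, fips_enabled_sysctl, rpms, sysconfig_prelink_text, boot_separate):
    """Return the list of unmet prerequisites (empty list = all satisfied).

    rpms: set of installed package names (e.g. from `rpm -qa --qf '%{NAME}\\n'`)
    fips_enabled_sysctl: contents of /proc/sys/crypto/fips_enabled
    """
    failures = []
    if not prelink_disabled(sysconfig_prelink_text, "prelink" in rpms):
        failures.append("prelinking not disabled (set PRELINKING=no in /etc/sysconfig/prelink)")
    if "dracut-fips" not in rpms:
        failures.append("dracut-fips package not installed")
    if not cmdline_has_fips(proc_cmdline, boot_separate):
        failures.append("fips=1 (and boot= for a separate /boot) missing from the kernel command line")
    if fips_enabled_sysctl.strip() != "1":
        failures.append("/proc/sys/crypto/fips_enabled is not 1: kernel is not running in FIPS mode")
    return failures


# Constructed sample inputs for a host that completed the procedure.
GOOD_CMDLINE = ("BOOT_IMAGE=/vmlinuz-3.10.0-514.el7.x86_64 root=/dev/mapper/rhel-root ro "
                "fips=1 boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797 quiet")
GOOD_RPMS = {"dracut-fips", "dracut-fips-aesni", "kernel"}

if __name__ == "__main__":
    print(boot_param_from_blkid('/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"'))
    print(fips_status(GOOD_CMDLINE, "1\n", GOOD_RPMS, "", boot_separate=True) or "FIPS prerequisites satisfied")
```

On a live host, feed it the real values: /proc/cmdline, /proc/sys/crypto/fips_enabled, the output of rpm -qa, and /etc/sysconfig/prelink. Note that the check cannot see whether dracut -v -f was run after installing dracut-fips; a kernel that boots with fips=1 but a stale initramfs fails its integrity check, which shows up as fips_enabled not being 1, so the last check catches that case indirectly.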

7.2. National Industrial Security Program Operating Manual (NISPOM)
The NISPOM (also called DoD 5220.22-M), as a component of the National Industrial Security Program (NISP), establishes a series of procedures and requirements for all government contractors with regard to classified information. The current NISPOM is dated February 28, 2006, with incorporated major changes from March 28, 2013. The NISPOM document can be downloaded from the following URL: http://www.nispom.org/NISPOM-download.html.

7.3. Payment Card Industry Data Security Standard (PCI DSS)
From https://www.pcisecuritystandards.org/about/index.shtml: The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (DSS).
You can download the PCI DSS standard from https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

7.4. Security Technical Implementation Guide
A Security Technical Implementation Guide (STIG) is a methodology for standardized secure installation and maintenance of computer software and hardware.
See the following URL for more information on STIG: http://iase.disa.mil/stigs/Pages/index.aspx.

Appendix A. Encryption Standards
A.1. Synchronous Encryption
A.1.1. Advanced Encryption Standard — AES
In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. Government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES). [3]

A.1.1.1. AES History
AES was announced by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process. Fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable. It became effective as a standard May 26, 2002. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information (see the Security section in the Wikipedia article on AES). [4]
The Rijndael cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted by them to the AES selection process. Rijndael is a portmanteau of the names of the two inventors. [5]

A.1.2. Data Encryption Standard — DES
The Data Encryption Standard (DES) is a block cipher (a form of shared secret encryption) that was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key. The algorithm was initially controversial with classified design elements, a relatively short key length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic scrutiny which motivated the modern understanding of block ciphers and their cryptanalysis. [6]

A.1.2.1. DES History
DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January, 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes. There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are unfeasible to mount in practice. The algorithm is believed to be practically secure in the form of Triple DES, although there are theoretical attacks. In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES). [7]
In some documentation, a distinction is made between DES as a standard and DES the algorithm, which is referred to as the DEA (the Data Encryption Algorithm). [8]

A.2. Public-key Encryption
Public-key cryptography is a cryptographic approach, employed by many cryptographic algorithms and cryptosystems, whose distinguishing characteristic is the use of asymmetric key algorithms instead of or in addition to symmetric key algorithms. Using the techniques of public key-private key cryptography, many methods of protecting communications or authenticating messages formerly unknown have become practical. They do not require a secure initial exchange of one or more secret keys as is required when using symmetric key algorithms. It can also be used to create digital signatures. [9]
Public key cryptography is a fundamental and widely used technology around the world, and is the approach which underlies such Internet standards as Transport Layer Security (TLS) (successor to SSL), PGP and GPG. [10]
The distinguishing technique used in public key cryptography is the use of asymmetric key algorithms, where the key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys — a public key and a private key. The private key is kept secret, whilst the public key may be widely distributed. Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but the private key cannot be feasibly (ie, in actual or projected practice) derived from the public key. It was the discovery of such algorithms which revolutionized the practice of cryptography beginning in the middle 1970s. [11]
In contrast, symmetric-key algorithms, variations of which have been used for some thousands of years, use a single secret key shared by sender and receiver (which must also be kept private, thus accounting for the ambiguity of the common terminology) for both encryption and decryption. To use a symmetric encryption scheme, the sender and receiver must securely share a key in advance. [12]
Because symmetric key algorithms are nearly always much less computationally intensive, it is common to exchange a key using a key-exchange algorithm and transmit data using that key and a symmetric key algorithm. PGP, and the SSL/TLS family of schemes do this, for instance, and are called hybrid cryptosystems in consequence. [13]

A.2.1. Diffie-Hellman
Diffie–Hellman key exchange (D–H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. [14]

A.2.1.1. Diffie-Hellman History
The scheme was first published by Whitfield Diffie and Martin Hellman in 1976, although it later emerged that it had been separately invented a few years earlier within GCHQ, the British signals intelligence agency, by Malcolm J. Williamson but was kept classified. In 2002, Hellman suggested the algorithm be called Diffie–Hellman–Merkle key exchange in recognition of Ralph Merkle's contribution to the invention of public-key cryptography (Hellman, 2002). [15]

Although Diffie–Hellman key agreement itself is an anonymous (non-authenticated) key-agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecy in Transport Layer Security's ephemeral modes (referred to as EDH or DHE depending on the cipher suite). [16]
U.S. Patent 4,200,770, now expired, describes the algorithm and credits Hellman, Diffie, and Merkle as inventors. [17]
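Section A.2.1 describes what Diffie–Hellman achieves and A.2 explains why the agreed secret is then fed to a symmetric cipher (a hybrid cryptosystem). The following is an added example, not code from the guide, that walks through the exchange with both parties' messages: each side publishes g^x mod p, keeps x secret, and derives the same g^ab mod p, which is then hashed into a symmetric key. The modulus used here is a demonstration prime only (the Curve25519 field prime, chosen because it is a known prime of convenient size); real deployments use a standardized group such as the RFC 3526 MODP groups. As the paragraph above says, plain D-H is unauthenticated, so the example also shows the minimal sanity check on the received public value and leaves authentication of that value to the surrounding protocol.

```python
"""Diffie-Hellman key agreement, with the hybrid "derive a symmetric key"
step from Section A.2.

Added example, not part of the Red Hat Security Guide. The group below is
for demonstration only, not a standards-body group.
"""
import hashlib
import secrets

# Demonstration-only group parameters: P is prime, G is the generator.
P = 2**255 - 19
G = 2


def is_valid_public(value):
    """Reject out-of-range and trivial public values (0, 1, p-1) that would
    force the shared secret into a tiny set."""
    return 1 < value < P - 1


class Party:
    """One endpoint of the exchange: holds a private exponent, publishes
    the corresponding public value, and computes the shared secret."""

    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1   # x in [1, p-2], never leaves this object
        self.public = pow(G, self.private, P)         # g^x mod p, sent over the insecure channel
        self.shared = None

    def receive(self, peer_public):
        """Combine the peer's public value with our private exponent."""
        if not is_valid_public(peer_public):
            raise ValueError("peer public value out of range")
        self.shared = pow(peer_public, self.private, P)   # (g^y)^x = g^xy mod p
        return self.shared


def derive_key(shared_secret, length=32):
    """Hybrid step: hash the agreed integer into a fixed-size symmetric key."""
    secret_bytes = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes).digest()[:length]


def run_exchange():
    """Simulate the protocol: only the two public values cross the channel."""
    alice, bob = Party("alice"), Party("bob")
    wire = [("alice->bob", alice.public), ("bob->alice", bob.public)]  # what an eavesdropper sees
    bob.receive(wire[0][1])
    alice.receive(wire[1][1])
    return alice, bob


def same_key(alice, bob):
    return derive_key(alice.shared) == derive_key(bob.shared)


if __name__ == "__main__":
    a, b = run_exchange()
    print("alice public:", hex(a.public)[:20] + "...")
    print("bob public:  ", hex(b.public)[:20] + "...")
    print("keys match:", same_key(a, b))
```

The eavesdropper's view is exactly the two entries in wire: recovering the shared secret from them is the discrete logarithm problem the protocol rests on. What the code does not do is tell Alice that the value she received really came from Bob; that is the "anonymous (non-authenticated)" property the section describes, and why TLS pairs ephemeral D-H with a signature from the server's certificate.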

A.2.2. RSA
In cryptography, RSA (which stands for Rivest, Shamir and Adleman, who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

A.2.3. DSA
DSA (Digital Signature Algorithm) is a standard for digital signatures, a United States federal government standard for digital signatures. DSA is for signatures only and is not an encryption algorithm. [18]

A.2.4. SSL/TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.
Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP). [19]

A.2.5. Cramer-Shoup Cryptosystem
The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the computational intractability (widely assumed, but not proved) of the decisional Diffie–Hellman assumption. Developed by Ronald Cramer and Victor Shoup in 1998, it is an extension of the ElGamal cryptosystem. In contrast to ElGamal, which is extremely malleable, Cramer–Shoup adds additional elements to ensure non-malleability even against a resourceful attacker. This non-malleability is achieved through the use of a collision-resistant hash function and additional computations, resulting in a ciphertext which is twice as large as in ElGamal. [20]

A.2.6. ElGamal Encryption
In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. It was described by Taher ElGamal in 1985. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. [21]

[3] "Advanced Encryption Standard." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[4] "Advanced Encryption Standard." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[5] "Advanced Encryption Standard." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
[6] "Data Encryption Standard." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Data_Encryption_Standard
[7] "Data Encryption Standard." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Data_Encryption_Standard
[8] "Data Encryption Standard." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Data_Encryption_Standard
[9] "Public-key Encryption." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Public-key_cryptography
[10] "Public-key Encryption." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Public-key_cryptography
[11] "Public-key Encryption." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Public-key_cryptography
[12] "Public-key Encryption." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Public-key_cryptography
[13] "Public-key Encryption." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Public-key_cryptography
[14] "Diffie-Hellman." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Diffie-Hellman
[15] "Diffie-Hellman." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Diffie-Hellman
[16] "Diffie-Hellman." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Diffie-Hellman
[17] "Diffie-Hellman." Wikipedia. 14 November 2009. http://en.wikipedia.org/wiki/Diffie-Hellman
[18] "DSA." Wikipedia. 24 February 2010. http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
[19] "TLS/SSL." Wikipedia. 24 February 2010. http://en.wikipedia.org/wiki/Transport_Layer_Security
[20] "Cramer-Shoup cryptosystem." Wikipedia. 24 February 2010. http://en.wikipedia.org/wiki/Cramer–Shoup_cryptosystem
[21] "ElGamal encryption." Wikipedia. 24 February 2010. http://en.wikipedia.org/wiki/ElGamal_encryption

Appendix B. Audit System Reference
B.1. Audit Event Fields
Table B.1, “Eve nt Fie lds ” lis ts all curre ntly-s upporte d Audit e ve nt fie lds . An e ve nt fie ld is
the value pre ce ding the e qual s ign in the Audit log file s .
T able B.1. Event Fields
Event Field

Explanat io n

a0, a1, a2, a3

Re cords the firs t four argume nts of the s ys te m call, e ncode d
in he xade cimal notation.
Re cords a us e r's account name .
Re cords the IPv4 or IPv6 addre s s . This fie ld us ually follows a
hostname fie ld and contains the addre s s the hos t name
re s olve s to.
Re cords information about the CPU archite cture of the s ys te m,
e ncode d in he xade cimal notation.
Re cords the Audit us e r ID. This ID is as s igne d to a us e r upon
login and is inhe rite d by e ve ry proce s s e ve n whe n the us e r's
ide ntity change s (for e xample , by s witching us e r accounts with
su - john).
Re cords the numbe r of bits that we re us e d to s e t a particular
Linux capability. For more information on Linux capabilitie s ,
s e e the capabilitie s (7) man page .
Re cords data re late d to the s e tting of an inhe rite d file
s ys te m-bas e d capability.
Re cords data re late d to the s e tting of a pe rmitte d file s ys te mbas e d capability.
Re cords data re late d to the s e tting of an e ffe ctive proce s s bas e d capability.
Re cords data re late d to the s e tting of an inhe rite d proce s s bas e d capability.
Re cords data re late d to the s e tting of a pe rmitte d proce s s bas e d capability.
Re cords the path to the cgroup that contains the proce s s at
the time the Audit e ve nt was ge ne rate d.
Re cords the e ntire command line that is e xe cute d. This is
us e ful in cas e of s he ll inte rpre te rs whe re the exe fie ld
re cords , for e xample , /bin/bash as the s he ll inte rpre te r and
the cmd fie ld re cords the re s t of the command line that is
e xe cute d, for e xample helloworld.sh --help.
Re cords the command that is e xe cute d. This is us e ful in cas e
of s he ll inte rpre te rs whe re the exe fie ld re cords , for e xample ,
/bin/bash as the s he ll inte rpre te r and the comm fie ld re cords
the name of the s cript that is e xe cute d, for e xample
helloworld.sh.
Re cords the path to the dire ctory in which a s ys te m call was
invoke d.
Re cords data as s ociate d with TTY re cords .
Re cords the minor and major ID of the de vice that contains
the file or dire ctory re corde d in an e ve nt.

acct
addr

arch
auid

capability

cap_fi
cap_fp
cap_pe
cap_pi
cap_pp
cgroup
cmd

comm

cwd
data
dev

225

Event Field       Explanation
devmajor          Records the major device ID.
devminor          Records the minor device ID.
egid              Records the effective group ID of the user who started the analyzed process.
euid              Records the effective user ID of the user who started the analyzed process.
exe               Records the path to the executable that was used to invoke the analyzed process.
exit              Records the exit code returned by a system call. This value varies by system call. You can interpret the value to its human-readable equivalent with the following command: ausearch --interpret --exit exit_code
family            Records the type of address protocol that was used, either IPv4 or IPv6.
filetype          Records the type of the file.
flags             Records the file system name flags.
fsgid             Records the file system group ID of the user who started the analyzed process.
fsuid             Records the file system user ID of the user who started the analyzed process.
gid               Records the group ID.
hostname          Records the host name.
icmptype          Records the type of an Internet Control Message Protocol (ICMP) package that is received. Audit messages containing this field are usually generated by iptables.
id                Records the user ID of an account that was changed.
inode             Records the inode number associated with the file or directory recorded in an Audit event.
inode_gid         Records the group ID of the inode's owner.
inode_uid         Records the user ID of the inode's owner.
items             Records the number of path records that are attached to this record.
key               Records the user-defined string associated with a rule that generated a particular event in the Audit log.
list              Records the Audit rule list ID. The following is a list of known IDs: 0 (user), 1 (task), 4 (exit), 5 (exclude).
mode              Records the file or directory permissions, encoded in numerical notation.
msg               Records a time stamp and a unique ID of a record, or various event-specific name=value pairs provided by the kernel or user space applications.
msgtype           Records the message type that is returned in case of a user-based AVC denial. The message type is determined by D-Bus.
name              Records the full path of the file or directory that was passed to the system call as an argument.

new-disk          Records the name of a new disk resource that is assigned to a virtual machine.
new-mem           Records the amount of a new memory resource that is assigned to a virtual machine.
new-vcpu          Records the number of a new virtual CPU resource that is assigned to a virtual machine.
new-net           Records the MAC address of a new network interface resource that is assigned to a virtual machine.
new_gid           Records a group ID that is assigned to a user.
oauid             Records the user ID of the user that has logged in to access the system (as opposed to, for example, using su) and has started the target process. This field is exclusive to the record of type OBJ_PID.
ocomm             Records the command that was used to start the target process. This field is exclusive to the record of type OBJ_PID.
opid              Records the process ID of the target process. This field is exclusive to the record of type OBJ_PID.
oses              Records the session ID of the target process. This field is exclusive to the record of type OBJ_PID.
ouid              Records the real user ID of the target process.
obj               Records the SELinux context of an object. An object can be a file, a directory, a socket, or anything that is receiving the action of a subject.
obj_gid           Records the group ID of an object.
obj_lev_high      Records the high SELinux level of an object.
obj_lev_low       Records the low SELinux level of an object.
obj_role          Records the SELinux role of an object.
obj_uid           Records the UID of an object.
obj_user          Records the user that is associated with an object.
ogid              Records the object owner's group ID.
old-disk          Records the name of an old disk resource when a new disk resource is assigned to a virtual machine.
old-mem           Records the amount of an old memory resource when a new amount of memory is assigned to a virtual machine.
old-vcpu          Records the number of an old virtual CPU resource when a new virtual CPU is assigned to a virtual machine.
old-net           Records the MAC address of an old network interface resource when a new network interface is assigned to a virtual machine.
old_prom          Records the previous value of the network promiscuity flag.
ouid              Records the real user ID of the user who started the target process.
path              Records the full path of the file or directory that was passed to the system call as an argument in case of AVC-related Audit events.
perm              Records the file permission that was used to generate an event (that is, read, write, execute, or attribute change).

pid               The pid field semantics depend on the origin of the value in this field. In fields generated from user space, this field holds a process ID. In fields generated by the kernel, this field holds a thread ID. The thread ID is equal to the process ID for single-threaded processes. Note that the value of this thread ID is different from the values of pthread_t IDs used in user space. For more information, see the gettid(2) man page.
ppid              Records the Parent Process ID (PID).
prom              Records the network promiscuity flag.
proto             Records the networking protocol that was used. This field is specific to Audit events generated by iptables.
res               Records the result of the operation that triggered the Audit event.
result            Records the result of the operation that triggered the Audit event.
saddr             Records the socket address.
sauid             Records the sender Audit login user ID. This ID is provided by D-Bus as the kernel is unable to see which user is sending the original auid.
ses               Records the session ID of the session from which the analyzed process was invoked.
sgid              Records the set group ID of the user who started the analyzed process.
sig               Records the number of a signal that causes a program to end abnormally. Usually, this is a sign of a system intrusion.
subj              Records the SELinux context of a subject. A subject can be a process, a user, or anything that is acting upon an object.
subj_clr          Records the SELinux clearance of a subject.
subj_role         Records the SELinux role of a subject.
subj_sen          Records the SELinux sensitivity of a subject.
subj_user         Records the user that is associated with a subject.
success           Records whether a system call was successful or failed.
suid              Records the set user ID of the user who started the analyzed process.
syscall           Records the type of the system call that was sent to the kernel.
terminal          Records the terminal name (without /dev/).
tty               Records the name of the controlling terminal. The value (none) is used if the process has no controlling terminal.
uid               Records the real user ID of the user who started the analyzed process.
vm                Records the name of a virtual machine from which the Audit event originated.

B.2. Audit Record Types

Table B.2, “Record Types” lists all currently supported types of Audit records. The event type is specified in the type= field at the beginning of every Audit record.

Table B.2. Record Types

Event Type                     Explanation
ADD_GROUP                      Triggered when a user-space group is added.
ADD_USER                       Triggered when a user-space user account is added.
ANOM_ABEND [a]                 Triggered when a process ends abnormally (with a signal that could cause a core dump, if enabled).
ANOM_ACCESS_FS [a]             Triggered when a file or a directory access ends abnormally.
ANOM_ADD_ACCT [a]              Triggered when a user-space account addition ends abnormally.
ANOM_AMTU_FAIL [a]             Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected.
ANOM_CRYPTO_FAIL [a]           Triggered when a failure in the cryptographic system is detected.
ANOM_DEL_ACCT [a]              Triggered when a user-space account deletion ends abnormally.
ANOM_EXEC [a]                  Triggered when an execution of a file ends abnormally.
ANOM_LOGIN_ACCT [a]            Triggered when an account login attempt ends abnormally.
ANOM_LOGIN_FAILURES [a]        Triggered when the limit of failed login attempts is reached.
ANOM_LOGIN_LOCATION [a]        Triggered when a login attempt is made from a forbidden location.
ANOM_LOGIN_SESSIONS [a]        Triggered when a login attempt reaches the maximum amount of concurrent sessions.
ANOM_LOGIN_TIME [a]            Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time.
ANOM_MAX_DAC [a]               Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached.
ANOM_MAX_MAC [a]               Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached.
ANOM_MK_EXEC [a]               Triggered when a file is made executable.
ANOM_MOD_ACCT [a]              Triggered when a user-space account modification ends abnormally.
ANOM_PROMISCUOUS [a]           Triggered when a device enables or disables promiscuous mode.
ANOM_RBAC_FAIL [a]             Triggered when a Role-Based Access Control (RBAC) self-test failure is detected.
ANOM_RBAC_INTEGRITY_FAIL [a]   Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected.
ANOM_ROOT_TRANS [a]            Triggered when a user becomes root.
AVC                            Triggered to record an SELinux permission check.
AVC_PATH                       Triggered to record the dentry and vfsmount pair when an SELinux permission check occurs.

BPRM_FCAPS                     Triggered when a user executes a program with a file system capability.
CAPSET                         Triggered to record the capabilities being set for process-based capabilities, for example, running as root to drop capabilities.
CHGRP_ID                       Triggered when a user-space group ID is changed.
CHUSER_ID                      Triggered when a user-space user ID is changed.
CONFIG_CHANGE                  Triggered when the Audit system configuration is modified.
CRED_ACQ                       Triggered when a user acquires user-space credentials.
CRED_DISP                      Triggered when a user disposes of user-space credentials.
CRED_REFR                      Triggered when a user refreshes their user-space credentials.
CRYPTO_FAILURE_USER            Triggered when a decrypt, encrypt, or randomize cryptographic operation fails.
CRYPTO_KEY_USER                Triggered to record the cryptographic key identifier used for cryptographic purposes.
CRYPTO_LOGIN                   Triggered when a cryptographic officer login attempt is detected.
CRYPTO_LOGOUT                  Triggered when a cryptographic officer logout attempt is detected.
CRYPTO_PARAM_CHANGE_USER       Triggered when a change in a cryptographic parameter is detected.
CRYPTO_REPLAY_USER             Triggered when a replay attack is detected.
CRYPTO_SESSION                 Triggered to record parameters set during a TLS session establishment.
CRYPTO_TEST_USER               Triggered to record cryptographic test results as required by the FIPS-140 standard.
CWD                            Triggered to record the current working directory.
DAC_CHECK                      Triggered to record DAC check results.
DAEMON_ABORT                   Triggered when a daemon is stopped due to an error.
DAEMON_ACCEPT                  Triggered when the auditd daemon accepts a remote connection.
DAEMON_CLOSE                   Triggered when the auditd daemon closes a remote connection.
DAEMON_CONFIG                  Triggered when a daemon configuration change is detected.
DAEMON_END                     Triggered when a daemon is successfully stopped.
DAEMON_RESUME                  Triggered when the auditd daemon resumes logging.
DAEMON_ROTATE                  Triggered when the auditd daemon rotates the Audit log files.
DAEMON_START                   Triggered when the auditd daemon is started.
DEL_GROUP                      Triggered when a user-space group is deleted.
DEL_USER                       Triggered when a user-space user is deleted.
DEV_ALLOC                      Triggered when a device is allocated.
DEV_DEALLOC                    Triggered when a device is deallocated.
EOE                            Triggered to record the end of a multi-record event.
EXECVE                         Triggered to record arguments of the execve(2) system call.
FD_PAIR                        Triggered to record the use of the pipe and socketpair system calls.
FS_RELABEL                     Triggered when a file system relabel operation is detected.

GRP_AUTH                       Triggered when a group password is used to authenticate against a user-space group.
INTEGRITY_DATA [b]             Triggered to record a data integrity verification event run by the kernel.
INTEGRITY_HASH [b]             Triggered to record a hash type integrity verification event run by the kernel.
INTEGRITY_METADATA [b]         Triggered to record a metadata integrity verification event run by the kernel.
INTEGRITY_PCR [b]              Triggered to record Platform Configuration Register (PCR) invalidation messages.
INTEGRITY_RULE [b]             Triggered to record a policy rule.
INTEGRITY_STATUS [b]           Triggered to record the status of integrity verification.
IPC                            Triggered to record information about an Inter-Process Communication object referenced by a system call.
IPC_SET_PERM                   Triggered to record information about new values set by an IPC_SET control operation on an IPC object.
KERNEL                         Triggered to record the initialization of the Audit system.
KERNEL_OTHER                   Triggered to record information from third-party kernel modules.
LABEL_LEVEL_CHANGE             Triggered when an object's level label is modified.
LABEL_OVERRIDE                 Triggered when an administrator overrides an object's level label.
LOGIN                          Triggered to record relevant login information when a user logs in to access the system.
MAC_CIPSOV4_ADD                Triggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CIPSOV4_DEL                Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CONFIG_CHANGE              Triggered when an SELinux Boolean value is changed.
MAC_IPSEC_EVENT                Triggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes.
MAC_MAP_ADD                    Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_MAP_DEL                    Triggered when an existing LSM domain mapping is deleted. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_POLICY_LOAD                Triggered when an SELinux policy file is loaded.
MAC_STATUS                     Triggered when the SELinux mode (enforcing, permissive, off) is changed.
MAC_UNLBL_ALLOW                Triggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCADD               Triggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCDEL               Triggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel.
MMAP                           Triggered to record a file descriptor and flags of the mmap(2) system call.

MQ_GETSETATTR                  Triggered to record the mq_getattr(3) and mq_setattr(3) message queue attributes.
MQ_NOTIFY                      Triggered to record arguments of the mq_notify(3) system call.
MQ_OPEN                        Triggered to record arguments of the mq_open(3) system call.
MQ_SENDRECV                    Triggered to record arguments of the mq_send(3) and mq_receive(3) system calls.
NETFILTER_CFG                  Triggered when Netfilter chain modifications are detected.
NETFILTER_PKT                  Triggered to record packets traversing Netfilter chains.
OBJ_PID                        Triggered to record information about a process to which a signal is sent.
PATH                           Triggered to record file name path information.
RESP_ACCT_LOCK [c]             Triggered when a user account is locked.
RESP_ACCT_LOCK_TIMED [c]       Triggered when a user account is locked for a specified period of time.
RESP_ACCT_REMOTE [c]           Triggered when a user account is locked from a remote session.
RESP_ACCT_UNLOCK_TIMED [c]     Triggered when a user account is unlocked after a configured period of time.
RESP_ALERT [c]                 Triggered when an alert email is sent.
RESP_ANOMALY [c]               Triggered when an anomaly was not acted upon.
RESP_EXEC [c]                  Triggered when an intrusion detection program responds to a threat originating from the execution of a program.
RESP_HALT [c]                  Triggered when the system is shut down.
RESP_KILL_PROC [c]             Triggered when a process is terminated.
RESP_SEBOOL [c]                Triggered when an SELinux Boolean value is set.
RESP_SINGLE [c]                Triggered when the system is put into single-user mode.
RESP_TERM_ACCESS [c]           Triggered when a session is terminated.
RESP_TERM_LOCK [c]             Triggered when a terminal is locked.
ROLE_ASSIGN                    Triggered when an administrator assigns a user to an SELinux role.
ROLE_MODIFY                    Triggered when an administrator modifies an SELinux role.
ROLE_REMOVE                    Triggered when an administrator removes a user from an SELinux role.
SELINUX_ERR                    Triggered when an internal SELinux error is detected.
SERVICE_START                  Triggered when a service is started.
SERVICE_STOP                   Triggered when a service is stopped.
SOCKADDR                       Triggered to record a socket address.
SOCKETCALL                     Triggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).
SYSCALL                        Triggered to record a system call to the kernel.
SYSTEM_BOOT                    Triggered when the system is booted up.
SYSTEM_RUNLEVEL                Triggered when the system's run level is changed.
SYSTEM_SHUTDOWN                Triggered when the system is shut down.
TEST                           Triggered to record the success value of a test message.

TRUSTED_APP                    The record of this type can be used by third-party applications that require auditing.
TTY                            Triggered when TTY input was sent to an administrative process.
USER_ACCT                      Triggered when a user-space user account is modified.
USER_AUTH                      Triggered when a user-space authentication attempt is detected.
USER_AVC                       Triggered when a user-space AVC message is generated.
USER_CHAUTHTOK                 Triggered when a user account attribute is modified.
USER_CMD                       Triggered when a user-space shell command is executed.
USER_END                       Triggered when a user-space session is terminated.
USER_ERR                       Triggered when a user account state error is detected.
USER_LABELED_EXPORT            Triggered when an object is exported with an SELinux label.
USER_LOGIN                     Triggered when a user logs in.
USER_LOGOUT                    Triggered when a user logs out.
USER_MAC_POLICY_LOAD           Triggered when a user-space daemon loads an SELinux policy.
USER_MGMT                      Triggered to record user-space management data.
USER_ROLE_CHANGE               Triggered when a user's SELinux role is changed.
USER_SELINUX_ERR               Triggered when a user-space SELinux error is detected.
USER_START                     Triggered when a user-space session is started.
USER_TTY                       Triggered when an explanatory message about TTY input to an administrative process is sent from user space.
USER_UNLABELED_EXPORT          Triggered when an object is exported without an SELinux label.
USYS_CONFIG                    Triggered when a user-space system configuration change is detected.
VIRT_CONTROL                   Triggered when a virtual machine is started, paused, or stopped.
VIRT_MACHINE_ID                Triggered to record the binding of a label to a virtual machine.
VIRT_RESOURCE                  Triggered to record resource assignment of a virtual machine.

[a] All Audit event types prepended with ANOM are intended to be processed by an intrusion detection program.
[b] This event type is related to the Integrity Measurement Architecture (IMA), which functions best with a Trusted Platform Module (TPM) chip.
[c] All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects malicious activity on the system.
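The following is an added example, not code from the guide, showing how the fields of Table B.1 and the record types of Table B.2 fit together in practice: it parses constructed Audit records of the type=... msg=audit(time:serial): name=value shape, groups the SYSCALL, CWD and PATH records of one event by the serial in the msg field, renders a negative exit value as its errno name the way ausearch --interpret does, compares auid with uid, and flags ANOM_ records as footnote [a] describes. The sample log lines and all helper names are constructed for this example.

```python
"""Parse and interpret Linux Audit records by the fields of Table B.1 and
the record types of Table B.2. Added example; sample lines are constructed."""
import errno
import re
from collections import defaultdict

# Constructed sample: a SYSCALL event whose CWD and PATH records share its
# serial (24287), followed by an ANOM_ABEND record with its own serial.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 obj=system_u:object_r:etc_t:s0
type=ANOM_ABEND msg=audit(1364481400.101:24290): auid=1000 uid=1000 gid=1000 ses=1 pid=3600 comm="helloworld.sh" sig=11
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <name>=<value> ...
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# A value is either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')


def parse_record(line):
    """Split one Audit record into its type, timestamp, serial and fields."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an Audit record: %r" % line)
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": fields}


def group_events(log_text):
    """Group records by serial: the records of one multi-record event
    (SYSCALL, CWD, PATH, EOE, ...) carry the same serial in msg=audit()."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def interpret_exit(fields):
    """Render the exit field the way `ausearch --interpret --exit` does:
    a negative value is -errno, so -13 becomes EACCES."""
    if "exit" not in fields:
        return None
    code = int(fields["exit"])
    if code < 0:
        return errno.errorcode.get(-code, "UNKNOWN(%d)" % code)
    return str(code)


def summarize(event):
    """Pull out the fields a responder checks first for one grouped event."""
    by_type = {r["type"]: r["fields"] for r in event}
    out = {"types": [r["type"] for r in event]}
    sc = by_type.get("SYSCALL")
    if sc is not None:
        out.update(success=sc.get("success"), exit=interpret_exit(sc),
                   auid=sc.get("auid"), uid=sc.get("uid"),
                   exe=sc.get("exe"), key=sc.get("key"))
        # auid is the login user and survives su; a mismatch with uid means
        # the process runs under a switched identity.
        out["switched_user"] = sc.get("auid") != sc.get("uid")
        # The PATH record names the object; CWD is where the call was made.
        out["path"] = by_type.get("PATH", {}).get("name")
        out["cwd"] = by_type.get("CWD", {}).get("cwd")
    # Footnote [a]: ANOM_* records are meant for an intrusion detection program.
    anomalies = [r for r in event if r["type"].startswith("ANOM_")]
    out["anomaly"] = bool(anomalies)
    if anomalies:
        out["sig"] = anomalies[0]["fields"].get("sig")
    return out
```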

Appendix C. Revision History

Revision 1-24        Mon Feb 6 2017       Mirek Jahoda
    Async release with misc. updates, especially in the firewalld section.
Revision 1-23        Tue Nov 1 2016       Mirek Jahoda
    Version for 7.3 GA publication.
Revision 1-19        Mon Jul 18 2016      Mirek Jahoda
    The Smart Cards section added.
Revision 1-18        Mon Jun 27 2016      Mirek Jahoda
    The OpenSCAP-daemon and Atomic Scan section added.
Revision 1-17        Fri Jun 3 2016       Mirek Jahoda
    Async release with misc. updates.
Revision 1-16        Tue Jan 5 2016       Robert Krátký
    Post 7.2 GA fixes.
Revision 1-15        Tue Nov 10 2015      Robert Krátký
    Version for 7.2 GA release.
Revision 1-14.18     Mon Nov 09 2015      Robert Krátký
    Async release with misc. updates.
Revision 1-14.17     Wed Feb 18 2015      Robert Krátký
    Version for 7.1 GA release.
Revision 1-14.15     Fri Dec 06 2014      Robert Krátký
    Update to sort order on the Red Hat Customer Portal.
Revision 1-14.13     Thu Nov 27 2014      Robert Krátký
    Updates reflecting the POODLE vuln.
Revision 1-14.12     Tue Jun 03 2014      Tomáš Čapek
    Version for 7.0 GA release.
