05 Security and Certificate Management

  • .

Introduction to Linux and SUSE Security

Security is a critical aspect of operating systems to protect data and resources from unauthorized access. Linux, including SUSE Linux Enterprise Server (SLES), provides various built-in security features such as file permissions, access control, firewalls, and user authentication.

  • Security principles in Linux:

    1. Principle of Least Privilege: Grant only the minimum necessary permissions.
    2. Audit and Logging: Always record system activity for early detection.
    3. Patch and Update: Ensure the system is always up to date to prevent vulnerability exploits.

File Permissions, ACL, and SELinux/AppArmor

File Permissions

Linux uses a file permission model to control access to files and directories.

  • Types of permissions:

    • Read (r)\*\*: Read a file or list a directory.
    • Write (w)\*\*: Modify a file or add files to a directory.
    • Execute (x)\*\*: Run a file or access a directory.

  • Managing file permissions:

    • View file permissions:

      ls -l

    • Change file permissions:

      chmod 750 file.txt

ACL (Access Control List)

ACL allows more granular permission settings compared to the traditional permission model.

  1. Enable ACL:
    Ensure the filesystem supports ACL:

    sudo mount -o remount,acl /dev/sdX1 /mnt

  2. Basic ACL Commands:

    • Add ACL:

      setfacl -m u:username:rwx file.txt

    • View ACL:

      getfacl file.txt

    • Remove ACL:

      setfacl -x u:username file.txt

SELinux dan AppArmor

SELinux and AppArmor are additional security mechanisms based on Mandatory Access Control (MAC).

  • SELinux:

    • Enforces security policies on services and applications.

    • Check SELinux status:

      sestatus

    • Change SELinux mode:

      sudo setenforce 0 # Permissive mode
sudo setenforce 1 # Enforcing mode

  • AppArmor:

    • AppArmor uses profiles to restrict application access.

    • View active profiles:

      sudo aa-status

    • Enforce a profile:

      sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx

Firewall Management

Firewall in SUSE Linux

SUSE Linux supports firewalld and SuSEfirewall2 for managing network rules.

  • Firewalld:

    • Start firewalld

      sudo systemctl start firewalld

    • Add a rule:

      sudo firewall-cmd --add-port=22/tcp –permanent
sudo firewall-cmd –reload

  • SuSEfirewall2:

    • Configuration in /etc/sysconfig/SuSEfirewall2.

    • Restart SuSEfirewall2:

      sudo systemctl restart SuSEfirewall2

Authentication and User Security

User Authentication

Linux manages user accounts using the /etc/passwd and /etc/shadow files.

  • Managing User Accounts:

    • Add a user:

      sudo useradd username
sudo passwd username

    • Delete a user:

      sudo userdel username

User Security

  1. Lock a User Account

    sudo passwd -l username

  2. Set Password Policy:
    Edit the /etc/security/pwquality.conf file:

    minlen = 12
dcredit = -1
ucredit = -1

Using SSH and Digital Certificates for Network Security

SSH (Secure Shell)

SSH is a protocol for secure remote access.

  • SSH Configuration:

    1. Install the SSH package:

      sudo zypper install openssh

    2. Start the SSH service:

      sudo systemctl start sshd

    3. Configure /etc/ssh/sshd_config for additional security:

      PermitRootLogin no
PasswordAuthentication no

Digital Certificates

Digital certificates are used to encrypt communications and verify identities.

  • Generate an SSH key:

    1. Create an SSH key pair:

      ssh-keygen -t rsa -b 4096

    2. Copy the public key to the server:

      ssh-copy-id user@hostname

  • Using OpenSSL for Certificates

    1. Generate a private key:

      openssl genrsa -out private.key 2048

    2. Create a certificate request:

      openssl req -new -key private.key -out request.csr

    3. Create a self-signed certificate:

      openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt