Paranoid Penguin - Security Features in SUSE 10.0
Over the years, we've seen more and better security features incorporated into our favorite Linux distributions. Distribution-specific security awareness manifests itself in many ways, including:
Availability of security-enhancing applications.
“Hardening” functionality in setup/installation scripts.
The way patches are handled.
Default settings of network applications.
This month, I begin a series of three articles on distribution-specific security in SUSE Linux, Debian GNU/Linux and Red Hat Enterprise Linux. These are the three distributions with which I've had the most experience, and they are arguably the three most popular. (But as with anything, if you want to contribute an article about your own favorite distribution, go for it! See our author's guide at www.linuxjournal.com/xstatic/author/authguide.)
I'll start with SUSE 10.0. SUSE is a general-purpose, commercially produced Linux distribution developed for Intel 32- and 64-bit platforms. Originally based in Germany and still primarily developed there, SUSE is now owned by Novell. There are a number of different SUSE products, including SUSE Linux, a “personal” version available from numerous retail outlets; SUSE Linux Enterprise Server, an “enterprise-grade” version available directly from Novell; and OpenSUSE, which is essentially the same as SUSE Linux but without installation media (it's installable only over the Internet), printed manuals or installation support.
The basis of this article is SUSE Linux 10.0, that is, the commercial “personal use” version. Everything I say here should be equally applicable to OpenLinux 10.0, and mostly relevant to the Enterprise versions of SUSE. Presumably, the Enterprise versions include additional security-related packages and features.
System security begins with installation. This is your first opportunity to make crucial decisions concerning what role the system will play, which software the system will run and how the system will be configured. Therefore, it's useful to begin our discussion of SUSE security with the installation process.
All versions of SUSE use YaST (Yet Another Setup Tool) both for initial system installation and for ongoing system administration. Over the years, YaST has evolved from a simple RPM front end to a modular, comprehensive administration tool that can be used to configure not only low-level system software but also complex server applications such as Apache and Postfix.
We'll talk more about YaST shortly. Your immediate problem during initial OS installation, however, is deciding which software packages to install. And if you're security-focused, this is a happy problem. SUSE Linux 10.0 offers a wide variety of security applications from which to choose.
In my view, these applications fall into two categories: system security applications and security-scanning applications. The former include both general-purpose applications with strong security features—Postfix springs instantly to mind—and applications whose sole purpose is providing security controls to other applications or to the underlying operating system, of which tcpwrappers is a classic example. Table 1 lists the packages in SUSE Linux 10.0 that enhance system security.
Table 1. Some Security-Enhancing Packages in SUSE Linux 10.0
|aide, fam||File integrity checkers, both similar to Tripwire.|
|bind-chrootenv||Automatically creates a chroot environment in which to run BIND (the DNS daemon) more securely.|
|clamav, antivir||Antivirus packages—clamav is completely free, but antivir is commercial (free for personal use).|
|cracklib||Library and utilities to prevent users from choosing easily guessed passwords.|
|gpg, gpg2, gpa||GNU Privacy Guard (gpg), a versatile and ubiquitous e-mail- and file-encryption utility.|
|ipsectools, openswan||Tools for building IPsec-based virtual private networks.|
|openldap, freeradius||Open-source authentication daemons.|
|proxy-suite||An FTP security proxy developed by SUSE.|
|seccheck||SUSE-customized cron scripts that perform various security checks against logs, system state and so on, and send e-mail reports to you.|
|subdomain-utils, subdomain-profiles, mod-change-hat and so on||AppArmor, a mandatory access control (MAC) system that restricts the behavior of specific binaries. SUSE uses this instead of SELinux, which it closely resembles.|
|squid, SquidGuard||Squid is a popular HTTP/HTTPS proxy. SquidGuard adds access controls and other security features.|
|SUSEfirewall||SUSE's handy front end for Linux's netfilter/iptables.|
|syslog-ng||Advanced system logger, much more powerful than syslogd. syslog-ng is SUSE's default logger.|
|tinyca2||Front end to OpenSSL for managing Certificate Authorities.|
|vsftpd||The Very Secure FTP Daemon.|
|xen, FAUmachine, uml-utilities, bochs||The Xen, FAUmachine, User Mode Linux and BOCHS virtual machine environments.|
Actually, the lengthy list of packages in Table 1 represents only particular favorites of mine and SUSE-specific selections. SUSE includes many, many more system security tools, including tcpd (tcpwrappers), openssl, chkrootkit, sudo and wipe. You can view the full list of packages included in SUSE Linux 10.0 at www.novell.com/products/linuxpackages/professional/index_all.html.
Besides securing the system on which you install SUSE, you may be interested in using a SUSE system to validate the security of other systems or of entire networks. SUSE is a good choice for this. Table 2 shows some SUSE Linux 10.0 packages that can be used for security scanning. Note that you should never install these packages (except perhaps Snort) on any Internet-connected server. Each is of much greater use to an attacker than it is to you in that context. Scanning software should be performed from systems that are normally kept out of harm's way.
Table 2. Security Scanners in SUSE Linux 10.0
|ethereal, tcpdump||Excellent packet sniffers.|
|fping||Flood ping (multiple-target ping).|
|john||John the Ripper, a password-cracking tool (legitimately used for identifying weak passwords).|
|kismet||Wireless LAN sniffer.|
|nessus-core, nessus-libraries||The Nessus general-purpose security scanner.|
|nmap||Undisputed king of port scanners.|
|snort||Outstanding packet sniffer, packet logger and intrusion detection system.|
If you're new to SUSE, you should be aware that by default, YaST uses a Selections filter (view) for selecting packages, in which only a small subset of all available packages is offered to you. If you don't see something you need in this view, for example, nessus-core, use the Package Groups filter to see a more complete set of categories. If you want to see a single list of all packages in alphabetical order, simply set the filter to Package Groups and click on the group zzz All (Figure 1).
You also can set the filter to Search to search for packages by name or keyword.
After you've selected and installed all software packages, YaST allows you to set the root password and create the first (nonroot) user account. By default, SUSE uses Blowfish for password encryption, and YaST checks the password you type for complexity. (Too-simple a password can be easily guessed or brute-force cracked by an attacker.)
You're also given the opportunity to enable local firewall scripts (enabled by default), and the SSH and VNC remote-shell daemons (both disabled by default). Note that of the latter two, SSH is the best choice for administering bastion hosts (hardened Internet servers)--among other reasons, you shouldn't be using the X Window System on bastion hosts unless you've got a very specific, very compelling reason. YaST, it should be noted, runs perfectly well in text (ncurses) mode, with exactly the same modules and options as the X version. Also, tightvnc, the version of the VNC remote-desktop tool shipped with SUSE, doesn't encrypt session data, only authentication data.
Note also that at installation time, you aren't given the opportunity to customize your local firewall settings. Initially, a default script is used that provides a simple “allow all outbound transactions, allow nothing inbound that wasn't initiated locally” policy. In other words, the default SUSEfirewall script is perfectly appropriate for most desktop systems, but it is inadequate for server use. You can change this later on by running YaST's Firewall module.
YaST then lets you choose from the following methods for authenticating nonroot users:
local /etc/passwd file (default).
Samba (Windows NT Domains).
Active Directory authentication is also supported in SUSE Linux 10.0, via Kerberos.
Once you've selected an authentication method, you can create your first nonroot user account. Be sure to leave Automatic Logon disabled unless your system has very low security requirements indeed—enabling this causes the machine to log in your nonroot user automatically at boot time. (About the only situation in which this is a good idea, I think, is for kiosk-type systems!)
And that's it—SUSE installation is now finished! Your job as a security-conscious system administrator, however, is not.
|Designing Electronics with Linux||May 22, 2013|
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
- Linux Systems Administrator
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- New Products
- Designing Electronics with Linux
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Dynamic DNS—an Object Lesson in Problem Solving
- Using Salt Stack and Vagrant for Drupal Development
- Evernote is much more...
58 min 56 sec ago
- Reply to comment | Linux Journal
9 hours 44 min ago
- Dynamic DNS
10 hours 18 min ago
- Reply to comment | Linux Journal
11 hours 16 min ago
- Reply to comment | Linux Journal
12 hours 7 min ago
- Not free anymore
16 hours 8 min ago
19 hours 56 min ago
- Reply to comment | Linux Journal
20 hours 4 min ago
- Understanding the Linux Kernel
22 hours 18 min ago
1 day 48 min ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?