Paranoid Penguin - Security Features in SUSE 10.0
Over the years, we've seen more and better security features incorporated into our favorite Linux distributions. Distribution-specific security awareness manifests itself in many ways, including:
Availability of security-enhancing applications.
“Hardening” functionality in setup/installation scripts.
The way patches are handled.
Default settings of network applications.
This month, I begin a series of three articles on distribution-specific security in SUSE Linux, Debian GNU/Linux and Red Hat Enterprise Linux. These are the three distributions with which I've had the most experience, and they are arguably the three most popular. (But as with anything, if you want to contribute an article about your own favorite distribution, go for it! See our author's guide at www.linuxjournal.com/xstatic/author/authguide.)
I'll start with SUSE 10.0. SUSE is a general-purpose, commercially produced Linux distribution developed for Intel 32- and 64-bit platforms. Originally based in Germany and still primarily developed there, SUSE is now owned by Novell. There are a number of different SUSE products, including SUSE Linux, a “personal” version available from numerous retail outlets; SUSE Linux Enterprise Server, an “enterprise-grade” version available directly from Novell; and OpenSUSE, which is essentially the same as SUSE Linux but without installation media (it's installable only over the Internet), printed manuals or installation support.
The basis of this article is SUSE Linux 10.0, that is, the commercial “personal use” version. Everything I say here should be equally applicable to OpenLinux 10.0, and mostly relevant to the Enterprise versions of SUSE. Presumably, the Enterprise versions include additional security-related packages and features.
System security begins with installation. This is your first opportunity to make crucial decisions concerning what role the system will play, which software the system will run and how the system will be configured. Therefore, it's useful to begin our discussion of SUSE security with the installation process.
All versions of SUSE use YaST (Yet Another Setup Tool) both for initial system installation and for ongoing system administration. Over the years, YaST has evolved from a simple RPM front end to a modular, comprehensive administration tool that can be used to configure not only low-level system software but also complex server applications such as Apache and Postfix.
We'll talk more about YaST shortly. Your immediate problem during initial OS installation, however, is deciding which software packages to install. And if you're security-focused, this is a happy problem. SUSE Linux 10.0 offers a wide variety of security applications from which to choose.
In my view, these applications fall into two categories: system security applications and security-scanning applications. The former include both general-purpose applications with strong security features—Postfix springs instantly to mind—and applications whose sole purpose is providing security controls to other applications or to the underlying operating system, of which tcpwrappers is a classic example. Table 1 lists the packages in SUSE Linux 10.0 that enhance system security.
Table 1. Some Security-Enhancing Packages in SUSE Linux 10.0
|aide, fam||File integrity checkers, both similar to Tripwire.|
|bind-chrootenv||Automatically creates a chroot environment in which to run BIND (the DNS daemon) more securely.|
|clamav, antivir||Antivirus packages—clamav is completely free, but antivir is commercial (free for personal use).|
|cracklib||Library and utilities to prevent users from choosing easily guessed passwords.|
|gpg, gpg2, gpa||GNU Privacy Guard (gpg), a versatile and ubiquitous e-mail- and file-encryption utility.|
|ipsectools, openswan||Tools for building IPsec-based virtual private networks.|
|openldap, freeradius||Open-source authentication daemons.|
|proxy-suite||An FTP security proxy developed by SUSE.|
|seccheck||SUSE-customized cron scripts that perform various security checks against logs, system state and so on, and send e-mail reports to you.|
|subdomain-utils, subdomain-profiles, mod-change-hat and so on||AppArmor, a mandatory access control (MAC) system that restricts the behavior of specific binaries. SUSE uses this instead of SELinux, which it closely resembles.|
|squid, SquidGuard||Squid is a popular HTTP/HTTPS proxy. SquidGuard adds access controls and other security features.|
|SUSEfirewall||SUSE's handy front end for Linux's netfilter/iptables.|
|syslog-ng||Advanced system logger, much more powerful than syslogd. syslog-ng is SUSE's default logger.|
|tinyca2||Front end to OpenSSL for managing Certificate Authorities.|
|vsftpd||The Very Secure FTP Daemon.|
|xen, FAUmachine, uml-utilities, bochs||The Xen, FAUmachine, User Mode Linux and BOCHS virtual machine environments.|
Actually, the lengthy list of packages in Table 1 represents only particular favorites of mine and SUSE-specific selections. SUSE includes many, many more system security tools, including tcpd (tcpwrappers), openssl, chkrootkit, sudo and wipe. You can view the full list of packages included in SUSE Linux 10.0 at www.novell.com/products/linuxpackages/professional/index_all.html.
Besides securing the system on which you install SUSE, you may be interested in using a SUSE system to validate the security of other systems or of entire networks. SUSE is a good choice for this. Table 2 shows some SUSE Linux 10.0 packages that can be used for security scanning. Note that you should never install these packages (except perhaps Snort) on any Internet-connected server. Each is of much greater use to an attacker than it is to you in that context. Scanning software should be performed from systems that are normally kept out of harm's way.
Table 2. Security Scanners in SUSE Linux 10.0
|ethereal, tcpdump||Excellent packet sniffers.|
|fping||Flood ping (multiple-target ping).|
|john||John the Ripper, a password-cracking tool (legitimately used for identifying weak passwords).|
|kismet||Wireless LAN sniffer.|
|nessus-core, nessus-libraries||The Nessus general-purpose security scanner.|
|nmap||Undisputed king of port scanners.|
|snort||Outstanding packet sniffer, packet logger and intrusion detection system.|
If you're new to SUSE, you should be aware that by default, YaST uses a Selections filter (view) for selecting packages, in which only a small subset of all available packages is offered to you. If you don't see something you need in this view, for example, nessus-core, use the Package Groups filter to see a more complete set of categories. If you want to see a single list of all packages in alphabetical order, simply set the filter to Package Groups and click on the group zzz All (Figure 1).
You also can set the filter to Search to search for packages by name or keyword.
After you've selected and installed all software packages, YaST allows you to set the root password and create the first (nonroot) user account. By default, SUSE uses Blowfish for password encryption, and YaST checks the password you type for complexity. (Too-simple a password can be easily guessed or brute-force cracked by an attacker.)
You're also given the opportunity to enable local firewall scripts (enabled by default), and the SSH and VNC remote-shell daemons (both disabled by default). Note that of the latter two, SSH is the best choice for administering bastion hosts (hardened Internet servers)--among other reasons, you shouldn't be using the X Window System on bastion hosts unless you've got a very specific, very compelling reason. YaST, it should be noted, runs perfectly well in text (ncurses) mode, with exactly the same modules and options as the X version. Also, tightvnc, the version of the VNC remote-desktop tool shipped with SUSE, doesn't encrypt session data, only authentication data.
Note also that at installation time, you aren't given the opportunity to customize your local firewall settings. Initially, a default script is used that provides a simple “allow all outbound transactions, allow nothing inbound that wasn't initiated locally” policy. In other words, the default SUSEfirewall script is perfectly appropriate for most desktop systems, but it is inadequate for server use. You can change this later on by running YaST's Firewall module.
YaST then lets you choose from the following methods for authenticating nonroot users:
local /etc/passwd file (default).
Samba (Windows NT Domains).
Active Directory authentication is also supported in SUSE Linux 10.0, via Kerberos.
Once you've selected an authentication method, you can create your first nonroot user account. Be sure to leave Automatic Logon disabled unless your system has very low security requirements indeed—enabling this causes the machine to log in your nonroot user automatically at boot time. (About the only situation in which this is a good idea, I think, is for kiosk-type systems!)
And that's it—SUSE installation is now finished! Your job as a security-conscious system administrator, however, is not.
Editorial Advisory Panel
Thank you to our 2014 Editorial Advisors!
- Jeff Parent
- Brad Baillio
- Nick Baronian
- Steve Case
- Chadalavada Kalyana
- Caleb Cullen
- Keir Davis
- Michael Eager
- Nick Faltys
- Dennis Frey
- Philip Jacob
- Jay Kruizenga
- Steve Marquez
- Dave McAllister
- Craig Oda
- Mike Roberts
- Chris Stark
- Patrick Swartz
- David Lynch
- Alicia Gibb
- Thomas Quinlan
- Carson McDonald
- Kristen Shoemaker
- Charnell Luchich
- James Walker
- Victor Gregorio
- Hari Boukis
- Brian Conner
- David Lane