2 Security Guidelines
This chapter provides guidelines that help secure your Oracle Linux system.
For information about how to use OpenSCAP to scan a system for vulnerabilities, see Using OpenSCAP to Scan for Vulnerabilities.
Minimizing the Software Footprint
On systems on which Oracle Linux has been installed, remove unneeded RPMs to minimize the software footprint. For example, you could uninstall the X Windows package (xorg-x11-server-Xorg) if it is not required on a server system.
To discover which package provides a given command or file, use the yum provides command, as shown in the following example:
yum provides /usr/sbin/sestatus
...
policycoreutils-2.0.83-19.24.0.1.el6.x86_64 : SELinux policy core utilities
Repo        : installed
Matched from:
Other       : Provides-match: /usr/sbin/sestatus
The repoquery command, which is provided by the yum-utils package, lists the files that a package provides. For example, the following command lists the files that the btrfs-progs package provides.
repoquery -l btrfs-progs
/sbin/btrfs
/sbin/btrfs-convert
/sbin/btrfs-debug-tree
...
To uninstall a package, use the yum remove command, as shown in this example:
sudo yum remove xinetd
Loaded plugins: refresh-packagekit, security
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package xinetd.x86_64 2:2.3.14-35.el6_3 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch        Version                 Repository          Size
================================================================================
Removing:
 xinetd         x86_64      2:2.3.14-35.el6_3       @ol6_latest        259 k

Transaction Summary
================================================================================
Remove        1 Package(s)

Installed size: 259 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing    : 2:xinetd-2.3.14-35.el6_3.x86_64                              1/1
  Verifying  : 2:xinetd-2.3.14-35.el6_3.x86_64                              1/1

Removed:
  xinetd.x86_64 2:2.3.14-35.el6_3

Complete!
The following list contains packages that you should not install or that you should remove using the yum remove command if they are already installed.
- krb5-appl-clients: Kerberos versions of ftp, rcp, rlogin, rsh and telnet. If possible, use SSH instead.
- rsh, rsh-server: rcp, rlogin, and rsh use unencrypted communication that can be snooped. Use SSH instead.
- samba: Network services used by Samba. Remove this package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.
- talk, talk-server: talk is considered obsolete.
- telnet, telnet-server: telnet uses unencrypted communication that can be snooped. Use SSH instead.
- tftp, tftp-server: TFTP uses unencrypted communication that can be snooped. Use only if required to support legacy hardware. If possible, use SSH or another secure protocol instead.
- xinetd: The security model used by the Internet listener daemon is deprecated.
- ypbind, ypserv: The security model used by NIS is inherently flawed. Use an alternative such as LDAP or Kerberos instead.
Configuring System Logging
Verify that the rsyslog logging service is running:
sudo systemctl is-active rsyslog
active
If the rsyslogd service is not running, start it and enable it to start when the system is rebooted:
sudo systemctl start rsyslog
sudo systemctl enable rsyslog
Ensure that each log file referenced in /etc/rsyslog.conf exists and is owned and only readable by root:
touch logfile
sudo chown root:root logfile
sudo chmod 0600 logfile
It is also recommended that you use a central log server and that you configure Logwatch on that server. See Configuring and Using System Logging.
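As an added example (not from the Oracle Linux documentation), the following POSIX shell script checks every file target named in an rsyslog configuration for existence, root:root ownership and mode 0600; it assumes the classic selector/path configuration syntax and GNU stat, and demonstrates itself on a constructed configuration.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: audit the file
# targets named in an rsyslog configuration. For every file target it checks
# that the file exists, is owned by the expected user and group, and has
# mode 0600, which is what the guideline above asks for.
# Assumptions: the configuration uses the classic "selector  /path" action
# form (an optional leading "-" means "no sync"), and GNU stat is available.

# Print the file targets named in configuration file $1, one per line.
# Comment lines, network actions and device nodes under /dev are ignored.
log_targets() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        NF >= 2 && $2 ~ /^-?\// { sub(/^-/, "", $2); if ($2 !~ /^\/dev\//) print $2 }
    ' | sort -u
}

# Check every target of configuration $1 against owner $2 and group $3
# (both default to root). Prints OK, MISSING or FIX per file; returns 1 if
# anything needs attention.
check_log_files() {
    cfg=$1; owner=${2:-root}; group=${3:-root}; bad=0
    for f in $(log_targets "$cfg"); do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; bad=1; continue
        fi
        set -- $(stat -c '%U %G %a' "$f")
        if [ "$1" != "$owner" ] || [ "$2" != "$group" ] || [ "$3" != "600" ]; then
            echo "FIX $f (owner $1:$2, mode $3)"; bad=1
        else
            echo "OK $f"
        fi
    done
    return $bad
}

# Demonstration on a constructed configuration in a temporary directory.
# The expected owner is the current user so the demo is deterministic;
# on a real system call: check_log_files /etc/rsyslog.conf root root
demo_log_check() {
    d=$(mktemp -d)
    mkdir -p "$d/var/log"
    cat > "$d/rsyslog.conf" <<EOF
# constructed sample configuration
*.info;mail.none;authpriv.none;cron.none   $d/var/log/messages
authpriv.*                                 $d/var/log/secure
mail.*                                    -$d/var/log/maillog
*.emerg                                    :omusrmsg:*
EOF
    : > "$d/var/log/messages"; chmod 0600 "$d/var/log/messages"
    : > "$d/var/log/secure";   chmod 0644 "$d/var/log/secure"
    # maillog is deliberately not created, so it must be reported as MISSING
    check_log_files "$d/rsyslog.conf" "$(id -un)" "$(id -gn)" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}
```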
Disabling Core Dumps
Core dumps can contain information that an attacker might be able to exploit, and they take up a large amount of disk space. To prevent the system from creating core dumps when the operating system terminates a program due to a segmentation violation or other unexpected error, add the following line to /etc/security/limits.conf:
* hard core 0
You can restrict access to core dumps to certain users or groups, as described in the limits.conf(5) manual page.
By default, the system prevents setuid and setgid programs, programs that have changed credentials, and programs whose binaries do not have read permission from dumping core. To ensure that the setting is permanently recorded, add the following lines to /etc/sysctl.conf:
# Disallow core dumping by setuid and setgid programs
fs.suid_dumpable = 0
Then, run the sysctl -p command.
Note:
A value of 1 permits core dumps that are readable by the owner of the dumping process. A value of 2 permits core dumps that are readable only by root for debugging purposes.
Minimizing Active Services
Restrict services to only those that a server requires. The default installation for an Oracle Linux server configures a minimal set of services:
- cupsd and lpd (print services)
- sendmail (email delivery service)
- sshd (OpenSSH services)
If possible, configure one type of service per physical machine, virtual machine, or Linux Container. This technique limits exposure if a system is compromised.
If a service is not used, remove the software packages that are associated with the service. If it is not possible to remove a service because of software dependencies, use the chkconfig and service commands to disable the service.
For services that are in use, apply the latest Oracle support patches and security updates to keep software packages up to date.
To protect against unauthorized changes, ensure that the /etc/services file is owned by root and writable only by root.
ls -Z /etc/services
-rw-r--r--. root root system_u:object_r:etc_t:SystemLow /etc/services
Unless specifically stated otherwise, consider disabling the services that are described in the following list, if they are not used on your system.
- anacron: Executes commands periodically. Primarily intended for use on laptop and user desktop machines that do not run continuously.
- automount: Manages mount points for the automatic file-system mounter. Disable this service on servers that do not require automounter functionality.
- bluetooth: Supports the connections of Bluetooth devices. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.
- gpm: (General Purpose Mouse) Provides support for the mouse pointer in a text console.
- hidd: (Bluetooth Human Interface Device daemon) Provides support for Bluetooth input devices such as a keyboard or mouse. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.
- irqbalance: Distributes hardware interrupts across processors on a multiprocessor system. Disable this service on servers that do not require this functionality.
- iscsi: Controls logging in to iSCSI targets and scanning of iSCSI devices. Disable this service on servers that do not access iSCSI devices.
- iscsid: Implements control and management for the iSCSI protocol. Disable this service on servers that do not access iSCSI devices.
- kdump: Enables a kdump kernel to be loaded into memory at boot time or a kernel dump to be saved if the system panics. Disable this service on servers that you do not use for debugging or testing.
- mcstrans: Controls the SELinux Context Translation System service.
- mdmonitor: Checks the status of all software RAID arrays on the system. Disable this service on servers that do not use software RAID.
- pcscd: (PC/SC Smart Card Daemon) Supports communication with smart-card readers. Primarily intended for use on laptop and user desktop machines to support smart-card authentication. Disable this service on servers that do not use smart-card authentication.
- sandbox: Sets up /tmp, /var/tmp, and home directories to be used with the pam_namespace, sandbox, and xguest application confinement utilities. Disable this service if you do not use these programs.
- setroubleshoot: Controls the SELinux Troubleshooting service, which provides information about SELinux Access Vector Cache (AVC) denials to the sealert tool.
- smartd: Communicates with the Self-Monitoring, Analysis and Reporting Technology (SMART) systems that are integrated into many ATA-3 and later, and SCSI-3 disk drives. SMART systems monitor disk drives to measure reliability, predict disk degradation and failure, and perform drive testing.
- xfs: Caches fonts in memory to improve the performance of X Window System applications.
Consider disabling the network services that are described in the following list, if they are not used on your system.
- avahi-daemon: Implements Apple's Zero configuration networking (also known as Rendezvous or Bonjour). Primarily intended for use on laptop and user desktop machines to support music and file sharing. Disable this service on servers that do not require this functionality.
- cups: Implements the Common UNIX Printing System. Disable this service on servers that do not need to provide this functionality.
- hplip: Implements HP Linux Imaging and Printing to support faxing, printing, and scanning operations on HP inkjet and laser printers. Disable this service on servers that do not require this functionality.
- isdn: (Integrated Services Digital Network) Provides support for network connections over ISDN devices. Disable this service on servers that do not directly control ISDN devices.
- netfs: Mounts and unmounts network file systems, including NCP, NFS, and SMB. Disable this service on servers that do not require this functionality.
- network: Activates all network interfaces that are configured to start at boot time.
- NetworkManager: Switches network connections automatically to use the best connection that is available.
- nfslock: Implements the Network Status Monitor (NSM) used by NFS. Disable this service on servers that do not require this functionality.
- nmb: Provides NetBIOS name services used by Samba. Disable this service and remove the samba package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.
- portmap: Implements Remote Procedure Call (RPC) support for NFS. Disable this service on servers that do not require this functionality.
- rhnsd: Queries the Unbreakable Linux Network (ULN) for updates and information.
- rpcgssd: Used by NFS. Disable this service on servers that do not require this functionality.
- rpcidmapd: Used by NFS. Disable this service on servers that do not require this functionality.
- smb: Provides SMB network services used by Samba. Disable this service and remove the samba package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.
To stop a service and prevent it from starting when you reboot the system, use the following commands:
sudo systemctl stop service_name
sudo systemctl disable service_name
Locking Down Network Services
Note:
It is recommended that you do not install the xinetd Internet listener daemon. If you do not need this service, remove the package altogether by using the yum remove xinetd command.
If you must enable xinetd on your system, minimize the network services that xinetd can launch by disabling those services that are defined in the configuration files in /etc/xinetd.d and which are not needed.
To counter potential Denial of Service (DoS) attacks, you can configure the resource limits for such services by editing /etc/xinetd.conf and related configuration files. For example, you can set limits for the connection rate, the number of connection instances to a service, and the number of connections from an IP address:
# Maximum number of connections per second and
# number of seconds for which a service is disabled
# if the maximum number of connections is exceeded
cps = 50 10
# Maximum number of connections to a service
instances = 50
# Maximum number of connections from an IP address
per_source = 10
For more information, see the xinetd(8) and xinetd.conf(5) manual pages.
Configuring a Packet-Filtering Firewall
You can configure the Netfilter feature to act as a packet-filtering firewall that uses rules to determine whether network packets are received, dropped, or forwarded.
The primary interfaces for configuring the packet-filter rules are the firewall-cmd command and the Firewall Configuration GUI (firewall-config) or the iptables and ip6tables utilities. By default, the rules should drop any packets that are not destined for a service that the server hosts or that originate from networks other than those to which you want to allow access.
In addition, you can use Network Address Translation (NAT) to hide IP addresses behind a public IP address, and IP masquerading to alter IP header information for routed packets. You can also set rule-based packet logging and define a dedicated log file in /etc/syslog.conf.
For more information, see Configuring Packet-filtering Firewalls.
Configuring TCP Wrappers
The TCP wrappers feature mediates requests from clients to services, and controls access based on rules that you define in the /etc/hosts.deny and /etc/hosts.allow files. You can restrict and permit service access for specific hosts or whole networks. A common way of using TCP wrappers is to detect intrusion attempts. For example, if a known malicious host or network attempts to access a service, you can deny access and send a warning message about the event to a log file or to the system console.
For more information, see Configuring TCP Wrappers.
Configuring Kernel Parameters
You can use several kernel parameters to counteract various kinds of attack.
- kernel.randomize_va_space: Controls Address Space Layout Randomization (ASLR), which can help defeat certain types of buffer overflow attacks. A value of 0 disables ASLR, 1 randomizes the positions of the stack, virtual dynamic shared object (VDSO) page, and shared memory regions, and 2 randomizes the positions of the stack, VDSO page, shared memory regions, and the data segment. The default and recommended setting is 2.
- net.ipv4.conf.all.accept_source_route: Controls the handling of source-routed packets, which might have been generated outside the local network. A value of 0 rejects such packets, and 1 accepts them. The default and recommended setting is 0.
- net.ipv4.conf.all.rp_filter: Controls reverse-path filtering of received packets to counter IP address spoofing. A value of 0 disables source validation, 1 causes packets to be dropped if the routing table entry for their source address does not match the network interface on which they arrive, and 2 causes packets to be dropped if source validation by reverse path fails (see RFC 1812). The default setting is 0. A value of 2 can cause otherwise valid packets to be dropped if the local network topology is complex and RIP or static routes are used.
- net.ipv4.icmp_echo_ignore_broadcasts: Controls whether ICMP broadcasts are ignored to protect against Smurf DoS attacks. A value of 1 ignores such broadcasts, and 0 accepts them. The default and recommended setting is 1.
- net.ipv4.icmp_ignore_bogus_error_responses: Controls whether bogus ICMP error responses are ignored. A value of 1 ignores such messages, and 0 accepts them. The default and recommended setting is 1.
To change the value of a kernel parameter, add the setting to /etc/sysctl.conf, for example:
kernel.randomize_va_space = 1
Then, run the sysctl -p command.
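As an added example (not from the Oracle Linux documentation), this POSIX shell script reads the parameters above from /proc/sys, reports which differ from the recommended values, and prints the sysctl.conf lines that would correct them; the rp_filter value of 1 is this example's own choice, and the demonstration runs against a constructed /proc/sys tree.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: compare the
# running values of the kernel parameters described above with the
# recommended settings and print the /etc/sysctl.conf lines that would
# correct any that differ. Values are read from the /proc/sys tree rather
# than via sysctl, and the tree's root is a parameter so the functions can
# be exercised against a constructed tree.

# Recommended values, one "key value" per line. The first, second, fourth
# and fifth are the recommendations stated above; rp_filter=1 (strict
# reverse-path filtering) is this example's choice, since the guideline
# leaves that value to the site's network topology.
RECOMMENDED='kernel.randomize_va_space 2
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1'

# Print the current value of parameter $1 from the tree rooted at $2
# (default /proc/sys); fails if the parameter is not readable.
sysctl_value() {
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# Audit every recommended parameter in the tree rooted at $1. Prints one
# "OK" or "MISMATCH" line per parameter and returns 1 if any differ.
audit_sysctl() {
    root=${1:-/proc/sys}; bad=0
    while read -r key want; do
        have=$(sysctl_value "$key" "$root") || have='unreadable'
        if [ "$have" = "$want" ]; then
            echo "OK $key = $have"
        else
            echo "MISMATCH $key is $have, want $want"; bad=1
        fi
    done <<EOF
$RECOMMENDED
EOF
    return $bad
}

# Print the sysctl.conf lines that would fix the mismatches found by
# audit_sysctl in the tree rooted at $1.
sysctl_fix_lines() {
    audit_sysctl "$1" | awk '$1 == "MISMATCH" { print $2 " = " $6 }'
}

# Demonstration against a constructed /proc/sys tree in which source
# routing is accepted and ICMP broadcasts are answered.
demo_sysctl_audit() {
    d=$(mktemp -d)
    for kv in 'kernel/randomize_va_space 2' \
              'net/ipv4/conf/all/accept_source_route 1' \
              'net/ipv4/conf/all/rp_filter 1' \
              'net/ipv4/icmp_echo_ignore_broadcasts 0' \
              'net/ipv4/icmp_ignore_bogus_error_responses 1'; do
        set -- $kv
        mkdir -p "$d/$(dirname "$1")"
        echo "$2" > "$d/$1"
    done
    sysctl_fix_lines "$d"
    rm -rf "$d"
}
```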
For additional security configurations on the kernel, see Configuring and Using Kernel Security Mechanisms.
Restricting Access to SSH Connections
The Secure Shell (SSH) allows protected, encrypted communication with other systems. As SSH is an entry point into the system, disable it if it is not required, or alternatively, edit the /etc/ssh/sshd_config file to restrict its use.
For example, the following setting does not allow root to log in using SSH:
PermitRootLogin no
You can restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups settings, for example:
DenyUsers carol dan
AllowUsers alice bob
The ClientAliveInterval and ClientAliveCountMax settings cause the SSH client to time out automatically after a period of inactivity, for example:
# Disconnect client after 300 seconds of inactivity
ClientAliveCountMax 0
ClientAliveInterval 300
After changing the configuration file, restart the sshd service for the changes to take effect.
For more information, see the sshd_config(5) manual page.
Configuring File System Mounts, File Permissions, and File Ownership
Use separate disk partitions for operating system and user data to prevent a file system full issue from impacting the operation of a server. For example, you might create separate partitions for /home, /tmp, p, /oracle, and so on.
Establish disk quotas to prevent a user from accidentally or intentionally filling up a file system and denying access to other users.
To prevent the operating system files and utilities from being altered during an attack, mount the /usr file system read-only. If you need to update any RPMs on the file system, use the -o remount,rw option with the mount command to remount /usr for both read and write access. After performing the update, use the -o remount,ro option to return the /usr file system to read-only mode.
To limit user access to non-root local file systems such as /tmp or removable storage partitions, specify the -o noexec,nosuid,nodev options to mount. These options prevent the execution of binaries (but not scripts), prevent the setuid bit from having any effect, and prevent the use of device files.
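As an added example (not from the Oracle Linux documentation), this POSIX shell script parses a mount table in /proc/self/mounts format and reports whether /tmp carries noexec, nosuid and nodev and whether /usr is read-only; the choice of those two mount points is the example's own, and the demonstration uses a constructed table.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: verify that
# /tmp is mounted with the noexec, nosuid and nodev options and that /usr
# is mounted read-only, as recommended above. The mount table is read from
# a file (normally /proc/self/mounts) so the check can also be run against
# a constructed table; the mount points audited are this example's choice.

# Report whether mount point $2 in mount table $1 carries every option in
# the comma-separated list $3. Prints OK, MISSING or NOTMOUNTED and returns
# 1 when the mount point is absent or an option is missing.
check_mount_opts() {
    table=$1; mp=$2; want=$3
    # Field 4 of a mounts line is the option list; the last matching line
    # wins, which is the mount currently visible at that path.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then
        echo "NOTMOUNTED $mp"; return 1
    fi
    missing=''
    for o in $(printf '%s' "$want" | tr , ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "MISSING $mp:$missing"; return 1
    fi
    echo "OK $mp ($opts)"
}

# Audit the mount points covered by the guideline; returns the number of
# mount points that need attention.
audit_mounts() {
    table=${1:-/proc/self/mounts}; fails=0
    check_mount_opts "$table" /tmp noexec,nosuid,nodev || fails=$((fails + 1))
    check_mount_opts "$table" /usr ro || fails=$((fails + 1))
    return $fails
}

# Demonstration on a constructed mount table: /tmp lacks noexec and /usr
# is still writable, so both are reported.
demo_mount_audit() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
/dev/mapper/ol-root / xfs rw,relatime,attr2,inode64 0 0
/dev/mapper/ol-usr /usr xfs rw,relatime,attr2,inode64 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
EOF
    audit_mounts "$t" && rc=0 || rc=$?
    rm -f "$t"
    return $rc
}
```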
Use the find command to check for unowned files and directories on each file system, for example:
find mount_point -mount -type f \( -nouser -o -nogroup \) -exec ls -l {} \;
find mount_point -mount -type d \( -nouser -o -nogroup \) -exec ls -l {} \;
Unowned files and directories might be associated with a deleted user account, they might indicate an error with software installation or deletion, or they might be a sign of an intrusion on the system. Correct the permissions and ownership of the files and directories that you find, or remove them. If possible, investigate and correct the problem that led to their creation.
Use the find command to check for world-writable directories on each file system, for example:
find mount_point -mount -type d -perm /o+w -exec ls -l {} \;
Investigate any world-writable directory that is owned by a user other than a system user. The user can remove or change any file that other users write to the directory. Correct the permissions and ownership of the directories that you find, or remove them.
You can also use find to check for setuid and setgid executables.
find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
If the setuid and setgid bits are set, an executable can perform a task that requires other rights, such as root privileges. However, buffer overrun attacks can exploit such executables to run unauthorized code with the rights of the exploited process.
If you want to stop a setuid and setgid executable from being used by non-root users, you can use the following commands to unset the setuid or setgid bit:
sudo chmod u-s file
sudo chmod g-s file
The following table lists programs for which you might want to consider unsetting the setuid and setgid bits.
Note:
The list is not exhaustive, as many optional packages contain setuid and setgid programs.
[Table: Program File | Bit Set | Description of Usage. The program and bit columns did not survive extraction; the surviving usage descriptions are: determines password aging information (via the -l option); changes the login shell; sends a system-wide message; sends a message to another user; invokes the X Windows server; runs the SSH helper program for host-based authentication; mounts an NFS file system; requests notification of changes to network interfaces; controls network interfaces.]
Checking User Accounts and Privileges
Check the system for unlocked user accounts on a regular basis by using a command similar to the following:
for u in $(cut -d: -f1 /etc/passwd | sort); do passwd -S "$u"; done
abrt LK 2012-06-28 0 99999 7 -1 (Password locked.)
adm LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
apache LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi-autoipd LK 2012-06-28 0 99999 7 -1 (Password locked.)
bin LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
...
In the output that is shown in this example, the second field indicates whether a user account is locked (LK), does not have a password (NP), or has a valid password (PS). The third field shows the date on which the user last changed their password. The remaining fields show the minimum age, maximum age, warning period, and inactivity period for the password and additional information about the password's status. The unit of time is days.
Use the passwd command to set passwords on any accounts that are not protected.
Use the passwd -l command to lock unused accounts. Alternatively, use userdel to remove the accounts entirely.
For more information, see the passwd(1) and userdel(8) manual pages.
To specify how user passwords are aged, edit the settings in the /etc/login.defs file. These settings are described in the following list.
- PASS_MAX_DAYS: Maximum number of days for which a password can be used before it must be changed. The default value is 99,999 days.
- PASS_MIN_DAYS: Minimum number of days that is allowed between password changes. The default value is 0 days.
- PASS_WARN_AGE: Number of days warning that is given before a password expires. The default value is 7 days.
For more information, see the login.defs(5) manual page.
To change how long a user's account can be inactive before it is locked, use the usermod command. For example, to set the inactivity period to 30 days:
sudo usermod -f 30 username
To change the default inactivity period for new user accounts, use the useradd command:
sudo useradd -D -f 30
A value of -1 specifies that user accounts are not locked due to inactivity.
For more information, see the useradd(8) and usermod(8) manual pages.
Verify that no user accounts other than root have a user ID of 0.
awk -F":" '$3 == 0 { print $1 }' /etc/passwd
root
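As an added example (not from the Oracle Linux documentation) covering both the passwd -S check and the UID 0 check above, this POSIX shell script flags accounts without a password, accounts whose password never expires, and non-root accounts with UID 0; it reads saved passwd -S output and a passwd file, and demonstrates itself on constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux documentation: audit user
# accounts using the two data sources described above. It flags accounts
# that "passwd -S" reports as having no password (NP), accounts whose
# password never expires (PS with the 99,999-day maximum age), and accounts
# other than root with UID 0 in a passwd file. Inputs are files so the
# functions can run on constructed samples; on a real system feed them the
# saved output of the passwd -S loop above and /etc/passwd.

# Accounts whose "passwd -S" status (field 2) is NP, i.e. no password set.
unprotected_accounts() {
    awk '$2 == "NP" { print $1 }' "$1"
}

# Accounts with a password set whose maximum age (field 5) is still the
# 99999-day default, so the password is never forced to change.
never_expiring_accounts() {
    awk '$2 == "PS" && $5 == 99999 { print $1 }' "$1"
}

# Accounts other than root whose UID (field 3 of passwd) is 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Demonstration on constructed samples; prints one summary line per check.
demo_account_audit() {
    d=$(mktemp -d)
    cat > "$d/status" <<'EOF'
abrt LK 2012-06-28 0 99999 7 -1 (Password locked.)
alice PS 2012-07-02 0 90 7 -1 (Password set, SHA512 crypt.)
bob PS 2012-06-30 0 99999 7 -1 (Password set, SHA512 crypt.)
guest NP 2012-06-28 0 99999 7 -1 (Empty password.)
root PS 2012-06-28 0 99999 7 -1 (Password set, SHA512 crypt.)
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    echo "no-password: $(unprotected_accounts "$d/status" | tr '\n' ' ')"
    echo "never-expire: $(never_expiring_accounts "$d/status" | tr '\n' ' ')"
    echo "extra-uid0: $(extra_uid0_accounts "$d/passwd" | tr '\n' ' ')"
    rm -rf "$d"
}
```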
If you install software that creates a default user account and password, change the vendor's default password immediately. Centralized user authentication using an LDAP implementation such as OpenLDAP can help to simplify user authentication and management tasks, and also reduces the risk arising from unused accounts or accounts without a password.
By default, an Oracle Linux system is configured so that you cannot log in directly as root. You must log in as a named user before using either su or sudo to perform tasks as root. This configuration allows system accounting to trace the original login name of any user who performs a privileged administrative action. If you want to grant certain users authority to be able to perform specific administrative tasks via sudo, use the visudo command to modify the /etc/sudoers file. For example, the following entry grants the user erin the same privileges as root when using sudo, but defines a limited set of privileges to frank so that he can run commands such as rpm and yum:
erin ALL=(ALL) ALL
frank ALL=SOFTWARE
Oracle Linux supports the pluggable authentication modules (PAM) feature, which makes it easier to enforce strong user authentication and password policies, including rules for password complexity, length, age, expiration and the reuse of previous passwords. You can configure PAM to block user access after too many failed login attempts, after normal working hours, or if too many concurrent sessions are opened.
PAM is highly customizable by its use of different modules with customizable parameters. For example, the default password integrity checking module pam_pwquality.so tests password strength. The PAM configuration file (/etc/pam.d/system-auth) contains the following default entries for testing a password's strength:
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
The line for pam_pwquality.so defines that a user gets three attempts to choose a good password. From the module's default settings, the password length must be a minimum of six characters, of which three characters must be different from the previous password. The module only tests the quality of passwords for users who are defined in /etc/passwd.
The line for pam_unix.so specifies that the module tests the password previously specified in the stack before prompting for a password if necessary (pam_pwquality will already have performed such checks for users defined in /etc/passwd), uses SHA-512 password hashing and the /etc/shadow file, and allows access if the existing password is null.
You can modify the control flags and module parameters to change the checking that is performed when a user changes his or her password, for example:
password    required      pam_pwquality.so retry=3 minlen=8 difok=5 minclass=-1
password    required      pam_unix.so use_authtok sha512 shadow remember=5
password    required      pam_deny.so
The line for pam_pwquality.so defines that a user gets three attempts to choose a good password with a minimum of eight characters, of which five characters must be different from the previous password, and which must contain at least one upper case letter, one lower case letter, one numeric digit, and one non-alphanumeric character.
The line for pam_unix.so specifies that the module does not perform password checking, uses SHA-512 password hashing and the /etc/shadow file, and saves information about the previous five passwords for each user in the /etc/security/opasswd file. As nullok is not specified, a user cannot change his or her password if the existing password is null.
The omission of the try_first_pass keyword means that the user is always asked for their existing password, even if he or she entered it for the same module or for a previous module in the stack.
For more information, see Configuring and Using Pluggable Authentication Modules and the pam_deny(8), pam_pwquality(8), and pam_unix(8) manual pages.