Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

SUSE Security


This is a difficult task to say the least. Some ideas:

Seccheck is a simple set of four scripts that can be adapted for a particular company to provide daily, weekly and monthly status reports. See Novell SUSE Linux Enterprise Server 10 seccheck

For more ideas see Security Tools in Linux Distributions, Part II

System Hardening

Again, the first step to secure a system is to remove all the unwanted services. SuSE uses Inetd to listen for a connection and the YaST2 (yet another setup tool) configuration tool to graphically edit network services. YaST2 showed that time, Telnet, rlogin and finger services were activated by default and that Telnet, rlogin and finger were routed through tcpd for access control. We disabled all three as services we did not want, then checked to make sure OpenSSH was started as a dæmon in /etc/rc.d/sshd as a secure replacement for these services.

The next step in the security check is ensuring that the critical system files do not have weak file permissions. SuSE has a security script, Harden_suse, which secures the operating system and makes it resistant to attacks. A strange thing happens when using Harden_suse, however: the script issues a warning that the script is only verified to work on SuSE 5.3 up to 7.2. SuSE changed the filesystem in 8.0 to be Linux Standards Base compliant, which may have broken the script. This warning, followed by a second warning that said "the script will secure your system which means it will disable almost all services on the system and tamper with some configuration file", made me very wary. Rather than take a risk of an unsupported script that will disable my system, I left it alone.

Fortunately, SuSE's YaST2 control center also has a security setting control tool, part of the Security and Users menu. It allows root to define a set of local security configurations, including password settings, user creation settings, console behavior and file permissions. The security settings have the default filesystem permissions set to "easy". This means most system files are readable by root, but not by other users. The more stringent "secure" setting restricts the files that can be viewed by root. And the "paranoid" setting requires that users who run applications be predefined. A list of the system files, their ownership and file permissions is located in /etc/permissions.easy, /etc/permissions.secure and /etc/permissions.paranoid. Users can even customize their own file permission setting by adding themselves to /etc/permissions.local. The YaST2 security setting control tool performs many of the same functions as Harden_suse and uses an interactive graphical menu. Most users should be comfortable with the easy or secure settings. Select "paranoid" only if you are sure you need it.

 

Figure 3. YaST2 Security Set


Host System Monitoring

SuSE 8.0 includes Aide, Logdigest, Nmap, Seccheck and Tripwire as optional HIDS programs. Nmap works in the same way as it does in Red Hat. Tripwire works almost the same, except there is no database installation script, such as twinstall.sh in Red Hat, nor is there a crontab, which we will note again later.

Seccheck

Seccheck, security checker, is a host security analyzer with three different levels of scans. When Seccheck is installed, it automatically adds a crontab, /etc/cron.d/seccheck, to run daily, weekly and monthly security checks.

The Seccheck daily, run at midnight, checks for user security vulnerabilities, system abnormalities, module changes and port changes. It also checks for changes in user and group information and for common weaknesses that may indicate an intrusion. The changes from the last daily Seccheck run are then mailed to root. See Table 2 for a list of checks in the daily scan.

Table 2: SuSE Daily Security Check

 

| Check | Description |
|---|---|
| /etc/passwd check | Length/number/contents of fields, accounts with same uid, accounts with uid/gid of 0 or 1 beside root and bin |
| /etc/shadow check | Length/number/contents of fields, accounts with no password |
| /etc/group check | Length/number/contents of fields |
| User root checks | Secure umask and PATH |
| /etc/ftpusers | Checks if important system users are put there |
| /etc/aliases | Checks for mail aliases which execute programs |
| .rhosts check | Checks if users' .rhosts files contain + signs |
| Home directory | Checks if home directories are writable or owned by someone else |
| dot-files check | Checks many dot-files in the home directories if they are writable or owned by someone else |
| Mailbox check | Checks if user mailboxes are owned by user and unreadable |
| NFS export check | Exports should not be exported globally |
| NFS import check | NFS mounts should have the "nosuid" option set |
| Promisc check | Checks if network cards are in promiscuous mode |
| list modules | Lists loaded modules |
| list sockets | Lists open ports |

Copied from Marc Heuse.

The weekly security check is a more exhaustive user and file system check, checks that are important but too intensive to run daily. The weekly scripts are run every Monday at 1:00am. They include checks for weak passwords, changes in the system files, files and executables that are group or world writable and all system devices. Again, only the differences from the previous weekly security scan are mailed to root. See Table 3 for a list of checks in the weekly scan.

Table 3. SuSE Weekly Security Check

 

| Check | Description |
|---|---|
| Password check | Runs john to crack the password file, user will get an email notice to change his password |
| rpm md5 check | Checks for changed files via rpm's md5 checksum feature |
| suid/sgid check | Lists all suid and sgid files |
| exec group write | Lists all executables which are group/world writable |
| Writable check | Lists all files which are world writable (incl. above) |
| Device check | Lists all devices |

Also copied from Marc Heuse.

The monthly security check is run on the first day of every month at 4:00am, and it sends a complete set of information in both daily and weekly checks to root. One pitfall of using Seccheck is that one has to pay attention to when changes are reported. Since only changes to the system from the last Seccheck analysis are e-mailed, anomalies appear only once. If you miss a change, you may not catch suspicious activity for a week or even a month.
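The diff-only reporting described above, as an added Python sketch (not Seccheck's own code): it runs a few of the Table 2 passwd and shadow checks over constructed snapshots and mails only what changed since the previous run. The account name toor, the function names and all sample data are assumptions made for illustration.

```python
# Added example, not Seccheck's code. All sample data below is constructed.

ALLOWED_LOW_IDS = {"root", "bin"}  # Table 2: uid/gid 0 or 1 only for root and bin


def check_passwd(text):
    """Findings for passwd-format text: field count, low ids, shared uids."""
    findings, names_by_uid = set(), {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.add(f"passwd line {lineno}: {len(fields)} fields, expected 7")
            continue
        name, _pw, uid, gid = fields[:4]
        if not (uid.isdigit() and gid.isdigit()):
            findings.add(f"passwd: {name} has a non-numeric uid or gid")
            continue
        uid, gid = int(uid), int(gid)
        names_by_uid.setdefault(uid, []).append(name)
        if name not in ALLOWED_LOW_IDS and (uid in (0, 1) or gid in (0, 1)):
            findings.add(f"passwd: {name} has uid/gid {uid}/{gid}")
    for uid, names in names_by_uid.items():
        if len(names) > 1:
            findings.add(f"passwd: uid {uid} shared by {', '.join(sorted(names))}")
    return findings


def check_shadow(text):
    """Findings for shadow-format text: field count and empty password field."""
    findings = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 9:
            findings.add(f"shadow line {lineno}: {len(fields)} fields, expected 9")
        elif fields[1] == "":
            findings.add(f"shadow: {fields[0]} has no password")
    return findings


def current_findings(passwd, shadow):
    """Complete state, like the monthly report: every finding that holds now."""
    return check_passwd(passwd) | check_shadow(shadow)


def daily_report(previous, current):
    """What gets mailed: only the differences from the previous run."""
    return {"new": sorted(current - previous), "gone": sorted(previous - current)}


def simulate(snapshots):
    """Run the checks once per (passwd, shadow) snapshot; return the mailed reports."""
    previous, reports = set(), []
    for passwd, shadow in snapshots:
        current = current_findings(passwd, shadow)
        reports.append(daily_report(previous, current))
        previous = current
    return reports


# Constructed snapshots: day 1 is clean, a second uid-0 account appears on
# day 2, and nothing changes on day 3.
PASSWD_1 = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/bin/bash\n"
    "daemon:x:2:2:Daemon:/sbin:/bin/bash\n"
    "alice:x:1000:100:Alice:/home/alice:/bin/bash\n"
)
SHADOW_1 = (
    "root:*:13000:0:99999:7:::\n"
    "bin:*:13000:0:99999:7:::\n"
    "daemon:*:13000:0:99999:7:::\n"
    "alice:*:13000:0:99999:7:::\n"
)
PASSWD_2 = PASSWD_1 + "toor:x:0:0::/root:/bin/bash\n"
SHADOW_2 = SHADOW_1 + "toor::13001:0:99999:7:::\n"
DAYS = [(PASSWD_1, SHADOW_1), (PASSWD_2, SHADOW_2), (PASSWD_2, SHADOW_2)]

if __name__ == "__main__":
    for day, report in enumerate(simulate(DAYS), 1):
        print(f"day {day} mail:", report)
    print("still true on day 3:", sorted(current_findings(*DAYS[2])))
```

The day 3 mail is empty although all three findings still hold, which is why a missed daily mail stays invisible until the next complete report.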

Seccheck is a good set of security auditing tools that monitor many of the user-related vulnerabilities. It is surprising that it is not enabled by default.

Even though Seccheck has a filesystem integrity check, it is always better to install a separate system integrity checker with control of the file signature database. SuSE has both Aide and Tripwire as optional HIDS. Since I already discussed Tripwire in the Red Hat example, I am using Aide for this SuSE example. Aide (advanced intrusion detection environment) is a file integrity checker and free replacement for Tripwire. It does not have some of the licensing restrictions of Tripwire. To start using Aide, simply run

# aide --init

to create the Aide database. SuSE has the Aide configuration file in /etc/aide.conf and the database is written into /var/lib/aide/aide.db.new. To check the filesystem, use

# aide --check

Aide can be run daily to report changes in the filesystem, the same way Tripwire is run. SuSE also does not include a crontab to run Aide automatically, the way Red Hat does with Tripwire. Nor does the Tripwire package on SuSE automatically add a Tripwire crontab. Aide and Tripwire can be used both as an alarm to a system penetration and for intrusion recovery. Both are good; use at least one of them.

Logdigest

Logdigest is a log analysis and reporting tool that can be optionally installed in SuSE. Based on Logcheck by Psionic Technologies, Logdigest scans log files, sorts the information and e-mails an analysis to the system administrator. Logdigest uses a keyword system to prioritize the log entries, presenting system attacks and unusual events first. It extends Logcheck's report by adding information about the system's mail queue, usage status, network device status and disk usage information to the report.

Logdigest is installed in /etc/cron.daily as aaa_base_logdigest. The Logdigest configuration file and keyword files are installed in /etc/logdigest. The configuration file and keyword files allow system administrators to define which log entries to prioritize, which log entries to ignore, which logs to parse, who to send the report to and if extended system status information should be added. The Logdigest report is most useful if as much system information is analyzed as possible. By default, Logdigest only scans /var/log/messages, the system information log file, and /var/log/mail, the mail information log file. To increase Logdigest's efficiency, either add all the system logs to the list of logs scanned by Logdigest or reconfigure the syslog dæmon to log all information to /var/log/messages. Reconfiguring syslog, by editing /etc/syslog.conf, to log all messages to /var/log/messages ensures that no log files will be left out and no information will be missed. Logdigest should be run daily but before the log files are rotated.
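The keyword prioritisation and the scanned-log list described above, as an added Python sketch (not Logdigest's code or its shipped keyword files). The keyword patterns, the log lines and the use of /var/log/warn as a log outside the default list are constructed for illustration.

```python
import re

# Added example. Keyword tiers are hypothetical stand-ins for the keyword
# files under /etc/logdigest; they are not the shipped contents.
ATTACK = (r"scanlogd:", r"POSSIBLE BREAK-IN ATTEMPT")
UNUSUAL = (r"authentication failure", r"refused connect")
IGNORE = (r"cron\[\d+\]", r"postfix/qmgr\[\d+\]")

# Default scan list as stated on the page.
DEFAULT_LOGS = ("/var/log/messages", "/var/log/mail")


def _matches(patterns, line):
    return any(re.search(p, line) for p in patterns)


def digest(logs, scanned=DEFAULT_LOGS):
    """Sort log lines into report sections, attacks first.

    logs maps a log path to its lines. Only paths in `scanned` are read,
    so anything written elsewhere never reaches the report.
    """
    report = {"attack": [], "unusual": [], "other": []}
    for path in scanned:
        for line in logs.get(path, []):
            if _matches(ATTACK, line):
                tier = "attack"
            elif _matches(UNUSUAL, line):
                tier = "unusual"
            elif _matches(IGNORE, line):
                continue  # known-routine entries are dropped from the report
            else:
                tier = "other"
            report[tier].append(f"{path}: {line}")
    return report


# Constructed log content (simplified line formats).
LOGS = {
    "/var/log/messages": [
        "Mar  3 02:11:07 host1 scanlogd: 192.0.2.10 to 192.0.2.1 ports 20, 21, 22, 23, 24, 25, 26",
        "Mar  3 02:15:00 host1 cron[4123]: (root) CMD (/usr/lib/cron/run-crons)",
        "Mar  3 03:40:12 host1 kernel: eth0: link up",
    ],
    "/var/log/mail": [
        "Mar  3 02:20:01 host1 postfix/qmgr[900]: 1A2B3C4D5E: removed",
    ],
    "/var/log/warn": [
        "Mar  3 02:12:30 host1 sshd[5120]: pam_unix(sshd:auth): authentication failure; rhost=192.0.2.10 user=root",
    ],
}

if __name__ == "__main__":
    for label, scanned in (("default", DEFAULT_LOGS),
                           ("extended", DEFAULT_LOGS + ("/var/log/warn",))):
        print(label)
        for tier, lines in digest(LOGS, scanned).items():
            for entry in lines:
                print(f"  [{tier}] {entry}")
```

With the default list the authentication failure never appears in the report; it shows up under "unusual" only once the third log is added to the scan list.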

Network Monitoring

SuSE installs Iptraf and Ethereal by default and Arpwatch, Snort, Saint and Nessus as optional packages.

Since Iptraf, Ethereal and Arpwatch work in the same way as do the versions in Red Hat, I'll concentrate on the other tools selected earlier in our installation: Scanlogd, Snort, Saint and Nessus.

Scanlogd is a system dæmon that logs portscans to the system logs. Scanlogd can be started as a network dæmon from /etc/rc.d/scanlogd. It logs scans if at least "7 privileged ports or 21 non-privileged ports, or a weighted average of the two have been accessed, with no longer than 3 seconds between the accesses". Scanlogd can be run continuously to monitor for hackers probing the system. Because Scanlogd logs only scans to syslog, it depends on the system administrator to monitor the logs and take action.
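The threshold rule quoted above, modelled as an added Python example (not scanlogd's source). It assumes a weight of 3 per privileged port and 1 per non-privileged port against a total of 21, which reproduces the page's figures of 7 and 21; the function names and the packet tuples are constructed.

```python
# Added example. Weights are an assumption chosen so that 7 privileged ports
# (7 * 3) or 21 non-privileged ports (21 * 1) both reach the same total.
PRIV_WEIGHT = 3
HIGH_WEIGHT = 1
THRESHOLD = 21
MAX_GAP = 3.0  # seconds allowed between two accesses from the same source


def detect_scans(events):
    """Return (source, time, distinct_ports) for each source that gets logged.

    events: time-ordered iterable of (timestamp, source_ip, dest_port).
    A source's running total is discarded when it stays quiet for longer
    than MAX_GAP, and each burst is logged at most once.
    """
    state, alerts = {}, []
    for ts, src, port in events:
        s = state.get(src)
        if s is None or ts - s["last"] > MAX_GAP:
            s = state[src] = {"last": ts, "weight": 0, "ports": set(), "logged": False}
        s["last"] = ts
        if port in s["ports"]:
            continue  # repeated access to the same port adds no weight
        s["ports"].add(port)
        s["weight"] += PRIV_WEIGHT if port < 1024 else HIGH_WEIGHT
        if s["weight"] >= THRESHOLD and not s["logged"]:
            s["logged"] = True
            alerts.append((src, round(ts, 1), len(s["ports"])))
    return alerts


def _burst(src, ports, start, step):
    """Constructed traffic: one access per port, `step` seconds apart."""
    return [(start + i * step, src, p) for i, p in enumerate(ports)]


# Constructed sample traffic (documentation addresses).
SAMPLE_EVENTS = sorted(
    _burst("192.0.2.10", range(20, 27), 0.0, 0.2)            # 7 privileged ports
    + _burst("192.0.2.20", range(8000, 8021), 0.0, 0.1)      # 21 non-privileged ports
    + _burst("192.0.2.30", [22, 25, 80] + list(range(6000, 6012)), 0.0, 0.1)  # 3*3 + 12*1
    + _burst("192.0.2.40", range(1, 11), 0.0, 4.0)           # accesses 4 s apart
    + _burst("192.0.2.50", [80, 443, 80, 443], 0.0, 0.5)     # ordinary client
)

if __name__ == "__main__":
    for src, ts, nports in detect_scans(SAMPLE_EVENTS):
        print(f"scan logged: {src} at t={ts}s after {nports} distinct ports")
```

Only the first three sources are logged. The fourth never accumulates weight because each access falls outside the 3-second window, so a monitoring setup should not rely on this rule alone.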

Snort is a network intrusion detection tool that can log and analyze packets in real time. It can detect a variety of port scans, probes, OS fingerprinting and attacks. Snort is a modular rules-based system that detects a number of attacks, not only Linux and UNIX but also Microsoft attacks. It provides real-time alerts to the host via syslog or to a remote host via a UNIX socket.

Snort can be started as a network dæmon from /etc/rc.d/snort. Users will want to add their home network information to the Snort configuration file in /etc/snort/snort.conf. The /etc/snort directory contains many attack signature modules, including signatures for IIS, DNS, finger, FTP, NetBIOS, Telnet, ColdFusion and FrontPage attacks. Snort should be run continuously to monitor for attacks. It provides great information, but it also depends on the system administrator to check the logs and take action.

Finally, Saint (Security Administrator's Integrated Network Tool) and Nessus are optional NIDS tools. They are vulnerability scanners rather than network monitors. They scan target hosts, determine which applications are running and report if any known vulnerabilities are found.

Saint is a web-based vulnerability scanner. It gathers information about networks and hosts and displays the information using a standard browser, such as Netscape or Konqueror. Running Saint on SuSE is as easy as typing

# saint

in an X terminal. In the past, Saint required the system to have a fully qualified domain name and other authentication to work, but no longer. It includes options for a variety of scans, including an option to scan for only the SANS top 20 Internet Security Vulnerabilities. Saint is a good tool to run after you have secured your system. It helps you verify that your system is secured from known vulnerabilities.

 

Figure 4. Saint Browser Menu

 

Nessus is a client/server distributed program that also can test multiple servers for a wide range of vulnerabilities. The server portion of Nessus can be started as a dæmon from /etc/rc.d/nessusd. The client, nessus, controls the scans and displays the report, and it can run as an X, Java or MS-window client. The Nessus server dæmon asks you to create encrypted user/password keys using the nessus-adduser command, if you have not already created them. This prevents unauthorized users from connecting to the server and running scans. A Nessus check shows a system's vulnerabilities and makes recommendations on changes to improve security. The Nessusd dæmon should be run as needed; otherwise it uses up resources and creates a service that could be hacked.

Conclusions

Securing a Red Hat or SuSE system has been made much simpler with the security tools now available on each distribution. Both Red Hat and SuSE have good security addons. Red Hat tools include Tripwire and Logwatch as HIDS and Arpwatch, Ethereal and Iptraf as NIDS. SuSE offers system hardening tools, part of YaST2 security control center, as well as Seccheck, Tripwire, Aide and Logdigest as HIDS. Ethereal, Iptraf, Scanlogd, Saint, Snort and Nessus all are available as NIDS. Spend a little time finding and using the tools on a distribution during the installation process. It can save you a lot of time and help keep your system secure.

Resources

For more detailed discussions of the tools in this article, see:

"Using xinetd", Jose Nazario, Linux Journal, March 2001.

"Checking Your Work with Scanners, Part 1: nmap", Mick Bauer, Linux Journal, May 2001.

"Intrusion Detection for the Masses", Mick Bauer, Linux Journal, July 2001.

"Understanding IDS for Linux", Pedro Bueno, Linux Journal, May 2002.

"Checking Your Work with Scanners, Part II: Nessus", Mick Bauer, Linux Journal, May 2001.

For more information about Linux distribution features, see "2001 Linux Functional Review", D.H. Brown Associates, Inc, September 2001.

For more information on widely used security tools, visit "Top 50 Security Tools"

Security Consensus Operational Readiness Evaluation, Linux.doc Checklist

For more information about Harden_Suse, visit Marc Heuse's web site.

For more about scanlogd, see the Scanlogd man page.

Bobby S. Wen is a senior technical manager with two engineering degrees and an MBA. He started playing with Linux in 1994 and has been addicted ever since. In his spare time, he tries to prevent his children from hacking into the home gateway server and turning on chat and file sharing.

email: bwen@yahoo.com

Old News ;-)

Novell SUSE Linux Enterprise Server 10 seccheck

Security Features in SUSE 10.0

February 23rd, 2006 | Paranoid Penguin

by Mick Bauer in

SUSE is a security-friendly distribution with a plethora of security-related tools.

Over the years, we've seen more and better security features incorporated into our favorite Linux distributions. Distribution-specific security awareness manifests itself in many ways, including:

This month, I begin a series of three articles on distribution-specific security in SUSE Linux, Debian GNU/Linux and Red Hat Enterprise Linux. These are the three distributions with which I've had the most experience, and they are arguably the three most popular. (But as with anything, if you want to contribute an article about your own favorite distribution, go for it! See our author's guide at www.linuxjournal.com/xstatic/author/authguide.)

I'll start with SUSE 10.0. SUSE is a general-purpose, commercially produced Linux distribution developed for Intel 32- and 64-bit platforms. Originally based in Germany and still primarily developed there, SUSE is now owned by Novell. There are a number of different SUSE products, including SUSE Linux, a “personal” version available from numerous retail outlets; SUSE Linux Enterprise Server, an “enterprise-grade” version available directly from Novell; and OpenSUSE, which is essentially the same as SUSE Linux but without installation media (it's installable only over the Internet), printed manuals or installation support.

The basis of this article is SUSE Linux 10.0, that is, the commercial “personal use” version. Everything I say here should be equally applicable to OpenLinux 10.0, and mostly relevant to the Enterprise versions of SUSE. Presumably, the Enterprise versions include additional security-related packages and features.

Installing SUSE Linux 10.0

System security begins with installation. This is your first opportunity to make crucial decisions concerning what role the system will play, which software the system will run and how the system will be configured. Therefore, it's useful to begin our discussion of SUSE security with the installation process.

All versions of SUSE use YaST (Yet Another Setup Tool) both for initial system installation and for ongoing system administration. Over the years, YaST has evolved from a simple RPM front end to a modular, comprehensive administration tool that can be used to configure not only low-level system software but also complex server applications such as Apache and Postfix.

We'll talk more about YaST shortly. Your immediate problem during initial OS installation, however, is deciding which software packages to install. And if you're security-focused, this is a happy problem. SUSE Linux 10.0 offers a wide variety of security applications from which to choose.

In my view, these applications fall into two categories: system security applications and security-scanning applications. The former include both general-purpose applications with strong security features—Postfix springs instantly to mind—and applications whose sole purpose is providing security controls to other applications or to the underlying operating system, of which tcpwrappers is a classic example. Table 1 lists the packages in SUSE Linux 10.0 that enhance system security.

Table 1. Some Security-Enhancing Packages in SUSE Linux 10.0

| Package Name | Description |
|---|---|
| aide, fam | File integrity checkers, both similar to Tripwire. |
| bind-chrootenv | Automatically creates a chroot environment in which to run BIND (the DNS daemon) more securely. |
| clamav, antivir | Antivirus packages—clamav is completely free, but antivir is commercial (free for personal use). |
| cracklib | Library and utilities to prevent users from choosing easily guessed passwords. |
| gpg, gpg2, gpa | GNU Privacy Guard (gpg), a versatile and ubiquitous e-mail- and file-encryption utility. |
| ipsectools, openswan | Tools for building IPsec-based virtual private networks. |
| openldap, freeradius | Open-source authentication daemons. |
| proxy-suite | An FTP security proxy developed by SUSE. |
| seccheck | SUSE-customized cron scripts that perform various security checks against logs, system state and so on, and send e-mail reports to you. |
| subdomain-utils, subdomain-profiles, mod-change-hat and so on | AppArmor, a mandatory access control (MAC) system that restricts the behavior of specific binaries. SUSE uses this instead of SELinux, which it closely resembles. |
| squid, SquidGuard | Squid is a popular HTTP/HTTPS proxy. SquidGuard adds access controls and other security features. |
| SUSEfirewall | SUSE's handy front end for Linux's netfilter/iptables. |
| syslog-ng | Advanced system logger, much more powerful than syslogd. syslog-ng is SUSE's default logger. |
| tinyca2 | Front end to OpenSSL for managing Certificate Authorities. |
| yast2-firewall | Firewall functionality. |
| vsftpd | The Very Secure FTP Daemon. |
| xen, FAUmachine, uml-utilities, bochs | The Xen, FAUmachine, User Mode Linux and BOCHS virtual machine environments. |

Actually, the lengthy list of packages in Table 1 represents only particular favorites of mine and SUSE-specific selections. SUSE includes many, many more system security tools, including tcpd (tcpwrappers), openssl, chkrootkit, sudo and wipe. You can view the full list of packages included in SUSE Linux 10.0 at www.novell.com/products/linuxpackages/professional/index_all.html.

Besides securing the system on which you install SUSE, you may be interested in using a SUSE system to validate the security of other systems or of entire networks. SUSE is a good choice for this. Table 2 shows some SUSE Linux 10.0 packages that can be used for security scanning. Note that you should never install these packages (except perhaps Snort) on any Internet-connected server. Each is of much greater use to an attacker than it is to you in that context. Scanning software should be performed from systems that are normally kept out of harm's way.

Table 2. Security Scanners in SUSE Linux 10.0

| Package Name | Description |
|---|---|
| ethereal, tcpdump | Excellent packet sniffers. |
| fping | Flood ping (multiple-target ping). |
| john | John the Ripper, a password-cracking tool (legitimately used for identifying weak passwords). |
| kismet | Wireless LAN sniffer. |
| nessus-core, nessus-libraries | The Nessus general-purpose security scanner. |
| nmap | Undisputed king of port scanners. |
| snort | Outstanding packet sniffer, packet logger and intrusion detection system. |

If you're new to SUSE, you should be aware that by default, YaST uses a Selections filter (view) for selecting packages, in which only a small subset of all available packages is offered to you. If you don't see something you need in this view, for example, nessus-core, use the Package Groups filter to see a more complete set of categories. If you want to see a single list of all packages in alphabetical order, simply set the filter to Package Groups and click on the group zzz All (Figure 1).

Figure 1. Viewing All Available Packages in YaST

You also can set the filter to Search to search for packages by name or keyword.

After you've selected and installed all software packages, YaST allows you to set the root password and create the first (nonroot) user account. By default, SUSE uses Blowfish for password encryption, and YaST checks the password you type for complexity. (Too-simple a password can be easily guessed or brute-force cracked by an attacker.)

You're also given the opportunity to enable local firewall scripts (enabled by default), and the SSH and VNC remote-shell daemons (both disabled by default). Note that of the latter two, SSH is the best choice for administering bastion hosts (hardened Internet servers)--among other reasons, you shouldn't be using the X Window System on bastion hosts unless you've got a very specific, very compelling reason. YaST, it should be noted, runs perfectly well in text (ncurses) mode, with exactly the same modules and options as the X version. Also, tightvnc, the version of the VNC remote-desktop tool shipped with SUSE, doesn't encrypt session data, only authentication data.

Note also that at installation time, you aren't given the opportunity to customize your local firewall settings. Initially, a default script is used that provides a simple “allow all outbound transactions, allow nothing inbound that wasn't initiated locally” policy. In other words, the default SUSEfirewall script is perfectly appropriate for most desktop systems, but it is inadequate for server use. You can change this later on by running YaST's Firewall module.

YaST then lets you choose from the following methods for authenticating nonroot users:

Active Directory authentication is also supported in SUSE Linux 10.0, via Kerberos.

Once you've selected an authentication method, you can create your first nonroot user account. Be sure to leave Automatic Logon disabled unless your system has very low security requirements indeed—enabling this causes the machine to log in your nonroot user automatically at boot time. (About the only situation in which this is a good idea, I think, is for kiosk-type systems!)

And that's it—SUSE installation is now finished! Your job as a security-conscious system administrator, however, is not.

Security-Related YaST Modules

After the first time you boot your newly minted SUSE Linux system, you immediately should log in as your unprivileged user and invoke YaST. If you do this from within KDE or GNOME, you'll be prompted for the root password automatically, but in a text-console session, you need to use su -c to invoke /sbin/yast.

As I mentioned earlier, YaST has a lot of security functionality built in. YaST modules particularly relevant to system security are listed in Table 3.

Table 3. Security-Related YaST Modules

| YaST Section | Module Name | Description |
|---|---|---|
| Software | Online Update | Sets up manual and automatic software updates. |
| | Software Management | For installing and removing packages. |
| | Virtual Machine Installation (XEN) | Creates virtual machines for the Xen 3 virtual machine environment. |
| System | /etc/sysconfig Editor | Edits daemon startup parameters. |
| | System Services (Runlevel) | Manages startup scripts. |
| | Powertweak | Sets advanced kernel parameters, such as TCP timewait sockets. |
| Network Services | DNS Server | Configures BIND. |
| | HTTP Server | Configures Apache. |
| | LDAP Client | Sets up LDAP authentication and lookups. |
| | Mail Transfer Agent | Configures Postfix or Sendmail. |
| | Kerberos Client | Sets up Kerberos authentication, including Active Directory. |
| | Remote Administration | Configures TightVNC. |
| Novell AppArmor | Various | For managing AppArmor mandatory access controls on specific binaries. |
| Security and Users | Firewall | For managing netfilter/iptables settings. |
| | Local Security | Determines password complexity and length, password aging, file-permission schemes and various other system security parameters. |
| | Group Management | Used to create, edit and delete group accounts. |
| | User Management | Used to create, edit and delete user accounts (actually the same module as Group Management, which is dual-purpose). |

Of these YaST modules, Online Update is one of the most important. You immediately should use it to configure automatic patch downloads and, unless your system is under a change-control process, automatic patch installation as well. YaST Online Update was one of the first automatic patch utilities offered in a major Linux distribution, and it's still one of the best. Use it to take advantage of SUSE's excellent record of providing prompt, well-tested security patches.

The Firewall module (Figure 2) is also extremely useful, especially if you're uncomfortable creating and managing your own firewall scripts (I acknowledge that people like me, who find this fascinating and fun, are rare). Similarly, Group/User Management eliminates the need for you ever to edit /etc/group or /etc/passwd manually.

Figure 2. YaST's Firewall Module

The Virtual Machine Installation module and Novell AppArmor section are also especially noteworthy. So much so, in fact, that I should spend some time talking about SUSE's virtual machine and mandatory access control systems, respectively, in a little more depth.

Virtual Machines in SUSE Linux

You may recall my article “The Future of Linux Security” [LJ, August 2005], in which I touted virtual machine environments and hypervisors (aka security monitors) as being an important new direction in system security. If you don't recall this, the gist of it is that it's because MAC schemes such as SELinux are viewed by many people as too complex. A simpler approach instead is to run each major application or service on its own virtual machine. That way, if for example a virtual machine in which Sendmail is running gets compromised, a virtual machine running Apache2 on the same physical hardware won't be in immediate or direct danger.

Virtual machines, therefore, provide a powerful and easy-to-understand means of isolating complex applications from each other. And, SUSE Linux 10.0 includes no fewer than three different virtual machine technologies.

The Xen 3 environment, which originated at Cambridge University, is provided by SUSE as a “technology preview”. To the best of my determination, this simply means that because Xen 3 is an immature and potentially unstable application, SUSE is simply trying to lower people's expectations of its usability—the version of Xen 3 in SUSE Linux 10.0 isn't a special preview or evaluation version or anything like that. Xen 3 supports Linux, FreeBSD, NetBSD and Plan9 “guest” (virtual) systems.

Alternatively, the FAUmachine virtualization environment includes RPM packages that enable support for SUSE 9, Debian 3.0, OpenBSD 3.5/3.6 and Red Hat 9 guest systems. One advantage of FAUmachine over Xen 3 is that in FAUmachine, the guest systems' kernels run on the host system with nonroot (unprivileged-user) permissions.

User Mode Linux is another virtualization environment offered in SUSE Linux 10.0 via the uml-utilities package. Like FAUmachine, its guest kernels run without root privileges.

Novell (Immunix) AppArmor

However, not everyone has given up on MAC-based system security, and SUSE has covered this area handsomely by acquiring and repackaging Immunix's AppArmor (aka Subdomain). AppArmor is similar to SELinux, in that it allows you to restrict the behavior of specific processes, with an effect similar to but more effective than running them in chroot jails.

(Note that although SUSE provides the libselinux package and includes SELinux functionality in its default kernel, SELinux isn't officially supported in SUSE Linux. You need the packages available at www.cip.ifi.lmu.de/~bleher/selinux to run SELinux in SUSE Linux.)

The document /usr/share/doc/packages/subdomain-docs/ug_apparmor.pdf, included in the subdomain-docs package, is the AppArmor User's Guide, and it tells you everything you need to know about configuring and using AppArmor. Suffice it to say for now that if you simply run the YaST AppArmor Control Panel module and enable AppArmor, a default profile is loaded that includes settings for many common daemons and commands, including netstat, ping, traceroute, firefox, evolution, gaim, syslogd, acroread, ethereal, apropos, procmail, postfix (smtpd, and so on), Apache2 (httpd2-prefork), nscd, identd, ntpd, sshd and squid.

This is a limited-feature version of AppArmor, so apparently it provides only a subset of features available in the full $1,250 US version. Personally, I'm not clear as to precisely what the difference is, though—everything I tried to do with the version in SUSE Linux 10.0 seemed to work fine, so this would not appear to be a too significantly crippled edition. Perhaps the full version includes a longer list of preconfigured applications.

Conclusion

These aren't SUSE Linux 10.0's only security features. I haven't talked about how secure many applications' default settings are (in general they're quite secure, with daemons running with nonroot privileges whenever possible, network listeners such as sshd typically disabled by default and so on).

This is a very security-friendly version of SUSE Linux indeed. Remember, though, that real security begins with you—little of SUSE's security potential is realized until you configure or at least enable it yourself! Hopefully, this article has helped you get a feel for what that potential is.

Next month, it's on to Debian 3.1. Until then, be safe!

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.


Recommended Links



SUSE Linux Enterprise Security Announcements and Support

Chapter 8. Basic Security

[PDF] SLES Security Guide (1993)

NASA Linux Installation and Security Check List

SUSE Security Lockdown - Hardening Your Linux System - openSUSE

Marc's (Security) Homepage @ SuSE

http://www.suse.de/security/

SUSE Security FAQ - Suntel Communications knowledgebase

SLES-security-guide

 

Old Security Tools developed by SuSE

Marc's (Security) Homepage @ SuSE

USENET and Other Mail Lists

SuSE has got two free security mailing list services to which any interested party may subscribe:

suse-security@suse.com - moderated and for general/linux/SuSE security discussions. All SuSE security announcements are sent to this list.

suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list.

To subscribe to the list, send a message to: suse-security-subscribe@suse.com

To remove your address from the list, send a message to: suse-security-unsubscribe@suse.com

Send mail to the following for info and FAQ for this list: suse-security-info@suse.com suse-security-faq@suse.com



Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: March 20, 2009