Notes on Network and Local Security

Date: Fri Oct 26 2018

The documentation on various aspects of local and network security is extensive. This is just a brief overview of a few things to be aware of.

Shutting down services

Be sure to monitor enabled services. To list all enabled unit files -- that is, the units systemd will start automatically at boot (note the -w: a plain grep for "enabled" also matches "disabled"):

$ systemctl list-unit-files | grep -w enabled | less 
$ # comment: Or, to see which units are currently loaded and running right now:
$ systemctl list-units

Imagine we want to be sure that bluetooth is disabled and not running:

$ systemctl status
● - Bluetooth
   Loaded: loaded (/lib/systemd/system/; static; vendor preset: enabl
   Active: inactive (dead)
     Docs: man:systemd.special(7)

Good. It's not running. If it were running, we could keep it from starting again at boot by disabling it. Note that systemctl disable only removes the boot-time symlinks: it does not stop a unit that is already running (systemctl stop does that, or add --now to disable), and a disabled unit can still be pulled in by another unit or started by hand unless it is also masked with systemctl mask:

$ sudo systemctl disable
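The audit described above, as an added example that is not part of the original page: a small POSIX shell script that compares the enabled unit files against an allowlist of services the host is supposed to run, and prints the disable/mask commands for anything unexpected. The sample systemctl output, the allowlist, and the unit names in them are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the services systemd
# will start at boot against an allowlist so unexpected ones stand out.

# Constructed sample of:
#   systemctl list-unit-files --type=service --state=enabled --no-legend
SAMPLE_UNITS='avahi-daemon.service        enabled  enabled
bluetooth.service           enabled  enabled
cups.service                enabled  enabled
sshd.service                enabled  enabled
unattended-upgrades.service enabled  enabled'

# Services this (assumed) host is supposed to run, one per line.
ALLOWED='sshd.service
unattended-upgrades.service'

# audit_enabled: read list-unit-files output on stdin and print each
# enabled unit that is not on the allowlist. -F -x: exact, literal match.
audit_enabled() {
    while read -r unit _state _preset; do
        [ -n "$unit" ] || continue
        printf '%s\n' "$ALLOWED" | grep -qxF -- "$unit" || printf '%s\n' "$unit"
    done
}

# remediate UNIT: print the commands that take an unwanted unit out of
# service. `disable` alone only removes the boot-time symlinks; `--now`
# also stops the running instance, and `mask` keeps it from being started
# again by a socket, by another unit, or by an admin typing `systemctl start`.
remediate() {
    printf 'sudo systemctl disable --now %s\n' "$1"
    printf 'sudo systemctl mask %s\n' "$1"
}

# Run over the constructed sample; on a live host use instead:
#   systemctl list-unit-files --type=service --state=enabled --no-legend | audit_enabled
printf '%s\n' "$SAMPLE_UNITS" | audit_enabled | while read -r u; do remediate "$u"; done
```

The script prints the remediation commands instead of running them so the output can be reviewed first; pipe it into sh once you are satisfied that nothing on the list is actually needed.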

Remote logging

Logs are the primary record of how a machine is being used and what it is doing, and they are also among the first things an intruder with root access tampers with. Depending on the level of security you need, you may want to send logs off the server or off site, so that a copy survives even if the local copies are altered or deleted. rsyslogd is helpful here:

From the man page: rsyslogd -- reliable and extended syslogd

As you may remember, the syslogd service collects log messages from the kernel, applications, and other programs and services. rsyslogd extends syslogd in a number of ways; one of the important extensions is remote logging, that is, forwarding logs to a separate and perhaps more secure machine (for example, one that is not exposed to the internet).

Visit /var/log/ and read the README file.
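The forwarding setup described above, as an added example that is not part of the original page: a shell script that writes an rsyslog client configuration in two forms, the weak legacy one-liner (UDP, cleartext, lossy) and a hardened one (TLS over TCP with peer-name checking and a disk-assisted queue), plus the matching receiver configuration for the log host, and a small classifier that reports which transport a config file uses. The host names, port, certificate paths and output directory are assumptions; run rsyslogd -N1 on a host with rsyslog and the rsyslog-gnutls driver installed before deploying the files under /etc/rsyslog.d/.

```shell
#!/bin/sh
# Added example (not from the original page): generate rsyslog forwarding
# configs, weak beside hardened, and classify a config by its transport.
# Host names, certificate paths and $OUT are assumptions for the example.

OUT=${OUT:-$(mktemp -d)}

# Weak: legacy syntax, a single @ means UDP. Unencrypted, unauthenticated,
# and messages are silently dropped whenever the log host is unreachable.
write_weak_fwd() {
    cat > "$OUT/10-forward-weak.conf" <<'EOF'
*.* @loghost.example.internal:514
EOF
    echo "$OUT/10-forward-weak.conf"
}

# Hardened: TLS (gtls driver) over TCP, the log host must present a
# certificate whose name we expect, and a disk-assisted queue holds
# messages across an outage instead of losing them.
write_hardened_fwd() {
    cat > "$OUT/10-forward.conf" <<'EOF'
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)
*.* action(
    type="omfwd" target="loghost.example.internal" port="6514" protocol="tcp"
    StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="loghost.example.internal"
    queue.type="LinkedList" queue.filename="fwd_loghost" queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on" action.resumeRetryCount="-1"
)
EOF
    echo "$OUT/10-forward.conf"
}

# Log host side: accept TLS-only syslog on 6514 from named, certificate-bearing
# peers; anything without a trusted client certificate is rejected.
write_receiver() {
    cat > "$OUT/10-receive.conf" <<'EOF'
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["web1.example.internal"])
input(type="imtcp" port="6514")
EOF
    echo "$OUT/10-receive.conf"
}

# conf_transport FILE: "tls" if the gtls stream driver is used, "tcp-plain"
# for @@host or omfwd without TLS (reliable but cleartext), "udp" for a
# legacy @host line, so a reviewer can spot the weak forms at a glance.
conf_transport() {
    if grep -q 'gtls' "$1"; then echo tls
    elif grep -Eq '^\*\.\* *@@|protocol="tcp"' "$1"; then echo tcp-plain
    elif grep -Eq '^\*\.\* *@[^@]' "$1"; then echo udp
    else echo unknown; fi
}

for f in "$(write_weak_fwd)" "$(write_hardened_fwd)" "$(write_receiver)"; do
    echo "$f: $(conf_transport "$f")"
done
# Syntax-check on a host with rsyslog before copying into /etc/rsyslog.d/:
#   rsyslogd -N1 -f "$OUT/10-forward.conf"
```

Two design points: the queue settings matter as much as the TLS ones, because a forwarder that drops messages during an outage gives an attacker a simple way to hide activity (take the log host off the network first); and x509/name on both ends means a stolen client key from one host cannot impersonate another.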


SELinux

SELinux is a Linux Security Module built into the kernel that enforces mandatory access control: every process and file carries a security label, and the loaded policy decides which labelled processes may touch which labelled objects, on top of (not instead of) the ordinary owner/group/mode permissions.

From the man 8 selinux page: SELinux -- NSA Security-Enhanced Linux

There are books on using SELinux. Briefly, we should know a few things, e.g., how SELinux interacts with various software and with various users. When we install and configure, e.g., Apache2, we'll need to work with SELinux (file contexts, ports, and booleans) to allow Apache2 to do anything the default policy does not already permit.

To check whether it is enabled, first look at the configured state in /etc/selinux/config (read at boot), then at the current mode, which can differ if someone changed it at run time with setenforce:

$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.


$ getenforce

Additional info:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

From the man 8 selinux page:

SELinux enabled values:

  • enforcing: enables SELinux for auditing and forces access denials
  • permissive: enables SELinux code for auditing only
  • disabled: completely disables SELinux protection

SELinux type policy values:

  • targeted: a policy where most user processes operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy
  • mls (Multi-Level Security): a policy where all processes are partitioned into fine-grained security domains and confined by policy

See also:

  • booleans(8)
  • setsebool(8)
  • sepolicy(8)
  • system-config-selinux(8)
  • togglesebool(8)
  • fixfiles(8)
  • restorecon(8)
  • setfiles(8)
  • semanage(8)
  • seinfo(8)
  • sesearch(8)

From the man 8 selinux page:

  • All files, directories, devices [...] have a security context/label associated with them.
  • Every confined service on the system has a man page in the following format: <servicename>_selinux(8)

For example, httpd has the httpd_selinux(8) man page. To see which SELinux man pages are installed on our system (man -k searches page descriptions, so this lists available documentation, not what is currently active):

$ man -k selinux
selinux (8)          - NSA Security-Enhanced Linux (SELinux)
audit2allow (1)      - generate SELinux policy allow/dontaudit rules from logs of ...
... <truncated>

To view and change current policy settings (booleans). Note that setsebool without -P changes only the running policy and the change is lost at reboot; add -P to make it persistent:

# semanage boolean -l | less
# semanage boolean -l | grep "(on" | less
# semanage boolean -l | grep httpd
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi off
# getsebool httpd_enable_cgi
# setsebool httpd_enable_cgi on
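Checking booleans one at a time does not scale, so here is an added example, not code from the original page: a shell function that reads the "name --> on|off" lines that getsebool -a prints and reports every boolean whose value differs from a desired-state list, including names in the list that do not exist on the system (a misspelled boolean otherwise passes silently). The sample getsebool output and the desired-state list are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): compare SELinux booleans
# against a desired state. Sample data below is constructed.

# Constructed excerpt of `getsebool -a` output.
SAMPLE_BOOLS='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
ftpd_anon_write --> on'

# Desired state for this (assumed) web host, "name state" per line.
# httd_enable_cgi is a deliberate misspelling to show the "missing" case.
WANT='httpd_can_network_connect off
httpd_enable_cgi off
httpd_enable_homedirs off
ftpd_anon_write off
httd_enable_cgi off'

# bool_drift: read getsebool output on stdin and print "name current wanted"
# for each boolean whose value differs from WANT. Booleans not in WANT are
# ignored; names in WANT that the system does not report are flagged
# "missing" so a typo cannot be mistaken for compliance.
bool_drift() {
    awk -v want="$WANT" '
        BEGIN {
            n = split(want, lines, "\n")
            for (i = 1; i <= n; i++)
                if (lines[i] != "") { split(lines[i], kv, " "); wanted[kv[1]] = kv[2] }
        }
        $2 == "-->" { cur[$1] = $3 }
        END {
            for (b in wanted) {
                if (!(b in cur)) print b, "missing", wanted[b]
                else if (cur[b] != wanted[b]) print b, cur[b], wanted[b]
            }
        }' | sort
}

printf '%s\n' "$SAMPLE_BOOLS" | bool_drift
# Live use, as root, applying the fixes persistently (-P) and skipping
# names the policy does not know:
#   getsebool -a | bool_drift | while read -r b cur want; do
#       [ "$cur" = missing ] || setsebool -P "$b" "$want"
#   done
```

Keep the desired-state list under version control next to the host's other configuration; the drift report then doubles as a check that nobody has quietly turned a boolean back on.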

SELinux Users

  • semanage-user -- SELinux Policy Management SELinux User mapping tool

From RedHat Docs:

  • Linux users in the user_t, guest_t, and xguest_t domains can only run set user ID (setuid) applications if SELinux policy permits it (for example, passwd). These users cannot run the su and sudo setuid applications, and therefore cannot use these applications to become root.
  • Linux users in the sysadm_t, staff_t, user_t, and xguest_t domains can log in using the X Window System and a terminal.
  • By default, Linux users in the guest_t and xguest_t domains cannot execute applications in their home directories or the /tmp directory, preventing them from executing applications, which inherit users' permissions, in directories they have write access to. This helps prevent flawed or malicious applications from modifying users' files.
  • By default, Linux users in the staff_t and user_t domains can execute applications in their home directories and /tmp. See Section 6.6, "Booleans for Users Executing Applications" for information about allowing and preventing users from executing applications in their home directories and /tmp.
  • The only network access Linux users in the xguest_t domain have is Firefox connecting to web pages.
## comment: see list of selinux users on system
# semanage user --list
## comment: see mapping of logins to user roles
# semanage login -l
# exit
$ id -Z         # comment: print security context

Let's check our user captkirk. Note that su does not run pam_selinux, so the shell it opens keeps the caller's SELinux context; id -Z reports captkirk's own login mapping only in a fresh session started by logging in as captkirk (console or ssh):

$ su captkirk
$ id -Z
$ exit

Let's change captkirk's login mapping from the unconfined_u SELinux user to user_u (an SELinux user, not a role; user_u is limited to the user_r role and the user_t domain described above). semanage login -a adds a new mapping and fails if captkirk already has one (use -m to modify it, -d to delete it); the change takes effect at captkirk's next login:

# semanage login -a -s user_u captkirk
# semanage login -l
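To predict what the mapping change will do before captkirk logs in again, here is an added example, not code from the original page: a shell function that reads a semanage login -l table and resolves a login name to its SELinux user the way libselinux does at login, checking the exact login name first, then a %group entry for any of the user's groups, then __default__. The table below, and the logins captkirk, spock and mccoy and the %wheel entry in it, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): resolve a login name to an
# SELinux user from the `semanage login -l` table. Constructed sample data.

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
captkirk             user_u               s0                   *
%wheel               staff_u              s0-s0:c0.c1023       *'

# resolve_seuser LOGIN [GROUP...]: print the SELinux user a fresh login
# for LOGIN would get. Order (libselinux seusers lookup): exact login name,
# then a %group entry for any listed group, then __default__.
# Reads the mapping table from stdin.
resolve_seuser() {
    login=$1; shift
    groups="$*"
    awk -v login="$login" -v groups="$groups" '
        NR == 1 || NF < 2 { next }            # skip the header and blank lines
        { map[$1] = $2 }
        END {
            if (login in map) { print map[login]; exit }
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++)
                if (("%" g[i]) in map) { print map["%" g[i]]; exit }
            if ("__default__" in map) print map["__default__"]
        }'
}

printf '%s\n' "$SAMPLE_LOGINS" | resolve_seuser captkirk users    # explicit entry: user_u
printf '%s\n' "$SAMPLE_LOGINS" | resolve_seuser spock wheel users # via %wheel: staff_u
printf '%s\n' "$SAMPLE_LOGINS" | resolve_seuser mccoy users       # falls back to __default__
# Live: semanage login -l | resolve_seuser captkirk $(id -Gn captkirk)
```

The %group entries are the reason a single-user change can be surprising: if captkirk is in a group with its own mapping, the explicit login entry still wins, but removing it later (semanage login -d) drops him to the group mapping, not to __default__.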

linux/local-network-security.txt · Last modified: 2019/01/21 11:24 by seanburns