Introduction

Welcome to the Official Red Hat Linux Security Guide!

The Official Red Hat Linux Security Guide is designed to assist users of Red Hat Linux in learning the process and practice of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. The Official Red Hat Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With the proper knowledge, vigilance, and tools, systems running Red Hat Linux can be both fully functional and secured from most common intrusion and exploit methods.

This guide discusses several security-related topics in great detail, including:

Firewalls
Encryption
Securing Critical Services
Virtual Private Networks
Intrusion Detection

We would like to thank Thomas Rude for his generous contributions to this manual. He wrote the Vulnerability Assessments and Incident Response chapters. Rock on, "farmerdude."

This manual assumes that you have an advanced knowledge of Red Hat Linux. If you are a new user or have basic to intermediate knowledge of Red Hat Linux and would like more information about how to use Red Hat Linux, please refer to the following guides, which discuss the fundamental aspects of Red Hat Linux in greater detail than the Official Red Hat Linux Security Guide:

Official Red Hat Linux Installation Guide for information regarding installation
Official Red Hat Linux Getting Started Guide to learn about how to use Red Hat Linux and its many applications
Official Red Hat Linux Customization Guide for more detailed information about configuring Red Hat Linux to suit your particular needs as a user. This guide includes some services that are discussed (from a security standpoint) in the Official Red Hat Linux Security Guide.
Official Red Hat Linux Reference Guide provides detailed information suited for more experienced users to refer to when needed, as opposed to step-by-step instructions.

HTML and PDF versions of all Official Red Hat Linux manuals are available online at http://www.redhat.com/docs/.

Note

Although this manual reflects the most current information possible, you should read the Red Hat Linux Release Notes for information that may not have been available prior to our documentation being finalized. They can be found on the Red Hat Linux CD #1 and online at:

http://www.redhat.com/docs/manuals/linux

Document Conventions

When you read this manual, you will see that certain words are represented in different fonts, typefaces, sizes, and weights. This highlighting is systematic; different words are represented in the same style to indicate their inclusion in a specific category. The types of words that are represented this way include the following:

command

Linux commands (and other operating system commands, when used) are represented this way. This style should indicate to you that you can type the word or phrase on the command line and press [Enter] to invoke a command. Sometimes a command contains words that would be displayed in a different style on their own (such as filenames). In these cases, they are considered to be part of the command, so the entire phrase will be displayed as a command. For example:

Use the cat testfile command to view the contents of a file, named testfile, in the current working directory.

filename

Filenames, directory names, paths, and RPM package names are represented this way. This style should indicate that a particular file or directory exists by that name on your Red Hat Linux system. Examples:

The .bashrc file in your home directory contains bash shell definitions and aliases for your own use.

The /etc/fstab file contains information about different system devices and filesystems.

Install the webalizer RPM if you want to use a Web server log file analysis program.

application

This style should indicate to you that the program named is an end-user application (as opposed to system software). For example:

Use Mozilla to browse the Web.

[key]

A key on the keyboard is shown in this style. For example:

To use [Tab] completion, type in a character and then press the [Tab] key. Your terminal will display the list of files in the directory that start with that letter.

[key]-[combination]

A combination of keystrokes is represented in this way. For example:

The [Ctrl]-[Alt]-[Backspace] key combination will exit your graphical session and return you to the graphical login screen or the console.

text found on a GUI interface

A title, word, or phrase found on a GUI interface screen or window will be shown in this style. When you see text shown in this style, it is being used to identify a particular GUI screen or an element on a GUI screen (such as text associated with a checkbox or field). Example:

Select the Require Password checkbox if you would like your screensaver to require a password before stopping.

top level of a menu on a GUI screen or window

When you see a word in this style, it indicates that the word is the top level of a pulldown menu. If you click on the word on the GUI screen, the rest of the menu should appear. For example:

Under File on a GNOME terminal, you will see the New Tab option that allows you to open multiple shell prompts in the same window.

If you need to type in a sequence of commands from a GUI menu, they will be shown like the following example:

Go to Main Menu Button (on the Panel) => Programming => Emacs to start the Emacs text editor.

button on a GUI screen or window

This style indicates that the text will be found on a clickable button on a GUI screen. For example:

Click on the Back button to return to the webpage you last viewed.

computer output

When you see text in this style, it indicates text displayed by the computer on the command line. You will see responses to commands you typed in, error messages, and interactive prompts for your input during scripts or programs shown this way. For example:

Use the ls command to display the contents of a directory:

$ ls
Desktop                about.html       logs          paulwesterberg.png
Mail                   backupfiles      mail          reports

The output returned in response to the command (in this case, the contents of the directory) is shown in this style.

prompt

A prompt, which is a computer's way of signifying that it is ready for you to input something, will be shown in this style. Examples:

$

#

[stephen@maturin stephen]$

leopard login:

user input

Text that the user has to type, either on the command line, or into a text box on a GUI screen, is displayed in this style. In the following example, text is displayed in this style:

To boot your system into the text based installation program, you will need to type in the text command at the boot: prompt.

Additionally, we use several different strategies to draw your attention to certain pieces of information. In order of how critical the information is to your system, these items will be marked as note, tip, important, caution, or a warning. For example:

	Note
	Remember that Linux is case sensitive. In other words, a rose is not a ROSE is not a rOsE.

	Tip
	The directory `/usr/share/doc` contains additional documentation for packages installed on your system.

	Important
	If you modify the DHCP configuration file, the changes will not take effect until you restart the DHCP daemon.

	Caution
	Do not perform routine tasks as root — use a regular user account unless you need to use the root account for system administration tasks.

	Warning
	If you choose not to partition manually, a server installation will remove all existing partitions on all installed hard drives. Do not choose this installation class unless you are sure you have no data you need to save.