Suppose you have to harden a Red Hat Linux server for security purposes. Give examples of 4 configuration actions that need to be completed. Describe the purposes and steps in performing these tasks.
USING SYSTEM-WIDE CRYPTOGRAPHIC POLICIES:
When a system-wide policy is set, RHEL applications obey it and refuse to use algorithms and protocols that do not comply with the policy, unless you explicitly order the application to do so. That is, the policy defines the default behaviour of applications running with the configuration supplied by the system, but you can override it where appropriate. Strong crypto defaults come from eliminating vulnerable cipher suites and protocols. The list below includes cipher suites and protocols omitted from RHEL 8's core cryptographic libraries. They are either not present in the sources or their support is disabled during the build process, so applications cannot use them.
DES (since RHEL 7)
All export-grade cipher suites (since RHEL 7)
MD5 in signatures (since RHEL 7)
SSLv2 (since RHEL 7)
SSLv3 (since RHEL 8)
All ECC curves < 224 bits (since RHEL 6)
All binary field ECC curves (since RHEL 6)
CONFIGURING SOFTWARE VIA PKCS #11 TO USE CRYPTOGRAPHIC HARDWARE
PKCS #11 (Public-Key Cryptography Standard) specifies an application programming interface (API) for cryptographic devices that hold cryptographic information and perform cryptographic functions. These devices are called tokens, and they can be implemented in hardware or in software.
A PKCS #11 token can store different types of objects, including certificates, data objects, and secret, private or public keys. These objects are uniquely identifiable via the PKCS #11 URI scheme.
A PKCS #11 URI is a standard way to identify a particular object in a PKCS #11 module according to the object's attributes. This allows you to configure all libraries and applications with the same configuration string, in the form of a URI.
Red Hat Enterprise Linux 8 supports the OpenSC PKCS #11 driver for smart cards by default.
Using private-key security HSMs in Apache and Nginx
The Apache and Nginx HTTP servers can operate with private keys stored on hardware security modules (HSMs), which protects against key leakage and man-in-the-middle attacks. Note that busy servers typically need high-performance HSMs for this.
Apache HTTP Server
The Apache HTTP server (httpd) uses the OpenSSL library for secure communication over the HTTPS protocol. OpenSSL does not natively support PKCS #11. To use HSMs, you must install the openssl-pkcs11 package, which provides access to PKCS #11 modules via the engine interface. Instead of a regular file name, you can use a PKCS #11 URI to specify the server key and certificate in the configuration file /etc/httpd/conf.d/ssl.conf.
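As an added example (not from the original answer), the following parser shows how a PKCS #11 URI of the kind placed in ssl.conf identifies one object by its attributes (RFC 7512 syntax), and flags the configuration mistakes a reviewer would look for, such as a PIN embedded in the URI. The URIs, token name and module path in the test are constructed.

```python
"""Parse RFC 7512 PKCS #11 URIs as used to point httpd at an HSM-held key."""
from urllib.parse import unquote, unquote_to_bytes

# Path attributes identify the object; query attributes say how to reach it.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _split(part, sep, allowed):
    """Split 'name=value' pairs, percent-decoding values; reject unknown names."""
    out = {}
    if not part:
        return out
    for item in part.split(sep):
        if "=" not in item:
            raise ValueError(f"malformed attribute: {item!r}")
        name, value = item.split("=", 1)
        if name not in allowed:
            raise ValueError(f"unknown attribute: {name!r}")
        if name in out:
            raise ValueError(f"duplicate attribute: {name!r}")
        # 'id' is the raw CKA_ID byte string; all other values are text
        out[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return out


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} for a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = _split(path, ";", PATH_ATTRS)
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"bad object type: {attrs['type']!r}")
    return {"path": attrs, "query": _split(query, "&", QUERY_ATTRS)}


def review_key_uri(uri):
    """Findings a reviewer would raise about a private-key URI in ssl.conf."""
    parsed = parse_pkcs11_uri(uri)
    path, query = parsed["path"], parsed["query"]
    findings = []
    if "pin-value" in query:
        findings.append("PIN embedded in configuration; use pin-source instead")
    if not any(k in path for k in ("object", "id")):
        findings.append("no object/id selector; URI may match several keys")
    if path.get("type") != "private":
        findings.append("type is not 'private'; not a private-key reference")
    return findings
```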
Configuration compliance tools in RHEL
Red Hat Enterprise Linux offers tools that allow you to conduct a fully automated compliance audit.
These tools are built on the Security Content Automation Protocol (SCAP) standard and are designed to apply tailored compliance policies automatically.
SCAP Workbench - The graphical utility scap-workbench is intended to carry out configuration and vulnerability scans on a single local or remote system. You can also use it to produce security reports based on these scans and evaluations.
OpenSCAP - The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration and vulnerability scans on a local system, validate configuration compliance content, and produce reports and guides based on these scans and evaluations.
SCAP Security Guide (SSG) - The scap-security-guide package provides the current set of security policies for Linux systems. The guide consists of a catalogue of specific hardening advice, linked to government requirements where appropriate. The project bridges the gap between abstract policy requirements and concrete implementation guidelines.
Script Check Engine (SCE) - SCE is an extension to the SCAP protocol that allows administrators to write their security content in a scripting language such as Bash, Python or Ruby. The SCE extension is provided in the openscap-engine-sce package. SCE itself is not part of the SCAP standard. You can use the OpenSCAP solution for Red Hat Satellite to conduct automated compliance audits on multiple systems remotely.