Question

In: Computer Science

Suppose you have to harden a Red Hat Linux server for security purpose. Give examples of...

Suppose you have to harden a Red Hat Linux server for security purpose. Give examples of 4 configuration actions that need to be completed. Describe the purposes and steps in performing these tasks.

Solutions

Expert Solution

USING SYSTEM-WIDE CRYPTOGRAPHIC POLICIES:

When a system-wide policy is set up, RHEL applications obey it and refuse to use non-policy-compliant algorithms and protocols, unless you expressly order the application to do so. That is, the policy refers to the default behaviour of applications when running with the configuration given by the device, but if appropriate, you can override it. By eliminating vulnerable cypher suites and protocols, solid crypto defaults The list below includes cypher suites and protocols omitted from RHEL 8 's core cryptographic libraries. They are not present in the sources, or their assistance is disabled during the build process, so they can not be used by applications. DES (starting from RHEL 7)

All cypher suites in the export grade (since RHEL 7) MD5 (since RHEL

7) in signatures SSLv2 (starting from RHEL 7) SSLv3 (starting from RHEL 8)

All ECC curves < 224 bits (since RHEL 6)

All binary field ECC curves (since RHEL 6)

CONFIGURING Software Via PKCS # 11 TO USE CRYPTOGRAPHIC HARDWARE

An application programming interface (API) is specified by PKCS # 11 (Public-Key Cryptography Standard) for cryptographic devices that hold cryptographic information and perform cryptographic functions. These devices are called tokens, and in a hardware or software form they can be implemented.

A PKCS # 11 token can store different types of objects, including a certificate, a data object, and a hidden, private or public key. Via the PKCS#11 URI scheme, these objects are unqquely recognisable.

A PKCS # 11 URI is a standard way, according to the object attributes, to define a particular object in a PKCS # 11 module. This allows you to configure all libraries and applications in the form of a URI with the same configuration string.

The OpenSC PKCS # 11 driver is supported by Red Hat Enterprise Linux 8 for smart cards by default.

Using private key security HSMs in Apache and Nginxx

HTTP servers Apache and Nginx can operate with private keys stored on hardware security modules (HSMs) to avoid leakage of the keys and man-in-the-middle attacks. Notice that high-performance HSMs for busy servers are typically needed for this.

HTTP Server Apache

The Apache HTTP server (httpd) uses the OpenSSL library for secure communication in the context of the HTTPS protocol. OpenSSL does not support native PKCS # 11. You must instal the opensslpkcs11 package to use HSMs, which provides access via the engine interface to the PKCS # 11 modules. Instead of a standard file name, you can use a PKCS # 11 URI to define a server key and certificate in the configuration file /etc / httpd / conf.d / ssl.conf

Configuration compliance tools in RHEL

Red Hat Enterprise Linux offers tools that allow

you to conduct a fully automated audit of compliance.

These tools are built on the standard of the Security Content Automation Protocol (SCAP) and are designed to tailor compliance policies automatically.

SCAP Workbench-The graphical utility scapworkbench is intended to carry out configuration and vulnerability scans on a single local or remote device. Based on these scans and assessments, you can even use it to produce security reports.

OpenSCAP-The OpenSCAP library is designed to perform configuration and vulnerability scans on a local device, verify configuration compliance content, and produce reports and guides based on these scans and evaluations, with the accompanying oscap command-line utility.

SCAP Security Guide (SSG)-For Linux systems, the scap-security guide kit offers the current set of security policies. The guide consists of a catalogue of specific hardening advice, where appropriate, related to government specifications. The project bridges the difference between abstract criteria for policies and concrete guidelines for implementation.

Script Check Engine (SCE) SCE is a SCAP protocol extension that allows administrators to use a scripting language to write their security content, such as Bash, Python , and Ruby. In the openscapenginesce kit, the SCE extension is given. The SCE itself is not part of the norm for SCAP. You may use the OpenSCAP solution for the Red Hat Satellite to conduct automatic compliance audits on multiple systems remotely.


Related Solutions

[Linux permissions] Suppose that you are a superuser on a Linux system, and there is a...
[Linux permissions] Suppose that you are a superuser on a Linux system, and there is a file “/home/alice/foo”, which is owned by an ordinary user Alice. You need to give a permission to read a this file to an ordinary user Bob, but no one else (of course, you as superuser will be able to read it too). Explain how you will do it. Note: You do not have to provide specific commands, just a short description will suffice. [Limitations...
[Linux permissions] Suppose that you are a superuser on a Linux system, and there is a...
[Linux permissions] Suppose that you are a superuser on a Linux system, and there is a file “/home/alice/foo”, which is owned by an ordinary user Alice. You need to give a permission to read a this file to an ordinary user Bob, but no one else (of course, you as superuser will be able to read it too). Explain how you will do it. Note: You do not have to provide specific commands, just a short description will suffice.
Suppose 4 blue and 4 red chips are in a hat. Each time we draw a...
Suppose 4 blue and 4 red chips are in a hat. Each time we draw a chip we look at its color. If it is blue, we replace it along with one new blue chip. If it is red, we replace it along with two new red chips. What is the probability that, in successive drawing of chips, the second one is blue?
Suppose you have 24 items (three red, three blue, three yellow, and three green) to give...
Suppose you have 24 items (three red, three blue, three yellow, and three green) to give to 24 students. How many different ways can you distribute the things to the students? (Note: the items of the same color are identical)
1. Give examples of security measures that might be used to control information security, personnel security,...
1. Give examples of security measures that might be used to control information security, personnel security, and health hazard security issues. 2. Should the federal and state governments enact tougher laws or regs to deal with security violators? If so, what are your recommendations?
lab of operating system: you should do this on linux server its mandatory please show your...
lab of operating system: you should do this on linux server its mandatory please show your work by taking screenshot and show all the commands performed and show the result. PROBLEM 1: Create a file and name it f1 • Cerate a directory and name it d1 • Move f1 to d1 • Create a directory and name it d2 • Move d1 to d2 • Check if d1 is inside d2 • Check if f1 is inside d1 •...
Give three examples of how Linux is used in distinctly different applications to illustrate its proliferation...
Give three examples of how Linux is used in distinctly different applications to illustrate its proliferation in a diverse range of modern application domains?
1. You own a share in Red Hat. Every period it has a 15 percent chance...
1. You own a share in Red Hat. Every period it has a 15 percent chance of going bankrupt. The interest rate is 0. If it survives to the end of the first period, it will pay $2 in dividends, $3 in dividends at the end of the second period, $3 in dividends at the end of the third period, and $4 in dividends at the end of the fourth period. It will pay no dividends after the end of...
1. A)You own a share in Red Hat. Every period it has a 15 percent chance...
1. A)You own a share in Red Hat. Every period it has a 15 percent chance of going bankrupt. The interest rate is 0. If it survives to the end of the first period, it will pay $2 in dividends, $3 in dividends at the end of the second period, $3 in dividends at the end of the third period, and $4 in dividends at the end of the fourth period. It will pay no dividends after the end of...
In debian and in red hat how would you update a package with file1.1.deb and file1.1.rpm...
In debian and in red hat how would you update a package with file1.1.deb and file1.1.rpm respectively? Use linux
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT