
Security

Users

  • show all logged in users
    users
  • show user/groups assignments and identifiers
    id

Files

  • /etc/passwd: defines users with their numeric UID, primary GID, home directory and login shell (an x in the password field means the hash lives in /etc/shadow)
  • /etc/shadow: password hashes and password ageing information, readable by root only
  • /etc/group: defines groups and their supplementary members, i.e. all groups a user is in besides the primary group from /etc/passwd (the file is /etc/group, not /etc/groups)
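A quick audit of these three files, as an added example that is not part of the original page: the script parses constructed sample copies of /etc/passwd, /etc/shadow and /etc/group (marked as such in the code) and reports what an administrator checks first, namely extra UID 0 accounts, accounts with an empty password field, accounts with a real login shell, and the supplementary groups of one user. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit the three account databases.
# The three samples below are constructed stand-ins for /etc/passwd, /etc/shadow
# and /etc/group; on a real system pipe the actual files in instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc:x:1002:1002:service account:/var/lib/svc:/bin/false'

# Field 2 of /etc/shadow: a hash, "*" or "!" (locked), or empty (no password needed).
SAMPLE_SHADOW='root:$6$salt$hashedpassword:17709:0:99999:7:::
daemon:*:17709:0:99999:7:::
toor::17709:0:99999:7:::
alice:$6$salt$hashedpassword:17709:0:99999:7:::
bob:!:17709:0:99999:7:::
svc:*:17709:0:99999:7:::'

# Field 4 of /etc/group: comma-separated supplementary members.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob
docker:x:999:alice
users:x:100:'

# Accounts with UID 0 (anything besides root is a red flag).
uid0_accounts() { awk -F: '$3 == 0 { print $1 }'; }

# Accounts whose shadow password field is empty: they log in without any password.
# Locked entries ("*", "!") and real hashes are fine; an empty field is not.
nopassword_accounts() { awk -F: '$2 == "" { print $1 }'; }

# Accounts that can obtain an interactive shell (shell is neither nologin nor false).
login_shell_accounts() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }'; }

# Supplementary groups of one user; the primary group lives in /etc/passwd, not here.
supplementary_groups() {
    awk -F: -v user="$1" '{
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) if (members[i] == user) print $1
    }'
}

echo "UID 0 accounts:";        printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "Passwordless accounts:"; printf '%s\n' "$SAMPLE_SHADOW" | nopassword_accounts
echo "Login shells:";          printf '%s\n' "$SAMPLE_PASSWD" | login_shell_accounts
echo "Groups of alice:";       printf '%s\n' "$SAMPLE_GROUP"  | supplementary_groups alice
```

On a real system feed the files themselves to the functions (for example `uid0_accounts < /etc/passwd`); /etc/shadow is readable only as root, so that one needs sudo.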

Sudoers

The file /etc/sudoers defines which users may run which commands via sudo, and with which options. Always edit it with visudo, which checks the syntax before saving so that a typo cannot lock everyone out of sudo. Independently of sudo, it can make sense to set a stricter umask for non-root users in ~/.bashrc, for example:

if [[ $(id -u) -eq 0 ]]; then
   umask 0022
else
   umask 0027
fi

Firewall

Commands

  • show iptables firewall rules (-n skips DNS lookups, -v adds packet counters and interfaces):
    iptables -L -n -v
  • show Uncomplicated Firewall (UFW) rules:
    sudo ufw status verbose
  • show all predefined UFW application profiles:
    sudo ufw app list
  • allow traffic according to a predefined UFW application profile:
    sudo ufw allow samba
  • delete the allow rules that were created from a UFW application profile:
    sudo ufw delete allow samba

Files

  • /etc/ufw/applications.d/*: predefined UFW application profiles
  • /var/log/ufw.log: UFW log (blocked packets, tagged [UFW BLOCK]; how much is logged is set with ufw logging low|medium|high|full)
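An added example, not from the original page, of reading /var/log/ufw.log instead of just looking at it: the log lines are constructed samples in the format UFW writes through the kernel log (key=value fields such as SRC=, DST=, PROTO=, DPT= after the [UFW BLOCK] tag), and the function names are my own. The script counts blocked packets per source, lists the ports a given source was blocked on, and flags sources that probed several distinct ports; ICMP entries (which carry no DPT) and [UFW ALLOW] lines are handled rather than miscounted.

```shell
#!/bin/sh
# Added example (not from the original page): summarise blocked packets in /var/log/ufw.log.
# The lines below are constructed samples; on a real system pipe the log file in instead.
SAMPLE_UFW_LOG='Jun 27 22:44:01 host kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 27 22:44:02 host kernel: [ 1235.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 27 22:44:03 host kernel: [ 1236.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=44444 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 27 22:44:04 host kernel: [ 1237.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
Jun 27 22:44:05 host kernel: [ 1238.567890] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=2 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 27 22:44:06 host kernel: [ 1239.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=244 ID=54324 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun 27 22:44:07 host kernel: [ 1240.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54325 PROTO=TCP SPT=44444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 27 22:44:08 host kernel: [ 1241.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=3 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Blocked packets per source address, busiest first ("count address").
blocked_by_source() {
    awk '/\[UFW BLOCK\]/ {
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src != "") count[src]++
    }
    END { for (s in count) print count[s], s }' | sort -k1,1nr -k2,2
}

# Distinct protocol/port pairs one source was blocked on (ICMP has no DPT and is skipped).
blocked_ports_for() {
    awk -v want="$1" '/\[UFW BLOCK\]/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src == want && dpt != "") print proto "/" dpt
    }' | sort -u
}

# Sources blocked on at least $1 distinct destination ports: a simple port-scan heuristic.
port_scan_suspects() {
    awk -v min="$1" '/\[UFW BLOCK\]/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}

echo "Blocked packets by source:"; printf '%s\n' "$SAMPLE_UFW_LOG" | blocked_by_source
echo "Ports hit by 198.51.100.7:"; printf '%s\n' "$SAMPLE_UFW_LOG" | blocked_ports_for 198.51.100.7
echo "Port scan suspects (3+ ports):"; printf '%s\n' "$SAMPLE_UFW_LOG" | port_scan_suspects 3
```

Against the real file: `sudo sh -c 'blocked_by_source < /var/log/ufw.log'` after sourcing the functions, or simply replace the printf with `cat /var/log/ufw.log`.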

OpenSSL

Commands

  • show the contents of a PEM-encoded certificate (add -noout to suppress the re-printed PEM block at the end)
    openssl x509 -in <cert>.pem -text
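An added example (not from the original page) of what to pull out of a certificate besides the full -text dump: it generates a throwaway self-signed certificate for the reserved name test.example.invalid, then reads the subject, the subject alternative names, the remaining validity (via -checkend) and the SHA-256 fingerprint, and recomputes that fingerprint from the DER encoding to show what it actually is. It needs the openssl command-line tool (1.1.1 or newer for -addext and -ext); the file and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): generate a throwaway self-signed certificate
# and read the fields that matter operationally. Everything lives in a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# Constructed test certificate: CN and SAN use a reserved example name, valid for 30 days.
# -nodes leaves the private key unencrypted, which is fine for a throwaway key.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=test.example.invalid" \
        -addext "subjectAltName=DNS:test.example.invalid" \
        -keyout "$WORK/key.pem" -out "$CERT" 2>/dev/null
}

# Subject in RFC 2253 form, which prints the same way across OpenSSL versions.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }

# Subject Alternative Names: clients match the hostname against these, not against the CN.
cert_san() { openssl x509 -in "$1" -noout -ext subjectAltName; }

# Exit 0 if the certificate is still valid $2 seconds from now, 1 if it expires before then.
cert_ok_for_seconds() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# SHA-256 fingerprint as OpenSSL prints it, normalised to lowercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//; s/://g' | tr 'A-F' 'a-f'
}

# The fingerprint is nothing but the hash of the DER encoding; recompute it to show that.
cert_fingerprint_manual() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

make_test_cert || exit 1
cert_subject "$CERT"
cert_san "$CERT"
cert_ok_for_seconds "$CERT" 86400 && echo "still valid tomorrow"
cert_ok_for_seconds "$CERT" $((60 * 86400)) || echo "expires within 60 days"
echo "fingerprint: $(cert_fingerprint "$CERT")"
```

For a certificate served over TLS, `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -outform PEM` yields a file the same functions can read; -checkend is the piece worth wiring into monitoring.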

NSS

Network Security Services (NSS), originally developed at Netscape, is the library used by Firefox, Thunderbird, Evolution and others to manage certificates, keys and PKCS#11 modules. There is also a GUI application, called nss-gui.

Commands

  • show all certificates stored in the NSS database of a directory (see also the NSS Certificate Database Tool, certutil). Older databases are cert8.db/key3.db; NSS 3.35 and later (and Firefox 58 and later) default to the SQLite-backed cert9.db/key4.db, which can be selected explicitly with -d sql:<dir> (or -d dbm:<dir> for the old format)
    certutil -L -d ~/.local/share/evolution
  • show all certificates on a (G&D StarSign) ElsterStick; -h selects the PKCS#11 token by name
    certutil -L -d ~/.local/share/evolution -h "ElsterStick 1.0"
  • add a new PKCS#11 module to the module database secmod.db (see also the NSS Security Module Database Tool, modutil)
    modutil -add "StarSign USB Token" -libfile /usr/local/lib/libstarsignpkcs11.so -dbdir ~/.local/share/evolution

    The same works for a Firefox profile: run modutil -add with -dbdir pointing at the profile directory, then list the token's certificates with certutil -L -h "StarSign USB Token" -d ~/.mozilla/firefox/*.default. Both tools come with the package libnss3-tools (Debian/Ubuntu). Close Firefox first: modutil warns that changing the security databases while the browser is running can corrupt them. Afterwards the module appears in Firefox's Security Devices dialog (Preferences → Privacy & Security → Security Devices).

Especially on CentOS, start the PC/SC daemon (pcscd) at system boot instead of letting udev start it on demand when a reader is plugged in (configure this for example with the GNOME tool system-config-services). This keeps Firefox running properly even when no USB security token is plugged in.

  • show all cryptographic modules registered in the NSS database of the current directory (-dbdir .):
    modutil -list -dbdir .

SELinux

linux/administration/security.txt · Last modified: 2018/06/27 22:44 by Ralf Hoppe