Red Hat Enterprise Linux (RHEL) has a lot of guides and advice on how to harden the RHEL platform, but security how-tos for Novell's SUSE Linux Enterprise Server (SLES) are not as plentiful. Don't fret, SLES administrators: security help has arrived. This guide will show you how to harden SLES (assuming you are running SLES 10, as this guide refers back to documentation from Novell) in eight easy steps.
Minimize your SLES installation
Like most distributions, SLES provides a minimal installation option. You can select this option during the initial installation process and it will install a minimal build on the system, generally about 200-300 packages not including a GUI or any development tools. If you're installing a lot of hosts, then I'd recommend automating the build process using
Be selective with services
After installation, be aware that most distributions (including SLES) start a lot of services you will never use, and SLES also creates some users and groups you may not need. Both are dealt with through the built-in configuration tool, YaST: launch it from your window manager if you installed a GUI, or run yast from a console to get the ncurses text mode. Use the Security and Users module to delete unwanted users and groups, and the System Services (Runlevel) module to disable unwanted services. The same changes can be scripted with chkconfig, which is useful when you have many hosts to maintain.
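A scripted version of the same audit, as an added example that is not from the original article: it lists boot-time services that are not on an allowlist and accounts that still have a login shell, so the YaST (or chkconfig) clean-up can be checked on every host. The allowlist, the rc wrapper convention and the sample chkconfig and passwd text are assumptions and constructed input, not output copied from a real SLES 10 system.

```shell
# Added example (not from the original article): audit which services start
# at boot and which accounts can still log in, then switch off what you do
# not need. Sample inputs are constructed to look like SLES 10 output.

# Services a minimal server role is expected to run (assumption: adjust per host)
ALLOWED_SERVICES="sshd syslog network cron haldaemon"

# Read `chkconfig --list` on stdin; print services that are "on" in
# runlevel 3 or 5 but not in ALLOWED_SERVICES. Lines with fewer than 7
# fields (the xinetd section at the end) are skipped.
unexpected_boot_services() {
    awk -v allowed="$ALLOWED_SERVICES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 7 && ($5 ~ /:on$/ || $7 ~ /:on$/) && !($1 in ok) { print $1 }
    '
}

# Read /etc/passwd on stdin; print accounts whose shell allows a login.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Stop a running service and keep it from starting at boot.
disable_service() {
    /etc/init.d/"$1" stop && chkconfig "$1" off
}

# Constructed sample of `chkconfig --list` output
SAMPLE_CHKCONFIG='sshd       0:off  1:off  2:on   3:on   4:off  5:on   6:off
postfix    0:off  1:off  2:on   3:on   4:off  5:on   6:off
nfsserver  0:off  1:off  2:off  3:off  4:off  5:off  6:off
xinetd based services:
        telnet:     off'

# Constructed sample of /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
jturnbull:x:1000:100:James:/home/jturnbull:/bin/bash'

# On a real host:  chkconfig --list | unexpected_boot_services
#                  login_capable_accounts < /etc/passwd
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_boot_services   # postfix
printf '%s\n' "$SAMPLE_PASSWD" | login_capable_accounts        # root games jturnbull
```

Anything the first function prints is a candidate for disable_service; anything the second prints that is not a person (games in the sample) should have its shell set to /bin/false or be removed.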
Lock down your running services
An important service you will want to retain is the secure shell (SSH) server, which allows secure remote management of your hosts. SSH is only as secure as its configuration, so lock down /etc/ssh/sshd_config: allow only protocol 2, forbid direct root logins (use sudo instead), prefer key-based over password authentication, and restrict logins to a named group of administrators. Check the file with sshd -t before restarting sshd, and keep your current session open until a fresh login succeeds.
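A check for those sshd_config settings, as an added example that is not from the original article. It resolves each directive the way sshd does (first uncommented match wins) and flags the defaults that are dangerous on the OpenSSH 4.x shipped with SLES 10: a missing Protocol line still means "2,1" and PermitRootLogin defaults to yes. The two configs and the group name sshadmins are constructed for the example.

```shell
# Added example (not from the original article): check an sshd_config for
# the settings that matter most on a remotely managed SLES 10 host.
# Sample configs are constructed; sshadmins is an assumed group name.

# Effective value of a directive: first uncommented match wins, as in sshd.
# $1 = directive name, $2 = config text
sshd_effective() {
    printf '%s\n' "$2" | awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }'
}

# Print one line per weak setting; prints nothing for a hardened config.
sshd_config_findings() {
    cfg="$1"
    v=$(sshd_effective Protocol "$cfg")
    [ "$v" = "2" ] || echo "Protocol ${v:-2,1 (default)}: SSH-1 allowed, set Protocol 2"
    v=$(sshd_effective PermitRootLogin "$cfg")
    [ "$v" = "no" ] || echo "PermitRootLogin ${v:-yes (default)}: set to no and use sudo"
    v=$(sshd_effective PasswordAuthentication "$cfg")
    [ "$v" = "no" ] || echo "PasswordAuthentication ${v:-yes (default)}: prefer keys"
    v=$(sshd_effective X11Forwarding "$cfg")
    [ "$v" != "yes" ] || echo "X11Forwarding yes: disable unless needed"
    v=$(sshd_effective AllowGroups "$cfg")
    [ -n "$v" ] || echo "AllowGroups unset: every account with a shell may log in"
}

# Constructed: a permissive config of the kind a default install may leave behind
WEAK_SSHD='Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes'

# Constructed: the hardened counterpart
HARDENED_SSHD='Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowGroups sshadmins
MaxAuthTries 3
LoginGraceTime 30'

# Apply on a real host only after sshd validates the file, and keep your
# current session open until a second login succeeds:
#   sshd -t -f /etc/ssh/sshd_config && rcsshd restart
sshd_config_findings "$WEAK_SSHD"        # five findings
sshd_config_findings "$HARDENED_SSHD"    # nothing
```

Turning off PasswordAuthentication only makes sense once every administrator's public key is in place; do it last, from a session authenticated with a key.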
Another lock-down tool is AppArmor, Novell's answer to SELinux. AppArmor confines an application to the files, capabilities and network access its profile allows and nothing else, so a compromised service cannot be turned into a foothold on the rest of the host. AppArmor does, however, require considerable configuration and management: profiles are developed in complain mode, where violations are only logged, and switched to enforce mode once the logs are clean. An AppArmor implementation should be planned and managed rather than enabled ad hoc.
Firewall your host
Now that we have restricted our services, we want to run a firewall. SLES comes with the netfilter (iptables) firewall, which can be configured either through the YaST Firewall module or by editing /etc/sysconfig/SuSEfirewall2, a file of shell-style variable assignments (FW_DEV_EXT names the external interface and FW_SERVICES_EXT_TCP lists the TCP ports it accepts). After editing, run rcSuSEfirewall2 restart for the new rules to take effect. Apply firewall rules with care: a bad rule could lock you out of the host, which is especially bad if it is remote from you, so confirm that SSH stays open on the external interface before you restart.
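A guard against that lock-out, as an added example that is not from the original article. Because the SuSEfirewall2 file is shell syntax, a candidate policy can be sourced in a subshell and checked before it is installed; the apply step also starts a timer that drops the firewall after five minutes unless you cancel it from a new, working SSH session. The interface name, the two sample policies and the timer length are assumptions.

```shell
# Added example (not from the original article): check a SuSEfirewall2
# policy for SSH access before applying it, with a dead-man timer for
# remote work. Interface name and sample policies are assumptions.

# Return 0 if the config opens TCP port 22 (or the service name "ssh")
# on the external interface.
fw_allows_ssh() {
    ( . "$1"
      for p in $FW_SERVICES_EXT_TCP; do
          case "$p" in 22|ssh) exit 0 ;; esac
      done
      exit 1 )
}

# Install and activate a checked config. The background timer stops the
# firewall after five minutes; kill it once a fresh SSH login succeeds.
fw_apply() {
    fw_allows_ssh "$1" || { echo "refusing: $1 does not allow SSH on FW_DEV_EXT" >&2; return 1; }
    cp "$1" /etc/sysconfig/SuSEfirewall2
    ( sleep 300 && rcSuSEfirewall2 stop ) &
    echo "safety timer pid $!: kill it once a new SSH session works"
    rcSuSEfirewall2 restart
}

# Constructed policy that only opens web ports: applying it remotely
# would cut off your own session.
LOCKOUT_FW=$(mktemp)
cat >"$LOCKOUT_FW" <<'EOF'
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="80 443"
EOF

# Constructed minimal policy: SSH only, with dropped packets logged.
MINIMAL_FW=$(mktemp)
cat >"$MINIMAL_FW" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="22"
FW_SERVICES_EXT_UDP=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_DROP_ALL="no"
EOF

if fw_allows_ssh "$LOCKOUT_FW"; then echo "lockout policy: ssh open"; else echo "lockout policy: would lock you out"; fi
if fw_allows_ssh "$MINIMAL_FW"; then echo "minimal policy: ssh open"; fi
```

fw_apply is meant for a real host and is not run here; on a console session you can simply kill the timer immediately, but over SSH it is the difference between a bad rule and a trip to the data centre.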
Don't run as root
Apart from a few tasks that absolutely require the admin to be root, you should never manage your host while logged in as root. Linux distributions provide a very useful mechanism called sudo that allows an authorized user to run particular commands as root after entering their own password; the credential is cached so that, by default, further sudo commands within 5 minutes do not prompt again. Every invocation is logged through syslog, allowing you to keep watch on who executes what command, and you can limit which commands each user or group may execute. The sudo package is part of the base minimal install and is configured through /etc/sudoers; always edit that file with visudo, which checks the syntax before saving, because a syntax error there can leave you with no working path to root.
Institute a password policy
In addition to a tool like sudo, one of the best defenses against compromise of a user account is a solid password policy. Ensure that your users understand that simple passwords are easily guessable and should not be used, and back the policy with enforcement: SLES, like many Linux distributions, uses PAM to control password and authentication policy. On SLES 10 the stack in /etc/pam.d/common-password runs pam_pwcheck with its cracklib option to reject weak passwords, while password ageing is set in /etc/login.defs for new accounts and with chage for existing ones.
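An audit of the ageing side of that policy, as an added example that is not from the original article: it reads /etc/shadow, reports accounts with an empty password field (which allow login with no password at all) and usable passwords that never expire, and shows the chage call that brings an account into line. The sample shadow file is constructed and its hashes are placeholders; the 90/1/14 day values are an assumed policy.

```shell
# Added example (not from the original article): find accounts whose
# password settings undermine the policy, using the /etc/shadow fields
# name:hash:lastchange:min:max:warn:inactive:expire. The sample is
# constructed; hashes are placeholders, and the ageing values are assumed.

# Read /etc/shadow on stdin. Report empty password fields and usable
# passwords that never expire. Locked accounts (hash starting with ! or *)
# cannot log in with a password, so they are skipped.
shadow_findings() {
    awk -F: '
        $2 == ""                 { print $1 ": empty password field"; next }
        $2 ~ /^[!*]/             { next }
        $5 == "" || $5 >= 99999  { print $1 ": password never expires" }
    '
}

# Enforce ageing on one account: -M max days, -m min days, -W warning days.
enforce_ageing() {
    chage -M 90 -m 1 -W 14 "$1"
}

SAMPLE_SHADOW='root:$2a$05$placeholderhashroot:13870:0:99999:7:::
jturnbull:$2a$05$placeholderhashuser:13870:1:90:14:::
games:!:13870:0:99999:7:::
legacysvc::13870:0:99999:7:::'

# On a real host: shadow_findings < /etc/shadow   (needs root)
printf '%s\n' "$SAMPLE_SHADOW" | shadow_findings
# root: password never expires
# legacysvc: empty password field
```

The empty field is the urgent one: lock the account with passwd -l or give it a real password before anything else. For the PAM side, drop the nullok option from the pam_pwcheck and pam_unix2 lines in /etc/pam.d/common-password so that empty passwords are rejected at login as well, and check the pam_pwcheck man page on your host for the history (remember) option before adding it.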
Keep packages up-to-date
As always, a proactive policy is the first line of defense; it is always better to anticipate a disaster than to have to recover from one which could have been prevented. One of the best things you can do to protect your hosts from attack is keep them up-to-date. Regularly check, download and apply updates to your packages. YaST Online Update provides the easiest method (either via the GUI or the ncurses-based text mode), and on SLES 10 the rug command-line client can do the same from a script or a cron job. You can also check the current security patches and issues related to SLES on Novell's Security Information page.
Monitor and respond
Finally, once you've hardened your host, you need to monitor it. Check your logs, direct your syslog output to a central logging server (SLES 10 ships syslog-ng, which can forward to a remote destination, so an attacker who gains root cannot quietly erase the evidence) and check the logging output using tools like SEC or Swatch. You will need to tune your correlation and alerting logic regularly to ensure that the right alerts are being generated. Most importantly: when alerts are received, investigate them. There is no point alerting on security events if you don't respond to the alerts with due diligence.
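The simplest useful correlation rule, as an added example that is not from the original article: count failed SSH logins per source address and report the sources that exceed a threshold. It is the logic you would later express as an SEC or Swatch rule, written here as a shell function so it can be run by hand or from cron against /var/log/messages. The log lines are constructed to resemble SLES 10 sshd messages; the hostname, addresses and threshold are assumptions.

```shell
# Added example (not from the original article): a correlation rule run
# over syslog text. It counts failed SSH logins per source address and
# reports sources at or above a threshold. Log lines are constructed.

# Read syslog lines on stdin; $1 = number of failures that triggers an alert.
# Prints "address count" per offending source, sorted.
ssh_bruteforce_sources() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# Constructed sample: a scan from 10.0.0.5 and one typo from an admin
SAMPLE_LOG='Mar  3 10:12:01 sles10 sshd[4012]: Failed password for invalid user admin from 10.0.0.5 port 4021 ssh2
Mar  3 10:12:04 sles10 sshd[4014]: Failed password for invalid user oracle from 10.0.0.5 port 4022 ssh2
Mar  3 10:12:07 sles10 sshd[4016]: Failed password for root from 10.0.0.5 port 4023 ssh2
Mar  3 10:12:09 sles10 sshd[4018]: Failed password for root from 10.0.0.5 port 4024 ssh2
Mar  3 10:15:30 sles10 sshd[4020]: Failed password for jturnbull from 192.168.1.20 port 51022 ssh2
Mar  3 10:15:35 sles10 sshd[4020]: Accepted publickey for jturnbull from 192.168.1.20 port 51022 ssh2'

# On a host: ssh_bruteforce_sources 5 < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforce_sources 3   # 10.0.0.5 4
```

Note that the admin's single failure stays below the threshold; the threshold is the tuning knob the text refers to, and a rule like this is only as good as the follow-up when it fires. When the logs are shipped to a central server, run the rule there rather than on each host, so that the counting survives a compromise of the host being attacked.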
I hope you've enjoyed this quick introduction to hardening your SLES hosts. You can find additional security and system administration information for SLES at the Novell site and in the SLES documentation.
About the author: James Turnbull is the author of Pro Nagios 2.0 and Hardening Linux. A security architect for the National Australia Bank, James is the resident security expert for SearchEnterpriseLinux.com. Recently, James discussed the risk of viruses and malware to Linux systems.
This was first published in March 2008