Securing Linux - CentOS7

StrongBad

When you can, within reason, you want to have SELinux or AppArmor turned on. They are there for a reason, they provide rather a significant amount of additional protection.

stacksofplates

SELinux writes logs to the /var/log/audit/audit.log file, if auditd isn't running then its the /var/log/messages. If you check the logs, it pretty much tells you what you need to do to allow your service.

wirestyle22

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Reid Cooper

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

scottalanmiller

@Reid-Cooper said:

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

I hear that it comes highly recommended.

coliver

@scottalanmiller said:

@Reid-Cooper said:

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

I hear that it comes highly recommended.

There may be a bit of bias there.

wirestyle22

@scottalanmiller said:

@Reid-Cooper said:

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

I hear that it comes highly recommended.

I will certainly check it out. I'm building my Linux Test Environment Server. I'm going to use it for a myriad of things.

scottalanmiller

I am trying hard to keep several new articles coming each week.

wirestyle22

@scottalanmiller said:

I am trying hard to keep several new articles coming each week.

I appreciate that greatly. I'll be updating my progress and I'm sure I'll be asking a lot of questions to break everything down and provide hypotheticals.

stacksofplates

If you're running Fedora, there is an SELinux Troubleshooter tool that comes in really handy. I just moved my KVM images to a different folder. I had to change the context of the folder to allow KVM to read the images. As soon as the error happened, I got a notification from the troubleshooter. Highlighted is the commands you need to allow the action.

hobbit666

What about users?
At the moment I don't create a new user I just use root with a strong password.

Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

scottalanmiller

@hobbit666 said:

What about users?
At the moment I don't create a new user I just use root with a strong password.

Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

Really depends on how you plan to use the system.

hobbit666

@scottalanmiller said:

@hobbit666 said:

What about users?
At the moment I don't create a new user I just use root with a strong password.

Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

Really depends on how you plan to use the system.

At the moment its one VM for FOG and another VM for SnipeIT

stacksofplates

@hobbit666 said:

What about users?
At the moment I don't create a new user I just use root with a strong password.

Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

If you're only going to have a few Linux boxes its probably easier to just script the user/key creation.

hobbit666

thinking about it ...... it's more the backend I guess as FOG and SnipeIT (soon to be Zabbix and Unifi as well) all have there own User control. So more for running yum update command once in a while

scottalanmiller

@hobbit666 said:

thinking about it ...... it's more the backend I guess as FOG and SnipeIT (soon to be Zabbix and Unifi as well) all have there own User control. So more for running yum update command once in a while

Yeah, UNIX logins are actually not all that common for end users. We have them, but it is because we use Linux as terminal servers.

StrongBad

@scottalanmiller I almost never use them. A few service accounts and that's about it.