Most of the major web browsers, such as Firefox, Chrome, and Chromium, come with their own pre-defined database of trusted CAs and their associated certificates. When you create a private CA, you'll need to import the CA certificate into your browser's trust store. Otherwise, your users will keep receiving messages about how the sites that they're viewing are using untrusted certificates. Indeed, that's the case with our Dogtag server. Any user who accesses it to request a certificate will receive a warning about how the CA is using a non-trusted certificate. We'll fix that by exporting the CA certificate from the Dogtag server and importing it into all of your users' browsers. Let's dig in, shall we?
Adding a CA to an operating system
by Donald A. Tevault
Mastering Linux Security and Hardening - Second Edition
- Title Page
- Copyright and Credits
- About Packt
- Contributors
- Preface
- Section 1: Setting up a Secure Linux System
- Running Linux in a Virtual Environment
- Looking at the threat landscape
- Why do security breaches happen?
- Keeping up with security news
- Differences between physical, virtual, and cloud setups
- Introducing VirtualBox and Cygwin
- Installing a virtual machine in VirtualBox
- Installing the EPEL repository on the CentOS 7 virtual machine
- Installing the EPEL repository on the CentOS 8 virtual machine
- Configuring a network for VirtualBox virtual machines
- Creating a virtual machine snapshot with VirtualBox
- Using Cygwin to connect to your virtual machines
- Using Windows 10 Pro Bash shell to interface with Linux virtual machines
- Keeping the Linux systems updated
- Summary
- Questions
- Further reading
- Securing User Accounts
- The dangers of logging in as the root user
- The advantages of using sudo
- Setting up sudo privileges for full administrative users
- Setting up sudo for users with only certain delegated privileges
- Advanced tips and tricks for using sudo
- The sudo timer
- View your sudo privileges
- Preventing users from having root shell access
- Preventing users from using shell escapes
- Preventing users from using other dangerous programs
- Limiting the user's actions with commands
- Letting users run as other users
- Preventing abuse via user's shell scripts
- Detecting and deleting default user accounts
- Locking down users' home directories the Red Hat or CentOS way
- Locking down users' home directories the Debian/Ubuntu way
- Enforcing strong password criteria
- Setting and enforcing password and account expiration
- Configuring default expiry data for useradd for Red Hat or CentOS only
- Setting expiry data on a per-account basis with useradd and usermod
- Setting expiry data on a per-account basis with chage
- Preventing brute-force password attacks
- Locking user accounts
- Locking the root user account
- Setting up security banners
- Detecting compromised passwords
- Understanding centralized user management
- Summary
- Questions
- Further reading
- Securing Your Server with a Firewall - Part 1
- Technical requirements
- An overview of firewalld
- An overview of iptables
- Uncomplicated firewall for Ubuntu systems
- Summary
- Questions
- Further reading
- Securing Your Server with a Firewall - Part 2
- Technical requirements
- nftables – a more universal type of firewall system
- firewalld for Red Hat systems
- Verifying the status of firewalld
- Working with firewalld zones
- Adding services to a firewalld zone
- Adding ports to a firewalld zone
- Blocking ICMP
- Using panic mode
- Logging dropped packets
- Using firewalld rich language rules
- Looking at iptables rules in RHEL/CentOS 7 firewalld
- Creating direct rules in RHEL/CentOS 7 firewalld
- Looking at nftables rules in RHEL/CentOS 8 firewalld
- Creating direct rules in RHEL/CentOS 8 firewalld
- Hands-on lab for firewalld commands
- Summary
- Questions
- Further reading
- Encryption Technologies
- GNU Privacy Guard (GPG)
- Encrypting partitions with Linux Unified Key Setup (LUKS)
- Encrypting directories with eCryptfs
- Home directory and disk encryption during Ubuntu installation
- Hands-on lab – encrypting a home directory for a new user account
- Creating a private directory within an existing home directory
- Hands-on lab – encrypting other directories with eCryptfs
- Encrypting the swap partition with eCryptfs
- Using VeraCrypt for cross-platform sharing of encrypted containers
- OpenSSL and the public key infrastructure
- Summary
- Questions
- Further reading
- SSH Hardening
- Ensuring that SSH protocol 1 is disabled
- Creating and managing keys for passwordless logins
- Disabling root user login
- Disabling username/password logins
- Configuring Secure Shell with strong encryption algorithms
- Setting system-wide encryption policies on RHEL 8/CentOS 8
- Configuring more detailed logging
- Configuring access control with whitelists and TCP Wrappers
- Configuring automatic logouts and security banners
- Configuring other miscellaneous security settings
- Setting up a chroot environment for SFTP users
- Sharing a directory with SSHFS
- Remotely connecting from Windows desktops
- Summary
- Questions
- Further reading
- Section 2: Mastering File and Directory Access Control (DAC)
- Mastering Discretionary Access Control
- Using chown to change ownership of files and directories
- Using chmod to set permissions on files and directories
- Using SUID and SGID on regular files
- The security implications of the SUID and SGID permissions
- Using extended file attributes to protect sensitive files
- Securing system configuration files
- Summary
- Questions
- Further reading
- Access Control Lists and Shared Directory Management
- Creating an ACL for either a user or a group
- Creating an inherited ACL for a directory
- Removing a specific permission by using an ACL mask
- Using the tar --acls option to prevent the loss of ACLs during a backup
- Creating a user group and adding members to it
- Creating a shared directory
- Setting the SGID bit and the sticky bit on the shared directory
- Using ACLs to access files in the shared directory
- Summary
- Questions
- Further reading
- Section 3: Advanced System Hardening Techniques
- Implementing Mandatory Access Control with SELinux and AppArmor
- How SELinux can benefit a systems administrator
- Setting security contexts for files and directories
- Troubleshooting with setroubleshoot
- Working with SELinux policies
- How AppArmor can benefit a systems administrator
- Looking at AppArmor profiles
- Working with AppArmor command-line utilities
- Troubleshooting AppArmor problems
- Exploiting a system with an evil Docker container
- Summary
- Questions
- Further reading
- Kernel Hardening and Process Isolation
- Understanding the /proc filesystem
- Setting kernel parameters with sysctl
- Configuring the sysctl.conf file
- Understanding process isolation
- Summary
- Questions
- Answers
- Further reading
- Scanning, Auditing, and Hardening
- Technical requirements
- Installing and updating ClamAV and maldet
- Scanning with ClamAV and maldet
- Scanning for rootkits with Rootkit Hunter
- Performing a quick malware analysis with strings and VirusTotal
- Understanding the auditd daemon
- Using ausearch and aureport
- Applying OpenSCAP policies with oscap
- Summary
- Questions
- Further reading
- Logging and Log Security
- Understanding the Linux system log files
- Understanding rsyslog
- Understanding journald
- Making things easier with Logwatch
- Setting up a remote log server
- Summary
- Questions
- Further reading
- Vulnerability Scanning and Intrusion Detection
- Security Tips and Tricks for the Busy Bee
- Technical requirements
- Auditing system services
- Password protecting the GRUB 2 bootloader
- Securely configuring BIOS/UEFI
- Using a security checklist for system setup
- Summary
- Questions
- Further reading
- Assessments
- Other Books You May Enjoy
Adding a CA to an operating system
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.