This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Chapter 1. Managing Security and Risk

SectionManaging Security and Risk
Quiz: Managing Security and Risk
Reviewing Recommended Security Practices
Guided Exercise: Reviewing Recommended Security Practices
Lab: Managing Security and Risk
Summary

Abstract

Goal	Define strategies to manage security on Red Hat Enterprise Linux servers.
Objectives	Describe the fundamental concepts of security management for Red Hat Enterprise Linux servers, how to approach the security management process, and how Red Hat's development process and security response practices help. Review simple recommended practices to improve the security of a server system.
Sections	Managing Security and Risk (and Quiz) Reviewing Recommended Security Practices (and Guided Exercise)
Lab	Managing Security and Risk

Managing Security and Risk

Objectives

After completing this section, students should be able to describe:

Fundamental concepts of security management for Red Hat Enterprise Linux servers and how to approach the security management process.
Red Hat's development process and security response practices.

Risk Management

A risk is any event that presents the possibility of loss, whether it be financial or productivity loss or delays to services. Continuous risk management is a process for taking a proactive approach to discovering potential risk, assessing facts, and taking action based on the facts to resolve those risks. Monitoring risk indicators and the actions taken to resolve them is important to succeed in risk management. Communicating to stakeholders what those risk indicators are, the actions taken to resolve them, and the results, all promote confidence and stability in the process.

The following diagram illustrates a process for continuously managing security risks by maintaining constant attention to potential security vulnerabilities and taking a proactive approach to maintaining a secure computing environment.

Figure 1.1: Continuous risk management life cycle

Managing Security

Managing security in your computing environments is a collection of continuous activities. Red Hat offers solutions that enable security in each phase of the continuous security life cycle. The following diagram illustrates a continuous security life cycle that incorporates the risk management life cycle.

Figure 1.2: Continuous security and risk management life cycle

Continuous Security

Security must be both proactive and reactive. It must be considered at every stage of your application and infrastructure life cycle. To do this effectively, you need to integrate security experts into your application, deployment, and infrastructure teams.

Design

Develop security requirements, design security process and procedures, communicate so that all team members take these into account when designing applications and infrastructure for continuous security and compliance. Collaboratively develop and communicate your security policy and procedures.

In this stage you may be looking at what security policies you must comply with, and you would determine how to implement controls and technologies to accomplish that.

Red Hat consultants and partners are available to help customers design security into their applications and application development life cycle and their infrastructure and operations management process.

Build

Build security features into your applications and your infrastructure.

Automate and integrate security testing into your continuous integration and continuous deployment process. Use test outcomes to trigger appropriate action: deploy or prevent deployment.
Define security profiles and automate the configuration of those profiles whenever new systems are deployed.

This is when you implement your designs and build your applications, and determine how you will deploy them to production in a repeatable, reliable, and secure way. You may also be thinking about how you will deploy and provision the infrastructure supporting those servers, using tools such as Kickstart, Red Hat Satellite, Red Hat Virtualization, and Red Hat Ansible Automation to help.

From Red Hat's perspective, this involves ensuring that we provide stable and safe development platforms and middleware that you can use to design and create your applications.

Run

Run on trusted platforms with built-in security features, such as SELinux.

You can take advantage of the tools Red Hat provides to help operate your systems. This may include taking advantage of the tested, stable software that Red Hat ships with full support. Or you may be using technologies that Red Hat provides, such as SELinux that helps make it harder for attackers to exploit security-related issues.

Manage

Maintain an up-to-date catalog of assets and monitor access and usage. Deploy a management solution that provides a single management interface across your footprints: physical, virtual, and private and public cloud. Actively manage users and access.

Red Hat Satellite can help you keep track of what systems are deployed in your environment and whether or not they are up-to-date with errata. Other management tools, such as Red Hat Ansible Automation may make it easier for you to remediate configuration drift and ensure that your servers and applications are correctly configured and deployed. You may have tools like Red Hat CloudForms to help users deploy curated images and instances in cloud or managed virtualization environments.

Using these solutions effectively allows you to automatically apply, audit, and remediate security and regulatory compliance policies across workloads, whether deployed to bare-metal or virtual servers, as a container, on-premise, or in a public, private, or hybrid cloud.

Adapt

Use analytics and automation to adapt, revise, update, and remediate as the landscape changes. As roles and responsibilities change, update access settings.

You can use tools such as Red Hat Insights to help identify common misconfigurations or new security issues that Red Hat has identified in order to proactively adapt to emerging issues.

As you adapt to the ever-changing security landscape, you can take what you have learned and revisit the Design stage, starting the cycle over again.

How Red Hat Can Help You Manage Security

Securing computing infrastructures has changed significantly in recent years. Keeping your operating systems updated with the latest security patches is no longer sufficient. Operating system providers must be more proactive in combating security problems.

Red Hat’s Product Security team analyses threats and vulnerabilities against all of our products every day, and provides relevant advice and updates through the Red Hat Customer Portal. Red Hat provides patches to supported versions of Red Hat products, frequently on the same day the vulnerability is first published, minimizing disruption by allowing enterprises to continue to work safely with current versions and upgrade to newer versions when the business is ready.

Red Hat Product Security provides the guidance, stability, and security needed to confidently deploy enterprise solutions.

Red Hat aims to:

Help protect customers from meaningful security concerns when using Red Hat products and services.
Investigate, track, and explain security issues that may affect users of Red Hat supported products and services.
Be the point of contact for customers, users, and researchers who have found security issues in our products and services and publish the procedures for dealing with those issues.
Ensure timely security fixes and ensure our customers can easily find, obtain, and understand security advisories and updates for our supported products and services.
Help customers keep their systems updated to minimize the risk of security issues and provide automated analysis enforcement of security practices.
Work with other Linux vendors and open source software to reduce the risk of security issues through information sharing and peer review.

Red Hat Security Reporting

Red Hat takes security very seriously, and aims to take immediate action to address serious security-related problems that involve Red Hat products or services.

Red Hat Security Response

The Red Hat Security Response Team is a point of contact for customers concerning security issues related to Red Hat products. The Security Response Team investigates and verifies issues. They analyze which products are affected, determine the impact, and determine the required remedial action. In cases where a security update is produced, the Security Response Team works to determine an appropriate public notification. The Security Response Team is responsible for publishing Red Hat Security Advisories (RHSAs) as well as handling inquiries from customers.

You should report any suspected security vulnerability in a Red Hat product or service to Red Hat Product Security at <secalert@redhat.com>. Only members of Red Hat Product Security, a restricted and carefully chosen group of Red Hat employees, have access to material sent to the <secalert@redhat.com> address. No outside users can subscribe to this list.

Email sent to <secalert@redhat.com> is read and acknowledged by a team member within three working days. For complex issues that require significant attention, Red Hat opens an investigation and provides you with a mechanism to check the status of the teams progress at any time. Any information you share with Red Hat about security issues, that are not public knowledge, is kept confidential within Red Hat. It is not passed on to any third party without your permission.

Making Customers Aware of Risks

Red Hat Product Security provides objective information about security risks that affect you, regardless of possible media hype. Red Hat uses the following workflow to communicate accurate information about how these vulnerabilities affect you, so you can make informed decisions.

Figure 1.3: Security risk awareness workflow

Red Hat Security Severity Ratings

Red Hat Product Security rates the impact of security issues found in Red Hat products using a 4-point scale (Low, Moderate, Important, and Critical), as well as Common Vulnerability Scoring System (CVSS)-based scores. These provide a prioritized risk assessment to help you understand and schedule upgrades to your systems, enabling informed decisions on the risk each issue places on your unique environment.

The 4-point scale indicates how serious Red Hat considers an issue to be, helping you judge the severity and determine what the most important updates are. The scale takes into account the potential risk based on a technical analysis of the exact flaw and its type, but not the current threat level. A given rating will not change if an exploit or worm is later released for a flaw, or if one is available before the release of a fix.

Table 1.1. Issue Severity Classification

Impact	Description
Critical	This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical impact.
Important	This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service.
Moderate	This rating is given to flaws that may be more difficult to exploit, but could lead to some compromise of the confidentiality, integrity, or availability of resources under certain circumstances. These are the types of vulnerabilities that could have had a Critical impact or Important impact but are less easily exploited based on a technical evaluation of the flaw, or that affect unlikely configurations.
Low	This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would have minimal consequences.

A Red Hat security advisory can contain fixes for more than one vulnerability and for packages related to more than one product (such as both Red Hat Enterprise Linux 5 and 6). Each issue in an advisory has an impact rating for each product. The overall severity of an advisory is the highest severity out of all the individual issues, across all the products that the advisory targets. For simplicity, advisories only show the overall severity (except for kernel advisories, which list the severity of each issue). The advisories contain links to the relevant entries in Red Hat's bug-tracking system, where you can examine individual impacts and additional commentary.

When a technology that is enabled and most likely used by default completely blocks the exploitation of a particular vulnerability across all architectures, Red Hat adjusts the severity level. When a technology reduces the risk of a vulnerability, we may adjust the severity level and give an explanation of the decision in the bug-tracking entry.

Backporting Security Fixes

Backporting refers to the action of taking a fix for a security flaw out of the most recent version of an upstream software package and applying that fix to an older version of the package distributed by Red Hat. Backporting is common among vendors such as Red Hat and is essential to ensuring we can deploy automated updates to customers with minimal risk. Backporting might be a new concept for those more familiar with proprietary software updates.

An Example of Why Red Hat Backports Security Fixes

Backporting is a tradeoff between fixing security vulnerabilities and not breaking customer applications by forcing an immediate update to a newer version of software with different features, APIs, or behaviors. One way Red Hat could remediate a security issue would be to provide a later version of a software package and forcing customers to upgrade. However, this approach might cause problems for other parts of customer applications that depend on certain API behaviors, features, or database formats and schemas.

For example, Red Hat provided version 5.3 of PHP in Red Hat Enterprise Linux 6. The upstream developers of PHP stopped supporting PHP 5.3 on August 14, 2014. The upstream developers no longer release updates of any kind for PHP 5.3. If security issues occur, the upstream project only fixes them in later versions of PHP.

On October 14, 2014, a buffer overflow flaw was found in PHP which Red Hat rated as Important (CVE-2014-3670). This issue could allow a remote attacker to crash a PHP application or, possibly, execute arbitrary code with the privileges of the user running that PHP application.

The upstream project developed a fix, and released it for PHP 5.4. But because they no longer support PHP 5.3, that version of PHP was not updated by the upstream project.

However, Red Hat had customers using PHP 5.3. Red Hat did not want to force them to migrate to PHP 5.4 due to the risk of backward compatibility problems between versions 5.3 and 5.4. Therefore, Red Hat backported the fix for this issue from PHP 5.4 to PHP 5.3 without changing other features, and released updated packages for Red Hat Enterprise Linux 6 customers.

This allowed Red Hat customers to continue to run PHP 5.3 and not be vulnerable to CVE-2014-3670, even though the last upstream release of PHP 5.3 was still vulnerable to the issue.

Red Hat performs the following procedures to backport security fixes:

Identify the fixes and isolate them from any other changes.
Make sure the fixes do not introduce unwanted side effects.
Apply the fixes to our previously released versions.

For most products, Red Hat's default practice is to backport security fixes, but sometimes Red Hat provides version updates for certain packages after careful testing and analysis. These are likely to be packages that have no interaction with others, or those used by an end-user, such as web browsers and instant messaging clients.

Understanding the Relationship Between Software Version and Vulnerabilities

Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package does not indicate if they are vulnerable or not. For example, stories in the press may include phrases such as "upgrade to Apache httpd 2.0.43 to fix the issue," which only takes into account the upstream version number. This can cause confusion because even after installing updated packages from a vendor, it is not likely that customers will have the latest upstream version. They will instead have an earlier upstream version with backported patches applied.

Also, some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes.

Red Hat CVEs and Errata

Because of backporting, the version of a software package is not the best way to track whether it is vulnerable to a particular issue. In order to make it easier to track specific security vulnerabilities, Red Hat works with the Common Vulnerabilities and Exposures (CVE) project to report and track security-related software issues using standardized numbers and names.

Each CVE entry consists of an ID number, including the year and a sequence number to uniquely identify it, a short description to summarize the issue, and a list of links to content relevant to the vulnerability (providing more information about the issue or discussing whether particular products are affected).

The community web presence and management of the CVE compatibility program is handled by the MITRE Corporation. CVE format is also used for the National Vulnerability Database (NVD) managed by the US National Institute of Standards and Technology (NIST).

Since the introduction of Red Hat Enterprise Linux, Red Hat is careful to explain in security advisories how issues are fixed, whether by moving to a later upstream version or by backporting patches to the existing version. Red Hat has attached CVE names to all Red Hat advisories since January 2000, allowing customers to easily cross-reference vulnerabilities and find out how and when Red Hat fixed them, independent of version numbers.

Red Hat also supplies OVAL definitions (machine-readable versions of our advisories) that third-party vulnerability tools can use to determine the status of vulnerabilities, even when security fixes have been backported. In doing this, Red Hat hopes to remove some of the confusion surrounding backporting and make it easier for customers to always keep up-to-date with the latest security fixes.

After Red Hat releases a security fix, bug fix, or feature enhancement in a distributed software package, Red Hat issues an errata announcement. There are three types of errata announcements:

Red Hat Security Advisory (RHSA): Packages listed are updated to fix a security-related issue.
Red Hat Bug Fix Advisory (RHBA): Packages listed are updated to fix an issue that is not security-related.
Red Hat Enhancement Advisory (RHEA): Packages listed are updated to add an additional enhancement, such as new features.

The Red Hat Security Advisory (RHSA) will contain a unique advisory ID, a severity, an issue date, a brief description of the issue fixed by the updated packages, and the list of packages included in the advisory that require updating. The severity is used by customers to determine how important a specific security update is to their environment.

Important

A single CVE entry may result in multiple Red Hat Security Advisories as the issue is addressed in different products.

Likewise, a single Red Hat Security Advisory may address several CVE issues in one software update. Red Hat may also update multiple related software packages as part of the advisory.

Using YUM to manage security errata

Using YUM to Manage Security Errata

The Yum package manager includes several security-related features that can be used to search, list, display, and install security errata. These features also make it possible to use Yum to install nothing but security updates.

To check for security-related updates available for your system, enter the following command as root:

[root@demo ~]# yum updateinfo --security
...output omitted...
Updates Information Summary: updates
8 Security notice(s)
    1 Critical Security notice(s)
    5 Important Security notice(s)
    2 Moderate Security notice(s)
...output omitted...

Enter the following Yum command to identify RHSAs specifically related to critical security notices:

[root@demo ~]# yum updateinfo list updates | grep Critical
RHSA-2018:1453 Critical/Sec.  dhclient-12:4.2.5-68.el7_5.1.x86_64
RHSA-2018:1453 Critical/Sec.  dhcp-common-12:4.2.5-68.el7_5.1.x86_64
RHSA-2018:1453 Critical/Sec.  dhcp-libs-12:4.2.5-68.el7_5.1.x86_64

Enter the following Yum command to view the RHSA details:

[root@demo ~]# yum updateinfo RHSA-2018:1453
...output omitted...
===============================================================================
  Critical: dhcp security update
===============================================================================
  Update ID : RHSA-2018:1453
    Release : 0
       Type : security
     Status : final
     Issued : 2018-05-15 12:14:45 UTC
    Updated : 2018-05-15 12:15:00 UTC       Bugs : 1567974 - CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
       CVEs : CVE-2018-1111
Description : The Dynamic Host Configuration Protocol (DHCP) is a protocol
            : that allows individual devices on an IP network to
            : get their own network configuration information,
            : including an IP address, a subnet mask, and a
            : broadcast address. The dhcp packages provide a
            : relay agent and ISC DHCP service required to
            : enable and administer DHCP on a network.
            :
            : Security Fix(es):
            :
            : * A command injection flaw was found in the
            :   NetworkManager integration script included in
            :   the DHCP client packages in Red Hat Enterprise
            :   Linux. A malicious DHCP server, or an attacker
            :   on the local network able to spoof DHCP
            :   responses, could use this flaw to execute
            :   arbitrary commands with root privileges on
            :   systems using NetworkManager and configured to
            :   obtain network configuration using the DHCP
            :   protocol. (CVE-2018-1111)
            :
            : Red Hat would like to thank Felix Wilhelm (Google
            : Security Team) for reporting this issue.
   Severity : Critical
updateinfo info done
Uploading Enabled Repositories Report
Loaded plugins: langpacks, product-id, subscription-manager

Enter the following Yum command with the CVE code listed from the RHSA details to identify the required packages that resolve the critical security issues:

[root@demo ~]# yum updateinfo list --cve CVE-2018-1111
...output omitted...
RHSA-2018:1453 Critical/Sec. dhclient-12:4.2.5-68.el7_5.1.x86_64
RHSA-2018:1453 Critical/Sec. dhcp-common-12:4.2.5-68.el7_5.1.x86_64
RHSA-2018:1453 Critical/Sec. dhcp-libs-12:4.2.5-68.el7_5.1.x86_64
updateinfo list done
Uploading Enabled Repositories Report
Loaded plugins: langpacks, product-id, subscription-manager

Enter the following Yum command with the CVE code listed in the RHSA details to update the system with packages that resolve the security issues:

[root@demo ~]# yum update --cve CVE-2018-1111
...output omitted...
3 package(s) needed (+0 related) for security, out of 56 available
Resolving Dependencies
...output omitted...
Updated:
  dhclient.x86_64 12:4.2.5-68.el7_5.1
  dhcp-common.x86_64 12:4.2.5-68.el7_5.1
  dhcp-libs.x86_64 12:4.2.5-68.el7_5.1
Complete!
Uploading Enabled Repositories Report
Loaded plugins: langpacks, product-id, subscription-manager

References

Red Hat Product Security Center

Security Contacts and Procedures

Notifications and Advisories

Understanding Red Hat security ratings

Backporting Security Fixes

Common Vulnerabilities and Exposures

National Vulnerability Database

Red Hat CVE Database

For more information, refer to the Keeping Your System Up-to-Date chapter in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#chap-Keeping_Your_System_Up-to-Date

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c