Security Guide
- About This Guide
- 1 Security and Confidentiality
- I Authentication
- II Local Security
- III Network Security
- IV Confining Privileges with AppArmor
- 18 Introducing AppArmor
- 19 Getting Started
- 20 Immunizing Programs
- 21 Profile Components and Syntax
- 22 AppArmor Profile Repositories
- 23 Building and Managing Profiles with YaST
- 24 Building Profiles from the Command Line
- 25 Profiling Your Web Applications Using ChangeHat
- 26 Confining Users with
pam_apparmor - 27 Managing Profiled Applications
- 28 Support
- 29 AppArmor Glossary
- V The Linux Audit Framework
- A Documentation Updates
- B GNU 授權
A Documentation Updates
- A.1 October 2016 (Initial Release of SUSE Linux Enterprise Desktop 12 SP2)
- A.2 March 2016 (Maintenance Release of SUSE Linux Enterprise Desktop 12 SP1)
- A.3 December 2015 (Initial Release of SUSE Linux Enterprise Desktop 12 SP1)
- A.4 February 2015 (Documentation Maintenance Update)
- A.5 October 2014 (Initial Release of SUSE Linux Enterprise Desktop 12)
This chapter lists content changes for this document.
This manual was updated on the following dates:
Section A.2, “March 2016 (Maintenance Release of SUSE Linux Enterprise Desktop 12 SP1)”
Section A.3, “December 2015 (Initial Release of SUSE Linux Enterprise Desktop 12 SP1)”
Section A.4, “February 2015 (Documentation Maintenance Update)”
Section A.5, “October 2014 (Initial Release of SUSE Linux Enterprise Desktop 12)”
A.1 October 2016 (Initial Release of SUSE Linux Enterprise Desktop 12 SP2) #
- Chapter 4, Authentication Server and Client
In Section 4.2, “Configuring an Authentication Client with YaST (SSSD)”, the command is called
sss_cache(https://bugzilla.suse.com/show_bug.cgi?id=993377).
- Chapter 14, SSH: Secure Network Operations
New section Section 14.4.2, “Rotating Host Keys” (Fate #318427).
A.2 March 2016 (Maintenance Release of SUSE Linux Enterprise Desktop 12 SP1) #
- Chapter 7, Network Authentication with Kerberos
Fixed wrong service name (
sldapdtoslapd) (https://bugzilla.suse.com/show_bug.cgi?id=963047).- Chapter 16, Configuring a VPN Server
Use larger keys (min. 2048bit) instead of 1024 (https://bugzilla.suse.com/show_bug.cgi?id=959634).
A.3 December 2015 (Initial Release of SUSE Linux Enterprise Desktop 12 SP1) #
- 一般
SUSE Linux Enterprise Desktop 的文件現在包括SMT Guide。
SUSE 提供的附加產品已重新命名為模組與延伸。手冊已更新,以反映這項變更。
依據技術回餽,修復了文件中的大量小問題並新增了大量內容。
註冊服務已從 Novell Customer Center 變更為 SUSE Customer Center。
在 YaST 中,現在您可以透過群組到達。為 gone (https://bugzilla.suse.com/show_bug.cgi?id=867809)。
- Chapter 4, Authentication Server and Client
Updated the chapter to reflect new GUI improvements for Kerberos/LDAP client (Fate #316349).
- Chapter 8, Configuring Security Settings with YaST
Updated chapter because of
systemd-related changes (Fate #318425).- Chapter 15, Masquerading and Firewalls
- Bugfixes
Removed obsolete
acpid.service(https://bugzilla.suse.com/show_bug.cgi?id=918655).Removed
/etc/sysconfig/auditdfrom Section 30.2, “Configuring the Audit Daemon”—this configuration file has been removed without replacement (https://bugzilla.suse.com/show_bug.cgi?id=918655).Extend Firewall Documentation to Describe How to Open a Port (https://bugzilla.suse.com/show_bug.cgi?id=914076).
A.4 February 2015 (Documentation Maintenance Update) #
- Bugfixes
Removed part on SELinux (https://bugzilla.suse.com/show_bug.cgi?id=913640).
Numerous small fixes for Chapter 16, Configuring a VPN Server:
A.5 October 2014 (Initial Release of SUSE Linux Enterprise Desktop 12) #
- 一般
由於不再提供 KDE,移除了所有 KDE 文件和參考內容。
由於不再支援 SuSEconfig,移除了所有相關參考內容 (Fate#100011)。
從 System V init 移至 systemd (Fate#310421)。更新了文件受影響的部分。
YaST 執行層級編輯器已變更為服務管理員 (Fate#312568)。更新了文件受影響的部分。
由於 ISDN 支援已被移除,移除了 ISDN 的所有參考內容 (Fate#314594)。
由於不再提供 YaST DSL 模組,移除了所有相關參考內容 (Fate#316264)。
由於不再提供 YaST 數據機模組,移除了所有相關參考內容 (Fate#316264)。
Btrfs 已變為根分割區的預設檔案系統 (Fate#315901)。更新了文件受影響的部分。
dmesg現在提供與ctime()格式類似的可讀時間戳記 (Fate#316056)。更新了文件受影響的部分。syslog 和 syslog-ng 已被 rsyslog 取代 (Fate#316175)。更新了文件受影響的部分。
MariaDB 現在做為關聯式資料庫而非 MySQL 提供 (Fate#313595)。更新了文件受影響的部分。
SUSE 相關產品不再在 http://download.novell.com 上提供,而是在 http://download.suse.com 上提供。連結已相應地調整。
Novell Customer Center 已取代為 SUSE Customer Center。更新了文件受影響的部分。
/var/run掛接為 tmpfs (Fate#303793)。更新了文件受影響的部分。不再支援以下架構:IA64 與 x86。更新了文件受影響的部分。
使用
ifconfig設定網路的傳統方法已由wicked取代。更新了文件受影響的部分。許多網路指令已過時,現已由更新的指令取代 (通常使用
ip)。更新了文件受影響的部分。arp︰ip neighborifconfig︰ip addr、ip linkiptunnel︰ip tunneliwconfig︰iwnameif︰ip link、ifrenamenetstat︰ss、ip route、ip -s link、ip maddrroute︰ip route依據技術回餽,修復了文件中的大量小問題並新增了大量內容。
- Chapter 2, Authentication with PAM
The
pam_pwcheckmodule has been replaced withpam_cracklibandpam_pwhistory. Updated chapter to reflect this change.- Chapter 4, Authentication Server and Client
Added a chapter about the new YaST authentication module for Kerberos and LDAP (Fate #316349). The chapter consists of two parts: Section 4.1, “Configuring an Authentication Server” and Section 4.2, “Configuring an Authentication Client with YaST (SSSD)” (Fate #308902).
- Chapter 5, LDAP—A Directory Service
Updated chapter to reflect the changes in YaST regarding authentication setup (Fate #316349).
- Chapter 7, Network Authentication with Kerberos
Updated chapter to reflect the changes in YaST regarding authentication setup (Fate #316349).
- Chapter 9, Authorization with PolKit
Updated chapter to reflect major software updates.
- Chapter 14, SSH: Secure Network Operations
Mentioned that SSH on SUSE Linux Enterprise Desktop uses cryptographic hardware acceleration if available (Fate #308239).
New section Section 14.3.2, “Setting Permissions for File Uploads” (Fate #312774).
- Chapter 17, Managing X.509 Certification
The YaST CA module now allows to export key and certificate into different files. See Section 17.2.5, “Changing Default Values” (Fate #305490).
- Part IV, “Confining Privileges with AppArmor”
Added short description of supported AppArmor profile flags in Section 21.6.1, “Profile Flags”.
Thoroughly explained the syntax and subtle differences in meaning for AppArmor include statements in Section 21.3, “Include Statements”.
Introduced extended ways to map a profile: Added Section 21.6.3, “Pattern Matching”, Section 21.6.4, “Namespaces” and updated Section 21.6.6, “Alias Rules”.
Added description for new optional
allowandfilekeywords for AppArmor profiles in Section 21.7.7, “OptionalallowandfileRules”.Added description for new
safeandunsafekeywords for AppArmor profiles to Section 21.8.10, “safeandunsafeKeywords”.New
PUx/puxandCUx/cuxprofile transitions added in Section 21.8.8, “Fallback Modes for Profile Transitions”.Added new section Section 21.6.3, “Pattern Matching”.
Restructured and completely rewrote Chapter 25, Profiling Your Web Applications Using ChangeHat.
Removed old content describing the YaST method.
Introduced a command line example on creating a hat for the Adminer application.
- Part V, “The Linux Audit Framework”
Numerous small fixes and additions, based on technical feedback.
- Obsolete Content
Section Adding a Profile Using the Wizard has been removed from Chapter 23, Building and Managing Profiles with YaST (Fate #308684).
Section Updating Profiles from Log Entries has been removed from Chapter 23, Building and Managing Profiles with YaST (Fate #308683).
Chapter Using the Fingerprint Reader has been removed from Part I, “Authentication” (Fate #313128).
- Bugfixes
Updated the AppArmor documentation to version 2.8 AppArmor (http://bugzilla.suse.com/show_bug.cgi?id=722915).