Security & Hardening

Securing your Oreon-based system is crucial. This guide covers fundamental security practices for Fedora/RHEL-like environments.

Firewall (firewalld)

Fedora and RHEL derivatives use firewalld as the default firewall management tool. It utilizes zones to manage trust levels for network connections and interfaces.

Key Commands:

  • Check status: sudo systemctl status firewalld
  • List active rules/zones: sudo firewall-cmd --list-all
  • Make configuration changes permanent: Add the --permanent flag to commands.
  • Reload after permanent changes: sudo firewall-cmd --reload

Example: Allow SSH only from a specific subnet:

# Remove default ssh service if present
sudo firewall-cmd --remove-service=ssh --permanent
# Add specific rule
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept' --permanent
# Reload firewall
sudo firewall-cmd --reload

Always configure the firewall according to the principle of least privilege, only opening necessary ports and services.

SELinux

SELinux (Security-Enhanced Linux) provides Mandatory Access Control (MAC), enforcing fine-grained permissions beyond standard Linux discretionary access controls.

Modes:

  • Enforcing: Actively blocks actions violating policy (Default & Recommended).
  • Permissive: Logs violations but does not block them (Useful for debugging).
  • Disabled: SELinux is turned off (Strongly discouraged).

Key Commands:

  • Check status: sestatus
  • Check current mode: getenforce
  • Temporarily set permissive: sudo setenforce 0
  • Temporarily set enforcing: sudo setenforce 1

Persistent mode changes require editing /etc/selinux/config and rebooting. Troubleshooting often involves checking audit logs (/var/log/audit/audit.log) using tools like ausearch or audit2why and adjusting policies or contexts if necessary.

User Privileges & sudo

Adhere to the principle of least privilege. Avoid using the root account directly for daily tasks.

  • Use standard user accounts.
  • Elevate privileges only when necessary using sudo.
  • Manage sudo permissions carefully using the visudo command to edit the sudoers configuration safely.
  • Grant specific commands or limit privileges rather than giving full root access whenever possible.

Refer to the User Management guide for details on creating users and groups.

System Updates

Keeping the system updated is one of the most critical security practices. Updates patch known vulnerabilities.

  • Regularly run sudo dnf update.
  • Consider configuring automatic updates using dnf-automatic for critical systems.

See the System Updates guide for more details.