Chapter 6. Configuring basic system security
Computer security is the protection of computer systems and their hardware, software, information, and services from theft, damage, disruption, and misdirection. Ensuring computer security is an essential task, in particular in enterprises that process sensitive data and handle business transactions.
This section covers only the basic security features that you can configure after installation of the operating system.
6.1. Enabling the firewalld service
A firewall is a network security system that monitors and controls incoming and outgoing network traffic according to configured security rules. A firewall typically establishes a barrier between a trusted secure internal network and another outside network.
The firewalld service, which provides a firewall in Red Hat Enterprise Linux, is automatically enabled during installation.
To enable the firewalld service, follow this procedure.
Procedure
1. Display the current status of firewalld:

   $ systemctl status firewalld
   ● firewalld.service - firewalld - dynamic firewall daemon
      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
      Active: inactive (dead)
   ...

2. If firewalld is not enabled and running, switch to the root user, then start the firewalld service and enable it to start automatically after the system restarts:

   # systemctl enable --now firewalld
Verification
Check that firewalld is running and enabled:

   $ systemctl status firewalld
   ● firewalld.service - firewalld - dynamic firewall daemon
      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
      Active: active (running)
   ...
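The verification step above reads two facts off the status output: the unit file is enabled (it will start at boot) and the unit is active (it is running now). The following POSIX shell script is an added example, not part of the Red Hat documentation, that checks both conditions from the machine-readable `systemctl show` output instead of the human-readable status banner, so it can be dropped into a post-install compliance check. The two SAMPLE_* strings are constructed to mirror `systemctl show -p UnitFileState -p ActiveState firewalld` on a host before and after `systemctl enable --now firewalld`; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): decide from
# `systemctl show` Key=Value output whether a unit is enabled at boot
# AND active right now, which is what the verification step asks for.

# Constructed sample: firewalld installed but never enabled (matches the
# "disabled; ... inactive (dead)" status shown before the procedure).
SAMPLE_DISABLED='UnitFileState=disabled
ActiveState=inactive'

# Constructed sample: state after `systemctl enable --now firewalld`.
SAMPLE_OK='UnitFileState=enabled
ActiveState=active'

# unit_state_ok: read Key=Value lines on stdin; return 0 only when the
# unit is both enabled and active, and name each failing condition.
unit_state_ok() {
    enabled=""
    active=""
    while IFS='=' read -r key value; do
        case "$key" in
            UnitFileState) enabled="$value" ;;
            ActiveState)   active="$value" ;;
        esac
    done
    rc=0
    if [ "$enabled" != "enabled" ]; then
        echo "not enabled at boot (UnitFileState=${enabled:-unknown})"
        rc=1
    fi
    if [ "$active" != "active" ]; then
        echo "not running (ActiveState=${active:-unknown})"
        rc=1
    fi
    return "$rc"
}

# check_firewalld: query the live host when systemctl is present; fall
# back to the constructed "good" sample so the script also runs offline.
check_firewalld() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl show -p UnitFileState -p ActiveState firewalld | unit_state_ok
    else
        printf '%s\n' "$SAMPLE_OK" | unit_state_ok
    fi
}
```

On a real host, `check_firewalld && echo "firewalld OK"` gives the same verdict as reading the `Loaded:` and `Active:` lines of `systemctl status`, and a non-zero exit with a one-line reason when either condition fails; both conditions are checked because a unit can be active now yet disabled at boot, which `systemctl enable --now` is precisely meant to prevent.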
Additional resources
- Using and configuring firewalld
- man firewalld(1)
6.2. Managing basic SELinux settings
Security-Enhanced Linux (SELinux) is an additional layer of system security that determines which processes can access which files, directories, and ports. These permissions are defined in SELinux policies. A policy is a set of rules that guide the SELinux security engine.
SELinux has two possible states:
- Disabled
- Enabled
When SELinux is enabled, it runs in one of the following modes:
- Enforcing
- Permissive
In enforcing mode, SELinux enforces the loaded policies. SELinux denies access based on SELinux policy rules and enables only the interactions that are explicitly allowed. Enforcing mode is the safest SELinux mode and is the default mode after installation.
In permissive mode, SELinux does not enforce the loaded policies. SELinux does not deny access, but it logs every action that breaks the rules to /var/log/audit/audit.log. Permissive mode is the default mode during installation. Permissive mode is also useful in some specific cases, for example when troubleshooting problems.
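Because permissive mode only records rule violations, the practical question while troubleshooting is which AVC records in /var/log/audit/audit.log would have been real denials under enforcing mode. The following POSIX shell script is an added example, not part of the Red Hat documentation, that summarises AVC records and counts the ones flagged `permissive=1` (allowed only because enforcement was off). The three SAMPLE_AUDIT lines are constructed for this example: they follow the layout of audit AVC records, but the pids, inode, contexts and timestamps are invented. The function names and the `/sys/fs/selinux/enforce` lookup in `selinux_mode` are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): summarise SELinux
# AVC records and separate "would have been denied" (permissive=1) from
# real denials (permissive=0).

# Constructed sample audit.log excerpt (values are invented): an httpd
# process reading a file in a home directory while in permissive mode,
# a non-AVC SYSCALL record, and a real denial of an outbound connection.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1700000000.250:202): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary: read audit records on stdin and print one line per AVC
# denial in the form:  <permissive|enforced> <comm> <permission> <tclass> <target type>
avc_summary() {
    awk '
        /^type=AVC / && /avc:  denied/ {
            # the permission sits between "denied  { " and " }"
            perm = $0
            sub(/.*denied  [{] /, "", perm)
            sub(/ [}].*/, "", perm)
            comm = ""; tclass = ""; ttype = ""; mode = "enforced"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/) {
                    comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm)
                }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                if ($i ~ /^tcontext=/) {
                    # user:role:type:level -> keep the type component
                    split(substr($i, 10), ctx, ":"); ttype = ctx[3]
                }
                if ($i == "permissive=1") { mode = "permissive" }
            }
            print mode, comm, perm, tclass, ttype
        }'
}

# count_would_be_denials: how many AVC records were let through only
# because SELinux was in permissive mode at the time.
count_would_be_denials() {
    avc_summary | awk '$1 == "permissive"' | wc -l | tr -d ' '
}

# selinux_mode: current mode from the kernel interface, or "unavailable"
# when SELinux is not mounted (for example in a container).
selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unavailable ;;
        esac
    else
        echo unavailable
    fi
}
```

On a live host, `avc_summary < /var/log/audit/audit.log` (run as root) lists each denial with the process, permission, object class and target type, which is the information needed to decide whether a file label or a boolean is wrong before switching back to enforcing; `count_would_be_denials` should reach zero before that switch.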
Additional resources