RHCSA Security Hardening & System Optimization
Introduction
Securing a Linux system and optimizing its performance are crucial for maintaining system integrity, preventing unauthorized access, and ensuring smooth operations. The RHCSA exam tests your knowledge of SELinux, sudo privileges, and performance tuning. This guide provides step-by-step instructions on configuring security settings and optimizing system performance.
What You'll Learn in This Guide
- Understanding and managing SELinux policies
- Configuring and securing sudo privileges
- Optimizing system performance using tuning tools
- Hardening the system against security threats
- Monitoring performance and system logs for security incidents
SELinux: Security-Enhanced Linux
1. Understanding SELinux Modes
SELinux provides mandatory access control (MAC) policies to enhance security. It operates in three modes:
- Enforcing (Default): SELinux policies are enforced, blocking unauthorized access.
- Permissive: SELinux logs policy violations but does not enforce them.
- Disabled: SELinux is turned off (not recommended).
To check the current SELinux mode:
sestatus # Display SELinux status and current mode
To switch SELinux mode temporarily:
sudo setenforce 0 # Set SELinux to permissive mode
sudo setenforce 1 # Set SELinux to enforcing mode
To permanently change SELinux mode, edit /etc/selinux/config:
sudo vi /etc/selinux/config
Modify the line:
SELINUX=enforcing # Change to 'permissive' or 'disabled' if needed
Best Practice: Keep SELinux in enforcing mode unless debugging an issue.
2. Managing SELinux Policies
To list SELinux contexts for files and processes:
ls -Z /var/www/html # Show SELinux context of web files
ps -eZ | grep httpd # Check SELinux context of a running process
To restore default SELinux contexts:
sudo restorecon -Rv /var/www/html # Restore correct SELinux labels
To allow a process to use a specific port:
sudo semanage port -a -t http_port_t -p tcp 8080 # Allow HTTPD on port 8080
Best Practice: Use audit2why to analyze SELinux denials and suggest solutions:
audit2why < /var/log/audit/audit.log
Managing Sudo Privileges
1. Granting Sudo Access to a User
To add a user to the wheel group (which has sudo privileges by default):
sudo usermod -aG wheel username # Add user to the wheel group
To verify sudo access:
sudo -l -U username # List user's sudo privileges
2. Configuring Sudo Privileges (Visudo)
Edit the sudoers file safely:
sudo visudo
Add the following to grant a specific user sudo access:
username ALL=(ALL) ALL # Allow full sudo privileges
To allow a user to execute specific commands without a password:
username ALL=(ALL) NOPASSWD: /usr/sbin/reboot, /bin/systemctl restart httpd
Best Practice: Grant only the minimal privileges necessary for a task to improve security.
System Performance Tuning
1. Monitoring System Performance
To check CPU usage:
top # Live system monitoring
mpstat 1 # CPU usage per second
To check memory usage:
free -h # Show available and used memory
To check disk performance:
iostat -x 1 # Display disk I/O statistics
To analyze overall system performance:
vmstat 1 # View CPU, memory, and disk performance in real time
2. Optimizing System Performance
Tuning Kernel Parameters
Modify kernel parameters for performance tuning:
echo "vm.swappiness=10" | sudo tee -a /etc/sysctl.conf # Reduce swap usage
sudo sysctl -p # Apply changes
Disabling Unused Services
List active services:
systemctl list-units --type=service
Disable unnecessary services:
sudo systemctl disable avahi-daemon # Example of disabling Avahi service
Best Practice: Regularly monitor system resources and disable services that are not in use.
Hardening the System Against Security Threats
1. Managing Firewalld for Enhanced Security
Check firewall status:
sudo systemctl status firewalld
To allow essential services:
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
2. Enforcing Strong Password Policies
Edit PAM configuration to require stronger passwords:
sudo vi /etc/security/pwquality.conf
Modify parameters such as:
minlen = 12 # Minimum password length
minclass = 3 # Require at least 3 character classes (uppercase, lowercase, digits, symbols)
Best Practice: Regularly audit user accounts and enforce password expiration policies using:
sudo chage -l username # Check password expiration settings
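The persistent settings from the SELinux, sudo and password-policy sections can be verified with a script. The following is an added example, not part of the original guide: the function names and the --run switch are assumptions for illustration, while the thresholds (enforcing, minlen 12, minclass 3) are the guide's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit config files against the
# values this guide recommends. Paths are arguments so copies can be checked.

# conf_value FILE KEY: print the last value assigned to KEY, ignoring # comments.
conf_value() {
    sed -e 's/#.*//' "$1" | awk -F= -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/[ \t]/, "", val) }
        END { print val }'
}

# check_selinux FILE: succeed only if the persistent mode is enforcing.
check_selinux() {
    [ "$(conf_value "$1" SELINUX)" = "enforcing" ]
}

# check_pwquality FILE: succeed only if minlen >= 12 and minclass >= 3.
check_pwquality() {
    minlen=$(conf_value "$1" minlen)
    minclass=$(conf_value "$1" minclass)
    [ "${minlen:-0}" -ge 12 ] 2>/dev/null && [ "${minclass:-0}" -ge 3 ] 2>/dev/null
}

# sudoers_findings FILE: print rules that skip the password prompt or allow
# every command. Simplified: no aliases, includes or line continuations.
sudoers_findings() {
    sed -e 's/#.*//' "$1" | awk '
        NF == 0 || $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        /NOPASSWD:/ { print "NOPASSWD " $1 }
        /=[ \t]*(\([^)]*\))?[ \t]*(NOPASSWD:[ \t]*)?ALL[ \t]*$/ { print "ALL " $1 }'
}

# audit_host: run all three checks against the live files (needs root).
audit_host() {
    rc=0
    check_selinux /etc/selinux/config || { echo "FAIL: SELinux not enforcing"; rc=1; }
    check_pwquality /etc/security/pwquality.conf || { echo "FAIL: weak pwquality"; rc=1; }
    findings=$(sudoers_findings /etc/sudoers)
    [ -z "$findings" ] || { echo "REVIEW sudoers:"; echo "$findings"; }
    return $rc
}

# Only touch the live system when asked to: sudo sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

A rule reported as ALL or NOPASSWD is not automatically wrong (the default %wheel rule is reported as ALL); the list is what to review against the minimal-privilege practice above.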
Essential Practice for RHCSA
- Configure and manage SELinux policies
- Grant and manage sudo privileges securely
- Monitor and optimize CPU, memory, and disk performance
- Harden system security with firewalld and PAM policies
- Regularly audit and troubleshoot security logs