RHCSA Security Hardening & System Optimization

Expertise in Cloud, Networking & DevOps
Photo by Marc PEZIN / Unsplash

πŸ“Œ Introduction

Securing a Linux system and optimizing its performance is crucial for maintaining system integrity, preventing unauthorized access, and ensuring smooth operations. The RHCSA exam tests your knowledge of SELinux, sudo privileges, and performance tuning. This guide provides step-by-step instructions on configuring security settings and optimizing system performance.


πŸ“– What You’ll Learn in This Guide

πŸ”Ή Understanding and managing SELinux policies

πŸ”Ή Configuring and securing sudo privileges

πŸ”Ή Optimizing system performance using tuning tools

πŸ”Ή Hardening the system against security threats

πŸ”Ή Monitoring performance and system logs for security incidents


πŸ›‘ SELinux: Security-Enhanced Linux

1️⃣ Understanding SELinux Modes

SELinux provides mandatory access control (MAC) policies to enhance security. It operates in three modes:

  • Enforcing (Default): SELinux policies are enforced, blocking unauthorized access.
  • Permissive: SELinux logs policy violations but does not enforce them.
  • Disabled: SELinux is turned off (not recommended).

To check the current SELinux mode:

sestatus  # Display SELinux status and current mode

To switch SELinux mode temporarily:

sudo setenforce 0  # Set SELinux to permissive mode
sudo setenforce 1  # Set SELinux to enforcing mode

To permanently change SELinux mode, edit /etc/selinux/config:

sudo vi /etc/selinux/config

Modify the line:

SELINUX=enforcing  # Change to 'permissive' or 'disabled' if needed

πŸ” Best Practice: Keep SELinux in enforcing mode unless debugging an issue.


2️⃣ Managing SELinux Policies

To list SELinux contexts for files and processes:

ls -Z /var/www/html  # Show SELinux context of web files
ps -eZ | grep httpd  # Check SELinux context of a running process

To restore default SELinux contexts:

sudo restorecon -Rv /var/www/html  # Restore correct SELinux labels

To allow a process to use a specific port:

sudo semanage port -a -t http_port_t -p tcp 8080  # Allow HTTPD on port 8080

πŸ” Best Practice: Use audit2why to analyze SELinux denials and suggest solutions:

audit2why < /var/log/audit/audit.log

⚑ Managing Sudo Privileges

1️⃣ Granting Sudo Access to a User

To add a user to the wheel group (which has sudo privileges by default):

sudo usermod -aG wheel username  # Add user to sudo group

To verify sudo access:

sudo -l -U username  # List user's sudo privileges

2️⃣ Configuring Sudo Privileges (Visudo)

Edit the sudoers file safely:

sudo visudo

Add the following to grant a specific user sudo access:

username ALL=(ALL) ALL  # Allow full sudo privileges

To allow a user to execute specific commands without a password:

username ALL=(ALL) NOPASSWD: /usr/sbin/reboot, /bin/systemctl restart httpd

πŸ” Best Practice: Grant minimal privileges necessary for a task to improve security.


πŸš€ System Performance Tuning

1️⃣ Monitoring System Performance

To check CPU usage:

top  # Live system monitoring
mpstat 1  # CPU usage per second

To check memory usage:

free -h  # Show available and used memory

To check disk performance:

iostat -x 1  # Display disk I/O statistics

To analyze overall system performance:

vmstat 1  # View CPU, memory, and disk performance in real time

2️⃣ Optimizing System Performance

Tuning Kernel Parameters

Modify kernel parameters for performance tuning:

echo "vm.swappiness=10" | sudo tee -a /etc/sysctl.conf  # Reduce swap usage
sudo sysctl -p  # Apply changes

Disabling Unused Services

List active services:

systemctl list-units --type=service

Disable unnecessary services:

sudo systemctl disable avahi-daemon  # Example of disabling Avahi service

πŸ” Best Practice: Regularly monitor system resources and disable services that are not in use.


πŸ” Hardening the System Against Security Threats

1️⃣ Managing Firewalld for Enhanced Security

Check firewall status:

sudo systemctl status firewalld

To allow essential services:

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload

2️⃣ Enforcing Strong Password Policies

Edit PAM configuration to require stronger passwords:

sudo vi /etc/security/pwquality.conf

Modify parameters such as:

minlen = 12  # Minimum password length
minclass = 3  # Require at least 3 character classes (uppercase, lowercase, digits, symbols)

πŸ” Best Practice: Regularly audit user accounts and enforce password expiration policies using:

sudo chage -l username  # Check password expiration settings

πŸ›  Essential Practice for RHCSA

βœ… Configure and manage SELinux policies

βœ… Grant and manage sudo privileges securely

βœ… Monitor and optimize CPU, memory, and disk performance

βœ… Harden system security with firewalld and PAM policies

βœ… Regularly audit and troubleshoot security logs


πŸ“Œ Next Article: RHCSA Networking & Firewall Management

πŸ“© Subscribe to our blog for more RHCSA tutorials and updates! πŸš€

Read more