openSUSE Linux Guide
Introduction
This comprehensive guide covers all aspects of openSUSE Linux administration, from basic system management to advanced security hardening. Each section provides detailed explanations and practical commands for system administrators and power users.
System Management
System Updates and Upgrades
Regular System Updates
Regular system updates are crucial for maintaining system security and stability. Here's how to perform them:
# Update repository information
sudo zypper refresh
# Update all packages
sudo zypper update
# Show update history
sudo cat /var/log/zypp/history
Distribution Upgrade
For major version upgrades (e.g., Leap 15.4 to 15.5):
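# Refresh repositories against the target release (repository URLs must use $releasever)
sudo zypper --releasever=15.5 refresh
# Perform distribution upgrade
sudo zypper --releasever=15.5 dup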
# Verify system status after upgrade
sudo zypper verify
Automatic Updates Configuration
Enable and configure automatic updates for enhanced security:
# Install auto-update configuration tool
sudo zypper install yast2-online-update-configuration
# Configure automatic updates
sudo yast2 online_update_configuration
System Cleaning
Regular system cleaning helps maintain optimal performance:
# Clear package cache
sudo zypper clean --all
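# Remove unused packages (review the list before removing anything)
sudo zypper packages --unneeded
# The table is pipe-separated (S | Repository | Name | Version | Arch); the name is column 3
sudo zypper remove --clean-deps $(zypper packages --unneeded | awk -F'|' '$1 ~ /^i/ {gsub(/ /, "", $3); print $3}')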
# Clean journal logs
sudo journalctl --vacuum-size=100M
# Remove temporary files (running programs keep sockets and lock files here, so do this just before a reboot)
sudo rm -rf /tmp/*
sudo rm -rf /var/tmp/*
# Clean old snapshots (replace NUMBER with an ID from the list)
sudo snapper list
sudo snapper delete NUMBER
Kernel Management
Kernel Updates and Maintenance
# List installed kernels
zypper se -si "kernel-*"
# Install latest kernel
sudo zypper install kernel-default
# Remove old kernels (keeps the ones listed in multiversion.kernels in /etc/zypp/zypp.conf, by default latest,latest-1,running)
sudo zypper purge-kernels
Kernel Parameters Configuration
# Edit kernel parameters
sudo nano /etc/default/grub
# Common parameters for security:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash page_alloc.shuffle=1 slab_nomerge pti=on spectre_v2=on spec_store_bypass_disable=on mds=full,nosmt"
# Update GRUB configuration
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Security and Hardening
Basic System Hardening
User Account Security
Configure strong password policies and account security:
# Edit password policy
sudo nano /etc/security/pwquality.conf
# Recommended settings:
minlen = 12
minclass = 3
maxrepeat = 3
enforce_for_root
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# Configure password aging
sudo nano /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
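The PASS_* values in /etc/login.defs are applied when an account is created; existing accounts keep the aging fields already stored in /etc/shadow. The following added example (not part of the original guide) reads shadow-format lines and prints the chage command for every login-capable account that is weaker than the policy above; the sample entries and the function name aging_fixes are constructed for illustration.

```sh
#!/bin/sh
# Policy values taken from the login.defs settings above
MAX_DAYS=90 MIN_DAYS=7 WARN_AGE=14

# aging_fixes: shadow-format lines on stdin -> one chage command per non-compliant account
# shadow fields: 1=name 2=hash 3=last change 4=min days 5=max days 6=warn days
aging_fixes() {
    awk -F: -v max="$MAX_DAYS" -v min="$MIN_DAYS" -v warn="$WARN_AGE" '
    $2 ~ /^[!*]/ { next }                     # locked account, no password login
    {
        bad = ""
        if ($5 == "" || $5 + 0 > max)  bad = bad " max=" ($5 == "" ? "never" : $5)
        if ($4 == "" || $4 + 0 < min)  bad = bad " min=" ($4 == "" ? "0" : $4)
        if ($6 == "" || $6 + 0 < warn) bad = bad " warn=" ($6 == "" ? "0" : $6)
        if (bad != "")
            printf "chage -M %d -m %d -W %d %s #%s\n", max, min, warn, $1, bad
    }'
}

# Constructed sample in /etc/shadow format (hashes are placeholders)
SAMPLE_SHADOW='root:$6$CONSTRUCTED$hash:19000:0:99999:7:::
alice:$6$CONSTRUCTED$hash:19500:7:90:14:::
bob:$6$CONSTRUCTED$hash:19400:0:99999:7:::
carol:$6$CONSTRUCTED$hash:19450:7::14:::
sshd:!:19000::::::'

printf '%s\n' "$SAMPLE_SHADOW" | aging_fixes
```

On a real system, feed it the live file with `sudo cat /etc/shadow | aging_fixes` and review the printed commands before running them.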
Filesystem Security
Secure mount options prevent various attacks:
# Edit fstab
sudo nano /etc/fstab
# Add security options to relevant partitions:
/dev/sda1 /home ext4 defaults,nodev,nosuid,noexec 0 2
/dev/sda2 /tmp ext4 defaults,nodev,nosuid,noexec 0 2
/dev/sda3 /var ext4 defaults,nosuid 0 2
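An edited /etc/fstab only takes effect after a remount, and an option is easily dropped in a later edit. This added example (not from the original guide) audits fstab-format input against the options listed above; the function name audit_mounts and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# audit_mounts: fstab-format lines on stdin -> one line per policy violation, sorted.
# Policy from the guide: /home and /tmp need nodev,nosuid,noexec; /var needs nosuid.
audit_mounts() {
    awk '
    BEGIN {
        want["/home"] = "nodev nosuid noexec"
        want["/tmp"]  = "nodev nosuid noexec"
        want["/var"]  = "nosuid"
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    ($2 in want) {
        seen[$2] = 1
        split("", have)                      # clear the option set
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) have[opts[i]] = 1
        m = split(want[$2], need, " ")
        miss = ""
        for (i = 1; i <= m; i++)
            if (!(need[i] in have)) miss = miss (miss == "" ? "" : ",") need[i]
        if (miss != "") print $2 " missing:" miss
    }
    END {
        # a policy path with no entry lives on its parent filesystem and gets no options
        for (mp in want) if (!(mp in seen)) print mp " not-a-separate-mount"
    }' | LC_ALL=C sort
}

# Constructed sample: /home lacks noexec, /tmp has no hardening, /var is commented out
SAMPLE_FSTAB='/dev/sda1 /home ext4 defaults,nodev,nosuid 0 2
/dev/sda2 /tmp ext4 defaults 0 2
# /dev/sda3 /var ext4 defaults,nosuid 0 2
/dev/sda4 / ext4 defaults 0 1'

printf '%s\n' "$SAMPLE_FSTAB" | audit_mounts
```

/proc/mounts uses the same first four columns, so `audit_mounts < /proc/mounts` checks what is actually mounted rather than what the file says.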
Advanced Security Implementation
SELinux Configuration
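Set up and configure SELinux for enhanced security. SELinux and AppArmor cannot both be the active security module, so choose one of the two:
# Install SELinux
sudo zypper install selinux-tools selinux-policy
# Enable SELinux at boot: add these parameters to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
security=selinux selinux=1
# Regenerate the GRUB configuration, then reboot
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
# Set enforcing mode
sudo setenforce 1
# Configure SELinux policy
sudo nano /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted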
AppArmor Enhancement
AppArmor provides mandatory access control:
# Install AppArmor utilities
sudo zypper install apparmor-utils
# Enable AppArmor
sudo systemctl enable apparmor
sudo systemctl start apparmor
# Create new profile
sudo aa-genprof /path/to/application
# Enforce profiles
sudo aa-enforce /etc/apparmor.d/*
DNS Security and Privacy
Secure DNS Configuration
Implement secure DNS settings:
# Install BIND
sudo zypper install bind
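# Configure BIND security
sudo nano /etc/named.conf
# The "trusted" ACL must be defined before it is used; the members below are an example
acl trusted { localhost; localnets; };
options {
    allow-query { trusted; };
    recursion no;
    version none;
    dnssec-enable yes;    # obsolete since BIND 9.16; omit on newer releases
    dnssec-validation yes;
};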
DNS Privacy Enhancement
Protect DNS queries with encryption:
# Install DNSCrypt
sudo zypper install dnscrypt-proxy
# Configure DNSCrypt
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml
server_names = ['cloudflare', 'quad9']
require_dnssec = true
# Enable DNSCrypt
sudo systemctl enable dnscrypt-proxy
sudo systemctl start dnscrypt-proxy
Privacy Enhancements
System Privacy
Minimize data collection and exposure:
# Disable telemetry
sudo zypper remove telemetry
# Configure privacy-oriented logging
sudo nano /etc/systemd/journald.conf
MaxRetentionSec=1month
SystemMaxUse=500M
ForwardToSyslog=no
Secure Communication
Implement encrypted communication:
# Install GPG
sudo zypper install gpg
# Generate key pair
gpg --full-generate-key
# Export keys (the secret key file is created owner-only; keep it offline)
gpg --export --armor email@address > public.key
(umask 077; gpg --export-secret-keys --armor email@address > private.key)
Intrusion Detection
AIDE Configuration
Set up file integrity monitoring:
# Install AIDE
sudo zypper install aide
# Initialize database
sudo aide --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Schedule daily checks
echo "0 3 * * * root /usr/sbin/aide --check" | sudo tee -a /etc/crontab
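The cron entry above runs the check but does nothing with its result. This added example (not from the original guide) is a wrapper that decodes the exit status of aide --check and raises a syslog alert on any finding; the report directory and the install name aide-check are assumptions.

```sh
#!/bin/sh
# decode_aide_status CODE -> "clean", "error:CODE", or a list such as "added,changed".
# The --check exit status is a bitmask: 1 = new files, 2 = removed files, 4 = changed files.
# Anything above 7 is an error (AIDE uses 14 and up for bad config, I/O errors and so on).
decode_aide_status() {
    code=$1
    if [ "$code" -eq 0 ]; then echo clean; return 0; fi
    if [ "$code" -gt 7 ]; then echo "error:$code"; return 0; fi
    found=""
    if [ $((code & 1)) -ne 0 ]; then found="added"; fi
    if [ $((code & 2)) -ne 0 ]; then found="${found:+$found,}removed"; fi
    if [ $((code & 4)) -ne 0 ]; then found="${found:+$found,}changed"; fi
    echo "$found"
}

# aide_check_and_log: run the check, keep the report, alert through syslog on any finding
aide_check_and_log() {
    report_dir=/var/log/aide                      # assumed report location
    report="$report_dir/check-$(date +%Y%m%d).log"
    mkdir -p "$report_dir" && chmod 700 "$report_dir"
    rc=0
    /usr/sbin/aide --check > "$report" 2>&1 || rc=$?
    result=$(decode_aide_status "$rc")
    if [ "$result" != clean ]; then
        logger -p authpriv.alert -t aide "integrity check: $result (see $report)"
    fi
    return "$rc"
}

# Run the check only when installed under the assumed name aide-check
case "$0" in
    */aide-check) aide_check_and_log ;;
esac
```

Install it as, for example, /usr/local/sbin/aide-check and point the crontab line at that path instead of /usr/sbin/aide.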
Package Management
Repository Management
# Add repository
sudo zypper addrepo URL repository_name
# Refresh repositories
sudo zypper refresh
# List repositories
sudo zypper repos
# Remove repository
sudo zypper removerepo repository_name
Package Operations
# Search packages
zypper se package_name
# Install package
sudo zypper install package_name
# Remove package
sudo zypper remove package_name
# Verify the installed files of a package against the RPM database
sudo rpm -V package_name
Network Configuration
Basic Network Setup
# Configure network interface
sudo yast2 lan
# Show connections
nmcli connection show
# Configure static IP
nmcli connection modify CONN_NAME ipv4.addresses IP_ADDRESS/24
Firewall Configuration
# Install firewall
sudo zypper install firewalld
# Enable firewall
sudo systemctl enable firewalld
sudo systemctl start firewalld
# Configure rules
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --reload
Performance Optimization
System Tuning
# Install tuning daemon
sudo zypper install tuned
# Enable tuned
sudo systemctl enable tuned
sudo systemctl start tuned
# Set performance profile
sudo tuned-adm profile latency-performance
Resource Management
# Monitor system resources
top
htop
# Check disk usage
df -h
du -sh /*
# Monitor I/O
iotop
Maintenance and Monitoring
System Monitoring
# Install monitoring tools
sudo zypper install sysstat
# Monitor CPU
mpstat 1
# Monitor memory
vmstat 1
# Monitor disk I/O
iostat -x 1
Backup Configuration
# Create system backup
sudo tar -czf /backup/system_$(date +%Y%m%d).tar.gz /etc /home /root /var/log
# Schedule automated backups
sudo nano /etc/cron.daily/backup
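One possible content for /etc/cron.daily/backup, as an added example that is not part of the original guide: it creates the archive owner-only because it contains /etc/shadow, writes a checksum to detect a truncated or corrupted archive, and prunes old archives. BACKUP_DIR, KEEP_DAYS and the function names are assumptions.

```sh
#!/bin/sh
# Added example for /etc/cron.daily/backup; BACKUP_DIR and KEEP_DAYS are assumed values.
BACKUP_DIR=${BACKUP_DIR:-/backup}
KEEP_DAYS=${KEEP_DAYS:-14}

# make_backup DEST_DIR PATH... -> prints the archive path on success.
# The body is a subshell: umask stays local and "exit" only leaves the function.
make_backup() (
    dest=$1; shift
    umask 077                      # the archive contains /etc/shadow: owner-only
    mkdir -p "$dest" || exit 1
    name="system_$(date +%Y%m%d).tar.gz"
    rc=0
    tar -czf "$dest/$name.partial" "$@" || rc=$?
    # GNU tar: 1 = a file changed while being read (usual for logs), 2 = fatal
    if [ "$rc" -gt 1 ]; then rm -f "$dest/$name.partial"; exit "$rc"; fi
    mv "$dest/$name.partial" "$dest/$name" || exit 1
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || exit 1
    # Prune archives and checksums older than KEEP_DAYS days
    find "$dest" -maxdepth 1 -name 'system_*.tar.gz*' -mtime +"$KEEP_DAYS" -delete
    echo "$dest/$name"
)

# verify_backup ARCHIVE -> 0 only if the checksum matches and the archive lists cleanly
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256" ) &&
        tar -tzf "$1" > /dev/null
}

# Run the real backup only when installed as .../backup (run-parts calls it without arguments)
case "$0" in
    */backup) make_backup "$BACKUP_DIR" /etc /home /root /var/log ;;
esac
```

Make the file executable with `sudo chmod 700 /etc/cron.daily/backup`, and run verify_backup against an archive before relying on it for a restore.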
Troubleshooting
System Diagnostics
# Check system logs
journalctl -xe
# Check service status
systemctl status service_name
# Monitor system messages
tail -f /var/log/messages
Recovery Procedures
# Enter rescue mode
sudo systemctl rescue
# Check filesystem (the partition must be unmounted)
fsck -f /dev/sda1
# Repair package database
sudo rpm --rebuilddb
Best Practices
- Regular System Maintenance
  - Perform system updates weekly
  - Monitor system logs daily
  - Create system backups regularly
  - Review security configurations monthly
- Security Measures
  - Use strong passwords and change them regularly
  - Keep security tools updated
  - Monitor system access logs
  - Implement principle of least privilege
- Performance Optimization
  - Regular cleanup of temporary files
  - Monitor resource usage
  - Optimize service configurations
  - Regular database maintenance
- Documentation
  - Document all system changes
  - Maintain configuration backups
  - Keep recovery procedures updated
  - Document custom scripts and configurations
Additional Resources
- Official openSUSE Documentation
- openSUSE Security Guide
- openSUSE Wiki
- SUSE Security Portal
- openSUSE Forums
Conclusion
This guide provides a comprehensive foundation for managing and securing openSUSE Linux systems. Regular review and updates of these practices ensure optimal system performance and security. Remember to stay current with security advisories and best practices as they evolve.
Remember that system administration is an ongoing process that requires regular attention to security updates, performance monitoring, and system maintenance. Always test changes in a non-production environment first and maintain proper backups before making significant system modifications.