m (Fixing links) |
mNo edit summary |
||
| Line 1: | Line 1: | ||
= Security = | == Security == | ||
This section highlights various security items from Fedora. | This section highlights various security items from Fedora. | ||
== Security Enhancements == | === Security Enhancements === | ||
Fedora continues to improve its many proactive [http://fedoraproject.org/wiki/Security/Features security features] . | Fedora continues to improve its many proactive [http://fedoraproject.org/wiki/Security/Features security features] . | ||
=== Support for SHA-256 and SHA-512 passwords === | ==== Support for SHA-256 and SHA-512 passwords ==== | ||
The <code>glibc</code> package in Fedora 8 had [http://people.redhat.com/drepper/sha-crypt.html support] for passwords using SHA-256 and SHA-512 hashing. Previously, only DES and MD5 were available. These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported. | The <code>glibc</code> package in Fedora 8 had [http://people.redhat.com/drepper/sha-crypt.html support] for passwords using SHA-256 and SHA-512 hashing. Previously, only DES and MD5 were available. These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported. | ||
| Line 23: | Line 23: | ||
* New options, <code>ENCRYPT_METHOD</code>, <code>SHA_CRYPT_MIN_ROUNDS</code>, and <code>SHA_CRYPT_MAX_ROUNDS</code>, are now supported in <code>/etc/login.defs</code>. Refer to the <code>login.defs(5)</code> man page for details. Corresponding options were added to <code>chpasswd(8)</code> and <code>newusers(8)</code>. | * New options, <code>ENCRYPT_METHOD</code>, <code>SHA_CRYPT_MIN_ROUNDS</code>, and <code>SHA_CRYPT_MAX_ROUNDS</code>, are now supported in <code>/etc/login.defs</code>. Refer to the <code>login.defs(5)</code> man page for details. Corresponding options were added to <code>chpasswd(8)</code> and <code>newusers(8)</code>. | ||
=== FORTIFY_SOURCE extended to cover more functions === | ==== FORTIFY_SOURCE extended to cover more functions ==== | ||
[[Security/Features#FORTIFY_SOURCE| FORTIFY_SOURCE]] protection now covers <code>asprintf</code>, <code>dprintf</code>, <code>vasprintf</code>, <code>vdprintf</code>, <code>obstack_printf</code> and <code>obstack_vprintf</code>. This improvement is particularly useful for applications that use the <code>glib2</code> library, as several of its functions use <code>vasprintf</code>. | [[Security/Features#FORTIFY_SOURCE| FORTIFY_SOURCE]] protection now covers <code>asprintf</code>, <code>dprintf</code>, <code>vasprintf</code>, <code>vdprintf</code>, <code>obstack_printf</code> and <code>obstack_vprintf</code>. This improvement is particularly useful for applications that use the <code>glib2</code> library, as several of its functions use <code>vasprintf</code>. | ||
=== SELinux Enhancements === | ==== SELinux Enhancements ==== | ||
Different roles are now available, to allow finer-grained access control: | Different roles are now available, to allow finer-grained access control: | ||
* <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI. | * <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI. | ||
| Line 37: | Line 37: | ||
As well, browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, now run confined. | As well, browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, now run confined. | ||
=== Default Firewall Behavior === | ==== Default Firewall Behavior ==== | ||
In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by '''Anaconda'''. | In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by '''Anaconda'''. | ||
=== General Information === | ==== General Information ==== | ||
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security. | A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security. | ||
Revision as of 02:36, 9 September 2008
Security
This section highlights various security items from Fedora.
Security Enhancements
Fedora continues to improve its many proactive security features .
Support for SHA-256 and SHA-512 passwords
The glibc package in Fedora 8 had support for passwords using SHA-256 and SHA-512 hashing. Previously, only DES and MD5 were available. These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported.
To switch to SHA-256 or SHA-512 on an installed system, use authconfig --passalgo=sha256 --update or authconfig --passalgo=sha512 --update. Alternatively, use the authconfig-gtk GUI tool to configure the hashing method. Existing user accounts will not be affected until their passwords are changed.
SHA-512 is used by default on newly installed systems. Other algorithms can be configured only for kickstart installations, by using the --passalgo or --enablemd5 options for the kickstart auth command. If your installation does not use kickstart, use authconfig as described above, and then change the root user password, and passwords for other users created after installation.
New options now appear in libuser, pam, and shadow-utils to support these password hashing algorithms. Running authconfig configures all these options automatically, so it is not necessary to modify them manually.
- New values for the
crypt_styleoption, and the new optionshash_rounds_min, andhash_rounds_max, are now supported in the[defaults]section of/etc/libuser.conf. Refer to thelibuser.conf(5)man page for details.
- New options,
sha256,sha512, androunds, are now supported by thepam_unixPAM module. Refer to thepam_unix(8)man page for details.
- New options,
ENCRYPT_METHOD,SHA_CRYPT_MIN_ROUNDS, andSHA_CRYPT_MAX_ROUNDS, are now supported in/etc/login.defs. Refer to thelogin.defs(5)man page for details. Corresponding options were added tochpasswd(8)andnewusers(8).
FORTIFY_SOURCE extended to cover more functions
FORTIFY_SOURCE protection now covers asprintf, dprintf, vasprintf, vdprintf, obstack_printf and obstack_vprintf. This improvement is particularly useful for applications that use the glib2 library, as several of its functions use vasprintf.
SELinux Enhancements
Different roles are now available, to allow finer-grained access control:
guest_tdoes not allow running setuid binaries, making network connections, or using a GUI.xguest_tdisallows network access except for HTTP via a Web browser, and no setuid binaries.user_tis ideal for office users: prevents becoming root via setuid applications.staff_tis same asuser_t, except that root access viasudois allowed.unconfined_tprovides full access, the same as when not using SELinux.
As well, browser plug-ins wrapped with nspluginwrapper, which is the default, now run confined.
Default Firewall Behavior
In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by Anaconda.
General Information
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
SELinux
The SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references. Some useful links include the following:
- New SELinux project pages: SELinux
- Troubleshooting tips: SELinux/Troubleshooting
- Frequently Asked Questions: SELinux FAQ
- Listing of SELinux commands: SELinux/Commands
- Details of confined domains: SELinux/Domains
FreeIPA
Free IPA is a centrally managed identity, policy, and audit installation.
The IPA server installer assumes a relatively clean system, installing and configuring several services:
- a Fedora Directory Server instance
- KDC
- Apache
- ntpd
- TurboGears
Some effort is made to be able to roll back the changes made but they are not guaranteed. Similarly the ipa-client-install tool overwrites PAM (/etc/pam.conf) and Kerberos (/etc/krb5.conf) configurations.
IPA does not support other instances of Fedora Directory Server on the same machine at install time, even listening on different ports. In order to install IPA, other instances must be removed. IPA itself can handle this removal.
There is currently no mechanism for migrating existing users into an IPA server.
For more information, refer to the feature page: