From Fedora Project Wiki

Revision as of 19:30, 29 May 2008 by Anubis (talk | contribs) (→‎General Information: Fixed links)

Security

This section highlights various security items from Fedora.

Security Enhancements

Fedora continues to improve its many proactive security features.

Support for SHA-256 and SHA-512 passwords

The glibc package in Fedora 8 had support for passwords using SHA-256 and SHA-512 hashing. Previously, only DES and MD5 were available. These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported.

To switch to SHA-256 or SHA-512 on an installed system, use authconfig --passalgo=sha256 --update or authconfig --passalgo=sha512 --update. Alternatively, use the authconfig-gtk GUI tool to configure the hashing method. Existing user accounts will not be affected until their passwords are changed.

SHA-512 is used by default on newly installed systems. Other algorithms can be configured only for kickstart installations, by using the --passalgo or --enablemd5 options for the kickstart auth command. If your installation does not use kickstart, use authconfig as described above, and then change the root user password, and passwords for other users created after installation.

New options now appear in libuser, pam, and shadow-utils to support these password hashing algorithms. Running authconfig configures all these options automatically, so it is not necessary to modify them manually.

  • New values for the crypt_style option and the new options hash_rounds_min and hash_rounds_max are now supported in the [defaults] section of /etc/libuser.conf. Refer to the libuser.conf(5) man page for details.
  • New options, sha256, sha512, and rounds, are now supported by the pam_unix PAM module. Refer to the pam_unix(8) man page for details.
  • New options, ENCRYPT_METHOD, SHA_CRYPT_MIN_ROUNDS, and SHA_CRYPT_MAX_ROUNDS, are now supported in /etc/login.defs. Refer to the login.defs(5) man page for details. Corresponding options were added to chpasswd(8) and newusers(8).
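
Because existing accounts keep their old hashes until the password is changed, it helps to list which accounts are still on DES or MD5 after switching the algorithm. The script below is an added example, not part of the original release notes or any Fedora tool: it classifies entries in a shadow(5)-format file by the crypt(3) prefix of the hash field. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which accounts still carry pre-SHA password hashes.

# classify_shadow FILE: print "user scheme" per line of a shadow(5)-format
# file, reading the scheme from the crypt(3) prefix of the hash field.
classify_shadow() {
    awk -F: '{
        h = $2
        if (h == "")            { print $1, "empty";  next }
        if (h ~ /^[!*]+$/)      { print $1, "locked"; next }  # no usable hash
        sub(/^!+/, "", h)       # locked account that still holds a hash
        if      (h ~ /^\$6\$/)  s = "sha512"
        else if (h ~ /^\$5\$/)  s = "sha256"
        else if (h ~ /^\$1\$/)  s = "md5"
        else if (h ~ /^\$/)     s = "other"
        else if (length(h) == 13) s = "des"     # traditional DES crypt
        else                    s = "unknown"
        print $1, s
    }' "$1"
}

# stale_accounts FILE: accounts still hashed with DES or MD5, i.e. those
# whose password must be changed before the new algorithm applies to them.
stale_accounts() {
    classify_shadow "$1" | awk '$2 == "des" || $2 == "md5" { print $1 }'
}

# write_sample FILE: constructed shadow entries; the hash fields are
# placeholders with realistic prefixes, not real password hashes.
write_sample() {
    cat > "$1" <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14000:0:99999:7:::
alice:$1$CONSTRUC$CONSTRUCTEDHASH:13800:0:99999:7:::
bob:abCONSTRUCTED:13500:0:99999:7:::
carol:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14001:0:99999:7:::
dave:!$1$CONSTRUC$CONSTRUCTEDHASH:13900:0:99999:7:::
daemon:*:13500:0:99999:7:::
newuser:!!:14002:0:99999:7:::
EOF
}

sample=$(mktemp)
write_sample "$sample"
classify_shadow "$sample"
echo "change password for: $(stale_accounts "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

On a real system, run stale_accounts /etc/shadow as root; a locked account that still holds an MD5 hash (dave in the sample) is reported too, since unlocking it would reactivate the old hash.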

FORTIFY_SOURCE extended to cover more functions

FORTIFY_SOURCE protection now covers asprintf, dprintf, vasprintf, vdprintf, obstack_printf and obstack_vprintf. This improvement is particularly useful for applications that use the glib2 library, as several of its functions use vasprintf.

SELinux Enhancements

Different roles are now available, to allow finer-grained access control:

  • guest_t does not allow running setuid binaries, making network connections, or using a GUI.
  • xguest_t disallows network access except for HTTP via a Web browser, and disallows setuid binaries.
  • user_t is ideal for office users: it prevents becoming root via setuid applications.
  • staff_t is the same as user_t, except that root access via sudo is allowed.
  • unconfined_t provides full access, the same as when not using SELinux.

As well, browser plug-ins wrapped with nspluginwrapper, which is the default, now run confined.

Default Firewall Behavior

In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by Anaconda.

General Information

A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.

Fedora SELinux Project Pages

Documentation

If you want to work on formal documentation, you can use the Docs/Drafts/SELinux namespace. When you are done editing the draft, it can migrate to Docs/SELinux. Doing this lends an air of formality and provides higher immutability and accountability in the wiki, as only the DocWritersGroup can edit the Docs/ namespace.