From Fedora Project Wiki

Revision as of 04:05, 23 January 2009 by Sparks (talk | contribs) (Docs/Beats/Security moved to Documentation Security Beat: Natural language name change.)

Security

This section highlights various security items from Fedora.

Security Enhancements

Fedora continues to improve its many proactive security features.

http://fedoraproject.org/wiki/Security/Features

SELinux

The SELinux project pages have troubleshooting tips, explanations, and pointers to documentation and references. Some useful links include the following:

SELinux Enhancements

Different roles are now available, to allow finer-grained access control:

  • guest_t does not allow running setuid binaries, making network connections, or using a GUI.
  • xguest_t disallows network access except for HTTP via a Web browser, and no setuid binaries.
  • user_t is ideal for office users: prevents becoming root via setuid applications.
  • staff_t is same as user_t, except that root-level access via sudo is allowed.
  • unconfined_t provides full access, the same as when not using SELinux.

Browser plug-ins wrapped with nspluginwrapper, which is the default, are confined by SELinux policy.

Security Audit Package

SecTool provides users with a tool that can check their systems for security issues. There are libraries included that allow for the customization of system tests. More information can be found at the project home:

https://fedorahosted.org/sectool

General Information

A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.

FreeIPA

Free IPA is a centrally managed identity, policy, and audit installation.

The IPA server installer assumes a relatively clean system, installing and configuring several services:

  • a Fedora Directory Server instance
  • KDC
  • Apache
  • ntpd
  • TurboGears

Some effort is made to be able to roll back the changes made but they are not guaranteed. Similarly the ipa-client-install tool overwrites PAM (/etc/pam.conf) and Kerberos (/etc/krb5.conf) configurations.

IPA does not support other instances of Fedora Directory Server on the same machine at install time, even listening on different ports. In order to install IPA, other instances must be removed. IPA itself can handle this removal.

There is currently no mechanism for migrating existing users into an IPA server.

For more information, refer to the feature page:

http://fedoraproject.org/wiki/Features/freeIPA