Category:Security

From FedoraProject

Difference between revisions (Communicating) (23 intermediate revisions by 4 users not shown)

Older revision (wiki source as shown in the comparison):

The Security SIG has three missions that contributors can assist with:

# Secure Coding
# Code Auditing
# Security Response

Contributors can work on any or all of these missions.

== Secure Coding ==

=== Communicating ===

==== E-Mail List ====
* [https://lists.fedorahosted.org/mailman/listinfo/secure-coding-announce Secure Coding Announce list]
* [https://lists.fedorahosted.org/mailman/listinfo/secure-coding-dev Secure Coding Development list]

==== IRC ====

In addition to the Defensive Coding book the Security SIG is charged with creating training resources. Videos and smaller articles on secure development can also be created that concentrate on specific topics. These resources should be stored in the [https://fedorahosted.org/secure-coding/ secure coding] git repository.

== Code Auditing ==

=== Communicating ===

==== IRC ====
* '''{{fpchat|#fedora-security}}''' - Fedora's Security SIG channel on Freenode.

== Security Response ==

=== Communicating ===

==== E-mail list ====
Fedora {{fplist|security}} list: For discussion about improvement of Fedora security.

==== IRC ====
* '''{{fpchat|#fedora-security}}''' - Fedora's Security SIG channel on Freenode.

=== Fedora Security Response Procedures ===
If you would like to report a potential security issue in Fedora, follow the procedures on the [[Security/Bugs|Security Bugs]] page so that it receives escalated attention.

=== Security Issues Classification ===
So what counts as a security issue in Fedora? Find the answer on the [[Security/Classifications|Security Classifications]] page.

=== Security Status ===
The current security status of Fedora is available on the [[Security/Status|Security Status]] page.

=== Security Features ===
The security features available in Fedora are explained on the [[Security/Features|Security Features]] page.

=== Fedora Security Response ===
The Fedora [[Security/ResponseTeam|Security Response Team]] handles security issues within Fedora. The Red Hat security team can be reached by mailing secalert AT SPAMFREE redhat DOT com. Information regarding known public issues can be found on the [[Security/Status|Security Status]] page.

=== Endemic Security Risks ===
Because the Fedora Project uses resources not directly under its control, such as mirrors, Fedora and its users are exposed to [[Mirror_manager_security_risks|additional endemic risks]]; the project takes as many steps as possible to mitigate these risks.

=== References ===
* http://people.redhat.com/drepper/nonselsec.pdf
* http://docs.fedoraproject.org/selinux-faq/
* [[Updates_Policy|Fedora Updates Policy]]

=== Presentations ===
* http://fedoraproject.org/wiki/Presentations

=== Fedora Security Advisories ===
* http://fedoraproject.org/wiki/FSA

=== Fedora Security Tracking Bugs ===
* To track security vulnerabilities in packages, [[Security/TrackingBugs|tracking bugs]] are used.

=== List of Embedded Software ===
* We are maintaining a list of embedded software within various packages. This will help us to quickly identify whether a problem in library X can be corrected by updating library X alone, or whether it also requires updating other packages that contain their own private copies of library X. The [[Security/EmbeddedSoftware|embedded software list]] is used for this purpose.

=== List of SUID / SGID executables ===
* We are maintaining a list of executables with the SUID / SGID bit set within various packages. This will help us to quickly identify privileged binaries. The list is initially planned to be prepared for the Fedora 14 release and will later be extended to cover privileged binaries in newer versions of Fedora. The [[Security/SetUserGroupIDExecutables|list of SUID SGID executables]] is used for this purpose.

[[Category:Documentation]]

Latest revision (wiki source as shown in the comparison):

The Security SIG has three missions that contributors can assist with:

# [[:Category:Security#Security Response|Security Response]]
# [[:Category:Security#Secure Coding|Secure Coding]]
# [[:Category:Security#Code Auditing|Code Auditing]]

Contributors can work on any or all of these missions.

== Security Response ==
The [[Security Team]] helps packagers fix security vulnerabilities in packages they maintain. Most of these vulnerabilities come from the open source software community and packagers are notified by a ticket in [https://bugzilla.redhat.com Bugzilla].

=== Communicating ===

==== IRC ====
* {{fpchat|#fedora-security}} - general security questions
* {{fpchat|#fedora-security-team}} - FST IRC channel for working vulnerabilities

==== Mailing Lists ====
* {{fplist|security}} - General security mailing list (good for questions)
* {{fplist|security-team}} - Security Team mailing list

=== Reporting Vulnerabilities ===
Security issues should be reported following the procedures outlined on the [[Security Bugs]] page.

== Secure Coding ==

=== Communicating ===

==== E-Mail List ====
* Fedora {{fplist|security}} list: For discussion about improvement of Fedora security.

==== IRC ====

In addition to the Defensive Coding book the Security SIG is charged with creating training resources. Videos and smaller articles on secure development can also be created that concentrate on specific topics. These resources should be stored in the [https://fedorahosted.org/secure-coding/ secure coding] git repository.

==== Security Basics and HOWTO Articles ====
The basic Fedora security HOWTO is [[SecurityBasics]].

== Code Auditing ==
Many security vulnerabilities are found with the help of a code audit. If you are interested in performing an audit, please see our [[:Category:Code_Audit|auditing resource]] page.

=== Communicating ===

==== IRC ====
* '''{{fpchat|#fedora-security}}''' - Fedora's Security SIG channel on Freenode.

[[Category:Documentation]]

Latest revision as of 19:45, 9 November 2015

The Security SIG has three missions that contributors can assist with:

  1. Security Response
  2. Secure Coding
  3. Code Auditing

Contributors can work on any or all of these missions.


Security Response

The Security Team helps packagers fix security vulnerabilities in packages they maintain. Most of these vulnerabilities come from the open source software community and packagers are notified by a ticket in Bugzilla.

Communicating

IRC

  • #fedora-security - general security questions
  • #fedora-security-team - FST IRC channel for working vulnerabilities

Mailing Lists

  • security - General security mailing list (good for questions)
  • security-team - Security Team mailing list

Reporting Vulnerabilities

Security issues should be reported following the procedures outlined on the Security Bugs page.

Secure Coding

Secure coding is writing code with security in mind from the beginning. By avoiding security mistakes up front, the code is more secure and no time is wasted later rewriting or redesigning features and functionality.

Communicating

E-Mail List

  • Fedora security list: For discussion about improvement of Fedora security.

IRC

Projects

Defensive Coding book

The Defensive Coding book is published on the Fedora Docs website and is under development. The purpose of the book is to document common mistakes developers make and to help educate developers on how to improve their code from the beginning.

Training and Articles

In addition to the Defensive Coding book the Security SIG is charged with creating training resources. Videos and smaller articles on secure development can also be created that concentrate on specific topics. These resources should be stored in the secure coding git repository.

Security Basics and HOWTO Articles

The basic Fedora security HOWTO is the SecurityBasics page.

Code Auditing

Many security vulnerabilities are found with the help of a code audit. If you are interested in performing an audit, please see our auditing resource page.

Communicating

IRC

  • #fedora-security - Fedora's Security SIG channel on Freenode.

Subcategories

This category has the following 2 subcategories, out of 2 total.