SecurityBasics

= DRAFT: Fedora Security Basics =

Understanding Computer Security
Although new viruses and security flaws are announced daily, threats fall into several well-understood categories. The common types of threat to networked computer systems include:


 * Viruses that spread between systems
 * Malicious Software Applications, often designed to modify the system or transmit data to other systems
 * Malicious Servers designed to exploit vulnerabilities in software that accesses them
 * Attacks on Network Services by specialized cracking tools
 * Interception of Information transmitted between networked systems
 * User Behavior includes accidental errors and, more rarely, deliberate attempts to compromise the system

All of these threats have been in existance for many years. Researchers, developers, and security professionals, have developed a wide range of approaches to deal with each type of threat. As a result, it is possible to actively reduce the overall vulnerability of the system to both current and future threats. Applications and network services may be designed to avoid behavior that is known to be potentially unsafe, and specialized countermeasures may be implemented within the operating system itself.

The Red Hat Enterprise Linux Security Guide provides an overview of security issues, and advice on how to configure common software.


 * 

Security Measures in Fedora Systems
The security measures in Fedora include:


 * A system firewall
 * Separated user accounts
 * Every system and user file is marked with a set of permissions that specify how it may be used
 * Many network services may only access appropriate parts of the system
 * No access to administrative facilities from standard user accounts without separate authorization
 * Software installation methods that reject software from untrusted sources
 * Utilities to update all of the supplied software on your system with one command
 * Several features that prevent software from modifying other parts of the running system
 * Automated e-mail status reports

By default, the installation process configures all of these features. One of the overall design goals of Fedora is that every system should be secure, without requiring extra efforts by the users. To this end, Fedora developers continue to refine core technologies such as software management, the SELinux access framework, and the GCC software compiler. The recommended applications and network services also have features that address common security issues.

You may modify the configurations of each component to tailor the security of your system to your requirements. The Fedora Project only provides software that is licensed under open source terms, to ensure that you may study and customize the software to any level that you wish. You may also directly help to improve the security of the Fedora distribution by participating in the processes of testing, documentation, and development.

The sections below provide some general advice on particular aspects of system security.

User Accounts and the Root Account
Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users.

To perform administrative tasks, log in to your system with a standard user account, and use the  or   to run individual commands with the privileges of the   account. This ensures that only the specified commands are run with  access. The supplied configuration tools automatically prompt for the  password, if the user has not specified   access with   or.

Read the  manual on your system for details of the   command:

info su

If you have several administrators for a system, configure  to enable each administrator to carry out commands with   access. The  facility also enables administrators to grant   access to user accounts for specific applications only.

Use the  command to edit the configuration file for.

Refer to the  project Website for more information on  :


 * 

Ensuring Strong Passwords
Automated password cracking programs include multiple dictionaries for one or more languages, in order to be able to identify any password that is based on a standard word or name. Password cracking programs are also often able to identify a word even if characters are substituted.

To ensure that your passwords may not be easily identified, use a combination of upper case letters, lower case letters, numbers, and punctuation.

Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak.

If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature.

Understanding Viruses and Spyware
Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves.

Some spyware programs use a feature of Microsoft Internet Explorer to install on Windows systems without the consent of a user. Other spyware products claim to provide features in order to convince users to install them.

Fedora systems do not allow new items of software to be installed or run without the explicit permission of a user:


 * By default, applications such as the Open, ): Superceded by SSH
 * Telnet: Superceded by SSH

If possible, configure each accessible service to only accept connections from specific IP addresses. For information on how to secure a service, refer to the documentation for the product.

In all cases, only allow write access if it is necessary. Certain services, like HTTP file transfer, provide read-only access by default. If you configure a service to allow write access to files or databases, ensure that access is protected by strong passwords.

Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur.

Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released.

Keeping Your System Updated
To carry out a full system update, follow the instructions in the Fedora documentation:


 * http://fedora.redhat.com/docs/yum/sn-updating-your-system.html

For more details on software installation and updates with, refer to the documentation:


 * 

The  utility may only manage software packages. You must check and manage downloaded scripts and manually compiled software. To ensure that you have the latest versions of manually installed software, subscribe to e-mail or RSS services that notify you when new versions are released.

Subscribing to Security Announcement Services
The Fedora Project provides both an e-mail announcements service, and RSS information feeds.

To subscribe to e-mail announcements, go to the webpage for the fedora-announce-list


 * 

To view, or subscribe to, RSS feeds, visit the Fedora Project website


 * 

Enabling Status Reports
Automated processes on your Fedora system use the e-mail service to send reports to the system administrator. The  script sends an overall status report each day at 4am.

Follow the instructions below to configure the e-mail service to deliver these messages to an administrator:

Edit the file. You must have  access in order to edit this file.

su -c 'gedit /etc/aliases'

Enter the  password when prompted.

Change the line:

root: root

Replace the second root with your e-mail address. For example:

root: me@example.com

Save the file, and close the text editor.

To update the e-mail server configuration with the new alias, run the  command.

su -c 'newaliases'

Enter the  password when prompted.

Using the System Safely

 * Use strong passwords for your accounts
 * Log in with a standard user account
 * Use,  , or the supplied configuration tools, to perform administrative tasks that require   access
 * Only install software or plug-ins from trusted sources
 * Discard e-mails with attachments if you do not recognise the source
 * Only keep or copy a file if you know the original source of that file

Secure System Configuration

 * Create one system account per active user
 * If a number of users require some form of administrative access, configure  rather than distributing the   password
 * Only enable additional network services if they are necessary
 * If possible, configure services to allow connections only from specific IP addresses that you know
 * Only configure a service to allow write access to files if it is necessary
 * If possible, require SSH keys rather than passwords for remote access
 * If you expect to receive infected files, install and configure anti-virus software
 * Enable e-mail reporting by setting an e-mail alias for

Routine Security Tasks

 * Check the messages from your RSS and e-mail subscriptions for security announcements
 * Update the system regularly
 * If you install anti-virus software, update the virus signature data regularly
 * Make backups of data and configuration files
 * Lock user accounts that are no longer required
 * Deactivate any network services that are no longer required
 * Check the log files for unusual activity

You may wish to automate some of these tasks, so that they are performed automatically.