The Security SIG has three missions that contributors can assist with:
- Secure Coding
- Code Auditing
- Security Response
Contributors can work on any or all of these missions.
Secure Coding
Secure coding is writing code with security in mind from the beginning. By not making security mistakes the code is more secure and time won't be wasted down the road having to rewrite or redesign features and functionality.
Communicating
E-Mail List
- Fedora security list: For discussion about improvement of Fedora security.
IRC
- #fedora-security[?] - Fedora's Security SIG channel on Freenode.
Projects
Defensive Coding book
The Defensive Coding book is published on the Fedora Docs website and is under development. The purpose of the book is to document common mistakes developers make and help educate developers on how to better their code from the beginning.
Training and Articles
In addition to the Defensive Coding book the Security SIG is charged with creating training resources. Videos and smaller articles on secure development can also be created to concentrate specific topics. These resources should be stored in the secure coding git repository.
Security Basics and HOWTO Articles
Basic Fedora security HOWTO is SecurityBasics
Code Auditing
Communicating
IRC
- #fedora-security[?] - Fedora's Security SIG channel on Freenode.
Security Response
The Security Team helps packagers fix security vulnerabilities in packages they maintain. Most of these vulnerabilities come from the open source software community and packagers are notified by a ticket in Bugzilla.
Fedora Security Response Procedures
Security issues should be reported following the procedures outlined on the Security Bugs page.
Security Issues Classification
So what counts a security issue in Fedora? Find answers in the Security Classifications page.
Security Features
Security features available in Fedora is explained on Security Features page.
Fedora Security Response
The Fedora Security Response Team handles security issues within Fedora. Red Hat Product Security can be reached by mailing secalert AT redhat DOT com.
Endemic Security Risks
Due to the Fedora Project's use of resources not directly under our control, such as mirrors, Fedora and its users have exposure to additional endemic risks, and takes as many steps as possible mitigate these risks.
References
- http://people.redhat.com/drepper/nonselsec.pdf
- http://docs.fedoraproject.org/selinux-faq/
- Fedora Updates Policy
Presentations
Fedora Security Advisories
Fedora Security Tracking Bugs
- To track security vulnerabilities in packages, tracking bugs are used.
List of Embedded Software
- We are maintaining a list of embedded software within various packages. This will help us to quickly identify if a problem in library X can be corrected with updating library X, or if it also requires updating other packages that may contain their own private copies of library X. The embedded software list is used for this purpose.
List of SUID / SGID executables
- We are maintaining a list of SUID / SGID bit equipped executables within various packages. This will help us to quickly identify privileged binaries. This list is preliminary planned to be prepared for Fedora release of 14 and it will be enhanced later to include list of privileged binaries in also in newer versions of Fedora. The list of SUID SGID executables is used for this purpose.
Pages in category "Security"
The following 30 pages are in this category, out of 30 total.
D
S
- Secure Coding Training Curriculum
- Security
- Security Bugs
- Security Bugs/ar
- Security Classifications
- Security Features
- Security Guide Audit
- Security of Embedded Software
- Archive:Security Status
- Security Status for 2002
- Security Status for 2004
- Security Status for 2005
- Security Status for2003
- Security Team FAD 2016
- Security Team Hall of Fame
- Security Tracking Bugs