|
|
| (102 intermediate revisions by 21 users not shown) |
| Line 1: |
Line 1: |
| <pre>#!html
| | {{header|docs}}{{Docs_beat_open}} |
| ==Security==</pre>
| |
|
| |
|
| This section highlights various security items from Fedora.
| | <title>Crypto Policy</title> |
|
| |
|
| == Security Enhancements ==
| | <para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para> |
|
| |
|
| Fedora continues to improve its many proactive [http://fedoraproject.org/wiki/Security/Features security features] .
| | <para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para> |
|
| |
|
| === Support for SHA-256 and SHA-512 passwords === | | <para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para> |
|
| |
|
| The <code>glibc</code> package in Fedora 8 had [http://people.redhat.com/drepper/sha-crypt.html support] for passwords using SHA-256 and SHA-512 hashing. Previously, only DES and MD5 were available. These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported.
| |
|
| |
|
| To switch to SHA-256 or SHA-512 on an installed system, use <code>authconfig --passalgo=sha256 --update</code> or <code>authconfig --passalgo=sha512 --update</code>. Alternatively, use the <code>authconfig-gtk</code> GUI tool to configure the hashing method. Existing user accounts will not be affected until their passwords are changed.
| | [[Category:Docs Project]] |
| | | [[Category:Draft documentation]] |
| SHA-512 is used by default on newly installed systems. Other algorithms can be configured only for kickstart installations, by using the <code>--passalgo</code> or <code>--enablemd5</code> options for the kickstart <code>auth</code> command. If your installation does not use kickstart, use <code>authconfig</code> as described above, and then change the root user password, and passwords for other users created after installation.
| | [[Category:Documentation beats]] |
| | |
| New options now appear in <code>libuser</code>, <code>pam</code>, and <code>shadow-utils</code> to support these password hashing algorithms. Running <code>authconfig</code> configures all these options automatically, so it is not necessary to modify them manually.
| |
| | |
| * New values for the <code>crypt_style</code> option, and the new options <code>hash_rounds_min</code>, and <code>hash_rounds_max</code>, are now supported in the <code>[defaults] </code> section of <code>/etc/libuser.conf</code>. Refer to the <code>libuser.conf(5)</code> man page for details.
| |
| | |
| * New options, <code>sha256</code>, <code>sha512</code>, and <code>rounds</code>, are now supported by the <code>pam_unix</code> PAM module. Refer to the <code>pam_unix(8)</code> man page for details.
| |
| | |
| * New options, <code>ENCRYPT_METHOD</code>, <code>SHA_CRYPT_MIN_ROUNDS</code>, and <code>SHA_CRYPT_MAX_ROUNDS</code>, are now supported in <code>/etc/login.defs</code>. Refer to the <code>login.defs(5)</code> man page for details. Corresponding options were added to <code>chpasswd(8)</code> and <code>newusers(8)</code>.
| |
| | |
| === FORTIFY_SOURCE extended to cover more functions ===
| |
| | |
| [[Security/Features#FORTIFY_SOURCE| FORTIFY_SOURCE]] protection now covers <code>asprintf</code>, <code>dprintf</code>, <code>vasprintf</code>, <code>vdprintf</code>, <code>obstack_printf</code> and <code>obstack_vprintf</code>. This improvement is particularly useful for applications that use the <code>glib2</code> library, as several of its functions use <code>vasprintf</code>. | |
| | |
| === SELinux Enhancements ===
| |
| Different roles are now available, to allow finer-grained access control:
| |
| * <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI.
| |
| * <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no setuid binaries.
| |
| * <code>user_t</code> is ideal for office users: prevents becoming root via setuid applications.
| |
| * <code>staff_t</code> is same as <code>user_t</code>, except that root access via <code>sudo</code> is allowed.
| |
| * <code>unconfined_t</code> provides full access, the same as when not using SELinux.
| |
| | |
| As well, browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, now run confined.
| |
| | |
| === Default Firewall Behavior ===
| |
| | |
| In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by '''Anaconda'''.
| |
| | |
| === General Information ===
| |
| | |
| A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
| |
| | |
| {{:/SELinux}}
| |
| {{:/FreeIPA}}
| |
Beat is open
This beat is now ready to have Fedora 25 content added by the beat writer
<title>Crypto Policy</title>
<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>
<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>
<para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>
