From Fedora Project Wiki

(Addition of sectool information)
(corrected typo)
(97 intermediate revisions by 18 users not shown)
Line 1: Line 1:
== Security ==
{{header|docs}}{{Docs_beat_open}}


This section highlights various security items from Fedora.
<title>Crypto Policy</title>


=== Security Enhancements ===
<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems.  Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>


Fedora continues to improve its many proactive [http://fedoraproject.org/wiki/Security/Features security features] .
<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>


=== SELinux Enhancements ===
<para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>
Different roles are now available, to allow finer-grained access control:
* <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI.
* <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no setuid binaries.
* <code>user_t</code> is ideal for office users: prevents becoming root via setuid applications.
* <code>staff_t</code> is same as <code>user_t</code>, except that root access via <code>sudo</code> is allowed.
* <code>unconfined_t</code> provides full access, the same as when not using SELinux.


As well, browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, now run confined.


=== Security Audit Package ===
[[Category:Docs Project]]
Sectool provides users with a tool that can check their systems for security issues. Included are libraries that allow for the customization of system tests. More information can be found at the [https://fedorahosted.org/sectool | project home].
[[Category:Draft documentation]]
 
[[Category:Documentation beats]]
=== General Information ===
 
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
 
{{/SELinux}}
{{/FreeIPA}}

Revision as of 07:03, 4 June 2014

DocsProject Header docTeam1.png
Note.png
Beat is open
This beat is now ready to have Fedora 25 content added by the beat writer


<title>Crypto Policy</title>

<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>

<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>

<para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>

Retrieved from "https://fedoraproject.org/w/index.php?title=Documentation_Security_Beat&oldid=379227"