|
|
| (113 intermediate revisions by 23 users not shown) |
| Line 1: |
Line 1: |
| = Security =
| | {{header|docs}}{{Docs_beat_open}} |
|
| |
|
| This section highlights various security items from Fedora.
| | == Disable SSL 3.0 and RC4 == |
|
| |
|
| == Security Enhancements ==
| | The SSL 3.0 protocol and the RC4 cipher are considered insecure and vulnerable to attacks. As such, these two are disabled by default for all Fedora components that use the system-wide crypto policies. This includes gnutls and openssl libraries, and all the applications based on them. |
|
| |
|
| Fedora continues to improve its many proactive [http://fedoraproject.org/wiki/Security/Features security features] .
| | Applications or environments that require SSL 3.0 or RC4 can use [https://github.com/nmav/fedora-crypto-policies/blob/master/crypto-policies.8.txt update-crypto-policies] to globally switch to the LEGACY policy to enable SSL 3.0 and RC4. |
|
| |
|
| === Support for SHA-256 and SHA-512 passwords ===
| | '''Note (Use note tag)''' - All applications that use TLS from NSS are not affected by this change. |
|
| |
|
| The <code>glibc</code> package in Fedora 8 had [http://people.redhat.com/drepper/sha-crypt.html support] for passwords using SHA-256 and SHA-512 hashing. Previously, only DES and MD5 were available. These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported. | | == OpenSSH 7.1 == |
| | The OpenSSH project continues to improve the security of network communication with the release of OpenSSH version 7.1. Details of the release are available at http://www.openssh.com/txt/release-7.1 |
|
| |
|
| To switch to SHA-256 or SHA-512 on an installed system, use <code>authconfig --passalgo=sha256 --update</code> or <code>authconfig --passalgo=sha512 --update</code>. Alternatively, use the <code>authconfig-gtk</code> GUI tool to configure the hashing method. Existing user accounts will not be affected until their passwords are changed.
| | == Package Hardening == |
| | Packages compiled for Fedora 23 will be compiled with a position-independent code flag enabled by default. This was an optional setting that as a default will protect users from certain potential security vulnerabilities. |
|
| |
|
| SHA-512 is used by default on newly installed systems. Other algorithms can be configured only for kickstart installations, by using the <code>--passalgo</code> or <code>--enablemd5</code> options for the kickstart <code>auth</code> command. If your installation does not use kickstart, use <code>authconfig</code> as described above, and then change the root user password, and passwords for other users created after installation.
| | == Standardized Passphrase Policy == |
| | A common password policy is being utilized to provide a set of consistent rules for password policies. These rules can be modified locally to fit user needs. |
|
| |
|
| New options now appear in <code>libuser</code>, <code>pam</code>, and <code>shadow-utils</code> to support these password hashing algorithms. Running <code>authconfig</code> configures all these options automatically, so it is not necessary to modify them manually.
| |
|
| |
|
| * New values for the <code>crypt_style</code> option, and the new options <code>hash_rounds_min</code>, and <code>hash_rounds_max</code>, are now supported in the <code>[defaults] </code> section of <code>/etc/libuser.conf</code>. Refer to the <code>libuser.conf(5)</code> man page for details.
| | [[Category:Docs Project]] |
| | | [[Category:Draft documentation]] |
| * New options, <code>sha256</code>, <code>sha512</code>, and <code>rounds</code>, are now supported by the <code>pam_unix</code> PAM module. Refer to the <code>pam_unix(8)</code> man page for details.
| | [[Category:Documentation beats]] |
| | |
| * New options, <code>ENCRYPT_METHOD</code>, <code>SHA_CRYPT_MIN_ROUNDS</code>, and <code>SHA_CRYPT_MAX_ROUNDS</code>, are now supported in <code>/etc/login.defs</code>. Refer to the <code>login.defs(5)</code> man page for details. Corresponding options were added to <code>chpasswd(8)</code> and <code>newusers(8)</code>.
| |
| | |
| === FORTIFY_SOURCE extended to cover more functions ===
| |
| | |
| [[Security/Features#FORTIFY_SOURCE| FORTIFY_SOURCE]] protection now covers <code>asprintf</code>, <code>dprintf</code>, <code>vasprintf</code>, <code>vdprintf</code>, <code>obstack_printf</code> and <code>obstack_vprintf</code>. This improvement is particularly useful for applications that use the <code>glib2</code> library, as several of its functions use <code>vasprintf</code>. | |
| | |
| === SELinux Enhancements ===
| |
| Different roles are now available, to allow finer-grained access control:
| |
| * <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI.
| |
| * <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no setuid binaries.
| |
| * <code>user_t</code> is ideal for office users: prevents becoming root via setuid applications.
| |
| * <code>staff_t</code> is same as <code>user_t</code>, except that root access via <code>sudo</code> is allowed.
| |
| * <code>unconfined_t</code> provides full access, the same as when not using SELinux.
| |
| | |
| As well, browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, now run confined.
| |
| | |
| === Default Firewall Behavior ===
| |
| | |
| In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by '''Anaconda'''.
| |
| | |
| === General Information ===
| |
| | |
| A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
| |
| | |
| {{:/SELinux}}
| |
| {{:/FreeIPA}}
| |
Beat is open
This beat is now ready to have Fedora 25 content added by the beat writer
Disable SSL 3.0 and RC4
The SSL 3.0 protocol and the RC4 cipher are considered insecure and vulnerable to attacks. As such, these two are disabled by default for all Fedora components that use the system-wide crypto policies. This includes gnutls and openssl libraries, and all the applications based on them.
Applications or environments that require SSL 3.0 or RC4 can use update-crypto-policies to globally switch to the LEGACY policy to enable SSL 3.0 and RC4.
Note (Use note tag) - All applications that use TLS from NSS are not affected by this change.
OpenSSH 7.1
The OpenSSH project continues to improve the security of network communication with the release of OpenSSH version 7.1. Details of the release are available at http://www.openssh.com/txt/release-7.1
Package Hardening
Packages compiled for Fedora 23 will be compiled with a position-independent code flag enabled by default. This was an optional setting that as a default will protect users from certain potential security vulnerabilities.
Standardized Passphrase Policy
A common password policy is being utilized to provide a set of consistent rules for password policies. These rules can be modified locally to fit user needs.
