From Fedora Project Wiki

 
(119 intermediate revisions by 23 users not shown)
Line 1: Line 1:
= Security =
+
{{header|docs}}
  
This section highlights various security items from Fedora.
+
{{Docs_beat_closed}}
  
== Security Enhancements ==
+
[[Category:Docs Project]]
 
+
[[Category:Draft documentation]]
Fedora continues to improve its many proactive [http://fedoraproject.org/wiki/Security/Features security features] .
+
[[Category:Documentation beats]]
 
 
=== Support for SHA-256 and SHA-512 passwords ===
 
 
 
The <code>glibc</code> package in Fedora 8 had [http://people.redhat.com/drepper/sha-crypt.html support] for passwords using SHA-256 and SHA-512 hashing.  Previously, only DES and MD5 were available.  These tools have been extended in Fedora 9. Password hashing using the SHA-256 and SHA-512 hash functions is now supported.
 
 
 
To switch to SHA-256 or SHA-512 on an installed system, use <code>authconfig --passalgo=sha256 --update</code> or <code>authconfig --passalgo=sha512 --update</code>.  Alternatively, use the <code>authconfig-gtk</code> GUI tool to configure the hashing method.  Existing user accounts will not be affected until their passwords are changed.
 
 
 
SHA-512 is used by default on newly installed systems.  Other algorithms can be configured only for kickstart installations, by using the <code>--passalgo</code> or <code>--enablemd5</code> options for the kickstart <code>auth</code> command. If your installation does not use kickstart, use <code>authconfig</code> as described above, and then change the root user password, and passwords for other users created after installation.
 
 
 
New options now appear in <code>libuser</code>, <code>pam</code>, and <code>shadow-utils</code> to support these password hashing algorithms.  Running <code>authconfig</code> configures all these options automatically, so it is not necessary to modify them manually.
 
 
 
* New values for the <code>crypt_style</code> option, and the new options <code>hash_rounds_min</code>, and <code>hash_rounds_max</code>, are now supported in the <code>[defaults] </code> section of <code>/etc/libuser.conf</code>. Refer to the <code>libuser.conf(5)</code> man page for details.
 
 
 
* New options, <code>sha256</code>, <code>sha512</code>, and <code>rounds</code>, are now supported by the <code>pam_unix</code> PAM module. Refer to the <code>pam_unix(8)</code> man page for details.
 
 
 
* New options, <code>ENCRYPT_METHOD</code>, <code>SHA_CRYPT_MIN_ROUNDS</code>, and <code>SHA_CRYPT_MAX_ROUNDS</code>, are now supported in <code>/etc/login.defs</code>. Refer to the <code>login.defs(5)</code> man page for details. Corresponding options were added to <code>chpasswd(8)</code> and <code>newusers(8)</code>.
 
 
 
=== FORTIFY_SOURCE extended to cover more functions ===
 
 
 
[[Security/Features#FORTIFY_SOURCE| FORTIFY_SOURCE]] protection now covers <code>asprintf</code>, <code>dprintf</code>, <code>vasprintf</code>, <code>vdprintf</code>, <code>obstack_printf</code> and <code>obstack_vprintf</code>. This improvement is particularly useful for applications that use the <code>glib2</code> library, as several of its functions use <code>vasprintf</code>.
 
 
 
=== SELinux Enhancements ===
 
Different roles are now available, to allow finer-grained access control:
 
* <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI.
 
* <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and no setuid binaries.
 
* <code>user_t</code> is ideal for office users: prevents becoming root via setuid applications.
 
* <code>staff_t</code> is same as <code>user_t</code>, except that root access via <code>sudo</code> is allowed.
 
* <code>unconfined_t</code> provides full access, the same as when not using SELinux.
 
 
 
As well, browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, now run confined.
 
 
 
=== Default Firewall Behavior ===
 
 
 
In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by '''Anaconda'''.
 
 
 
=== General Information ===
 
 
 
A general introduction to the many proactive security features in Fedora, current status, and policies is available at http://fedoraproject.org/wiki/Security.
 
 
 
{{:/SELinux}}
 
{{:/FreeIPA}}
 

Latest revision as of 01:33, 20 September 2016

DocsProject Header docTeam1.png


Warning.png
Beat Closed on Wiki
Work on beats has now moved to git at https://pagure.io/fedora-docs/release-notes. If you have changes or additions, please contact the docs team via #fedora-docs, docs@lists.fedoraproject.org, or with the release-notes BZ component.