From Fedora Project Wiki

Revision as of 04:16, 23 September 2014 by Immanetize (talk | contribs) (format-security)

DocsProject Header docTeam1.png
Beat is open
This beat is now ready to have Fedora 25 content added by the beat writer

Crypto Policy

<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>

<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>

<para>Additional information on this new feature can be found on the <ulink url="">CryptoPolicy Changes wiki page</ulink>.</para>

systemd PrivateDevices and PrivateNetwork

Fedora is now more secure, as many long-running systemd services now run with physical device access and/or network access turned off. See [1] (NOTE:xref)

Format Security

Starting with Fedora 21, all packages built by GCC will compile with the flag *-Werror=format-security* . While this change has no user-visible change, it represents a substantial effort by Fedora packagers to protect your system from an entire class of vulnerability.

You can learn more about the security issues mitigated by Fedora's defensive security practices at