From sradvan@fedoraproject.org Wed Jun 10 15:47:40 2015
From: sradvan
To: docs-commits@lists.fedoraproject.org
Subject: web/html/docs/security-guide/en_US/F12/html-single index.html, NONE, 1.1
Date: Wed, 26 Aug 2009 03:57:06 +0000
Message-ID: <20090826035706.AD3A111C0044@cvs1.fedora.phx.redhat.com>

Author: sradvan

Update of /cvs/fedora/web/html/docs/security-guide/en_US/F12/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28845

Added Files:
	index.html
Log Message:

--- NEW FILE index.html ---
security-guide</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content=""/><meta name="description" content="The Linux Security Guide is designed to assist users of Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, The Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home.
With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods."/></head><body class=""><div class="book" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">fedora</span> <span class="productnumber">12</span></div><div><h1 id="d0e1" class="title">security-guide</h1></div><div><h2 class="subtitle">A Guide to Securing Fedora Linux</h2></div><p class="edition">Edition 1.1</p><div><h3 class="corpauthor">
<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
</h3></div><div><div class="authorgroup">
<div class="author"><h3 class="author"><span class="firstname">Johnray</span> <span class="surname">Fuller</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jrfuller@redhat.com">jrfuller@redhat.com</a></code></div>
<div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Ha</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jha@redhat.com">jha@redhat.com</a></code></div>
<div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">O'Brien</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:daobrien@redhat.com">daobrien@redhat.com</a></code></div>
<div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:sradvan@redhat.com">sradvan@redhat.com</a></code></div>
<div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Christensen</span></h3><div class="affiliation"><span class="orgname">Fedora Project</span> <span class="orgdiv">Documentation Team</span></div><code class="email"><a class="email" href="mailto:sparks@fedoraproject.org">sparks@fedoraproject.org</a></code></div>
</div></div><hr/><div><div id="d0e31" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
Copyright <span class="trademark"/>© 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at <a href="http://www.opencontent.org/openpub/">http://www.opencontent.org/openpub/</a>).
</div><div class="para">
Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.
</div><div class="para">
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.
</div><div class="para">
All other trademarks and copyrights referred to are the property of their respective owners.
</div><div class="para">
Documentation, as with software itself, may be subject to export control.
Read about Fedora Project export controls at <a href="http://fedoraproject.org/wiki/Legal/Export">http://fedoraproject.org/wiki/Legal/Export</a>.
</div></div></div><div><div class="abstract"><h6>Abstract</h6><div class="para">The Linux Security Guide is designed to assist users of Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity.</div><div class="para">Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, The Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home.</div><div class="para">With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.</div></div></div></div><hr/></div><div class="toc"><dl>
<dt><span class="preface"><a href="#pref-Security_Guide-Preface">Preface</a></span></dt><dd><dl>
<dt><span class="section"><a href="#d0e105">1. Document Conventions</a></span></dt><dd><dl>
<dt><span class="section"><a href="#d0e115">1.1. Typographic Conventions</a></span></dt>
<dt><span class="section"><a href="#d0e331">1.2. Pull-quote Conventions</a></span></dt>
<dt><span class="section"><a href="#d0e350">1.3. Notes and Warnings</a></span></dt></dl></dd>
<dt><span class="section"><a href="#We_Need_Feedback">2. We Need Feedback!</a></span></dt></dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Security_Overview">1. Security Overview</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your Network</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.1. Workstation Security</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollment Works</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Configuration File Format</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP Wrappers and xinetd</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an IPsec Connection</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an IPsec Connection</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. FORWARD and NAT Rules</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.2. Command Options for IPTables</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving IPTables Rules</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables Control Scripts</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and IPv6</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional Resources</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Encryption">3. Encryption</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt>
<dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt>
<dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt>
<dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt>
<dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest">3.7.5. Links of Interest</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-General_Principles_of_Information_Security">4. General Principles of Information Security</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Secure_Installation">5. Secure Installation</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Software_Maintenance">6. Software Maintenance</a></span></dt><dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-References">7. References</a></span></dt></dl></div>
<div class="preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security_Guide-Preface" class="title">Preface</h1></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e105">1.&#160;Document Conventions</h2></div></div></div><div class="para">
This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
</div><div class="para">
In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e115">1.1.&#160;Typographic Conventions</h3></div></div></div><div class="para">
Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
</div><div class="para">
<code class="literal">Mono-spaced Bold</code>
</div><div class="para">
Used to highlight system input, including shell commands, file names and paths. Also used to highlight key caps and key-combinations. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
To see the contents of the file <code class="filename">my_next_bestselling_novel</code> in your current working directory, enter the <code class="command">cat my_next_bestselling_novel</code> command at the shell prompt and press <span class="keycap"><strong>Enter</strong></span> to execute the command.
</div></blockquote></div><div class="para">
The above includes a file name, a shell command and a key cap, all presented in Mono-spaced Bold and all distinguishable thanks to context.
</div><div class="para">
Key-combinations can be distinguished from key caps by the hyphen connecting each part of a key-combination. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
Press <span class="keycap"><strong>Enter</strong></span> to execute the command.
</div><div class="para">
Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F1</strong></span> to switch to the first virtual terminal. Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F7</strong></span> to return to your X-Windows session.
</div></blockquote></div><div class="para">
The first sentence highlights the particular key cap to press. The second highlights two sets of three key caps, each set pressed simultaneously.
</div><div class="para">
If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">Mono-spaced Bold</code>. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
File-related classes include <code class="classname">filesystem</code> for file systems, <code class="classname">file</code> for files, and <code class="classname">dir</code> for directories. Each class has its own associated set of permissions.
</div></blockquote></div><div class="para">
<span class="application"><strong>Proportional Bold</strong></span>
</div><div class="para">
This denotes words or phrases encountered on a system, including application names; dialogue box text; labelled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
Choose <span class="guimenu"><strong>System > Preferences > Mouse</strong></span> from the main menu bar to launch <span class="application"><strong>Mouse Preferences</strong></span>. In the <span class="guilabel"><strong>Buttons</strong></span> tab, click the <span class="guilabel"><strong>Left-handed mouse</strong></span> check box and click <span class="guibutton"><strong>Close</strong></span> to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).
</div><div class="para">
To insert a special character into a <span class="application"><strong>gedit</strong></span> file, choose <span class="guimenu"><strong>Applications > Accessories > Character Map</strong></span> from the main menu bar. Next, choose <span class="guimenu"><strong>Search > Find…</strong></span> from the <span class="application"><strong>Character Map</strong></span> menu bar, type the name of the character in the <span class="guilabel"><strong>Search</strong></span> field and click <span class="guibutton"><strong>Next</strong></span>. The character you sought will be highlighted in the <span class="guilabel"><strong>Character Table</strong></span>. Double-click this highlighted character to place it in the <span class="guilabel"><strong>Text to copy</strong></span> field and then click the <span class="guibutton"><strong>Copy</strong></span> button. Now switch back to your document and choose <span class="guimenu"><strong>Edit > Paste</strong></span> from the <span class="application"><strong>gedit</strong></span> menu bar.
</div></blockquote></div><div class="para">
The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in Proportional Bold and all distinguishable by context.
</div><div class="para">
Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This is to avoid the difficult-to-follow 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar' approach.
</div><div class="para">
<code class="command"><em class="replaceable"><code>Mono-spaced Bold Italic</code></em></code> or <span class="application"><strong><em class="replaceable"><code>Proportional Bold Italic</code></em></strong></span>
</div><div class="para">
Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
To connect to a remote machine using ssh, type <code class="command">ssh <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>domain.name</code></em></code> at a shell prompt. If the remote machine is <code class="filename">example.com</code> and your username on that machine is john, type <code class="command">ssh john@example.com</code>.
</div><div class="para">
The <code class="command">mount -o remount <em class="replaceable"><code>file-system</code></em></code> command remounts the named file system. For example, to remount the <code class="filename">/home</code> file system, the command is <code class="command">mount -o remount /home</code>.
</div><div class="para">
To see the version of a currently installed package, use the <code class="command">rpm -q <em class="replaceable"><code>package</code></em></code> command. It will return a result as follows: <code class="command"><em class="replaceable"><code>package-version-release</code></em></code>.
</div></blockquote></div><div class="para">
Note the words in bold italics above — username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system.
</div><div class="para">
Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
</div></blockquote></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e331">1.2.&#160;Pull-quote Conventions</h3></div></div></div><div class="para">
Two, commonly multi-line, data types are set off visually from the surrounding text.
</div><div class=3D"para"> Output sent to a terminal is set in <code class=3D"computeroutput">Mono-sp= aced Roman</code> and presented thus: </div><pre class=3D"screen"> books Desktop documentation drafts mss photos stuff svn books_tests Desktop1 downloads images notes scripts svgs </pre><div class=3D"para"> Source-code listings are also set in <code class=3D"computeroutput">Mono-s= paced Roman</code> but are presented and highlighted as follows: </div><pre class=3D"programlisting"> package org.jboss.book.jca.ex1; import javax.naming.InitialContext; public class ExClient { public static void main(String args[])=20 throws Exception { InitialContext iniCtx =3D new InitialContext(); Object ref =3D iniCtx.lookup("EchoBean"); EchoHome home =3D (EchoHome) ref; Echo echo =3D home.create(); System.out.println("Created Echo"); System.out.println("Echo.echo('Hello') =3D " + echo.echo("Hello")); } =20 } </pre></div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage"><d= iv><div><h3 class=3D"title" id=3D"d0e350">1.3.=C2=A0Notes and Warnings</h3></= div></div></div><div class=3D"para"> Finally, we use three visual styles to draw attention to information that = might otherwise be overlooked. </div><div class=3D"note"><h2>Note</h2><div class=3D"para"> A note is a tip or shortcut or alternative approach to the task at hand. = Ignoring a note should have no negative consequences, but you might miss out = on a trick that makes your life easier. </div></div><div class=3D"important"><h2>Important</h2><div class=3D"para"> Important boxes detail things that are easily missed: configuration chang= es that only apply to the current session, or services that need restarting b= efore an update will apply. Ignoring Important boxes won't cause data loss bu= t may cause irritation and frustration. </div></div><div class=3D"warning"><h2>Warning</h2><div class=3D"para"> A Warning should not be ignored. Ignoring warnings will most likely cause= data loss. 
</div></div></div></div><div class=3D"section" lang=3D"en-US"><div class= =3D"titlepage"><div><div><h2 class=3D"title" id=3D"We_Need_Feedback">2.=C2=A0= We Need Feedback!</h2></div></div></div><div class=3D"para"> More information about the Linux Security Guide project can be found at <a = href=3D"https://fedorahosted.org/securityguide">https://fedorahosted.org/secu= rityguide</a> </div><div class=3D"para"> To provide feedback for the Security Guide, please file a bug in <a href=3D= "https://bugzilla.redhat.com/enter_bug.cgi?component=3Dsecurity-guide&pro= duct=3DFedora%20Documentation">https://bugzilla.redhat.com/enter_bug.cgi?comp= onent=3Dsecurity-guide&product=3DFedora%20Documentation</a>. Please selec= t the proper component in the dropdown menu which should be the page name. </div></div></div><div class=3D"chapter" lang=3D"en-US"><div class=3D"titlep= age"><div><div><h2 class=3D"title" id=3D"chap-Security_Guide-Security_Overvie= w">Chapter=C2=A01.=C2=A0Security Overview</h2></div></div></div><div class=3D= "toc"><dl><dt><span class=3D"section"><a href=3D"#sect-Security_Guide-Introdu= ction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><= span class=3D"section"><a href=3D"#sect-Security_Guide-Introduction_to_Securi= ty-What_is_Computer_Security">1.1.1. What is Computer Security?</a></span></d= t><dt><span class=3D"section"><a href=3D"#sect-Security_Guide-Introduction_to= _Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class=3D"section">= <a href=3D"#sect-Security_Guide-Introduction_to_Security-Security_Controls">1= .1.3. Security Controls</a></span></dt><dt><span class=3D"section"><a href=3D= "#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion<= /a></span></dt></dl></dd><dt><span class=3D"section"><a href=3D"#sect-Securit= y_Guide-Vulnerability_Assessment" >1.2. 
Vulnerability Assessment</a></span></dt><dd><dl><dt><span class=3D"sec= tion"><a href=3D"#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_= the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class=3D"s= ection"><a href=3D"#sect-Security_Guide-Vulnerability_Assessment-Defining_Ass= essment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><d= t><span class=3D"section"><a href=3D"#sect-Security_Guide-Vulnerability_Asses= sment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl><= /dd><dt><span class=3D"section"><a href=3D"#sect-Security_Guide-Attackers_and= _Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><= dt><span class=3D"section"><a href=3D"#sect-Security_Guide-Attackers_and_Vuln= erabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a>= </span></dt><dt><span class=3D"section"><a href=3D"#sect-Security_Guide-Attac= kers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Netwo= rk Security</ a></span></dt><dt><span class=3D"section"><a href=3D"#sect-Security_Guide-At= tackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Ser= ver Security</a></span></dt><dt><span class=3D"section"><a href=3D"#sect-Secu= rity_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_S= ecurity">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></= dl></dd><dt><span class=3D"section"><a href=3D"#sect-Security_Guide-Common_Ex= ploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span= class=3D"section"><a href=3D"#sect-Security_Guide-Security_Updates">1.5. Sec= urity Updates</a></span></dt><dd><dl><dt><span class=3D"section"><a href=3D"#= sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packa= ges</a></span></dt><dt><span class=3D"section"><a href=3D"#sect-Security_Guid= e-Updating_Packages-Verifying_Signed_Packages">1.5.2. 
Verifying Signed Packag= es</a></span></dt><dt><span class=3D"section"><a href=3D"#sect-Security_Guide= -Updating_Package s-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></= dt><dt><span class=3D"section"><a href=3D"#sect-Security_Guide-Updating_Packa= ges-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></d= d></dl></div><div class=3D"para"> Because of the increased reliance on powerful, networked computers to help = run businesses and keep track of our personal information, entire industries = have been formed around the practice of network and computer security. Enterp= rises have solicited the knowledge and skills of security experts to properly= audit systems and tailor solutions to fit the operating requirements of the = organization. Because most organizations are increasingly dynamic in nature, = with workers accessing company IT resources locally and remotely, the need fo= r secure computing environments has become more pronounced. </div><div class=3D"para"> Unfortunately, most organizations (as well as individual users) regard secu= rity as an afterthought, a process that is overlooked in favor of increased p= ower, productivity, and budgetary concerns. Proper security implementation is= often enacted postmortem =E2=80=94 <span class=3D"emphasis"><em>after</em></= span> an unauthorized intrusion has already occurred. Security experts agree = that taking the correct measures prior to connecting a site to an untrusted n= etwork, such as the Internet, is an effective means of thwarting most attempt= s at intrusion. 
</div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage"><div><d= iv><h2 class=3D"title" id=3D"sect-Security_Guide-Introduction_to_Security">1.= 1.=C2=A0Introduction to Security</h2></div></div></div><div class=3D"section"= lang=3D"en-US"><div class=3D"titlepage"><div><div><h3 class=3D"title" id=3D"= sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1= .=C2=A0What is Computer Security?</h3></div></div></div><div class=3D"para"> Computer security is a general term that covers a wide area of computing a= nd information processing. Industries that depend on computer systems and net= works to conduct daily business transactions and access crucial information r= egard their data as an important part of their overall assets. Several terms = and metrics have entered our daily business vocabulary, such as total cost of= ownership (TCO) and quality of service (QoS). Using these metrics, industrie= s can calculate aspects such as data integrity and high-availability as part = of their planning and process management costs. In some industries, such as e= lectronic commerce, the availability and trustworthiness of data can be the d= ifference between success and failure. </div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage"><div><= div><h4 class=3D"title" id=3D"sect-Security_Guide-What_is_Computer_Security-H= ow_did_Computer_Security_Come_about">1.1.1.1.=C2=A0How did Computer Security = Come about?</h4></div></div></div><div class=3D"para"> Information security has evolved over the years due to the increasing rel= iance on public networks not to disclose personal, financial, and other restr= icted information. 
There are numerous instances such as the Mitnick <sup>[<a = id=3D"d0e406" href=3D"#ftn.d0e406" class=3D"footnote">1</a>]</sup>and the Vla= dimir Levin <sup>[<a id=3D"d0e410" href=3D"#ftn.d0e410" class=3D"footnote">2<= /a>]</sup>cases that prompted organizations across all industries to re-think= the way they handle information, as well as its transmission and disclosure.= The popularity of the Internet was one of the most important developments th= at prompted an intensified effort in data security. </div><div class=3D"para"> An ever-growing number of people are using their personal computers to ga= in access to the resources that the Internet has to offer. From research and = information retrieval to electronic mail and commerce transaction, the Intern= et has been regarded as one of the most important developments of the 20th ce= ntury. </div><div class=3D"para"> The Internet and its earlier protocols, however, were developed as a <em = class=3D"firstterm">trust-based</em> system. That is, the Internet Protocol w= as not designed to be secure in itself. There are no approved security standa= rds built into the TCP/IP communications stack, leaving it open to potentiall= y malicious users and processes across the network. Modern developments have = made Internet communication more secure, but there are still several incident= s that gain national attention and alert us to the fact that nothing is compl= etely safe. </div></div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage"= ><div><div><h4 class=3D"title" id=3D"sect-Security_Guide-What_is_Computer_Sec= urity-Security_Today">1.1.1.2.=C2=A0Security Today</h4></div></div></div><div= class=3D"para"> In February of 2000, a Distributed Denial of Service (DDoS) attack was un= leashed on several of the most heavily-trafficked sites on the Internet. 
The = attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and several other si= tes completely unreachable to normal users, as it tied up routers for several= hours with large-byte ICMP packet transfers, also called a <em class=3D"firs= tterm">ping flood</em>. The attack was brought on by unknown assailants using= specially created, widely available programs that scanned vulnerable network= servers, installed client applications called <em class=3D"firstterm">trojan= s</em> on the servers, and timed an attack with every infected server floodin= g the victim sites and rendering them unavailable. Many blame the attack on f= undamental flaws in the way routers and the protocols used are structured to = accept all incoming data, no matter where or for what purpose the packets are= sent. </div><div class=3D"para"> In 2007, a data breach exploiting the widely-known weaknesses of the Wire= d Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft= from a global financial institution of over 45 million credit card numbers.<= sup>[<a id=3D"d0e434" href=3D"#ftn.d0e434" class=3D"footnote">3</a>]</sup> </div><div class=3D"para"> In a separate incident, the billing records of over 2.2 million patients = stored on a backup tape were stolen from the front seat of a courier's car.<s= up>[<a id=3D"d0e440" href=3D"#ftn.d0e440" class=3D"footnote">4</a>]</sup> </div><div class=3D"para"> Currently, an estimated 1.4 billion people use or have used the Internet = worldwide.<sup>[<a id=3D"d0e446" href=3D"#ftn.d0e446" class=3D"footnote">5</a= >]</sup> At the same time: </div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> On any given day, there are approximately 225 major incidences of secur= ity breach reported to the CERT Coordination Center at Carnegie Mellon Univer= sity.<sup>[<a id=3D"d0e454" href=3D"#ftn.d0e454" class=3D"footnote">6</a>]</s= up> </div></li><li><div class=3D"para"> In 2003, the number of CERT reported incidences jumped to 137,529 
from = 82,094 in 2002 and from 52,658 in 2001.<sup>[<a id=3D"d0e461" href=3D"#ftn.d0= e461" class=3D"footnote">7</a>]</sup> </div></li><li><div class=3D"para"> The worldwide economic impact of the three most dangerous Internet Viru= ses of the last three years was estimated at US$13.2 Billion.<sup>[<a id=3D"d= 0e468" href=3D"#ftn.d0e468" class=3D"footnote">8</a>]</sup> </div></li></ul></div><div class=3D"para"> From a 2008 global survey of business and technology executives "The Glob= al State of Information Security"<sup>[<a id=3D"d0e474" href=3D"#ftn.d0e474" = class=3D"footnote">9</a>]</sup>, undertaken by <span class=3D"emphasis"><em>C= IO Magazine</em></span>, some points are: </div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> Just 43% of respondents audit or monitor user compliance with security = policies </div></li><li><div class=3D"para"> Only 22% keep an inventory of the outside companies that use their data </div></li><li><div class=3D"para"> The source of nearly half of security incidents was marked as "Unknown" </div></li><li><div class=3D"para"> 44% of respondents plan to increase security spending in the next year </div></li><li><div class=3D"para"> 59% have an information security strategy </div></li></ul></div><div class=3D"para"> These results enforce the reality that computer security has become a qua= ntifiable and justifiable expense for IT budgets. Organizations that require = data integrity and high availability elicit the skills of system administrato= rs, developers, and engineers to ensure 24x7 reliability of their systems, se= rvices, and information. Falling victim to malicious users, processes, or coo= rdinated attacks is a direct threat to the success of the organization. </div><div class=3D"para"> Unfortunately, system and network security can be a difficult proposition= , requiring an intricate knowledge of how an organization regards, uses, mani= pulates, and transmits its information. 
Understanding the way an organization= (and the people that make up the organization) conducts business is paramoun= t to implementing a proper security plan. </div></div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage"= ><div><div><h4 class=3D"title" id=3D"sect-Security_Guide-What_is_Computer_Sec= urity-Standardizing_Security">1.1.1.3.=C2=A0Standardizing Security</h4></div>= </div></div><div class=3D"para"> Enterprises in every industry rely on regulations and rules that are set = by standards-making bodies such as the American Medical Association (AMA) or = the Institute of Electrical and Electronics Engineers (IEEE). The same ideals= hold true for information security. Many security consultants and vendors ag= ree upon the standard security model known as CIA, or <em class=3D"firstterm"= >Confidentiality, Integrity, and Availability</em>. This three-tiered model i= s a generally accepted component to assessing risks of sensitive information = and establishing security policy. The following describes the CIA model in fu= rther detail: </div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> Confidentiality =E2=80=94 Sensitive information must be available only = to a set of pre-defined individuals. Unauthorized transmission and usage of i= nformation should be restricted. For example, confidentiality of information = ensures that a customer's personal or financial information is not obtained b= y an unauthorized individual for malicious purposes such as identity theft or= credit fraud. </div></li><li><div class=3D"para"> Integrity =E2=80=94 Information should not be altered in ways that rend= er it incomplete or incorrect. Unauthorized users should be restricted from t= he ability to modify or destroy sensitive information. </div></li><li><div class=3D"para"> Availability =E2=80=94 Information should be accessible to authorized u= sers any time that it is needed. 
Availability is a warranty that information = can be obtained with an agreed-upon frequency and timeliness. This is often m= easured in terms of percentages and agreed to formally in Service Level Agree= ments (SLAs) used by network service providers and their enterprise clients. </div></li></ul></div></div></div><div class=3D"section" lang=3D"en-US">= <div class=3D"titlepage"><div><div><h3 class=3D"title" id=3D"sect-Security_Gu= ide-Introduction_to_Security-SELinux">1.1.2.=C2=A0SELinux</h3></div></div></d= iv><div class=3D"para"> Fedora includes an enhancement to the Linux kernel called SELinux, which i= mplements a Mandatory Access Control (MAC) architecture that provides a fine-= grained level of control over files, processes, users and applications in the= system. Detailed discussion of SELinux is beyond the scope of this document;= however, for more information on SELinux and its use in Fedora, refer to the= Fedora SELinux User Guide available at <a href=3D"http://docs.fedoraproject.= org/selinux-user-guide/">http://docs.fedoraproject.org/selinux-user-guide/</a= >. For more information on configuring and running services in Fedora that ar= e protected by SELinux, refer to the SELinux Managing Confined Services Guide= available at <a href=3D"http://docs.fedoraproject.org/selinux-managing-confi= ned-services-guide/">http://docs.fedoraproject.org/selinux-managing-confined-= services-guide</a>. Other available resources for SELinux are listed in <a cl= ass=3D"xref" href=3D"#chap-Security_Guide-References" title=3D"Chapter=C2=A07= .=C2=A0 References">Chapter=C2=A07, <i>References</i></a>. 
</div></div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage">= <div><div><h3 class=3D"title" id=3D"sect-Security_Guide-Introduction_to_Secur= ity-Security_Controls">1.1.3.=C2=A0Security Controls</h3></div></div></div><d= iv class=3D"para"> Computer security is often divided into three distinct master categories, = commonly referred to as <em class=3D"wordasword">controls</em>: </div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> Physical </div></li><li><div class=3D"para"> Technical </div></li><li><div class=3D"para"> Administrative </div></li></ul></div><div class=3D"para"> These three broad categories define the main objectives of proper security= implementation. Within these controls are sub-categories that further detail= the controls and how to implement them. </div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage"><div><= div><h4 class=3D"title" id=3D"sect-Security_Guide-Security_Controls-Physical_= Controls">1.1.3.1.=C2=A0Physical Controls</h4></div></div></div><div class=3D= "para"> Physical control is the implementation of security measures in a defined = structure used to deter or prevent unauthorized access to sensitive material.= Examples of physical controls are: </div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> Closed-circuit surveillance cameras </div></li><li><div class=3D"para"> Motion or thermal alarm systems </div></li><li><div class=3D"para"> Security guards </div></li><li><div class=3D"para"> Picture IDs </div></li><li><div class=3D"para"> Locked and dead-bolted steel doors </div></li><li><div class=3D"para"> Biometrics (includes fingerprint, voice, face, iris, handwriting, and o= ther automated methods used to recognize individuals) </div></li></ul></div></div><div class=3D"section" lang=3D"en-US"><div c= lass=3D"titlepage"><div><div><h4 class=3D"title" id=3D"sect-Security_Guide-Se= curity_Controls-Technical_Controls">1.1.3.2.=C2=A0Technical Controls</h4></di= v></div></div><div class=3D"para"> 
Technical controls use technology as a basis for controlling the access a= nd usage of sensitive data throughout a physical structure and over a network= . Technical controls are far-reaching in scope and encompass such technologie= s as: </div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> Encryption [...3804 lines suppressed...] <a href=3D"http://clemens.endorphin.org/LUKS/">LUKS - Linux Unified Key = Setup</a> </div></li><li><div class=3D"para"> <a href=3D"https://bugzilla.redhat.com/attachment.cgi?id=3D161912">HOWTO= : Creating an encrypted Physical Volume (PV) using a second hard drive, pvmov= e, and a Fedora LiveCD</a> </div></li></ul></div></div></div><div class=3D"section" lang=3D"en-US"><= div class=3D"titlepage"><div><div><h2 class=3D"title" id=3D"sect-Security_Gui= de-Encryption-7_Zip_Encrypted_Archives">3.8.=C2=A07-Zip Encrypted Archives</h= 2></div></div></div><div class=3D"para"> <a href=3D"http://www.7-zip.org/">7-Zip</a> is a cross-platform, next gener= ation, file compression tool that can also use strong encryption (AES-256) to= protect the contents of the archive. This is extremely useful when you need = to move data between multiple computers that use varying operating systems (i= .e. Linux at home, Windows at work) and you want a portable encryption soluti= on. </div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage"><div><d= iv><h3 class=3D"title" id=3D"sect-Security_Guide-Encryption-7_Zip_Encrypted_A= rchives-Installation">3.8.1.=C2=A07-Zip Installation in Fedora</h3></div></di= v></div><div class=3D"para"> 7-Zip is not a base package in Fedora, but it is available in the software= repository. Once installed, the package will update alongside the rest of th= e software on the computer with no special attention necessary. 
</div></div><div class=3D"section" lang=3D"en-US"><div class=3D"titlepage">= <div><div><h3 class=3D"title" id=3D"sect-Security_Guide-Encryption-7_Zip_Encr= ypted_Archives-Installation-Instructions">3.8.2.=C2=A0Step-by-Step Installati= on Instructions</h3></div></div></div><div class=3D"itemizedlist"><ul><li><di= v class=3D"para"> Open a Terminal: <code class=3D"code">Click ''Applications'' -> ''Sys= tem Tools'' -> ''Terminal''</code> </div></li><li><div class=3D"para"> Install 7-Zip with sudo access: <code class=3D"code">sudo yum install p7= zip</code> </div></li><li><div class=3D"para"> Close the Terminal: <code class=3D"code">exit</code> </div></li></ul></div></div><div class=3D"section" lang=3D"en-US"><div cl= ass=3D"titlepage"><div><div><h3 class=3D"title" id=3D"sect-Security_Guide-Enc= ryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3.=C2=A0Step-by-Step= Usage Instructions</h3></div></div></div><div class=3D"para"> By following these instructions you are going to compress and encrypt your= "Documents" directory. Your original "Documents" directory will remain unalt= ered. This technique can be applied to any directory or file you have access = to on the filesystem. </div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> Open a Terminal:<code class=3D"code">Click ''Applications'' -> ''Syst= em Tools'' -> ''Terminal''</code> </div></li><li><div class=3D"para"> Compress and Encrypt: (enter a password when prompted) <code class=3D"co= de">7za a -mhe=3Don -ms=3Don -p Documents.7z Documents/</code> </div></li></ul></div><div class=3D"para"> The "Documents" directory is now compressed and encrypted. The following i= nstructions will move the encrypted archive somewhere new and then extract it. 
</div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> Create a new directory: <code class=3D"code">mkdir newplace</code> </div></li><li><div class=3D"para"> Move the encrypted file: <code class=3D"code">mv Documents.7z newplace</= code> </div></li><li><div class=3D"para"> Go to the new directory: <code class=3D"code">cd newplace</code> </div></li><li><div class=3D"para"> Extract the file: (enter the password when prompted) <code class=3D"code= ">7za x Documents.7z</code> </div></li></ul></div><div class=3D"para"> The archive is now extracted into the new location. The following instruct= ions will clean up all the prior steps and restore your computer to its previ= ous state. </div><div class=3D"itemizedlist"><ul><li><div class=3D"para"> Go up a directory: <code class=3D"code">cd ..</code> </div></li><li><div class=3D"para"> Delete the test archive and test extraction: <code class=3D"code">rm -r = newplace</code> </div></li><li><div class=3D"para"> Close the Terminal: <code class=3D"code">exit</code> </div></li></ul></div></div><div class=3D"section" lang=3D"en-US"><div cl= ass=3D"titlepage"><div><div><h3 class=3D"title" id=3D"sect-Security_Guide-Enc= ryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4.=C2=A0Things of note</= h3></div></div></div><div class=3D"para"> 7-Zip is not shipped by default with Microsoft Windows or Mac OS X. If you= need to use your 7-Zip files on those platforms you will need to install the= appropriate version of 7-Zip on those computers. See the 7-Zip <a href=3D"ht= tp://www.7-zip.org/download.html">download page</a>. </div><div class=3D"para"> GNOME's File Roller application will recognize your .7z files and attempt = to open them, but it will fail with the error "''An error occurred while load= ing the archive.''" when it attempts to do so. This is because File Roller do= es not currently support the extraction of encrypted 7-Zip files. 
A bug report (<a href="http://bugzilla.gnome.org/show_bug.cgi?id=490732">GNOME Bug 490732</a>) has been submitted. </div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-Using_GPG">3.9.&nbsp;Using GNU Privacy Guard (GnuPG)</h2></div></div></div><div class="para"> GPG is used to identify yourself and to authenticate your communications, including those with people you do not know. Anyone holding your public key can verify a GPG-signed email or file and be reasonably certain that it was signed with your private key and has not been altered since, provided they obtained your public key through a path they trust, for example by checking its fingerprint with you directly. GPG can also encrypt messages so that only the intended recipients can read them. In short, GPG lets recipients detect tampering with code or messages in transit and, when messages are encrypted, prevents third parties who intercept a conversation from reading it. </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1.&nbsp;Creating GPG Keys in GNOME</h3></div></div></div><div class="para"> Install the Seahorse utility, which makes GPG key management easier. From the main menu, select <span class="guimenu"><strong>System &gt; Administration &gt; Add/Remove Software</strong></span> and wait for PackageKit to start. Enter <code class="code">Seahorse</code> into the text box and select <span class="guibutton"><strong>Find</strong></span>. Select the check box next to the <code class="code">seahorse</code> package and select <span class="guibutton"><strong>Apply</strong></span> to add the software. You can also install <code class="code">Seahorse</code> at the command line with the command <code class="code">su -c "yum install seahorse"</code>. </div><div class="para"> To create a key, from the <span class="guimenu"><strong>Applications &gt; Accessories</strong></span> menu select <span class="guimenuitem"><strong>Passwords and Encryption Keys</strong></span>, which starts the application <code class="code">Seahorse</code>. From the <span class="guimenu"><strong>Key</strong></span> menu select <span class="guimenuitem"><strong>Create New Key...</strong></span>, then <span class="guimenuitem"><strong>PGP Key</strong></span>, then click <span class="guibutton"><strong>Continue</strong></span>. Type your full name, email address, and an optional comment describing who you are (e.g.: John C. 
Smith, jsmith@example.com, The Man). Click <span class="guibutton"><strong>Create</strong></span>. A dialog is displayed asking for a passphrase for the key. Choose a passphrase that is strong but that you can remember. Click <span class="guibutton"><strong>OK</strong></span> and the key is created. </div><div class="warning"><h2>Warning</h2><div class="para"> If you forget your passphrase, the key cannot be used and any data encrypted using that key will be lost. </div></div><div class="para"> To find your GPG key ID, look in the <span class="guilabel"><strong>Key ID</strong></span> column next to the newly created key. In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in "0x6789ABCD". Note that this eight-digit short key ID is only the tail end of the key's fingerprint and is not unique: other keys can share it, so when a key must be identified unambiguously, give the full fingerprint instead. You should make a backup of your private key and store it somewhere secure. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2.&nbsp;Creating GPG Keys in KDE</h3></div></div></div><div class="para"> Start the KGpg program from the main menu by selecting <span class="guimenu"><strong>Applications &gt; Utilities &gt; Encryption Tool</strong></span>. If you have never used KGpg before, the program walks you through the process of creating your own GPG key pair. A dialog box appears prompting you to create a new key pair. Enter your name, email address, and an optional comment. You can also choose an expiration time for your key, as well as the key strength (number of bits) and algorithms. The next dialog box prompts you for your passphrase. At this point, your key appears in the main <code class="code">KGpg</code> window. </div><div class="warning"><h2>Warning</h2><div class="para"> If you forget your passphrase, the key cannot be used and any data encrypted using that key will be lost. </div></div><div class="para"> To find your GPG key ID, look in the <span class="guilabel"><strong>Key ID</strong></span> column next to the newly created key. In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in "0x6789ABCD". 
You should make a backup of your private key and store it somewhere secure. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</h3></div></div></div><div class="para"> Use the following shell command: <code class="code">gpg --gen-key</code> </div><div class="para"> This command generates a key pair that consists of a public and a private key. Other people use your public key to authenticate and/or decrypt your communications. Distribute your public key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list. The Fedora Documentation Project, for example, asks participants to include a GPG public key in their self-introduction. </div><div class="para"> A series of prompts directs you through the process. Press the <code class="code">Enter</code> key to assign a default value if desired. The first prompt asks you to select what kind of key you prefer: </div><pre class="screen">Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) RSA (sign only)
Your selection?</pre><div class="para"> In almost all cases, the default is the correct choice. A DSA/ElGamal key allows you not only to sign communications, but also to encrypt files. </div><div class="para"> Next, choose the key size: </div><pre class="screen">minimum keysize is  768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024)</pre><div class="para"> Again, the default is sufficient for almost all users, and represents an <em>extremely</em> strong level of security. </div><div class="para"> Next, choose when the key will expire. 
It is a good idea to choose an expiration date instead of using the default, which is <em>none</em>. If, for example, the email address on the key becomes invalid, an expiration date will remind others to stop using that public key. </div><pre class="screen">Please specify how long the key should be valid.
         0 = key does not expire
         d = key expires in n days
         w = key expires in n weeks
         m = key expires in n months
         y = key expires in n years
Key is valid for? (0)</pre><div class="para"> Entering a value of <code class="code">1y</code>, for example, makes the key valid for one year. (You may change this expiration date after the key is generated, if you change your mind.) </div><div class="para"> Before the <code class="code">gpg</code> program asks for signature information, the following prompt appears: <code class="code">Is this correct (y/n)?</code> Enter <code class="code">y</code> to finish the process. </div><div class="para"> Next, enter your name and email address. Remember this process is about authenticating you as a real individual. For this reason, include your real name. Do not use aliases or handles, since these disguise or obfuscate your identity. </div><div class="para"> Enter your real email address for your GPG key. If you choose a bogus email address, it will be more difficult for others to find your public key. This makes authenticating your communications difficult. If you are using this GPG key for self-introduction (the <code class="code">DocsProject/SelfIntroduction</code> page on the Fedora wiki) on a mailing list, for example, enter the email address you use on that list. </div><div class="para"> Use the comment field to include aliases or other information. 
(Some people use different keys for different purposes and identify each key with a comment, such as "Office" or "Open Source Projects.") </div><div class="para"> At the confirmation prompt, enter the letter O to continue if all entries are correct, or use the other options to fix any problems. Then enter a passphrase for your secret key. The <code class="code">gpg</code> program asks you to enter your passphrase twice to ensure you made no typing errors. </div><div class="para"> Finally, <code class="code">gpg</code> generates random data to make your key as unique as possible. Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process. Once this step is finished, your keys are complete and ready to use: </div><pre class="screen">pub   1024D/1B2AFA1C 2005-03-31 John Q. Doe (Fedora Docs Project) &lt;jqdoe@example.com&gt;
      Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A FA1C
sub   1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]</pre><div class="para"> The key fingerprint is a shorthand "signature" for your key. It allows you to confirm to others that they have received your actual public key without any tampering. You do not need to write this fingerprint down. To display the fingerprint at any time, use this command, substituting your email address: <code class="code">gpg --fingerprint jqdoe@example.com</code> </div><div class="para"> Your "GPG key ID" consists of 8 hex digits identifying the public key. In the example above, the GPG key ID is 1B2AFA1C. In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in "0x1B2AFA1C". </div><div class="warning"><h2>Warning</h2><div class="para"> If you forget your passphrase, the key cannot be used and any data encrypted using that key will be lost. 
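The listing in this section also shows where the 8-digit key ID comes from: it is the last 32 bits of the fingerprint, which is why handing people the full fingerprint is the safer habit. The script below is an added example and is not part of the Fedora Security Guide. It derives the short and long key IDs from a fingerprint, cross-checks the sample listing from this section (embedded as constructed input), reports whether the key had expired on a given date, and writes the parameter file for GnuPG's unattended key generation that corresponds to the interactive prompts above. Two assumptions of the example, not of the guide: the parameter file uses RSA 3072 instead of the DSA/ElGamal 1024 default shown above, and actual generation only runs when <code class="code">gpg</code> is installed.

```shell
#!/bin/sh
# Added example (not from the Fedora Security Guide): work with the key IDs,
# fingerprint and expiry that "gpg --fingerprint" prints, as shown in section 3.9.3.

# Constructed sample input: the listing printed in section 3.9.3 of the guide.
SAMPLE_LISTING='pub   1024D/1B2AFA1C 2005-03-31 John Q. Doe (Fedora Docs Project) <jqdoe@example.com>
      Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A FA1C
sub   1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]'

# Strip the spaces gpg inserts and require 40 upper-case hex digits (a v4 fingerprint).
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Short key ID: the last 8 hex digits (32 bits) of the fingerprint, "0x"-prefixed as the guide advises.
short_key_id() {
    fpr=$(normalize_fpr "$1") || return 1
    printf '0x%s\n' "$(printf '%s' "$fpr" | cut -c33-40)"
}

# Long key ID: the last 16 hex digits (64 bits). Prefer it, or the whole fingerprint:
# 32 bits is small enough that a second key with the same short ID can be constructed.
long_key_id() {
    fpr=$(normalize_fpr "$1") || return 1
    printf '0x%s\n' "$(printf '%s' "$fpr" | cut -c25-40)"
}

# Pull the fingerprint, the "pub" key ID and the expiry date out of a --fingerprint listing.
fingerprint_from_listing() { printf '%s\n' "$1" | sed -n 's/^.*Key fingerprint = //p'; }
pub_key_id_from_listing()  { printf '%s\n' "$1" | awk '$1 == "pub" { split($2, a, "/"); print a[2]; exit }'; }
expiry_from_listing()      { printf '%s\n' "$1" | sed -n 's/.*\[expires: \([0-9-]*\)\].*/\1/p' | head -n 1; }

# The key ID on the pub line must be the tail of the fingerprint; anything else means the
# two did not come from the same key (a copy-and-paste slip, or a doctored listing).
listing_is_consistent() {
    derived=$(short_key_id "$(fingerprint_from_listing "$1")") || return 1
    [ "$derived" = "0x$(pub_key_id_from_listing "$1")" ]
}

# True when the listing carries an expiry date earlier than $2 (ISO date such as 2009-08-26);
# ISO dates compare correctly as plain strings.
key_expired_on() {
    exp=$(expiry_from_listing "$1")
    [ -n "$exp" ] && awk -v e="$exp" -v t="$2" 'BEGIN { exit !(e < t) }'
}

# Parameter file for "gpg --batch --gen-key", mirroring the interactive prompts: algorithm,
# size, name/email/comment and a one-year expiry. RSA 3072 is an assumption of this example,
# not the guide's default. No Passphrase line is written on purpose: GnuPG 2.1 and later then
# ask for one through pinentry instead of reading a secret from a file.
write_gen_params() {
    cat <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $1
Name-Email: $2
Name-Comment: $3
Expire-Date: 1y
%commit
EOF
}

# Real generation plus fingerprint display; skipped when gpg is not installed.
generate_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; return 0; }
    write_gen_params "$1" "$2" "$3" | gpg --batch --gen-key && gpg --fingerprint "$2"
}

fpr=$(fingerprint_from_listing "$SAMPLE_LISTING")
echo "short key ID: $(short_key_id "$fpr")"
echo "long key ID:  $(long_key_id "$fpr")"
listing_is_consistent "$SAMPLE_LISTING" && echo "pub line matches the fingerprint"
key_expired_on "$SAMPLE_LISTING" 2009-08-26 && echo "key expired on $(expiry_from_listing "$SAMPLE_LISTING")"
```

Run as is, the script works only on the embedded listing; to check your own key, replace <code class="code">SAMPLE_LISTING</code> with the output of <code class="code">gpg --fingerprint your@address</code>, and call <code class="code">generate_key "Your Name" you@example.com "comment"</code> to create a key with the parameter file instead of answering the prompts one by one.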
</div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</h3></div></div></div><div class="orderedlist"><ol><li><div class="para"> <a href="http://en.wikipedia.org/wiki/Public-key_cryptography">Wikipedia - Public Key Cryptography</a> </div></li><li><div class="para"> <a href="http://computer.howstuffworks.com/encryption.htm">HowStuffWorks - Encryption</a> </div></li></ol></div></div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-General_Principles_of_Information_Security">Chapter 4. General Principles of Information Security</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></div><div class="para"> The following general principles provide an overview of good security practices: </div><div class="itemizedlist"><ul><li><div class="para"> Encrypt all data transmitted over networks to help prevent man-in-the-middle attacks and eavesdropping. It is important to encrypt authentication information, such as passwords. </div></li><li><div class="para"> Minimize the amount of software installed and the number of running services. </div></li><li><div class="para"> Use security-enhancing software and tools, for example, Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC), Netfilter iptables for packet filtering (firewall), and the GNU Privacy Guard (GnuPG) for encrypting files. </div></li><li><div class="para"> If possible, run each network service on a separate system to minimize the risk of one compromised service being used to compromise other services. 
</div></li><li><div class="para"> Maintain user accounts: create and enforce a strong password policy; delete unused user accounts. </div></li><li><div class="para"> Routinely review system and application logs. By default, security-relevant system logs are written to <code class="filename">/var/log/secure</code> and <code class="filename">/var/log/audit/audit.log</code>. Note: sending logs to a dedicated log server helps prevent attackers from easily modifying local logs to avoid detection. </div></li><li><div class="para"> Never log in as the root user unless absolutely necessary. It is recommended that administrators use <code class="command">sudo</code> to execute commands as root when required. Users capable of running <code class="command">sudo</code> are specified in <code class="filename">/etc/sudoers</code>. Use the <code class="command">visudo</code> utility to edit <code class="filename">/etc/sudoers</code>. </div></li></ul></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</h2></div></div></div><div class="para"> The United States' <a href="http://www.nsa.gov/">National Security Agency (NSA)</a> provides hardening guides and tips for many different operating systems, to help government agencies, businesses, and individuals secure their systems against attack. 
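Two of the principles listed above, routinely reviewing <code class="filename">/var/log/secure</code> and attributing root actions to the <code class="command">sudo</code> user who ran them, are illustrated by the following script. It is an added example, not part of the Fedora Security Guide, and runs over constructed sample log lines in the format sshd and sudo write to <code class="filename">/var/log/secure</code>; the host name, addresses and commands in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the Fedora Security Guide): a first pass over /var/log/secure,
# the log the guide says to review routinely. Sample lines are constructed; on a real
# system run (as root): review_secure "$(cat /var/log/secure)" 5

SAMPLE_SECURE='Mar 31 10:15:01 fedora12 sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 4111 ssh2
Mar 31 10:15:03 fedora12 sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 4112 ssh2
Mar 31 10:15:05 fedora12 sshd[2212]: Failed password for root from 192.0.2.10 port 4113 ssh2
Mar 31 10:15:07 fedora12 sshd[2214]: Failed password for root from 192.0.2.10 port 4114 ssh2
Mar 31 10:16:40 fedora12 sshd[2230]: Failed password for alice from 203.0.113.5 port 52010 ssh2
Mar 31 10:16:52 fedora12 sshd[2230]: Accepted password for alice from 203.0.113.5 port 52010 ssh2
Mar 31 10:17:10 fedora12 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/yum update
Mar 31 10:18:02 fedora12 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo'

# "<count> <source address>" for sshd password failures, busiest source first.
failed_logins_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Sources with at least $2 failures: the password-guessing pattern that deserves a closer look.
guessing_sources() {
    failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# "<user> <source>" for successful logins from a source that also produced failures:
# a guess that eventually worked looks exactly like this.
accepted_after_failures() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
        }
        /sshd\[[0-9]+\]: Accepted password/ {
            for (i = 1; i <= NF; i++) if ($i == "from" && ($(i + 1) in failed)) print $(i - 1), $(i + 1)
        }'
}

# "<user>\t<command>" for every sudo invocation, so each root action has a name attached.
sudo_commands() {
    printf '%s\n' "$1" | awk '
        / sudo: / {
            sub(/^.* sudo: +/, "")      # the line now starts with the invoking user
            user = $1
            sub(/^.*COMMAND=/, "")      # now only the command line is left
            print user "\t" $0
        }'
}

# One-screen summary for a daily review; $2 is the failure threshold for guessing_sources.
review_secure() {
    echo "== password failures by source =="; failed_logins_by_source "$1"
    echo "== sources with at least $2 failures =="; guessing_sources "$1" "$2"
    echo "== accepted logins from sources that also failed =="; accepted_after_failures "$1"
    echo "== sudo commands =="; sudo_commands "$1"
}

review_secure "$SAMPLE_SECURE" 3
```

On the sample, 192.0.2.10 is reported for repeated failures, alice's successful login from 203.0.113.5 is listed because that address failed first, and both root commands are attributed to alice. The same functions read a file shipped from a dedicated log server unchanged, which is the point of the guide's note about central logging: the copy an attacker cannot edit is the one worth reviewing.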
The following guides (in PDF format) provide guidance for Red Hat Enterprise Linux 5: </div><div class="itemizedlist"><ul><li><div class="para"> <a href="http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf">Hardening Tips for the Red Hat Enterprise Linux 5</a> </div></li><li><div class="para"> <a href="http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf">Guide to the Secure Configuration of Red Hat Enterprise Linux 5</a> </div></li></ul></div><div class="para"> The <a href="http://www.disa.mil/">Defense Information Systems Agency (DISA)</a> provides documentation, checklists, and tests to help secure your system (<a href="http://iase.disa.mil/index2.html">Information Assurance Support Environment</a>). The <a href="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">UNIX SECURITY TECHNICAL IMPLEMENTATION GUIDE</a> (PDF) is a very specific guide to UNIX security; advanced knowledge of UNIX and Linux is recommended before reading it. </div><div class="para"> The DISA <a href="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1-16_20090215.ZIP">UNIX Security Checklist Version 5, Release 1.16</a> provides a collection of documents and checklists, ranging from the correct ownerships and modes for system files, to patch control. </div><div class="para"> Also, DISA has made available <a href="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SRR scripts</a> that allow administrators to check specific settings on systems. These scripts provide XML-formatted reports listing any known vulnerable settings. </div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Secure_Installation">Chapter 5. Secure Installation</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. 
Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></div><div class="para"> Security begins with the first time you put that CD or DVD into your disk drive to install Fedora. Configuring your system securely from the beginning makes it easier to implement additional security settings later. </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</h2></div></div></div><div class="para"> The NSA recommends creating separate partitions for <code class="filename">/boot</code>, <code class="filename">/</code>, <code class="filename">/home</code>, <code class="filename">/tmp</code>, and <code class="filename">/var/tmp</code>. The reasons differ for each, and each partition is addressed below. </div><div class="para"> <code class="filename">/boot</code> - This partition is the first partition that is read by the system during boot up. The boot loader and kernel images that are used to boot your system into Fedora are stored in this partition. This partition should not be encrypted. If this partition is included in <code class="filename">/</code> and that partition is encrypted or otherwise becomes unavailable, then your system will not be able to boot. </div><div class="para"> <code class="filename">/home</code> - When user data (<code class="filename">/home</code>) is stored in <code class="filename">/</code> instead of in a separate partition, the partition can fill up, causing the operating system to become unstable. Also, when upgrading your system to the next version of Fedora it is a lot easier when you can keep your data in the <code class="filename">/home</code> partition, as it will not be overwritten during installation. If the root partition (<code class="filename">/</code>) becomes corrupt, your data could be lost forever. By using a separate partition there is slightly more protection against data loss. You can also target this partition for frequent backups. 
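The recommendation above can be checked mechanically once a system is installed. The script below is an added example and is not part of the Fedora Security Guide: it reads an <code class="filename">/etc/fstab</code>-style table, lists which of the recommended mount points are not separate partitions, and confirms that <code class="filename">/boot</code> is not on an encrypted volume. The two tables it ships with are constructed, and the <code class="filename">/dev/mapper/luks-*</code> naming it uses to recognise encrypted volumes is an assumption of the example (the names the installer gives LUKS devices), not something the guide states.

```shell
#!/bin/sh
# Added example (not from the Fedora Security Guide): check an fstab-style layout for the
# separate partitions recommended in section 5.1, and that /boot is on a plain device.
# Both tables are constructed; on a live system run: layout_report "$(cat /etc/fstab)"

GOOD_FSTAB='# constructed: the recommended layout, everything but /boot encrypted
/dev/mapper/luks-1111aaaa  /         ext4   defaults  1 1
UUID=2222-bbbb             /boot     ext4   defaults  1 2
/dev/mapper/luks-3333cccc  /home     ext4   defaults  1 2
/dev/mapper/luks-4444dddd  /tmp      ext4   defaults  1 2
/dev/mapper/luks-5555eeee  /var/tmp  ext4   defaults  1 2
tmpfs                      /dev/shm  tmpfs  defaults  0 0'

BAD_FSTAB='# constructed: no separate /tmp or /var/tmp, and /boot inside the encrypted root volume
/dev/mapper/luks-9999ffff  /         ext4   defaults  1 1
/dev/mapper/luks-9999ffff  /boot     ext4   defaults  1 2
/dev/mapper/luks-3333cccc  /home     ext4   defaults  1 2'

REQUIRED_MOUNTS='/boot / /home /tmp /var/tmp'

# Recommended mount points that have no entry of their own, one per line (empty = all present).
missing_partitions() {
    printf '%s\n' "$1" | awk -v req="$REQUIRED_MOUNTS" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        { present[$2] = 1 }              # second column is the mount point
        END {
            n = split(req, r, " ")
            for (i = 1; i <= n; i++) if (!(r[i] in present)) print r[i]
        }'
}

# Device backing a mount point; prints nothing when the mount point is absent.
device_for() {
    printf '%s\n' "$1" | awk -v mp="$2" '/^[ \t]*(#|$)/ { next } $2 == mp { print $1; exit }'
}

# /boot must exist and must not sit on a LUKS mapping, or the kernel cannot be loaded.
# (Assumption: encrypted volumes appear as /dev/mapper/luks-<id>.)
boot_is_plain() {
    dev=$(device_for "$1" /boot)
    [ -n "$dev" ] || return 1
    case "$dev" in /dev/mapper/luks-*) return 1 ;; esac
    return 0
}

# Mount points that are on LUKS mappings (section 5.2), for the report.
encrypted_mounts() {
    printf '%s\n' "$1" | awk '/^[ \t]*(#|$)/ { next } $1 ~ /^\/dev\/mapper\/luks-/ { print $2 }'
}

# Exit status 0 when the layout follows the guide, 1 otherwise; prints the findings either way.
layout_report() {
    status=0
    missing=$(missing_partitions "$1")
    if [ -n "$missing" ]; then
        echo "not separate partitions:"; printf '%s\n' "$missing" | sed 's/^/  /'
        status=1
    fi
    if boot_is_plain "$1"; then
        echo "/boot is on an unencrypted device: ok"
    else
        echo "/boot is missing or on an encrypted volume: the system may not boot"
        status=1
    fi
    echo "encrypted mount points: $(encrypted_mounts "$1" | tr '\n' ' ')"
    return $status
}

echo "--- recommended layout ---"; layout_report "$GOOD_FSTAB"
echo "--- single-partition layout ---"; layout_report "$BAD_FSTAB" || true
```

The bad table reports <code class="filename">/tmp</code> and <code class="filename">/var/tmp</code> as missing and flags <code class="filename">/boot</code>, the two problems the section describes; the recommended table passes. Because the check takes the table as text, it can also be pointed at a kickstart-generated fstab before the first boot.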
</div><div class="para"> <code class="filename">/tmp</code> and <code class="filename">/var/tmp</code> - Both the <code class="filename">/tmp</code> and the <code class="filename">/var/tmp</code> directories are used to store data that doesn't need to be kept for a long period of time. However, if a lot of data floods one of these directories it can consume all of your storage space. If this happens and these directories are stored within <code class="filename">/</code>, then your system could become unstable and crash. For this reason, moving these directories into their own partitions is a good idea. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</h2></div></div></div><div class="para"> Since Fedora 9, implementation of <a href="http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncryption">Linux Unified Key Setup-on-disk-format</a> (LUKS) encryption has become a lot easier. During the installation process an option to encrypt your partitions will be presented to the user. The user must supply a passphrase that will be the key to unlock the bulk encryption key that will be used to secure the partition's data. </div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Software_Maintenance">Chapter 6. Software Maintenance</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. 
Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></div><div class="para"> Software maintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as a fix becomes available in order to prevent attackers from using known holes to infiltrate your system. </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</h2></div></div></div><div class="para"> It is best practice to install only the packages you will use, because each piece of software on your computer could possibly contain a vulnerability. If you are installing from the DVD media, take the opportunity to select exactly what packages you want to install during the installation. When you find you need another package, you can always add it to the system later. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</h2></div></div></div><div class="para"> All software contains bugs. Often, these bugs can result in a vulnerability that can expose your system to malicious users. Unpatched systems are a common cause of computer intrusions. You should have a plan to install security patches in a timely manner to close those vulnerabilities so they cannot be exploited. </div><div class="para"> For home users, security updates should be installed as soon as possible. 
Configuring automatic installation of security updates is one way to avoid having to remember, but it does carry a slight risk that an update could conflict with your configuration or with other software on the system. </div><div class="para"> For business or advanced home users, security updates should be tested and scheduled for installation. Additional controls will need to be used to protect the system during the time between the patch release and its installation on the system. These controls would depend on the exact vulnerability, but could include additional firewall rules, the use of external firewalls, or changes in software settings. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</h2></div></div></div><div class="para"> Fedora is configured to apply all updates on a daily schedule. If you want to change how your system installs updates, you must do so via <strong>Software Update Preferences</strong>. You can change the schedule, the type of updates to apply, or choose to only be notified of available updates. </div><div class="para"> In Gnome, you can find controls for your updates at: <code class="code">System -&gt; Preferences -&gt; Software Updates</code>. In KDE it is located at: <code class="code">Applications -&gt; Settings -&gt; Software Updates</code>. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</h2></div></div></div><div class="para"> Software packages are published through repositories. All well known repositories support package signing. 
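Signing only protects you if yum is actually told to check signatures for every repository it pulls from. The following script is an added example for this section, not part of the Fedora Security Guide: it parses yum repository definitions and reports every enabled repository whose packages would be installed unverified. The <code class="code">.repo</code> text it runs on is constructed (the <code class="code">[fedora]</code> entry is modelled on the stock one, the other three are invented to show the failure modes); on a real system point it at <code class="filename">/etc/yum.repos.d/*.repo</code>.

```shell
#!/bin/sh
# Added example (not from the Fedora Security Guide): audit yum repository definitions for
# the signature checking that section 6.4 relies on. The .repo text below is constructed;
# on a system run: audit_repos "$(cat /etc/yum.repos.d/*.repo)"

SAMPLE_REPOS='[fedora]
name=Fedora 12 - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-12&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch

[thirdparty-unsigned]
name=constructed: signature checking switched off
baseurl=http://repo.example.com/fedora/12/
enabled=1
gpgcheck=0

[vendor-nokey]
name=constructed: checking on, but no key to check against
baseurl=http://vendor.example.net/fedora/12/
enabled=1
gpgcheck=1

[old-mirror]
name=constructed: disabled repositories are not reported
baseurl=http://old.example.org/
enabled=0
gpgcheck=0'

# "<repo id>\t<finding>" for every enabled repository whose packages would not be verified:
# gpgcheck absent (yum then uses the [main] value from /etc/yum.conf, so make it explicit),
# gpgcheck=0, or gpgcheck=1 without a gpgkey to verify against.
audit_repos() {
    printf '%s\n' "$1" | awk '
        function report() {
            if (id == "" || enabled != "1") return
            if (gpgcheck == "")       print id "\tgpgcheck not set (inherits /etc/yum.conf [main])"
            else if (gpgcheck != "1") print id "\tgpgcheck=" gpgcheck
            else if (gpgkey == "")    print id "\tgpgcheck=1 but no gpgkey"
        }
        /^[ \t]*\[.*\][ \t]*$/ {                 # section header: report the previous repo
            report()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\][ \t]*$/, "", id)
            enabled = "1"; gpgcheck = ""; gpgkey = ""   # yum default: enabled unless told otherwise
            next
        }
        /^[ \t]*(#|;|$)/ { next }                 # comments and blank lines
        index($0, "=") {                          # key=value, split on the first "="
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { report() }'
}

# Number of findings; usable as an exit status in a cron job or a kickstart %post check.
audit_repos_count() { audit_repos "$1" | grep -c . ; }

audit_repos "$SAMPLE_REPOS"
```

On the sample the stock repository passes, <code class="code">thirdparty-unsigned</code> is reported for <code class="code">gpgcheck=0</code>, <code class="code">vendor-nokey</code> for enabling checks without a key, and the disabled mirror is ignored. A repository that leaves <code class="code">gpgcheck</code> out entirely is reported as well, because whether its packages are verified then depends on a setting in another file.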
Package signing uses public key technology to prove that the package that was published by the repository has not been changed since the signature was applied. This provides some protection against installing software that may have been maliciously altered after the package was created but before you downloaded it. </div><div class="para"> Using too many repositories, untrustworthy repositories, or repositories with unsigned packages has a higher risk of introducing malicious or vulnerable code into your system. Use caution when adding repositories to yum/software update. </div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-References">Chapter 7. References</h2></div></div></div><div class="para"> The following references are pointers to additional information that is relevant to SELinux and Fedora but beyond the scope of this guide. Note that due to the rapid development of SELinux, some of this material may only apply to specific releases of Fedora. 
</div><div class="variablelist" id="vari-Security_Guide-References-Books"><h6>Books</h6><dl><dt><span class="term">SELinux by Example</span></dt><dd><div class="para"> Mayer, MacMillan, and Caplan </div><div class="para"> Prentice Hall, 2007 </div></dd></dl></div><div class="variablelist" id="vari-Security_Guide-References-Tutorials_and_Help"><h6>Tutorials and Help</h6><dl><dt><span class="term">Understanding and Customizing the Apache HTTP SELinux Policy</span></dt><dd><div class="para"> <a href="http://fedora.redhat.com/docs/selinux-apache-fc3/">http://fedora.redhat.com/docs/selinux-apache-fc3/</a> </div></dd><dt><span class="term">Tutorials and talks from Russell Coker</span></dt><dd><div class="para"> <a href="http://www.coker.com.au/selinux/talks/ibmtu-2004/">http://www.coker.com.au/selinux/talks/ibmtu-2004/</a> </div></dd><dt><span class="term">Generic Writing SELinux policy HOWTO</span></dt><dd><div class="para"> <a href="http://www.lurking-grue.org/writingselinuxpolicyHOWTO.html">http://www.lurking-grue.org/writingselinuxpolicyHOWTO.html</a> </div></dd><dt><span class="term">Red Hat Knowledgebase</span></dt><dd><div class="para"> <a href="http://kbase.redhat.com/">http://kbase.redhat.com/</a> </div></dd></dl></div><div class="variablelist" id="vari-Security_Guide-References-General_Information"><h6>General Information</h6><dl><dt><span class="term">NSA SELinux main website</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/selinux/index.shtml">http://www.nsa.gov/selinux/</a> </div></dd><dt><span class="term">NSA SELinux FAQ</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/selinux/faqs.shtml">http://www.nsa.gov/selinux/info/faq.cfm</a> </div></dd><dt><span class="term">Fedora SELinux FAQ</span></dt><dd><div class="para"> <a href="http://fedora.redhat.com/docs/selinux-faq-fc3/">http://fedora
.redhat.com/docs/selinux-faq-fc3/</a> </div></dd><dt><span class="term">SELinux: NSA's Open Source Security Enhanced Linux</span></dt><dd><div class="para"> <a href="http://www.oreilly.com/catalog/selinux/">http://www.oreilly.com/catalog/selinux/</a> </div></dd></dl></div><div class="variablelist" id="vari-Security_Guide-References-Technology"><h6>Technology</h6><dl><dt><span class="term">An Overview of Object Classes and Permissions</span></dt><dd><div class="para"> <a href="http://www.tresys.com/selinux/obj_perms_help.html">http://www.tresys.com/selinux/obj_perms_help.html</a> </div></dd><dt><span class="term">Integrating Flexible Support for Security Policies into the Linux Operating System (a history of Flask implementation in Linux)</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/_files/selinux/papers/selsymp2005.pdf">http://www.nsa.gov/research/_files/selinux/papers/selsymp2005.pdf</a> </div></dd><dt><span class="term">Implementing SELinux as a Linux Security Module</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf">http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf</a> </div></dd><dt><span class="term">A Security Policy Configuration for the Security-Enhanced Linux</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml">http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml</a> </div></dd></dl></div><div class="variablelist" id="vari-Security_Guide-References-Community"><h6>Community</h6><dl><dt><span class="term">Fedora SELinux User Guide</span></dt><dd><div class="para"> <a href="http://docs.fedoraproject.org/selinux-user-guide/">http://docs.fedoraproject.org/selinux-user-guide/</a> </div></dd><dt><span class="term">Fedora SELinux Managing Confined Services Guide</span></dt><dd><div 
class="para"> <a href="http://docs.fedoraproject.org/selinux-managing-confined-services-guide/">http://docs.fedoraproject.org/selinux-managing-confined-services-guide/</a> </div></dd><dt><span class="term">SELinux community page</span></dt><dd><div class="para"> <a href="http://selinux.sourceforge.net">http://selinux.sourceforge.net</a> </div></dd><dt><span class="term">IRC</span></dt><dd><div class="para"> irc.freenode.net, #selinux, #fedora-selinux, #security </div></dd></dl></div><div class="variablelist" id="vari-Security_Guide-References-History"><h6>History</h6><dl><dt><span class="term">Quick history of Flask</span></dt><dd><div class="para"> <a href="http://www.cs.utah.edu/flux/fluke/html/flask.html">http://www.cs.utah.edu/flux/fluke/html/flask.html</a> </div></dd><dt><span class="term">Full background on Fluke</span></dt><dd><div class="para"> <a href="http://www.cs.utah.edu/flux/fluke/html/index.html">http://www.cs.utah.edu/flux/fluke/html/index.html</a> </div></dd></dl></div></div></div></body></html>