From sradvan at fedoraproject.org Wed Jun 10 15:47:40 2015
From: sradvan
To: docs-commits at lists.fedoraproject.org
Subject: web/html/docs/security-guide/en_US/F12/html-single index.html, NONE, 1.1
Date: Wed, 26 Aug 2009 03:57:06 +0000
Message-ID: <20090826035706.AD3A111C0044@cvs1.fedora.phx.redhat.com>

Author: sradvan

Update of /cvs/fedora/web/html/docs/security-guide/en_US/F12/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28845

Added Files:
	index.html
Log Message:

--- NEW FILE index.html ---
security-guide</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content=""/><meta name="description" content="The Linux Security Guide is designed to assist users of Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, The Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods."/></head>
<body class=""><div class="book" lang="en-US"><div class="titlepage"><div>
<div class="producttitle"><span class="productname">fedora</span> <span class="productnumber">12</span></div>
<div><h1 id="d0e1" class="title">security-guide</h1></div>
<div><h2 class="subtitle">A Guide to Securing Fedora Linux</h2></div>
<p class="edition">Edition 1.1</p>
<div><h3 class="corpauthor"> <span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span> </h3></div>
<div><div class="authorgroup">
<div class="author"><h3 class="author"><span class="firstname">Johnray</span> <span class="surname">Fuller</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jrfuller@redhat.com">jrfuller@redhat.com</a></code></div>
<div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Ha</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jha@redhat.com">jha@redhat.com</a></code></div>
<div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">O'Brien</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:daobrien@redhat.com">daobrien@redhat.com</a></code></div>
<div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:sradvan@redhat.com">sradvan@redhat.com</a></code></div>
<div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Christensen</span></h3><div class="affiliation"><span class="orgname">Fedora Project</span> <span class="orgdiv">Documentation Team</span></div><code class="email"><a class="email" href="mailto:sparks@fedoraproject.org">sparks@fedoraproject.org</a></code></div>
</div></div><hr/>
<div><div id="d0e31" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1>
<div class="para">Copyright <span class="trademark"/>© 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at <a href="http://www.opencontent.org/openpub/">http://www.opencontent.org/openpub/</a>).</div>
<div class="para">Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.</div>
<div class="para">Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.</div>
<div class="para">All other trademarks and copyrights referred to are the property of their respective owners.</div>
<div class="para">Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at <a href="http://fedoraproject.org/wiki/Legal/Export">http://fedoraproject.org/wiki/Legal/Export</a>.
</div></div></div>
<div><div class="abstract"><h6>Abstract</h6>
<div class="para">The Linux Security Guide is designed to assist users of Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity.</div>
<div class="para">Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, The Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home.</div>
<div class="para">With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.</div>
</div></div></div><hr/></div>
<div class="toc"><dl>
<dt><span class="preface"><a href="#pref-Security_Guide-Preface">Preface</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#d0e105">1. Document Conventions</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#d0e115">1.1. Typographic Conventions</a></span></dt>
<dt><span class="section"><a href="#d0e331">1.2. Pull-quote Conventions</a></span></dt>
<dt><span class="section"><a href="#d0e350">1.3. Notes and Warnings</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#We_Need_Feedback">2. We Need Feedback!</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Security_Overview">1. Security Overview</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your Network</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.1. Workstation Security</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollment Works</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Configuration File Format</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP Wrappers and xinetd</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an IPsec Connection</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an IPsec Connection</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. FORWARD and NAT Rules</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.2. Command Options for IPTables</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving IPTables Rules</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables Control Scripts</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and IPv6</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional Resources</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Encryption">3. Encryption</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt>
<dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt>
<dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt>
<dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt>
<dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest">3.7.5. Links of Interest</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-General_Principles_of_Information_Security">4. General Principles of Information Security</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Secure_Installation">5. Secure Installation</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-Software_Maintenance">6. Software Maintenance</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt>
<dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="#chap-Security_Guide-References">7. References</a></span></dt>
</dl></div>
<div class="preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security_Guide-Preface" class="title">Preface</h1></div></div></div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e105">1.&#160;Document Conventions</h2></div></div></div>
<div class="para">This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.</div>
<div class="para">In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.</div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e115">1.1.&#160;Typographic Conventions</h3></div></div></div>
<div class="para">Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
</div><div class=3D"para"> <code class=3D"literal">Mono-spaced Bold</code> </div><div class=3D"para"> Used to highlight system input, including shell commands, file names and= paths. Also used to highlight key caps and key-combinations. For example: </div><div class=3D"blockquote"><blockquote class=3D"blockquote"><div cla= ss=3D"para"> To see the contents of the file <code class=3D"filename">my_next_bestse= lling_novel</code> in your current working directory, enter the <code class= =3D"command">cat my_next_bestselling_novel</code> command at the shell prom= pt and press <span class=3D"keycap"><strong>Enter</strong></span> to execut= e the command. </div></blockquote></div><div class=3D"para"> The above includes a file name, a shell command and a key cap, all prese= nted in Mono-spaced Bold and all distinguishable thanks to context. </div><div class=3D"para"> Key-combinations can be distinguished from key caps by the hyphen connec= ting each part of a key-combination. For example: </div><div class=3D"blockquote"><blockquote class=3D"blockquote"><div cla= ss=3D"para"> Press <span class=3D"keycap"><strong>Enter</strong></span> to execute t= he command. </div><div class=3D"para"> Press <span class=3D"keycap"><strong>Ctrl</strong></span>+<span class= =3D"keycap"><strong>Alt</strong></span>+<span class=3D"keycap"><strong>F1</= strong></span> to switch to the first virtual terminal. Press <span class= =3D"keycap"><strong>Ctrl</strong></span>+<span class=3D"keycap"><strong>Alt= </strong></span>+<span class=3D"keycap"><strong>F7</strong></span> to retur= n to your X-Windows session. </div></blockquote></div><div class=3D"para"> The first sentence highlights the particular key cap to press. The secon= d highlights two sets of three key caps, each set pressed simultaneously. 
</div><div class=3D"para"> If source code is discussed, class names, methods, functions, variable n= ames and returned values mentioned within a paragraph will be presented as = above, in <code class=3D"literal">Mono-spaced Bold</code>. For example: </div><div class=3D"blockquote"><blockquote class=3D"blockquote"><div cla= ss=3D"para"> File-related classes include <code class=3D"classname">filesystem</code= > for file systems, <code class=3D"classname">file</code> for files, and <c= ode class=3D"classname">dir</code> for directories. Each class has its own = associated set of permissions. </div></blockquote></div><div class=3D"para"> <span class=3D"application"><strong>Proportional Bold</strong></span> </div><div class=3D"para"> This denotes words or phrases encountered on a system, including applica= tion names; dialogue box text; labelled buttons; check-box and radio button= labels; menu titles and sub-menu titles. For example: </div><div class=3D"blockquote"><blockquote class=3D"blockquote"><div cla= ss=3D"para"> Choose <span class=3D"guimenu"><strong>System > Preferences > Mou= se</strong></span> from the main menu bar to launch <span class=3D"applicat= ion"><strong>Mouse Preferences</strong></span>. In the <span class=3D"guila= bel"><strong>Buttons</strong></span> tab, click the <span class=3D"guilabel= "><strong>Left-handed mouse</strong></span> check box and click <span class= =3D"guibutton"><strong>Close</strong></span> to switch the primary mouse bu= tton from the left to the right (making the mouse suitable for use in the l= eft hand). </div><div class=3D"para"> To insert a special character into a <span class=3D"application"><stron= g>gedit</strong></span> file, choose <span class=3D"guimenu"><strong>Applic= ations > Accessories > Character Map</strong></span> from the main me= nu bar. 
Next, choose <span class=3D"guimenu"><strong>Search > Find=E2=80= =A6</strong></span> from the <span class=3D"application"><strong>Character = Map</strong></span> menu bar, type the name of the character in the <span c= lass=3D"guilabel"><strong>Search</strong></span> field and click <span clas= s=3D"guibutton"><strong>Next</strong></span>. The character you sought will= be highlighted in the <span class=3D"guilabel"><strong>Character Table</st= rong></span>. Double-click this highlighted character to place it in the <s= pan class=3D"guilabel"><strong>Text to copy</strong></span> field and then = click the <span class=3D"guibutton"><strong>Copy</strong></span> button. No= w switch back to your document and choose <span class=3D"guimenu"><strong>E= dit > Paste</strong></span> from the < span class=3D"application"><strong>gedit</strong></span> menu bar. </div></blockquote></div><div class=3D"para"> The above text includes application names; system-wide menu names and it= ems; application-specific menu names; and buttons and text found within a G= UI interface, all presented in Proportional Bold and all distinguishable by= context. </div><div class=3D"para"> Note the <span class=3D"guimenu"><strong>></strong></span> shorthand = used to indicate traversal through a menu and its sub-menus. This is to avo= id the difficult-to-follow 'Select <span class=3D"guimenuitem"><strong>Mous= e</strong></span> from the <span class=3D"guimenu"><strong>Preferences</str= ong></span> sub-menu in the <span class=3D"guimenu"><strong>System</strong>= </span> menu of the main menu bar' approach. </div><div class=3D"para"> <code class=3D"command"><em class=3D"replaceable"><code>Mono-spaced Bold= Italic</code></em></code> or <span class=3D"application"><strong><em class= =3D"replaceable"><code>Proportional Bold Italic</code></em></strong></span> </div><div class=3D"para"> Whether Mono-spaced Bold or Proportional Bold, the addition of Italics i= ndicates replaceable or variable text. 
Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example: </div><div class="blockquote"><blockquote class="blockquote"><div class="para"> To connect to a remote machine using ssh, type <code class="command">ssh <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>domain.name</code></em></code> at a shell prompt. If the remote machine is <code class="filename">example.com</code> and your username on that machine is john, type <code class="command">ssh john@example.com</code>. </div><div class="para"> The <code class="command">mount -o remount <em class="replaceable"><code>file-system</code></em></code> command remounts the named file system. For example, to remount the <code class="filename">/home</code> file system, the command is <code class="command">mount -o remount /home</code>. </div><div class="para"> To see the version of a currently installed package, use the <code class="command">rpm -q <em class="replaceable"><code>package</code></em></code> command. It will return a result as follows: <code class="command"><em class="replaceable"><code>package-version-release</code></em></code>. </div></blockquote></div><div class="para"> Note the words in bold italics above — username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system. </div><div class="para"> Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example: </div><div class="blockquote"><blockquote class="blockquote"><div class="para"> When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. 
Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server. </div></blockquote></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e331">1.2.&nbsp;Pull-quote Conventions</h3></div></div></div><div class="para"> Two, commonly multi-line, data types are set off visually from the surrounding text. </div><div class="para"> Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus: </div><pre class="screen">
books        Desktop   documentation  drafts  mss    photos   stuff  svn
books_tests  Desktop1  downloads      images  notes  scripts  svgs
</pre><div class="para"> Source-code listings are also set in <code class="computeroutput">Mono-spaced Roman</code> but are presented and highlighted as follows: </div><pre class="programlisting">
package org.jboss.book.jca.ex1;

import javax.naming.InitialContext;

public class ExClient
{
   public static void main(String args[]) throws Exception
   {
      InitialContext iniCtx = new InitialContext();
      Object         ref    = iniCtx.lookup("EchoBean");
      EchoHome       home   = (EchoHome) ref;
      Echo           echo   = home.create();

      System.out.println("Created Echo");

      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
   }
}
</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e350">1.3.&nbsp;Notes and Warnings</h3></div></div></div><div class="para"> Finally, we use three visual styles to draw attention to information that might otherwise be overlooked. </div><div class="note"><h2>Note</h2><div class="para"> A note is a tip or shortcut or alternative approach to the task at hand. 
Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier. </div></div><div class="important"><h2>Important</h2><div class="para"> Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring Important boxes won't cause data loss but may cause irritation and frustration. </div></div><div class="warning"><h2>Warning</h2><div class="para"> A Warning should not be ignored. Ignoring warnings will most likely cause data loss. </div></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="We_Need_Feedback">2.&nbsp;We Need Feedback!</h2></div></div></div><div class="para"> More information about the Linux Security Guide project can be found at <a href="https://fedorahosted.org/securityguide">https://fedorahosted.org/securityguide</a> </div><div class="para"> To provide feedback for the Security Guide, please file a bug in <a href="https://bugzilla.redhat.com/enter_bug.cgi?component=security-guide&amp;product=Fedora%20Documentation">https://bugzilla.redhat.com/enter_bug.cgi?component=security-guide&amp;product=Fedora%20Documentation</a>. Please select the proper component in the dropdown menu, which should be the page name. </div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Security_Overview">Chapter&nbsp;1.&nbsp;Security Overview</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. 
What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. 
Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></div><div class="para"> Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, entire industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of the organization. Because most organizations are increasingly dynamic in nature, with workers accessing company IT resources locally and remotely, the need for secure computing environments has become more pronounced. </div><div class="para"> Unfortunately, most organizations (as well as individual users) regard security as an afterthought, a process that is overlooked in favor of increased power, productivity, and budgetary concerns. Proper security implementation is often enacted postmortem — <span class="emphasis"><em>after</em></span> an unauthorized intrusion has already occurred. 
Security experts agree that taking the correct measures prior to connecting a site to an untrusted network, such as the Internet, is an effective means of thwarting most attempts at intrusion. </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Introduction_to_Security">1.1.&nbsp;Introduction to Security</h2></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1.&nbsp;What is Computer Security?</h3></div></div></div><div class="para"> Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access crucial information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO) and quality of service (QoS). Using these metrics, industries can calculate aspects such as data integrity and high-availability as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can be the difference between success and failure. </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-How_did_Computer_Security_Come_about">1.1.1.1.&nbsp;How did Computer Security Come about?</h4></div></div></div><div class="para"> Information security has evolved over the years as reliance on public networks has grown, and with it the need to keep personal, financial, and other restricted information from being disclosed. 
There are numerous instances, such as the Mitnick<sup>[<a id="d0e406" href="#ftn.d0e406" class="footnote">1</a>]</sup> and the Vladimir Levin<sup>[<a id="d0e410" href="#ftn.d0e410" class="footnote">2</a>]</sup> cases, that prompted organizations across all industries to re-think the way they handle information, as well as its transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security. </div><div class="para"> An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer. From research and information retrieval to electronic mail and commerce transactions, the Internet has been regarded as one of the most important developments of the 20th century. </div><div class="para"> The Internet and its earlier protocols, however, were developed as a <em class="firstterm">trust-based</em> system. That is, the Internet Protocol was not designed to be secure in itself. There are no approved security standards built into the TCP/IP communications stack, leaving it open to potentially malicious users and processes across the network. Modern developments have made Internet communication more secure, but there are still several incidents that gain national attention and alert us to the fact that nothing is completely safe. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-Security_Today">1.1.1.2.&nbsp;Security Today</h4></div></div></div><div class="para"> In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the most heavily-trafficked sites on the Internet. 
The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for several hours with large-byte ICMP packet transfers, also called a <em class="firstterm">ping flood</em>. The attack was brought on by unknown assailants using specially created, widely available programs that scanned vulnerable network servers, installed client applications called <em class="firstterm">trojans</em> on the servers, and timed an attack with every infected server flooding the victim sites and rendering them unavailable. Many blame the attack on fundamental flaws in the way routers and the protocols used are structured to accept all incoming data, no matter where or for what purpose the packets are sent. </div><div class="para"> In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial institution of over 45 million credit card numbers.<sup>[<a id="d0e434" href="#ftn.d0e434" class="footnote">3</a>]</sup> </div><div class="para"> In a separate incident, the billing records of over 2.2 million patients stored on a backup tape were stolen from the front seat of a courier's car.<sup>[<a id="d0e440" href="#ftn.d0e440" class="footnote">4</a>]</sup> </div><div class="para"> Currently, an estimated 1.4 billion people use or have used the Internet worldwide.<sup>[<a id="d0e446" href="#ftn.d0e446" class="footnote">5</a>]</sup> At the same time: </div><div class="itemizedlist"><ul><li><div class="para"> On any given day, there are approximately 225 major security breach incidents reported to the CERT Coordination Center at Carnegie Mellon University.<sup>[<a id="d0e454" href="#ftn.d0e454" class="footnote">6</a>]</sup> </div></li><li><div class="para"> In 2003, the number of CERT reported incidents jumped to 
137,529 from 82,094 in 2002 and from 52,658 in 2001.<sup>[<a id="d0e461" href="#ftn.d0e461" class="footnote">7</a>]</sup> </div></li><li><div class="para"> The worldwide economic impact of the three most dangerous Internet Viruses of the last three years was estimated at US$13.2 Billion.<sup>[<a id="d0e468" href="#ftn.d0e468" class="footnote">8</a>]</sup> </div></li></ul></div><div class="para"> From a 2008 global survey of business and technology executives, "The Global State of Information Security"<sup>[<a id="d0e474" href="#ftn.d0e474" class="footnote">9</a>]</sup>, undertaken by <span class="emphasis"><em>CIO Magazine</em></span>, some points are: </div><div class="itemizedlist"><ul><li><div class="para"> Just 43% of respondents audit or monitor user compliance with security policies </div></li><li><div class="para"> Only 22% keep an inventory of the outside companies that use their data </div></li><li><div class="para"> The source of nearly half of security incidents was marked as "Unknown" </div></li><li><div class="para"> 44% of respondents plan to increase security spending in the next year </div></li><li><div class="para"> 59% have an information security strategy </div></li></ul></div><div class="para"> These results reinforce the reality that computer security has become a quantifiable and justifiable expense for IT budgets. Organizations that require data integrity and high availability elicit the skills of system administrators, developers, and engineers to ensure 24x7 reliability of their systems, services, and information. Falling victim to malicious users, processes, or coordinated attacks is a direct threat to the success of the organization. </div><div class="para"> Unfortunately, system and network security can be a difficult proposition, requiring an intricate knowledge of how an organization regards, uses, manipulates, and transmits its information. 
Understanding the way an organization (and the people that make up the organization) conducts business is paramount to implementing a proper security plan. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-Standardizing_Security">1.1.1.3.&nbsp;Standardizing Security</h4></div></div></div><div class="para"> Enterprises in every industry rely on regulations and rules that are set by standards-making bodies such as the American Medical Association (AMA) or the Institute of Electrical and Electronics Engineers (IEEE). The same ideals hold true for information security. Many security consultants and vendors agree upon the standard security model known as CIA, or <em class="firstterm">Confidentiality, Integrity, and Availability</em>. This three-tiered model is a generally accepted component of assessing risks to sensitive information and establishing security policy. The following describes the CIA model in further detail: </div><div class="itemizedlist"><ul><li><div class="para"> Confidentiality — Sensitive information must be available only to a set of pre-defined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud. </div></li><li><div class="para"> Integrity — Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information. </div></li><li><div class="para"> Availability — Information should be accessible to authorized users any time that it is needed. 
Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients. </div></li></ul></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2.&nbsp;SELinux</h3></div></div></div><div class="para"> Fedora includes an enhancement to the Linux kernel called SELinux, which implements a Mandatory Access Control (MAC) architecture that provides a fine-grained level of control over files, processes, users and applications in the system. Detailed discussion of SELinux is beyond the scope of this document; however, for more information on SELinux and its use in Fedora, refer to the Fedora SELinux User Guide available at <a href="http://docs.fedoraproject.org/selinux-user-guide/">http://docs.fedoraproject.org/selinux-user-guide/</a>. For more information on configuring and running services in Fedora that are protected by SELinux, refer to the SELinux Managing Confined Services Guide available at <a href="http://docs.fedoraproject.org/selinux-managing-confined-services-guide/">http://docs.fedoraproject.org/selinux-managing-confined-services-guide/</a>. Other available resources for SELinux are listed in <a class="xref" href="#chap-Security_Guide-References" title="Chapter&nbsp;7.&nbsp;References">Chapter&nbsp;7, <i>References</i></a>. 
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3.&nbsp;Security Controls</h3></div></div></div><div class="para"> Computer security is often divided into three distinct master categories, commonly referred to as <em class="wordasword">controls</em>: </div><div class="itemizedlist"><ul><li><div class="para"> Physical </div></li><li><div class="para"> Technical </div></li><li><div class="para"> Administrative </div></li></ul></div><div class="para"> These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them. </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Security_Controls-Physical_Controls">1.1.3.1.&nbsp;Physical Controls</h4></div></div></div><div class="para"> Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. 
Examples of physical controls are: </div><div class="itemizedlist"><ul><li><div class="para"> Closed-circuit surveillance cameras </div></li><li><div class="para"> Motion or thermal alarm systems </div></li><li><div class="para"> Security guards </div></li><li><div class="para"> Picture IDs </div></li><li><div class="para"> Locked and dead-bolted steel doors </div></li><li><div class="para"> Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals) </div></li></ul></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Security_Controls-Technical_Controls">1.1.3.2.&nbsp;Technical Controls</h4></div></div></div><div class="para"> Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as: </div><div class="itemizedlist"><ul><li><div class="para"> Encryption [...3804 lines suppressed...] <a href="http://clemens.endorphin.org/LUKS/">LUKS - Linux Unified Key Setup</a> </div></li><li><div class="para"> <a href="https://bugzilla.redhat.com/attachment.cgi?id=161912">HOWTO: Creating an encrypted Physical Volume (PV) using a second hard drive, pvmove, and a Fedora LiveCD</a> </div></li></ul></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8.&nbsp;7-Zip Encrypted Archives</h2></div></div></div><div class="para"> <a href="http://www.7-zip.org/">7-Zip</a> is a cross-platform, next generation, file compression tool that can also use strong encryption (AES-256) to protect the contents of the archive. 
This is extremely useful when you need to move data between multiple computers that use varying operating systems (e.g. Linux at home, Windows at work) and you want a portable encryption solution. </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1.&nbsp;7-Zip Installation in Fedora</h3></div></div></div><div class="para"> 7-Zip is not a base package in Fedora, but it is available in the software repository. Once installed, the package will update alongside the rest of the software on the computer with no special attention necessary. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2.&nbsp;Step-by-Step Installation Instructions</h3></div></div></div><div class="itemizedlist"><ul><li><div class="para"> Open a Terminal: <span class="guimenu"><strong>Applications > System Tools > Terminal</strong></span> </div></li><li><div class="para"> Install 7-Zip with sudo access: <code class="code">sudo yum install p7zip</code> </div></li><li><div class="para"> Close the Terminal: <code class="code">exit</code> </div></li></ul></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3.&nbsp;Step-by-Step Usage Instructions</h3></div></div></div><div class="para"> By following these instructions you are going to compress and encrypt your "Documents" directory. Your original "Documents" directory will remain unaltered. This technique can be applied to any directory or file you have access to on the filesystem. 
</div><div class="itemizedlist"><ul><li><div class="para"> Open a Terminal: <span class="guimenu"><strong>Applications > System Tools > Terminal</strong></span> </div></li><li><div class="para"> Compress and Encrypt (enter a password when prompted; <code class="code">-mhe=on</code> also encrypts the archive headers, so the file names inside the archive are hidden as well): <code class="code">7za a -mhe=on -ms=on -p Documents.7z Documents/</code> </div></li></ul></div><div class="para"> The "Documents" directory is now compressed and encrypted. The following instructions will move the encrypted archive somewhere new and then extract it. </div><div class="itemizedlist"><ul><li><div class="para"> Create a new directory: <code class="code">mkdir newplace</code> </div></li><li><div class="para"> Move the encrypted file: <code class="code">mv Documents.7z newplace</code> </div></li><li><div class="para"> Go to the new directory: <code class="code">cd newplace</code> </div></li><li><div class="para"> Extract the file (enter the password when prompted): <code class="code">7za x Documents.7z</code> </div></li></ul></div><div class="para"> The archive is now extracted into the new location. The following instructions will clean up all the prior steps and restore your computer to its previous state. </div><div class="itemizedlist"><ul><li><div class="para"> Go up a directory: <code class="code">cd ..</code> </div></li><li><div class="para"> Delete the test archive and test extraction: <code class="code">rm -r newplace</code> </div></li><li><div class="para"> Close the Terminal: <code class="code">exit</code> </div></li></ul></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4.&nbsp;Things of note</h3></div></div></div><div class="para"> 7-Zip is not shipped by default with Microsoft Windows or Mac OS X. 
If you need to use your 7-Zip files on those platforms you will need to install the appropriate version of 7-Zip on those computers. See the 7-Zip <a href="http://www.7-zip.org/download.html">download page</a>. </div><div class="para"> GNOME's File Roller application will recognize your .7z files and attempt to open them, but it will fail with the error "An error occurred while loading the archive." when it attempts to do so. This is because File Roller does not currently support the extraction of encrypted 7-Zip files. A bug report (<a href="http://bugzilla.gnome.org/show_bug.cgi?id=490732">Gnome Bug 490732</a>) has been submitted. </div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-Using_GPG">3.9.&nbsp;Using GNU Privacy Guard (GnuPG)</h2></div></div></div><div class="para"> GPG is used to identify yourself and authenticate your communications, including those with people you don't know. GPG allows anyone reading a GPG-signed email to verify its authenticity. In other words, GPG allows someone to be reasonably certain that communications signed by you actually are from you. GPG is useful because it helps prevent third parties from altering code or intercepting conversations and altering the message. </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1.&nbsp;Creating GPG Keys in GNOME</h3></div></div></div><div class="para"> Install the Seahorse utility, which makes GPG key management easier. From the main menu, select <span class="guimenu"><strong>System > Administration > Add/Remove Software</strong></span> and wait for PackageKit to start. Enter <code class="code">Seahorse</code> into the text box and select <span class="guibutton"><strong>Find</strong></span>. Select the checkbox next to the <code class="code">seahorse</code> package and select <span class="guibutton"><strong>Apply</strong></span> to add the software. 
You can also install <code class="code">Seahorse</code> at the command line with the command <code class="code">su -c "yum install seahorse"</code>. </div><div class="para"> To create a key, from the <span class="guimenu"><strong>Applications > Accessories</strong></span> menu select <span class="guimenuitem"><strong>Passwords and Encryption Keys</strong></span>, which starts the application <code class="code">Seahorse</code>. From the <span class="guimenu"><strong>Key</strong></span> menu select <span class="guimenuitem"><strong>Create New Key...</strong></span>, then <span class="guimenuitem"><strong>PGP Key</strong></span>, then click <span class="guibutton"><strong>Continue</strong></span>. Type your full name, email address, and an optional comment describing who you are (e.g. John C. Smith, jsmith@example.com, The Man). Click <span class="guibutton"><strong>Create</strong></span>. A dialog is displayed asking for a passphrase for the key. Choose a passphrase that is strong but also easy to remember. Click <span class="guibutton"><strong>OK</strong></span> and the key is created. </div><div class="warning"><h2>Warning</h2><div class="para"> If you forget your passphrase, the key cannot be used and any data encrypted using that key will be lost. </div></div><div class="para"> To find your GPG key ID, look in the <span class="guilabel"><strong>Key ID</strong></span> column next to the newly created key. In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in "0x6789ABCD". You should make a backup of your private key and store it somewhere secure. </div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2.&nbsp;Creating GPG Keys in KDE</h3></div></div></div><div class="para"> Start the KGpg program from the main menu by selecting <span class="guimenu"><strong>Applications > Utilities > Encryption Tool</strong></span>. If you have never used KGpg before, the program walks you through the process of creating your own GPG keypair. A dialog box appears prompting you to create a new key pair. Enter your name, email address, and an optional comment. You can also choose an expiration time for your key, as well as the key strength (number of bits) and algorithms. 
The next dialog box prompts you for your passphrase. At this point, your key appears in the main <code class="code">KGpg</code> window. </div>
<div class="warning"><h2>Warning</h2><div class="para"> If you forget your passphrase, the key cannot be used and any data encrypted using that key will be lost. </div></div>
<div class="para"> To find your GPG key ID, look in the ''Key ID'' column next to the newly created key. In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in "0x6789ABCD". You should make a backup of your private key and store it somewhere secure. </div></div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3.&#160;Creating GPG Keys Using the Command Line</h3></div></div></div>
<div class="para"> Use the following shell command: <code class="code">gpg --gen-key</code> </div>
<div class="para"> This command generates a key pair that consists of a public and a private key. Other people use your public key to authenticate and/or decrypt your communications. Distribute your public key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list. The Fedora Documentation Project, for example, asks participants to include a GPG public key in their self-introduction. </div>
<div class="para"> A series of prompts directs you through the process. Press the <code class="code">Enter</code> key to assign a default value if desired. The first prompt asks you to select what kind of key you prefer: </div>
<div class="para"> <pre class="screen">Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) RSA (sign only)
Your selection? </pre> In almost all cases, the default is the correct choice. A DSA/ElGamal key allows you not only to sign communications, but also to encrypt files. </div>
<div class="para"> Next, choose the key size: <pre class="screen">minimum keysize is  768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024)</pre> Again, the default is sufficient for almost all users, and represents an ''extremely'' strong level of security. </div>
<div class="para"> Next, choose when the key will expire. It is a good idea to choose an expiration date instead of using the default, which is ''none.'' If, for example, the email address on the key becomes invalid, an expiration date will remind others to stop using that public key. </div>
<div class="para"> <pre class="screen">Please specify how long the key should be valid.
         0 = key does not expire
      &lt;n&gt;d = key expires in n days
      &lt;n&gt;w = key expires in n weeks
      &lt;n&gt;m = key expires in n months
      &lt;n&gt;y = key expires in n years
Key is valid for? (0)</pre> </div>
<div class="para"> Entering a value of <code class="code">1y</code>, for example, makes the key valid for one year. (You may change this expiration date after the key is generated, if you change your mind.) </div>
<div class="para"> Before the <code class="code">gpg</code> program asks for signature information, the following prompt appears: <code class="code">Is this correct (y/n)?</code> Enter <code class="code">y</code> to finish the process. </div>
<div class="para"> Next, enter your name and email address. Remember this process is about authenticating you as a real individual. For this reason, include your real name. Do not use aliases or handles, since these disguise or obfuscate your identity. </div>
<div class="para"> Enter your real email address for your GPG key. If you choose a bogus email address, it will be more difficult for others to find your public key. This makes authenticating your communications difficult.
If you are using this GPG key for [[DocsProject/SelfIntroduction| self-introduction]] on a mailing list, for example, enter the email address you use on that list. </div>
<div class="para"> Use the comment field to include aliases or other information. (Some people use different keys for different purposes and identify each key with a comment, such as "Office" or "Open Source Projects.") </div>
<div class="para"> At the confirmation prompt, enter the letter O to continue if all entries are correct, or use the other options to fix any problems. Then enter a passphrase for your secret key. The <code class="code">gpg</code> program asks you to enter your passphrase twice to ensure you made no typing errors. </div>
<div class="para"> Finally, <code class="code">gpg</code> generates random data to make your key as unique as possible. Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process. Once this step is finished, your keys are complete and ready to use: </div>
<pre class="screen">pub   1024D/1B2AFA1C 2005-03-31 John Q. Doe (Fedora Docs Project) &lt;jqdoe@example.com&gt;
      Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A FA1C
sub   1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]
</pre>
<div class="para"> The key fingerprint is a shorthand "signature" for your key. It allows you to confirm to others that they have received your actual public key without any tampering. You do not need to write this fingerprint down. To display the fingerprint at any time, use this command, substituting your email address: <code class="code">gpg --fingerprint jqdoe@example.com</code> </div>
<div class="para"> Your "GPG key ID" consists of 8 hex digits identifying the public key. In the example above, the GPG key ID is 1B2AFA1C. In most cases, if you are asked for the key ID, you should prepend "0x" to the key ID, as in "0x1B2AFA1C".
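<div class="para"> The relationship between the listing above and the fingerprint can be checked mechanically. The following script is an added example, not code from the Fedora Security Guide or from GnuPG: it assumes only a POSIX shell with awk, embeds the guide's own sample listing as a constant instead of calling <code class="code">gpg</code>, and the function names (<code class="code">listed_keyid</code>, <code class="code">fingerprint</code>, <code class="code">keyid_from_fingerprint</code> and so on) are the example's own. It shows why the 8-digit key ID and the fingerprint always agree: for an OpenPGP v4 key the short key ID is simply the last 8 hex digits of the fingerprint. </div>

```shell
#!/bin/sh
# Added example; not code from the Fedora Security Guide. Cross-checks the key ID
# printed on the "pub" line against the key fingerprint using only the shell and
# awk, so it runs without gpg. For an OpenPGP v4 key the 8-hex-digit key ID is the
# low-order 32 bits of the fingerprint, i.e. its last 8 hex digits.

# The guide's own sample listing, embedded as a constant instead of running gpg.
SAMPLE_LISTING='pub   1024D/1B2AFA1C 2005-03-31 John Q. Doe (Fedora Docs Project) <jqdoe@example.com>
      Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A FA1C
sub   1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]'

# Key ID as listed on the "pub" line (the part after "1024D/").
listed_keyid() {
    printf '%s\n' "$1" | awk '$1 == "pub" { split($2, a, "/"); print a[2]; exit }'
}

# Fingerprint with the display spaces removed: 40 hex digits for a v4 key.
fingerprint() {
    printf '%s\n' "$1" | awk '/Key fingerprint/ { sub(/.*= */, ""); gsub(/ /, ""); print; exit }'
}

# Short key ID derived from a fingerprint: its last 8 hex digits.
keyid_from_fingerprint() {
    printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 7) }'
}

# Expiry date on the "sub" line, or "never" when no [expires: ...] field is present.
subkey_expiry() {
    printf '%s\n' "$1" | awk '
        $1 == "sub" {
            for (i = 1; i <= NF; i++)
                if ($i == "[expires:") { sub(/\]$/, "", $(i + 1)); print $(i + 1); exit }
            print "never"; exit
        }'
}

# Exit status 0 only when the listed key ID agrees with the fingerprint.
keyid_matches_fingerprint() {
    [ "$(listed_keyid "$1")" = "$(keyid_from_fingerprint "$(fingerprint "$1")")" ]
}

# Summary in the form the guide recommends for quoting the ID ("0x" prefix).
# When confirming a key with its owner, compare the whole fingerprint: the short
# ID is only a truncation of it and is not unique.
key_report() {
    printf 'key ID:         0x%s\n' "$(listed_keyid "$1")"
    printf 'fingerprint:    %s\n' "$(fingerprint "$1")"
    printf 'subkey expires: %s\n' "$(subkey_expiry "$1")"
    if keyid_matches_fingerprint "$1"; then
        echo "check: listed key ID matches the fingerprint"
    else
        echo "check: MISMATCH between listed key ID and fingerprint"
    fi
}

key_report "$SAMPLE_LISTING"
```

<div class="para"> On a real system, pass the output of <code class="code">gpg --fingerprint</code> for your own address to <code class="code">key_report</code> instead of the constant; the functions only read the listing text. </div>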
</div>
<div class="warning"><h2>Warning</h2><div class="para"> If you forget your passphrase, the key cannot be used and any data encrypted using that key will be lost. </div></div></div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4.&#160;About Public Key Encryption</h3></div></div></div>
<div class="orderedlist"><ol><li><div class="para"> <a href="http://en.wikipedia.org/wiki/Public-key_cryptography">Wikipedia - Public Key Cryptography</a> </div></li><li><div class="para"> <a href="http://computer.howstuffworks.com/encryption.htm">HowStuffWorks - Encryption</a> </div></li></ol></div></div></div></div>
<div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-General_Principles_of_Information_Security">Chapter&#160;4.&#160;General Principles of Information Security</h2></div></div></div>
<div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></div>
<div class="para"> The following general principles provide an overview of good security practices: </div>
<div class="itemizedlist"><ul><li><div class="para"> encrypt all data transmitted over networks to help prevent man-in-the-middle attacks and eavesdropping. It is important to encrypt authentication information, such as passwords. </div></li>
<li><div class="para"> minimize the amount of software installed and the number of running services. </div></li>
<li><div class="para"> use security-enhancing software and tools, for example, Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC), Netfilter iptables for packet filtering (firewall), and the GNU Privacy Guard (GnuPG) for encrypting files.
</div></li>
<li><div class="para"> if possible, run each network service on a separate system to minimize the risk of one compromised service being used to compromise other services. </div></li>
<li><div class="para"> maintain user accounts: create and enforce a strong password policy; delete unused user accounts. </div></li>
<li><div class="para"> routinely review system and application logs. By default, security-relevant system logs are written to <code class="filename">/var/log/secure</code> and <code class="filename">/var/log/audit/audit.log</code>. Note: sending logs to a dedicated log server helps prevent attackers from easily modifying local logs to avoid detection. </div></li>
<li><div class="para"> never log in as the root user unless absolutely necessary. It is recommended that administrators use <code class="command">sudo</code> to execute commands as root when required. Users capable of running <code class="command">sudo</code> are specified in <code class="filename">/etc/sudoers</code>. Use the <code class="command">visudo</code> utility to edit <code class="filename">/etc/sudoers</code>. </div></li></ul></div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1.&#160;Tips, Guides, and Tools</h2></div></div></div>
<div class="para"> The United States' <a href="http://www.nsa.gov/">National Security Agency (NSA)</a> provides hardening guides and tips for many different operating systems, to help government agencies, businesses, and individuals secure their systems against attack.
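<div class="para"> Two of the principles listed above, reviewing <code class="filename">/var/log/secure</code> routinely and using <code class="command">sudo</code> rather than root logins, can be turned into a small recurring check. The script below is an added example, not part of the Fedora Security Guide: it assumes a POSIX shell with awk, works on constructed sample log lines (the host name, users and addresses are invented) in the format <code class="command">sshd</code> and <code class="command">sudo</code> write through syslog, and its function names are the example's own. </div>

```shell
#!/bin/sh
# Added example; not code from the Fedora Security Guide. A small routine review of
# /var/log/secure, the file the guide names for security-relevant messages, using
# only the shell and awk. The entries below are constructed samples in the format
# sshd and sudo write through syslog; host, users and addresses are invented.

SAMPLE_SECURE_LOG='Jun 10 15:47:40 host1 sshd[2171]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jun 10 15:47:43 host1 sshd[2171]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Jun 10 15:48:01 host1 sshd[2180]: Failed password for root from 192.0.2.10 port 51240 ssh2
Jun 10 15:50:12 host1 sshd[2190]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun 10 15:51:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo
Jun 10 15:52:30 host1 sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 44321 ssh2'

# Failed password attempts per source address, busiest source first ("count address").
failed_logins_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# SSH authentication attempts, failed or accepted, made directly as root. The guide
# says never to log in as root unless absolutely necessary, so any hit deserves a look.
root_ssh_attempts() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: (Failed|Accepted) [a-z]+ for root from/ { n++ } END { print n + 0 }'
}

# Commands run through sudo, as "user command": the audit trail that using sudo
# instead of a root login gives you.
sudo_commands() {
    printf '%s\n' "$1" | awk '
        / sudo: / {
            if (match($0, /COMMAND=[^ ]+/)) print $6, substr($0, RSTART + 8, RLENGTH - 8)
        }'
}

# Print the whole review. On a real system feed it the file itself, e.g.
#   review_secure_log "$(cat /var/log/secure)"
# and prefer the copy held on a dedicated log server, which a local intruder cannot edit.
review_secure_log() {
    echo "failed logins by source:"; failed_logins_by_source "$1" | sed 's/^/  /'
    echo "SSH attempts as root: $(root_ssh_attempts "$1")"
    echo "sudo commands:";           sudo_commands "$1" | sed 's/^/  /'
}

review_secure_log "$SAMPLE_SECURE_LOG"
```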
The following guides (in PDF format) provide guidance for Red Hat Enterprise Linux 5: </div>
<div class="itemizedlist"><ul><li><div class="para"> <a href="http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf">Hardening Tips for the Red Hat Enterprise Linux 5</a> </div></li><li><div class="para"> <a href="http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf">Guide to the Secure Configuration of Red Hat Enterprise Linux 5</a> </div></li></ul></div>
<div class="para"> The <a href="http://www.disa.mil/">Defense Information Systems Agency (DISA)</a> provides documentation, checklists, and tests to help secure your system (<a href="http://iase.disa.mil/index2.html">Information Assurance Support Environment</a>). The <a href="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">UNIX SECURITY TECHNICAL IMPLEMENTATION GUIDE</a> (PDF) is a very specific guide to UNIX security; advanced knowledge of UNIX and Linux is recommended before reading this guide. </div>
<div class="para"> The DISA <a href="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1-16_20090215.ZIP">UNIX Security Checklist Version 5, Release 1.16</a> provides a collection of documents and checklists, ranging from the correct ownerships and modes for system files, to patch control. </div>
<div class="para"> Also, DISA has made available <a href="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SRR scripts</a> that allow administrators to check specific settings on systems. These scripts provide XML-formatted reports listing any known vulnerable settings. </div></div></div>
<div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Secure_Installation">Chapter&#160;5.&#160;Secure Installation</h2></div></div></div>
<div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></div>
<div class="para"> Security begins with the first time you put that CD or DVD into your disk drive to install Fedora. Configuring your system securely from the beginning makes it easier to implement additional security settings later. </div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1.&#160;Disk Partitions</h2></div></div></div>
<div class="para"> The NSA recommends creating separate partitions for /boot, /, /home, /tmp, and /var/tmp. The reasons for each are different and we will address each partition. </div>
<div class="para"> /boot - This partition is the first partition that is read by the system during boot up. The boot loader and kernel images that are used to boot your system into Fedora are stored in this partition. This partition should not be encrypted. If this partition is included in / and that partition is encrypted or otherwise becomes unavailable then your system will not be able to boot. </div>
<div class="para"> /home - When user data (/home) is stored in / instead of in a separate partition, the partition can fill up, causing the operating system to become unstable. Also, upgrading your system to the next version of Fedora is a lot easier when you can keep your data in the /home partition, as it will not be overwritten during installation. If the root partition (/) becomes corrupt, your data could be lost forever. By using a separate partition there is slightly more protection against data loss. You can also target this partition for frequent backups.
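<div class="para"> Whether an installed system actually follows the layout recommended above (separate partitions for /boot, /, /home, /tmp and /var/tmp, with /boot left unencrypted) can be checked from its mount table after the fact. The script below is an added example, not code from the Fedora Security Guide or the installer: it assumes a POSIX shell with awk, reads an <code class="filename">/etc/fstab</code>-style table that is a constructed sample (not a real system's file) and relies on the <code class="filename">/dev/mapper/luks-*</code> device names the Fedora installer gives to encrypted volumes to tell encrypted from plain partitions. The function names are the example's own. </div>

```shell
#!/bin/sh
# Added example, not taken from the Fedora Security Guide: an after-install check
# that the recommended partition layout was applied. It reads an /etc/fstab-style
# table and reports which recommended mount points are not separate filesystems,
# which data filesystems are not LUKS-backed, and whether /boot is plain.
# The table below is a constructed sample, not a real system's fstab; the
# /dev/mapper/luks-* naming is what the Fedora installer uses for encrypted volumes.

SAMPLE_FSTAB='# <device>                      <mount point>  <type>  <options>  <dump> <pass>
/dev/mapper/luks-0a1b2c3d-0001  /              ext4    defaults   1 1
UUID=6f0e3c2a-0002              /boot          ext4    defaults   1 2
UUID=5d4c3b2a-0003              /home          ext4    defaults   1 2
/dev/mapper/luks-0a1b2c3d-0004  /tmp           ext4    defaults   1 2
tmpfs                           /dev/shm       tmpfs   defaults   0 0
proc                            /proc          proc    defaults   0 0'

RECOMMENDED_MOUNTS="/boot / /home /tmp /var/tmp"

# Recommended mount points that have no fstab entry of their own (one per line).
missing_separate_partitions() {
    printf '%s\n' "$1" | awk -v want="$RECOMMENDED_MOUNTS" '
        $1 ~ /^#/ || NF < 2 { next }
        { seen[$2] = 1 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i]
        }'
}

# Recommended data mount points (everything except /boot) whose backing device is
# not a LUKS mapping, i.e. partitions that were not encrypted at install time.
unencrypted_data_mounts() {
    printf '%s\n' "$1" | awk -v want="$RECOMMENDED_MOUNTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) if (w[i] != "/boot") data[w[i]] = 1 }
        $1 ~ /^#/ || NF < 2 { next }
        ($2 in data) && ($1 !~ /^\/dev\/mapper\/luks-/) { print $2 }'
}

# Succeeds only when /boot exists as its own filesystem and is not a LUKS mapping:
# the boot loader must be able to read the kernel before any passphrase is entered.
boot_is_separate_and_plain() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ || NF < 2 { next }
        $2 == "/boot" { found = 1; if ($1 ~ /^\/dev\/mapper\/luks-/) enc = 1 }
        END { exit !(found && !enc) }'
}

audit_layout() {
    echo "not on their own partition:"; missing_separate_partitions "$1" | sed 's/^/  /'
    echo "not LUKS-encrypted:";          unencrypted_data_mounts "$1" | sed 's/^/  /'
    if boot_is_separate_and_plain "$1"; then echo "/boot: separate and unencrypted (ok)"
    else echo "/boot: missing or encrypted (the system will not boot)"; fi
}

audit_layout "$SAMPLE_FSTAB"
```

<div class="para"> On the sample table the audit reports /var/tmp as missing and /home as unencrypted; on a real system run <code class="code">audit_layout "$(cat /etc/fstab)"</code>. </div>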
</div>
<div class="para"> /tmp and /var/tmp - Both the /tmp and the /var/tmp directories are used to store data that doesn't need to be stored for a long period of time. However, if a lot of data floods one of these directories it can consume all of your storage space. If this happens and these directories are stored within / then your system could become unstable and crash. For this reason, moving these directories into their own partitions is a good idea. </div></div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2.&#160;Utilize LUKS Partition Encryption</h2></div></div></div>
<div class="para"> Since Fedora 9, implementation of <a href="http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncryption">Linux Unified Key Setup-on-disk-format</a> (LUKS) encryption has become a lot easier. During the installation process an option to encrypt your partitions will be presented to the user. The user must supply a passphrase that will be the key to unlock the bulk encryption key that will be used to secure the partition's data. </div></div></div>
<div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Software_Maintenance">Chapter&#160;6.&#160;Software Maintenance</h2></div></div></div>
<div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3.
Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></div>
<div class="para"> Software maintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as a fix becomes available, in order to prevent attackers from using known holes to infiltrate your system. </div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1.&#160;Install Minimal Software</h2></div></div></div>
<div class="para"> It is best practice to install only the packages you will use, because each piece of software on your computer could possibly contain a vulnerability. If you are installing from the DVD media, take the opportunity to select exactly what packages you want to install during the installation. When you find you need another package, you can always add it to the system later. </div></div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2.&#160;Plan and Configure Security Updates</h2></div></div></div>
<div class="para"> All software contains bugs. Often, these bugs can result in a vulnerability that can expose your system to malicious users. Unpatched systems are a common cause of computer intrusions. You should have a plan to install security patches in a timely manner to close those vulnerabilities so they cannot be exploited. </div>
<div class="para"> For home users, security updates should be installed as soon as possible.
Configuring automatic installation of security updates is one way to avoid having to remember, but it does carry a slight risk that an update will conflict with your configuration or with other software on the system. </div>
<div class="para"> For business or advanced home users, security updates should be tested and scheduled for installation. Additional controls will need to be used to protect the system during the time between the patch release and its installation on the system. These controls would depend on the exact vulnerability, but could include additional firewall rules, the use of external firewalls, or changes in software settings. </div></div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3.&#160;Adjusting Automatic Updates</h2></div></div></div>
<div class="para"> Fedora is configured to apply all updates on a daily schedule. If you want to change how your system installs updates you must do so via '''Software Update Preferences'''. You can change the schedule, the type of updates to apply, or whether to notify you of available updates. </div>
<div class="para"> In GNOME, you can find controls for your updates at: <code class="code">System -&gt; Preferences -&gt; Software Updates</code>. In KDE it is located at: <code class="code">Applications -&gt; Settings -&gt; Software Updates</code>. </div></div>
<div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4.&#160;Install Signed Packages from Well Known Repositories</h2></div></div></div>
<div class="para"> Software packages are published through repositories. All well known repositories support package signing.
Package signing uses public key technology to prove that the package that was published by the repository has not been changed since the signature was applied. This provides some protection against installing software that may have been maliciously altered after the package was created but before you downloaded it. </div>
<div class="para"> Using too many repositories, untrustworthy repositories, or repositories with unsigned packages carries a higher risk of introducing malicious or vulnerable code into your system. Use caution when adding repositories to yum/software update. </div></div></div>
<div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-References">Chapter&#160;7.&#160;References</h2></div></div></div>
<div class="para"> The following references are pointers to additional information that is relevant to SELinux and Fedora but beyond the scope of this guide. Note that due to the rapid development of SELinux, some of this material may only apply to specific releases of Fedora.
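<div class="para"> The repository warning in section 6.4 above (too many repositories, or repositories whose packages are not signature-checked) can be audited from the yum repository definitions themselves. The script below is an added example, not code from the Fedora Security Guide or from yum: it assumes a POSIX shell with awk, parses a constructed sample in <code class="filename">/etc/yum.repos.d/*.repo</code> syntax (the first two entries are modelled on Fedora's stock repositories, the others are invented, and repo.example.com is a placeholder host), and its function names are the example's own. It flags enabled repositories with <code class="code">gpgcheck</code> off, enabled repositories that name no <code class="code">gpgkey</code>, and counts how many repositories are enabled at all. </div>

```shell
#!/bin/sh
# Added example; not code from the Fedora Security Guide or from yum. Audits yum
# repository definitions for the weakness section 6.4 warns about: enabled
# repositories that do not require package signatures. The file below is a
# constructed sample in /etc/yum.repos.d/*.repo syntax; the first two entries are
# modelled on Fedora's stock repositories, the rest are invented and
# repo.example.com is a placeholder host.

SAMPLE_REPO_CONF='[fedora]
name=Fedora $releasever - $basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch

[updates]
name=Fedora $releasever - $basearch - Updates
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch

[vendor-tools]
name=Third-party tools (constructed example)
baseurl=http://repo.example.com/fedora/12/$basearch/
enabled=1
gpgcheck=0

[vendor-extras]
name=Third-party extras (constructed example)
baseurl=http://repo.example.com/fedora/12/$basearch/extras/
enabled=1
gpgcheck=1

[vendor-debug]
name=Third-party debug packages (constructed example)
baseurl=http://repo.example.com/fedora/12/$basearch/debug/
enabled=0
gpgcheck=0'

# One line per repository: "name enabled gpgcheck gpgkey". A missing "enabled" is
# treated as 1 (yum's default); a missing "gpgcheck" is reported as "unset" because
# it then falls back to the [main] section of yum.conf and must be verified there.
repo_table() {
    printf '%s\n' "$1" | awk '
        function emit() {
            if (name != "")
                print name, (enabled == "" ? "1" : enabled), (gpgcheck == "" ? "unset" : gpgcheck), (gpgkey == "" ? "none" : "set")
        }
        /^\[.*\]$/ { emit(); name = substr($0, 2, length($0) - 2); enabled = gpgcheck = gpgkey = ""; next }
        /^[ \t]*[#;]/ || NF == 0 { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { emit() }'
}

# Enabled repositories that will install packages without a signature check.
unsigned_enabled_repos() {
    repo_table "$1" | awk '$2 != "0" && $3 != "1" { print $1, "gpgcheck=" $3 }'
}

# Enabled repositories that check signatures but name no key to import, so their
# packages can only be verified against keys you have already imported by hand.
enabled_repos_without_key() {
    repo_table "$1" | awk '$2 != "0" && $3 == "1" && $4 == "none" { print $1 }'
}

# How many repositories are enabled at all (the "too many repositories" concern).
enabled_repo_count() {
    repo_table "$1" | awk '$2 != "0" { n++ } END { print n + 0 }'
}

echo "enabled repositories: $(enabled_repo_count "$SAMPLE_REPO_CONF")"
echo "enabled without signature check:"; unsigned_enabled_repos "$SAMPLE_REPO_CONF" | sed 's/^/  /'
echo "enabled without a gpgkey:";        enabled_repos_without_key "$SAMPLE_REPO_CONF" | sed 's/^/  /'
```

<div class="para"> On a real system, concatenate the repository files first, for example <code class="code">unsigned_enabled_repos "$(cat /etc/yum.repos.d/*.repo)"</code>; the parser only needs the text. </div>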
</div>
<div class="variablelist" id="vari-Security_Guide-References-Books"><h6>Books</h6><dl><dt><span class="term">SELinux by Example</span></dt><dd><div class="para"> Mayer, MacMillan, and Caplan </div><div class="para"> Prentice Hall, 2007 </div></dd></dl></div>
<div class="variablelist" id="vari-Security_Guide-References-Tutorials_and_Help"><h6>Tutorials and Help</h6><dl>
<dt><span class="term">Understanding and Customizing the Apache HTTP SELinux Policy</span></dt><dd><div class="para"> <a href="http://fedora.redhat.com/docs/selinux-apache-fc3/">http://fedora.redhat.com/docs/selinux-apache-fc3/</a> </div></dd>
<dt><span class="term">Tutorials and talks from Russell Coker</span></dt><dd><div class="para"> <a href="http://www.coker.com.au/selinux/talks/ibmtu-2004/">http://www.coker.com.au/selinux/talks/ibmtu-2004/</a> </div></dd>
<dt><span class="term">Generic Writing SELinux policy HOWTO</span></dt><dd><div class="para"> <a href="http://www.lurking-grue.org/writingselinuxpolicyHOWTO.html">http://www.lurking-grue.org/writingselinuxpolicyHOWTO.html</a> </div></dd>
<dt><span class="term">Red Hat Knowledgebase</span></dt><dd><div class="para"> <a href="http://kbase.redhat.com/">http://kbase.redhat.com/</a> </div></dd></dl></div>
<div class="variablelist" id="vari-Security_Guide-References-General_Information"><h6>General Information</h6><dl>
<dt><span class="term">NSA SELinux main website</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/selinux/index.shtml">http://www.nsa.gov/selinux/</a> </div></dd>
<dt><span class="term">NSA SELinux FAQ</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/selinux/faqs.shtml">http://www.nsa.gov/selinux/info/faq.cfm</a> </div></dd>
<dt><span class="term">Fedora SELinux FAQ</span></dt><dd><div class="para"> <a href="http://fedora.redhat.com/docs/selinux-faq-fc3/">http://fedora.redhat.com/docs/selinux-faq-fc3/</a> </div></dd>
<dt><span class="term">SELinux: NSA's Open Source Security Enhanced Linux</span></dt><dd><div class="para"> <a href="http://www.oreilly.com/catalog/selinux/">http://www.oreilly.com/catalog/selinux/</a> </div></dd></dl></div>
<div class="variablelist" id="vari-Security_Guide-References-Technology"><h6>Technology</h6><dl>
<dt><span class="term">An Overview of Object Classes and Permissions</span></dt><dd><div class="para"> <a href="http://www.tresys.com/selinux/obj_perms_help.html">http://www.tresys.com/selinux/obj_perms_help.html</a> </div></dd>
<dt><span class="term">Integrating Flexible Support for Security Policies into the Linux Operating System (a history of Flask implementation in Linux)</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/_files/selinux/papers/selsymp2005.pdf">http://www.nsa.gov/research/_files/selinux/papers/selsymp2005.pdf</a> </div></dd>
<dt><span class="term">Implementing SELinux as a Linux Security Module</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf">http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf</a> </div></dd>
<dt><span class="term">A Security Policy Configuration for the Security-Enhanced Linux</span></dt><dd><div class="para"> <a href="http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml">http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml</a> </div></dd></dl></div>
<div class="variablelist" id="vari-Security_Guide-References-Community"><h6>Community</h6><dl>
<dt><span class="term">Fedora SELinux User Guide</span></dt><dd><div class="para"> <a href="http://docs.fedoraproject.org/selinux-user-guide/">http://docs.fedoraproject.org/selinux-user-guide/</a> </div></dd>
<dt><span class="term">Fedora SELinux Managing Confined Services Guide</span></dt><dd><div class="para"> <a href="http://docs.fedoraproject.org/selinux-managing-confined-services-guide/">http://docs.fedoraproject.org/selinux-managing-confined-services-guide/</a> </div></dd>
<dt><span class="term">SELinux community page</span></dt><dd><div class="para"> <a href="http://selinux.sourceforge.net">http://selinux.sourceforge.net</a> </div></dd>
<dt><span class="term">IRC</span></dt><dd><div class="para"> irc.freenode.net, #selinux, #fedora-selinux, #security </div></dd></dl></div>
<div class="variablelist" id="vari-Security_Guide-References-History"><h6>History</h6><dl>
<dt><span class="term">Quick history of Flask</span></dt><dd><div class="para"> <a href="http://www.cs.utah.edu/flux/fluke/html/flask.html">http://www.cs.utah.edu/flux/fluke/html/flask.html</a> </div></dd>
<dt><span class="term">Full background on Fluke</span></dt><dd><div class="para"> <a href="http://www.cs.utah.edu/flux/fluke/html/index.html">http://www.cs.utah.edu/flux/fluke/html/index.html</a> </div></dd></dl></div></div></div></body></html>