Author: sradvan
Update of /cvs/fedora/web/html/docs/security-guide/en_US/F12/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28845
Added Files:
index.html
Log Message:
--- NEW FILE index.html ---
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"><head><title&g...
rel="stylesheet" href="./Common_Content/css/default.css"
type="text/css"/><meta name="generator"
content="publican"/><meta name="package"
content=""/><meta name="description" content="The Linux
Security Guide is designed to assist users of Linux in learning the processes and
practices of securing workstations and servers against local and remote intrusion,
exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and
techniques valid for all Linux systems, The Linux Security Guide details the planning and
the tools involved in creating a secured computing environment for the data center,
workplace, and home. With proper administrative knowledge, vigilance, and tools, systems
running Linux can be both fully functional and secured from most common intrusion and
exploit methods."/></head><body class=""><div
class="book" lang="en-US"><div
class="titlepage"><div><div clas
s="producttitle"><span
class="productname">fedora</span> <span
class="productnumber">12</span></div><div><h1
id="d0e1"
class="title">security-guide</h1></div><div><h2
class="subtitle">A Guide to Securing Fedora Linux</h2></div><p
class="edition">Edition 1.1</p><div><h3
class="corpauthor">
<span class="inlinemediaobject"><object
data="Common_Content/images/title_logo.svg" type="image/svg+xml">
Logo</object></span>
</h3></div><div><div class="authorgroup"><div
class="author"><h3 class="author"><span
class="firstname">Johnray</span> <span
class="surname">Fuller</span></h3><div
class="affiliation"><span class="orgname">Red
Hat</span></div><code class="email"><a
class="email"
href="mailto:jrfuller@redhat.com">jrfuller@redhat.com</a></code></div><div
class="author"><h3 class="author"><span
class="firstname">John</span> <span
class="surname">Ha</span></h3><div
class="affiliation"><span class="orgname">Red
Hat</span></div><code class="email"><a
class="email"
href="mailto:jha@redhat.com">jha@redhat.com</a></code></div><div
class="author"><h3 class="author"><span
class="firstname">David</span> <span
class="surname">O'Brien</span></h3><div
class="affiliation"><span class="orgname">Red
Hat</span></div><code class="email"><a
class="email"
href="mailto:daobrien@redhat.com">daobrien@redhat.com</a></code></div><div
class="author"><h3 class="author"><span
class="firstname">Scott</span> <span clas
s="surname">Radvan</span></h3><div
class="affiliation"><span class="orgname">Red
Hat</span></div><code class="email"><a
class="email"
href="mailto:sradvan@redhat.com">sradvan@redhat.com</a></code></div><div
class="author"><h3 class="author"><span
class="firstname">Eric</span> <span
class="surname">Christensen</span></h3><div
class="affiliation"><span class="orgname">Fedora
Project</span> <span class="orgdiv">Documentation
Team</span></div><code class="email"><a
class="email"
href="mailto:sparks@fedoraproject.org">sparks@fedoraproject.org</a></code></div></div></div><hr/><div><div
id="d0e31" class="legalnotice"><h1
class="legalnotice">Legal Notice</h1><div
class="para">
Copyright <span class="trademark"/>© 2009 Red Hat, Inc. This material
may only be distributed subject to the terms and conditions set forth in the Open
Publication License, V1.0, (the latest version is presently available at <a
href="http://www.opencontent.org/openpub/">http://www.openco...>).
</div><div class="para">
Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of
Red Hat, Inc., in the U.S. and other countries.
</div><div class="para">
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat
Inc. in the United States and other countries.
</div><div class="para">
All other trademarks and copyrights referred to are the property of their respective
owners.
</div><div class="para">
Documentation, as with software itself, may be subject to export control. Read about
Fedora Project export controls at <a
href="http://fedoraproject.org/wiki/Legal/Export">http://fed...;.
</div></div></div><div><div
class="abstract"><h6>Abstract</h6><div
class="para">The Linux Security Guide is designed to assist users of Linux
in
learning the processes and practices of securing workstations and
servers against local and remote intrusion, exploitation, and
malicious activity.</div><div class="para">Focused on Fedora Linux
but detailing concepts and techniques valid
for all Linux systems, The Linux Security Guide details the
planning and the tools involved in creating a secured computing
environment for the data center, workplace, and home.</div><div
class="para">With proper administrative knowledge, vigilance, and tools,
systems
running Linux can be both fully functional and secured from most
common intrusion and exploit
methods.</div></div></div></div><hr/></div><div
class="toc"><dl><dt><span class="preface"><a
href="#pref-Security_Guide-Preface">Preface</a></span></dt><dd><dl><dt><span
class="section"><a href="#d0e105">1. Document
Conventions</a></span></dt><dd><dl><dt><span
class="section"><a href="#d0e115">1.1. Typographic
Conventions</a></span></dt><dt><span
class="section"><a href="#d0e331">1.2. Pull-quote
Conventions</a></span></dt><dt><span
class="section"><a href="#d0e350">1.3. Notes and
Warnings</a></span></dt></dl></dd><dt><span
class="section"><a href="#We_Need_Feedback">2. We Need
Feedback!</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="#chap-Security_Guide-Security_Overview">1. Security
Overview</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to
Security</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security-What_is
_Computer_Security">1.1.1. What is Computer
Security?</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2.
SELinux</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3.
Security Controls</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4.
Conclusion</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability
Assessment</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1.
Thinking Like the Enemy</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2.
Defining Assessment and Testing</a></span></dt><dt><span
class="section"><a href="#sect-Security_Guide-Vulnerability
_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the
Tools</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and
Vulnerabilities</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1.
A Quick History of Hackers</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2.
Threats to Network Security</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3.
Threats to Server Security</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4.
Threats to Workstation and Home PC
Security</a></span></dt></dl></dd><dt><span
class="section"><a href="#sect-Security_Guide-Com
mon_Exploits_and_Attacks">1.4. Common Exploits and
Attacks</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Security_Updates">1.5. Security
Updates</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1.
Updating Packages</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2.
Verifying Signed Packages</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3.
Installing Signed Packages</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4.
Applying the
Changes</a></span></dt></dl></dd></dl></dd><dt><span
class="chapter"><a
href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your
Network</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Workstation_Security">
2.1. Workstation
Security</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1.
Evaluating Workstation Security</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2.
BIOS and Boot Loader Security</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3.
Password Security</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4.
Administrative Controls</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5.
Available Network Services</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6.
Personal Firewalls</a></span></dt><dt><span
class="section"><a href="#sect
-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7.
Security Enhanced Communication
Tools</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Server_Security">2.2. Server
Security</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1.
Securing Services With TCP Wrappers and
xinetd</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing
Portmap</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing
NIS</a></span></dt><dt><span class="section"><a
href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing
NFS</a></span></dt><dt><span class="section"><a
href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5.
Securing the Apache HTTP Server</a></span></dt><dt><sp
an class="section"><a
href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing
FTP</a></span></dt><dt><span class="section"><a
href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing
Sendmail</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8.
Verifying Which Ports Are
Listening</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on
(SSO)</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1.
Introduction</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2.
Getting Started with your new Smart
Card</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3.
How Smart Card Enrollme
nt Works</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4.
How Smart Card Login Works</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5.
Configuring Firefox to use Kerberos for
SSO</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4.
Pluggable Authentication Modules
(PAM)</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1.
Advantages of PAM</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2.
PAM Configuration Files</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3.
PAM Confi
guration File Format</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4.
Sample PAM Configuration Files</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5.
Creating PAM Modules</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6.
PAM and Administrative Credential
Caching</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7.
PAM and Device Ownership</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8.
Additional
Resources</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.
5. TCP Wrappers and
xinetd</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP
Wrappers</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2.
TCP Wrappers Configuration Files</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3.
xinetd</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4.
xinetd Configuration Files</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5.
Additional
Resources</a></span></dt></dl></dd><dt><span
class="section"><a href="#sect-Security_Guide-Kerberos">2.6.
Kerberos</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is
Kerberos?</
a></span></dt><dt><span class="section"><a
href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos
Terminology</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos
Works</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and
PAM</a></span></dt><dt><span class="section"><a
href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5.
Configuring a Kerberos 5 Server</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6.
Configuring a Kerberos 5 Client</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7.
Domain-to-Realm Mapping</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting
Up Secondary KDCs</a></span></dt><dt><span class="
section"><a
href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9.
Setting Up Cross Realm Authentication</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional
Resources</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual
Private Networks
(VPNs)</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1.
How Does a VPN Work?</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2.
VPNs and Fedora</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3.
IPsec</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4.
Creating an IPsec Con
nection</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5.
IPsec Installation</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6.
IPsec Host-to-Host Configuration</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7.
IPsec Network-to-Network Configuration</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8.
Starting and Stopping an IPsec
Connection</a></span></dt></dl></dd><dt><span
class="section"><a href="#sect-Security_Guide-Firewalls">2.8.
Firewalls</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter
and IPTables</a></span></dt><dt><span clas
s="section"><a
href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2.
Basic Firewall Configuration</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using
IPTables</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common
IPTables Filtering</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. FORWARD
and NAT Rules</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6.
Malicious Software and Spoofed IP
Addresses</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7.
IPTables and Connection Tracking</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Firewalls-IPv6">2.8.8.
IPv6</a></span></dt><dt><span
class="section"><a hre
f="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional
Resources</a></span></dt></dl></dd><dt><span
class="section"><a href="#sect-Security_Guide-IPTables">2.9.
IPTables</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet
Filtering</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.2.
Command Options for IPTables</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving
IPTables Rules</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables
Control Scripts</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and
IPv6</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional
Resources<
/a></span></dt></dl></dd></dl></dd><dt><span
class="chapter"><a href="#chap-Security_Guide-Encryption">3.
Encryption</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at
Rest</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2.
Full Disk Encryption</a></span></dt><dt><span
class="section"><a
href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3.
File Based Encryption</a></span></dt><dt><span
class="section"><a
href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in
Motion</a></span></dt><dt><span
class="section"><a
href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5.
Virtual Private Networks</a></span></dt><dt><span
class="section"><a
href="#Security_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure
Shell</a></span></dt><dt><span
class="section"><a href="#sect-Secu
rity_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk
Encryption</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1.
LUKS Implementation in Fedora</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2.
Manually Encrypting Directories</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3.
Step-by-Step Instructions</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4.
What you have just accomplished.</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest">3.7.5.
Links of
Interest</a></span></dt></dl></dd><dt><span
class="section"><a href="#sect-Security_Guide-
Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted
Archives</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1.
7-Zip Installation in Fedora</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2.
Step-by-Step Installation Instructions</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3.
Step-by-Step Usage Instructions</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4.
Things of note</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard
(GnuPG)</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Crea
ting GPG Keys in GNOME</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2.
Creating GPG Keys in KDE</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3.
Creating GPG Keys Using the Command
Line</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4.
About Public Key
Encryption</a></span></dt></dl></dd></dl></dd><dt><span
class="chapter"><a
href="#chap-Security_Guide-General_Principles_of_Information_Security">4.
General Principles of Information
Security</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1.
Tips, Guides, and
Tools</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="#chap-Security_Guide-Secure_Installation">5. Secure
Installation</a></span></d
t><dd><dl><dt><span class="section"><a
href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk
Partitions</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2.
Utilize LUKS Partition
Encryption</a></span></dt></dl></dd><dt><span
class="chapter"><a
href="#chap-Security_Guide-Software_Maintenance">6. Software
Maintenance</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1.
Install Minimal Software</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2.
Plan and Configure Security Updates</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3.
Adjusting Automatic Updates</a></span></dt><dt><span
class="section"><a href="#sect-S
ecurity_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4.
Install Signed Packages from Well Known
Repositories</a></span></dt></dl></dd><dt><span
class="chapter"><a href="#chap-Security_Guide-References">7.
References</a></span></dt></dl></div><div
class="preface" lang="en-US"><div
class="titlepage"><div><div><h1
id="pref-Security_Guide-Preface"
class="title">Preface</h1></div></div></div><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="d0e105">1. Document
Conventions</h2></div></div></div><div
class="para">
This manual uses several conventions to highlight certain words and phrases and draw
attention to specific pieces of information.
</div><div class="para">
In PDF and paper editions, this manual uses typefaces drawn from the <a
href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a>
set. The Liberation Fonts set is also used in HTML editions if the set is installed on
your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat
Enterprise Linux 5 and later includes the Liberation Fonts set by default.
</div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e115">1.1. Typographic
Conventions</h3></div></div></div><div
class="para">
Four typographic conventions are used to call attention to specific words and phrases.
These conventions, and the circumstances they apply to, are as follows.
</div><div class="para">
<code class="literal">Mono-spaced Bold</code>
</div><div class="para">
Used to highlight system input, including shell commands, file names and paths. Also
used to highlight key caps and key-combinations. For example:
</div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
To see the contents of the file <code
class="filename">my_next_bestselling_novel</code> in your current
working directory, enter the <code class="command">cat
my_next_bestselling_novel</code> command at the shell prompt and press <span
class="keycap"><strong>Enter</strong></span> to execute the
command.
</div></blockquote></div><div class="para">
The above includes a file name, a shell command and a key cap, all presented in
Mono-spaced Bold and all distinguishable thanks to context.
</div><div class="para">
Key-combinations can be distinguished from key caps by the hyphen connecting each part
of a key-combination. For example:
</div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
Press <span
class="keycap"><strong>Enter</strong></span> to execute the
command.
</div><div class="para">
Press <span
class="keycap"><strong>Ctrl</strong></span>+<span
class="keycap"><strong>Alt</strong></span>+<span
class="keycap"><strong>F1</strong></span> to switch to the
first virtual terminal. Press <span
class="keycap"><strong>Ctrl</strong></span>+<span
class="keycap"><strong>Alt</strong></span>+<span
class="keycap"><strong>F7</strong></span> to return to your
X-Windows session.
</div></blockquote></div><div class="para">
The first sentence highlights the particular key cap to press. The second highlights
two sets of three key caps, each set pressed simultaneously.
</div><div class="para">
If source code is discussed, class names, methods, functions, variable names and
returned values mentioned within a paragraph will be presented as above, in <code
class="literal">Mono-spaced Bold</code>. For example:
</div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
File-related classes include <code
class="classname">filesystem</code> for file systems, <code
class="classname">file</code> for files, and <code
class="classname">dir</code> for directories. Each class has its own
associated set of permissions.
</div></blockquote></div><div class="para">
<span class="application"><strong>Proportional
Bold</strong></span>
</div><div class="para">
This denotes words or phrases encountered on a system, including application names;
dialogue box text; labelled buttons; check-box and radio button labels; menu titles and
sub-menu titles. For example:
</div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
Choose <span class="guimenu"><strong>System > Preferences
> Mouse</strong></span> from the main menu bar to launch <span
class="application"><strong>Mouse
Preferences</strong></span>. In the <span
class="guilabel"><strong>Buttons</strong></span> tab, click
the <span class="guilabel"><strong>Left-handed
mouse</strong></span> check box and click <span
class="guibutton"><strong>Close</strong></span> to switch
the primary mouse button from the left to the right (making the mouse suitable for use in
the left hand).
</div><div class="para">
To insert a special character into a <span
class="application"><strong>gedit</strong></span> file,
choose <span class="guimenu"><strong>Applications >
Accessories > Character Map</strong></span> from the main menu bar.
Next, choose <span class="guimenu"><strong>Search >
Find…</strong></span> from the <span
class="application"><strong>Character Map</strong></span>
menu bar, type the name of the character in the <span
class="guilabel"><strong>Search</strong></span> field and
click <span
class="guibutton"><strong>Next</strong></span>. The
character you sought will be highlighted in the <span
class="guilabel"><strong>Character Table</strong></span>.
Double-click this highlighted character to place it in the <span
class="guilabel"><strong>Text to copy</strong></span> field
and then click the <span
class="guibutton"><strong>Copy</strong></span> button. Now
switch back to your document and choose <span
class="guimenu"><strong>Edit > Paste</strong></span>
from the <
span class="application"><strong>gedit</strong></span>
menu bar.
</div></blockquote></div><div class="para">
The above text includes application names; system-wide menu names and items;
application-specific menu names; and buttons and text found within a GUI interface, all
presented in Proportional Bold and all distinguishable by context.
</div><div class="para">
Note the <span
class="guimenu"><strong>></strong></span> shorthand
used to indicate traversal through a menu and its sub-menus. This is to avoid the
difficult-to-follow 'Select <span
class="guimenuitem"><strong>Mouse</strong></span> from the
<span
class="guimenu"><strong>Preferences</strong></span>
sub-menu in the <span
class="guimenu"><strong>System</strong></span> menu of the
main menu bar' approach.
</div><div class="para">
<code class="command"><em
class="replaceable"><code>Mono-spaced Bold
Italic</code></em></code> or <span
class="application"><strong><em
class="replaceable"><code>Proportional Bold
Italic</code></em></strong></span>
</div><div class="para">
Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates
replaceable or variable text. Italics denotes text you do not input literally or displayed
text that changes depending on circumstance. For example:
</div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
To connect to a remote machine using ssh, type <code
class="command">ssh <em
class="replaceable"><code>username</code></em>@<em
class="replaceable"><code>domain.name</code></em></code>
at a shell prompt. If the remote machine is <code
class="filename">example.com</code> and your username on that machine
is john, type <code class="command">ssh john(a)example.com</code>.
</div><div class="para">
The <code class="command">mount -o remount <em
class="replaceable"><code>file-system</code></em></code>
command remounts the named file system. For example, to remount the <code
class="filename">/home</code> file system, the command is <code
class="command">mount -o remount /home</code>.
</div><div class="para">
To see the version of a currently installed package, use the <code
class="command">rpm -q <em
class="replaceable"><code>package</code></em></code>
command. It will return a result as follows: <code class="command"><em
class="replaceable"><code>package-version-release</code></em></code>.
</div></blockquote></div><div class="para">
Note the words in bold italics above — username, domain.name, file-system, package,
version and release. Each word is a placeholder, either for text you enter when issuing a
command or for text displayed by the system.
</div><div class="para">
Aside from standard usage for presenting the title of a work, italics denotes the first
use of a new and important term. For example:
</div><div class="blockquote"><blockquote
class="blockquote"><div class="para">
When the Apache HTTP Server accepts requests, it dispatches child processes or threads
to handle them. This group of child processes or threads is known as a <em
class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the
responsibility for creating and maintaining these server-pools has been abstracted to a
group of modules called <em class="firstterm">Multi-Processing
Modules</em> (<em class="firstterm">MPMs</em>). Unlike other
modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
</div></blockquote></div></div><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e331">1.2. Pull-quote
Conventions</h3></div></div></div><div
class="para">
Two, commonly multi-line, data types are set off visually from the surrounding text.
</div><div class="para">
Output sent to a terminal is set in <code
class="computeroutput">Mono-spaced Roman</code> and presented thus:
</div><pre class="screen">
books Desktop documentation drafts mss photos stuff svn
books_tests Desktop1 downloads images notes scripts svgs
</pre><div class="para">
Source-code listings are also set in <code
class="computeroutput">Mono-spaced Roman</code> but are presented and
highlighted as follows:
</div><pre class="programlisting">
package org.jboss.book.jca.ex1;
import javax.naming.InitialContext;
public class ExClient
{
public static void main(String args[])
throws Exception
{
InitialContext iniCtx = new InitialContext();
Object ref = iniCtx.lookup("EchoBean");
EchoHome home = (EchoHome) ref;
Echo echo = home.create();
System.out.println("Created Echo");
System.out.println("Echo.echo('Hello') = " +
echo.echo("Hello"));
}
}
</pre></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="d0e350">1.3. Notes and
Warnings</h3></div></div></div><div class="para">
Finally, we use three visual styles to draw attention to information that might
otherwise be overlooked.
</div><div class="note"><h2>Note</h2><div
class="para">
A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a
note should have no negative consequences, but you might miss out on a trick that makes
your life easier.
</div></div><div
class="important"><h2>Important</h2><div
class="para">
Important boxes detail things that are easily missed: configuration changes that only
apply to the current session, or services that need restarting before an update will
apply. Ignoring Important boxes won't cause data loss but may cause irritation and
frustration.
</div></div><div
class="warning"><h2>Warning</h2><div
class="para">
A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
</div></div></div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="We_Need_Feedback">2. We Need
Feedback!</h2></div></div></div><div
class="para">
More information about the Linux Security Guide project can be found at <a
href="https://fedorahosted.org/securityguide">https://fedora...
</div><div class="para">
To provide feedback for the Security Guide, please file a bug in <a
href="https://bugzilla.redhat.com/enter_bug.cgi?component=security-g...;.
Please select the proper component in the dropdown menu which should be the page name.
</div></div></div><div class="chapter"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security_Guide-Security_Overview">Chapter 1. Security
Overview</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to
Security</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1.
What is Computer Security?</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2.
SELinux</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3.
Security Controls</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4.
Conclusion</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Vulnerability_Assessment"
1.2. Vulnerability
Assessment</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1.
Thinking Like the Enemy</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2.
Defining Assessment and Testing</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_Tools">1.2.3.
Evaluating the
Tools</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and
Vulnerabilities</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1.
A Quick History of Hackers</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2.
Threats to Network Security</
a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3.
Threats to Server Security</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4.
Threats to Workstation and Home PC
Security</a></span></dt></dl></dd><dt><span
class="section"><a
href="#sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits
and Attacks</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Security_Updates">1.5. Security
Updates</a></span></dt><dd><dl><dt><span
class="section"><a
href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1.
Updating Packages</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2.
Verifying Signed Packages</a></span></dt><dt><span
class="section"><a href="#sect-Security_Guide-Updating_Package
s-Installing_Signed_Packages">1.5.3. Installing Signed
Packages</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4.
Applying the
Changes</a></span></dt></dl></dd></dl></div><div
class="para">
Because of the increased reliance on powerful, networked computers to help run
businesses and keep track of our personal information, entire industries have been formed
around the practice of network and computer security. Enterprises have solicited the
knowledge and skills of security experts to properly audit systems and tailor solutions to
fit the operating requirements of the organization. Because most organizations are
increasingly dynamic in nature, with workers accessing company IT resources locally and
remotely, the need for secure computing environments has become more pronounced.
</div><div class="para">
Unfortunately, most organizations (as well as individual users) regard security as an
afterthought, a process that is overlooked in favor of increased power, productivity, and
budgetary concerns. Proper security implementation is often enacted postmortem — <span
class="emphasis"><em>after</em></span> an unauthorized
intrusion has already occurred. Security experts agree that taking the correct measures
prior to connecting a site to an untrusted network, such as the Internet, is an effective
means of thwarting most attempts at intrusion.
</div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Introduction_to_Security">1.1. Introduction to
Security</h2></div></div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What
is Computer Security?</h3></div></div></div><div
class="para">
Computer security is a general term that covers a wide area of computing and
information processing. Industries that depend on computer systems and networks to conduct
daily business transactions and access crucial information regard their data as an
important part of their overall assets. Several terms and metrics have entered our daily
business vocabulary, such as total cost of ownership (TCO) and quality of service (QoS).
Using these metrics, industries can calculate aspects such as data integrity and
high-availability as part of their planning and process management costs. In some
industries, such as electronic commerce, the availability and trustworthiness of data can
be the difference between success and failure.
</div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security_Guide-What_is_Computer_Security-How_did_Computer_Security_Come_about">1.1.1.1. How
did Computer Security Come about?</h4></div></div></div><div
class="para">
Information security has evolved over the years due to the increasing reliance on
public networks not to disclose personal, financial, and other restricted information.
There are numerous instances such as the Mitnick <sup>[<a id="d0e406"
href="#ftn.d0e406" class="footnote">1</a>]</sup>and the
Vladimir Levin <sup>[<a id="d0e410" href="#ftn.d0e410"
class="footnote">2</a>]</sup>cases that prompted organizations
across all industries to re-think the way they handle information, as well as its
transmission and disclosure. The popularity of the Internet was one of the most important
developments that prompted an intensified effort in data security.
</div><div class="para">
An ever-growing number of people are using their personal computers to gain access to
the resources that the Internet has to offer. From research and information retrieval to
electronic mail and commerce transaction, the Internet has been regarded as one of the
most important developments of the 20th century.
</div><div class="para">
The Internet and its earlier protocols, however, were developed as a <em
class="firstterm">trust-based</em> system. That is, the Internet
Protocol was not designed to be secure in itself. There are no approved security standards
built into the TCP/IP communications stack, leaving it open to potentially malicious users
and processes across the network. Modern developments have made Internet communication
more secure, but there are still several incidents that gain national attention and alert
us to the fact that nothing is completely safe.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security_Guide-What_is_Computer_Security-Security_Today">1.1.1.2. Security
Today</h4></div></div></div><div class="para">
In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on
several of the most heavily-trafficked sites on the Internet. The attack rendered
yahoo.com,
cnn.com,
amazon.com,
fbi.gov, and several other sites completely unreachable to
normal users, as it tied up routers for several hours with large-byte ICMP packet
transfers, also called a <em class="firstterm">ping flood</em>. The
attack was brought on by unknown assailants using specially created, widely available
programs that scanned vulnerable network servers, installed client applications called
<em class="firstterm">trojans</em> on the servers, and timed an
attack with every infected server flooding the victim sites and rendering them
unavailable. Many blame the attack on fundamental flaws in the way routers and the
protocols used are structured to accept all incoming data, no matter where or for what
purpose the packets are sent.
</div><div class="para">
In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent
Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial
institution of over 45 million credit card numbers.<sup>[<a id="d0e434"
href="#ftn.d0e434" class="footnote">3</a>]</sup>
</div><div class="para">
In a separate incident, the billing records of over 2.2 million patients stored on a
backup tape were stolen from the front seat of a courier's car.<sup>[<a
id="d0e440" href="#ftn.d0e440"
class="footnote">4</a>]</sup>
</div><div class="para">
Currently, an estimated 1.4 billion people use or have used the Internet
worldwide.<sup>[<a id="d0e446" href="#ftn.d0e446"
class="footnote">5</a>]</sup> At the same time:
</div><div class="itemizedlist"><ul><li><div
class="para">
On any given day, there are approximately 225 major incidences of security breach
reported to the CERT Coordination Center at Carnegie Mellon University.<sup>[<a
id="d0e454" href="#ftn.d0e454"
class="footnote">6</a>]</sup>
</div></li><li><div class="para">
In 2003, the number of CERT reported incidences jumped to 137,529 from 82,094 in
2002 and from 52,658 in 2001.<sup>[<a id="d0e461"
href="#ftn.d0e461" class="footnote">7</a>]</sup>
</div></li><li><div class="para">
The worldwide economic impact of the three most dangerous Internet Viruses of the
last three years was estimated at US$13.2 Billion.<sup>[<a id="d0e468"
href="#ftn.d0e468" class="footnote">8</a>]</sup>
</div></li></ul></div><div class="para">
From a 2008 global survey of business and technology executives "The Global State
of Information Security"<sup>[<a id="d0e474"
href="#ftn.d0e474" class="footnote">9</a>]</sup>,
undertaken by <span class="emphasis"><em>CIO
Magazine</em></span>, some points are:
</div><div class="itemizedlist"><ul><li><div
class="para">
Just 43% of respondents audit or monitor user compliance with security policies
</div></li><li><div class="para">
Only 22% keep an inventory of the outside companies that use their data
</div></li><li><div class="para">
The source of nearly half of security incidents was marked as "Unknown"
</div></li><li><div class="para">
44% of respondents plan to increase security spending in the next year
</div></li><li><div class="para">
59% have an information security strategy
</div></li></ul></div><div class="para">
These results enforce the reality that computer security has become a quantifiable and
justifiable expense for IT budgets. Organizations that require data integrity and high
availability elicit the skills of system administrators, developers, and engineers to
ensure 24x7 reliability of their systems, services, and information. Falling victim to
malicious users, processes, or coordinated attacks is a direct threat to the success of
the organization.
</div><div class="para">
Unfortunately, system and network security can be a difficult proposition, requiring
an intricate knowledge of how an organization regards, uses, manipulates, and transmits
its information. Understanding the way an organization (and the people that make up the
organization) conducts business is paramount to implementing a proper security plan.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security_Guide-What_is_Computer_Security-Standardizing_Security">1.1.1.3. Standardizing
Security</h4></div></div></div><div class="para">
Enterprises in every industry rely on regulations and rules that are set by
standards-making bodies such as the American Medical Association (AMA) or the Institute of
Electrical and Electronics Engineers (IEEE). The same ideals hold true for information
security. Many security consultants and vendors agree upon the standard security model
known as CIA, or <em class="firstterm">Confidentiality, Integrity, and
Availability</em>. This three-tiered model is a generally accepted component to
assessing risks of sensitive information and establishing security policy. The following
describes the CIA model in further detail:
</div><div class="itemizedlist"><ul><li><div
class="para">
Confidentiality — Sensitive information must be available only to a set of
pre-defined individuals. Unauthorized transmission and usage of information should be
restricted. For example, confidentiality of information ensures that a customer's
personal or financial information is not obtained by an unauthorized individual for
malicious purposes such as identity theft or credit fraud.
</div></li><li><div class="para">
Integrity — Information should not be altered in ways that render it incomplete or
incorrect. Unauthorized users should be restricted from the ability to modify or destroy
sensitive information.
</div></li><li><div class="para">
Availability — Information should be accessible to authorized users any time that it
is needed. Availability is a warranty that information can be obtained with an agreed-upon
frequency and timeliness. This is often measured in terms of percentages and agreed to
formally in Service Level Agreements (SLAs) used by network service providers and their
enterprise clients.
</div></li></ul></div></div></div><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</h3></div></div></div><div
class="para">
Fedora includes an enhancement to the Linux kernel called SELinux, which implements a
Mandatory Access Control (MAC) architecture that provides a fine-grained level of control
over files, processes, users and applications in the system. Detailed discussion of
SELinux is beyond the scope of this document; however, for more information on SELinux and
its use in Fedora, refer to the Fedora SELinux User Guide available at <a
href="http://docs.fedoraproject.org/selinux-user-guide/">htt...;.
For more information on configuring and running services in Fedora that are protected by
SELinux, refer to the SELinux Managing Confined Services Guide available at <a
href="http://docs.fedoraproject.org/selinux-managing-confined-servic...;.
Other available resources for SELinux are listed in <a class="xref"
href="#chap-Security_Guide-References" title="Chapter 7.
References">Chapter 7, <i>References</i></a>.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security
Controls</h3></div></div></div><div class="para">
Computer security is often divided into three distinct master categories, commonly
referred to as <em class="wordasword">controls</em>:
</div><div class="itemizedlist"><ul><li><div
class="para">
Physical
</div></li><li><div class="para">
Technical
</div></li><li><div class="para">
Administrative
</div></li></ul></div><div class="para">
These three broad categories define the main objectives of proper security
implementation. Within these controls are sub-categories that further detail the controls
and how to implement them.
</div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security_Guide-Security_Controls-Physical_Controls">1.1.3.1. Physical
Controls</h4></div></div></div><div class="para">
Physical control is the implementation of security measures in a defined structure
used to deter or prevent unauthorized access to sensitive material. Examples of physical
controls are:
</div><div class="itemizedlist"><ul><li><div
class="para">
Closed-circuit surveillance cameras
</div></li><li><div class="para">
Motion or thermal alarm systems
</div></li><li><div class="para">
Security guards
</div></li><li><div class="para">
Picture IDs
</div></li><li><div class="para">
Locked and dead-bolted steel doors
</div></li><li><div class="para">
Biometrics (includes fingerprint, voice, face, iris, handwriting, and other
automated methods used to recognize individuals)
</div></li></ul></div></div><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h4 class="title"
id="sect-Security_Guide-Security_Controls-Technical_Controls">1.1.3.2. Technical
Controls</h4></div></div></div><div class="para">
Technical controls use technology as a basis for controlling the access and usage of
sensitive data throughout a physical structure and over a network. Technical controls are
far-reaching in scope and encompass such technologies as:
</div><div class="itemizedlist"><ul><li><div
class="para">
Encryption
[...3804 lines suppressed...]
<a
href="http://clemens.endorphin.org/LUKS/">LUKS - Linux Unified Key
Setup</a>
</div></li><li><div class="para">
<a
href="https://bugzilla.redhat.com/attachment.cgi?id=161912">...:
Creating an encrypted Physical Volume (PV) using a second hard drive, pvmove, and a Fedora
LiveCD</a>
</div></li></ul></div></div></div><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip
Encrypted Archives</h2></div></div></div><div
class="para">
<a
href="http://www.7-zip.org/">7-Zip</a> is a cross-platform,
next generation, file compression tool that can also use strong encryption (AES-256) to
protect the contents of the archive. This is extremely useful when you need to move data
between multiple computers that use varying operating systems (i.e. Linux at home, Windows
at work) and you want a portable encryption solution.
</div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip
Installation in Fedora</h3></div></div></div><div
class="para">
7-Zip is not a base package in Fedora, but it is available in the software repository.
Once installed, the package will update alongside the rest of the software on the computer
with no special attention necessary.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step
Installation Instructions</h3></div></div></div><div
class="itemizedlist"><ul><li><div class="para">
Open a Terminal: <code class="code">Click
''Applications'' -> ''System Tools'' ->
''Terminal''</code>
</div></li><li><div class="para">
Install 7-Zip with sudo access: <code class="code">sudo yum install
p7zip</code>
</div></li><li><div class="para">
Close the Terminal: <code class="code">exit</code>
</div></li></ul></div></div><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step
Usage Instructions</h3></div></div></div><div
class="para">
By following these instructions you are going to compress and encrypt your
"Documents" directory. Your original "Documents" directory will remain
unaltered. This technique can be applied to any directory or file you have access to on
the filesystem.
</div><div class="itemizedlist"><ul><li><div
class="para">
Open a Terminal:<code class="code">Click
''Applications'' -> ''System Tools'' ->
''Terminal''</code>
</div></li><li><div class="para">
Compress and Encrypt: (enter a password when prompted) <code
class="code">7za a -mhe=on -ms=on -p Documents.7z Documents/</code>
</div></li></ul></div><div class="para">
The "Documents" directory is now compressed and encrypted. The following
instructions will move the encrypted archive somewhere new and then extract it.
</div><div class="itemizedlist"><ul><li><div
class="para">
Create a new directory: <code class="code">mkdir
newplace</code>
</div></li><li><div class="para">
Move the encrypted file: <code class="code">mv Documents.7z
newplace</code>
</div></li><li><div class="para">
Go to the new directory: <code class="code">cd newplace</code>
</div></li><li><div class="para">
Extract the file: (enter the password when prompted) <code
class="code">7za x Documents.7z</code>
</div></li></ul></div><div class="para">
The archive is now extracted into the new location. The following instructions will
clean up all the prior steps and restore your computer to its previous state.
</div><div class="itemizedlist"><ul><li><div
class="para">
Go up a directory: <code class="code">cd ..</code>
</div></li><li><div class="para">
Delete the test archive and test extraction: <code class="code">rm -r
newplace</code>
</div></li><li><div class="para">
Close the Terminal: <code class="code">exit</code>
</div></li></ul></div></div><div
class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things
of note</h3></div></div></div><div class="para">
7-Zip is not shipped by default with Microsoft Windows or Mac OS X. If you need to use
your 7-Zip files on those platforms you will need to install the appropriate version of
7-Zip on those computers. See the 7-Zip <a
href="http://www.7-zip.org/download.html">download page</a>.
</div><div class="para">
GNOME's File Roller application will recognize your .7z files and attempt to open
them, but it will fail with the error "''An error occurred while loading the
archive.''" when it attempts to do so. This is because File Roller does not
currently support the extraction of encrypted 7-Zip files. A bug report
([
http://bugzilla.gnome.org/show_bug.cgi?id=490732 Gnome Bug 490732]) has been submitted.
</div></div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard
(GnuPG)</h2></div></div></div><div class="para">
GPG is used to identify yourself and authenticate your communications, including those
with people you don't know. GPG allows anyone reading a GPG-signed email to verify its
authenticity. In other words, GPG allows someone to be reasonably certain that
communications signed by you actually are from you. GPG is useful because it helps prevent
third parties from altering code or intercepting conversations and altering the message.
</div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating
GPG Keys in GNOME</h3></div></div></div><div
class="para">
Install the Seahorse utility, which makes GPG key management easier. From the main
menu, select <code class="code">System > Administration >
Add/Remove Software</code> and wait for PackageKit to start. Enter <code
class="code">Seahorse</code> into the text box and select the Find.
Select the checkbox next to the ''seahorse'' package and select
''Apply'' to add the software. You can also install <code
class="code">Seahorse</code> at the command line with the command
<code class="code">su -c "yum install seahorse"</code>.
</div><div class="para">
To create a key, from the ''Applications > Accessories'' menu
select ''Passwords and Encryption Keys'', which starts the application
<code class="code">Seahorse</code>. From the ''Key''
menu select ''Create New Key...'' then ''PGP Key'' then
click ''Continue''. Type your full name, email address, and an optional
comment describing who are you (e.g.: John C. Smith, jsmith(a)example.com, The Man). Click
''Create''. A dialog is displayed asking for a passphrase for the key.
Choose a strong passphrase but also easy to remember. Click ''OK'' and the
key is created.
</div><div class="warning"><h2>Warning</h2><div
class="para">
If you forget your passphrase, the key cannot be used and any data encrypted using
that key will be lost.
</div></div><div class="para">
To find your GPG key ID, look in the ''Key ID'' column next to the
newly created key. In most cases, if you are asked for the key ID, you should prepend
"0x" to the key ID, as in "0x6789ABCD". You should make a backup of
your private key and store it somewhere secure.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating
GPG Keys in KDE</h3></div></div></div><div
class="para">
Start the KGpg program from the main menu by selecting Applications > Utilities
> Encryption Tool. If you have never used KGpg before, the program walks you
through the process of creating your own GPG keypair. A dialog box appears prompting you
to create a new key pair. Enter your name, email address, and an optional comment. You can
also choose an expiration time for your key, as well as the key strength (number of bits)
and algorithms. The next dialog box prompts you for your passphrase. At this point, your
key appears in the main <code class="code">KGpg</code> window.
</div><div class="warning"><h2>Warning</h2><div
class="para">
If you forget your passphrase, the key cannot be used and any data encrypted using
that key will be lost.
</div></div><div class="para">
To find your GPG key ID, look in the ''Key ID'' column next to the
newly created key. In most cases, if you are asked for the key ID, you should prepend
"0x" to the key ID, as in "0x6789ABCD". You should make a backup of
your private key and store it somewhere secure.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating
GPG Keys Using the Command Line</h3></div></div></div><div
class="para">
Use the following shell command: <code class="code">gpg
--gen-key</code>
</div><div class="para">
This command generates a key pair that consists of a public and a private key. Other
people use your public key to authenticate and/or decrypt your communications. Distribute
your public key as widely as possible, especially to people who you know will want to
receive authentic communications from you, such as a mailing list. The Fedora
Documentation Project, for example, asks participants to include a GPG public key in their
self-introduction.
</div><div class="para">
A series of prompts directs you through the process. Press the <code
class="code">Enter</code> key to assign a default value if desired. The
first prompt asks you to select what kind of key you prefer:
</div><div class="para">
Please select what kind of key you want: (1) DSA and ElGamal (default) (2) DSA (sign
only) (4) RSA (sign only) Your selection? In almost all cases, the default is the correct
choice. A DSA/ElGamal key allows you not only to sign communications, but also to encrypt
files.
</div><div class="para">
Next, choose the key size: minimum keysize is 768 bits default keysize is 1024 bits
highest suggested keysize is 2048 bits What keysize do you want? (1024) Again, the default
is sufficient for almost all users, and represents an ''extremely'' strong
level of security.
</div><div class="para">
Next, choose when the key will expire. It is a good idea to choose an expiration date
instead of using the default, which is ''none.'' If, for example, the
email address on the key becomes invalid, an expiration date will remind others to stop
using that public key.
</div><div class="para">
Please specify how long the key should be valid. 0 = key does not expire d = key
expires in n days w = key expires in n weeks m = key expires in n months y = key expires
in n years Key is valid for? (0)
</div><div class="para">
Entering a value of <code class="code">1y</code>, for example,
makes the key valid for one year. (You may change this expiration date after the key is
generated, if you change your mind.)
</div><div class="para">
Before the <code class="code">gpg</code>code> program asks
for signature information, the following prompt appears: <code
class="code">Is this correct (y/n)?</code> Enter <code
class="code">y</code>code> to finish the process.
</div><div class="para">
Next, enter your name and email address. Remember this process is about authenticating
you as a real individual. For this reason, include your real name. Do not use aliases or
handles, since these disguise or obfuscate your identity.
</div><div class="para">
Enter your real email address for your GPG key. If you choose a bogus email address, it
will be more difficult for others to find your public key. This makes authenticating your
communications difficult. If you are using this GPG key for
[[DocsProject/SelfIntroduction| self-introduction]] on a mailing list, for example, enter
the email address you use on that list.
</div><div class="para">
Use the comment field to include aliases or other information. (Some people use
different keys for different purposes and identify each key with a comment, such as
"Office" or "Open Source Projects.")
</div><div class="para">
At the confirmation prompt, enter the letter O to continue if all entries are correct,
or use the other options to fix any problems. Finally, enter a passphrase for your secret
key. The <code class="code">gpg</code> program asks you to enter
your passphrase twice to ensure you made no typing errors.
</div><div class="para">
Finally, <code class="code">gpg</code> generates random data to
make your key as unique as possible. Move your mouse, type random keys, or perform other
tasks on the system during this step to speed up the process. Once this step is finished,
your keys are complete and ready to use:
</div><pre class="screen">
pub 1024D/1B2AFA1C 2005-03-31 John Q. Doe (Fedora Docs Project)
&lt;jqdoe(a)example.com&gt;
Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A FA1C
sub 1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31]
</pre><div class="para">
The key fingerprint is a shorthand "signature" for your key. It allows you to
confirm to others that they have received your actual public key without any tampering.
You do not need to write this fingerprint down. To display the fingerprint at any time,
use this command, substituting your email address: <code class="code"> gpg
--fingerprint jqdoe(a)example.com </code>
</div><div class="para">
Your "GPG key ID" consists of 8 hex digits identifying the public key. In the
example above, the GPG key ID is 1B2AFA1C. In most cases, if you are asked for the key ID,
you should prepend "0x" to the key ID, as in "0x1B2AFA1C".
</div><div class="warning"><h2>Warning</h2><div
class="para">
If you forget your passphrase, the key cannot be used and any data encrypted using
that key will be lost.
</div></div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h3 class="title"
id="sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About
Public Key Encryption</h3></div></div></div><div
class="orderedlist"><ol><li><div class="para">
<a
href="http://en.wikipedia.org/wiki/Public-key_cryptography">... -
Public Key Cryptography</a>
</div></li><li><div class="para">
<a
href="http://computer.howstuffworks.com/encryption.htm">HowS... -
Encryption</a>
</div></li></ol></div></div></div></div><div
class="chapter" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security_Guide-General_Principles_of_Information_Security">Chapter 4. General
Principles of Information Security</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1.
Tips, Guides, and Tools</a></span></dt></dl></div><div
class="para">
The following general principals provide an overview of good security practices:
</div><div class="itemizedlist"><ul><li><div
class="para">
encrypt all data transmitted over networks to help prevent man-in-the-middle attacks
and eavesdropping. It is important to encrypt authentication information, such as
passwords.
</div></li><li><div class="para">
minimize the amount of software installed and running services.
</div></li><li><div class="para">
use security-enhancing software and tools, for example, Security-Enhanced Linux
(SELinux) for Mandatory Access Control (MAC), Netfilter iptables for packet filtering
(firewall), and the GNU Privacy Guard (GnuPG) for encrypting files.
</div></li><li><div class="para">
if possible, run each network service on a separate system to minimize the risk of one
compromised service being used to compromise other services.
</div></li><li><div class="para">
maintain user accounts: create and enforce a strong password policy; delete unused
user accounts.
</div></li><li><div class="para">
routinely review system and application logs. By default, security-relevant system
logs are written to <code class="filename">/var/log/secure</code>
and <code class="filename">/var/log/audit/audit.log</code>. Note:
sending logs to a dedicated log server helps prevent attackers from easily modifying local
logs to avoid detection.
</div></li><li><div class="para">
never log in as the root user unless absolutely necessary. It is recommended that
administrators use <code class="command">sudo</code> to execute
commands as root when required. Users capable of running <code
class="command">sudo</code> are specified in <code
class="filename">/etc/sudoers</code>. Use the <code
class="command">visudo</code> utility to edit <code
class="filename">/etc/sudoers</code>.
</div></li></ul></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips,
Guides, and Tools</h2></div></div></div><div
class="para">
The United States' <a
href="http://www.nsa.gov/">National Security
Agency (NSA)</a> provides hardening guides and tips for many different operating
systems, to help government agencies, businesses, and individuals secure their systems
against attack. The following guides (in PDF format) provide guidance for Red Hat
Enterprise Linux 5:
</div><div class="itemizedlist"><ul><li><div
class="para">
<a
href="http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf...
Tips for the Red Hat Enterprise Linux 5</a>
</div></li><li><div class="para">
<a
href="http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf&qu... to
the Secure Configuration of Red Hat Enterprise Linux 5</a>
</div></li></ul></div><div class="para">
The <a
href="http://www.disa.mil/">Defense Information Systems Agency
(DISA)</a> provides documentation, checklists, and tests to help secure your system
(<a
href="http://iase.disa.mil/index2.html">Information Assurance Support
Environment</a>). The <a
href="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">UNIX SECURITY
TECHNICAL IMPLEMENTATION GUIDE</a> (PDF) is a very specific guide to UNIX security -
an advanced knowledge of UNIX and Linux is recommended before reading this guide.
</div><div class="para">
The DISA <a
href="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1-16_20...
Security Checklist Version 5, Release 1.16</a> provides a collection of documents
and checklists, ranging from the correct ownerships and modes for system files, to patch
control.
</div><div class="para">
Also, DISA has made available <a
href="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SPR scripts</a>
that allow administrators to check specific settings on systems. These scripts provide
XML-formatted reports listing any known vulnerable settings.
</div></div></div><div class="chapter"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security_Guide-Secure_Installation">Chapter 5. Secure
Installation</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk
Partitions</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2.
Utilize LUKS Partition
Encryption</a></span></dt></dl></div><div
class="para">
Security begins with the first time you put that CD or DVD into your disk drive to
install Fedora. Configuring your system securely from the beginning makes it easier to
implement additional security settings later.
</div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk
Partitions</h2></div></div></div><div
class="para">
The NSA recommends creating separate partitions for /boot, /, /home, /tmp, and
/var/tmp. The reasons for each are different and we will address each partition.
</div><div class="para">
/boot - This partition is the first partition that is read by the system during boot
up. The boot loader and kernel images that are used to boot your system into Fedora are
stored in this partition. This partition should not be encrypted. If this partition is
included in / and that partition is encrypted or otherwise becomes unavailable then your
system will not be able to boot.
</div><div class="para">
/home - When user data (/home) is stored in / instead of in a separate partition, the
partition can fill up causing the operating system to become unstable. Also, when
upgrading your system to the next version of Fedora it is a lot easier when you can keep
your data in the /home partition as it will not be overwritten during installation. If the
root partition (/) becomes corrupt your data could be lost forever. By using a separate
partition there is slightly more protection against data loss. You can also target this
partition for frequent backups.
</div><div class="para">
/tmp and /var/tmp - Both the /tmp and the /var/tmp directories are used to store data
that doesn't need to be stored for a long period of time. However if a lot of data
floods one of these directories it can consume all of your storage space. If this happens
and these directories are stored within / then your system could become unstable and
crash. For this reason, moving these directories into their own partitions is a good
idea.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize
LUKS Partition Encryption</h2></div></div></div><div
class="para">
Since Fedora 9, implementation of <a
href="http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncrypt...
Unified Key Setup-on-disk-format</a>(LUKS) encryption has become a lot easier.
During the installation process an option to encrypt your partitions will be presented to
the user. The user must supply a passphrase that will be the key to unlock the bulk
encryption key that will be used to secure the partition's data.
</div></div></div><div class="chapter"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security_Guide-Software_Maintenance">Chapter 6. Software
Maintenance</h2></div></div></div><div
class="toc"><dl><dt><span class="section"><a
href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1.
Install Minimal Software</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2.
Plan and Configure Security Updates</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3.
Adjusting Automatic Updates</a></span></dt><dt><span
class="section"><a
href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4.
Install Signed Packages from Well Known
Repositories</a></span></dt></dl></div><div
class="para">
Software maintenance is extremely important to maintaining a secure system. It is vital
to patch software as soon as it becomes available in order to prevent attackers from using
known holes to infiltrate your system.
</div><div class="section" lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install
Minimal Software</h2></div></div></div><div
class="para">
It is best practice to install only the packages you will use because each piece of
software on your computer could possibly contain a vulnerability. If you are installing
from the DVD media take the opportunity to select exactly what packages you want to
install during the installation. When you find you need another package, you can always
add it to the system later.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan
and Configure Security Updates</h2></div></div></div><div
class="para">
All software contains bugs. Often, these bugs can result in a vulnerability that can
expose your system to malicious users. Unpatched systems are a common cause of computer
intrusions. You should have a plan to install security patches in a timely manner to close
those vulnerabilities so they can not be exploited.
</div><div class="para">
For home users, security updates should be installed as soon as possible. Configuring
automatic installation of security updates is one way to avoid having to remember, but
does carry a slight risk that something can cause a conflict with your configuration or
with other software on the system.
</div><div class="para">
For business or advanced home users, security updates should be tested and schedule for
installation. Additional controls will need to be used to protect the system during the
time between the patch release and its installation on the system. These controls would
depend on the exact vulnerability, but could include additional firewall rules, the use of
external firewalls, or changes in software settings.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting
Automatic Updates</h2></div></div></div><div
class="para">
Fedora is configured to apply all updates on a daily schedule. If you want to change
the how your system installs updates you must do so via '''Software Update
Preferences'''. You can change the schedule, the type of updates to apply or
to notify you of available updates.
</div><div class="para">
In Gnome, you can find controls for your updates at: <code
class="code">System -> Preferences -> Software
Updates</code>. In KDE it is located at: <code
class="code">Applications -> Settings -> Software
Updates</code>.
</div></div><div class="section"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install
Signed Packages from Well Known
Repositories</h2></div></div></div><div
class="para">
Software packages are published through repositories. All well known repositories
support package signing. Package signing uses public key technology to prove that the
package that was published by the repository has not been changed since the signature was
applied. This provides some protection against installing software that may have been
maliciously altered after the package was created but before you downloaded it.
</div><div class="para">
Using too many repositories, untrustworthy repositories, or repositories with unsigned
packages has a higher risk of introducing malicious or vulnerable code into your system.
Use caution when adding repositories to yum/software update.
</div></div></div><div class="chapter"
lang="en-US"><div
class="titlepage"><div><div><h2 class="title"
id="chap-Security_Guide-References">Chapter 7. References</h2></div></div></div><div
class="para">
The following references are pointers to additional information that is relevant to
SELinux and Fedora but beyond the scope of this guide. Note that due to the rapid
development of SELinux, some of this material may only apply to specific releases of
Fedora.
</div><div class="variablelist"
id="vari-Security_Guide-References-Books"><h6>Books</h6><dl><dt><span
class="term">SELinux by Example</span></dt><dd><div
class="para">
Mayer, MacMillan, and Caplan
</div><div class="para">
Prentice Hall, 2007
</div></dd></dl></div><div class="variablelist"
id="vari-Security_Guide-References-Tutorials_and_Help"><h6>Tutorials
and Help</h6><dl><dt><span class="term">Understanding
and Customizing the Apache HTTP SELinux Policy</span></dt><dd><div
class="para">
<a
href="http://fedora.redhat.com/docs/selinux-apache-fc3/">htt...
</div></dd><dt><span class="term">Tutorials and
talks from Russell Coker</span></dt><dd><div
class="para">
<a
href="http://www.coker.com.au/selinux/talks/ibmtu-2004/">http://www.coker.com.au/selinux/talks/ibmtu-2004/</a>
</div></dd><dt><span class="term">Generic Writing
SELinux policy HOWTO</span></dt><dd><div class="para">
<a
href="http://www.lurking-grue.org/writingselinuxpolicyHOWTO.html&quo...
</div></dd><dt><span class="term">Red Hat
Knowledgebase</span></dt><dd><div class="para">
<a
href="http://kbase.redhat.com/">http://kbase.redhat.com/<...
</div></dd></dl></div><div class="variablelist"
id="vari-Security_Guide-References-General_Information"><h6>General
Information</h6><dl><dt><span class="term">NSA SELinux
main website</span></dt><dd><div class="para">
<a
href="http://www.nsa.gov/research/selinux/index.shtml">http:...
</div></dd><dt><span class="term">NSA SELinux
FAQ</span></dt><dd><div class="para">
<a
href="http://www.nsa.gov/research/selinux/faqs.shtml">http:/...
</div></dd><dt><span class="term">Fedora SELinux FAQ
</span></dt><dd><div class="para">
<a
href="http://fedora.redhat.com/docs/selinux-faq-fc3/">http:/...
</div></dd><dt><span class="term">SELinux NSA's
Open Source Security Enhanced Linux</span></dt><dd><div
class="para">
<a
href="http://www.oreilly.com/catalog/selinux/">http://www.or...
</div></dd></dl></div><div class="variablelist"
id="vari-Security_Guide-References-Technology"><h6>Technology</h6><dl><dt><span
class="term">An Overview of Object Classes and
Permissions</span></dt><dd><div class="para">
<a
href="http://www.tresys.com/selinux/obj_perms_help.html">htt...
</div></dd><dt><span class="term">Integrating
Flexible Support for Security Policies into the Linux Operating System (a history of Flask
implementation in Linux)</span></dt><dd><div
class="para">
<a
href="http://www.nsa.gov/research/_files/selinux/papers/selsymp2005....
</div></dd><dt><span class="term">Implementing
SELinux as a Linux Security Module</span></dt><dd><div
class="para">
<a
href="http://www.nsa.gov/research/_files/publications/implementing_s...
</div></dd><dt><span class="term">A Security Policy
Configuration for the Security-Enhanced Linux</span></dt><dd><div
class="para">
<a
href="http://www.nsa.gov/research/_files/selinux/papers/policy/polic...
</div></dd></dl></div><div class="variablelist"
id="vari-Security_Guide-References-Community"><h6>Community</h6><dl><dt><span
class="term">Fedora SELinux User
Guide</span></dt><dd><div class="para">
<a
href="http://docs.fedoraproject.org/selinux-user-guide/">htt...
</div></dd><dt><span class="term">Fedora SELinux
Managing Confined Services Guide</span></dt><dd><div
class="para">
<a
href="http://docs.fedoraproject.org/selinux-managing-confined-servic...
</div></dd><dt><span class="term">SELinux community
page</span></dt><dd><div class="para">
<a
href="http://selinux.sourceforge.net">http://selinux.sourceforge.net</a>
</div></dd><dt><span
class="term">IRC</span></dt><dd><div
class="para">
irc.freenode.net, #selinux, #fedora-selinux, #security
</div></dd></dl></div><div class="variablelist"
id="vari-Security_Guide-References-History"><h6>History</h6><dl><dt><span
class="term">Quick history of Flask</span></dt><dd><div
class="para">
<a
href="http://www.cs.utah.edu/flux/fluke/html/flask.html">htt...
</div></dd><dt><span class="term">Full background on
Fluke</span></dt><dd><div class="para">
<a
href="http://www.cs.utah.edu/flux/fluke/html/index.html">htt...
</div></dd></dl></div></div></div></body></html>