On Thu, 2007-12-20 at 19:29 -0800, riley.marquis(a)tcsresearch.org wrote:
> Security Updates For Fedora 9
>
> Greetings!
>
> I had several ideas for Fedora 9 in regards to improving the security of a
> default installation.
>
> 1: Disable root account / Use Sudo

Maybe more secure from one point of view, maybe less secure from another.
So please no.

> 2: /etc/ssh/sshd_config changes
> -PermitRootLogin no (currently 'yes')

Not before we have a way to log in on a remotely installed VNC machine.

> -LoginGraceTime 1m (currently 2m)

If upstream changes it then yes.

> -Banner /etc/issue.net (currently not set)

sshd doesn't support escape sequences which are currently present in
issue.net

> -AllowGroups wheel (currently not set)

No.

> We should also see if the OpenSSH developers would be willing to make
> these changes the default on Portable OpenSSH.

They wouldn't except perhaps the LoginGraceTime change.

> 3: Add wheel group if not present
> If there is no wheel group by default, we should include one in Fedora 9.
> This means deciding on what Group ID (GID) to use. Anaconda would need to
> force creation of a user account that is a part of this group.

There is a wheel group by default with root as a member.

> 4: GCC Lockdowns
> With the new GCC-4.3.0 recently built for Fedora 9, we should forbid
> ordinary users access to the programs it contains, incl. rpmbuild, mock,
> etc. Only members of the wheel, koji, and mock groups should have access
> to software development tools. Did I miss any groups that should be
> allowed access?

Nonsense.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
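
An added example, not part of the original message and not OpenSSH or Fedora code: a Python check that reads an sshd_config, works out the effective global value of the four keywords discussed above, and lists where it departs from the proposed settings, including the getty-style escapes in a banner file that the reply points out sshd does not expand. The defaults are the "currently" values quoted in the thread; the sample config and banner text are constructed, and the function names are hypothetical.

```python
import re

# "Currently" values quoted in the thread, used when a keyword is absent.
DEFAULTS = {"permitrootlogin": "yes", "logingracetime": "2m", "banner": "none", "allowgroups": ""}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Constructed sample inputs, not taken from any real host.
SAMPLE_CONFIG = "PermitRootLogin no\npermitrootlogin yes\nLoginGraceTime 1m\nBanner /etc/issue.net\n"
SAMPLE_BANNER = "Example release 0 (Constructed)\nKernel \\r on an \\m\n"

def effective(config_text):
    """Global settings: keywords are case-insensitive and the first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":  # conditional blocks are not evaluated
            break
        seen.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def seconds(spec):
    """Convert an sshd time value such as '90', '1m' or '1h30m' to seconds."""
    if not spec or not re.fullmatch(r"(?:\d+[smhdw])*\d*", spec, re.I):
        raise ValueError(f"bad time value: {spec!r}")
    return sum(int(n) * UNITS[u.lower()] for n, u in re.findall(r"(\d+)([a-z]?)", spec, re.I))

def banner_escapes(banner_text):
    """Getty-style backslash escapes, which sshd would send to clients unexpanded."""
    return sorted(set(re.findall(r"\\[A-Za-z]", banner_text)))

def differences(config_text, banner_text=""):
    """List where a config departs from the four settings proposed in the thread."""
    cfg, out = effective(config_text), []
    if cfg["permitrootlogin"].lower() != "no":
        out.append("PermitRootLogin is not no")
    grace = seconds(cfg["logingracetime"])
    if grace == 0 or grace > 60:  # 0 means no time limit at all
        out.append("LoginGraceTime exceeds 1m")
    if cfg["banner"].lower() == "none":
        out.append("Banner not set")
    elif banner_escapes(banner_text):
        out.append("Banner file has literal escapes: " + " ".join(banner_escapes(banner_text)))
    if "wheel" not in cfg["allowgroups"].split():
        out.append("AllowGroups does not include wheel")
    return out
```

Pass the contents of the file named by Banner as the second argument; Match blocks are skipped, so per-user or per-host overrides are not reflected in the result.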