SELinux is addressed in a completely separate guide. Eric On Wed, 2009-03-11 at 08:59 -0400, Daniel J Walsh wrote:

On Wed, 11 Mar 2009 10:55:05 -0400 Daniel J Walsh <dwalsh(a)redhat.com&gt; wrote: You make a good point, mention of SELinux was quite buried among other stuff, so I've added a short section early on in the guide to briefly describe it and refer to further information. Thanks for pointing this out. Specifically, section 1.1.2 which you can see here: http://sradvan.fedorapeople.org/Security_Guide/en-US/ Cheers, -- Scott Radvan, Content Author Red Hat APAC (Brisbane) http://www.apac.redhat.com

On Thu, 12 Mar 2009 09:19:37 +1000 Scott Radvan <sradvan(a)redhat.com&gt; wrote: Some general comments: - As of F10 (I think) sha256 is the default, not md5 for passwords. Check the "2.1.3. Password Security" section for that? - Where you mention tools it might be cool to mention the ones that are available in Fedora/EPEL currently. Might be too hard to tag them all and keep it up to date however. - Section "2.4.7.1. Device Ownership". Is pam_console really still used for this? I thought ConsoleKit did all the setup anymore. - How about a section on openvpn? It should be a lot easier rand more flexable than ipsec. - ecryptfs might be worth a mention in the encryption section. Possibly also fuse-encfs ? Thats the ones I see off the top of my head. ;) Thanks for writing this up! kevin

Hello, On Wed, 2009-03-11 at 12:43 +1000, Scott Radvan wrote: How do you want comments? I see the other comments back to this list but I also followed some links down to fedorahosted.org under the "We need feedback" section. I've only given it a preliminary glance but I've passed the URL onto others of my "Threat Analysis Team" at Internet Security Systems (ISS now IBM-ISS). Here are some of my preliminary thoughts on what you have and I'll look at signing up on the site... Couple of things. Very good on the smart-card stuff. I'm a very big proponent on that. The more the better. Please add information on using smartcards with ssh. I got that to eventually work on F9 but it was a royal PITA. Really could use an expanded section on ssh and ssh authentication methods. Ssh is such a major component in a number of other tools, such as rsync, it needs emphasized coverage or possibly a reference to more extensive works. Use of authentication keys and authentication agents should get some coverage. Kerberos got fairly extended coverage but I would wager more people use ssh than have to deal with Kerberos. 2.1.3. Password Security Creating strong passwords and password creation methodology - very good. More emphasis on "passphrases" to replace "passwords" would be even better. IMNSHO, password aging is actually bad for security. People think it improves security when, in fact, it degrades security. My reasoning here: In addition to encouraging people to write them down (which is one good point against password aging): * It ignores the "anatomy of a hack" model where the attackers first action as part of compromising a password is to secure his access regardless of password. This can take the form of backdoors or simply ssh authorized keys. The password is never needed after that. * For the above reason, changing a password does not resecure a compromised account nor does it limit access from an attacker. * It encourages people to use the same or similar passwords for multiple accounts to ease remembering. * It forces users to periodically enter a "new" password twice under circumstances which may itself lead to compromise. Shoulder surfing someone when they are changing a password is much easier because it's easier to spot and they're entering it twice making the shoulder surfing itself easier. Trojaned password changing apps are also common in hacker toolkits. * It discourages strong (difficult to remember) passwords. Good strong passwords can be difficult to come up with. A good strong password is not something an attacker is going to brute force (maybe shoulder surf, if he's really REALLY good at it). * Encouraging weak passwords can result in a "jumping in front of a bus" effect (this time around you just happen to select a password they are guessing for). * It is no replacement for strong passwords which have been checked for complexity. * With stong passwords, it is not necessary. * Without strong passwords, it is not sufficient. * It may be required for corporate compliance under the guise of "security" but that can lead to a false sense of security. You may have to do it anyways, just don't even begin to think it means you're secure. Section 3 Encryption No mention of E-Mail encryption, or S/MIME (or PGP/Mime). Section 2.2 Server Security No mention of using SSL protected protocols (https, pop3s, imaps, smtps) as secure alternatives. Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw(a)WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!