en-US/Security.xml
John J. McDonough
jjmcd at fedoraproject.org
Thu Mar 18 19:00:30 UTC 2010
en-US/Security.xml | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 101 insertions(+), 5 deletions(-)
New commits:
commit ad00446ddc855232d71c0035d67565f251d49b48
Author: John J. McDonough <jjmcd at Aidan.(none)>
Date: Thu Mar 18 15:00:17 2010 -0400
Security beat
diff --git a/en-US/Security.xml b/en-US/Security.xml
index a38882e..f3eced5 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -3,11 +3,107 @@
]>
<section id="sect-Release_Notes-Security">
- <title>Security</title>
- <remark>This beat is located here: <ulink type="http" url="https://fedoraproject.org/wiki/Docs/Beats/Security">https://fedoraproject.org/wiki/Docs/Beats/Security</ulink></remark>
- <para>
- This section highlights various security items from Fedora.
- </para>
+ <title>Security</title>
+ <remark>
+ This beat is located here: <ulink type="http"
+ url="https://fedoraproject.org/wiki/Docs/Beats/Security">https://fedoraproject.org/wiki/Docs/Beats/Security</ulink>
+ </remark>
+
+ <section>
+ <title>Dogtag Certificate System </title>
+ <para>
+ Dogtag Certificate System (<literal>DGS</literal>) is an enterprise-class
+ open source Certificate Authority (<literal>CA</literal>) supporting all
+ aspects of certificate lifecycle management including Certificate
+ Authority (<literal>CA</literal>), Data Recovery Manager
+ (<literal>DRM</literal>), Online Certificate Status Protocol
+ (<literal>OCSP</literal>) Manager, Registration Authority
+ (<literal>RA</literal>), Token Key Service (<literal>TKS</literal>), Token
+ Processing System (<literal>TPS</literal>) and smartcard management,
+ trough ESC (<literal>Enterprise Security Client</literal>).
+ </para>
+ <para>
+ Refer to <ulink
+ url="http://fedoraproject.org/w/index.php?title=Features/DogtagCertificateSystem">
+ Dogtag Certificate System</ulink> for additional details.
+ </para>
+ </section>
+
+ <section>
+ <title>modprobe Whitelist </title>
+ <para>
+ <application>modprobe</application> Whitelist allows system administrators
+ in high-security situations to limit the modules loaded by
+ <application>modprobe</application> to a specific list of modules
+ configured by the administrator, making it impossible for unprivileged
+ users to exploit vulnerabilities in modules that are not ordinarily used
+ by e.g. attaching hardware and so limit the amount of (potentially
+ vulnerable) code that can run in the kernel.
+ </para>
+ <para>
+ <application>modprobe</application> can also run specified commands
+ instead of loading a module (using the <command>install</command>
+ configuration directive); this is restricted using the same whitelist as
+ well. To help system administrators compile the whitelist, additional
+ functionality is added to <application>modprobe</application>: it will be
+ possible to log all information (similar to using <command>modprobe
+ -v</command>) to a specified file, including
+ <application>modprobe</application> actions run in the dracut initrd. A
+ script will be provided that compiles a proposed whitelist from the logged
+ data.
+ </para>
+ <para>
+ If desired and configured by the system administrator, a significant
+ reduction of the kernel-space attack surface, avoiding risk of
+ vulnerabilities in rarely-used kernel-mode code: a sample desktop Fedora
+ system currently has 79 modules loaded, out of 1964 available modules
+ (4%). When counting code size, and the main kernel file (/boot/vmlinuz*)
+ is included, the sample desktop system runs 8.36 MB of kernel-space code,
+ out of 34.66 MB available (24%).
+ </para>
+ <para>
+ You may refer to the <ulink
+ url="http://fedoraproject.org/w/index.php?title=Features/ModprobeWhitelist">Modprobe
+ Whitelist </ulink> feature page on the Fedora wiki for a more complete
+ description of this feature.
+ </para>
+ </section>
+
+ <section>
+ <title>User Account Dialog </title>
+ <para>
+ A new User Account Dialog is redesigned and implemented to create new
+ users and edit user-related information in single-user systems or small
+ deployments. This new dialog supersedes functionality that was previously
+ available in a variety of tools, such as
+ <application>system-config-user</application>,
+ <application>gnome-about-me</application>,
+ <application>gdmsetup</application> and
+ <application>polkit-gnome-authorization</application>, and makes it
+ available in one place.
+ </para>
+ <para>
+ <ulink
+ url="http://fedoraproject.org/w/index.php?title=Features/UserAccountDialog">User
+ Account Dialog </ulink> on the Fedora wiki includes more details.
+ </para>
+ </section>
+
+ <section>
+ <title>Policy Kit One </title>
+ <para>
+ Policy Kit One replaces the old deprecated Policy Kit and allows the KDE
+ users to have a better experience of their applications and desktop in
+ general. In Fedora 12 KDE Desktop Edition uses Gnome Authentication Agent,
+ with Policy Kit One now is possible to utilize the native KDE
+ authentication agent, KAuth.
+ </para>
+ <para>
+ For a complete description of this feature, refer to <ulink
+ url="http://fedoraproject.org/w/index.php?title=Features/KDE_PolicyKitOneQt">KDE
+ PolicyKit One Qt </ulink> on the Fedora wiki.
+ </para>
+ </section>
</section>
More information about the docs-commits
mailing list