Security Changes For Fedora 9
maximilian_bianco at yahoo.com
Fri Dec 21 15:53:19 UTC 2007
Personally i like being able to log in as root when necessary. This way i don't have to worry
about a mis-configured sudoers file. I am still a little green when it comes to the security
subject but I think its important for new users to know about the root account and the dangers
involved. The advanced users will be able to set things up the way you suggest without any trouble
but a new user might be a little bewildered by the whole thing. Distros like Ubuntu setup the
first user as admin/root if i am not mistaken, Apple takes the same approach i think though i
don't know the particulars of the two setups, it makes me nervous. Feel free to educate me.
--- riley.marquis at tcsresearch.org wrote:
> Security Updates For Fedora 9
> I had several ideas for Fedora 9 in regards to improving the security of a
> default installation.
> 1: Disable root account / Use Sudo
> 2: /etc/ssh/sshd_config changes
> -PermitRootLogin no (currently 'yes')
> -LoginGraceTime 1m (currently 2m)
> -Banner /etc/issue.net (currently not set)
> -AllowGroups wheel (currently not set)
> We should also see if the OpenSSH developers would be willing to make
> these changes the default on Portable OpenSSH.
> 3: Add wheel group if not present
> If there is no wheel group by default, we should include one in Fedora 9.
> This means deciding on what Group ID (GID) to use. Anaconda would need to
> force creation of a user account that is a part of this group.
> 4: GCC Lockdowns
> With the new GCC-4.3.0 recently built for Fedora 9, we should forbid
> ordinary users access to the programs it contains, incl. rpmbuild, mock,
> etc. Only members of the wheel, koji, and mock groups should have access
> to software development tools. Did I miss any groups that should be
> allowed access?
> 5: Bastille
> Be sure to incorporate the most important Bastille fixes
> (www.bastille-linux.org). This project appears to have stalled and
> requires an older version of Fedora to run, unless you're a Perl ninja =)
> Maybe we should contact the developer (Jay Beale), and ask him what he
> needs to revive the project? Perhaps the Fedora community can be of
> 6: Make Packages for PortSentry & LogCheck
> Can we add PortSentry & LogCheck to the list of available Fedora Packages?
> I know the project appears to have stalled since late 2003.
> 7: Password Protect Single User Mode (Runlevel 1)
> 8: USB Key Authentication / Dual Factor Authentication
> Should we use PGP or another tool to allow people to login/logout with a
> USB drive?
> This would have to work for KDE and Gnome at the very least, and while we
> are at it, we might as well support XFCE. Inserting/Removing the USB
> drive could automatically login/logout the user, with or without a
> password as a second form of authentication, depending on how Joe Admin
> wants his security set up.
> 9: Can we include TrueCrypt as a new package, provided it meets the
> requirements, such as having an open source license, no patents or
> copyrights, etc?
> Hope these ideas prove useful to the community.
> Riley F. Marquis III
> Senior Analyst - TCS Research
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
Looking for last minute shopping deals?
Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
More information about the security