Fedora 20

Security Guide

A Guide to Securing Fedora Linux

Edition 20.0

Johnray Fuller

Red Hat

John Ha

Red Hat

David O'Brien

Red Hat

Scott Radvan

Red Hat

Eric Christensen

Fedora Project Documentation Team

Adam Ligas

Fedora Project

Murray McAllister

Red Hat Engineering Content Services

Scott Radvan

Red Hat Engineering Content Services

Daniel Walsh

Red Hat Security Engineering

Dominick Grift

Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Users, and Troubleshooting chapters. 

Eric Paris

Technical editor for the Mounting File Systems and Raw Audit Messages sections. 
Red Hat Security Engineering

James Morris

Technical editor for the Introduction and Targeted Policy chapters. 
Red Hat Security Engineering

Legal Notice

Copyright © 2007-2014 Fedora Project Contributors.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/Legal:Trademark_guidelines.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.

Abstract

The Fedora Security Guide is designed to assist users of Fedora in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, the Fedora Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods.

Preface
1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We want feedback
1. Security Overview
1.1. Introduction to Security
1.1.1. What is Computer Security?
1.1.2. SELinux
1.1.3. Security Controls
1.1.4. Conclusion
1.2. Attackers and Vulnerabilities
1.2.1. A Quick History of Hackers
1.2.2. Threats to Network Security
1.2.3. Threats to Server Security
1.2.4. Threats to Workstation and Home PC Security
1.3. Vulnerability Assessment
1.3.1. Thinking Like the Enemy
1.3.2. Defining Assessment and Testing
1.3.3. Evaluating the Tools
1.4. Common Exploits and Attacks
1.5. Security Updates
1.5.1. Updating Packages
1.5.2. Verifying Signed Packages
1.5.3. Installing Signed Packages
1.5.4. Applying the Changes
2. Basic Hardening Guide
2.1. General Principles
2.2. Physical Security
2.3. Why this is important
2.4. Networking
2.4.1. iptables
2.4.2. IPv6
2.5. Keeping software up to date
2.6. Services
2.7. NTP
3. Securing Your Network
3.1. Workstation Security
3.1.1. Evaluating Workstation Security
3.1.2. BIOS and Boot Loader Security
3.1.3. Password Security
3.1.4. Administrative Controls
3.1.5. Available Network Services
3.1.6. Personal Firewalls
3.1.7. Security Enhanced Communication Tools
3.2. Server Security
3.2.1. Securing Services With TCP Wrappers and xinetd
3.2.2. Securing Portmap
3.2.3. Securing NIS
3.2.4. Securing NFS
3.2.5. Securing the Apache HTTP Server
3.2.6. Securing FTP
3.2.7. Securing Sendmail
3.2.8. Verifying Which Ports Are Listening
3.3. Single Sign-on (SSO)
3.3.1. Introduction
3.3.2. Getting Started with your new Smart Card
3.3.3. How Smart Card Enrollment Works
3.3.4. How Smart Card Login Works
3.3.5. Configuring Firefox to use Kerberos for SSO
3.4. Multifactor Authentication Solutions
3.4.1. Yubikey
3.5. Pluggable Authentication Modules (PAM)
3.5.1. Advantages of PAM
3.5.2. PAM Configuration Files
3.5.3. PAM Configuration File Format
3.5.4. Sample PAM Configuration Files
3.5.5. Creating PAM Modules
3.5.6. PAM and Administrative Credential Caching
3.5.7. PAM and Device Ownership
3.5.8. Additional Resources
3.6. Kerberos
3.6.1. What is Kerberos?
3.6.2. Kerberos Terminology
3.6.3. How Kerberos Works
3.6.4. Kerberos and PAM
3.6.5. Configuring a Kerberos 5 Server
3.6.6. Configuring a Kerberos 5 Client
3.6.7. Domain-to-Realm Mapping
3.6.8. Setting Up Secondary KDCs
3.6.9. Setting Up Cross Realm Authentication
3.6.10. Additional Resources
3.7. Using Firewalls
3.7.1. Introduction to firewalld
3.7.2. Understanding firewalld
3.7.3. Comparison of Firewalld to system-config-firewall and iptables
3.7.4. Understanding Network Zones
3.7.5. Choosing a Network Zone
3.7.6. Understanding Predefined Services
3.7.7. Understanding The Direct Interface
3.7.8. Check if firewalld is installed
3.7.9. Disabling firewalld
3.7.10. Start firewalld
3.7.11. Check if firewalld is running
3.7.12. Installing firewalld
3.7.13. Configuring the Firewall
3.7.14. Additional Resources
4. Encryption
4.1. Data at Rest
4.1.1. Full Disk Encryption
4.1.2. File Based Encryption
4.2. Data in Motion
4.2.1. Virtual Private Networks (VPNs)
4.2.2. Secure Shell
4.2.3. Crypto Policy
4.2.4. Disk Encryption
4.2.5. Using GNU Privacy Guard (GnuPG)
5. General Principles of Information Security
6. Secure Installation
6.1. Disk Partitions
6.2. Utilize LUKS Partition Encryption
7. Software Maintenance
7.1. Install Minimal Software
7.2. Plan and Configure Security Updates
7.3. Adjusting Automatic Updates
7.4. Install Signed Packages from Well Known Repositories
8. Common Vulnerabilities and Exposures (CVEs)
8.1. YUM Plugin
9. Yubikey
9.1. Yubikey Neo
9.1.1. Installing the necessary tools
9.1.2. Creating the key on the Yubikey Neo
9.1.3. Using gnupg2
10. SELinux
10.1. Introduction
10.1.1. Benefits of running SELinux
10.1.2. Examples
10.1.3. SELinux Architecture
10.1.4. SELinux Modes
10.2. SELinux Contexts
10.2.1. Domain Transitions
10.2.2. SELinux Contexts for Processes
10.2.3. SELinux Contexts for Users
10.3. Targeted Policy
10.3.1. Confined Processes
10.3.2. Unconfined Processes
10.3.3. Confined and Unconfined Users
10.4. Working with SELinux
10.4.1. SELinux Packages
10.4.2. Which Log File is Used
10.4.3. Main Configuration File
10.4.4. Enabling and Disabling SELinux
10.4.5. Booleans
10.4.6. SELinux Contexts – Labeling Files
10.4.7. The file_t and default_t Types
10.4.8. Mounting File Systems
10.4.9. Maintaining SELinux Labels
10.4.10. Information Gathering Tools
10.4.11. Multi-Level Security (MLS)
10.4.12. File Name Transition
10.4.13. Disable ptrace()
10.4.14. Thumbnail Protection
10.5. The sepolicy Suite
10.5.1. The sepolicy Python Bindings
10.5.2. Generating SELinux Policy Modules: sepolicy generate
10.5.3. Understanding Domain Transitions: sepolicy transition
10.5.4. Generating Manual Pages: sepolicy manpage
10.5.5. Manage SELinux Graphically: sepolicy gui
10.6. Confining Users
10.6.1. Linux and SELinux User Mappings
10.6.2. Confining New Linux Users: useradd
10.6.3. Confining Existing Linux Users: semanage login
10.6.4. Changing the Default Mapping
10.6.5. xguest: Kiosk Mode
10.6.6. Booleans for Users Executing Applications
10.7. sVirt
10.7.1. Security and Virtualization
10.7.2. sVirt Labeling
10.8. Secure Linux Containers
10.9. SELinux systemd Access Control
10.9.1. SELinux Access Permissions for Services
10.9.2. SELinux and journald
10.10. Troubleshooting
10.10.1. What Happens when Access is Denied
10.10.2. Top Three Causes of Problems
10.10.3. Fixing Problems
10.11. Further Information
10.11.1. Contributors
10.11.2. Other Resources
11. Managing Confined Services
11.1. Introduction
11.2. The Apache HTTP Server
11.2.1. The Apache HTTP Server and SELinux
11.2.2. Types
11.2.3. Booleans
11.2.4. Configuration examples
11.3. Samba
11.3.1. Samba and SELinux
11.3.2. Types
11.3.3. Booleans
11.3.4. Configuration examples
11.4. File Transfer Protocol
11.4.1. FTP and SELinux
11.4.2. Types
11.4.3. Booleans
11.4.4. Configuration Examples
11.5. Network File System
11.5.1. NFS and SELinux
11.5.2. Types
11.5.3. Booleans
11.5.4. Configuration Examples
11.6. Berkeley Internet Name Domain
11.6.1. BIND and SELinux
11.6.2. Types
11.6.3. Booleans
11.6.4. Configuration Examples
11.7. Concurrent Versioning System
11.7.1. CVS and SELinux
11.7.2. Types
11.7.3. Booleans
11.7.4. Configuration Examples
11.8. Squid Caching Proxy
11.8.1. Squid Caching Proxy and SELinux
11.8.2. Types
11.8.3. Booleans
11.8.4. Configuration Examples
11.9. MySQL
11.9.1. MySQL and SELinux
11.9.2. Types
11.9.3. Booleans
11.9.4. Configuration Examples
11.10. PostgreSQL
11.10.1. PostgreSQL and SELinux
11.10.2. Types
11.10.3. Booleans
11.10.4. Configuration Examples
11.11. rsync
11.11.1. rsync and SELinux
11.11.2. Types
11.11.3. Booleans
11.11.4. Configuration Examples
11.12. Postfix
11.12.1. Postfix and SELinux
11.12.2. Types
11.12.3. Booleans
11.12.4. Configuration Examples
A. Encryption Standards
A.1. Synchronous Encryption
A.1.1. Advanced Encryption Standard - AES
A.1.2. Data Encryption Standard - DES
A.2. Public-key Encryption
A.2.1. Diffie-Hellman
A.2.2. RSA
A.2.3. DSA
A.2.4. SSL/TLS
A.2.5. Cramer-Shoup Cryptosystem
A.2.6. ElGamal Encryption
B. Revision History