Revision comparison: earlier revision (→ssh: ecc question); latest revision by Shawndwells (talk | contribs) (→SCAP); 7 intermediate revisions by one other user not shown.
Latest revision as of 04:37, 11 February 2014
History
The current (Fedora 20) Security Guide (minus the SELinux stuff) is a mash-up of the RHEL 6 Security Guide and the hardening advice that was posted on the Fedora wiki around the time of Fedora 12. It's quite obvious to anyone reading the entire document that the beginning of the guide reads one way while the end reads differently, as if they had different missions (they do!).
Looking forward
It's okay to look at the guide and say that, while much of it is okay, much of it is crap. There may be a need for basic security education, but I feel that it is best suited to other documentation and training resources. I'd like to go into the next version of this guide with a fresh look at what is needed: hardening advice, auditing advice, how to use the security tools that are available, etc. This will not be easy, but it's doable.
The recommended configuration should disable any algorithms that don't provide 128 bits of security (see NIST SP 800-57 and the ENISA "Algorithms, Key Sizes and Parameters Report. 2013 recommendations" for details). The guide should (whenever possible) also provide information about possible compatibility problems introduced by the changed settings and ways to diagnose issues if they arise.
Topics to be covered
SELinux
There is a lot of SELinux stuff in the guide. It needs to be combed through and evaluated to determine what is needed, necessary, and up to date. There is also a treasure trove of stuff on Dan Walsh's blog that needs to be converted and brought into the mix. I'm sure we're missing some rather large topics regarding what SELinux can do now.
Firewalls
Yeah, there is currently no good documentation on setting up firewalld.
Partitioning
Provide recommended secure partitioning scheme(s) with minimum sizes, usage of LVM and explain why.
SCAP
Man, this is going to be a huge topic. From setup to auditing to writing your own rules... SCAP should be written up well. (Leverage all the work the SCAP Security Guide community has done)
Perhaps author the Fedora Security Guide from the SSG? This will allow for XCCDF content, and give the community "requirements" to start authoring OVAL against.
Encryption
It's hard. Let's try to make it a little easier.
- Hardware-based full disk encryption. Caveat: Certain firmware does not prompt for the password on warm reboots, so you need to add a GRUB password (otherwise someone at the console could just switch to a VTY, reboot, and access the box), which is currently not supported (bug 840160, https://bugzilla.redhat.com/show_bug.cgi?id=840160).
Address FIPS compliance, or specifically that it is not FIPS-compliant, and explain why.
Use cases
httpd
How do I set up Apache to be secure and use good ciphers?
Explain why certain ciphers are good, and why others are bad.
dovecot
How do I set up dovecot to be secure and use good ciphers?
Explain why certain ciphers are good, and why others are bad.
ssh
How to set up secure root logon (PermitRootLogin)? How to regenerate host keys (because early boot is entropy-starved). How to generate host and user keys that provide 128 bits of security (3072-bit RSA, 256-bit ECDSA). Best practice on ssh key usage, distribution, key signing, and ssh-agent usage. How to set up two-factor authentication. How to disable insecure algorithms in both server and client (group1 DH key exchange, single DES and arc4 (RC4) encryption).
When using ECC, which curves match the best practices, and how can users enable them? How does http://safecurves.cr.yp.to/ fit in?
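As an added example (not code from the Security Guide or this wiki page), a POSIX shell script that covers the ssh items above together with the 128-bit requirement stated under "Looking forward": it audits an sshd_config for group1 DH, arcfour/DES ciphers and permissive PermitRootLogin, prints a hardened fragment, and regenerates host keys at 3072-bit RSA / 256-bit ECDSA. Option and algorithm names are OpenSSH 6.x's (the version in Fedora 20); treating 3des-cbc and diffie-hellman-group14-sha1 as below the 128-bit bar, the function names, and /etc/ssh as the key directory are my assumptions.

```shell
#!/bin/sh
# Added example for the Fedora Security Guide planning page; not the guide's
# own code. Assumes OpenSSH 6.x option/algorithm names and /etc/ssh paths.

# Weak algorithms named on the page: group1 DH, single DES, arcfour (RC4).
# Assumption: group14 (2048-bit MODP, ~112 bits) and 3des-cbc (112 bits) are
# also flagged because they fall below the page's 128-bit target.
WEAK_KEX='diffie-hellman-group1-sha1|diffie-hellman-group14-sha1'
WEAK_CIPHER='(^|,)(des-cbc|3des-cbc|arcfour|arcfour128|arcfour256)(,|$)'

# Effective value of KEYWORD in FILE. sshd honours the FIRST non-comment
# occurrence of a keyword and ignores later duplicates, so do the same.
effective_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Audit FILE: prints one finding per line, returns 1 if any were found and
# 0 when clean. Unset options are judged by their OpenSSH 6.x defaults, which
# still include group1 DH, arcfour and 3des-cbc.
audit_sshd_config() {
    file=$1
    bad=0

    prl=$(effective_value PermitRootLogin "$file")
    case "${prl:-yes}" in
        no|without-password|forced-commands-only) ;;
        *) echo "PermitRootLogin is '${prl:-yes}': password root logon allowed"
           bad=1 ;;
    esac

    kex=$(effective_value KexAlgorithms "$file")
    if [ -z "$kex" ]; then
        echo "KexAlgorithms unset: default list includes group1 DH"
        bad=1
    elif printf '%s\n' "$kex" | grep -Eq "$WEAK_KEX"; then
        echo "KexAlgorithms enables a sub-128-bit DH group: $kex"
        bad=1
    fi

    ciphers=$(effective_value Ciphers "$file")
    if [ -z "$ciphers" ]; then
        echo "Ciphers unset: default list includes arcfour and 3des-cbc"
        bad=1
    elif printf '%s\n' "$ciphers" | grep -Eq "$WEAK_CIPHER"; then
        echo "Ciphers enables a weak or sub-128-bit cipher: $ciphers"
        bad=1
    fi

    return "$bad"
}

# Hardened fragment: 128-bit-class host keys, KEX and ciphers only, no root
# logon. Merge into /etc/ssh/sshd_config and run `sshd -t` before restarting.
hardened_sshd_fragment() {
    cat <<'EOF'
PermitRootLogin no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
EOF
}

# Regenerate host keys at 128-bit security (3072-bit RSA, 256-bit ECDSA),
# e.g. once the box has gathered entropy after its entropy-starved first boot.
# Needs root and ssh-keygen, so the demo below does not call it.
regen_host_keys() {
    dir=${1:-/etc/ssh}
    for t in rsa ecdsa; do
        rm -f "$dir/ssh_host_${t}_key" "$dir/ssh_host_${t}_key.pub"
    done
    ssh-keygen -q -t rsa -b 3072 -N '' -f "$dir/ssh_host_rsa_key" &&
    ssh-keygen -q -t ecdsa -b 256 -N '' -f "$dir/ssh_host_ecdsa_key"
}

# Demo on two constructed configs: a weak one and the hardened fragment.
demo() {
    weak=$(mktemp)
    printf 'PermitRootLogin yes\nKexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1\nCiphers arcfour,aes128-ctr\n' > "$weak"
    good=$(mktemp)
    hardened_sshd_fragment > "$good"
    for f in "$weak" "$good"; do
        if audit_sshd_config "$f"; then
            echo "$f: OK"
        else
            echo "$f: needs fixing"
        fi
    done
    rm -f "$weak" "$good"
}
demo
```

Run it as-is to see the audit on the two constructed configs; point `audit_sshd_config` at a real `/etc/ssh/sshd_config` to check a host. The first-occurrence-wins lookup matters in practice: a hardened line appended at the end of a config that already sets `PermitRootLogin yes` near the top changes nothing, which a naive `grep | tail -1` check would miss.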
Auditing
Application and daemons sandboxing
How to sandbox an application or system service. Address centralizing syslog/audit log files.
IPv4/IPv6
How to securely set up IPv6. Security issues with tunneling IPv6 over IPv4.