m (1 revision(s)) |
(→Yum) |
||
(11 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{Draft}} | |||
= DRAFT: Fedora Security Basics = | = DRAFT: Fedora Security Basics = | ||
== Fedora Security related Features == | |||
For a description fedora security related features see '''[[Security Features]]''' | |||
== Understanding Computer Security == | == Understanding Computer Security == | ||
Line 23: | Line 22: | ||
* [http://www.redhat.com/docs/manuals/enterprise/] | * [http://www.redhat.com/docs/manuals/enterprise/] | ||
== Security Measures in Fedora Systems == | == Security Measures in Fedora Systems == | ||
Line 44: | Line 42: | ||
The sections below provide some general advice on particular aspects of system security. | The sections below provide some general advice on particular aspects of system security. | ||
== User Accounts and the Root Account == | == User Accounts and the Root Account == | ||
Line 50: | Line 47: | ||
Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users. | Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users. | ||
{{ | {{Admon/warning | Avoid Logging in as <code>root</code> | You do not need to log in with the <code>root</code> account in order to manage your Fedora system.}} | ||
To perform administrative tasks, log in to your system with a standard user account, and use the <code>su</code> or <code>sudo</code> to run individual commands with the privileges of the <code>root</code> account. This ensures that only the specified commands are run with <code>root</code> access. The supplied configuration tools automatically prompt for the <code>root</code> password, if the user has not specified <code>root</code> access with <code>su</code> or <code>sudo</code>. | To perform administrative tasks, log in to your system with a standard user account, and use the <code>su</code> or <code>sudo</code> to run individual commands with the privileges of the <code>root</code> account. This ensures that only the specified commands are run with <code>root</code> access. The supplied configuration tools automatically prompt for the <code>root</code> password, if the user has not specified <code>root</code> access with <code>su</code> or <code>sudo</code>. | ||
Line 62: | Line 59: | ||
If you have several administrators for a system, configure <code>sudo</code> to enable each administrator to carry out commands with <code>root</code> access. The <code>sudo</code> facility also enables administrators to grant <code>root</code> access to user accounts for specific applications only. | If you have several administrators for a system, configure <code>sudo</code> to enable each administrator to carry out commands with <code>root</code> access. The <code>sudo</code> facility also enables administrators to grant <code>root</code> access to user accounts for specific applications only. | ||
{{ | {{Admon/note | Only One Administrator Needs the <code>root</code> Password | Authorized <code>sudo</code> users use their own password to run <code>root</code> commands with <code>sudo</code>. For this reason, only one administrator needs to know the <code>root</code> password for a server.}} | ||
Use the <code>visudo</code> command to edit the configuration file for <code>sudo</code>. | Use the <code>visudo</code> command to edit the configuration file for <code>sudo</code>. | ||
Line 69: | Line 66: | ||
* [http://www.courtesan.com/sudo/] | * [http://www.courtesan.com/sudo/] | ||
== Ensuring Strong Passwords == | == Ensuring Strong Passwords == | ||
Line 79: | Line 75: | ||
Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak. | Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak. | ||
{{ | {{Admon/tip | The <code>passwd</code> Utility Tests Password Strength | The <code>passwd</code> utility sets account passwords, and prompts if the password is too easily guessed.}} | ||
If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature. | If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature. | ||
{{ | {{Admon/important | Create Unique Passwords | Do not use the same passwords or key for more than one system.}} | ||
== Understanding Viruses and Spyware == | == Understanding Viruses and Spyware == | ||
{{ | {{Admon/important | Viruses for Microsoft Windows do not affect Linux systems | Software written for Microsoft Windows requires an appropriate system to run.}} | ||
Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves. | Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves. | ||
Line 105: | Line 100: | ||
Only install a plug-in, or any other type of software, if you trust the source of the software. If you need to compile a software product, download the source code directly from the website of the manufacturer. | Only install a plug-in, or any other type of software, if you trust the source of the software. If you need to compile a software product, download the source code directly from the website of the manufacturer. | ||
{{ | {{Admon/warning | Avoid Copying or Sending Suspicious E-mails and Files | You may pass on files that are infected with viruses designed to affect Microsoft Windows systems.}} | ||
Install anti-virus software if you provide network services for users that work on Microsoft Windows systems, or regularly exchange files with unprotected Windows systems. Fedora Extras includes the ClamAV anti-virus software, and several commercial vendors also provide anti-virus products for Linux systems. | Install anti-virus software if you provide network services for users that work on Microsoft Windows systems, or regularly exchange files with unprotected Windows systems. Fedora Extras includes the ClamAV anti-virus software, and several commercial vendors also provide anti-virus products for Linux systems. | ||
Line 116: | Line 111: | ||
* [http://fedora.redhat.com/docs/yum/] | * [http://fedora.redhat.com/docs/yum/] | ||
== Protecting Network Services from Attack == | == Protecting Network Services from Attack == | ||
Line 126: | Line 120: | ||
If you open the ports for a service through the firewall, configure the service to reject unauthorized access. Fedora includes the SELinux facility to restrict many network services to only the files and functions that they require, but a successful attack may cause a service to fail or become compromised. A compromised service may copy or modify databases and files that the service is permitted to access. | If you open the ports for a service through the firewall, configure the service to reject unauthorized access. Fedora includes the SELinux facility to restrict many network services to only the files and functions that they require, but a successful attack may cause a service to fail or become compromised. A compromised service may copy or modify databases and files that the service is permitted to access. | ||
{{ | {{Admon/note | Remote Access to E-mail and Printers | By default, the e-mail (SMTP) and printing (CUPS) services reject connections from remote systems. You may change the configuration of these services to allow access from other systems.}} | ||
The first security measure is to be selective about the network services that you permit. Expose the minimum number of services possible. Certain types of service are inherently insecure, and if possible you should avoid them: | The first security measure is to be selective about the network services that you permit. Expose the minimum number of services possible. Certain types of service are inherently insecure, and if possible you should avoid them: | ||
Line 141: | Line 135: | ||
Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur. | Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur. | ||
{{ | {{Admon/caution | Many Services Transmit Information without Encryption | The SSH service automatically encrypts all of the communications between SSH clients and the server. Many other types of service do not encrypt your password, or any other information, until you configure the options for SSL or SSH support. Configure encryption as described in the product documentation.}} | ||
Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released. | Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released. | ||
== Keeping Your System Updated == | |||
Most Fedora installations will have '''yum''' as well as '''PackageKit''' including one or more of its many GUI frontends installed. Either of this tools can be used, for a more extensive overview see | |||
* http://docs.fedoraproject.org/en-US/Fedora/14/html/Software_Management_Guide/index.html | |||
Either tool can only manage software packages for packages originating from Fedora repositories. You must check and manage downloaded scripts and manually compiled software by yourself. | |||
=== Yum / Dnf === | |||
Usually doing <pre>yum update | dnf update </pre> from the command line will do what is necessary. | |||
For more details on software installation and updates with <code>yum</code>, refer to the documentation: | For more details on software installation and updates with <code>yum</code>, refer to the documentation: http://fedora.redhat.com/docs/yum/ | ||
Yum provides also fine grained capabilities to filter and manage security updates: | |||
<pre>yum --security update</pre> | |||
will install updates marked as security relevant. | |||
<pre>yum updateinfo list security</pre> | |||
will list security relevant updates. | |||
Some of this functionality was previously provided by the '''yum-plugin-security''' plugin which is now integrated into yum. | |||
'''Automatised updates''' and automatic checks for updates with yum are described in [[AutoUpdates]]. | |||
== Subscribing to Security Announcement Services == | == Subscribing to Security Announcement Services == | ||
The Fedora Project | The Fedora Project has no dedicated security announcements. It is possible to receive security relevant package update announcements by email. Subscribe to https://admin.fedoraproject.org/mailman/listinfo/package-announce and use the freshly emailed password to login at https://admin.fedoraproject.org/mailman/options/package-announce and change the list options to filer for security updates. | ||
Security relevant updates can be also seen in this web interface: https://admin.fedoraproject.org/updates/ | |||
The low traffic security mailing list is for general questions regarding security: https://admin.fedoraproject.org/mailman/listinfo/security | |||
To view, or subscribe to, RSS feeds, visit the Fedora Project website http://fedoraproject.org/infofeed/ | |||
== Enabling Status Reports == | == Enabling Status Reports == | ||
Line 187: | Line 185: | ||
Enter the <code>root</code> password when prompted. | Enter the <code>root</code> password when prompted. | ||
{{ | {{Admon/note | Alternative Text Editors | If you use an alternative desktop or text editor, replace <code>gedit</code> with your preferred text editor.}} | ||
Change the line: | Change the line: | ||
Line 210: | Line 208: | ||
Enter the <code>root</code> password when prompted. | Enter the <code>root</code> password when prompted. | ||
== Security Checklists == | == Security Checklists == |
Latest revision as of 00:50, 27 February 2016
DRAFT: Fedora Security Basics
For a description fedora security related features see Security Features
Understanding Computer Security
Although new viruses and security flaws are announced daily, threats fall into several well-understood categories. The common types of threat to networked computer systems include:
- Viruses that spread between systems
- Malicious Software Applications, often designed to modify the system or transmit data to other systems
- Malicious Servers designed to exploit vulnerabilities in software that accesses them
- Attacks on Network Services by specialized cracking tools
- Interception of Information transmitted between networked systems
- User Behavior includes accidental errors and, more rarely, deliberate attempts to compromise the system
All of these threats have been in existance for many years. Researchers, developers, and security professionals, have developed a wide range of approaches to deal with each type of threat. As a result, it is possible to actively reduce the overall vulnerability of the system to both current and future threats. Applications and network services may be designed to avoid behavior that is known to be potentially unsafe, and specialized countermeasures may be implemented within the operating system itself.
The Red Hat Enterprise Linux Security Guide provides an overview of security issues, and advice on how to configure common software.
Security Measures in Fedora Systems
The security measures in Fedora include:
- A system firewall
- Separated user accounts
- Every system and user file is marked with a set of permissions that specify how it may be used
- Many network services may only access appropriate parts of the system
- No access to administrative facilities from standard user accounts without separate authorization
- Software installation methods that reject software from untrusted sources
- Utilities to update all of the supplied software on your system with one command
- Several features that prevent software from modifying other parts of the running system
- Automated e-mail status reports
By default, the installation process configures all of these features. One of the overall design goals of Fedora is that every system should be secure, without requiring extra efforts by the users. To this end, Fedora developers continue to refine core technologies such as software management, the SELinux access framework, and the GCC software compiler. The recommended applications and network services also have features that address common security issues.
You may modify the configurations of each component to tailor the security of your system to your requirements. The Fedora Project only provides software that is licensed under open source terms, to ensure that you may study and customize the software to any level that you wish. You may also directly help to improve the security of the Fedora distribution by participating in the processes of testing, documentation, and development.
The sections below provide some general advice on particular aspects of system security.
User Accounts and the Root Account
Create one account per user, with a strong password. Each user should log in to the system with their own account. Users may cause configuration and data files in their own home directory to be damaged or deleted, but they may not modify system files, nor may they access the files in the home directories of other users.
To perform administrative tasks, log in to your system with a standard user account, and use the su
or sudo
to run individual commands with the privileges of the root
account. This ensures that only the specified commands are run with root
access. The supplied configuration tools automatically prompt for the root
password, if the user has not specified root
access with su
or sudo
.
Read the info
manual on your system for details of the su
command:
info su
If you have several administrators for a system, configure sudo
to enable each administrator to carry out commands with root
access. The sudo
facility also enables administrators to grant root
access to user accounts for specific applications only.
Use the visudo
command to edit the configuration file for sudo
.
Refer to the sudo
project Website for more information on sudo
:
Ensuring Strong Passwords
Automated password cracking programs include multiple dictionaries for one or more languages, in order to be able to identify any password that is based on a standard word or name. Password cracking programs are also often able to identify a word even if characters are substituted.
To ensure that your passwords may not be easily identified, use a combination of upper case letters, lower case letters, numbers, and punctuation.
Each character in the password multiplies the difficulty of guessing the complete password. Use at least 8 characters in your passwords. Avoid passwords with less than 6 characters, as these are too weak.
If possible, use keys rather than passwords for SSH remote access. SSH keys are considerably more complex than passwords. By default, the SSH service on Fedora prompts the user for a password if their client software does not have a valid key, but you may disable this feature.
Understanding Viruses and Spyware
Computer viruses run in an operating system or application to embed copies of themselves into files, such as e-mails, documents, and programs. These infected files may be transferred to other systems by users. Some viruses also trigger e-mail or file sharing features to directly copy themselves to other systems. The majority of computer viruses use, and require, specific features in Microsoft products in order to reproduce themselves.
Some spyware programs use a feature of Microsoft Internet Explorer to install on Windows systems without the consent of a user. Other spyware products claim to provide features in order to convince users to install them.
Fedora systems do not allow new items of software to be installed or run without the explicit permission of a user:
- By default, applications such as the Open
Office.org suite and the Evolution e-mail client do not run programs embedded in e-mails or documents
- Web browsers require you to approve the installation of plug-ins
- Fedora supplies software as packages, rather than working programs
- If you download a working program, it cannot run until you choose to mark the files as executable
The Fedora Project distributes all software as package files, rather than working programs, and encourages other vendors to provide software for Fedora systems in the same format. The supplied utilities use these packages to construct or update working copies of software. Packages that fail integrity or digital signature tests are automatically rejected by the management utilities.
Only install a plug-in, or any other type of software, if you trust the source of the software. If you need to compile a software product, download the source code directly from the website of the manufacturer.
Install anti-virus software if you provide network services for users that work on Microsoft Windows systems, or regularly exchange files with unprotected Windows systems. Fedora Extras includes the ClamAV anti-virus software, and several commercial vendors also provide anti-virus products for Linux systems.
Refer to the ClamAV project Website for more information on the ClamAV software:
For more details on software installation, read the documentation on our Website:
Protecting Network Services from Attack
Every system connected to the Internet is eventually checked by automated cracking programs. Such programs frequently run on systems that have already been compromised by crackers, or infected with a virus. Compromised systems constantly check thousands of Internet addresses for active systems that use specific network services, and attack those that they find. These attacks may be defeated by simple countermeasures.
The default firewall configuration for Fedora systems blocks connections from other systems. Any attempt by a remote system to access a service on a blocked port simply fails. This means that no other system may connect to the SSH remote access service, or any other installed service, unless you specifically choose to unblock the relevant port.
If you open the ports for a service through the firewall, configure the service to reject unauthorized access. Fedora includes the SELinux facility to restrict many network services to only the files and functions that they require, but a successful attack may cause a service to fail or become compromised. A compromised service may copy or modify databases and files that the service is permitted to access.
The first security measure is to be selective about the network services that you permit. Expose the minimum number of services possible. Certain types of service are inherently insecure, and if possible you should avoid them:
- FTP: Use SSH or HTTP (with WebDAV for write access) instead
- NFS: Only use between trusted systems on private networks
- The "r" suite of utilities (e.g.
rexec
,rlogin
): Superceded by SSH - Telnet: Superceded by SSH
If possible, configure each accessible service to only accept connections from specific IP addresses. For information on how to secure a service, refer to the documentation for the product.
In all cases, only allow write access if it is necessary. Certain services, like HTTP file transfer, provide read-only access by default. If you configure a service to allow write access to files or databases, ensure that access is protected by strong passwords.
Web applications are particularly susceptible to attack, and may have access to valuable data. Research a Web application carefully before you deploy it. Apply all of the security recommendations described in the documentation. If possible, subscribe to an e-mail or RSS service to receive news of security alerts and updated versions as they occur.
Many attacks attempt to exploit known vulnerabilities in network services. Once a vulnerability is known, providers modify their software to address the issue and release a new version. For this reason, you should update the software on your system as new packages are released.
Keeping Your System Updated
Most Fedora installations will have yum as well as PackageKit including one or more of its many GUI frontends installed. Either of this tools can be used, for a more extensive overview see
Either tool can only manage software packages for packages originating from Fedora repositories. You must check and manage downloaded scripts and manually compiled software by yourself.
Yum / Dnf
Usually doing
yum update | dnf update
from the command line will do what is necessary.
For more details on software installation and updates with yum
, refer to the documentation: http://fedora.redhat.com/docs/yum/
Yum provides also fine grained capabilities to filter and manage security updates:
yum --security update
will install updates marked as security relevant.
yum updateinfo list security
will list security relevant updates.
Some of this functionality was previously provided by the yum-plugin-security plugin which is now integrated into yum.
Automatised updates and automatic checks for updates with yum are described in AutoUpdates.
Subscribing to Security Announcement Services
The Fedora Project has no dedicated security announcements. It is possible to receive security relevant package update announcements by email. Subscribe to https://admin.fedoraproject.org/mailman/listinfo/package-announce and use the freshly emailed password to login at https://admin.fedoraproject.org/mailman/options/package-announce and change the list options to filer for security updates.
Security relevant updates can be also seen in this web interface: https://admin.fedoraproject.org/updates/
The low traffic security mailing list is for general questions regarding security: https://admin.fedoraproject.org/mailman/listinfo/security
To view, or subscribe to, RSS feeds, visit the Fedora Project website http://fedoraproject.org/infofeed/
Enabling Status Reports
Automated processes on your Fedora system use the e-mail service to send reports to the system administrator. The logwatch
script sends an overall status report each day at 4am.
Follow the instructions below to configure the e-mail service to deliver these messages to an administrator:
Edit the file /etc/aliases
. You must have root
access in order to edit this file.
su -c 'gedit /etc/aliases'
Enter the root
password when prompted.
Change the line:
root: root
Replace the second root with your e-mail address. For example:
root: me@example.com
Save the file, and close the text editor.
To update the e-mail server configuration with the new alias, run the newaliases
command.
su -c 'newaliases'
Enter the root
password when prompted.
Security Checklists
Using the System Safely
- Use strong passwords for your accounts
- Log in with a standard user account
- Use
su
,sudo
, or the supplied configuration tools, to perform administrative tasks that requireroot
access - Only install software or plug-ins from trusted sources
- Discard e-mails with attachments if you do not recognise the source
- Only keep or copy a file if you know the original source of that file
Secure System Configuration
- Create one system account per active user
- If a number of users require some form of administrative access, configure
sudo
rather than distributing theroot
password - Only enable additional network services if they are necessary
- If possible, configure services to allow connections only from specific IP addresses that you know
- Only configure a service to allow write access to files if it is necessary
- If possible, require SSH keys rather than passwords for remote access
- If you expect to receive infected files, install and configure anti-virus software
- Enable e-mail reporting by setting an e-mail alias for
root
Routine Security Tasks
- Check the messages from your RSS and e-mail subscriptions for security announcements
- Update the system regularly
- If you install anti-virus software, update the virus signature data regularly
- Make backups of data and configuration files
- Lock user accounts that are no longer required
- Deactivate any network services that are no longer required
- Check the log files for unusual activity
You may wish to automate some of these tasks, so that they are performed automatically.