|
Tag: Redirect target changed |
(14 intermediate revisions by 3 users not shown) |
Line 1: |
Line 1: |
| == Mission ==
| | #REDIRECT [[SIGs/Security]] |
| To provide the utmost secure operating environment to Fedora and EPEL users by:
| |
| | |
| * working with packagers to patch and update packages,
| |
| * identifying and helping to improve practices,
| |
| * and answering questions from the community.
| |
| | |
| == Contact ==
| |
| | |
| If you need help or assistance with any issue, please feel free to contact the FST members at
| |
| | |
| * '''IRC''':
| |
| ** {{fpchat|#fedora-security}} - general security questions
| |
| ** {{fpchat|#fedora-security-team}} - FST IRC channel for working vulnerabilities
| |
| * '''Mailing lists''':
| |
| ** {{fplist|security}} - General security mailing list (good for questions)
| |
| ** {{fplist|security-team}} - Security Team mailing list
| |
| * '''Weekly meetings''':
| |
| ** Every Thursdays 14:00 UTC. -> [[Security_Team_meetings|Schedule and Agenda]]
| |
| | |
| === Security Response ===
| |
| | |
| To '''report a vulnerability''' in software please follow the procedure outlined on the [[Security Bugs]] page.
| |
| | |
| To '''report a security concern''' within the Fedora Project please email security at fedoraproject dot org.
| |
| | |
| == What we do ==
| |
| Fedora Security Team aims to ensure that users are protected from any vulnerabilities that exist in Fedora packages. The vulnerabilities are reported to Fedora package maintainers via [https://bugzilla.redhat.com/ Bugzilla] by Red Hat Product Security. These bugs are marked with '''keywords: SecurityTracking''' attribute in Bugzilla, for ex. => [https://bugzilla.redhat.com/show_bug.cgi?id=905374 CVE-2013-0333 rubygem-activesupport: json to yaml parsing]. The '''SecurityTracking''' keyword indicates that the bug could have security implications which need to be investigated. The package maintainer should then follow up with the upstream developers to obtain a patch or a new release which fixes the issue. Once such patch or a new release is available, the package maintainer then builds a new version of the package and submits an update to the Fedora or EPEL repositories via [https://admin.fedoraproject.org/updates/ Bodhi].
| |
| | |
| It is a straight forward process. But the problems arise when package maintainers either don't understand the issue or are too busy to triage it. That is where the Fedora Security Team comes in to help. We work with the upstream developers to obtain the security fixes and help package maintainers to push these fixes to the Fedora repositories.
| |
| | |
| === [https://cve.mitre.org/ CVEs] ===
| |
| | |
| CVE stands for '''Common Vulnerabilities and Exposures''' and is the global standard for uniquely identifying and tracking software security vulnerabilities. Each vulnerability in any package has a unique CVE ID assigned to it. If it is a new security issue, we need to [http://www.openwall.com/lists/oss-security/2014/09/07/1 request] a CVE ID for it from the [http://www.openwall.com/lists/oss-security/ oss-security] mailing list. Alternatively, we may also request CVEs from Red Hat via secalert@redhat.com. CVE ID are allocated by the [http://www.mitre.org/about/corporate-overview MITRE Corporation], which is the primary '''CVE Numbering Authority(CNA)'''.
| |
| | |
| For each assigned CVE two bugs are created: one is the parent bug which describes the issue in human understandable details and lists available fixes and a second is the child bug which is used to track progression of these fixes into individual products(Fedora, Fedora-EPEL etc.). The parent bug is a generic one; it is opened against '''Component: vulnerability'''. Child bugs are specific; they are opened against '''Component: <package-name>''' of an individual product and are marked with '''keywords: SecurityTracking'''.
| |
| | |
| == How to get involved ==
| |
| === Joining the team ===
| |
| | |
| Joining the Fedora Security Team is an easy, three-step process:
| |
| # subscribe to the {{fplist|security-team}} mailing list
| |
| # join us on the {{fpchat|#fedora-security-team}} IRC channel
| |
| # read the [[Security_Team#Work_Flow|work flow]]
| |
| | |
| Once you feel comfortable just jump in and start helping. If you have questions please ask on IRC or on the mailing list.
| |
| | |
| Also, please take a look at the proposed [[Security Team Apprenticeship]] program as this may help answer additional questions.
| |
| | |
| === Work Flow ===
| |
| # Select an open security bug from -> [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=Security%2C%20SecurityTracking%2C%20&query_format=advanced Open issues].
| |
| # [[Security_Team#Bug_Ownership|Own the bug]].
| |
| # Examine the bug details and validate if it is really a security issue.
| |
| # Determine if a fix is available and if the vulnerability is already fixed in Fedora by examining the current version and/or talking with the package maintainer.
| |
| # If a fix is not available, work with the upstream developers via bug tracking/mailing list/IRC channels to obtain a patch or new version which fixes the issue.
| |
| # Work with the package maintainer to get patch or fixed version packaged and pushed as a security update.
| |
| # GOTO 1;
| |
| | |
| You can log your 90-day Security Challenge work [https://ethercalc.org/90-day-challenge in the ethercalc spreadsheet].
| |
| | |
| If you run into a [[Policy_for_nonresponsive_package_maintainers | nonresponsive package maintainer]] we do follow Release Engineering policy.
| |
| | |
| === Bug Ownership ===
| |
| | |
| Each tracking bug should have an owner for several reasons. It would certainly be inefficient if the work was done twice. At times collisions and misunderstandings might occur if two people tried to coordinate a fix with an upstream developer independently. For these reasons, we should indicate the fact that we are working on the tracking bug by filling the Whiteboard of the bug with Bugzilla user name of the owner:
| |
| | |
| Whiteboard: fst_owner=<owner>,[<owner2>,<owner3>]
| |
| | |
| As <owner> FAS ID should be used; It simplifies further management. For the list of Bugzilla user names of the Fedora Security Team see the [[Security Team Roster]].
| |
| | |
| '''Note: For multiple FST owners FAS IDs should be comma-separated and NOT contain spaces.'''
| |
| | |
| == Bugzilla Links ==
| |
| * '''Open issues'''
| |
| ** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&priority=urgent&query_format=advanced Critical Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661454&o1=notsubstring&priority=urgent&query_format=advanced&v1=fst_owner%3D Unowned]
| |
| ** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&priority=high&query_format=advanced Important Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661457&o1=notsubstring&priority=high&query_format=advanced&v1=fst_owner%3D Unowned]
| |
| ** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&priority=medium&query_format=advanced Moderate Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661461&o1=notsubstring&priority=medium&query_format=advanced&v1=fst_owner%3D Unowned]
| |
| ** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&priority=low&query_format=advanced Low Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661462&o1=notsubstring&priority=low&query_format=advanced&v1=fst_owner%3D Unowned]
| |
| ** [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661465&priority=unspecified&query_format=advanced Unknown Vulnerabilities] [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2661465&o1=notsubstring&priority=unspecified&query_format=advanced&v1=fst_owner%3D Unowned]
| |
| ** [https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced Bugs in MODIFIED, ON_DEV, ON_QA states] [https://bugzilla.redhat.com/buglist.cgi?bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&classification=Fedora&f1=status_whiteboard&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=2719448&o1=notsubstring&priority=unspecified&priority=urgent&priority=high&priority=medium&priority=low&query_format=advanced&v1=fst_owner%3D Unowned]
| |
| | |
| == Tools/Resources ==
| |
| | |
| * [http://rootkit.nl/projects/lynis.html lynis]
| |
| * [https://fedorahosted.org/sectool/ sectools]
| |
| * [http://www.trapkit.de/tools/checksec.html checksec]
| |
| * [https://docs.fedoraproject.org/en-US/Fedora_Security_Team/html/Defensive_Coding/index.html Defensive coding]
| |
| * [https://fedorahosted.org/scap-security-guide/ SCAP Security Guide]
| |
| * [https://fedorahosted.org/sectool/ Sectool]
| |
| * [http://people.redhat.com/sgrubb/security/ Security Assessment Tools/Scripts]
| |
| * [https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers Nonresponsive Package Maintainers Policy]
| |
| | |
| {{:Security Team Hall of Fame}}
| |
| | |
| [[Category:Security]]
| |