|
|
(14 intermediate revisions by 5 users not shown) |
Line 1: |
Line 1: |
| {{header|docs}}{{Docs_beat_open}} | | {{header|docs}} |
|
| |
|
| == Crypto Policy ==
| | {{Docs_beat_closed}} |
| | |
| <para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>
| |
| | |
| <para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>
| |
| | |
| <para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>
| |
| | |
| == systemd PrivateDevices and PrivateNetwork ==
| |
| Fedora is now more secure, as many long-running '''systemd''' services now run with physical device access and/or network access turned off. See [https://fedoraproject.org/wiki/Documentation_System_Daemons_Beat#systemd_PrivateDevices_and_PrivateNetwork] (NOTE:xref)
| |
| | |
| == Format Security ==
| |
| | |
| Starting with Fedora 21, all packages built by GCC will compile with the flag *-Werror=format-security* . While this change has no user-visible change, it represents a substantial effort by Fedora packagers to protect your system from an entire class of vulnerability.
| |
| | |
| You can learn more about the security issues mitigated by Fedora's defensive security practices at https://fedoraproject.org/wiki/Format-Security-FAQ
| |
|
| |
|
| [[Category:Docs Project]] | | [[Category:Docs Project]] |
| [[Category:Draft documentation]] | | [[Category:Draft documentation]] |
| [[Category:Documentation beats]] | | [[Category:Documentation beats]] |
|
| |
| == More secure Smart Card support ===
| |
|
| |
|
| |
| The PCSC daemon in Fedora 21 allows for fine grained access control to smart cards that is tied to the system processes rather than solely depending on
| |
| the smart card controls. That is the polkit framework is being used to decide access on the smart card.
| |
|
| |
| In addition a default policy file is shipped with Fedora that restricts access to smart cards in a system to the console users and the administrator only.
| |
| The shipped policy can be modified by editing the file at /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy.
| |
|
| |
| Additional documentation on the PCSC policies is provided in /usr/share/doc/pcsc-lite/README.polkit
| |