From Fedora Project Wiki

Revision as of 04:16, 23 September 2014 by Immanetize (talk | contribs) (format-security)

Beat is open
This beat is now ready to have Fedora 25 content added by the beat writer


Crypto Policy

<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>

<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>

<para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>

systemd PrivateDevices and PrivateNetwork

Fedora is now more secure, as many long-running systemd services now run with physical device access and/or network access turned off. See [1] (NOTE:xref)

Format Security

Starting with Fedora 21, all packages built by GCC will compile with the flag *-Werror=format-security* . While this change has no user-visible change, it represents a substantial effort by Fedora packagers to protect your system from an entire class of vulnerability.

You can learn more about the security issues mitigated by Fedora's defensive security practices at https://fedoraproject.org/wiki/Format-Security-FAQ