web/html/docs/security-guide/f12/en-US/html-single index.html, 1.1, 1.2
Rüdiger Landmann
rlandmann at fedoraproject.org
Mon Nov 9 06:02:27 UTC 2009
Author: rlandmann
Update of /cvs/fedora/web/html/docs/security-guide/f12/en-US/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20833/en-US/html-single
Modified Files:
index.html
Log Message:
Add F12 security guide in es-ES and nl-NL
Index: index.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/security-guide/f12/en-US/html-single/index.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.html 8 Nov 2009 22:05:05 -0000 1.1
+++ index.html 9 Nov 2009 06:00:56 -0000 1.2
@@ -1,77 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>security-guide</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="fedora-security-guide-12-en-US-1.1-18" /><meta name="description" content="The Linux Security Guide is designed to assist users of Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, The Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusio
n and exploit methods." /></head><body class=""><div xml:lang="en-US" class="book" title="security-guide" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">fedora</span> <span class="productnumber">12</span></div><div><h1 id="id1962982" class="title">security-guide</h1></div><div><h2 class="subtitle">A Guide to Securing Fedora Linux</h2></div><p class="edition">Edition 1.1</p><div><h3 class="corpauthor">
- <span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
- </h3></div><div><div xml:lang="en-US" class="authorgroup" lang="en-US"><div class="author"><h3 class="author"><span class="firstname">Johnray</span> <span class="surname">Fuller</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jrfuller at redhat.com">jrfuller at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Ha</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jha at redhat.com">jha at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">O'Brien</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:daobrien at redhat.com">daobrien at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstna
me">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Christensen</span></h3><div class="affiliation"><span class="orgname">Fedora Project</span> <span class="orgdiv">Documentation Team</span></div><code class="email"><a class="email" href="mailto:sparks at fedoraproject.org">sparks at fedoraproject.org</a></code></div></div></div><hr /><div><div id="id645691" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
- Copyright <span class="trademark"></span>© 2009 Red Hat, Inc.
+<!DOCTYPE html
+ PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><title>security-guide</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content=""/><meta name="description" content="The Linux Security Guide is designed to assist users of Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, The Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods."/></head><body class="draft "><div xml:lang="en-US" class="book" title="security-guide"><di
v class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">12</span></div><div><h1 id="d0e1" class="title">security-guide</h1></div><div><h2 class="subtitle">A Guide to Securing Fedora Linux</h2></div><p class="edition">Edition 1.1</p><div><h3 class="corpauthor">
+ <span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
+ </h3></div><div><div xml:lang="en-US" class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Johnray</span> <span class="surname">Fuller</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jrfuller at redhat.com">jrfuller at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Ha</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jha at redhat.com">jha at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">O'Brien</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:daobrien at redhat.com">daobrien at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Scott
</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Christensen</span></h3><div class="affiliation"><span class="orgname">Fedora Project</span> <span class="orgdiv">Documentation Team</span></div><code class="email"><a class="email" href="mailto:sparks at fedoraproject.org">sparks at fedoraproject.org</a></code></div></div></div><hr/><div><div id="d0e31" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
+ Copyright <span class="trademark"/>© 2009 Red Hat, Inc.
</div><div class="para">
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at <a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
</div><div class="para">
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
</div><div class="para">
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
+ Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
</div><div class="para">
For guidelines on the permitted uses of the Fedora trademarks, refer to <a href="https://fedoraproject.org/wiki/Legal:Trademark_guidelines">https://fedoraproject.org/wiki/Legal:Trademark_guidelines</a>.
</div><div class="para">
- <span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the United States and other countries.
+ <span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the United States and other countries.
</div><div class="para">
All other trademarks are the property of their respective owners.
- </div></div></div><div><div class="abstract" title="Abstract"><h6>Abstract</h6><div class="para">
-The Linux Security Guide is designed to assist users of Linux in
+ </div></div></div><div><div class="abstract" title="Abstract"><h6>Abstract</h6><div class="para">The Linux Security Guide is designed to assist users of Linux in
learning the processes and practices of securing workstations and
servers against local and remote intrusion, exploitation, and
-malicious activity.
-</div><div class="para">
-Focused on Fedora Linux but detailing concepts and techniques valid
+malicious activity.</div><div class="para">Focused on Fedora Linux but detailing concepts and techniques valid
for all Linux systems, The Linux Security Guide details the
planning and the tools involved in creating a secured computing
-environment for the data center, workplace, and home.
-</div><div class="para">
-With proper administrative knowledge, vigilance, and tools, systems
+environment for the data center, workplace, and home.</div><div class="para">With proper administrative knowledge, vigilance, and tools, systems
running Linux can be both fully functional and secured from most
-common intrusion and exploit methods.
-</div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security_Guide-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#id639409">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#id645070">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#id591154">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#id645085">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#We_Need_Feedback">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Security_Overview">1. Security Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1.
What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_
Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attacks">1
.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.1. Workstation Security</
a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation
_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span class="section"><a href=
"#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollment Works</a></span></dt><dt
><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Configuration File Format</a></s
pan></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP Wrappers and xinetd<
/a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</a></span></dt><dt><span cla
ss="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="section"><a href="#sect-Sec
urity_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an <abbr class="abbrev">IPsec</abbr> Co
nnection</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables<
/a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acronym> Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a hr
ef="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.2. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and IPv6</a></span></dt><dt><span class
="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional Resources</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Encryption">3. Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in
_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest">3.7.5.
Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt><dd><dl><dt
><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-General_Principles_of_Information_Security">4. General Principles of Information Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></dd><dt><span cla
ss="chapter"><a href="#chap-Security_Guide-Secure_Installation">5. Secure Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Software_Maintenance">6. Software Maintenance</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic
_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-References">7. References</a></span></dt></dl></div><div xml:lang="en-US" class="preface" title="Preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security_Guide-Preface" class="title">Preface</h1></div></div></div><div xml:lang="en-US" class="section" title="1. Document Conventions" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="id639409">1. Document Conventions</h2></div></div></div><div class="para">
+common intrusion and exploit methods.</div></div></div></div><hr/></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security_Guide-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e111">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e121">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#d0e337">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#d0e356">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#We_Need_Feedback">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Security_Overview">1. Security Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_i
s_Computer_Security">1.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerabilit
y_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Co
mmon_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security"
>2.1. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sec
t-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt><dt><s
pan class="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollm
ent Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Conf
iguration File Format</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2
.5. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?<
/a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class=
"section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an <abbr cl
ass="abbrev">IPsec</abbr> Connection</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.
8.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acronym> Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt><dt
><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.2. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and IPv6</a
></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional Resources</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Encryption">3. Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Secur
ity_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encrypti
on-Links_of_Interest">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG
)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-General_Principles_of_Information_Security">4. General Principles of Information Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span>
</dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Secure_Installation">5. Secure Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Software_Maintenance">6. Software Maintenance</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security
_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-References">7. References</a></span></dt></dl></div><div xml:lang="en-US" class="preface" title="Preface"><div class="titlepage"><div><div><h1 id="pref-Security_Guide-Preface" class="title">Preface</h1></div></div></div><div xml:lang="en-US" class="section" title="1. Document Conventions"><div class="titlepage"><div><div><h2 class="title" id="d0e111">1. Document Conventions</h2></div></div></div><div class="para">
This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
</div><div class="para">
In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
- </div><div class="section" title="1.1. Typographic Conventions"><div class="titlepage"><div><div><h3 class="title" id="id645070">1.1. Typographic Conventions</h3></div></div></div><div class="para">
+ </div><div class="section" title="1.1. Typographic Conventions"><div class="titlepage"><div><div><h3 class="title" id="d0e121">1.1. Typographic Conventions</h3></div></div></div><div class="para">
Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
</div><div class="para">
<code class="literal">Mono-spaced Bold</code>
</div><div class="para">
- Used to highlight system input, including shell commands, file names and paths. Also used to highlight keycaps and key combinations. For example:
+ Used to highlight system input, including shell commands, file names and paths. Also used to highlight key caps and key-combinations. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
To see the contents of the file <code class="filename">my_next_bestselling_novel</code> in your current working directory, enter the <code class="command">cat my_next_bestselling_novel</code> command at the shell prompt and press <span class="keycap"><strong>Enter</strong></span> to execute the command.
</div></blockquote></div><div class="para">
- The above includes a file name, a shell command and a keycap, all presented in mono-spaced bold and all distinguishable thanks to context.
+ The above includes a file name, a shell command and a key cap, all presented in Mono-spaced Bold and all distinguishable thanks to context.
</div><div class="para">
- Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key combination. For example:
+ Key-combinations can be distinguished from key caps by the hyphen connecting each part of a key-combination. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
Press <span class="keycap"><strong>Enter</strong></span> to execute the command.
</div><div class="para">
Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F1</strong></span> to switch to the first virtual terminal. Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F7</strong></span> to return to your X-Windows session.
</div></blockquote></div><div class="para">
- The first paragraph highlights the particular keycap to press. The second highlights two key combinations (each a set of three keycaps with each set pressed simultaneously).
+ The first sentence highlights the particular key cap to press. The second highlights two sets of three key caps, each set pressed simultaneously.
</div><div class="para">
- If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">mono-spaced bold</code>. For example:
+ If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">Mono-spaced Bold</code>. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
File-related classes include <code class="classname">filesystem</code> for file systems, <code class="classname">file</code> for files, and <code class="classname">dir</code> for directories. Each class has its own associated set of permissions.
</div></blockquote></div><div class="para">
<span class="application"><strong>Proportional Bold</strong></span>
</div><div class="para">
- This denotes words or phrases encountered on a system, including application names; dialog box text; labeled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
+ This denotes words or phrases encountered on a system, including application names; dialogue box text; labelled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
Choose <span class="guimenu"><strong>System > Preferences > Mouse</strong></span> from the main menu bar to launch <span class="application"><strong>Mouse Preferences</strong></span>. In the <span class="guilabel"><strong>Buttons</strong></span> tab, click the <span class="guilabel"><strong>Left-handed mouse</strong></span> check box and click <span class="guibutton"><strong>Close</strong></span> to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).
</div><div class="para">
To insert a special character into a <span class="application"><strong>gedit</strong></span> file, choose <span class="guimenu"><strong>Applications > Accessories > Character Map</strong></span> from the main menu bar. Next, choose <span class="guimenu"><strong>Search > Find…</strong></span> from the <span class="application"><strong>Character Map</strong></span> menu bar, type the name of the character in the <span class="guilabel"><strong>Search</strong></span> field and click <span class="guibutton"><strong>Next</strong></span>. The character you sought will be highlighted in the <span class="guilabel"><strong>Character Table</strong></span>. Double-click this highlighted character to place it in the <span class="guilabel"><strong>Text to copy</strong></span> field and then click the <span class="guibutton"><strong>Copy</strong></span> button. Now switch back to your document and choose <span class="guimenu"><strong>Edit > Paste</strong></span> from the
<span class="application"><strong>gedit</strong></span> menu bar.
</div></blockquote></div><div class="para">
- The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in proportional bold and all distinguishable by context.
+ The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in Proportional Bold and all distinguishable by context.
</div><div class="para">
- Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This avoids difficult-to-follow phrasing such as 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar'.
+ Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This is to avoid the difficult-to-follow 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar' approach.
</div><div class="para">
<code class="command"><em class="replaceable"><code>Mono-spaced Bold Italic</code></em></code> or <span class="application"><strong><em class="replaceable"><code>Proportional Bold Italic</code></em></strong></span>
</div><div class="para">
- Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
+ Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
To connect to a remote machine using ssh, type <code class="command">ssh <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>domain.name</code></em></code> at a shell prompt. If the remote machine is <code class="filename">example.com</code> and your username on that machine is john, type <code class="command">ssh john at example.com</code>.
</div><div class="para">
@@ -84,53 +79,56 @@
Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
- </div></blockquote></div></div><div class="section" title="1.2. Pull-quote Conventions"><div class="titlepage"><div><div><h3 class="title" id="id591154">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
- Terminal output and source code listings are set off visually from the surrounding text.
+ </div></blockquote></div></div><div class="section" title="1.2. Pull-quote Conventions"><div class="titlepage"><div><div><h3 class="title" id="d0e337">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
+ Two, commonly multi-line, data types are set off visually from the surrounding text.
</div><div class="para">
- Output sent to a terminal is set in <code class="computeroutput">mono-spaced roman</code> and presented thus:
- </div><pre class="screen">books Desktop documentation drafts mss photos stuff svn
+ Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus:
+ </div><pre class="screen">
+books Desktop documentation drafts mss photos stuff svn
books_tests Desktop1 downloads images notes scripts svgs
</pre><div class="para">
- Source-code listings are also set in <code class="computeroutput">mono-spaced roman</code> but add syntax highlighting as follows:
- </div><pre class="programlisting"><pre class="programlisting">package org.<span class="perl_Function">jboss</span>.<span class="perl_Function">book</span>.<span class="perl_Function">jca</span>.<span class="perl_Function">ex1</span>;
+ Source-code listings are also set in <code class="computeroutput">Mono-spaced Roman</code> but are presented and highlighted as follows:
+ </div><pre class="programlisting">
+package org.jboss.book.jca.ex1;
-<span class="perl_Keyword">import</span> javax.naming.InitialContext;
+import javax.naming.InitialContext;
-<span class="perl_Keyword">public</span> <span class="perl_Keyword">class</span> ExClient
+public class ExClient
{
- <span class="perl_Keyword">public</span> <span class="perl_DataType">static</span> <span class="perl_DataType">void</span> <span class="perl_Function">main</span>(String args[])
- <span class="perl_Keyword">throws</span> Exception
+ public static void main(String args[])
+ throws Exception
{
- InitialContext iniCtx = <span class="perl_Keyword">new</span> InitialContext();
- Object ref = iniCtx.<span class="perl_Function">lookup</span>(<span class="perl_String">"EchoBean"</span>);
+ InitialContext iniCtx = new InitialContext();
+ Object ref = iniCtx.lookup("EchoBean");
EchoHome home = (EchoHome) ref;
- Echo echo = home.<span class="perl_Function">create</span>();
+ Echo echo = home.create();
- System.<span class="perl_Function">out</span>.<span class="perl_Function">println</span>(<span class="perl_String">"Created Echo"</span>);
+ System.out.println("Created Echo");
- System.<span class="perl_Function">out</span>.<span class="perl_Function">println</span>(<span class="perl_String">"Echo.echo('Hello') = "</span> + echo.<span class="perl_Function">echo</span>(<span class="perl_String">"Hello"</span>));
+ System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
}
+
}
-</pre></pre></div><div class="section" title="1.3. Notes and Warnings"><div class="titlepage"><div><div><h3 class="title" id="id645085">1.3. Notes and Warnings</h3></div></div></div><div class="para">
+</pre></div><div class="section" title="1.3. Notes and Warnings"><div class="titlepage"><div><div><h3 class="title" id="d0e356">1.3. Notes and Warnings</h3></div></div></div><div class="para">
Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
</div><div class="note"><h2>Note</h2><div class="para">
- Notes are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
+ A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
</div></div><div class="important"><h2>Important</h2><div class="para">
- Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled 'Important' won't cause data loss but may cause irritation and frustration.
+ Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring Important boxes won't cause data loss but may cause irritation and frustration.
</div></div><div class="warning"><h2>Warning</h2><div class="para">
- Warnings should not be ignored. Ignoring warnings will most likely cause data loss.
- </div></div></div></div><div xml:lang="en-US" class="section" title="2. We Need Feedback!" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="We_Need_Feedback">2. We Need Feedback!</h2></div></div></div><div class="para">
+ A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
+ </div></div></div></div><div xml:lang="en-US" class="section" title="2. We Need Feedback!"><div class="titlepage"><div><div><h2 class="title" id="We_Need_Feedback">2. We Need Feedback!</h2></div></div></div><div class="para">
More information about the Linux Security Guide project can be found at <a href="https://fedorahosted.org/securityguide">https://fedorahosted.org/securityguide</a>
</div><div class="para">
To provide feedback for the Security Guide, please file a bug in <a href="https://bugzilla.redhat.com/enter_bug.cgi?component=security-guide&product=Fedora%20Documentation">https://bugzilla.redhat.com/enter_bug.cgi?component=security-guide&product=Fedora%20Documentation</a>. Please select the proper component in the dropdown menu which should be the page name.
- </div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 1. Security Overview" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Security_Overview">Chapter 1. Security Overview</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section
"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_
to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class
="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 1. Security Overview"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Security_Overview">Chapter 1. Security Overview</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#s
ect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Se
curity">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a
href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></div><div class="para">
Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, entire industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of the organization. Because most organizations are increasingly dynamic in nature, with workers accessing company IT resources locally and remotely, the need for secure computing environments has become more pronounced.
</div><div class="para">
Unfortunately, most organizations (as well as individual users) regard security as an afterthought, a process that is overlooked in favor of increased power, productivity, and budgetary concerns. Proper security implementation is often enacted postmortem — <span class="emphasis"><em>after</em></span> an unauthorized intrusion has already occurred. Security experts agree that taking the correct measures prior to connecting a site to an untrusted network, such as the Internet, is an effective means of thwarting most attempts at intrusion.
- </div><div xml:lang="en-US" class="section" title="1.1. Introduction to Security" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</h2></div></div></div><div class="section" title="1.1.1. What is Computer Security?"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</h3></div></div></div><div class="para">
+ </div><div xml:lang="en-US" class="section" title="1.1. Introduction to Security"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</h2></div></div></div><div class="section" title="1.1.1. What is Computer Security?"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</h3></div></div></div><div class="para">
Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access crucial information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO) and quality of service (QoS). Using these metrics, industries can calculate aspects such as data integrity and high-availability as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can be the difference between success and failure.
</div><div class="section" title="1.1.1.1. How did Computer Security Come about?"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-How_did_Computer_Security_Come_about">1.1.1.1. How did Computer Security Come about?</h4></div></div></div><div class="para">
- Information security has evolved over the years due to the increasing reliance on public networks not to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick <sup>[<a id="id643094" href="#ftn.id643094" class="footnote">1</a>]</sup>and the Vladimir Levin <sup>[<a id="id643086" href="#ftn.id643086" class="footnote">2</a>]</sup>cases that prompted organizations across all industries to re-think the way they handle information, as well as its transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
+ Information security has evolved over the years due to the increasing reliance on public networks not to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick <sup>[<a id="d0e412" href="#ftn.d0e412" class="footnote">1</a>]</sup>and the Vladimir Levin <sup>[<a id="d0e416" href="#ftn.d0e416" class="footnote">2</a>]</sup>cases that prompted organizations across all industries to re-think the way they handle information, as well as its transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
</div><div class="para">
An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer. From research and information retrieval to electronic mail and commerce transaction, the Internet has been regarded as one of the most important developments of the 20th century.
</div><div class="para">
@@ -138,19 +136,19 @@
</div></div><div class="section" title="1.1.1.2. Security Today"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-Security_Today">1.1.1.2. Security Today</h4></div></div></div><div class="para">
In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for several hours with large-byte ICMP packet transfers, also called a <em class="firstterm">ping flood</em>. The attack was brought on by unknown assailants using specially created, widely available programs that scanned vulnerable network servers, installed client applications called <em class="firstterm">trojans</em> on the servers, and timed an attack with every infected server flooding the victim sites and rendering them unavailable. Many blame the attack on fundamental flaws in the way routers and the protocols used are structured to accept all incoming data, no matter where or for what purpose the packets are sent.
</div><div class="para">
- In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial institution of over 45 million credit card numbers.<sup>[<a id="id1043869" href="#ftn.id1043869" class="footnote">3</a>]</sup>
+ In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial institution of over 45 million credit card numbers.<sup>[<a id="d0e440" href="#ftn.d0e440" class="footnote">3</a>]</sup>
</div><div class="para">
- In a separate incident, the billing records of over 2.2 million patients stored on a backup tape were stolen from the front seat of a courier's car.<sup>[<a id="id1043866" href="#ftn.id1043866" class="footnote">4</a>]</sup>
+ In a separate incident, the billing records of over 2.2 million patients stored on a backup tape were stolen from the front seat of a courier's car.<sup>[<a id="d0e446" href="#ftn.d0e446" class="footnote">4</a>]</sup>
</div><div class="para">
- Currently, an estimated 1.4 billion people use or have used the Internet worldwide.<sup>[<a id="id1043807" href="#ftn.id1043807" class="footnote">5</a>]</sup> At the same time:
+ Currently, an estimated 1.4 billion people use or have used the Internet worldwide.<sup>[<a id="d0e452" href="#ftn.d0e452" class="footnote">5</a>]</sup> At the same time:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
- On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.<sup>[<a id="id1043837" href="#ftn.id1043837" class="footnote">6</a>]</sup>
+ On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.<sup>[<a id="d0e460" href="#ftn.d0e460" class="footnote">6</a>]</sup>
</div></li><li class="listitem"><div class="para">
- In 2003, the number of CERT reported incidences jumped to 137,529 from 82,094 in 2002 and from 52,658 in 2001.<sup>[<a id="id1043825" href="#ftn.id1043825" class="footnote">7</a>]</sup>
+ In 2003, the number of CERT reported incidences jumped to 137,529 from 82,094 in 2002 and from 52,658 in 2001.<sup>[<a id="d0e467" href="#ftn.d0e467" class="footnote">7</a>]</sup>
</div></li><li class="listitem"><div class="para">
- The worldwide economic impact of the three most dangerous Internet Viruses of the last three years was estimated at US$13.2 Billion.<sup>[<a id="id1043810" href="#ftn.id1043810" class="footnote">8</a>]</sup>
+ The worldwide economic impact of the three most dangerous Internet Viruses of the last three years was estimated at US$13.2 Billion.<sup>[<a id="d0e474" href="#ftn.d0e474" class="footnote">8</a>]</sup>
</div></li></ul></div><div class="para">
- From a 2008 global survey of business and technology executives "The Global State of Information Security"<sup>[<a id="id1043796" href="#ftn.id1043796" class="footnote">9</a>]</sup>, undertaken by <span class="emphasis"><em>CIO Magazine</em></span>, some points are:
+ From a 2008 global survey of business and technology executives "The Global State of Information Security"<sup>[<a id="d0e480" href="#ftn.d0e480" class="footnote">9</a>]</sup>, undertaken by <span class="emphasis"><em>CIO Magazine</em></span>, some points are:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Just 43% of respondents audit or monitor user compliance with security policies
</div></li><li class="listitem"><div class="para">
@@ -223,7 +221,7 @@
Personnel registration and accounting
</div></li></ul></div></div></div><div class="section" title="1.1.4. Conclusion"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</h3></div></div></div><div class="para">
Now that you have learned about the origins, reasons, and aspects of security, you will find it easier to determine the appropriate course of action with regard to Fedora. It is important to know what factors and conditions make up security in order to plan and implement a proper strategy. With this information in mind, the process can be formalized and the path becomes clearer as you delve deeper into the specifics of the security process.
- </div></div></div><div xml:lang="en-US" class="section" title="1.2. Vulnerability Assessment" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</h2></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="section" title="1.2. Vulnerability Assessment"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</h2></div></div></div><div class="para">
Given time, resources, and motivation, a cracker can break into nearly any system. At the end of the day, all of the security procedures and technologies currently available cannot guarantee that any systems are completely safe from intrusion. Routers help secure gateways to the Internet. Firewalls help secure the edge of the network. Virtual Private Networks safely pass data in an encrypted stream. Intrusion detection systems warn you of malicious activity. However, the success of each of these technologies is dependent upon a number of variables, including:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
The expertise of the staff responsible for configuring, monitoring, and maintaining the technologies.
@@ -340,7 +338,7 @@
<a href="http://www.bindview.com/Support/Razor/Utilities/">http://www.bindview.com/Support/Razor/Utilities/</a>
</div></div><div class="section" title="1.2.3.5. Anticipating Your Future Needs"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Evaluating_the_Tools-Anticipating_Your_Future_Needs">1.2.3.5. Anticipating Your Future Needs</h4></div></div></div><div class="para">
Depending upon your target and resources, there are many tools available. There are tools for wireless networks, Novell networks, Windows systems, Linux systems, and more. Another essential part of performing assessments may include reviewing physical security, personnel screening, or voice/PBX network assessment. New concepts, such as <em class="firstterm">war walking</em>, which involves scanning the perimeter of your enterprise's physical structures for wireless network vulnerabilities, are some emerging concepts that you can investigate and, if needed, incorporate into your assessments. Imagination and exposure are the only limits of planning and conducting vulnerability assessments.
- </div></div></div></div><div xml:lang="en-US" class="section" title="1.3. Attackers and Vulnerabilities" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</h2></div></div></div><div class="para">
+ </div></div></div></div><div xml:lang="en-US" class="section" title="1.3. Attackers and Vulnerabilities"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</h2></div></div></div><div class="para">
To plan and implement a good security strategy, first be aware of some of the issues which determined, motivated attackers exploit to compromise systems. However, before detailing these issues, the terminology used when identifying an attacker must be defined.
</div><div class="section" title="1.3.1. A Quick History of Hackers"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</h3></div></div></div><div class="para">
The modern meaning of the term <em class="firstterm">hacker</em> has origins dating back to the 1960s and the Massachusetts Institute of Technology (MIT) Tech Model Railroad Club, which designed train sets of large scale and intricate detail. Hacker was a name used for club members who discovered a clever trick or workaround for a problem.
@@ -383,7 +381,7 @@
</div><div class="para">
Refer to <a class="xref" href="#sect-Security_Guide-Security_Updates" title="1.5. Security Updates">Section 1.5, “Security Updatesâ€</a> for more information about keeping a system up-to-date.
</div></div><div class="section" title="1.3.3.3. Inattentive Administration"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Threats_to_Server_Security-Inattentive_Administration">1.3.3.3. Inattentive Administration</h4></div></div></div><div class="para">
- Administrators who fail to patch their systems are one of the greatest threats to server security. According to the <em class="firstterm">SysAdmin, Audit, Network, Security Institute</em> (<em class="firstterm">SANS</em>), the primary cause of computer security vulnerability is to "assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job."<sup>[<a id="id658119" href="#ftn.id658119" class="footnote">10</a>]</sup> This applies as much to inexperienced administrators as it does to overconfident or amotivated administrators.
+ Administrators who fail to patch their systems are one of the greatest threats to server security. According to the <em class="firstterm">SysAdmin, Audit, Network, Security Institute</em> (<em class="firstterm">SANS</em>), the primary cause of computer security vulnerability is to "assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job."<sup>[<a id="d0e963" href="#ftn.d0e963" class="footnote">10</a>]</sup> This applies as much to inexperienced administrators as it does to overconfident or amotivated administrators.
</div><div class="para">
Some administrators fail to patch their servers and workstations, while others fail to watch log messages from the system kernel or network traffic. Another common error is when default passwords or keys to services are left unchanged. For example, some databases have default administration passwords because the database developers assume that the system administrator changes these passwords immediately after installation. If a database administrator fails to change this password, even an inexperienced cracker can use a widely-known default password to gain administrative privileges to the database. These are only a few examples of how inattentive administration can lead to compromised servers.
</div></div><div class="section" title="1.3.3.4. Inherently Insecure Services"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Threats_to_Server_Security-Inherently_Insecure_Services">1.3.3.4. Inherently Insecure Services</h4></div></div></div><div class="para">
@@ -406,9 +404,9 @@
Even when using secure protocols, such as SSH, a remote user may be vulnerable to certain attacks if they do not keep their client applications updated. For instance, v.1 SSH clients are vulnerable to an X-forwarding attack from malicious SSH servers. Once connected to the server, the attacker can quietly capture any keystrokes and mouse clicks made by the client over the network. This problem was fixed in the v.2 SSH protocol, but it is up to the user to keep track of what applications have such vulnerabilities and update them as necessary.
</div><div class="para">
<a class="xref" href="#sect-Security_Guide-Workstation_Security" title="2.1. Workstation Security">Section 2.1, “Workstation Securityâ€</a> discusses in more detail what steps administrators and home users should take to limit the vulnerability of computer workstations.
- </div></div></div></div><div xml:lang="en-US" class="section" title="1.4. Common Exploits and Attacks" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</h2></div></div></div><div class="para">
+ </div></div></div></div><div xml:lang="en-US" class="section" title="1.4. Common Exploits and Attacks"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</h2></div></div></div><div class="para">
<a class="xref" href="#tabl-Security_Guide-Common_Exploits_and_Attacks-Common_Exploits" title="Table 1.1. Common Exploits">Table 1.1, “Common Exploitsâ€</a> details some of the most common exploits and entry points used by intruders to access organizational network resources. Key to these common exploits are the explanations of how they are performed and how administrators can properly safeguard their network against such attacks.
- </div><div class="table" id="tabl-Security_Guide-Common_Exploits_and_Attacks-Common_Exploits"><div class="table-contents"><table summary="Common Exploits" border="1"><colgroup><col width="20%" /><col width="40%" /><col width="40%" /></colgroup><thead><tr><th>
+ </div><div class="table" id="tabl-Security_Guide-Common_Exploits_and_Attacks-Common_Exploits"><div class="table-contents"><table summary="Common Exploits" border="1"><colgroup><col width="2*"/><col width="4*"/><col width="4*"/></colgroup><thead><tr><th>
Exploit
</th><th>
Description
@@ -456,7 +454,7 @@
Attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users.
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as <em class="firstterm">zombies</em>, or redirected broadcast nodes. </td></tr><tr><td> Source packets are usually forged (as well as rebroadcasted), making investigation as to the true source of the attack difficult. </td></tr><tr><td> Advances in ingress filtering (IETF rfc2267) using <code class="command">iptables</code> and Network Intrusion Detection Systems such as <code class="command">snort</code> assist administrators in tracking down and preventing distributed DoS attacks. </td></tr></table>
- </td></tr></tbody></table></div><h6>Table 1.1. Common Exploits</h6></div><br class="table-break" /></div><div xml:lang="en-US" class="section" title="1.5. Security Updates" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Security_Updates">1.5. Security Updates</h2></div></div></div><div class="para">
+ </td></tr></tbody></table></div><h6>Table 1.1. Common Exploits</h6></div><br class="table-break"/></div><div xml:lang="en-US" class="section" title="1.5. Security Updates"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Security_Updates">1.5. Security Updates</h2></div></div></div><div class="para">
As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is part of a package within a Fedora distribution that is currently supported, Fedora is committed to releasing updated packages that fix the vulnerability as soon as is possible. Often, announcements about a given security exploit are accompanied with a patch (or source code that fixes the problem). This patch is then applied to the Fedora package and tested and released as an errata update. However, if an announcement does not include a patch, a developer first works with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an errata update.
</div><div class="para">
If an errata update is released for software used on your system, it is highly recommended that you update the affected packages as soon as possible to minimize the amount of time the system is potentially vulnerable.
@@ -550,27 +548,27 @@
</div><div class="para">
To kill all active IMAP sessions, issue the following command:
</div><pre class="screen"><code class="command">killall imapd</code>
-</pre></dd></dl></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id643094" href="#id643094" class="para">1</a>] </sup>
+</pre></dd></dl></div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e412" href="#d0e412" class="para">1</a>] </sup>
http://law.jrank.org/pages/3791/Kevin-Mitnick-Case-1999.html
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id643086" href="#id643086" class="para">2</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e416" href="#d0e416" class="para">2</a>] </sup>
http://www.livinginternet.com/i/ia_hackers_levin.htm
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id1043869" href="#id1043869" class="para">3</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e440" href="#d0e440" class="para">3</a>] </sup>
http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id1043866" href="#id1043866" class="para">4</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e446" href="#d0e446" class="para">4</a>] </sup>
http://www.healthcareitnews.com/story.cms?id=9408
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id1043807" href="#id1043807" class="para">5</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e452" href="#d0e452" class="para">5</a>] </sup>
http://www.internetworldstats.com/stats.htm
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id1043837" href="#id1043837" class="para">6</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e460" href="#d0e460" class="para">6</a>] </sup>
http://www.cert.org
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id1043825" href="#id1043825" class="para">7</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e467" href="#d0e467" class="para">7</a>] </sup>
http://www.cert.org/stats/fullstats.html
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id1043810" href="#id1043810" class="para">8</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e474" href="#d0e474" class="para">8</a>] </sup>
http://www.newsfactor.com/perl/story/16407.html
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id1043796" href="#id1043796" class="para">9</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e480" href="#d0e480" class="para">9</a>] </sup>
http://www.csoonline.com/article/454939/The_Global_State_of_Information_Security_
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id658119" href="#id658119" class="para">10</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e963" href="#d0e963" class="para">10</a>] </sup>
http://www.sans.org/resources/errors.php
- </p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 2. Securing Your Network" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Securing_Your_Network">Chapter 2. Securing Your Network</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.1. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.
4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href=
"#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_
on_SSO-Introduction">2.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollment Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_M
odules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Configuration File Format</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Se
curity_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></spa
n></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Config
uring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a h
ref="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide
-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acrony
m">NAT</acronym> Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.2. Command Options for IPTables</a></span></dt><dt><spa
n class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional Resources</a></span></dt></dl></dd></dl></div><div xml:lang="en-US" class="section" title="2.1. Workstation Security" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Workstation_Security">2.1. Workstation Security</h2></div></div></div><div class="para">
+ </p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 2. Securing Your Network"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Securing_Your_Network">Chapter 2. Securing Your Network</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.1. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administra
tive Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#sect-Securi
ty_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introd
uction">2.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollment Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Ad
vantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Configuration File Format</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-
Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt><dt><s
pan class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerbe
ros_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#sect-Se
curity_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Priv
ate_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acron
ym> Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.2. Command Options for IPTables</a></span></dt><dt><span class="sect
ion"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional Resources</a></span></dt></dl></dd></dl></div><div xml:lang="en-US" class="section" title="2.1. Workstation Security"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Workstation_Security">2.1. Workstation Security</h2></div></div></div><div class="para">
Securing a Linux environment begins with the workstation. Whether locking down a personal machine or securing an enterprise system, sound security policy begins with the individual computer. A computer network is only as secure as its weakest node.
</div><div class="section" title="2.1.1. Evaluating Workstation Security"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</h3></div></div></div><div class="para">
When evaluating the security of a Fedora workstation, consider the following:
@@ -593,7 +591,7 @@
</div><div class="para">
If the workstation is located in a place where only authorized or trusted people have access, however, then securing the BIOS or the boot loader may not be necessary.
</div><div class="section" title="2.1.2.1. BIOS Passwords"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-BIOS_and_Boot_Loader_Security-BIOS_Passwords">2.1.2.1. BIOS Passwords</h4></div></div></div><div class="para">
- The two primary reasons for password protecting the BIOS of a computer are<sup>[<a id="id534033" href="#ftn.id534033" class="footnote">11</a>]</sup>:
+ The two primary reasons for password protecting the BIOS of a computer are<sup>[<a id="d0e1504" href="#ftn.d0e1504" class="footnote">11</a>]</sup>:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
<span class="emphasis"><em>Preventing Changes to BIOS Settings</em></span> — If an intruder has access to the BIOS, they can set it to boot from a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data.
</div></li><li class="listitem"><div class="para">
@@ -625,7 +623,7 @@
Next, edit the GRUB configuration file <code class="filename">/boot/grub/grub.conf</code>. Open the file and below the <code class="command">timeout</code> line in the main section of the document, add the following line:
</div><pre class="screen"><code class="command">password --md5 <em class="replaceable"><code><password-hash></code></em></code>
</pre><div class="para">
- Replace <em class="replaceable"><code><password-hash></code></em> with the value returned by <code class="command">/sbin/grub-md5-crypt</code><sup>[<a id="id634479" href="#ftn.id634479" class="footnote">12</a>]</sup>.
+ Replace <em class="replaceable"><code><password-hash></code></em> with the value returned by <code class="command">/sbin/grub-md5-crypt</code><sup>[<a id="d0e1610" href="#ftn.d0e1610" class="footnote">12</a>]</sup>.
</div><div class="para">
The next time the system boots, the GRUB menu prevents access to the editor or command interface without first pressing <span class="keycap"><strong>p</strong></span> followed by the GRUB password.
</div><div class="para">
@@ -820,9 +818,9 @@
Click the <span class="guilabel"><strong>Password Info</strong></span> tab, and select the check box for <span class="guilabel"><strong>Enable password expiration</strong></span>.
</div></li><li class="step" title="Step 5"><div class="para">
Enter the required value in the <span class="guilabel"><strong>Days before change required</strong></span> field, and click <span class="guibutton"><strong>OK</strong></span>.
- </div></li></ol></div><div class="figure" id="figu-Security_Guide-Password_Aging-Specifying_password_aging_options"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-user_pass_info.png" width="444" alt="Specifying password aging options" /><div class="longdesc"><div class="para">
+ </div></li></ol></div><div class="figure" id="figu-Security_Guide-Password_Aging-Specifying_password_aging_options"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-user_pass_info.png" alt="Specifying password aging options"/><div class="longdesc"><div class="para">
<span class="guilabel"><strong>Password Info</strong></span> pane illustration.
- </div></div></div></div><h6>Figure 2.1. Specifying password aging options</h6></div><br class="figure-break" /></div></div></div><div class="section" title="2.1.4. Administrative Controls"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</h3></div></div></div><div class="para">
+ </div></div></div></div><h6>Figure 2.1. Specifying password aging options</h6></div><br class="figure-break"/></div></div></div><div class="section" title="2.1.4. Administrative Controls"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</h3></div></div></div><div class="para">
When administering a home machine, the user must perform some tasks as the root user or by acquiring effective root privileges via a <em class="firstterm">setuid</em> program, such as <code class="command">sudo</code> or <code class="command">su</code>. A setuid program is one that operates with the user ID (<span class="emphasis"><em>UID</em></span>) of the program's owner rather than the user operating the program. Such programs are denoted by an <code class="computeroutput">s</code> in the owner section of a long format listing, as in the following example:
</div><pre class="screen"><code class="computeroutput">-rwsr-xr-x 1 root root 47324 May 1 08:09 /bin/su</code>
</pre><div class="note"><h2>Note</h2><div class="para">
@@ -843,7 +841,7 @@
If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret, and access to runlevel one or single user mode should be disallowed through boot loader password protection (refer to <a class="xref" href="#sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords" title="2.1.2.2. Boot Loader Passwords">Section 2.1.2.2, “Boot Loader Passwordsâ€</a> for more information on this topic.)
</div><div class="para">
<a class="xref" href="#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account" title="Table 2.1. Methods of Disabling the Root Account">Table 2.1, “Methods of Disabling the Root Accountâ€</a> describes ways that an administrator can further ensure that root logins are disallowed:
- </div><div class="table" id="tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account"><div class="table-contents"><table summary="Methods of Disabling the Root Account" border="1"><colgroup><col width="12%" /><col width="29%" /><col width="29%" /><col width="29%" /></colgroup><thead><tr><th>
+ </div><div class="table" id="tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account"><div class="table-contents"><table summary="Methods of Disabling the Root Account" border="1"><colgroup><col width="20*"/><col width="50*"/><col width="50*"/><col width="50*"/></colgroup><thead><tr><th>
Method
</th><th>
Description
@@ -878,14 +876,14 @@
</td></tr><tr><td>
Use PAM to limit root access to services.
</td><td>
- Edit the file for the target service in the <code class="filename">/etc/pam.d/</code> directory. Make sure the <code class="filename">pam_listfile.so</code> is required for authentication.<sup>[<a id="id1052233" href="#ftn.id1052233" class="footnote">a</a>]</sup>
+ Edit the file for the target service in the <code class="filename">/etc/pam.d/</code> directory. Make sure the <code class="filename">pam_listfile.so</code> is required for authentication.<sup>[<a id="d0e2430" href="#ftn.d0e2430" class="footnote">a</a>]</sup>
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Prevents root access to network services that are PAM aware. </td></tr><tr><td> The following services are prevented from accessing the root account: </td></tr><tr><td> · FTP clients </td></tr><tr><td> · Email clients </td></tr><tr><td> · <code class="command">login</code></td></tr><tr><td> · <code class="command">gdm</code></td></tr><tr><td> · <code class="command">kdm</code></td></tr><tr><td> · <code class="command">xdm</code></td></tr><tr><td> · <code class="command">ssh</code></td></tr><tr><td> · <code class="command">scp</code></td></tr><tr><td> · <code class="command">sftp</code></td></tr><tr><td> · Any PAM aware services </td></tr></table>
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Programs and services that are not PAM aware. </td></tr></table>
- </td></tr></tbody><tbody class="footnotes"><tr><td colspan="4"><div class="footnote"><p><sup>[<a id="ftn.id1052233" href="#id1052233" class="para">a</a>] </sup>
+ </td></tr></tbody><tbody class="footnotes"><tr><td colspan="4"><div class="footnote"><p><sup>[<a id="ftn.d0e2430" href="#d0e2430" class="para">a</a>] </sup>
Refer to <a class="xref" href="#sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM" title="2.1.4.2.4. Disabling Root Using PAM">Section 2.1.4.2.4, “Disabling Root Using PAMâ€</a> for details.
- </p></div></td></tr></tbody></table></div><h6>Table 2.1. Methods of Disabling the Root Account</h6></div><br class="table-break" /><div class="section" title="2.1.4.2.1. Disabling the Root Shell"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Disallowing_Root_Access-Disabling_the_Root_Shell">2.1.4.2.1. Disabling the Root Shell</h5></div></div></div><div class="para">
+ </p></div></td></tr></tbody></table></div><h6>Table 2.1. Methods of Disabling the Root Account</h6></div><br class="table-break"/><div class="section" title="2.1.4.2.1. Disabling the Root Shell"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Disallowing_Root_Access-Disabling_the_Root_Shell">2.1.4.2.1. Disabling the Root Shell</h5></div></div></div><div class="para">
To prevent users from logging in directly as root, the system administrator can set the root account's shell to <code class="command">/sbin/nologin</code> in the <code class="filename">/etc/passwd</code> file. This prevents access to the root account through commands that require a shell, such as the <code class="command">su</code> and the <code class="command">ssh</code> commands.
</div><div class="important"><h2>Important</h2><div class="para">
Programs that do not require access to the shell, such as email clients or the <code class="command">sudo</code> command, can still access the root account.
@@ -918,7 +916,7 @@
</div><div class="section" title="2.1.4.3.1. The su Command"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Limiting_Root_Access-The_su_Command">2.1.4.3.1. The <code class="command">su</code> Command</h5></div></div></div><div class="para">
When a user executes the <code class="command">su</code> command, they are prompted for the root password and, after authentication, is given a root shell prompt.
</div><div class="para">
- Once logged in via the <code class="command">su</code> command, the user <span class="emphasis"><em>is</em></span> the root user and has absolute administrative access to the system<sup>[<a id="id687804" href="#ftn.id687804" class="footnote">13</a>]</sup>. In addition, once a user has become root, it is possible for them to use the <code class="command">su</code> command to change to any other user on the system without being prompted for a password.
+ Once logged in via the <code class="command">su</code> command, the user <span class="emphasis"><em>is</em></span> the root user and has absolute administrative access to the system<sup>[<a id="d0e2631" href="#ftn.d0e2631" class="footnote">13</a>]</sup>. In addition, once a user has become root, it is possible for them to use the <code class="command">su</code> command to change to any other user on the system without being prompted for a password.
</div><div class="para">
Because this program is so powerful, administrators within an organization may wish to limit who has access to the command.
</div><div class="para">
@@ -935,15 +933,15 @@
</div></li><li class="step" title="Step 3"><div class="para">
Click <span class="guibutton"><strong>Properties</strong></span> on the toolbar to display the User Properties dialog box (or choose <span class="guimenuitem"><strong>Properties</strong></span> on the <span class="guimenu"><strong>File</strong></span> menu).
</div></li><li class="step" title="Step 4"><div class="para">
- Click the <span class="guilabel"><strong>Groups</strong></span> tab, select the check box for the wheel group, and then click <span class="guibutton"><strong>OK</strong></span>. Refer to <a class="xref" href="#figu-Security_Guide-The_su_Command-Adding_users_to_the_wheel_group." title="Figure 2.2. Adding users to the "wheel" group.">Figure 2.2, “Adding users to the "wheel" group.â€</a>.
+ Click the <span class="guilabel"><strong>Groups</strong></span> tab, select the check box for the wheel group, and then click <span class="guibutton"><strong>OK</strong></span>. Refer to <a class="xref" href="#figu-Security_Guide-The_su_Command-Adding_users_to_the_wheel_group." title="Figure 2.2. Adding users to the "wheel" group.">Figure 2.2, “Adding users to the "wheel" group.â€</a>.
</div></li><li class="step" title="Step 5"><div class="para">
Open the PAM configuration file for <code class="command">su</code> (<code class="filename">/etc/pam.d/su</code>) in a text editor and remove the comment <span class="keycap"><strong>#</strong></span> from the following line:
</div><pre class="screen">auth required /lib/security/$ISA/pam_wheel.so use_uid
</pre><div class="para">
This change means that only members of the administrative group <code class="computeroutput">wheel</code> can use this program.
- </div></li></ol></div><div class="figure" id="figu-Security_Guide-The_su_Command-Adding_users_to_the_wheel_group."><div class="figure-contents"><div class="mediaobject"><img src="images/fed-user_pass_groups.png" width="444" alt="Adding users to the "wheel" group." /><div class="longdesc"><div class="para">
+ </div></li></ol></div><div class="figure" id="figu-Security_Guide-The_su_Command-Adding_users_to_the_wheel_group."><div class="figure-contents"><div class="mediaobject"><img src="images/fed-user_pass_groups.png" alt="Adding users to the "wheel" group."/><div class="longdesc"><div class="para">
<span class="guilabel"><strong>Groups</strong></span> pane illustration
- </div></div></div></div><h6>Figure 2.2. Adding users to the "wheel" group.</h6></div><br class="figure-break" /><div class="note"><h2>Note</h2><div class="para">
+ </div></div></div></div><h6>Figure 2.2. Adding users to the "wheel" group.</h6></div><br class="figure-break"/><div class="note"><h2>Note</h2><div class="para">
The root user is part of the <code class="computeroutput">wheel</code> group by default.
</div></div></div><div class="section" title="2.1.4.3.2. The sudo Command"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Limiting_Root_Access-The_sudo_Command">2.1.4.3.2. The <code class="command">sudo</code> Command</h5></div></div></div><div class="para">
The <code class="command">sudo</code> command offers another approach to giving users administrative access. When trusted users precede an administrative command with <code class="command">sudo</code>, they are prompted for <span class="emphasis"><em>their own</em></span> password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
@@ -1008,9 +1006,9 @@
<code class="command">sshd</code> — The OpenSSH server, which is a secure replacement for Telnet.
</div></li></ul></div><div class="para">
When determining whether to leave these services running, it is best to use common sense and err on the side of caution. For example, if a printer is not available, do not leave <code class="command">cupsd</code> running. The same is true for <code class="command">portmap</code>. If you do not mount NFSv3 volumes or use NIS (the <code class="command">ypbind</code> service), then <code class="command">portmap</code> should be disabled.
- </div><div class="figure" id="figu-Security_Guide-Identifying_and_Configuring_Services-Services_Configuration_Tool"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-service_config.png" width="444" alt="Services Configuration Tool" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-Identifying_and_Configuring_Services-Services_Configuration_Tool"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-service_config.png" alt="Services Configuration Tool"/><div class="longdesc"><div class="para">
<span class="application"><strong>Services Configuration Tool</strong></span> illustration
- </div></div></div></div><h6>Figure 2.3. <span class="application">Services Configuration Tool</span></h6></div><br class="figure-break" /><div class="para">
+ </div></div></div></div><h6>Figure 2.3. <span class="application">Services Configuration Tool</span></h6></div><br class="figure-break"/><div class="para">
If unsure of the purpose for a particular service, the <span class="application"><strong>Services Configuration Tool</strong></span> has a description field, illustrated in <a class="xref" href="#figu-Security_Guide-Identifying_and_Configuring_Services-Services_Configuration_Tool" title="Figure 2.3. Services Configuration Tool">Figure 2.3, “<span class="application">Services Configuration Tool</span>â€</a>, that provides additional information.
</div><div class="para">
Checking which network services are available to start at boot time is only part of the story. You should also check which ports are open and listening. Refer to <a class="xref" href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening" title="2.2.8. Verifying Which Ports Are Listening">Section 2.2.8, “Verifying Which Ports Are Listeningâ€</a> for more information.
@@ -1094,7 +1092,7 @@
Although the <code class="command">sshd</code> service is inherently secure, the service <span class="emphasis"><em>must</em></span> be kept up-to-date to prevent security threats. Refer to <a class="xref" href="#sect-Security_Guide-Security_Updates" title="1.5. Security Updates">Section 1.5, “Security Updatesâ€</a> for more information.
</div></div><div class="para">
GPG is one way to ensure private email communication. It can be used both to email sensitive data over public networks and to protect sensitive data on hard drives.
- </div></div></div><div xml:lang="en-US" class="section" title="2.2. Server Security" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Server_Security">2.2. Server Security</h2></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="section" title="2.2. Server Security"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Server_Security">2.2. Server Security</h2></div></div></div><div class="para">
When a system is used as a server on a public network, it becomes a target for attacks. Hardening the system and locking down services is therefore of paramount importance for the system administrator.
</div><div class="para">
Before delving into specific issues, review the following general tips for enhancing server security:
@@ -1470,7 +1468,7 @@
ypbind 657 0 7u IPv4 1319 TCP *:834 (LISTEN)
</pre><div class="para">
These tools reveal a great deal about the status of the services running on a machine. These tools are flexible and can provide a wealth of information about network services and configuration. Refer to the man pages for <code class="command">lsof</code>, <code class="command">netstat</code>, <code class="command">nmap</code>, and <code class="filename">services</code> for more information.
- </div></div></div><div xml:lang="en-US" class="section" title="2.3. Single Sign-on (SSO)" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</h2></div></div></div><div class="section" title="2.3.1. Introduction"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</h3></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="section" title="2.3. Single Sign-on (SSO)"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</h2></div></div></div><div class="section" title="2.3.1. Introduction"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</h3></div></div></div><div class="para">
The Fedora SSO functionality reduces the number of times Fedora desktop users have to enter their passwords. Several major applications leverage the same underlying authentication and authorization mechanisms so that users can log in to Fedora from the log-in screen, and then not need to re-enter their passwords. These applications are detailed below.
</div><div class="para">
In addition, users can log in to their machines even when there is no network (<em class="firstterm">offline mode</em>) or where network connectivity is unreliable, for example, wireless access. In the latter case, services will degrade gracefully.
@@ -1576,9 +1574,9 @@
The enrollment page is displayed on the user's desktop. The user completes the required details and the user's system then connects to the Token Processing System (<abbr class="abbrev">TPS</abbr>) and the <abbr class="abbrev">CA</abbr>.
</div></li><li class="listitem"><div class="para">
The <abbr class="abbrev">TPS</abbr> enrolls the smart card using a certificate signed by the <abbr class="abbrev">CA</abbr>.
- </div></li></ol></div><div class="figure" id="figu-Security_Guide-How_Smart_Card_Enrollment_Works-How_Smart_Card_Enrollment_Works"><div class="figure-contents"><div class="mediaobject"><img src="images/SCLoginEnrollment.png" width="444" alt="How Smart Card Enrollment Works" /><div class="longdesc"><div class="para">
+ </div></li></ol></div><div class="figure" id="figu-Security_Guide-How_Smart_Card_Enrollment_Works-How_Smart_Card_Enrollment_Works"><div class="figure-contents"><div class="mediaobject"><img src="images/SCLoginEnrollment.png" alt="How Smart Card Enrollment Works"/><div class="longdesc"><div class="para">
How Smart Card Enrollment Works.
- </div></div></div></div><h6>Figure 2.4. How Smart Card Enrollment Works</h6></div><br class="figure-break" /></div><div class="section" title="2.3.4. How Smart Card Login Works"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</h3></div></div></div><div class="para">
+ </div></div></div></div><h6>Figure 2.4. How Smart Card Enrollment Works</h6></div><br class="figure-break"/></div><div class="section" title="2.3.4. How Smart Card Login Works"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</h3></div></div></div><div class="para">
This section provides a brief overview of the process of logging in using a smart card.
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
When the user inserts their smart card into the smart card reader, this event is recognized by the PAM facility, which prompts for the user's PIN.
@@ -1586,9 +1584,9 @@
The system then looks up the user's current certificates and verifies their validity. The certificate is then mapped to the user's UID.
</div></li><li class="listitem"><div class="para">
This is validated against the KDC and login granted.
- </div></li></ol></div><div class="figure" id="figu-Security_Guide-How_Smart_Card_Login_Works-How_Smart_Card_Login_Works"><div class="figure-contents"><div class="mediaobject"><img src="images/SCLogin.png" width="444" alt="How Smart Card Login Works" /><div class="longdesc"><div class="para">
+ </div></li></ol></div><div class="figure" id="figu-Security_Guide-How_Smart_Card_Login_Works-How_Smart_Card_Login_Works"><div class="figure-contents"><div class="mediaobject"><img src="images/SCLogin.png" alt="How Smart Card Login Works"/><div class="longdesc"><div class="para">
How Smart Card Login Works.
- </div></div></div></div><h6>Figure 2.5. How Smart Card Login Works</h6></div><br class="figure-break" /><div class="note"><h2>Note</h2><div class="para">
+ </div></div></div></div><h6>Figure 2.5. How Smart Card Login Works</h6></div><br class="figure-break"/><div class="note"><h2>Note</h2><div class="para">
You cannot log in with a card that has not been enrolled, even if it has been formatted. You need to log in with a formatted, enrolled card, or not using a smart card, before you can enroll a new card.
</div></div><div class="para">
Refer to <a class="xref" href="#sect-Security_Guide-Kerberos" title="2.6. Kerberos">Section 2.6, “Kerberosâ€</a> and <a class="xref" href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM" title="2.4. Pluggable Authentication Modules (PAM)">Section 2.4, “Pluggable Authentication Modules (PAM)â€</a> for more information on Kerberos and <acronym class="acronym">PAM</acronym>.
@@ -1610,9 +1608,9 @@
</div><div class="para">
If you do not see these two configuration options listed, your version of Firefox may be too old to support Negotiate authentication, and you should consider upgrading.
</div></div>
- </div></li></ol></div><div class="figure" id="figu-Security_Guide-Configuring_Firefox_to_use_Kerberos_for_SSO-Configuring_Firefox_for_SSO_with_Kerberos"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-firefox_kerberos_SSO.png" width="444" alt="Configuring Firefox for SSO with Kerberos" /><div class="longdesc"><div class="para">
+ </div></li></ol></div><div class="figure" id="figu-Security_Guide-Configuring_Firefox_to_use_Kerberos_for_SSO-Configuring_Firefox_for_SSO_with_Kerberos"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-firefox_kerberos_SSO.png" alt="Configuring Firefox for SSO with Kerberos"/><div class="longdesc"><div class="para">
Configuring Firefox to use Kerberos for SSO.
- </div></div></div></div><h6>Figure 2.6. Configuring Firefox for SSO with Kerberos</h6></div><br class="figure-break" /><div class="para">
+ </div></div></div></div><h6>Figure 2.6. Configuring Firefox for SSO with Kerberos</h6></div><br class="figure-break"/><div class="para">
You now need to ensure that you have Kerberos tickets. In a command shell, type <code class="command">kinit</code> to retrieve Kerberos tickets. To display the list of available tickets, type <code class="command">klist</code>. The following shows an example output from these commands:
</div><pre class="screen">[user at host ~] $ kinit
Password for user at EXAMPLE.COM:
@@ -1653,7 +1651,7 @@
example.com = EXAMPLE.COM
</pre><div class="para">
If nothing appears in the log it is possible that you are behind a proxy, and that proxy is stripping off the HTTP headers required for Negotiate authentication. As a workaround, you can try to connect to the server using HTTPS instead, which allows the request to pass through unmodified. Then proceed to debug using the log file, as described above.
- </div></div></div></div><div xml:lang="en-US" class="section" title="2.4. Pluggable Authentication Modules (PAM)" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</h2></div></div></div><div class="para">
+ </div></div></div></div><div xml:lang="en-US" class="section" title="2.4. Pluggable Authentication Modules (PAM)"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</h2></div></div></div><div class="para">
Programs that grant users access to a system use <em class="firstterm">authentication</em> to verify each other's identity (that is, to establish that a user is who they say they are).
</div><div class="para">
Historically, each program had its own way of authenticating users. In Fedora, many programs are configured to use a centralized authentication mechanism called <em class="firstterm">Pluggable Authentication Modules</em> (<acronym class="acronym">PAM</acronym>).
@@ -1804,13 +1802,13 @@
You can verify the actual state of the timestamp file by inspecting the <code class="filename">/var/run/sudo/<user></code> file. For the desktop, the relevant file is <code class="filename">unknown:root</code>. If it is present and its timestamp is less than five minutes old, the credentials are valid.
</div><div class="para">
The existence of the timestamp file is indicated by an authentication icon, which appears in the notification area of the panel.
- </div><div class="figure" id="figu-Security_Guide-PAM_and_Administrative_Credential_Caching-The_Authentication_Icon"><div class="figure-contents"><div class="mediaobject"><img src="images/authicon.png" alt="The Authentication Icon" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-PAM_and_Administrative_Credential_Caching-The_Authentication_Icon"><div class="figure-contents"><div class="mediaobject"><img src="images/authicon.png" alt="The Authentication Icon"/><div class="longdesc"><div class="para">
Illustration of the authentication icon.
- </div></div></div></div><h6>Figure 2.7. The Authentication Icon</h6></div><br class="figure-break" /><div class="section" title="2.4.6.1. Removing the Timestamp File"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-PAM_and_Administrative_Credential_Caching-Removing_the_Timestamp_File">2.4.6.1. Removing the Timestamp File</h4></div></div></div><div class="para">
+ </div></div></div></div><h6>Figure 2.7. The Authentication Icon</h6></div><br class="figure-break"/><div class="section" title="2.4.6.1. Removing the Timestamp File"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-PAM_and_Administrative_Credential_Caching-Removing_the_Timestamp_File">2.4.6.1. Removing the Timestamp File</h4></div></div></div><div class="para">
Before abandoning a console where a PAM timestamp is active, it is recommended that the timestamp file be destroyed. To do this from a graphical environment, click the authentication icon on the panel. This causes a dialog box to appear. Click the <span class="guibutton"><strong>Forget Authorization</strong></span> button to destroy the active timestamp file.
- </div><div class="figure" id="figu-Security_Guide-Removing_the_Timestamp_File-Dismiss_Authentication_Dialog"><div class="figure-contents"><div class="mediaobject"><img src="images/auth-panel.png" width="444" alt="Dismiss Authentication Dialog" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-Removing_the_Timestamp_File-Dismiss_Authentication_Dialog"><div class="figure-contents"><div class="mediaobject"><img src="images/auth-panel.png" alt="Dismiss Authentication Dialog"/><div class="longdesc"><div class="para">
Illustration of the authentication dismissal dialog box.
- </div></div></div></div><h6>Figure 2.8. Dismiss Authentication Dialog</h6></div><br class="figure-break" /><div class="para">
+ </div></div></div></div><h6>Figure 2.8. Dismiss Authentication Dialog</h6></div><br class="figure-break"/><div class="para">
You should be aware of the following with respect to the PAM timestamp file:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
If logged in to the system remotely using <code class="command">ssh</code>, use the <code class="command">/sbin/pam_timestamp_check -k root</code> command to destroy the timestamp file.
@@ -1901,13 +1899,13 @@
<a href="http://www.kernel.org/pub/linux/libs/pam/">http://www.kernel.org/pub/linux/libs/pam/</a> — The primary distribution website for the Linux-PAM project, containing information on various PAM modules, a FAQ, and additional PAM documentation.
</div><div class="note"><h2>Note</h2><div class="para">
The documentation in the above website is for the last released upstream version of PAM and might not be 100% accurate for the PAM version included in Fedora.
- </div></div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" title="2.5. TCP Wrappers and xinetd" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP Wrappers and xinetd</h2></div></div></div><div class="para">
+ </div></div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" title="2.5. TCP Wrappers and xinetd"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP Wrappers and xinetd</h2></div></div></div><div class="para">
Controlling access to network services is one of the most important security tasks facing a server administrator. Fedora provides several tools for this purpose. For example, an <code class="command">iptables</code>-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that utilize it, <em class="firstterm">TCP Wrappers</em> add an additional layer of protection by defining which hosts are or are not allowed to connect to "<span class="emphasis"><em>wrapped</em></span>" network services. One such wrapped network service is the <code class="systemitem">xinetd</code> <span class="emphasis"><em>super server</em></span>. This service is called a super server because it controls connections to a subset of network services and further refines access control.
</div><div class="para">
<a class="xref" href="#figu-Security_Guide-TCP_Wrappers_and_xinetd-Access_Control_to_Network_Services" title="Figure 2.9. Access Control to Network Services">Figure 2.9, “Access Control to Network Servicesâ€</a> is a basic illustration of how these tools work together to protect network services.
- </div><div class="figure" id="figu-Security_Guide-TCP_Wrappers_and_xinetd-Access_Control_to_Network_Services"><div class="figure-contents"><div class="mediaobject"><img src="images/tcp_wrap_diagram.png" alt="Access Control to Network Services" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-TCP_Wrappers_and_xinetd-Access_Control_to_Network_Services"><div class="figure-contents"><div class="mediaobject"><img src="images/tcp_wrap_diagram.png" alt="Access Control to Network Services"/><div class="longdesc"><div class="para">
Exhibit A: Access Control to Network Services Flowchart
- </div></div></div></div><h6>Figure 2.9. Access Control to Network Services</h6></div><br class="figure-break" /><div class="para">
+ </div></div></div></div><h6>Figure 2.9. Access Control to Network Services</h6></div><br class="figure-break"/><div class="para">
This chapter focuses on the role of TCP Wrappers and <code class="systemitem">xinetd</code> in controlling access to network services and reviews how these tools can be used to enhance both logging and utilization management. Refer to <a class="xref" href="#sect-Security_Guide-IPTables" title="2.9. IPTables">Section 2.9, “IPTablesâ€</a> for information about using firewalls with <code class="command">iptables</code>.
</div><div class="section" title="2.5.1. TCP Wrappers"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</h3></div></div></div><div class="para">
The TCP Wrappers package (<code class="filename">tcp_wrappers</code>) is installed by default and provides host-based access control to network services. The most important component within the package is the <code class="filename">/usr/lib/libwrap.a</code> library. In general terms, a TCP-wrapped service is one that has been compiled against the <code class="filename">libwrap.a</code> library.
@@ -2351,14 +2349,14 @@
<a href="http://www.docstoc.com/docs/2133633/An-Unofficial-Xinetd-Tutorial">http://www.docstoc.com/docs/2133633/An-Unofficial-Xinetd-Tutorial</a> — A thorough tutorial that discusses many different ways to optimize default <code class="systemitem">xinetd</code> configuration files to meet specific security goals.
</div></li></ul></div></div><div class="section" title="2.5.5.3. Related Books"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Additional_Resources-Related_Books">2.5.5.3. Related Books</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<em class="citetitle">Hacking Linux Exposed</em> by Brian Hatch, James Lee, and George Kurtz; Osbourne/McGraw-Hill — An excellent security resource with information about TCP Wrappers and <code class="systemitem">xinetd</code>.
- </div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" title="2.6. Kerberos" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Kerberos">2.6. Kerberos</h2></div></div></div><div class="para">
+ </div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" title="2.6. Kerberos"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Kerberos">2.6. Kerberos</h2></div></div></div><div class="para">
System security and integrity within a network can be unwieldy. It can occupy the time of several administrators just to keep track of what services are being run on a network and the manner in which these services are used.
</div><div class="para">
Further, authenticating users to network services can prove dangerous when the method used by the protocol is inherently insecure, as evidenced by the transfer of unencrypted passwords over a network using the traditional FTP and Telnet protocols.
</div><div class="para">
Kerberos is a way to eliminate the need for protocols that allow unsafe methods of authentication, thereby enhancing overall network security.
</div><div class="section" title="2.6.1. What is Kerberos?"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</h3></div></div></div><div class="para">
- Kerberos is a network authentication protocol created by MIT, and uses symmetric-key cryptography<sup>[<a id="id564913" href="#ftn.id564913" class="footnote">14</a>]</sup> to authenticate users to network services, which means passwords are never actually sent over the network.
+ Kerberos is a network authentication protocol created by MIT, and uses symmetric-key cryptography<sup>[<a id="d0e7547" href="#ftn.d0e7547" class="footnote">14</a>]</sup> to authenticate users to network services, which means passwords are never actually sent over the network.
</div><div class="para">
Consequently, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted.
</div><div class="section" title="2.6.1.1. Advantages of Kerberos"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Kerberos-Advantages_of_Kerberos">2.6.1.1. Advantages of Kerberos</h4></div></div></div><div class="para">
@@ -2530,9 +2528,9 @@
When a client attempts to access a service running on a particular server, it knows the name of the service (<span class="emphasis"><em>host</em></span>) and the name of the server (<span class="emphasis"><em>foo.example.com</em></span>), but because more than one realm may be deployed on your network, it must guess at the name of the realm in which the service resides.
</div><div class="para">
By default, the name of the realm is taken to be the DNS domain name of the server, upper-cased.
- </div><div class="literallayout"><p>foo.example.org → EXAMPLE.ORG<br />
- foo.example.com → EXAMPLE.COM<br />
- foo.hq.example.com → HQ.EXAMPLE.COM<br />
+ </div><div class="literallayout"><p>foo.example.org → EXAMPLE.ORG<br/>
+ foo.example.com → EXAMPLE.COM<br/>
+ foo.hq.example.com → HQ.EXAMPLE.COM<br/>
</p></div><div class="para">
In some configurations, this will be sufficient, but in others, the realm name which is derived will be the name of a non-existant realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be specified in the <span class="emphasis"><em>domain_realm</em></span> section of the client system's <code class="filename">krb5.conf</code>. For example:
</div><pre class="screen">[domain_realm]
@@ -2592,14 +2590,14 @@
<code class="prompt">kadmin:</code> <strong class="userinput"><code>quit</code></strong>
</pre><div class="para">
With its service key, the slave KDC could authenticate any client which would connect to it. Obviously, not all of them should be allowed to provide the slave's <code class="command">kprop</code> service with a new realm database. To restrict access, the <code class="command">kprop</code> service on the slave KDC will only accept updates from clients whose principal names are listed in <code class="filename">/var/kerberos/krb5kdc/kpropd.acl</code>. Add the master KDC's host service's name to that file.
- </div><div class="literallayout"><p> <code class="computeroutput"><code class="prompt">#</code> <strong class="userinput"><code>echo host/masterkdc.example.com at EXAMPLE.COM > /var/kerberos/krb5kdc/kpropd.acl</code></strong></code><br />
+ </div><div class="literallayout"><p> <code class="computeroutput"><code class="prompt">#</code> <strong class="userinput"><code>echo host/masterkdc.example.com at EXAMPLE.COM > /var/kerberos/krb5kdc/kpropd.acl</code></strong></code><br/>
</p></div><div class="para">
Once the slave KDC has obtained a copy of the database, it will also need the master key which was used to encrypt it. If your KDC database's master key is stored in a <span class="emphasis"><em>stash</em></span> file on the master KDC (typically named <code class="filename">/var/kerberos/krb5kdc/.k5.REALM</code>, either copy it to the slave KDC using any available secure method, or create a dummy database and identical stash file on the slave KDC by running <code class="command">kdb5_util create -s</code> (the dummy database will be overwritten by the first successful database propagation) and supplying the same password.
</div><div class="para">
Ensure that the slave KDC's firewall allows the master KDC to contact it using TCP on port 754 (<span class="emphasis"><em>krb5_prop</em></span>), and start the <code class="command">kprop</code> service. Then, double-check that the <code class="command">kadmin</code> service is <span class="emphasis"><em>disabled</em></span>.
</div><div class="para">
Now perform a manual database propagation test by dumping the realm database, on the master KDC, to the default data file which the <code class="command">kprop</code> command will read (<code class="filename">/var/kerberos/krb5kdc/slave_datatrans</code>), and then use the <code class="command">kprop</code> command to transmit its contents to the slave KDC.
- </div><div class="literallayout"><p> <code class="computeroutput"><code class="prompt">#</code> <strong class="userinput"><code>/usr/kerberos/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans</code></strong><code class="prompt">#</code> <strong class="userinput"><code>kprop slavekdc.example.com</code></strong></code><br />
+ </div><div class="literallayout"><p> <code class="computeroutput"><code class="prompt">#</code> <strong class="userinput"><code>/usr/kerberos/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans</code></strong><code class="prompt">#</code> <strong class="userinput"><code>kprop slavekdc.example.com</code></strong></code><br/>
</p></div><div class="para">
Using <code class="command">kinit</code>, verify that a client system whose <code class="filename">krb5.conf</code> lists only the slave KDC in its list of KDCs for your realm is now correctly able to obtain initial credentials from the slave KDC.
</div><div class="para">
@@ -2610,7 +2608,7 @@
For the simplest case, in order for a client of a realm named <code class="literal">A.EXAMPLE.COM</code> to access a service in the <code class="literal">B.EXAMPLE.COM</code> realm, both realms must share a key for a principal named <code class="literal">krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM</code>, and both keys must have the same key version number associated with them.
</div><div class="para">
To accomplish this, select a very strong password or passphrase, and create an entry for the principal in both realms using kadmin.
- </div><div class="literallayout"><p> <code class="computeroutput"><code class="prompt">#</code> <strong class="userinput"><code>kadmin -r A.EXAMPLE.COM</code></strong></code> <code class="computeroutput"><code class="prompt">kadmin:</code> <strong class="userinput"><code>add_principal krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM</code></strong></code> <code class="computeroutput">Enter password for principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM":</code> <code class="computeroutput">Re-enter password for principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM":</code> <code class="computeroutput">Principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM" created.</code> <strong class="userinput"><code>quit</code></strong> <code class="computeroutput"><code class="prompt">#</code> <strong class="userinput"><code>kadmin -r B.EXAMPLE.COM</code></strong></code> <code class="computeroutput"><code class="prompt">kadmin:</code> <strong class="userinput"><code>add_principal krbtgt/B.EXA
MPLE.COM at A.EXAMPLE.COM</code></strong></code> <code class="computeroutput">Enter password for principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM":</code> <code class="computeroutput">Re-enter password for principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM":</code> <code class="computeroutput">Principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM" created.</code> <strong class="userinput"><code>quit</code></strong><br />
+ </div><div class="literallayout"><p> <code class="computeroutput"><code class="prompt">#</code> <strong class="userinput"><code>kadmin -r A.EXAMPLE.COM</code></strong></code> <code class="computeroutput"><code class="prompt">kadmin:</code> <strong class="userinput"><code>add_principal krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM</code></strong></code> <code class="computeroutput">Enter password for principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM":</code> <code class="computeroutput">Re-enter password for principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM":</code> <code class="computeroutput">Principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM" created.</code> <strong class="userinput"><code>quit</code></strong> <code class="computeroutput"><code class="prompt">#</code> <strong class="userinput"><code>kadmin -r B.EXAMPLE.COM</code></strong></code> <code class="computeroutput"><code class="prompt">kadmin:</code> <strong class="userinput"><code>add_principal krbtgt/B.EXA
MPLE.COM at A.EXAMPLE.COM</code></strong></code> <code class="computeroutput">Enter password for principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM":</code> <code class="computeroutput">Re-enter password for principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM":</code> <code class="computeroutput">Principal "krbtgt/B.EXAMPLE.COM at A.EXAMPLE.COM" created.</code> <strong class="userinput"><code>quit</code></strong><br/>
</p></div><div class="para">
Use the <code class="command">get_principal</code> command to verify that both entries have matching key version numbers (<code class="literal">kvno</code> values) and encryption types.
</div><div class="important"><h2>Dumping the Database Doesn't Do It</h2><div class="para">
@@ -2625,7 +2623,7 @@
Now you face the more conventional problems: the client's system must be configured so that it can properly deduce the realm to which a particular service belongs, and it must be able to determine how to obtain credentials for services in that realm.
</div><div class="para">
First things first: the principal name for a service provided from a specific server system in a given realm typically looks like this:
- </div><div class="literallayout"><p>service/server.example.com at EXAMPLE.COM<br />
+ </div><div class="literallayout"><p>service/server.example.com at EXAMPLE.COM<br/>
</p></div><div class="para">
In this example, <span class="emphasis"><em>service</em></span> is typically either the name of the protocol in use (other common values include <span class="emphasis"><em>ldap</em></span>, <span class="emphasis"><em>imap</em></span>, <span class="emphasis"><em>cvs</em></span>, and <span class="emphasis"><em>HTTP</em></span>) or <span class="emphasis"><em>host</em></span>, <span class="emphasis"><em>server.example.com</em></span> is the fully-qualified domain name of the system which runs the service, and <code class="literal">EXAMPLE.COM</code> is the name of the realm.
</div><div class="para">
@@ -2673,13 +2671,13 @@
The format of the <code class="literal">capaths</code> section is relatively straightforward: each entry in the section is named after a realm in which a client might exist. Inside of that subsection, the set of intermediate realms from which the client must obtain credentials is listed as values of the key which corresponds to the realm in which a service might reside. If there are no intermediate realms, the value "." is used.
</div><div class="para">
Here's an example:
- </div><div class="literallayout"><p> [capaths]<br />
- A.EXAMPLE.COMÂ =Â {<br />
- B.EXAMPLE.COMÂ =Â .<br />
- C.EXAMPLE.COMÂ =Â B.EXAMPLE.COM<br />
- D.EXAMPLE.COMÂ =Â B.EXAMPLE.COM<br />
- D.EXAMPLE.COMÂ =Â C.EXAMPLE.COM<br />
- }<br />
+ </div><div class="literallayout"><p> [capaths]<br/>
+ A.EXAMPLE.COMÂ =Â {<br/>
+ B.EXAMPLE.COMÂ =Â .<br/>
+ C.EXAMPLE.COMÂ =Â B.EXAMPLE.COM<br/>
+ D.EXAMPLE.COMÂ =Â B.EXAMPLE.COM<br/>
+ D.EXAMPLE.COMÂ =Â C.EXAMPLE.COM<br/>
+ }<br/>
</p></div><div class="para">
In this example, clients in the <code class="literal">A.EXAMPLE.COM</code> realm can obtain cross-realm credentials for <code class="literal">B.EXAMPLE.COM</code> directly from the <code class="literal">A.EXAMPLE.COM</code> KDC.
</div><div class="para">
@@ -2690,7 +2688,7 @@
Without a capath entry indicating otherwise, Kerberos assumes that cross-realm trust relationships form a hierarchy.
</div><div class="para">
Clients in the <code class="literal">A.EXAMPLE.COM</code> realm can obtain cross-realm credentials from <code class="literal">B.EXAMPLE.COM</code> realm directly. Without the "." indicating this, the client would instead attempt to use a hierarchical path, in this case:
- </div><div class="literallayout"><p> A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM<br />
+ </div><div class="literallayout"><p> A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM<br/>
</p></div></div></div><div class="section" title="2.6.10. Additional Resources"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</h3></div></div></div><div class="para">
For more information about Kerberos, refer to the following resources.
</div><div class="section" title="2.6.10.1. Installed Kerberos Documentation"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Additional_Resources-Installed_Kerberos_Documentation">2.6.10.1. Installed Kerberos Documentation</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
@@ -2731,7 +2729,7 @@
<a href="http://www.ornl.gov/~jar/HowToKerb.html">http://www.ornl.gov/~jar/HowToKerb.html</a> — <em class="citetitle">How to Kerberize your site</em> is a good reference for kerberizing a network.
</div></li><li class="listitem"><div class="para">
<a href="http://www.networkcomputing.com/netdesign/kerb1.html">http://www.networkcomputing.com/netdesign/kerb1.html</a> — <em class="citetitle">Kerberos Network Design Manual</em> is a thorough overview of the Kerberos system.
- </div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" title="2.7. Virtual Private Networks (VPNs)" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</h2></div></div></div><div class="para">
+ </div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" title="2.7. Virtual Private Networks (VPNs)"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</h2></div></div></div><div class="para">
Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or <em class="firstterm">Asynchronous Transfer Mode</em> (<acronym class="acronym">ATM</acronym>) lines as an end-to-end networking solution to link one office with others. This can be an expensive proposition, especially for small to medium sized businesses (<acronym class="acronym">SMB</acronym>s) that want to expand without paying the high costs associated with enterprise-level, dedicated digital circuits.
</div><div class="para">
To address this need, <em class="firstterm">Virtual Private Networks</em> (<abbr class="abbrev">VPN</abbr>s) were developed. Following the same functional principles as dedicated circuits, <abbr class="abbrev">VPN</abbr>s allow for secured digital communication between two parties (or networks), creating a <em class="firstterm">Wide Area Network</em> (<acronym class="acronym">WAN</acronym>) from existing <em class="firstterm">Local Area Networks</em> (<acronym class="acronym">LAN</acronym>s). Where it differs from frame relay or ATM is in its transport medium. <abbr class="abbrev">VPN</abbr>s transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software <abbr class="abbrev">VPN</abbr> implementations incorporate open standard encryption methods to further mask data in transit.
@@ -2833,9 +2831,9 @@
Repeat the entire procedure for the other host. It is essential that the same keys from step <a class="xref" href="#list-Security_Guide-list-Security_Guide-list-Security_Guide-st-host-to-host-keys">8</a> be used on the other hosts. Otherwise, <abbr class="abbrev">IPsec</abbr> will not work.
</div></li></ol></div><div class="para">
After configuring the <abbr class="abbrev">IPsec</abbr> connection, it appears in the <abbr class="abbrev">IPsec</abbr> list as shown in <a class="xref" href="#figu-Security_Guide-Host_to_Host_Connection-IPsec_Connection" title="Figure 2.10. IPsec Connection">Figure 2.10, “IPsec Connectionâ€</a>.
- </div><div class="figure" id="figu-Security_Guide-Host_to_Host_Connection-IPsec_Connection"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-ipsec_host2host.png" width="444" alt="IPsec Connection" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-Host_to_Host_Connection-IPsec_Connection"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-ipsec_host2host.png" alt="IPsec Connection"/><div class="longdesc"><div class="para">
IPsec Connection
- </div></div></div></div><h6>Figure 2.10. IPsec Connection</h6></div><br class="figure-break" /><div class="para">
+ </div></div></div></div><h6>Figure 2.10. IPsec Connection</h6></div><br class="figure-break"/><div class="para">
The following files are created when the <abbr class="abbrev">IPsec</abbr> connection is configured:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<code class="filename">/etc/sysconfig/network-scripts/ifcfg-<em class="replaceable"><code><nickname></code></em></code>
@@ -2952,9 +2950,9 @@
IP 172.16.45.107 > 172.16.44.192: AH(spi=0x0954ccb6,seq=0xbb): ESP(spi=0x0c9f2164,seq=0xbb)
</pre></div></div></div><div class="section" title="2.7.7. IPsec Network-to-Network Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</h3></div></div></div><div class="para">
IPsec can also be configured to connect an entire network (such as a <acronym class="acronym">LAN</acronym> or <acronym class="acronym">WAN</acronym>) to a remote network using a network-to-network connection. A network-to-network connection requires the setup of <abbr class="abbrev">IPsec</abbr> routers on each side of the connecting networks to transparently process and route information from one node on a <acronym class="acronym">LAN</acronym> to a node on a remote <acronym class="acronym">LAN</acronym>. <a class="xref" href="#figu-Security_Guide-IPsec_Network_to_Network_Configuration-A_network_to_network_IPsec_tunneled_connection" title="Figure 2.11. A network-to-network IPsec tunneled connection">Figure 2.11, “A network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connectionâ€</a> shows a network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connection.
- </div><div class="figure" id="figu-Security_Guide-IPsec_Network_to_Network_Configuration-A_network_to_network_IPsec_tunneled_connection"><div class="figure-contents"><div class="mediaobject"><img src="images/n-t-n-ipsec-diagram.png" width="444" alt="A network-to-network IPsec tunneled connection" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-IPsec_Network_to_Network_Configuration-A_network_to_network_IPsec_tunneled_connection"><div class="figure-contents"><div class="mediaobject"><img src="images/n-t-n-ipsec-diagram.png" alt="A network-to-network IPsec tunneled connection"/><div class="longdesc"><div class="para">
A network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connection
- </div></div></div></div><h6>Figure 2.11. A network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connection</h6></div><br class="figure-break" /><div class="para">
+ </div></div></div></div><h6>Figure 2.11. A network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connection</h6></div><br class="figure-break"/><div class="para">
This diagram shows two separate <acronym class="acronym">LAN</acronym>s separated by the Internet. These <acronym class="acronym">LAN</acronym>s use <abbr class="abbrev">IPsec</abbr> routers to authenticate and initiate a connection using a secure tunnel through the Internet. Packets that are intercepted in transit would require brute-force decryption in order to crack the cipher protecting the packets between these <acronym class="acronym">LAN</acronym>s. The process of communicating from one node in the 192.168.1.0/24 IP range to another in the 192.168.2.0/24 range is completely transparent to the nodes as the processing, encryption/decryption, and routing of the <abbr class="abbrev">IPsec</abbr> packets are completely handled by the <abbr class="abbrev">IPsec</abbr> router.
</div><div class="para">
The information needed for a network-to-network connection include:
@@ -2976,9 +2974,9 @@
For example, as shown in <a class="xref" href="#figu-Security_Guide-Network_to_Network_VPN_Connection-Network_to_Network_IPsec" title="Figure 2.12. Network-to-Network IPsec">Figure 2.12, “Network-to-Network IPsecâ€</a>, if the 192.168.1.0/24 private network sends network traffic to the 192.168.2.0/24 private network, the packets go through gateway0, to ipsec0, through the Internet, to ipsec1, to gateway1, and to the 192.168.2.0/24 subnet.
</div><div class="para">
<abbr class="abbrev">IPsec</abbr> routers require publicly addressable IP addresses and a second Ethernet device connected to their respective private networks. Traffic only travels through an <abbr class="abbrev">IPsec</abbr> router if it is intended for another <abbr class="abbrev">IPsec</abbr> router with which it has an encrypted connection.
- </div><div class="figure" id="figu-Security_Guide-Network_to_Network_VPN_Connection-Network_to_Network_IPsec"><div class="figure-contents"><div class="mediaobject"><img src="images/n-t-n-ipsec-diagram.png" width="444" alt="Network-to-Network IPsec" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-Network_to_Network_VPN_Connection-Network_to_Network_IPsec"><div class="figure-contents"><div class="mediaobject"><img src="images/n-t-n-ipsec-diagram.png" alt="Network-to-Network IPsec"/><div class="longdesc"><div class="para">
Network-to-Network IPsec
- </div></div></div></div><h6>Figure 2.12. Network-to-Network IPsec</h6></div><br class="figure-break" /><div class="para">
+ </div></div></div></div><h6>Figure 2.12. Network-to-Network IPsec</h6></div><br class="figure-break"/><div class="para">
Alternate network configuration options include a firewall between each IP router and the Internet, and an intranet firewall between each <abbr class="abbrev">IPsec</abbr> router and subnet gateway. The <abbr class="abbrev">IPsec</abbr> router and the gateway for the subnet can be one system with two Ethernet devices: one with a public IP address that acts as the <abbr class="abbrev">IPsec</abbr> router; and one with a private IP address that acts as the gateway for the private subnet. Each <abbr class="abbrev">IPsec</abbr> router can use the gateway for its private network or a public gateway to send the packets to the other <abbr class="abbrev">IPsec</abbr> router.
</div><div class="para">
Use the following procedure to configure a network-to-network <abbr class="abbrev">IPsec</abbr> connection:
@@ -3008,9 +3006,9 @@
<span class="guilabel"><strong>Local Network Gateway</strong></span> — The gateway for the private subnet.
</div></li></ul></div><div class="para">
Click <span class="guibutton"><strong>Forward</strong></span> to continue.
- </div><div class="figure" id="figu-Security_Guide-Network_to_Network_VPN_Connection-Local_Network_Information"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-ipsec_n_to_n_local.png" width="444" alt="Local Network Information" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-Network_to_Network_VPN_Connection-Local_Network_Information"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-ipsec_n_to_n_local.png" alt="Local Network Information"/><div class="longdesc"><div class="para">
Local Network Information
- </div></div></div></div><h6>Figure 2.13. Local Network Information</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
+ </div></div></div></div><h6>Figure 2.13. Local Network Information</h6></div><br class="figure-break"/></li><li class="listitem"><div class="para">
On the <span class="guilabel"><strong>Remote Network</strong></span> page, enter the following information:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="guilabel"><strong>Remote IP Address</strong></span> — The publicly addressable IP address of the <abbr class="abbrev">IPsec</abbr> router for the <span class="emphasis"><em>other</em></span> private network. In our example, for ipsec0, enter the publicly addressable IP address of ipsec1, and vice versa.
@@ -3026,9 +3024,9 @@
Specify an authentication key or click <span class="guibutton"><strong>Generate</strong></span> to generate one. This key can be any combination of numbers and letters.
</div></li></ul></div><div class="para">
Click <span class="guibutton"><strong>Forward</strong></span> to continue.
- </div><div class="figure" id="figu-Security_Guide-Network_to_Network_VPN_Connection-Remote_Network_Information"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-ipsec_n_to_n_remote.png" width="444" alt="Remote Network Information" /><div class="longdesc"><div class="para">
+ </div><div class="figure" id="figu-Security_Guide-Network_to_Network_VPN_Connection-Remote_Network_Information"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-ipsec_n_to_n_remote.png" alt="Remote Network Information"/><div class="longdesc"><div class="para">
Remote Network Information
- </div></div></div></div><h6>Figure 2.14. Remote Network Information</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
+ </div></div></div></div><h6>Figure 2.14. Remote Network Information</h6></div><br class="figure-break"/></li><li class="listitem"><div class="para">
Verify the information on the <span class="guilabel"><strong>IPsec — Summary</strong></span> page, and then click <span class="guibutton"><strong>Apply</strong></span>.
</div></li><li class="listitem"><div class="para">
Select <span class="guimenu"><strong>File</strong></span> => <span class="guimenuitem"><strong>Save</strong></span> to save the configuration.
@@ -3143,13 +3141,13 @@
</div><div class="para">
To stop the connection, use the following command:
</div><pre class="screen">[root at myServer ~] # /sbin/ifdown <em class="replaceable"><code><nickname></code></em>
-</pre></div></div><div xml:lang="en-US" class="section" title="2.8. Firewalls" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Firewalls">2.8. Firewalls</h2></div></div></div><div class="para">
+</pre></div></div><div xml:lang="en-US" class="section" title="2.8. Firewalls"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Firewalls">2.8. Firewalls</h2></div></div></div><div class="para">
Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Fedora includes several tools to assist administrators and security engineers with network-level access control issues.
</div><div class="para">
Firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint, McAfee, and Symantec have also developed proprietary software firewall solutions for home and business markets.
</div><div class="para">
Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. <a class="xref" href="#tabl-Security_Guide-Firewalls-Firewall_Types" title="Table 2.2. Firewall Types">Table 2.2, “Firewall Typesâ€</a> details three common types of firewalls and how they function:
- </div><div class="table" id="tabl-Security_Guide-Firewalls-Firewall_Types"><div class="table-contents"><table summary="Firewall Types" border="1"><colgroup><col width="10%" /><col width="30%" /><col width="30%" /><col width="30%" /></colgroup><thead><tr><th>
+ </div><div class="table" id="tabl-Security_Guide-Firewalls-Firewall_Types"><div class="table-contents"><table summary="Firewall Types" border="1"><colgroup><col width="1*"/><col width="3*"/><col width="3*"/><col width="3*"/></colgroup><thead><tr><th>
Method
</th><th>
Description
@@ -3181,7 +3179,7 @@
<table border="0" summary="Simple list" class="simplelist"><tr><td> · Gives administrators control over what applications and protocols function outside of the LAN </td></tr><tr><td> · Some proxy servers can cache frequently-accessed data locally rather than having to use the Internet connection to request it. This helps to reduce bandwidth consumption </td></tr><tr><td> · Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network </td></tr></table>
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> · Proxies are often application-specific (HTTP, Telnet, etc.), or protocol-restricted (most proxies work with TCP-connected services only) </td></tr><tr><td> · Application services cannot run behind a proxy, so your application servers must use a separate form of network security </td></tr><tr><td> · Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service </td></tr></table>
- </td></tr></tbody></table></div><h6>Table 2.2. Firewall Types</h6></div><br class="table-break" /><div class="section" title="2.8.1. Netfilter and IPTables"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</h3></div></div></div><div class="para">
+ </td></tr></tbody></table></div><h6>Table 2.2. Firewall Types</h6></div><br class="table-break"/><div class="section" title="2.8.1. Netfilter and IPTables"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</h3></div></div></div><div class="para">
The Linux kernel features a powerful networking subsystem called <em class="firstterm">Netfilter</em>. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to <em class="firstterm">mangle</em> IP header information for advanced routing and connection state management. Netfilter is controlled using the <code class="command">iptables</code> tool.
</div><div class="section" title="2.8.1.1. IPTables Overview"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Netfilter_and_IPTables-IPTables_Overview">2.8.1.1. IPTables Overview</h4></div></div></div><div class="para">
The power and flexibility of Netfilter is implemented using the <code class="command">iptables</code> administration tool, a command line tool similar in syntax to its predecessor, <code class="command">ipchains</code>, which Netfilter/iptables replaced in the Linux kernel 2.4 and above.
@@ -3200,9 +3198,9 @@
</div><div class="para">
To start this application, use the following command:
</div><pre class="screen">[root at myServer ~] # system-config-firewall
-</pre><div class="figure" id="figu-Security_Guide-RHSECLEVELTOOL-RHSECLEVELTOOL"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-firewall_config.png" width="444" alt="Firewall Configuration Tool" /><div class="longdesc"><div class="para">
+</pre><div class="figure" id="figu-Security_Guide-RHSECLEVELTOOL-RHSECLEVELTOOL"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-firewall_config.png" alt="Firewall Configuration Tool"/><div class="longdesc"><div class="para">
Security Level Configuration
- </div></div></div></div><h6>Figure 2.15. <span class="application">Firewall Configuration Tool</span></h6></div><br class="figure-break" /><div class="note"><h2>Note</h2><div class="para">
+ </div></div></div></div><h6>Figure 2.15. <span class="application">Firewall Configuration Tool</span></h6></div><br class="figure-break"/><div class="note"><h2>Note</h2><div class="para">
The <span class="application"><strong>Firewall Configuration Tool</strong></span> only configures a basic firewall. If the system needs more complex rules, refer to <a class="xref" href="#sect-Security_Guide-IPTables" title="2.9. IPTables">Section 2.9, “IPTablesâ€</a> for details on configuring specific <code class="command">iptables</code> rules.
</div></div></div><div class="section" title="2.8.2.2. Enabling and Disabling the Firewall"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Basic_Firewall_Configuration-Enabling_and_Disabling_the_Firewall">2.8.2.2. Enabling and Disabling the Firewall</h4></div></div></div><div class="para">
Select one of the following options for the firewall:
@@ -3445,7 +3443,7 @@
<em class="citetitle">Red Hat Linux Firewalls</em>, by Bill McCarty; Red Hat Press — a comprehensive reference to building network and server firewalls using open source packet filtering technology such as Netfilter and <code class="command">iptables</code>. It includes topics that cover analyzing firewall logs, developing firewall rules, and customizing your firewall using various graphical tools.
</div></li><li class="listitem"><div class="para">
<em class="citetitle">Linux Firewalls</em>, by Robert Ziegler; New Riders Press — contains a wealth of information on building firewalls using both 2.2 kernel <code class="command">ipchains</code> as well as Netfilter and <code class="command">iptables</code>. Additional security topics such as remote access issues and intrusion detection systems are also covered.
- </div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" title="2.9. IPTables" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-IPTables">2.9. IPTables</h2></div></div></div><div class="para">
+ </div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" title="2.9. IPTables"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-IPTables">2.9. IPTables</h2></div></div></div><div class="para">
Included with Fedora are advanced tools for network <em class="firstterm">packet filtering</em> — the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Kernel versions prior to 2.4 relied on <code class="command">ipchains</code> for packet filtering and used lists of rules applied to packets at each step of the filtering process. The 2.4 kernel introduced <code class="command">iptables</code> (also called <em class="firstterm">netfilter</em>), which is similar to <code class="command">ipchains</code> but greatly expands the scope and control available for filtering network packets.
</div><div class="para">
This chapter focuses on packet filtering basics, explains various options available with <code class="command">iptables</code> commands, and explains how filtering rules can be preserved between system reboots.
@@ -3908,15 +3906,15 @@
<a href="http://www.netfilter.org/">http://www.netfilter.org/</a> — The home of the netfilter/iptables project. Contains assorted information about <code class="command">iptables</code>, including a FAQ addressing specific problems and various helpful guides by Rusty Russell, the Linux IP firewall maintainer. The HOWTO documents on the site cover subjects such as basic networking concepts, kernel packet filtering, and NAT configurations.
</div></li><li class="listitem"><div class="para">
<a href="http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html">http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html</a> — An introduction to the way packets move through the Linux kernel, plus an introduction to constructing basic <code class="command">iptables</code> commands.
- </div></li></ul></div></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id534033" href="#id534033" class="para">11</a>] </sup>
+ </div></li></ul></div></div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e1504" href="#d0e1504" class="para">11</a>] </sup>
Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id634479" href="#id634479" class="para">12</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e1610" href="#d0e1610" class="para">12</a>] </sup>
GRUB also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id687804" href="#id687804" class="para">13</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2631" href="#d0e2631" class="para">13</a>] </sup>
This access is still subject to the restrictions imposed by SELinux, if it is enabled.
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id564913" href="#id564913" class="para">14</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e7547" href="#d0e7547" class="para">14</a>] </sup>
A system where both the client and the server share a common key that is used to encrypt and decrypt network communication.
- </p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 3. Encryption" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Encryption">Chapter 3. Encryption</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Security_Gu
ide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Lin
ks_of_Interest">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a><
/span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></div><div class="para">
+ </p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 3. Encryption"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Encryption">Chapter 3. Encryption</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryptio
n-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interes
t">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt><d
d><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></div><div class="para">
There are two main types of data that must be protected: data at rest and data in motion. These different types of data are protected in similar ways using similar technology but the implementations can be completely different. No single protective implementation can prevent all possible methods of compromise as the same information may be at rest and in motion at different points in time.
</div><div class="section" title="3.1. Data at Rest"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</h2></div></div></div><div class="para">
Data at rest is data that is stored on a hard drive, tape, CD, DVD, disk, or other media. This information's biggest threat comes from being physically stolen. Laptops in airports, CDs going through the mail, and backup tapes that get left in the wrong places are all examples of events where data can be compromised through theft. If the data was encrypted on the media then you wouldn't have to worry as much about the data being compromised.
@@ -3942,7 +3940,7 @@
SSH is very easy to activate. By simply starting the sshd service, the system will begin to accept connections and will allow access to the system when a correct username and password is provided during the connection process. The standard TCP port for the SSH service is 22, however this can be changed by modifying the configuration file <span class="emphasis"><em>/etc/ssh/sshd_config</em></span> and restarting the service. This file also contains other configuration options for SSH.
</div><div class="para">
Secure Shell (SSH) also provides encrypted tunnels between computers but only using a single port. <a href="http://www.redhatmagazine.com/2007/11/27/advanced-ssh-configuration-and-tunneling-we-dont-need-no-stinking-vpn-software">Port forwarding can be done over an SSH tunnel</a> and traffic will be encrypted as it passes over that tunnel but using port forwarding is not as fluid as a VPN.
- </div></div><div xml:lang="en-US" class="section" title="3.7. LUKS Disk Encryption" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</h2></div></div></div><div class="para">
+ </div></div><div xml:lang="en-US" class="section" title="3.7. LUKS Disk Encryption"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</h2></div></div></div><div class="para">
Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the partition.
</div><div class="section" title="3.7.1. LUKS Implementation in Fedora"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</h3></div></div></div><div class="para">
Fedora 9, and later, utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is unchecked during the installation. If you select the option to encrypt you hard drive, you will be prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition. If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings
@@ -4010,7 +4008,7 @@
<a href="http://clemens.endorphin.org/LUKS/">LUKS - Linux Unified Key Setup</a>
</div></li><li class="listitem"><div class="para">
<a href="https://bugzilla.redhat.com/attachment.cgi?id=161912">HOWTO: Creating an encrypted Physical Volume (PV) using a second hard drive, pvmove, and a Fedora LiveCD</a>
- </div></li></ul></div></div></div><div xml:lang="en-US" class="section" title="3.8. 7-Zip Encrypted Archives" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</h2></div></div></div><div class="para">
+ </div></li></ul></div></div></div><div xml:lang="en-US" class="section" title="3.8. 7-Zip Encrypted Archives"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</h2></div></div></div><div class="para">
<a href="http://www.7-zip.org/">7-Zip</a> is a cross-platform, next generation, file compression tool that can also use strong encryption (AES-256) to protect the contents of the archive. This is extremely useful when you need to move data between multiple computers that use varying operating systems (i.e. Linux at home, Windows at work) and you want a portable encryption solution.
</div><div class="section" title="3.8.1. 7-Zip Installation in Fedora"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</h3></div></div></div><div class="para">
7-Zip is not a base package in Fedora, but it is available in the software repository. Once installed, the package will update alongside the rest of the software on the computer with no special attention necessary.
@@ -4048,7 +4046,7 @@
7-Zip is not shipped by default with Microsoft Windows or Mac OS X. If you need to use your 7-Zip files on those platforms you will need to install the appropriate version of 7-Zip on those computers. See the 7-Zip <a href="http://www.7-zip.org/download.html">download page</a>.
</div><div class="para">
GNOME's File Roller application will recognize your .7z files and attempt to open them, but it will fail with the error "''An error occurred while loading the archive.''" when it attempts to do so. This is because File Roller does not currently support the extraction of encrypted 7-Zip files. A bug report ([http://bugzilla.gnome.org/show_bug.cgi?id=490732 Gnome Bug 490732]) has been submitted.
- </div></div></div><div xml:lang="en-US" class="section" title="3.9. Using GNU Privacy Guard (GnuPG)" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</h2></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="section" title="3.9. Using GNU Privacy Guard (GnuPG)"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</h2></div></div></div><div class="para">
GPG is used to identify yourself and authenticate your communications, including those with people you don't know. GPG allows anyone reading a GPG-signed email to verify its authenticity. In other words, GPG allows someone to be reasonably certain that communications signed by you actually are from you. GPG is useful because it helps prevent third parties from altering code or intercepting conversations and altering the message.
</div><div class="section" title="3.9.1. Creating GPG Keys in GNOME"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</h3></div></div></div><div class="para">
Install the Seahorse utility, which makes GPG key management easier. From the main menu, select <code class="code">System > Administration > Add/Remove Software</code> and wait for PackageKit to start. Enter <code class="code">Seahorse</code> into the text box and select the Find. Select the checkbox next to the ''seahorse'' package and select ''Apply'' to add the software. You can also install <code class="code">Seahorse</code> at the command line with the command <code class="code">su -c "yum install seahorse"</code>.
@@ -4106,7 +4104,7 @@
<a href="http://en.wikipedia.org/wiki/Public-key_cryptography">Wikipedia - Public Key Cryptography</a>
</div></li><li class="listitem"><div class="para">
<a href="http://computer.howstuffworks.com/encryption.htm">HowStuffWorks - Encryption</a>
- </div></li></ol></div></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 4. General Principles of Information Security" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-General_Principles_of_Information_Security">Chapter 4. General Principles of Information Security</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></div><div class="para">
+ </div></li></ol></div></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 4. General Principles of Information Security"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-General_Principles_of_Information_Security">Chapter 4. General Principles of Information Security</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></div><div class="para">
The following general principals provide an overview of good security practices:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
encrypt all data transmitted over networks to help prevent man-in-the-middle attacks and eavesdropping. It is important to encrypt authentication information, such as passwords.
@@ -4134,7 +4132,7 @@
The DISA <a href="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1-16_20090215.ZIP">UNIX Security Checklist Version 5, Release 1.16</a> provides a collection of documents and checklists, ranging from the correct ownerships and modes for system files, to patch control.
</div><div class="para">
Also, DISA has made available <a href="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SPR scripts</a> that allow administrators to check specific settings on systems. These scripts provide XML-formatted reports listing any known vulnerable settings.
- </div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 5. Secure Installation" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Secure_Installation">Chapter 5. Secure Installation</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 5. Secure Installation"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Secure_Installation">Chapter 5. Secure Installation</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></div><div class="para">
Security begins with the first time you put that CD or DVD into your disk drive to install Fedora. Configuring your system securely from the beginning makes it easier to implement additional security settings later.
</div><div class="section" title="5.1. Disk Partitions"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</h2></div></div></div><div class="para">
The NSA recommends creating separate partitions for /boot, /, /home, /tmp, and /var/tmp. The reasons for each are different and we will address each partition.
@@ -4146,7 +4144,7 @@
/tmp and /var/tmp - Both the /tmp and the /var/tmp directories are used to store data that doesn't need to be stored for a long period of time. However if a lot of data floods one of these directories it can consume all of your storage space. If this happens and these directories are stored within / then your system could become unstable and crash. For this reason, moving these directories into their own partitions is a good idea.
</div></div><div class="section" title="5.2. Utilize LUKS Partition Encryption"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</h2></div></div></div><div class="para">
Since Fedora 9, implementation of <a href="http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncryption">Linux Unified Key Setup-on-disk-format</a>(LUKS) encryption has become a lot easier. During the installation process an option to encrypt your partitions will be presented to the user. The user must supply a passphrase that will be the key to unlock the bulk encryption key that will be used to secure the partition's data.
- </div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 6. Software Maintenance" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Software_Maintenance">Chapter 6. Software Maintenance</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></
span></dt></dl></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 6. Software Maintenance"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Software_Maintenance">Chapter 6. Software Maintenance</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></d
l></div><div class="para">
Software maintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as it becomes available in order to prevent attackers from using known holes to infiltrate your system.
</div><div class="section" title="6.1. Install Minimal Software"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</h2></div></div></div><div class="para">
It is best practice to install only the packages you will use because each piece of software on your computer could possibly contain a vulnerability. If you are installing from the DVD media take the opportunity to select exactly what packages you want to install during the installation. When you find you need another package, you can always add it to the system later.
@@ -4164,7 +4162,7 @@
Software packages are published through repositories. All well known repositories support package signing. Package signing uses public key technology to prove that the package that was published by the repository has not been changed since the signature was applied. This provides some protection against installing software that may have been maliciously altered after the package was created but before you downloaded it.
</div><div class="para">
Using too many repositories, untrustworthy repositories, or repositories with unsigned packages has a higher risk of introducing malicious or vulnerable code into your system. Use caution when adding repositories to yum/software update.
- </div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 7. References" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-References">Chapter 7. References</h2></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 7. References"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-References">Chapter 7. References</h2></div></div></div><div class="para">
The following references are pointers to additional information that is relevant to SELinux and Fedora but beyond the scope of this guide. Note that due to the rapid development of SELinux, some of this material may only apply to specific releases of Fedora.
</div><div class="variablelist" title="Books" id="vari-Security_Guide-References-Books"><h6>Books</h6><dl><dt><span class="term">SELinux by Example</span></dt><dd><div class="para">
Mayer, MacMillan, and Caplan
@@ -4206,4 +4204,4 @@
<a href="http://www.cs.utah.edu/flux/fluke/html/flask.html">http://www.cs.utah.edu/flux/fluke/html/flask.html</a>
</div></dd><dt><span class="term">Full background on Fluke</span></dt><dd><div class="para">
<a href="http://www.cs.utah.edu/flux/fluke/html/index.html">http://www.cs.utah.edu/flux/fluke/html/index.html</a>
- </div></dd></dl></div></div></div></body></html>
+ </div></dd></dl></div></div></div></body></html>
\ No newline at end of file
More information about the Fedora-docs-commits
mailing list