web/html/docs/security-guide/f12/en-US/html-single index.html, 1.3, 1.4

Eric Christensen sparks at fedoraproject.org
Thu Nov 19 04:51:28 UTC 2009


Author: sparks

Update of /cvs/fedora/web/html/docs/security-guide/f12/en-US/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31488

Modified Files:
	index.html 
Log Message:
Finally got "Local users may install trusted packages" in the update!



View full diff with command:
/usr/bin/cvs -f diff  -kk -u -N -r 1.3 -r 1.4 index.html
Index: index.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/security-guide/f12/en-US/html-single/index.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- index.html	17 Nov 2009 21:49:33 -0000	1.3
+++ index.html	19 Nov 2009 04:51:28 -0000	1.4
@@ -1,72 +1,77 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html
-  PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><title>security-guide</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content=""/><meta name="description" content="The Linux Security Guide is designed to assist users of Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, The Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods."/></head><body class=""><div xml:lang="en-US" class="book" title="security-guide"><div clas
 s="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">12</span></div><div><h1 id="d0e1" class="title">security-guide</h1></div><div><h2 class="subtitle">A Guide to Securing Fedora Linux</h2></div><p class="edition">Edition 1.1</p><div><h3 class="corpauthor">
-						<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
-					</h3></div><div><div xml:lang="en-US" class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Johnray</span> <span class="surname">Fuller</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jrfuller at redhat.com">jrfuller at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Ha</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jha at redhat.com">jha at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">O'Brien</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:daobrien at redhat.com">daobrien at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Scott
 </span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Christensen</span></h3><div class="affiliation"><span class="orgname">Fedora Project</span> <span class="orgdiv">Documentation Team</span></div><code class="email"><a class="email" href="mailto:sparks at fedoraproject.org">sparks at fedoraproject.org</a></code></div></div></div><hr/><div><div id="d0e31" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
-		Copyright <span class="trademark"/>© 2009 Red Hat, Inc.
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>security-guide</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><meta name="description" content="The Fedora Security Guide is designed to assist users of Fedora in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. Focused on Fedora Linux but detailing concepts and techniques valid for all Linux systems, The Fedora Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intru
 sion and exploit methods." /></head><body class=""><div xml:lang="en-US" class="book" title="security-guide" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">12</span></div><div><h1 id="id506124" class="title">security-guide</h1></div><div><h2 class="subtitle">A Guide to Securing Fedora Linux</h2></div><p class="edition">Edition 1.0</p><div><h3 class="corpauthor">
+		<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
+	</h3></div><div><div xml:lang="en-US" class="authorgroup" lang="en-US"><div class="author"><h3 class="author"><span class="firstname">Johnray</span> <span class="surname">Fuller</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jrfuller at redhat.com">jrfuller at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Ha</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jha at redhat.com">jha at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">O'Brien</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:daobrien at redhat.com">daobrien at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstna
 me">Scott</span> <span class="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Christensen</span></h3><div class="affiliation"><span class="orgname">Fedora Project</span> <span class="orgdiv">Documentation Team</span></div><code class="email"><a class="email" href="mailto:sparks at fedoraproject.org">sparks at fedoraproject.org</a></code></div><div class="author"><h3 class="author"><span class="firstname">Adam</span> <span class="surname">Ligas</span></h3><div class="affiliation"><span class="orgname">Fedora Project</span></div><code class="email"><a class="email" href="mailto:adam at physco.com">adam at physco.com</a></code></div></div></div><hr /><div><div id="id2060751" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class=
 "para">
+		Copyright <span class="trademark"></span>© 2009 Red Hat, Inc.
 	</div><div class="para">
 		The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at <a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
 	</div><div class="para">
 		Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
 	</div><div class="para">
-		Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. 
+		Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
 	</div><div class="para">
 		For guidelines on the permitted uses of the Fedora trademarks, refer to <a href="https://fedoraproject.org/wiki/Legal:Trademark_guidelines">https://fedoraproject.org/wiki/Legal:Trademark_guidelines</a>.
 	</div><div class="para">
-		<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the United States and other countries. 
+		<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the United States and other countries.
 	</div><div class="para">
 		All other trademarks are the property of their respective owners.
-	</div></div></div><div><div class="abstract" title="Abstract"><h6>Abstract</h6><div class="para">The Linux Security Guide is designed to assist users of Linux in
+	</div></div></div><div><div class="abstract" title="Abstract"><h6>Abstract</h6><div class="para">
+The Fedora Security Guide is designed to assist users of Fedora in
 learning the processes and practices of securing workstations and
 servers against local and remote intrusion, exploitation, and
-malicious activity.</div><div class="para">Focused on Fedora Linux but detailing concepts and techniques valid
-for all Linux systems, The Linux Security Guide details the
+malicious activity.
+</div><div class="para">
+Focused on Fedora Linux but detailing concepts and techniques valid
+for all Linux systems, The Fedora Security Guide details the
 planning and the tools involved in creating a secured computing
-environment for the data center, workplace, and home.</div><div class="para">With proper administrative knowledge, vigilance, and tools, systems
+environment for the data center, workplace, and home.
+</div><div class="para">
+With proper administrative knowledge, vigilance, and tools, systems
 running Linux can be both fully functional and secured from most
-common intrusion and exploit methods.</div></div></div></div><hr/></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security_Guide-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e111">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e121">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#d0e337">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#d0e356">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#We_Need_Feedback">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Security_Overview">1. Security Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_i
 s_Computer_Security">1.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerabilit
 y_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Co
 mmon_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security"
 >2.1. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sec
 t-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt><dt><s
 pan class="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollm
 ent Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Conf
 iguration File Format</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2
 .5. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?<
 /a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class=
 "section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an <abbr cl
 ass="abbrev">IPsec</abbr> Connection</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.
 8.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acronym> Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt><dt
 ><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.2. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and IPv6</a
 ></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional Resources</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Encryption">3. Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Secur
 ity_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encrypti
 on-Links_of_Interest">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG
 )</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-General_Principles_of_Information_Security">4. General Principles of Information Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span>
 </dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Secure_Installation">5. Secure Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Software_Maintenance">6. Software Maintenance</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security
 _Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-References">7. References</a></span></dt></dl></div><div xml:lang="en-US" class="preface" title="Preface"><div class="titlepage"><div><div><h1 id="pref-Security_Guide-Preface" class="title">Preface</h1></div></div></div><div xml:lang="en-US" class="section" title="1. Document Conventions"><div class="titlepage"><div><div><h2 class="title" id="d0e111">1. Document Conventions</h2></div></div></div><div class="para">
+common intrusion and exploit methods.
+</div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security_Guide-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#id2147972">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#id2124140">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#id2163289">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#id2075592">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#We_Need_Feedback">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Security_Overview">1. Security Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1
 .1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_
 the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attack
 s">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Release_Notes-Security-Install-trusted-packages">2.1. Local 
 users may install trusted packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.2. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.2.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.2.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.2.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.2.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.2.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_
 Guide-Workstation_Security-Personal_Firewalls">2.2.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.2.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.3. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.3.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.3.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.3.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.3.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#se
 ct-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.3.5. Securing the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.3.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.3.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.3.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.4. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.4.1. Introduction</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.4.2. Getting Started with your new Smart Card</a></span></dt><dt><span 
 class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.4.3. How Smart Card Enrollment Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.4.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.4.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.5. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.5.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.5.2. PAM Configuration Files</a></span></dt><dt><span cl
 ass="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.5.3. PAM Configuration File Format</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.5.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.5.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.5.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.5.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.5.8. A
 dditional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.6. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.6.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.6.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.6.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.6.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.6.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.7. Kerberos</a><
 /span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.7.1. What is Kerberos?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.7.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.7.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.7.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.7.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.7.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.7.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a 
 href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.7.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.7.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.7.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.8. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.8.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.8.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.8.3. IPsec</a></span></dt><dt><span class=
 "section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.8.4. Creating an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.8.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.8.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.8.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.8.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.9
 . Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.9.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.9.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.9.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.9.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.9.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acronym> Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.9.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a hr
 ef="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.9.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.9.8. IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.9.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.10. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.10.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.10.2. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.10.3. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.10.4. IPTables Control Sc
 ripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.10.5. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.10.6. Additional Resources</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Encryption">3. Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encr
 yption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplis
 hed">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a><
 /span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-General_Principles_of_Information_Security">4. General Principles of Information Security</a></span></dt><dd><dl><dt><span class="section"><
 a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Secure_Installation">5. Secure Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Software_Maintenance">6. Software Maintenance</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Se
 curity Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-References">7. References</a></span></dt></dl></div><div xml:lang="en-US" class="preface" title="Preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security_Guide-Preface" class="title">Preface</h1></div></div></div><div xml:lang="en-US" class="section" title="1. Document Conventions" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="id2147972">1. Document Conventions</h2></div></div></div><div class="para">
 		This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
 	</div><div class="para">
 		In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
-	</div><div class="section" title="1.1. Typographic Conventions"><div class="titlepage"><div><div><h3 class="title" id="d0e121">1.1. Typographic Conventions</h3></div></div></div><div class="para">
+	</div><div class="section" title="1.1. Typographic Conventions"><div class="titlepage"><div><div><h3 class="title" id="id2124140">1.1. Typographic Conventions</h3></div></div></div><div class="para">
 			Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
 		</div><div class="para">
 			<code class="literal">Mono-spaced Bold</code>
 		</div><div class="para">
-			Used to highlight system input, including shell commands, file names and paths. Also used to highlight key caps and key-combinations. For example:
+			Used to highlight system input, including shell commands, file names and paths. Also used to highlight keycaps and key combinations. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				To see the contents of the file <code class="filename">my_next_bestselling_novel</code> in your current working directory, enter the <code class="command">cat my_next_bestselling_novel</code> command at the shell prompt and press <span class="keycap"><strong>Enter</strong></span> to execute the command.
 			</div></blockquote></div><div class="para">
-			The above includes a file name, a shell command and a key cap, all presented in Mono-spaced Bold and all distinguishable thanks to context.
+			The above includes a file name, a shell command and a keycap, all presented in mono-spaced bold and all distinguishable thanks to context.
 		</div><div class="para">
-			Key-combinations can be distinguished from key caps by the hyphen connecting each part of a key-combination. For example:
+			Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key combination. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				Press <span class="keycap"><strong>Enter</strong></span> to execute the command.
 			</div><div class="para">
 				Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F1</strong></span> to switch to the first virtual terminal. Press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>F7</strong></span> to return to your X-Windows session.
 			</div></blockquote></div><div class="para">
-			The first sentence highlights the particular key cap to press. The second highlights two sets of three key caps, each set pressed simultaneously.
+			The first paragraph highlights the particular keycap to press. The second highlights two key combinations (each a set of three keycaps with each set pressed simultaneously).
 		</div><div class="para">
-			If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">Mono-spaced Bold</code>. For example:
+			If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in <code class="literal">mono-spaced bold</code>. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				File-related classes include <code class="classname">filesystem</code> for file systems, <code class="classname">file</code> for files, and <code class="classname">dir</code> for directories. Each class has its own associated set of permissions.
 			</div></blockquote></div><div class="para">
 			<span class="application"><strong>Proportional Bold</strong></span>
 		</div><div class="para">
-			This denotes words or phrases encountered on a system, including application names; dialogue box text; labelled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
+			This denotes words or phrases encountered on a system, including application names; dialog box text; labeled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				Choose <span class="guimenu"><strong>System > Preferences > Mouse</strong></span> from the main menu bar to launch <span class="application"><strong>Mouse Preferences</strong></span>. In the <span class="guilabel"><strong>Buttons</strong></span> tab, click the <span class="guilabel"><strong>Left-handed mouse</strong></span> check box and click <span class="guibutton"><strong>Close</strong></span> to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).
 			</div><div class="para">
 				To insert a special character into a <span class="application"><strong>gedit</strong></span> file, choose <span class="guimenu"><strong>Applications > Accessories > Character Map</strong></span> from the main menu bar. Next, choose <span class="guimenu"><strong>Search > Find…</strong></span> from the <span class="application"><strong>Character Map</strong></span> menu bar, type the name of the character in the <span class="guilabel"><strong>Search</strong></span> field and click <span class="guibutton"><strong>Next</strong></span>. The character you sought will be highlighted in the <span class="guilabel"><strong>Character Table</strong></span>. Double-click this highlighted character to place it in the <span class="guilabel"><strong>Text to copy</strong></span> field and then click the <span class="guibutton"><strong>Copy</strong></span> button. Now switch back to your document and choose <span class="guimenu"><strong>Edit > Paste</strong></span> from the 
 <span class="application"><strong>gedit</strong></span> menu bar.
 			</div></blockquote></div><div class="para">
-			The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in Proportional Bold and all distinguishable by context.
+			The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in proportional bold and all distinguishable by context.
 		</div><div class="para">
-			Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This is to avoid the difficult-to-follow 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar' approach.
+			Note the <span class="guimenu"><strong>></strong></span> shorthand used to indicate traversal through a menu and its sub-menus. This avoids difficult-to-follow phrasing such as 'Select <span class="guimenuitem"><strong>Mouse</strong></span> from the <span class="guimenu"><strong>Preferences</strong></span> sub-menu in the <span class="guimenu"><strong>System</strong></span> menu of the main menu bar'.
 		</div><div class="para">
 			<code class="command"><em class="replaceable"><code>Mono-spaced Bold Italic</code></em></code> or <span class="application"><strong><em class="replaceable"><code>Proportional Bold Italic</code></em></strong></span>
 		</div><div class="para">
-			Whether Mono-spaced Bold or Proportional Bold, the addition of Italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
+			Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				To connect to a remote machine using ssh, type <code class="command">ssh <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>domain.name</code></em></code> at a shell prompt. If the remote machine is <code class="filename">example.com</code> and your username on that machine is john, type <code class="command">ssh john at example.com</code>.
 			</div><div class="para">
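Review bot: The new TOC entry "2.1. Local users may install trusted packages" links to #sect-Release_Notes-Security-Install-trusted-packages, while every other section anchor in this table of contents uses the sect-Security_Guide- prefix. This suggests the section was pulled in from the release notes without giving it an id in this book's namespace. Consider renaming the id in the source so it follows the guide's convention. Also confirm that the section is meant to sit first under "2. Securing Your Network", ahead of Workstation Security. Separately, the preface anchors in this hunk moved from one set of generated ids to another (id="d0e121" became id="id2124140", and the TOC now points at #id2147972, #id2163289 and #id2075592). Ids like these appear to change from build to build, so any external link into the Document Conventions sections will break on the next regeneration. Giving those sections explicit ids in the source, as the chapter sections already have, would keep the anchors stable.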
@@ -79,56 +84,53 @@
 			Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
 		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
 				When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
-			</div></blockquote></div></div><div class="section" title="1.2. Pull-quote Conventions"><div class="titlepage"><div><div><h3 class="title" id="d0e337">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
-			Two, commonly multi-line, data types are set off visually from the surrounding text.
+			</div></blockquote></div></div><div class="section" title="1.2. Pull-quote Conventions"><div class="titlepage"><div><div><h3 class="title" id="id2163289">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
+			Terminal output and source code listings are set off visually from the surrounding text.
 		</div><div class="para">
-			Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus:
-		</div><pre class="screen">
-books        Desktop   documentation  drafts  mss    photos   stuff  svn
+			Output sent to a terminal is set in <code class="computeroutput">mono-spaced roman</code> and presented thus:
+		</div><pre class="screen">books        Desktop   documentation  drafts  mss    photos   stuff  svn
 books_tests  Desktop1  downloads      images  notes  scripts  svgs
 </pre><div class="para">
-			Source-code listings are also set in <code class="computeroutput">Mono-spaced Roman</code> but are presented and highlighted as follows:
-		</div><pre class="programlisting">
-package org.jboss.book.jca.ex1;
+			Source-code listings are also set in <code class="computeroutput">mono-spaced roman</code> but add syntax highlighting as follows:
+		</div><pre class="programlisting"><pre class="programlisting">package org.<span class="perl_Function">jboss</span>.<span class="perl_Function">book</span>.<span class="perl_Function">jca</span>.<span class="perl_Function">ex1</span>;
 
-import javax.naming.InitialContext;
+<span class="perl_Keyword">import</span> javax.naming.InitialContext;
 
-public class ExClient
+<span class="perl_Keyword">public</span> <span class="perl_Keyword">class</span> ExClient
 {
-   public static void main(String args[]) 
-       throws Exception
+   <span class="perl_Keyword">public</span> <span class="perl_DataType">static</span> <span class="perl_DataType">void</span> <span class="perl_Function">main</span>(String args[]) 
+       <span class="perl_Keyword">throws</span> Exception
    {
-      InitialContext iniCtx = new InitialContext();
-      Object         ref    = iniCtx.lookup("EchoBean");
+      InitialContext iniCtx = <span class="perl_Keyword">new</span> InitialContext();
+      Object         ref    = iniCtx.<span class="perl_Function">lookup</span>(<span class="perl_String">"EchoBean"</span>);
       EchoHome       home   = (EchoHome) ref;
-      Echo           echo   = home.create();
+      Echo           echo   = home.<span class="perl_Function">create</span>();
 
-      System.out.println("Created Echo");
+      System.<span class="perl_Function">out</span>.<span class="perl_Function">println</span>(<span class="perl_String">"Created Echo"</span>);
 
-      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
+      System.<span class="perl_Function">out</span>.<span class="perl_Function">println</span>(<span class="perl_String">"Echo.echo('Hello') = "</span> + echo.<span class="perl_Function">echo</span>(<span class="perl_String">"Hello"</span>));
    }
-   
 }
-</pre></div><div class="section" title="1.3. Notes and Warnings"><div class="titlepage"><div><div><h3 class="title" id="d0e356">1.3. Notes and Warnings</h3></div></div></div><div class="para">
+</pre></pre></div><div class="section" title="1.3. Notes and Warnings"><div class="titlepage"><div><div><h3 class="title" id="id2075592">1.3. Notes and Warnings</h3></div></div></div><div class="para">
 			Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
 		</div><div class="note"><h2>Note</h2><div class="para">
-				A note is a tip or shortcut or alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
+				Notes are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
 			</div></div><div class="important"><h2>Important</h2><div class="para">
-				Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring Important boxes won't cause data loss but may cause irritation and frustration.
+				Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled 'Important' won't cause data loss but may cause irritation and frustration.
 			</div></div><div class="warning"><h2>Warning</h2><div class="para">
-				A Warning should not be ignored. Ignoring warnings will most likely cause data loss.
-			</div></div></div></div><div xml:lang="en-US" class="section" title="2. We Need Feedback!"><div class="titlepage"><div><div><h2 class="title" id="We_Need_Feedback">2. We Need Feedback!</h2></div></div></div><div class="para">
+				Warnings should not be ignored. Ignoring warnings will most likely cause data loss.
+			</div></div></div></div><div xml:lang="en-US" class="section" title="2. We Need Feedback!" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="We_Need_Feedback">2. We Need Feedback!</h2></div></div></div><div class="para">
 		More information about the Linux Security Guide project can be found at <a href="https://fedorahosted.org/securityguide">https://fedorahosted.org/securityguide</a>
 	</div><div class="para">
 		To provide feedback for the Security Guide, please file a bug in <a href="https://bugzilla.redhat.com/enter_bug.cgi?component=security-guide&product=Fedora%20Documentation">https://bugzilla.redhat.com/enter_bug.cgi?component=security-guide&product=Fedora%20Documentation</a>. Please select the proper component in the dropdown menu which should be the page name.
-	</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 1. Security Overview"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Security_Overview">Chapter 1. Security Overview</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#s
 ect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Se
 curity">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a
  href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></div><div class="para">
+	</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 1. Security Overview" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Security_Overview">Chapter 1. Security Overview</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section
 "><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_
 to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Exploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class
 ="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></div><div class="para">
 		Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, entire industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of the organization. Because most organizations are increasingly dynamic in nature, with workers accessing company IT resources locally and remotely, the need for secure computing environments has become more pronounced.
 	</div><div class="para">
 		Unfortunately, most organizations (as well as individual users) regard security as an afterthought, a process that is overlooked in favor of increased power, productivity, and budgetary concerns. Proper security implementation is often enacted postmortem — <span class="emphasis"><em>after</em></span> an unauthorized intrusion has already occurred. Security experts agree that taking the correct measures prior to connecting a site to an untrusted network, such as the Internet, is an effective means of thwarting most attempts at intrusion.
-	</div><div xml:lang="en-US" class="section" title="1.1. Introduction to Security"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</h2></div></div></div><div class="section" title="1.1.1. What is Computer Security?"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</h3></div></div></div><div class="para">
+	</div><div xml:lang="en-US" class="section" title="1.1. Introduction to Security" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</h2></div></div></div><div class="section" title="1.1.1. What is Computer Security?"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</h3></div></div></div><div class="para">
 			Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access crucial information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO) and quality of service (QoS). Using these metrics, industries can calculate aspects such as data integrity and high-availability as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can be the difference between success and failure.
 		</div><div class="section" title="1.1.1.1. How did Computer Security Come about?"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-How_did_Computer_Security_Come_about">1.1.1.1. How did Computer Security Come about?</h4></div></div></div><div class="para">
-				Information security has evolved over the years due to the increasing reliance on public networks not to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick <sup>[<a id="d0e412" href="#ftn.d0e412" class="footnote">1</a>]</sup>and the Vladimir Levin <sup>[<a id="d0e416" href="#ftn.d0e416" class="footnote">2</a>]</sup>cases that prompted organizations across all industries to re-think the way they handle information, as well as its transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
+				Information security has evolved over the years due to the increasing reliance on public networks not to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick <sup>[<a id="id2114370" href="#ftn.id2114370" class="footnote">1</a>]</sup>and the Vladimir Levin <sup>[<a id="id2114362" href="#ftn.id2114362" class="footnote">2</a>]</sup>cases that prompted organizations across all industries to re-think the way they handle information, as well as its transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
 			</div><div class="para">
 				An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer. From research and information retrieval to electronic mail and commerce transaction, the Internet has been regarded as one of the most important developments of the 20th century.
 			</div><div class="para">
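Review bot: the regenerated Java listing now opens with `<pre class="programlisting"><pre class="programlisting">` and closes with `</pre></pre>`, so one `pre` is nested inside another, which the XHTML content model for `pre` does not allow. The highlighter appears to wrap its output in its own `pre` on top of the one the stylesheet already writes. Fix this in the build so that only one wrapper is emitted, rather than patching this generated file by hand.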
@@ -136,19 +138,19 @@
 			</div></div><div class="section" title="1.1.1.2. Security Today"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-Security_Today">1.1.1.2. Security Today</h4></div></div></div><div class="para">
 				In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for several hours with large-byte ICMP packet transfers, also called a <em class="firstterm">ping flood</em>. The attack was brought on by unknown assailants using specially created, widely available programs that scanned vulnerable network servers, installed client applications called <em class="firstterm">trojans</em> on the servers, and timed an attack with every infected server flooding the victim sites and rendering them unavailable. Many blame the attack on fundamental flaws in the way routers and the protocols used are structured to accept all incoming data, no matter where or for what purpose the packets are sent.
 			</div><div class="para">
-				In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial institution of over 45 million credit card numbers.<sup>[<a id="d0e440" href="#ftn.d0e440" class="footnote">3</a>]</sup>
+				In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial institution of over 45 million credit card numbers.<sup>[<a id="id2103464" href="#ftn.id2103464" class="footnote">3</a>]</sup>
 			</div><div class="para">
-				In a separate incident, the billing records of over 2.2 million patients stored on a backup tape were stolen from the front seat of a courier's car.<sup>[<a id="d0e446" href="#ftn.d0e446" class="footnote">4</a>]</sup>
+				In a separate incident, the billing records of over 2.2 million patients stored on a backup tape were stolen from the front seat of a courier's car.<sup>[<a id="id2103461" href="#ftn.id2103461" class="footnote">4</a>]</sup>
 			</div><div class="para">
-				Currently, an estimated 1.4 billion people use or have used the Internet worldwide.<sup>[<a id="d0e452" href="#ftn.d0e452" class="footnote">5</a>]</sup> At the same time:
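Review bot: the footnote anchors on the changed lines here go from `d0e440` and `d0e446` to `id2103464` and `id2103461` with no other change to the text, so any existing link to `#ftn.d0e440` stops resolving after this commit. The new values look build-generated as well, so a later rebuild is likely to change them again. If the toolchain allows it, give the footnotes explicit ids in the source, as the section headings already have (`sect-Security_Guide-What_is_Computer_Security-Security_Today`), so that the anchors survive a rebuild and the diff stays limited to real content changes.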
[...1967 lines suppressed...]
+							Refer to <a class="xref" href="#sect-Security_Guide-Command_Options_for_IPTables-Target_Options" title="2.10.2.5. Target Options">Section 2.10.2.5, “Target Options”</a> for more information about the <code class="command">LOG</code> target.
 						</div><div class="para">
 							The <code class="option">limit</code> module enables the following options:
 						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
@@ -3749,7 +3771,7 @@
 									<code class="option">--mac-source</code> — Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point character (<code class="option">!</code>) after the <code class="option">--mac-source</code> match option.
 								</div></li></ul></div></li></ul></div><div class="para">
 					Refer to the <code class="command">iptables</code> man page for more match options available through modules.
-				</div></div></div><div class="section" title="2.9.2.5. Target Options"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Command_Options_for_IPTables-Target_Options">2.9.2.5. Target Options</h4></div></div></div><div class="para">
+				</div></div></div><div class="section" title="2.10.2.5. Target Options"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Command_Options_for_IPTables-Target_Options">2.10.2.5. Target Options</h4></div></div></div><div class="para">
 				When a packet has matched a particular rule, the rule can direct the packet to a number of different targets which determine the appropriate action. Each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.
 			</div><div class="para">
 				The following are the standard targets:
@@ -3764,7 +3786,7 @@
 					</div></li><li class="listitem"><div class="para">
 						<code class="option">RETURN</code> — Stops checking the packet against rules in the current chain. If the packet with a <code class="option">RETURN</code> target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the <code class="option">RETURN</code> rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain is used.
 					</div></li></ul></div><div class="para">
-				In addition, extensions are available which allow other targets to be specified. These extensions are called target modules or match option modules and most only apply to specific tables and situations. Refer to <a class="xref" href="#sect-Security_Guide-IPTables_Match_Options-Additional_Match_Option_Modules" title="2.9.2.4.4. Additional Match Option Modules">Section 2.9.2.4.4, “Additional Match Option Modules”</a> for more information about match option modules.
+				In addition, extensions are available which allow other targets to be specified. These extensions are called target modules or match option modules and most only apply to specific tables and situations. Refer to <a class="xref" href="#sect-Security_Guide-IPTables_Match_Options-Additional_Match_Option_Modules" title="2.10.2.4.4. Additional Match Option Modules">Section 2.10.2.4.4, “Additional Match Option Modules”</a> for more information about match option modules.
 			</div><div class="para">
 				Many extended target modules exist, most of which only apply to specific tables or situations. Some of the most popular target modules included by default in Fedora are:
 			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
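Review bot: the sentence carried over on the `+` line says the target extensions "are called target modules or match option modules" and then sends the reader to "Additional Match Option Modules" for more information, which mixes two different kinds of extension in a paragraph that is about targets. Since the line is being touched for the renumbering anyway, reword it in the source to speak of target modules only, and either drop the cross-reference or state that it covers the separate match option modules. The following paragraph ("Many extended target modules exist, most of which only apply to specific tables or situations") repeats the first half of this one, so one of the two can go.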
@@ -3789,7 +3811,7 @@
 						The <code class="option">REJECT</code> target accepts <code class="option">--reject-with <em class="replaceable"><code><type></code></em></code> (where <em class="replaceable"><code><type></code></em> is the rejection type) allowing more detailed information to be returned with the error packet. The message <code class="computeroutput">port-unreachable</code> is the default error type given if no other option is used. Refer to the <code class="command">iptables</code> man page for a full list of <code class="option"><em class="replaceable"><code><type></code></em></code> options.
 					</div></li></ul></div><div class="para">
 				Other target extensions, including several that are useful for IP masquerading using the <code class="option">nat</code> table, or with packet alteration using the <code class="option">mangle</code> table, can be found in the <code class="command">iptables</code> man page.
-			</div></div><div class="section" title="2.9.2.6. Listing Options"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Command_Options_for_IPTables-Listing_Options">2.9.2.6. Listing Options</h4></div></div></div><div class="para">
+			</div></div><div class="section" title="2.10.2.6. Listing Options"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Command_Options_for_IPTables-Listing_Options">2.10.2.6. Listing Options</h4></div></div></div><div class="para">
 				The default list command, <code class="command">iptables -L [<chain-name>]</code>, provides a very basic overview of the default filter table's current chains. Additional options provide more information:
 			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
 						<code class="option">-v</code> — Displays verbose output, such as the number of packets and bytes each chain has processed, the number of packets and bytes each rule has matched, and which interfaces apply to a particular rule.
@@ -3801,7 +3823,7 @@
 						<code class="option">--line-numbers</code> — Lists rules in each chain next to their numeric order in the chain. This option is useful when attempting to delete the specific rule in a chain or to locate where to insert a rule within a chain.
 					</div></li><li class="listitem"><div class="para">
 						<code class="option">-t <table-name></code> — Specifies a table name. If omitted, defaults to the filter table.
-					</div></li></ul></div></div></div><div class="section" title="2.9.3. Saving IPTables Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.3. Saving IPTables Rules</h3></div></div></div><div class="para">
+					</div></li></ul></div></div></div><div class="section" title="2.10.3. Saving IPTables Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.10.3. Saving IPTables Rules</h3></div></div></div><div class="para">
 			Rules created with the <code class="command">iptables</code> command are stored in memory. If the system is restarted before saving the <code class="command">iptables</code> rule set, all rules are lost. For netfilter rules to persist through a system reboot, they need to be saved. To save netfilter rules, type the following command as root:
 		</div><pre class="screen"><code class="command"> /sbin/service iptables save </code>
 </pre><div class="para">
@@ -3817,10 +3839,10 @@
 				If distributing the <code class="filename">/etc/sysconfig/iptables</code> file to other machines, type <code class="command">/sbin/service iptables restart</code> for the new rules to take effect.
 			</div></div><div class="note"><h2>Note</h2><div class="para">
 				Note the difference between the <code class="command">iptables</code> <span class="emphasis"><em>command</em></span> (<code class="command">/sbin/iptables</code>), which is used to manipulate the tables and chains that constitute the <code class="command">iptables</code> functionality, and the <code class="command">iptables</code> <span class="emphasis"><em>service</em></span> (<code class="command">/sbin/iptables service</code>), which is used to enable and disable the <code class="command">iptables</code> service itself.
-			</div></div></div><div class="section" title="2.9.4. IPTables Control Scripts"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.4. IPTables Control Scripts</h3></div></div></div><div class="para">
+			</div></div></div><div class="section" title="2.10.4. IPTables Control Scripts"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.10.4. IPTables Control Scripts</h3></div></div></div><div class="para">
 			There are two basic methods for controlling <code class="command">iptables</code> in Fedora:
 		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
-					<span class="application"><strong>Firewall Configuration Tool</strong></span> (<code class="command">system-config-securitylevel</code>) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to <a class="xref" href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration" title="2.8.2. Basic Firewall Configuration">Section 2.8.2, “Basic Firewall Configuration”</a> for more information.
+					<span class="application"><strong>Firewall Configuration Tool</strong></span> (<code class="command">system-config-securitylevel</code>) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to <a class="xref" href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration" title="2.9.2. Basic Firewall Configuration">Section 2.9.2, “Basic Firewall Configuration”</a> for more information.
 				</div></li><li class="listitem"><div class="para">
 					<code class="command">/sbin/service iptables <em class="replaceable"><code><option></code></em></code> — Used to manipulate various functions of <code class="command">iptables</code> using its initscript. The following options are available:
 				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
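Review bot: in the Note at the top of this hunk the service is given as `/sbin/iptables service`, with the two words the wrong way round; the paragraph just before it and the list item below both use `/sbin/service iptables <option>`. Correct it in the source so that the command-versus-service distinction the Note draws points at the right binary.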
@@ -3833,26 +3855,26 @@
 						</div><div class="para">
 							If the <code class="command">IPTABLES_SAVE_ON_STOP</code> directive in the <code class="filename">/etc/sysconfig/iptables-config</code> configuration file is changed from its default value to <code class="command">yes</code>, current rules are saved to <code class="filename">/etc/sysconfig/iptables</code> and any existing rules are moved to the file <code class="filename">/etc/sysconfig/iptables.save</code>.
 						</div><div class="para">
-							Refer to <a class="xref" href="#sect-Security_Guide-IPTables_Control_Scripts-IPTables_Control_Scripts_Configuration_File" title="2.9.4.1. IPTables Control Scripts Configuration File">Section 2.9.4.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
+							Refer to <a class="xref" href="#sect-Security_Guide-IPTables_Control_Scripts-IPTables_Control_Scripts_Configuration_File" title="2.10.4.1. IPTables Control Scripts Configuration File">Section 2.10.4.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
 						</div></li><li class="listitem"><div class="para">
 							<code class="command">restart</code> — If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in <code class="filename">/etc/sysconfig/iptables</code>. This option only works if the <code class="command">ipchains</code> kernel module is not loaded.
 						</div><div class="para">
 							If the <code class="command">IPTABLES_SAVE_ON_RESTART</code> directive in the <code class="filename">/etc/sysconfig/iptables-config</code> configuration file is changed from its default value to <code class="command">yes</code>, current rules are saved to <code class="filename">/etc/sysconfig/iptables</code> and any existing rules are moved to the file <code class="filename">/etc/sysconfig/iptables.save</code>.
 						</div><div class="para">
-							Refer to <a class="xref" href="#sect-Security_Guide-IPTables_Control_Scripts-IPTables_Control_Scripts_Configuration_File" title="2.9.4.1. IPTables Control Scripts Configuration File">Section 2.9.4.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
+							Refer to <a class="xref" href="#sect-Security_Guide-IPTables_Control_Scripts-IPTables_Control_Scripts_Configuration_File" title="2.10.4.1. IPTables Control Scripts Configuration File">Section 2.10.4.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
 						</div></li><li class="listitem"><div class="para">
 							<code class="command">status</code> — Displays the status of the firewall and lists all active rules.
 						</div><div class="para">
-							The default configuration for this option displays IP addresses in each rule. To display domain and hostname information, edit the <code class="filename">/etc/sysconfig/iptables-config</code> file and change the value of <code class="command">IPTABLES_STATUS_NUMERIC</code> to <code class="command">no</code>. Refer to <a class="xref" href="#sect-Security_Guide-IPTables_Control_Scripts-IPTables_Control_Scripts_Configuration_File" title="2.9.4.1. IPTables Control Scripts Configuration File">Section 2.9.4.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
+							The default configuration for this option displays IP addresses in each rule. To display domain and hostname information, edit the <code class="filename">/etc/sysconfig/iptables-config</code> file and change the value of <code class="command">IPTABLES_STATUS_NUMERIC</code> to <code class="command">no</code>. Refer to <a class="xref" href="#sect-Security_Guide-IPTables_Control_Scripts-IPTables_Control_Scripts_Configuration_File" title="2.10.4.1. IPTables Control Scripts Configuration File">Section 2.10.4.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
 						</div></li><li class="listitem"><div class="para">
 							<code class="command">panic</code> — Flushes all firewall rules. The policy of all configured tables is set to <code class="command">DROP</code>.
 						</div><div class="para">
 							This option could be useful if a server is known to be compromised. Rather than physically disconnecting from the network or shutting down the system, you can use this option to stop all further network traffic but leave the machine in a state ready for analysis or other forensics.
 						</div></li><li class="listitem"><div class="para">
-							<code class="command">save</code> — Saves firewall rules to <code class="filename">/etc/sysconfig/iptables</code> using <code class="command">iptables-save</code>. Refer to <a class="xref" href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules" title="2.9.3. Saving IPTables Rules">Section 2.9.3, “Saving IPTables Rules”</a> for more information.
+							<code class="command">save</code> — Saves firewall rules to <code class="filename">/etc/sysconfig/iptables</code> using <code class="command">iptables-save</code>. Refer to <a class="xref" href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules" title="2.10.3. Saving IPTables Rules">Section 2.10.3, “Saving IPTables Rules”</a> for more information.
 						</div></li></ul></div></li></ul></div><div class="note"><h2>Note</h2><div class="para">
-				To use the same initscript commands to control netfilter for IPv6, substitute <code class="command">ip6tables</code> for <code class="command">iptables</code> in the <code class="command">/sbin/service</code> commands listed in this section. For more information about IPv6 and netfilter, refer to <a class="xref" href="#sect-Security_Guide-IPTables-IPTables_and_IPv6" title="2.9.5. IPTables and IPv6">Section 2.9.5, “IPTables and IPv6”</a>.
-			</div></div><div class="section" title="2.9.4.1. IPTables Control Scripts Configuration File"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-IPTables_Control_Scripts-IPTables_Control_Scripts_Configuration_File">2.9.4.1. IPTables Control Scripts Configuration File</h4></div></div></div><div class="para">
+				To use the same initscript commands to control netfilter for IPv6, substitute <code class="command">ip6tables</code> for <code class="command">iptables</code> in the <code class="command">/sbin/service</code> commands listed in this section. For more information about IPv6 and netfilter, refer to <a class="xref" href="#sect-Security_Guide-IPTables-IPTables_and_IPv6" title="2.10.5. IPTables and IPv6">Section 2.10.5, “IPTables and IPv6”</a>.
+			</div></div><div class="section" title="2.10.4.1. IPTables Control Scripts Configuration File"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-IPTables_Control_Scripts-IPTables_Control_Scripts_Configuration_File">2.10.4.1. IPTables Control Scripts Configuration File</h4></div></div></div><div class="para">
 				The behavior of the <code class="command">iptables</code> initscripts is controlled by the <code class="filename">/etc/sysconfig/iptables-config</code> configuration file. The following is a list of directives contained in this file:
 			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
 						<code class="command">IPTABLES_MODULES</code> — Specifies a space-separated list of additional <code class="command">iptables</code> modules to load when a firewall is activated. These can include connection tracking and NAT helpers.
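Review bot: the `panic` item kept as context in this hunk says the option stops "all further network traffic" but never states that this includes the administrator's own remote session. With every rule flushed and every table's policy set to `DROP`, an SSH login used to issue the command is cut too. Suggest adding a sentence to that item telling the reader to run it from the local console or an out-of-band connection. The changed lines themselves only move the cross-reference text from 2.9.x to 2.10.x and leave the `href` anchors untouched, which is correct.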
@@ -3886,7 +3908,7 @@
 								<code class="command">yes</code> — The default value. Returns only IP addresses within a status output.
 							</div></li><li class="listitem"><div class="para">
 								<code class="command">no</code> — Returns domain or hostnames within a status output.
-							</div></li></ul></div></li></ul></div></div></div><div class="section" title="2.9.5. IPTables and IPv6"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.5. IPTables and IPv6</h3></div></div></div><div class="para">
+							</div></li></ul></div></li></ul></div></div></div><div class="section" title="2.10.5. IPTables and IPv6"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-IPTables-IPTables_and_IPv6">2.10.5. IPTables and IPv6</h3></div></div></div><div class="para">
 			If the <code class="filename">iptables-ipv6</code> package is installed, netfilter in Fedora can filter the next-generation IPv6 Internet protocol. The command used to manipulate the IPv6 netfilter is <code class="command">ip6tables</code>.
 		</div><div class="para">
 			Most directives for this command are identical to those used for <code class="command">iptables</code>, except the <code class="command">nat</code> table is not yet supported. This means that it is not yet possible to perform IPv6 network address translation tasks, such as masquerading and port forwarding.
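Review bot: the IPv6 paragraph at the end of this hunk says the `nat` table is "not yet supported" and that NAT tasks are "not yet possible", with no release named, so the reader cannot tell whether the statement still holds for the Fedora 12 edition being published here. Suggest naming the release the statement was checked against while the section is being renumbered.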
@@ -3896,25 +3918,25 @@
 			Configuration options for the <code class="command">ip6tables</code> init script are stored in <code class="filename">/etc/sysconfig/ip6tables-config</code>, and the names for each directive vary slightly from their <code class="command">iptables</code> counterparts.
 		</div><div class="para">
 			For example, the <code class="filename">iptables-config</code> directive <code class="command">IPTABLES_MODULES</code>:the equivalent in the <code class="filename">ip6tables-config</code> file is <code class="command">IP6TABLES_MODULES</code>.
-		</div></div><div class="section" title="2.9.6. Additional Resources"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-IPTables-Additional_Resources">2.9.6. Additional Resources</h3></div></div></div><div class="para">
+		</div></div><div class="section" title="2.10.6. Additional Resources"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-IPTables-Additional_Resources">2.10.6. Additional Resources</h3></div></div></div><div class="para">
 			Refer to the following sources for additional information on packet filtering with <code class="command">iptables</code>.
 		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
-					<a class="xref" href="#sect-Security_Guide-Firewalls" title="2.8. Firewalls">Section 2.8, “Firewalls”</a> — Contains a chapter about the role of firewalls within an overall security strategy as well as strategies for constructing firewall rules.
-				</div></li></ul></div><div class="section" title="2.9.6.1. Installed IP Tables Documentation"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Additional_Resources-Installed_IP_Tables_Documentation">2.9.6.1. Installed IP Tables Documentation</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+					<a class="xref" href="#sect-Security_Guide-Firewalls" title="2.9. Firewalls">Section 2.9, “Firewalls”</a> — Contains a chapter about the role of firewalls within an overall security strategy as well as strategies for constructing firewall rules.
+				</div></li></ul></div><div class="section" title="2.10.6.1. Installed IP Tables Documentation"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Additional_Resources-Installed_IP_Tables_Documentation">2.10.6.1. Installed IP Tables Documentation</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
 						<code class="command">man iptables</code> — Contains a description of <code class="command">iptables</code> as well as a comprehensive list of targets, options, and match extensions.
-					</div></li></ul></div></div><div class="section" title="2.9.6.2. Useful IP Tables Websites"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Additional_Resources-Useful_IP_Tables_Websites">2.9.6.2. Useful IP Tables Websites</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+					</div></li></ul></div></div><div class="section" title="2.10.6.2. Useful IP Tables Websites"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Additional_Resources-Useful_IP_Tables_Websites">2.10.6.2. Useful IP Tables Websites</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
 						<a href="http://www.netfilter.org/">http://www.netfilter.org/</a> — The home of the netfilter/iptables project. Contains assorted information about <code class="command">iptables</code>, including a FAQ addressing specific problems and various helpful guides by Rusty Russell, the Linux IP firewall maintainer. The HOWTO documents on the site cover subjects such as basic networking concepts, kernel packet filtering, and NAT configurations.
 					</div></li><li class="listitem"><div class="para">
 						<a href="http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html">http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html</a> — An introduction to the way packets move through the Linux kernel, plus an introduction to constructing basic <code class="command">iptables</code> commands.
-					</div></li></ul></div></div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e1504" href="#d0e1504" class="para">11</a>] </sup>
+					</div></li></ul></div></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id2128594" href="#id2128594" class="para">11</a>] </sup>
 					Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.
-				</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e1610" href="#d0e1610" class="para">12</a>] </sup>
+				</p></div><div class="footnote"><p><sup>[<a id="ftn.id563774" href="#id563774" class="para">12</a>] </sup>
 						GRUB also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2631" href="#d0e2631" class="para">13</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2123511" href="#id2123511" class="para">13</a>] </sup>
 						This access is still subject to the restrictions imposed by SELinux, if it is enabled.
-					</p></div><div class="footnote"><p><sup>[<a id="ftn.d0e7547" href="#d0e7547" class="para">14</a>] </sup>
+					</p></div><div class="footnote"><p><sup>[<a id="ftn.id2062126" href="#id2062126" class="para">14</a>] </sup>
 				A system where both the client and the server share a common key that is used to encrypt and decrypt network communication.
-			</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 3. Encryption"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Encryption">Chapter 3. Encryption</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryptio
 n-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interes
 t">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt><d
 d><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></div><div class="para">
+			</p></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 3. Encryption" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Encryption">Chapter 3. Encryption</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Security_Gu
 ide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Lin
 ks_of_Interest">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a><
 /span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></div><div class="para">
 		There are two main types of data that must be protected: data at rest and data in motion. These different types of data are protected in similar ways using similar technology but the implementations can be completely different. No single protective implementation can prevent all possible methods of compromise as the same information may be at rest and in motion at different points in time.
 	</div><div class="section" title="3.1. Data at Rest"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</h2></div></div></div><div class="para">
 			Data at rest is data that is stored on a hard drive, tape, CD, DVD, disk, or other media. This information's biggest threat comes from being physically stolen. Laptops in airports, CDs going through the mail, and backup tapes that get left in the wrong places are all examples of events where data can be compromised through theft. If the data was encrypted on the media then you wouldn't have to worry as much about the data being compromised.
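Review bot: the four footnote anchors in this hunk change from `ftn.d0e1504`-style ids to `ftn.id2128594`-style ids, and the matching `href` targets change with them, so any existing link to the old footnote fragments stops resolving. The new values look generated; if they differ from build to build, every regeneration will rewrite these lines. Suggest giving the footnotes stable ids in the source. In the context at the top of the hunk, the sentence starting "For example, the iptables-config directive" runs `IPTABLES_MODULES</code>:the equivalent` together with no space after the colon and does not parse as a sentence; it needs rewording.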
@@ -3940,7 +3962,7 @@
 			SSH is very easy to activate. By simply starting the sshd service, the system will begin to accept connections and will allow access to the system when a correct username and password is provided during the connection process. The standard TCP port for the SSH service is 22, however this can be changed by modifying the configuration file <span class="emphasis"><em>/etc/ssh/sshd_config</em></span> and restarting the service. This file also contains other configuration options for SSH.
 		</div><div class="para">
 			Secure Shell (SSH) also provides encrypted tunnels between computers but only using a single port. <a href="http://www.redhatmagazine.com/2007/11/27/advanced-ssh-configuration-and-tunneling-we-dont-need-no-stinking-vpn-software">Port forwarding can be done over an SSH tunnel</a> and traffic will be encrypted as it passes over that tunnel but using port forwarding is not as fluid as a VPN.
-		</div></div><div xml:lang="en-US" class="section" title="3.7. LUKS Disk Encryption"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</h2></div></div></div><div class="para">
+		</div></div><div xml:lang="en-US" class="section" title="3.7. LUKS Disk Encryption" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</h2></div></div></div><div class="para">
 		Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the partition.
 	</div><div class="section" title="3.7.1. LUKS Implementation in Fedora"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</h3></div></div></div><div class="para">
 			Fedora 9, and later, utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is unchecked during the installation. If you select the option to encrypt you hard drive, you will be prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition. If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings
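Review bot: the last context line of this hunk has a typo, "encrypt you hard drive" for "encrypt your hard drive", and its final sentence, "This is set in the partition table settings", has no closing period. Both are worth fixing in the source, since the only change made here is the added `lang="en-US"` attribute on the section `div`. The SSH paragraph at the top also describes access with "a correct username and password" only; a pointer to the guide's own advice on stronger authentication, if it has any, would fit there.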
@@ -4008,7 +4030,7 @@
 					<a href="http://clemens.endorphin.org/LUKS/">LUKS - Linux Unified Key Setup</a>
 				</div></li><li class="listitem"><div class="para">
 					<a href="https://bugzilla.redhat.com/attachment.cgi?id=161912">HOWTO: Creating an encrypted Physical Volume (PV) using a second hard drive, pvmove, and a Fedora LiveCD</a>
-				</div></li></ul></div></div></div><div xml:lang="en-US" class="section" title="3.8. 7-Zip Encrypted Archives"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</h2></div></div></div><div class="para">
+				</div></li></ul></div></div></div><div xml:lang="en-US" class="section" title="3.8. 7-Zip Encrypted Archives" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</h2></div></div></div><div class="para">
 		<a href="http://www.7-zip.org/">7-Zip</a> is a cross-platform, next generation, file compression tool that can also use strong encryption (AES-256) to protect the contents of the archive. This is extremely useful when you need to move data between multiple computers that use varying operating systems (i.e. Linux at home, Windows at work) and you want a portable encryption solution.
 	</div><div class="section" title="3.8.1. 7-Zip Installation in Fedora"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</h3></div></div></div><div class="para">
 			7-Zip is not a base package in Fedora, but it is available in the software repository. Once installed, the package will update alongside the rest of the software on the computer with no special attention necessary.
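Review bot: in the 7-Zip introduction kept as context, "(i.e. Linux at home, Windows at work)" introduces an example rather than a restatement, so it should read "e.g.". The same sentence asserts "strong encryption (AES-256)" without saying that the protection depends on the passphrase chosen for the archive; one added clause would cover that.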
@@ -4046,7 +4068,7 @@
 			7-Zip is not shipped by default with Microsoft Windows or Mac OS X. If you need to use your 7-Zip files on those platforms you will need to install the appropriate version of 7-Zip on those computers. See the 7-Zip <a href="http://www.7-zip.org/download.html">download page</a>.
 		</div><div class="para">
 			GNOME's File Roller application will recognize your .7z files and attempt to open them, but it will fail with the error "''An error occurred while loading the archive.''" when it attempts to do so. This is because File Roller does not currently support the extraction of encrypted 7-Zip files. A bug report ([http://bugzilla.gnome.org/show_bug.cgi?id=490732 Gnome Bug 490732]) has been submitted.
-		</div></div></div><div xml:lang="en-US" class="section" title="3.9. Using GNU Privacy Guard (GnuPG)"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</h2></div></div></div><div class="para">
+		</div></div></div><div xml:lang="en-US" class="section" title="3.9. Using GNU Privacy Guard (GnuPG)" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</h2></div></div></div><div class="para">
 		GPG is used to identify yourself and authenticate your communications, including those with people you don't know. GPG allows anyone reading a GPG-signed email to verify its authenticity. In other words, GPG allows someone to be reasonably certain that communications signed by you actually are from you. GPG is useful because it helps prevent third parties from altering code or intercepting conversations and altering the message.
 	</div><div class="section" title="3.9.1. Creating GPG Keys in GNOME"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</h3></div></div></div><div class="para">
 			Install the Seahorse utility, which makes GPG key management easier. From the main menu, select <code class="code">System > Administration > Add/Remove Software</code> and wait for PackageKit to start. Enter <code class="code">Seahorse</code> into the text box and select the Find. Select the checkbox next to the ''seahorse'' package and select ''Apply'' to add the software. You can also install <code class="code">Seahorse</code> at the command line with the command <code class="code">su -c "yum install seahorse"</code>.
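Review bot: the context lines in this hunk still carry unconverted wiki markup that renders literally in the HTML: `''An error occurred while loading the archive.''`, `[http://bugzilla.gnome.org/show_bug.cgi?id=490732 Gnome Bug 490732]`, and `''seahorse''` / `''Apply''` in the Seahorse paragraph. Suggest converting these to proper emphasis and link markup in the source. In the same paragraph, "select the Find" is missing its noun (presumably a button).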
@@ -4104,7 +4126,7 @@
 					<a href="http://en.wikipedia.org/wiki/Public-key_cryptography">Wikipedia - Public Key Cryptography</a>
 				</div></li><li class="listitem"><div class="para">
 					<a href="http://computer.howstuffworks.com/encryption.htm">HowStuffWorks - Encryption</a>
-				</div></li></ol></div></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 4. General Principles of Information Security"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-General_Principles_of_Information_Security">Chapter 4. General Principles of Information Security</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></div><div class="para">
+				</div></li></ol></div></div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 4. General Principles of Information Security" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-General_Principles_of_Information_Security">Chapter 4. General Principles of Information Security</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4.1. Tips, Guides, and Tools</a></span></dt></dl></div><div class="para">
 		The following general principals provide an overview of good security practices:
 	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
 				encrypt all data transmitted over networks to help prevent man-in-the-middle attacks and eavesdropping. It is important to encrypt authentication information, such as passwords.
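Review bot: the Chapter 4 introduction at the end of this hunk reads "The following general principals", which should be "principles", matching the chapter title on the changed line just above it. The first list item also starts in lower case ("encrypt all data ...") although it is followed by a second full sentence; capitalise it for consistency.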
@@ -4132,7 +4154,7 @@
 			The DISA <a href="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1-16_20090215.ZIP">UNIX Security Checklist Version 5, Release 1.16</a> provides a collection of documents and checklists, ranging from the correct ownerships and modes for system files, to patch control.
 		</div><div class="para">
 			Also, DISA has made available <a href="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SPR scripts</a> that allow administrators to check specific settings on systems. These scripts provide XML-formatted reports listing any known vulnerable settings.
-		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 5. Secure Installation"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Secure_Installation">Chapter 5. Secure Installation</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></div><div class="para">
+		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 5. Secure Installation" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Secure_Installation">Chapter 5. Secure Installation</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></div><div class="para">
 		Security begins with the first time you put that CD or DVD into your disk drive to install Fedora. Configuring your system securely from the beginning makes it easier to implement additional security settings later.
 	</div><div class="section" title="5.1. Disk Partitions"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</h2></div></div></div><div class="para">
 			The NSA recommends creating separate partitions for /boot, /, /home, /tmp, and /var/tmp. The reasons for each are different and we will address each partition.
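Review bot: the DISA paragraph at the top of this hunk labels the link "UNIX SPR scripts" while its `href` points at `stigs/SRR/unix.html`; the link text and the target disagree, and the text looks like a typo for SRR. Please confirm against the target page and correct the label. The checklist link above it is also pinned to one versioned ZIP file (`unix_checklist_v5r1-16_20090215.ZIP`), which will go stale; linking the checklist index page would age better.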
@@ -4144,7 +4166,7 @@
 			/tmp and /var/tmp - Both the /tmp and the /var/tmp directories are used to store data that doesn't need to be stored for a long period of time. However if a lot of data floods one of these directories it can consume all of your storage space. If this happens and these directories are stored within / then your system could become unstable and crash. For this reason, moving these directories into their own partitions is a good idea.
 		</div></div><div class="section" title="5.2. Utilize LUKS Partition Encryption"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</h2></div></div></div><div class="para">
 			Since Fedora 9, implementation of <a href="http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncryption">Linux Unified Key Setup-on-disk-format</a>(LUKS) encryption has become a lot easier. During the installation process an option to encrypt your partitions will be presented to the user. The user must supply a passphrase that will be the key to unlock the bulk encryption key that will be used to secure the partition's data.
-		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 6. Software Maintenance"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Software_Maintenance">Chapter 6. Software Maintenance</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></d
 l></div><div class="para">
+		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 6. Software Maintenance" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Software_Maintenance">Chapter 6. Software Maintenance</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></
 span></dt></dl></div><div class="para">
 		Software maintenance is extremely important to maintaining a secure system. It is vital to patch software as soon as it becomes available in order to prevent attackers from using known holes to infiltrate your system.
 	</div><div class="section" title="6.1. Install Minimal Software"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</h2></div></div></div><div class="para">
 			It is best practice to install only the packages you will use because each piece of software on your computer could possibly contain a vulnerability. If you are installing from the DVD media take the opportunity to select exactly what packages you want to install during the installation. When you find you need another package, you can always add it to the system later.
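Review bot: The changed line for the Chapter 6 div only adds `lang="en-US"` next to the existing `xml:lang="en-US"`, and the log message does not mention this markup change. The section text visible in this hunk (the end of 5.2, the Chapter 6 introduction and 6.1) is unchanged context, so the attribute looks like a side effect of regenerating the page rather than a hand edit. Please note the regeneration in the log message, or commit regeneration-only changes separately, so that content edits to the guide are easy to find in the diff.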
@@ -4162,7 +4184,7 @@
 			Software packages are published through repositories. All well known repositories support package signing. Package signing uses public key technology to prove that the package that was published by the repository has not been changed since the signature was applied. This provides some protection against installing software that may have been maliciously altered after the package was created but before you downloaded it.
 		</div><div class="para">
 			Using too many repositories, untrustworthy repositories, or repositories with unsigned packages has a higher risk of introducing malicious or vulnerable code into your system. Use caution when adding repositories to yum/software update.
-		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 7. References"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-References">Chapter 7. References</h2></div></div></div><div class="para">
+		</div></div></div><div xml:lang="en-US" class="chapter" title="Chapter 7. References" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-References">Chapter 7. References</h2></div></div></div><div class="para">
 		The following references are pointers to additional information that is relevant to SELinux and Fedora but beyond the scope of this guide. Note that due to the rapid development of SELinux, some of this material may only apply to specific releases of Fedora.
 	</div><div class="variablelist" title="Books" id="vari-Security_Guide-References-Books"><h6>Books</h6><dl><dt><span class="term">SELinux by Example</span></dt><dd><div class="para">
 					Mayer, MacMillan, and Caplan
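Review bot: The Chapter 7 introduction kept as context in this hunk says the references are "relevant to SELinux and Fedora" and refers to "the rapid development of SELinux", which reads as text carried over from an SELinux document rather than written for a general security guide. The only change here is the `lang="en-US"` attribute on the chapter div, so the wording would have to be corrected in the source this HTML is built from and not in index.html itself.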
@@ -4204,4 +4226,4 @@
 					<a href="http://www.cs.utah.edu/flux/fluke/html/flask.html">http://www.cs.utah.edu/flux/fluke/html/flask.html</a>
 				</div></dd><dt><span class="term">Full background on Fluke</span></dt><dd><div class="para">
 					<a href="http://www.cs.utah.edu/flux/fluke/html/index.html">http://www.cs.utah.edu/flux/fluke/html/index.html</a>
-				</div></dd></dl></div></div></div></body></html>
\ No newline at end of file
+				</div></dd></dl></div></div></div></body></html>



