Security Changes For Fedora 9

Tomas Mraz tmraz at redhat.com
Fri Dec 21 12:20:24 UTC 2007


On Thu, 2007-12-20 at 19:29 -0800, riley.marquis at tcsresearch.org wrote:
> Security Updates For Fedora 9
> 
> Greetings!
> I had several ideas for Fedora 9 in regards to improving the security of a
> default installation.
> 
> 1: Disable root account / Use Sudo
Maybe more secure from one point of view, maybe less secure from another.
So please no.

> 2: /etc/ssh/sshd_config changes
> -PermitRootLogin no (currently 'yes')
Not before we have a way to log in on a remotely installed VNC machine.

> -LoginGraceTime 1m (currently 2m)
If upstream changes it then yes.

> -Banner /etc/issue.net (currently not set)
sshd doesn't support escape sequences, which are currently present in
issue.net.

> -AllowGroups wheel (currently not set)
No.

> We should also see if the OpenSSH developers would be willing to make
> these changes the default on Portable OpenSSH.
They wouldn't, except perhaps the LoginGraceTime change.

> 3: Add wheel group if not present
> If there is no wheel group by default, we should include one in Fedora 9. 
> This means deciding on what Group ID (GID) to use.  Anaconda would need to
> force creation of a user account that is a part of this group.
There is a wheel group by default with root as a member.

> 4: GCC Lockdowns
> With the new GCC-4.3.0 recently built for Fedora 9, we should forbid
> ordinary users access to the programs it contains, incl. rpmbuild, mock,
> etc.  Only members of the wheel, koji, and mock groups should have access
> to software development tools.  Did I miss any groups that should be
> allowed access?
Nonsense.


-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
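
Added example, not part of the original message or of OpenSSH: a small checker that works out the effective global value of the single-valued sshd_config keywords from item 2 and compares each with the value proposed in the thread. The fallback defaults are the "currently" values quoted above; the sample file and all function names are constructed for illustration.

```python
import re

# "Currently" values quoted in the thread, used when a keyword is absent.
DEFAULTS = {"permitrootlogin": "yes", "logingracetime": "2m", "banner": None}
# Values proposed in item 2. AllowGroups is left out: it takes a list of
# group patterns, so a single-value comparison would not describe it.
PROPOSED = {"permitrootlogin": "no", "logingracetime": "1m",
            "banner": "/etc/issue.net"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def seconds(value):
    """Convert an sshd time value such as '120', '2m' or '1h30m' to seconds."""
    return sum(int(n) * UNITS[u]
               for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def effective(config_text):
    """Global values sshd would use: keywords are case-insensitive and the
    first occurrence wins. Parsing stops at the first Match block."""
    values, found = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in found and len(parts) == 2:
            found.add(key)
            values[key] = parts[1].strip()
    return values

def compare(config_text):
    """Map each keyword to (effective, proposed, same_as_proposed)."""
    norm = lambda k, v: seconds(v) if k == "logingracetime" else v
    have = effective(config_text)
    return {k: (have[k], want, norm(k, have[k]) == norm(k, want))
            for k, want in PROPOSED.items()}

# Constructed sample file, not taken from a real system.
SAMPLE = """# PermitRootLogin yes
PermitRootLogin no
permitrootlogin yes
LoginGraceTime 60
#Banner /etc/issue.net
"""

if __name__ == "__main__":
    for key, (have, want, same) in compare(SAMPLE).items():
        print(f"{key:16} have={have!s:10} proposed={want:16} same={same}")
```

The second `permitrootlogin` line in the sample is ignored because the first occurrence of a keyword is the one sshd uses, and `60` compares equal to `1m` once both are converted to seconds.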



