web/html/docs/security-guide/en_US/F11/html-single index.html, 1.1, 1.2
Eric Christensen
sparks at fedoraproject.org
Mon Oct 26 22:39:12 UTC 2009
- Previous message (by thread): web/html/docs/security-guide/en_US/F11/html chap-Security_Guide-Securing_Your_Network.html, 1.1, 1.2 chap-Security_Guide-Security_Overview.html, 1.1, 1.2 index.html, 1.1, 1.2 pref-Security_Guide-Preface.html, 1.1, 1.2 sect-Security_Guide-Kerberos.html, 1.1, 1.2 sect-Security_Guide-Threats_to_Server_Security-Inattentive_Administration.html, 1.1, 1.2
- Next message (by thread): web/html/docs/security-guide/en_US/F11/pdf security-guide.pdf, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: sparks
Update of /cvs/fedora/web/html/docs/security-guide/en_US/F11/html-single
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4386/F11/html-single
Modified Files:
index.html
Log Message:
Updated to latest license.
Index: index.html
===================================================================
RCS file: /cvs/fedora/web/html/docs/security-guide/en_US/F11/html-single/index.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.html 5 Aug 2009 22:08:01 -0000 1.1
+++ index.html 26 Oct 2009 22:38:42 -0000 1.2
@@ -4,15 +4,19 @@
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>security-guide</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css"/><meta name="generator" content="publican"/><meta name="package" content=""/><meta name="description" content="The Linux Security Guide is designed to assist users of Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. The Linux Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home. With proper administrative knowledge, vigilance, and tools, systems running Linux can be both fully functional and secured from most common intrusion and exploit methods."/></head><body class=""><div class="book" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">fedora</span> <span class="productnumber">11</s
pan></div><div><h1 id="d0e1" class="title">security-guide</h1></div><div><h2 class="subtitle">A Guide to Securing Fedora Linux</h2></div><p class="edition">Edition 1.0</p><div><h3 class="corpauthor">
<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>
</h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Johnray</span> <span class="surname">Fuller</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jrfuller at redhat.com">jrfuller at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Ha</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:jha at redhat.com">jha at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">O'Brien</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:daobrien at redhat.com">daobrien at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Scott</span> <span class
="surname">Radvan</span></h3><div class="affiliation"><span class="orgname">Red Hat</span></div><code class="email"><a class="email" href="mailto:sradvan at redhat.com">sradvan at redhat.com</a></code></div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Christensen</span></h3><div class="affiliation"><span class="orgname">Fedora Project</span> <span class="orgdiv">Documentation Team</span></div><code class="email"><a class="email" href="mailto:sparks at fedoraproject.org">sparks at fedoraproject.org</a></code></div></div></div><hr/><div><div id="d0e27" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
- Copyright <span class="trademark"/>© 2008 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at <a href="http://www.opencontent.org/openpub/">http://www.opencontent.org/openpub/</a>).
+ Copyright <span class="trademark"/>© 2008 Red Hat, Inc.
</div><div class="para">
- Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.
+ The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at <a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
</div><div class="para">
- Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.
+ Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
</div><div class="para">
- All other trademarks and copyrights referred to are the property of their respective owners.
+ Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
</div><div class="para">
- Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at <a href="http://fedoraproject.org/wiki/Legal/Export">http://fedoraproject.org/wiki/Legal/Export</a>.
+ For guidelines on the permitted uses of the Fedora trademarks, refer to <a href="https://fedoraproject.org/wiki/Legal:Trademark_guidelines">https://fedoraproject.org/wiki/Legal:Trademark_guidelines</a>.
+ </div><div class="para">
+ <span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the United States and other countries.
+ </div><div class="para">
+ All other trademarks are the property of their respective owners.
</div></div></div><div><div class="abstract"><h6>Abstract</h6><div class="para">The Linux Security Guide is designed to assist users of Linux in
learning the processes and practices of securing workstations and
servers against local and remote intrusion, exploitation, and
@@ -21,11 +25,11 @@
for the data center, workplace, and home. With proper
administrative knowledge, vigilance, and tools, systems running
Linux can be both fully functional and secured from most common
-intrusion and exploit methods.</div></div></div></div><hr/></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security_Guide-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e101">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e111">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#d0e327">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#d0e346">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#We_Need_Feedback">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Security_Overview">1. Security Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Compu
ter_Security">1.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Asses
sment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Ex
ploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.1. W
orkstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sect-Secur
ity_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span cla
ss="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollment Wor
ks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Configurati
on File Format</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP
Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</a></sp
an></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="sectio
n"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an IPsec Connectio
n</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an IPsec Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</a></span></dt><dt><span class="sec
tion"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. FORWARD and NAT Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#se
ct-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Differences_Between_IPTables_and_IPChains">2.9.2. Differences Between IPTables and IPChains</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.3. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.4. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.5. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables
_and_IPv6">2.9.6. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.7. Additional Resources</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Encryption">3. Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt
><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#
sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GP
G">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-General_Principles_of_Information_Security">4. General Principles of Information Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4
.1. Tips, Guides, and Tools</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Secure_Installation">5. Secure Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Software_Maintenance">6. Software Maintenance</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_M
aintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-References">7. References</a></span></dt></dl></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security_Guide-Preface" class="title">Preface</h1></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e101">1. Document Conventions</h2></div></div></div><div class="para">
+intrusion and exploit methods.</div></div></div></div><hr/></div><div class="toc"><dl><dt><span class="preface"><a href="#pref-Security_Guide-Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e107">1. Document Conventions</a></span></dt><dd><dl><dt><span class="section"><a href="#d0e117">1.1. Typographic Conventions</a></span></dt><dt><span class="section"><a href="#d0e333">1.2. Pull-quote Conventions</a></span></dt><dt><span class="section"><a href="#d0e352">1.3. Notes and Warnings</a></span></dt></dl></dd><dt><span class="section"><a href="#We_Need_Feedback">2. We Need Feedback!</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Security_Overview">1. Security Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-What_is_Compu
ter_Security">1.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-SELinux">1.1.2. SELinux</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Security_Controls">1.1.3. Security Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Introduction_to_Security-Conclusion">1.1.4. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment">1.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Thinking_Like_the_Enemy">1.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Assessment-Defining_Assessment_and_Testing">1.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Vulnerability_Asses
sment-Evaluating_the_Tools">1.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities">1.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-A_Quick_History_of_Hackers">1.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Network_Security">1.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Server_Security">1.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Attackers_and_Vulnerabilities-Threats_to_Workstation_and_Home_PC_Security">1.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Common_Ex
ploits_and_Attacks">1.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates">1.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Security_Updates-Updating_Packages">1.5.1. Updating Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages">1.5.2. Verifying Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Installing_Signed_Packages">1.5.3. Installing Signed Packages</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Updating_Packages-Applying_the_Changes">1.5.4. Applying the Changes</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Securing_Your_Network">2. Securing Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.1. W
orkstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sect-Secur
ity_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span cla
ss="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollment Wor
ks</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Configurati
on File Format</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership">2.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP
Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</a></sp
an></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="sectio
n"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD">2.7.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an IPsec Connectio
n</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Starting and Stopping an IPsec Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</a></span></dt><dt><span class="sec
tion"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. FORWARD and NAT Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#se
ct-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Differences_Between_IPTables_and_IPChains">2.9.2. Differences Between IPTables and IPChains</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.3. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.4. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.5. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables
_and_IPv6">2.9.6. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.7. Additional Resources</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Encryption">3. Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt
><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6. Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#
sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest">3.7.5. Links of Interest</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GP
G">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-General_Principles_of_Information_Security">4. General Principles of Information Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">4
.1. Tips, Guides, and Tools</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Secure_Installation">5. Secure Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Disk_Partitions">5.1. Disk Partitions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption">5.2. Utilize LUKS Partition Encryption</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-Software_Maintenance">6. Software Maintenance</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Minimal_Software">6.1. Install Minimal Software</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Plan_and_Configure_Security_Updates">6.2. Plan and Configure Security Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_M
aintenance-Plan_and_Configure_Security_Updates-Adjusting_Automatic_Updates">6.3. Adjusting Automatic Updates</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Software_Maintenance-Install_Signed_Packages_from_Well_Known_Repositories">6.4. Install Signed Packages from Well Known Repositories</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Security_Guide-References">7. References</a></span></dt></dl></div><div class="preface" lang="en-US"><div class="titlepage"><div><div><h1 id="pref-Security_Guide-Preface" class="title">Preface</h1></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="d0e107">1. Document Conventions</h2></div></div></div><div class="para">
This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.
</div><div class="para">
In PDF and paper editions, this manual uses typefaces drawn from the <a href="https://fedorahosted.org/liberation-fonts/">Liberation Fonts</a> set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.
- </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e111">1.1. Typographic Conventions</h3></div></div></div><div class="para">
+ </div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e117">1.1. Typographic Conventions</h3></div></div></div><div class="para">
Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.
</div><div class="para">
<code class="literal">Mono-spaced Bold</code>
@@ -75,7 +79,7 @@
Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:
</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server.
- </div></blockquote></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e327">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
+ </div></blockquote></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e333">1.2. Pull-quote Conventions</h3></div></div></div><div class="para">
Two, commonly multi-line, data types are set off visually from the surrounding text.
</div><div class="para">
Output sent to a terminal is set in <code class="computeroutput">Mono-spaced Roman</code> and presented thus:
@@ -105,7 +109,7 @@
}
}
-</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e346">1.3. Notes and Warnings</h3></div></div></div><div class="para">
+</pre></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="d0e352">1.3. Notes and Warnings</h3></div></div></div><div class="para">
Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.
</div><div class="note"><h2>Note</h2><div class="para">
A Note is a tip or shortcut or alternative approach to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.
@@ -124,7 +128,7 @@
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Introduction_to_Security">1.1. Introduction to Security</h2></div></div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Introduction_to_Security-What_is_Computer_Security">1.1.1. What is Computer Security?</h3></div></div></div><div class="para">
Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access crucial information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO) and quality of service (QoS). Using these metrics, industries can calculate aspects such as data integrity and high-availability as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can be the difference between success and failure.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-How_did_Computer_Security_Come_about">1.1.1.1. How did Computer Security Come about?</h4></div></div></div><div class="para">
- Information security has evolved over the years due to the increasing reliance on public networks not to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick <sup>[<a id="d0e402" href="#ftn.d0e402" class="footnote">1</a>]</sup>and the Vladimir Levin <sup>[<a id="d0e406" href="#ftn.d0e406" class="footnote">2</a>]</sup>cases that prompted organizations across all industries to re-think the way they handle information, as well as its transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
+ Information security has evolved over the years due to the increasing reliance on public networks not to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick <sup>[<a id="d0e408" href="#ftn.d0e408" class="footnote">1</a>]</sup>and the Vladimir Levin <sup>[<a id="d0e412" href="#ftn.d0e412" class="footnote">2</a>]</sup>cases that prompted organizations across all industries to re-think the way they handle information, as well as its transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
</div><div class="para">
An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer. From research and information retrieval to electronic mail and commerce transaction, the Internet has been regarded as one of the most important developments of the 20th century.
</div><div class="para">
@@ -132,19 +136,19 @@
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Computer_Security-Security_Today">1.1.1.2. Security Today</h4></div></div></div><div class="para">
In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for several hours with large-byte ICMP packet transfers, also called a <em class="firstterm">ping flood</em>. The attack was brought on by unknown assailants using specially created, widely available programs that scanned vulnerable network servers, installed client applications called <em class="firstterm">trojans</em> on the servers, and timed an attack with every infected server flooding the victim sites and rendering them unavailable. Many blame the attack on fundamental flaws in the way routers and the protocols used are structured to accept all incoming data, no matter where or for what purpose the packets are sent.
</div><div class="para">
- In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial institution of over 45 million credit card numbers.<sup>[<a id="d0e430" href="#ftn.d0e430" class="footnote">3</a>]</sup>
+ In 2007, a data breach exploiting the widely-known weaknesses of the Wired Equivalent Privacy (WEP) wireless encryption protocol resulted in the theft from a global financial institution of over 45 million credit card numbers.<sup>[<a id="d0e436" href="#ftn.d0e436" class="footnote">3</a>]</sup>
</div><div class="para">
- In a separate incident, the billing records of over 2.2 million patients stored on a backup tape were stolen from the front seat of a courier's car.<sup>[<a id="d0e436" href="#ftn.d0e436" class="footnote">4</a>]</sup>
+ In a separate incident, the billing records of over 2.2 million patients stored on a backup tape were stolen from the front seat of a courier's car.<sup>[<a id="d0e442" href="#ftn.d0e442" class="footnote">4</a>]</sup>
</div><div class="para">
- Currently, an estimated 1.4 billion people use or have used the Internet worldwide.<sup>[<a id="d0e442" href="#ftn.d0e442" class="footnote">5</a>]</sup> At the same time:
+ Currently, an estimated 1.4 billion people use or have used the Internet worldwide.<sup>[<a id="d0e448" href="#ftn.d0e448" class="footnote">5</a>]</sup> At the same time:
</div><div class="itemizedlist"><ul><li><div class="para">
- On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.<sup>[<a id="d0e450" href="#ftn.d0e450" class="footnote">6</a>]</sup>
+ On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.<sup>[<a id="d0e456" href="#ftn.d0e456" class="footnote">6</a>]</sup>
</div></li><li><div class="para">
- In 2003, the number of CERT reported incidences jumped to 137,529 from 82,094 in 2002 and from 52,658 in 2001.<sup>[<a id="d0e457" href="#ftn.d0e457" class="footnote">7</a>]</sup>
+ In 2003, the number of CERT reported incidences jumped to 137,529 from 82,094 in 2002 and from 52,658 in 2001.<sup>[<a id="d0e463" href="#ftn.d0e463" class="footnote">7</a>]</sup>
</div></li><li><div class="para">
- The worldwide economic impact of the three most dangerous Internet Viruses of the last three years was estimated at US$13.2 Billion.<sup>[<a id="d0e464" href="#ftn.d0e464" class="footnote">8</a>]</sup>
+ The worldwide economic impact of the three most dangerous Internet Viruses of the last three years was estimated at US$13.2 Billion.<sup>[<a id="d0e470" href="#ftn.d0e470" class="footnote">8</a>]</sup>
</div></li></ul></div><div class="para">
- From a 2008 global survey of business and technology executives "The Global State of Information Security"<sup>[<a id="d0e470" href="#ftn.d0e470" class="footnote">9</a>]</sup>, undertaken by <span class="emphasis"><em>CIO Magazine</em></span>, some points are:
+ From a 2008 global survey of business and technology executives "The Global State of Information Security"<sup>[<a id="d0e476" href="#ftn.d0e476" class="footnote">9</a>]</sup>, undertaken by <span class="emphasis"><em>CIO Magazine</em></span>, some points are:
</div><div class="itemizedlist"><ul><li><div class="para">
Just 43% of respondents audit or monitor user compliance with security policies
</div></li><li><div class="para">
@@ -377,7 +381,7 @@
</div><div class="para">
Refer to <a class="xref" href="#sect-Security_Guide-Security_Updates" title="1.5. Security Updates">Section 1.5, “Security Updatesâ€</a> for more information about keeping a system up-to-date.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Threats_to_Server_Security-Inattentive_Administration">1.3.3.3. Inattentive Administration</h4></div></div></div><div class="para">
- Administrators who fail to patch their systems are one of the greatest threats to server security. According to the <em class="firstterm">SysAdmin, Audit, Network, Security Institute</em> (<em class="firstterm">SANS</em>), the primary cause of computer security vulnerability is to "assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job."<sup>[<a id="d0e950" href="#ftn.d0e950" class="footnote">10</a>]</sup> This applies as much to inexperienced administrators as it does to overconfident or amotivated administrators.
+ Administrators who fail to patch their systems are one of the greatest threats to server security. According to the <em class="firstterm">SysAdmin, Audit, Network, Security Institute</em> (<em class="firstterm">SANS</em>), the primary cause of computer security vulnerability is to "assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job."<sup>[<a id="d0e956" href="#ftn.d0e956" class="footnote">10</a>]</sup> This applies as much to inexperienced administrators as it does to overconfident or amotivated administrators.
</div><div class="para">
Some administrators fail to patch their servers and workstations, while others fail to watch log messages from the system kernel or network traffic. Another common error is when default passwords or keys to services are left unchanged. For example, some databases have default administration passwords because the database developers assume that the system administrator changes these passwords immediately after installation. If a database administrator fails to change this password, even an inexperienced cracker can use a widely-known default password to gain administrative privileges to the database. These are only a few examples of how inattentive administration can lead to compromised servers.
</div></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Threats_to_Server_Security-Inherently_Insecure_Services">1.3.3.4. Inherently Insecure Services</h4></div></div></div><div class="para">
@@ -544,25 +548,25 @@
</div><div class="para">
To kill all active IMAP sessions, issue the following command:
</div><pre class="screen"><code class="command">killall imapd</code>
-</pre></dd></dl></div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e402" href="#d0e402" class="para">1</a>] </sup>
+</pre></dd></dl></div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e408" href="#d0e408" class="para">1</a>] </sup>
http://law.jrank.org/pages/3791/Kevin-Mitnick-Case-1999.html
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e406" href="#d0e406" class="para">2</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e412" href="#d0e412" class="para">2</a>] </sup>
http://www.livinginternet.com/i/ia_hackers_levin.htm
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e430" href="#d0e430" class="para">3</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e436" href="#d0e436" class="para">3</a>] </sup>
http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e436" href="#d0e436" class="para">4</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e442" href="#d0e442" class="para">4</a>] </sup>
http://www.healthcareitnews.com/story.cms?id=9408
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e442" href="#d0e442" class="para">5</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e448" href="#d0e448" class="para">5</a>] </sup>
http://www.internetworldstats.com/stats.htm
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e450" href="#d0e450" class="para">6</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e456" href="#d0e456" class="para">6</a>] </sup>
http://www.cert.org
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e457" href="#d0e457" class="para">7</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e463" href="#d0e463" class="para">7</a>] </sup>
http://www.cert.org/stats/fullstats.html
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e464" href="#d0e464" class="para">8</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e470" href="#d0e470" class="para">8</a>] </sup>
http://www.newsfactor.com/perl/story/16407.html
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e470" href="#d0e470" class="para">9</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e476" href="#d0e476" class="para">9</a>] </sup>
http://www.csoonline.com/article/454939/The_Global_State_of_Information_Security_
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e950" href="#d0e950" class="para">10</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e956" href="#d0e956" class="para">10</a>] </sup>
http://www.sans.org/resources/errors.php
</p></div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Securing_Your_Network">Chapter 2. Securing Your Network</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security">2.1. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Password_Security">2.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Administrative_Controls">2.1.4. Administrative Controls</a></span></dt><dt><span class="s
ection"><a href="#sect-Security_Guide-Workstation_Security-Available_Network_Services">2.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Server_Security">2.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Services_With_TCP_Wrappers_and_xinetd">2.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Portmap">2.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NIS">2.2.3. S
ecuring NIS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_NFS">2.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server">2.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_FTP">2.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Securing_Sendmail">2.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening">2.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO">2.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Introduction">2.3.1. Introduction</a></span></dt><dt>
<span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card">2.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Enrollment_Works">2.3.3. How Smart Card Enrollment Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-How_Smart_Card_Login_Works">2.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO">2.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM">2.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Advantages_of_PAM">2.4.1. Advantages of PAM</a></
span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_Files">2.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_Configuration_File_Format">2.4.3. PAM Configuration File Format</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Sample_PAM_Configuration_Files">2.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Creating_PAM_Modules">2.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching">2.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_De
vice_Ownership">2.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Pluggable_Authentication_Modules_PAM-Additional_Resources">2.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd">2.5. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers">2.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files">2.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd">2.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-TCP_Wrappers_and_xinetd-xinetd_Configuration_Files">2.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#sect-Security_Gui
de-TCP_Wrappers_and_xinetd-Additional_Resources">2.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Kerberos">2.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_Terminology">2.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-How_Kerberos_Works">2.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Kerberos_and_PAM">2.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server">2.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Client">2.6.6. Configuring a Kerberos 5 C
lient</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Domain_to_Realm_Mapping">2.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Secondary_KDCs">2.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Setting_Up_Cross_Realm_Authentication">2.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Kerberos-Additional_Resources">2.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs">2.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-How_Does_a_VPN_Work">2.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs
_and_PROD">2.7.2. VPNs and Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec">2.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Creating_an_IPsec_Connection">2.7.4. Creating an IPsec Connection</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Installation">2.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration">2.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Network_to_Network_Configuration">2.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Virtual_Private_Networks_VPNs-Starting_and_Stopping_an_IPsec_Connection">2.7.8. Startin
g and Stopping an IPsec Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Firewalls">2.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Netfilter_and_IPTables">2.8.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Basic_Firewall_Configuration">2.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Using_IPTables">2.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Common_IPTables_Filtering">2.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules">2.8.5. FORWARD and NAT Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Malicious_Software_and_Spoofed_IP_Addresses">2.8.6. Malicious Software and Spoofed
IP Addresses</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPTables_and_Connection_Tracking">2.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-IPv6">2.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Firewalls-Additional_Resources">2.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-IPTables">2.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Packet_Filtering">2.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Differences_Between_IPTables_and_IPChains">2.9.2. Differences Between IPTables and IPChains</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Command_Options_for_IPTables">2.9.3. Command Options for IPTables</a></span></dt><dt><span class="sectio
n"><a href="#sect-Security_Guide-IPTables-Saving_IPTables_Rules">2.9.4. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_Control_Scripts">2.9.5. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-IPTables_and_IPv6">2.9.6. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-IPTables-Additional_Resources">2.9.7. Additional Resources</a></span></dt></dl></dd></dl></div><div class="section" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Workstation_Security">2.1. Workstation Security</h2></div></div></div><div class="para">
Securing a Linux environment begins with the workstation. Whether locking down a personal machine or securing an enterprise system, sound security policy begins with the individual computer. A computer network is only as secure as its weakest node.
@@ -587,7 +591,7 @@
</div><div class="para">
If the workstation is located in a place where only authorized or trusted people have access, however, then securing the BIOS or the boot loader may not be necessary.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-BIOS_and_Boot_Loader_Security-BIOS_Passwords">2.1.2.1. BIOS Passwords</h4></div></div></div><div class="para">
- The two primary reasons for password protecting the BIOS of a computer are<sup>[<a id="d0e1491" href="#ftn.d0e1491" class="footnote">11</a>]</sup>:
+ The two primary reasons for password protecting the BIOS of a computer are<sup>[<a id="d0e1497" href="#ftn.d0e1497" class="footnote">11</a>]</sup>:
</div><div class="orderedlist"><ol><li><div class="para">
<span class="emphasis"><em>Preventing Changes to BIOS Settings</em></span> — If an intruder has access to the BIOS, they can set it to boot from a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data.
</div></li><li><div class="para">
@@ -619,7 +623,7 @@
Next, edit the GRUB configuration file <code class="filename">/boot/grub/grub.conf</code>. Open the file and below the <code class="command">timeout</code> line in the main section of the document, add the following line:
</div><pre class="screen"><code class="command">password --md5 <em class="replaceable"><code><password-hash></code></em></code>
</pre><div class="para">
- Replace <em class="replaceable"><code><password-hash></code></em> with the value returned by <code class="command">/sbin/grub-md5-crypt</code><sup>[<a id="d0e1597" href="#ftn.d0e1597" class="footnote">12</a>]</sup>.
+ Replace <em class="replaceable"><code><password-hash></code></em> with the value returned by <code class="command">/sbin/grub-md5-crypt</code><sup>[<a id="d0e1603" href="#ftn.d0e1603" class="footnote">12</a>]</sup>.
</div><div class="para">
The next time the system boots, the GRUB menu prevents access to the editor or command interface without first pressing <span class="keycap"><strong>p</strong></span> followed by the GRUB password.
</div><div class="para">
@@ -872,12 +876,12 @@
</td></tr><tr><td>
Use PAM to limit root access to services.
</td><td>
- Edit the file for the target service in the <code class="filename">/etc/pam.d/</code> directory. Make sure the <code class="filename">pam_listfile.so</code> is required for authentication.<sup>[<a id="d0e2417" href="#ftn.d0e2417" class="footnote">a</a>]</sup>
+ Edit the file for the target service in the <code class="filename">/etc/pam.d/</code> directory. Make sure the <code class="filename">pam_listfile.so</code> is required for authentication.<sup>[<a id="d0e2423" href="#ftn.d0e2423" class="footnote">a</a>]</sup>
</td><td>
<table class="simplelist" border="0" summary="Simple list"><tr><td> Prevents root access to network services that are PAM aware. </td></tr><tr><td> The following services are prevented from accessing the root account: </td></tr><tr><td> · FTP clients </td></tr><tr><td> · Email clients </td></tr><tr><td> · <code class="command">login</code></td></tr><tr><td> · <code class="command">gdm</code></td></tr><tr><td> · <code class="command">kdm</code></td></tr><tr><td> · <code class="command">xdm</code></td></tr><tr><td> · <code class="command">ssh</code></td></tr><tr><td> · <code class="command">scp</code></td></tr><tr><td> · <code class="command">sftp</code></td></tr><tr><td> · Any PAM aware services </td></tr></table>
</td><td>
<table class="simplelist" border="0" summary="Simple list"><tr><td> Programs and services that are not PAM aware. </td></tr></table>
- </td></tr></tbody><tbody class="footnotes"><tr><td colspan="4"><div class="footnote"><p><sup>[<a id="ftn.d0e2417" href="#d0e2417" class="para">a</a>] </sup>
+ </td></tr></tbody><tbody class="footnotes"><tr><td colspan="4"><div class="footnote"><p><sup>[<a id="ftn.d0e2423" href="#d0e2423" class="para">a</a>] </sup>
Refer to <a class="xref" href="#sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM" title="2.1.4.2.4. Disabling Root Using PAM">Section 2.1.4.2.4, “Disabling Root Using PAMâ€</a> for details.
</p></div></td></tr></tbody></table></div><h6>Table 2.1. Methods of Disabling the Root Account</h6></div><br class="table-break"/><div class="section" lang="en-US"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Disallowing_Root_Access-Disabling_the_Root_Shell">2.1.4.2.1. Disabling the Root Shell</h5></div></div></div><div class="para">
To prevent users from logging in directly as root, the system administrator can set the root account's shell to <code class="command">/sbin/nologin</code> in the <code class="filename">/etc/passwd</code> file. This prevents access to the root account through commands that require a shell, such as the <code class="command">su</code> and the <code class="command">ssh</code> commands.
@@ -912,7 +916,7 @@
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Limiting_Root_Access-The_su_Command">2.1.4.3.1. The <code class="command">su</code> Command</h5></div></div></div><div class="para">
When a user executes the <code class="command">su</code> command, they are prompted for the root password and, after authentication, is given a root shell prompt.
</div><div class="para">
- Once logged in via the <code class="command">su</code> command, the user <span class="emphasis"><em>is</em></span> the root user and has absolute administrative access to the system<sup>[<a id="d0e2618" href="#ftn.d0e2618" class="footnote">13</a>]</sup>. In addition, once a user has become root, it is possible for them to use the <code class="command">su</code> command to change to any other user on the system without being prompted for a password.
+ Once logged in via the <code class="command">su</code> command, the user <span class="emphasis"><em>is</em></span> the root user and has absolute administrative access to the system<sup>[<a id="d0e2624" href="#ftn.d0e2624" class="footnote">13</a>]</sup>. In addition, once a user has become root, it is possible for them to use the <code class="command">su</code> command to change to any other user on the system without being prompted for a password.
</div><div class="para">
Because this program is so powerful, administrators within an organization may wish to limit who has access to the command.
</div><div class="para">
@@ -2350,7 +2354,7 @@
</div><div class="para">
Kerberos is a way to eliminate the need for protocols that allow unsafe methods of authentication, thereby enhancing overall network security.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Kerberos-What_is_Kerberos">2.6.1. What is Kerberos?</h3></div></div></div><div class="para">
- Kerberos is a network authentication protocol created by MIT, and uses symmetric-key cryptography<sup>[<a id="d0e7528" href="#ftn.d0e7528" class="footnote">14</a>]</sup> to authenticate users to network services, which means passwords are never actually sent over the network.
+ Kerberos is a network authentication protocol created by MIT, and uses symmetric-key cryptography<sup>[<a id="d0e7534" href="#ftn.d0e7534" class="footnote">14</a>]</sup> to authenticate users to network services, which means passwords are never actually sent over the network.
</div><div class="para">
Consequently, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted.
</div><div class="section" lang="en-US"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-What_is_Kerberos-Advantages_of_Kerberos">2.6.1.1. Advantages of Kerberos</h4></div></div></div><div class="para">
@@ -3926,13 +3930,13 @@
<a href="http://www.netfilter.org/">http://www.netfilter.org/</a> — The home of the netfilter/iptables project. Contains assorted information about <code class="command">iptables</code>, including a FAQ addressing specific problems and various helpful guides by Rusty Russell, the Linux IP firewall maintainer. The HOWTO documents on the site cover subjects such as basic networking concepts, kernel packet filtering, and NAT configurations.
</div></li><li><div class="para">
<a href="http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html">http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html</a> — An introduction to the way packets move through the Linux kernel, plus an introduction to constructing basic <code class="command">iptables</code> commands.
- </div></li></ul></div></div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e1491" href="#d0e1491" class="para">11</a>] </sup>
+ </div></li></ul></div></div></div></div><div class="footnotes"><br/><hr width="100" align="left"/><div class="footnote"><p><sup>[<a id="ftn.d0e1497" href="#d0e1497" class="para">11</a>] </sup>
Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e1597" href="#d0e1597" class="para">12</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e1603" href="#d0e1603" class="para">12</a>] </sup>
GRUB also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2618" href="#d0e2618" class="para">13</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e2624" href="#d0e2624" class="para">13</a>] </sup>
This access is still subject to the restrictions imposed by SELinux, if it is enabled.
- </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e7528" href="#d0e7528" class="para">14</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.d0e7534" href="#d0e7534" class="para">14</a>] </sup>
A system where both the client and the server share a common key that is used to encrypt and decrypt network communication.
</p></div></div></div><div class="chapter" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="chap-Security_Guide-Encryption">Chapter 3. Encryption</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Data_at_Rest">3.1. Data at Rest</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Protecting_Data_at_Rest-Full_Disk_Encryption">3.2. Full Disk Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Protecting_Data_at_Rest-File_Based_Encryption">3.3. File Based Encryption</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion">3.4. Data in Motion</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Virtual_Private_Networks">3.5. Virtual Private Networks</a></span></dt><dt><span class="section"><a href="#Security_Guide-Encryption-Data_in_Motion-Secure_Shell">3.6.
Secure Shell</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption">3.7. LUKS Disk Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora">3.7.1. LUKS Implementation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories">3.7.2. Manually Encrypting Directories</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-Step_by_Step_Instructions">3.7.3. Step-by-Step Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Manually_Encrypting_Directories-What_you_have_just_accomplished">3.7.4. What you have just accomplished.</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest">3.7.5. Links of Interest</a></spa
n></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives">3.8. 7-Zip Encrypted Archives</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation">3.8.1. 7-Zip Installation in Fedora</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions">3.8.2. Step-by-Step Installation Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Usage_Instructions">3.8.3. Step-by-Step Usage Instructions</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Things_of_note">3.8.4. Things of note</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG">3.9. Using GNU Privacy Guard (GnuPG)</a></span></dt><dd><dl><dt><span class="section"><a h
ref="#sect-Security_Guide-Encryption-Using_GPG-Keys_in_GNOME">3.9.1. Creating GPG Keys in GNOME</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE1">3.9.2. Creating GPG Keys in KDE</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-Creating_GPG_Keys_in_KDE">3.9.3. Creating GPG Keys Using the Command Line</a></span></dt><dt><span class="section"><a href="#sect-Security_Guide-Encryption-Using_GPG-About_Public_Key_Encryption">3.9.4. About Public Key Encryption</a></span></dt></dl></dd></dl></div><div class="para">
There are two main types of data that must be protected: data at rest and data in motion. These different types of data are protected in similar ways using similar technology but the implementations can be completely different. No single protective implementation can prevent all possible methods of compromise as the same information may be at rest and in motion at different points in time.
- Previous message (by thread): web/html/docs/security-guide/en_US/F11/html chap-Security_Guide-Securing_Your_Network.html, 1.1, 1.2 chap-Security_Guide-Security_Overview.html, 1.1, 1.2 index.html, 1.1, 1.2 pref-Security_Guide-Preface.html, 1.1, 1.2 sect-Security_Guide-Kerberos.html, 1.1, 1.2 sect-Security_Guide-Threats_to_Server_Security-Inattentive_Administration.html, 1.1, 1.2
- Next message (by thread): web/html/docs/security-guide/en_US/F11/pdf security-guide.pdf, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the Fedora-docs-commits
mailing list