Default security vs RedHat documentation
FedoraForum.org - Fedora Support Forums and Community
  1. #1 (Join Date: Jul 2019, Location: Serbia, Posts: 7)

    Question Default security vs RedHat documentation

    So, because the Fedora docs seem to be under construction (e.g. the "Fedora Security Guide" is a non-existent reference in what is otherwise very minimal, albeit good-quality, documentation),

    I cannot figure out what the relation is between, say, the RedHat security hardening guide and Fedora's default security (whatever the latest kernel and system).

    I'll give you an example:

    Do we "need" to configure "unbound" on a workstation? DNSSEC appears to be working even without it... or not?
    It is default on some other *nixes...
    Is it crucial?

    Another example

    Fedora has some RHEL functionality like crypto-policy.
    When set to FUTURE, the package repo doesn't work. Weak keys.

    Example three:

    Nowhere is it mentioned that SELinux is on by default. Is it really so transparent that I cannot even seem to figure out it's on?

    Example four:

    A non-domain, non-company private workstation: SCAP baseline policy is too strict perhaps?

    Anyway, new to the forum, first post, gauging the involvement... perhaps a bit ranty, flame if you want.

  2. #2 (Join Date: Feb 2009, Location: Florida, Posts: 672)

    Re: Default security vs RedHat documentation

    Quote: "Nowhere is it mentioned that selinux is on by default. Is it really that transparent that I cannot even seem to figure out it's on?"
    To see the status of SELinux enforcement, open a terminal and type the following at the command prompt:

    $ getenforce

  3. #3 (Join Date: Jan 2010, Posts: 7,431)

    Re: Default security vs RedHat documentation

    SELinux has become far more transparent in recent years. Sometimes, the better you know something, the harder it is to document. SELinux being on by default might be one of those things that "everybody knows," even though they don't. It probably is documented somewhere, maybe in a security section.

    Even a few years ago, you'd see many howto articles begin with "turn off SELinux", though many others would criticize that step. Nowadays, it seldom gets in the way and has also become easier to fix when it does.

  4. #4 (Join Date: Jan 2009, Location: New Zealand, Posts: 99)

    Re: Default security vs RedHat documentation

    Most of the packages these days come with SELinux rules which in most cases allow it to be transparent; a "semodule -l" shows how many packages have also loaded SELinux rules. They are not perfect and you will still get denials that noticeably break things. On a new build I generally set "setenforce 0" for a week or two while collecting denials, and load my own local rules based on that before turning it back on; the local rules I require these days have gone from over fifty to, on most servers, less than five now.

    My biggest shock with Fedora was on doing a workstation install from the workstation install DVD when I had to rebuild a desktop: I went to add my required rules and found all firewall ports were opened by explicit rules. Normally I do a server install, where most ports are closed by default. It probably makes life easier for newbies, and while the ports are all open, most services such as sshd are not started by default on the workstation install; but it does open the user up to risk as they install additional software.

    While fc30 is the latest, I did not take the time to download a workstation install of fc30 just for this post, but I would guess it is the same.
    I did a fresh install from Fedora-Workstation-Live-x86_64-28-1.1.iso to make sure I was not remembering incorrectly; the default below is from an fc28 live desktop install to hard disk, after the reboot.
    [mark@localhost ~]$ sudo firewall-cmd --list-services
    [sudo] password for mark:
    dhcpv6-client ssh samba-client mdns
    [mark@localhost ~]$ sudo firewall-cmd --list-ports
    1025-65535/udp 1025-65535/tcp
    [mark@localhost ~]$

    Server installs have the ports closed by default, so a lack of consistency to make it easier for new desktop users? Probably not an issue, as those users are unlikely to have their routers forwarding external traffic to their desktops; but as your post was about default security, it is worth a mention.
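The "setenforce 0, collect denials, build local rules, turn it back on" workflow in the post above, and the getenforce check in post #2, as an added example that is not code from the thread or from the Fedora project: a POSIX shell script that groups AVC records by (source type, target type, class, permission) the way audit2allow does, so each denial can be judged before anything is allowed. The audit lines are constructed for the example (invented pids, inodes and file names); the commands in the comment block are the real Fedora tools but are not executed here.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SELinux AVC denials collected
# while the box runs permissive, before turning them into local policy.
set -eu

# Constructed sample audit records standing in for `ausearch -m avc -ts today`
# output. permissive=1 means the access went through but would have been
# refused in enforcing mode; the last record (permissive=0) was a real block.
SAMPLE_AVC='type=AVC msg=audit(1562000000.101:301): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=40001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562000000.102:302): avc:  denied  { open } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=40001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562000000.103:303): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=40001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1562000000.104:304): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1562000000.105:305): avc:  denied  { read } for  pid=1399 comm="httpd" name="shadow" dev="dm-0" ino=40002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Read raw audit lines on stdin; print "<count> <src type> <tgt type> <class> <perm>"
# per unique tuple, most frequent first. This is the grouping audit2allow
# performs before it emits allow rules.
summarize_avc() {
    awk '
    /avc:  denied/ {
        perm = ""; st = ""; tt = ""; cls = ""
        # permissions appear as "{ read open }"; strip the braces and spaces
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # contexts are user:role:type:level; the type is what policy keys on
            if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        n = split(perm, perms, " ")
        for (j = 1; j <= n; j++)
            count[st " " tt " " cls " " perms[j]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Count records that were actually refused (permissive=0). During a permissive
# soak this should be zero; anything here happened while enforcing.
count_enforced() {
    grep -c 'permissive=0' || true
}

# On a real Fedora host the post's workflow looks like this (needs root);
# these lines are documentation, not executed by this script:
#   getenforce                                      # Enforcing / Permissive
#   setenforce 0                                    # permissive for the soak period
#   ausearch -m avc -ts today | summarize_avc       # review what would have been blocked
#   ausearch -m avc -ts today | audit2allow -M local    # writes local.te and local.pp
#   cat local.te                                    # read every rule before loading it
#   semodule -i local.pp && setenforce 1
#   semodule -l                                     # the loaded modules, as in the post

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
    printf 'denials while enforcing: %s\n' "$(printf '%s\n' "$SAMPLE_AVC" | count_enforced)"
fi
```

Run with `sh script.sh demo` to see the grouped table for the sample. The point of grouping first is that not every denial should become an allow rule: httpd_t reading user_home_t and connecting to postgresql_port_t are covered by shipped booleans (`setsebool -P httpd_enable_homedirs on`, `setsebool -P httpd_can_network_connect_db on`), and httpd_t reading shadow_t is the kind of denial you want to keep, since a web server has no business opening /etc/shadow. Loading whatever audit2allow emits would silently allow all three.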

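The `firewall-cmd --list-ports` output in post #4 shows the FedoraWorkstation zone opening 1025-65535 on both tcp and udp. As an added example (not the poster's code and not part of the thread), here is a POSIX shell script that finds such wide ranges in `--list-ports` output and removes them from the zone. `FIREWALL_CMD` is a variable assumed by this script so the calls can be previewed with `FIREWALL_CMD=echo`; on a real host it is the normal firewall-cmd binary, and the zone name `FedoraWorkstation` is the one the Workstation image uses by default.

```shell
#!/bin/sh
# Added example, not from the thread: close the wide port ranges that the
# FedoraWorkstation firewalld zone opens by default.
set -eu

# Assumption of this script: override with FIREWALL_CMD=echo for a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# $1: a `firewall-cmd --list-ports` line, e.g. "1025-65535/udp 1025-65535/tcp"
# $2: maximum acceptable range width in ports (default 0: any range is wide)
# Prints each entry whose range is wider than $2, one per line.
wide_ranges() {
    max_width="${2:-0}"
    for entry in $1; do
        spec="${entry%/*}"            # "1025-65535/udp" -> "1025-65535"
        case "$spec" in
            *-*)
                lo="${spec%-*}"; hi="${spec#*-}"
                if [ $((hi - lo + 1)) -gt "$max_width" ]; then
                    printf '%s\n' "$entry"
                fi
                ;;
        esac
    done
}

# $1: zone name, $2: its --list-ports line. Removes every wide range from the
# permanent configuration and reloads so the runtime config matches.
close_wide_ranges() {
    zone="$1"; ports="$2"
    for entry in $(wide_ranges "$ports" 0); do
        "$FIREWALL_CMD" --permanent --zone="$zone" --remove-port="$entry"
    done
    "$FIREWALL_CMD" --reload
}

# Commands worth running first on a real host (not executed here):
#   firewall-cmd --get-default-zone       # FedoraWorkstation on a Workstation install
#   firewall-cmd --get-active-zones       # which interface is in which zone
#   firewall-cmd --list-all               # services, ports and rich rules together
# The blunter alternative is to move the default zone to a closed one:
#   firewall-cmd --set-default-zone=FedoraServer    # or: public

if [ "${1:-}" = "apply" ]; then
    zone=$("$FIREWALL_CMD" --get-default-zone)
    close_wide_ranges "$zone" "$("$FIREWALL_CMD" --zone="$zone" --list-ports)"
fi
```

`FIREWALL_CMD=echo sh script.sh apply` prints the exact commands without touching the firewall; run it as root without the override to apply them. Removing the ranges only matters if something listens on them: services not started (sshd in the post) are unreachable either way, but each package installed later inherits the open range, which is the risk the post points at.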