Red Hat Bugzilla – Attachment 687521 Details for Bug 901704: Replace "Fedora" with "&PRODUCT;"
[patch] Patch to replace *some* of the 'Fedora's with &PRODUCT;
0001-Replaced-Fedora-with-PRODUCT-.-BZ-901704.patch (text/plain), 97.39 KB, created by Eric Christensen on 2013-01-25 15:45:34 UTC
>From 279bdbc4af674444d82cdeb2b0272fa6c4c60e1d Mon Sep 17 00:00:00 2001 >From: Eric H Christensen <sparks@redhat.com> >Date: Fri, 25 Jan 2013 10:44:32 -0500 >Subject: [PATCH] Replaced 'Fedora' with '&PRODUCT;'. BZ 901704 > >--- > en-US/7_Zip.xml | 4 ++-- > en-US/Basic_Hardening.xml | 8 ++------ > en-US/CVE.xml | 4 ++-- > en-US/Encryption.xml | 2 +- > en-US/Exploits.xml | 2 +- > en-US/Firewall.xml | 10 +++++----- > en-US/IP_Tables.xml | 8 ++++---- > en-US/Kerberos.xml | 6 +++--- > en-US/LUKSDiskEncryption.xml | 12 ++++++------ > en-US/Pam.xml | 12 ++++++------ > en-US/Risks.xml | 4 ++-- > en-US/SSO_Overview.xml | 20 ++++++++++---------- > en-US/Secure_Installation.xml | 8 ++++---- > en-US/Security_Introduction.xml | 4 ++-- > en-US/Security_Updates.xml | 14 +++++++------- > en-US/Server.xml | 6 +++--- > en-US/Tcp_Wrappers.xml | 6 +++--- > en-US/Using_GPG.xml | 12 ++++++------ > en-US/VPN.xml | 30 +++++++++++++++--------------- > en-US/Vulnerability_Assessment.xml | 6 +++--- > en-US/Wstation.xml | 30 +++++++++++++++--------------- > en-US/Yubikey.xml | 2 +- > 22 files changed, 103 insertions(+), 107 deletions(-) > >diff --git a/en-US/7_Zip.xml b/en-US/7_Zip.xml >index 630726d..cbc9254 100644 >--- a/en-US/7_Zip.xml >+++ b/en-US/7_Zip.xml 
>@@ -8,9 +8,9 @@ > <ulink url="http://www.7-zip.org/">7-Zip</ulink> is a cross-platform, next generation, file compression tool that can also use strong encryption (AES-256) to protect the contents of the archive. This is extremely useful when you need to move data between multiple computers that use varying operating systems (i.e. Linux at home, Windows at work) and you want a portable encryption solution. > </para> > <section id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation"> >- <title>7-Zip Installation in Fedora</title> >+ <title>7-Zip Installation</title> > <para> >- 7-Zip is not a base package in Fedora, but it is available in the software repository. Once installed, the package will update alongside the rest of the software on the computer with no special attention necessary. >+ 7-Zip is not a base package in &PRODUCT;, but it is available in the software repository. Once installed, the package will update alongside the rest of the software on the computer with no special attention necessary. > </para> > </section> > <section id="sect-Security_Guide-Encryption-7_Zip_Encrypted_Archives-Installation-Instructions"> >diff --git a/en-US/Basic_Hardening.xml b/en-US/Basic_Hardening.xml >index 83eac8d..1cf757d 100644 >--- a/en-US/Basic_Hardening.xml >+++ b/en-US/Basic_Hardening.xml 
>@@ -5,7 +5,7 @@ > <chapter id="chap-Security_Guide-Basic_Hardening"> > <title>Basic Hardening Guide</title> > <para> >- The <ulink url="http://www.nsa.gov">US National Security Agency</ulink> (NSA) has developed two guides for hardening a default installation of Red Hat Enterprise Linux 5. Many of the tips provided in these guides are also valid for installations of Fedora. This Basic Hardening Guide will cover portions of the NSA's Hardening Tips and will explain why implementing these tips are important. This document does not represent the full NSA Hardening Guide. >+ The <ulink url="http://www.nsa.gov">US National Security Agency</ulink> (NSA) has developed two guides for hardening a default installation of Red Hat Enterprise Linux 5. Many of the tips provided in these guides are also valid for installations of &PRODUCT;. This Basic Hardening Guide will cover portions of the NSA's Hardening Tips and will explain why implementing these tips are important. This document does not represent the full NSA Hardening Guide. > </para> > <para> > As with any change to a system these changes could cause unintended results. Changes should be evaluated for appropriateness on your system before implementing. 
>@@ -29,17 +29,13 @@ > <section id="sect-Security_Guide-Basic_Hardening-Physical_Security"> > <title>Physical Security</title> > <para>Physical security of the system is of utmost importance. Many of the suggestions given here won't protect your system if the attacker has physical access to the system.</para> >- <important><para>This section contains information regarding GRUB Legacy and not the current release of GRUB (also known as GRUB2). Fedora 16 does not use GRUB Legacy so many of the commands below will not function in Fedora 16 or later versions.</para></important> >+ <important><para>This section contains information regarding GRUB Legacy and not the current release of GRUB (also known as GRUB2).</para></important> > <para>Configure the BIOS to disable booting from CDs/DVDs, floppies, and external devices, and set a password to protect these settings. Next, set a password for the GRUB bootloader. Generate a password hash using the command <command>/sbin/grub-md5-crypt</command>. Add the hash to the first line of <command>/etc/grub.conf</command> using <command>password --md5 'passwordhash'</command>. This prevents users from entering single user mode or changing settings at boot time.</para> > </section> > <section id="sect-Security_Guide-Basic_Hardening-Physical_Security-Why_is_this_important"> > <title>Why this is important</title> > <para>An attacker could take complete control of your system by booting from an external source. By booting from an external source (e.g. a live Linux CD) many of the security settings are bypassed. If the attacker can modify the GRUB settings they can boot into single user mode which allows admin access to the system.</para> > </section> >- <section id="sect-Security_Guide-Basic_Hardening-Physical_Security-What_else_can_I_do"> >- <title>What else can I do?</title> >- <para>Ever since Fedora 9, LUKS encryption has been natively supported to protect data stored in a LUKS encrypted partition. 
When you install Fedora 9, check the box to encrypt your file system when you setup your file system. By encrypting your root partition and your <filename>/home</filename> partition (or the single / partition if you accept the default file system) attackers using an external source or booting into single user mode. Of course you use a strong passphrase to protect your data.</para> >- </section> > <section id="sect-Security_Guide-Basic_Hardening-Networking"> > <title>Networking</title> > <para>The computer's network connection is the gateway to your system. Your files and processor time could be available to anyone who successfully connects to your system via this network connection if other safeguards have not been implemented. One of the primary ways to keep you in control of your system is to prevent the attackers from gaining access to your system in the first place.</para> >diff --git a/en-US/CVE.xml b/en-US/CVE.xml >index e962f5d..84b40c5 100644 >--- a/en-US/CVE.xml >+++ b/en-US/CVE.xml 
>@@ -13,7 +13,7 @@ > <section id="sect-Security_Guide-CVE-yum_plugin"> > <title>YUM Plugin</title> > <para> >- The <package>yum-plugin-security</package> package is a feature of Fedora. If installed, the yum module provided by this package can be used to limit yum to retrieve only security-related updates. It can also be used to provide information about which Red Hat advisory, which bug in Red Hatâs Bugzilla database, or which CVE number from MITREâs Common Vulnerabilities and Exposures directory is addressed by a package update. >+ The <package>yum-plugin-security</package> package is a feature of &PRODUCT;. If installed, the yum module provided by this package can be used to limit yum to retrieve only security-related updates. It can also be used to provide information about which Red Hat advisory, which bug in Red Hatâs Bugzilla database, or which CVE number from MITREâs Common Vulnerabilities and Exposures directory is addressed by a package update. > </para> > <para> > Enabling these features is as simple as running the <command>yum install yum-plugin-security</command> command. >@@ -89,7 +89,7 @@ To apply all updates related to the CVE ID CVE-2007-5707 and updates related to > More information about these new capabilities is documented in the <package>yum-plugin-security</package>(8) man page. > </para> > <para> >-For more information on Fedora security updates, please visit the Fedora Security page at <ulink url="https://fedoraproject.org/wiki/Security">https://fedoraproject.org/wiki/Security</ulink>. >+For more information on security updates, please visit the Fedora Security page at <ulink url="https://fedoraproject.org/wiki/Security">https://fedoraproject.org/wiki/Security</ulink>. > </para> > </section> > </chapter> >diff --git a/en-US/Encryption.xml b/en-US/Encryption.xml >index be5c2f4..cb8fa28 100644 >--- a/en-US/Encryption.xml >+++ b/en-US/Encryption.xml 
>@@ -18,7 +18,7 @@ > Full disk or partition encryption is one of the best ways of protecting your data. Not only is each file protected but also the temporary storage that may contain parts of these files is also protected. Full disk encryption will protect all of your files so you don't have to worry about selecting what you want to protect and possibly missing a file. > </para> > <para> >- Fedora 9, and later, natively supports LUKS Encryption. LUKS will bulk encrypt your hard drive partitions so that while your computer is off your data is protected. This will also protect your computer from attackers attempting to use single-user-mode to login to your computer or otherwise gain access. >+ &PRODUCT; natively supports LUKS Encryption. LUKS will bulk encrypt your hard drive partitions so that while your computer is off your data is protected. This will also protect your computer from attackers attempting to use single-user-mode to login to your computer or otherwise gain access. > </para> > <para> > Full disk encryption solutions like LUKS only protect the data when your computer is off. Once the computer is on and LUKS has decrypted the disk, the files on that disk are available to anyone who would normally have access to them. To protect your files when the computer is on, use full disk encryption in combination with another solution such as file based encryption. Also remember to lock your computer whenever you are away from it. A passphrase protected screen saver set to activate after a few minutes of inactivity is a good way to keep intruders out. >diff --git a/en-US/Exploits.xml b/en-US/Exploits.xml >index 7cd1d31..8c31fb6 100644 >--- a/en-US/Exploits.xml >+++ b/en-US/Exploits.xml 
>@@ -32,7 +32,7 @@ > Null or Default Passwords > </entry> > <entry> >- Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and firewalls, though some services that run on Linux can contain default administrator passwords (though Fedora 12 does not ship with them). >+ Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and firewalls, though some services that run on Linux can contain default administrator passwords. > </entry> > <entry> > <simplelist> >diff --git a/en-US/Firewall.xml b/en-US/Firewall.xml >index dd866fb..64c4d59 100644 >--- a/en-US/Firewall.xml >+++ b/en-US/Firewall.xml 
>@@ -5,7 +5,7 @@ > <section id="sect-Security_Guide-Firewalls"> > <title>Firewalls</title> > <para> >- Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Fedora includes several tools to assist administrators and security engineers with network-level access control issues. >+ Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. &PRODUCT; includes several tools to assist administrators and security engineers with network-level access control issues. > </para> > <para> > Firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint, McAfee, and Symantec have also developed proprietary software firewall solutions for home and business markets. 
>@@ -130,12 +130,12 @@ > Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent malicious software from spreading to your computer. It also helps to prevent unauthorized users from accessing your computer. > </para> > <para> >- In a default Fedora installation, a firewall exists between your computer or network and any untrusted networks, for example the Internet. It determines which services on your computer remote users can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Fedora system with an Internet connection. >+ In a default &PRODUCT; installation, a firewall exists between your computer or network and any untrusted networks, for example the Internet. It determines which services on your computer remote users can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any &PRODUCT; system with an Internet connection. > </para> > <section id="sect-Security_Guide-Basic_Firewall_Configuration-RHSECLEVELTOOL"> > <title><application>Firewall Administration Tool</application></title> > <para> >- During the <guilabel>Firewall Configuration</guilabel> screen of the Fedora installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports. >+ During the <guilabel>Firewall Configuration</guilabel> screen of the &PRODUCT; installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports. > </para> > <para> > After installation, you can change this preference by using the <application>Firewall Administration Tool</application>. 
>@@ -457,7 +457,7 @@ > <note> > <title>Note</title> > <para> >- By default, the IPv4 policy in Fedora kernels disables support for IP forwarding. This prevents machines that run Fedora from functioning as dedicated edge routers. To enable IP forwarding, use the following command: >+ By default, the IPv4 policy in &PRODUCT; kernels disables support for IP forwarding. This prevents machines that run &PRODUCT; from functioning as dedicated edge routers. To enable IP forwarding, use the following command: > </para> > <screen>[root@myServer ~ ] # sysctl -w net.ipv4.ip_forward=1</screen> > <para> >@@ -618,7 +618,7 @@ > The introduction of the next-generation Internet Protocol, called IPv6, expands beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses, and carrier networks that are IPv6 aware are therefore able to address a larger number of routable addresses than IPv4. > </para> > <para> >- Fedora supports IPv6 firewall rules using the Netfilter 6 subsystem and the <command>ip6tables</command> command. In Fedora 12, both IPv4 and IPv6 services are enabled by default. >+ &PRODUCT; supports IPv6 firewall rules using the Netfilter 6 subsystem and the <command>ip6tables</command> command. > </para> > <para> > The <command>ip6tables</command> command syntax is identical to <command>iptables</command> in every aspect except that it supports 128-bit addresses. For example, use the following command to enable SSH connections on an IPv6-aware network server: >diff --git a/en-US/IP_Tables.xml b/en-US/IP_Tables.xml >index 7feddd8..cadbeb8 100644 >--- a/en-US/IP_Tables.xml >+++ b/en-US/IP_Tables.xml 
>@@ -5,7 +5,7 @@ > <section id="sect-Security_Guide-IPTables"> > <title>IPTables</title> > <para> >- Included with Fedora are advanced tools for network <firstterm>packet filtering</firstterm> — the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Kernel versions prior to 2.4 relied on <command>ipchains</command> for packet filtering and used lists of rules applied to packets at each step of the filtering process. The 2.4 kernel introduced <command>iptables</command> (also called <firstterm>netfilter</firstterm>), which is similar to <command>ipchains</command> but greatly expands the scope and control available for filtering network packets. >+ Included with &PRODUCT; are advanced tools for network <firstterm>packet filtering</firstterm> — the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Kernel versions prior to 2.4 relied on <command>ipchains</command> for packet filtering and used lists of rules applied to packets at each step of the filtering process. The 2.4 kernel introduced <command>iptables</command> (also called <firstterm>netfilter</firstterm>), which is similar to <command>ipchains</command> but greatly expands the scope and control available for filtering network packets. > </para> > <para> > This chapter focuses on packet filtering basics, explains various options available with <command>iptables</command> commands, and explains how filtering rules can be preserved between system reboots. 
>@@ -374,7 +374,7 @@ > The standard targets are <option>ACCEPT</option>, <option>DROP</option>, <option>QUEUE</option>, and <option>RETURN</option>. > </para> > <para> >- Extended options are also available through modules loaded by default with the Fedora <command>iptables</command> RPM package. Valid targets in these modules include <option>LOG</option>, <option>MARK</option>, and <option>REJECT</option>, among others. Refer to the <command>iptables</command> man page for more information about these and other targets. >+ Extended options are also available through modules loaded by default with the &PRODUCT; <command>iptables</command> RPM package. Valid targets in these modules include <option>LOG</option>, <option>MARK</option>, and <option>REJECT</option>, among others. Refer to the <command>iptables</command> man page for more information about these and other targets. > </para> > <para> > This option can also be used to direct a packet matching a particular rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet. >@@ -727,7 +727,7 @@ > In addition, extensions are available which allow other targets to be specified. These extensions are called target modules or match option modules and most only apply to specific tables and situations. Refer to <xref linkend="sect-Security_Guide-IPTables_Match_Options-Additional_Match_Option_Modules" /> for more information about match option modules. > </para> > <para> >- Many extended target modules exist, most of which only apply to specific tables or situations. Some of the most popular target modules included by default in Fedora are: >+ Many extended target modules exist, most of which only apply to specific tables or situations. Some of the most popular target modules included by default in &PRODUCT; are: > </para> > <itemizedlist> > <listitem> 
>@@ -857,7 +857,7 @@ > <section id="sect-Security_Guide-IPTables-IPTables_Control_Scripts"> > <title>IPTables Control Scripts</title> > <para> >- There are two basic methods for controlling <command>iptables</command> in Fedora: >+ There are two basic methods for controlling <command>iptables</command>: > </para> > <itemizedlist> > <listitem> >diff --git a/en-US/Kerberos.xml b/en-US/Kerberos.xml >index 529453b..6ff2845 100644 >--- a/en-US/Kerberos.xml >+++ b/en-US/Kerberos.xml >@@ -54,7 +54,7 @@ > </listitem> > <listitem> > <para> >- Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system used by most Fedora servers. Refer to <xref linkend="sect-Security_Guide-Kerberos-Kerberos_and_PAM" /> for more information about this issue. >+ Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system used by most &PRODUCT; servers. Refer to <xref linkend="sect-Security_Guide-Kerberos-Kerberos_and_PAM" /> for more information about this issue. > </para> > </listitem> > <listitem> 
>@@ -328,7 +328,7 @@ > Ensure that time synchronization and DNS are functioning correctly on all client and server machines before configuring Kerberos. Pay particular attention to time synchronization between the Kerberos server and its clients. If the time difference between the server and client is greater than five minutes (this is configurable in Kerberos 5), Kerberos clients can not authenticate to the server. This time synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user. > </para> > <para> >- It is advisable to set up a Network Time Protocol (NTP) compatible client/server network even if Kerberos is not being used. Fedora includes the <filename>ntp</filename> package for this purpose. Refer to <filename>/usr/share/doc/ntp-<replaceable><version-number></replaceable>/index.html</filename> (where <replaceable><version-number></replaceable> is the version number of the <filename>ntp</filename> package installed on your system) for details about how to set up Network Time Protocol servers, and <ulink url="http://www.ntp.org">http://www.ntp.org</ulink> for more information about NTP. >+ It is advisable to set up a Network Time Protocol (NTP) compatible client/server network even if Kerberos is not being used. &PRODUCT; includes the <filename>ntp</filename> package for this purpose. Refer to <filename>/usr/share/doc/ntp-<replaceable>version-number</replaceable>/index.html</filename> (where <replaceable>version-number</replaceable> is the version number of the <filename>ntp</filename> package installed on your system) for details about how to set up Network Time Protocol servers, and <ulink url="http://www.ntp.org">http://www.ntp.org</ulink> for more information about NTP. > </para> > </step> > <step> 
>@@ -462,7 +462,7 @@ > IMAP — To use a kerberized IMAP server, the <filename>cyrus-imap</filename> package uses Kerberos 5 if it also has the <filename>cyrus-sasl-gssapi</filename> package installed. The <filename>cyrus-sasl-gssapi</filename> package contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP should function properly with Kerberos as long as the <command>cyrus</command> user is able to find the proper key in <filename>/etc/krb5.keytab</filename>, and the root for the principal is set to <command>imap</command> (created with <command>kadmin</command>). > </para> > <para> >- An alternative to <filename>cyrus-imap</filename> can be found in the <command>dovecot</command> package, which is also included in Fedora. This package contains an IMAP server but does not, to date, support GSS-API and Kerberos. >+ An alternative to <filename>cyrus-imap</filename> can be found in the <command>dovecot</command> package, which is also included in &PRODUCT;. This package contains an IMAP server but does not, to date, support GSS-API and Kerberos. > </para> > </listitem> > <listitem> >diff --git a/en-US/LUKSDiskEncryption.xml b/en-US/LUKSDiskEncryption.xml >index f604bfe..250314b 100644 >--- a/en-US/LUKSDiskEncryption.xml >+++ b/en-US/LUKSDiskEncryption.xml 
>@@ -7,13 +7,13 @@ > <para> > Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the partition. > </para> >- <section id="sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation_in_Fedora"> >- <title>LUKS Implementation in Fedora</title> >+ <section id="sect-Security_Guide-LUKS_Disk_Encryption-LUKS_Implementation"> >+ <title>LUKS Implementation in &PRODUCT;</title> > <para> >- Fedora 9, and later, utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is unchecked during the installation. If you select the option to encrypt you hard drive, you will be prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition. If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings >+ &PRODUCT; utilizes LUKS to perform file system encryption. By default, the option to encrypt the file system is unchecked during the installation. If you select the option to encrypt you hard drive, you will be prompted for a passphrase that will be asked every time you boot the computer. This passphrase "unlocks" the bulk encryption key that is used to decrypt your partition. If you choose to modify the default partition table you can choose which partitions you want to encrypt. This is set in the partition table settings > </para> > <para> >- Fedora's default implementation of LUKS is AES 128 with a SHA256 hashing. Ciphers that are available are: >+ &PRODUCT;'s default implementation of LUKS is AES 128 with a SHA256 hashing. Ciphers that are available are: > </para> > <itemizedlist> > <listitem> 
>@@ -58,7 +58,7 @@ > </para> > </note> > <para> >- If you are running a version of Fedora prior to Fedora 9 and want to encrypt a partition, or you want to encrypt a partition after the installation of the current version of Fedora, the following directions are for you. The below example demonstrates encrypting your /home partition but any partition can be used. >+ If you want to manually encrypt a partition the following directions are for you. The below example demonstrates encrypting your /home partition but any partition can be used. > </para> > <para> > The following procedure will wipe all your existing data, so be sure to have a tested backup before you start. This also requires you to have a separate partition for /home (in my case that is /dev/VG00/LV_home). All the following must be done as root. Any of these steps failing means you must not continue until the step succeeded. >@@ -168,7 +168,7 @@ > <section id="sect-Security_Guide-LUKS_Disk_Encryption-Links_of_Interest"> > <title>Links of Interest</title> > <para> >- For additional information on LUKS or encrypting hard drives under Fedora please visit one of the following links: >+ For additional information on LUKS or encrypting hard drives please visit one of the following links: > </para> > <itemizedlist> > <listitem> >diff --git a/en-US/Pam.xml b/en-US/Pam.xml >index e034c8b..e69da6f 100644 >--- a/en-US/Pam.xml >+++ b/en-US/Pam.xml 
>@@ -8,7 +8,7 @@ > Programs that grant users access to a system use <firstterm>authentication</firstterm> to verify each other's identity (that is, to establish that a user is who they say they are). > </para> > <para> >- Historically, each program had its own way of authenticating users. In Fedora, many programs are configured to use a centralized authentication mechanism called <firstterm>Pluggable Authentication Modules</firstterm> (<acronym>PAM</acronym>). >+ Historically, each program had its own way of authenticating users. In &PRODUCT;, many programs are configured to use a centralized authentication mechanism called <firstterm>Pluggable Authentication Modules</firstterm> (<acronym>PAM</acronym>). > </para> > <para> > PAM uses a pluggable, modular architecture, which affords the system administrator a great deal of flexibility in setting authentication policies for the system. 
>@@ -338,7 +338,7 @@ session required pam_unix.so</screen> > <section id="sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Administrative_Credential_Caching"> > <title>PAM and Administrative Credential Caching</title> > <para> >- A number of graphical administrative tools in Fedora provide users with elevated privileges for up to five minutes using the <filename>pam_timestamp.so</filename> module. It is important to understand how this mechanism works, because a user who walks away from a terminal while <filename>pam_timestamp.so</filename> is in effect leaves the machine open to manipulation by anyone with physical access to the console. >+ A number of graphical administrative tools in &PRODUCT; provide users with elevated privileges for up to five minutes using the <filename>pam_timestamp.so</filename> module. It is important to understand how this mechanism works, because a user who walks away from a terminal while <filename>pam_timestamp.so</filename> is in effect leaves the machine open to manipulation by anyone with physical access to the console. > </para> > <para> > In the PAM timestamp scheme, the graphical administrative application prompts the user for the root password when it is launched. When the user has been authenticated, the <filename>pam_timestamp.so</filename> module creates a timestamp file. By default, this is created in the <filename>/var/run/sudo/</filename> directory. If the timestamp file already exists, graphical administrative programs do not prompt for a password. Instead, the <filename>pam_timestamp.so</filename> module freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user. 
>@@ -441,12 +441,12 @@ session required pam_unix.so</screen> > <section id="sect-Security_Guide-Pluggable_Authentication_Modules_PAM-PAM_and_Device_Ownership"> > <title>PAM and Device Ownership</title> > <para> >- In Fedora, the first user who logs in at the physical console of the machine can manipulate certain devices and perform certain tasks normally reserved for the root user. This is controlled by a PAM module called <filename>pam_console.so</filename>. >+ In &PRODUCT;, the first user who logs in at the physical console of the machine can manipulate certain devices and perform certain tasks normally reserved for the root user. This is controlled by a PAM module called <filename>pam_console.so</filename>. > </para> > <section id="sect-Security_Guide-PAM_and_Device_Ownership-Device_Ownership"> > <title>Device Ownership</title> > <para> >- When a user logs in to a Fedora system, the <filename>pam_console.so</filename> module is called by <command>login</command> or the graphical login programs, <application>gdm</application>, <application>kdm</application>, and <application>xdm</application>. If this user is the first user to log in at the physical console — referred to as the <firstterm>console user</firstterm> — the module grants the user ownership of a variety of devices normally owned by root. The console user owns these devices until the last local session for that user ends. After this user has logged out, ownership of the devices reverts back to the root user. >+ When a user logs in to a &PRODUCT; system, the <filename>pam_console.so</filename> module is called by <command>login</command> or the graphical login programs, <application>gdm</application>, <application>kdm</application>, and <application>xdm</application>. If this user is the first user to log in at the physical console — referred to as the <firstterm>console user</firstterm> — the module grants the user ownership of a variety of devices normally owned by root. 
The console user owns these devices until the last local session for that user ends. After this user has logged out, ownership of the devices reverts back to the root user. > </para> > <para> > The devices affected include, but are not limited to, sound cards, diskette drives, and CD-ROM drives. >@@ -552,7 +552,7 @@ session required pam_unix.so</screen> > <command>pam</command> — Good introductory information on PAM, including the structure and purpose of the PAM configuration files. > </para> > <para> >- Note that this man page discusses both <filename>/etc/pam.conf</filename> and individual configuration files in the <filename>/etc/pam.d/</filename> directory. By default, Fedora uses the individual configuration files in the <filename>/etc/pam.d/</filename> directory, ignoring <filename>/etc/pam.conf</filename> even if it exists. >+ Note that this man page discusses both <filename>/etc/pam.conf</filename> and individual configuration files in the <filename>/etc/pam.d/</filename> directory. By default, &PRODUCT; uses the individual configuration files in the <filename>/etc/pam.d/</filename> directory, ignoring <filename>/etc/pam.conf</filename> even if it exists. > </para> > </listitem> > <listitem> >@@ -603,7 +603,7 @@ session required pam_unix.so</screen> > <note> > <title>Note</title> > <para> >- The documentation in the above website is for the last released upstream version of PAM and might not be 100% accurate for the PAM version included in Fedora. >+ The documentation in the above website is for the last released upstream version of PAM and might not be 100% accurate for the PAM version included in &PRODUCT;. > </para> > </note> > </listitem> >diff --git a/en-US/Risks.xml b/en-US/Risks.xml >index 0b15397..50d0403 100644 >--- a/en-US/Risks.xml >+++ b/en-US/Risks.xml 
>@@ -78,7 +78,7 @@ > <section id="sect-Security_Guide-Threats_to_Server_Security-Unused_Services_and_Open_Ports"> > <title>Unused Services and Open Ports</title> > <para> >- A full installation of Fedora contains 1000+ application and library packages. However, most server administrators do not opt to install every single package in the distribution, preferring instead to install a base installation of packages, including several server applications. >+ A full installation of &PRODUCT; contains 1000+ application and library packages. However, most server administrators do not opt to install every single package in the distribution, preferring instead to install a base installation of packages, including several server applications. > </para> > <para> > A common occurrence among system administrators is to install the operating system without paying attention to what programs are actually being installed. This can be problematic because unneeded services may be installed, configured with the default settings, and possibly turned on. This can cause unwanted services, such as Telnet, DHCP, or DNS, to run on a server or workstation without the administrator realizing it, which in turn can cause unwanted traffic to the server, or even, a potential pathway into the system for crackers. Refer To <xref linkend="sect-Security_Guide-Server_Security" /> for information on closing ports and disabling unused services. 
>@@ -130,7 +130,7 @@ > Another category of insecure services include network file systems and information services such as NFS or NIS, which are developed explicitly for LAN usage but are, unfortunately, extended to include WANs (for remote users). NFS does not, by default, have any authentication or security mechanisms configured to prevent a cracker from mounting the NFS share and accessing anything contained therein. NIS, as well, has vital information that must be known by every computer on a network, including passwords and file permissions, within a plain text ASCII or DBM (ASCII-derived) database. A cracker who gains access to this database can then access every user account on a network, including the administrator's account. > </para> > <para> >- By default, Fedora is released with all such services turned off. However, since administrators often find themselves forced to use these services, careful configuration is critical. Refer to <xref linkend="sect-Security_Guide-Server_Security" /> for more information about setting up services in a safe manner. >+ By default, &PRODUCT; is released with all such services turned off. However, since administrators often find themselves forced to use these services, careful configuration is critical. Refer to <xref linkend="sect-Security_Guide-Server_Security" /> for more information about setting up services in a safe manner. > </para> > </section> > >diff --git a/en-US/SSO_Overview.xml b/en-US/SSO_Overview.xml >index 080dde3..18c3b79 100644 >--- a/en-US/SSO_Overview.xml >+++ b/en-US/SSO_Overview.xml 
>@@ -7,7 +7,7 @@ > <section id="sect-Security_Guide-Single_Sign_on_SSO-Introduction"> > <title>Introduction</title> > <para> >- The Fedora SSO functionality reduces the number of times Fedora desktop users have to enter their passwords. Several major applications leverage the same underlying authentication and authorization mechanisms so that users can log in to Fedora from the log-in screen, and then not need to re-enter their passwords. These applications are detailed below. >+ The &PRODUCT; SSO functionality reduces the number of times &PRODUCT; desktop users have to enter their passwords. Several major applications leverage the same underlying authentication and authorization mechanisms so that users can log in to &PRODUCT; from the log-in screen, and then not need to re-enter their passwords. These applications are detailed below. > </para> > <para> > In addition, users can log in to their machines even when there is no network (<firstterm>offline mode</firstterm>) or where network connectivity is unreliable, for example, wireless access. In the latter case, services will degrade gracefully. >@@ -15,7 +15,7 @@ > <section id="sect-Security_Guide-Introduction-Supported_Applications"> > <title>Supported Applications</title> > <para> >- The following applications are currently supported by the unified log-in scheme in Fedora: >+ The following applications are currently supported by the unified log-in scheme in &PRODUCT;: > </para> > <itemizedlist> > <listitem> >@@ -39,7 +39,7 @@ > <section id="sect-Security_Guide-Introduction-Supported_Authentication_Mechanisms"> > <title>Supported Authentication Mechanisms</title> > <para> >- Fedora currently supports the following authentication mechanisms: >+ &PRODUCT; currently supports the following authentication mechanisms: > </para> > <itemizedlist> > <listitem> 
>@@ -58,23 +58,23 @@ > <section id="sect-Security_Guide-Introduction-Supported_Smart_Cards"> > <title>Supported Smart Cards</title> > <para> >- Fedora has been tested with the Cyberflex e-gate card and reader, but any card that complies with both Java card 2.1.1 and Global Platform 2.0.1 specifications should operate correctly, as should any reader that is supported by PCSC-lite. >+ &PRODUCT; has been tested with the Cyberflex e-gate card and reader, but any card that complies with both Java card 2.1.1 and Global Platform 2.0.1 specifications should operate correctly, as should any reader that is supported by PCSC-lite. > </para> > <para> >- Fedora has also been tested with Common Access Cards (CAC). The supported reader for CAC is the SCM SCR 331 USB Reader. >+ &PRODUCT; has also been tested with Common Access Cards (CAC). The supported reader for CAC is the SCM SCR 331 USB Reader. > </para> > <para> >- As of Fedora 5.2, Gemalto smart cards (Cyberflex Access 64k v2, standard with DER SHA1 value configured as in PKCSI v2.1) are now supported. These smart cards now use readers compliant with Chip/Smart Card Interface Devices (CCID). >+ Gemalto smart cards (Cyberflex Access 64k v2, standard with DER SHA1 value configured as in PKCSI v2.1) are now supported. These smart cards now use readers compliant with Chip/Smart Card Interface Devices (CCID). > </para> > </section> > > <section id="sect-Security_Guide-Introduction-Advantages_of_PROD_Single_Sign_on"> >- <title>Advantages of Fedora Single Sign-on</title> >+ <title>Advantages of &PRODUCT; Single Sign-on</title> > <para> >- Numerous security mechanisms currently exist that utilize a large number of protocols and credential stores. Examples include SSL, SSH, IPsec, and Kerberos. Fedora SSO aims to unify these schemes to support the requirements listed above. 
This does not mean replacing Kerberos with X.509v3 certificates, but rather uniting them to reduce the burden on both system users and the administrators who manage them. >+ Numerous security mechanisms currently exist that utilize a large number of protocols and credential stores. Examples include SSL, SSH, IPsec, and Kerberos. &PRODUCT; SSO aims to unify these schemes to support the requirements listed above. This does not mean replacing Kerberos with X.509v3 certificates, but rather uniting them to reduce the burden on both system users and the administrators who manage them. > </para> > <para> >- To achieve this goal, Fedora: >+ To achieve this goal, &PRODUCT;: > </para> > <itemizedlist> > <listitem> >@@ -84,7 +84,7 @@ > </listitem> > <listitem> > <para> >- Ships the Certificate System's Enterprise Security Client (ESC) with the base operating system. The ESC application monitors smart card insertion events. If it detects that the user has inserted a smart card that was designed to be used with the Fedora Certificate System server product, it displays a user interface instructing the user how to enroll that smart card. >+ Ships the Certificate System's Enterprise Security Client (ESC) with the base operating system. The ESC application monitors smart card insertion events. If it detects that the user has inserted a smart card that was designed to be used with the Certificate System server product, it displays a user interface instructing the user how to enroll that smart card. > </para> > </listitem> > <listitem> >diff --git a/en-US/Secure_Installation.xml b/en-US/Secure_Installation.xml >index 052c1c1..4fda000 100644 >--- a/en-US/Secure_Installation.xml >+++ b/en-US/Secure_Installation.xml 
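Review bot: In SSO_Overview.xml, the @@ -58,23 and @@ -84,7 hunks delete the name instead of substituting the entity, which the subject line "Replaced 'Fedora' with '&PRODUCT;'" does not cover. "As of Fedora 5.2, Gemalto smart cards" becomes "Gemalto smart cards", and "the Fedora Certificate System server product" becomes "the Certificate System server product". Please mention these removals in the commit message so they are not mistaken for a missed substitution. With the version reference gone, "are now supported" and "These smart cards now use readers" no longer have a point in time to refer to, so both instances of "now" should go as well.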
>@@ -5,7 +5,7 @@ > <chapter id="chap-Security_Guide-Secure_Installation"> > <title>Secure Installation</title> > <para> >- Security begins with the first time you put that CD or DVD into your disk drive to install Fedora. Configuring your system securely from the beginning makes it easier to implement additional security settings later. >+ Security begins with the first time you put that CD or DVD into your disk drive to install &PRODUCT;. Configuring your system securely from the beginning makes it easier to implement additional security settings later. > </para> > <section id="sect-Security_Guide-Secure_Installation-Disk_Partitions"> > <title>Disk Partitions</title> 
>@@ -13,10 +13,10 @@ > The NSA recommends creating separate partitions for /boot, /, /home, /tmp, and /var/tmp. The reasons for each are different and we will address each partition. > </para> > <para> >- /boot - This partition is the first partition that is read by the system during boot up. The boot loader and kernel images that are used to boot your system into Fedora are stored in this partition. This partition should not be encrypted. If this partition is included in / and that partition is encrypted or otherwise becomes unavailable then your system will not be able to boot. >+ /boot - This partition is the first partition that is read by the system during boot up. The boot loader and kernel images that are used to boot your system into &PRODUCT; are stored in this partition. This partition should not be encrypted. If this partition is included in / and that partition is encrypted or otherwise becomes unavailable then your system will not be able to boot. > </para> > <para> >- /home - When user data (/home) is stored in / instead of in a separate partition, the partition can fill up causing the operating system to become unstable. Also, when upgrading your system to the next version of Fedora it is a lot easier when you can keep your data in the /home partition as it will not be overwritten during installation. If the root partition (/) becomes corrupt your data could be lost forever. By using a separate partition there is slightly more protection against data loss. You can also target this partition for frequent backups. >+ /home - When user data (/home) is stored in / instead of in a separate partition, the partition can fill up causing the operating system to become unstable. Also, when upgrading your system to the next version of &PRODUCT; it is a lot easier when you can keep your data in the /home partition as it will not be overwritten during installation. If the root partition (/) becomes corrupt your data could be lost forever. 
By using a separate partition there is slightly more protection against data loss. You can also target this partition for frequent backups. > </para> > <para> > /tmp and /var/tmp - Both the /tmp and the /var/tmp directories are used to store data that doesn't need to be stored for a long period of time. However if a lot of data floods one of these directories it can consume all of your storage space. If this happens and these directories are stored within / then your system could become unstable and crash. For this reason, moving these directories into their own partitions is a good idea. >@@ -25,7 +25,7 @@ > <section id="sect-Security_Guide-Secure_Installation-Utilize_LUKS_Partition_Encryption"> > <title>Utilize LUKS Partition Encryption</title> > <para> >- Since Fedora 9, implementation of <ulink url="http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncryption">Linux Unified Key Setup-on-disk-format</ulink>(LUKS) encryption has become a lot easier. During the installation process an option to encrypt your partitions will be presented to the user. The user must supply a passphrase that will be the key to unlock the bulk encryption key that will be used to secure the partition's data. >+ The implementation of <ulink url="http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncryption">Linux Unified Key Setup-on-disk-format</ulink>(LUKS) encryption has become a lot easier in recent years. During the installation process an option to encrypt your partitions will be presented to the user. The user must supply a passphrase that will be the key to unlock the bulk encryption key that will be used to secure the partition's data. > </para> > </section> > >diff --git a/en-US/Security_Introduction.xml b/en-US/Security_Introduction.xml >index de831ae..87945d8 100644 >--- a/en-US/Security_Introduction.xml >+++ b/en-US/Security_Introduction.xml 
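Review bot: In Secure_Installation.xml, the LUKS paragraph (@@ -25,7) replaces "Since Fedora 9" with "in recent years" but leaves the ulink pointing at http://fedoraproject.org/wiki/Security_Guide/9/LUKSDiskEncryption, so the text is product-neutral while the link is still specific to Fedora and to release 9. "In recent years" also goes stale as the guide ages. Suggest dropping the time reference and starting at "During the installation process an option to encrypt your partitions will be presented to the user", and pointing the link at this guide's own LUKS chapter (en-US/LUKSDiskEncryption.xml is touched by this same patch) rather than the versioned wiki page.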
>@@ -130,7 +130,7 @@ > <section id="sect-Security_Guide-Introduction_to_Security-SELinux"> > <title>SELinux</title> > <para> >-Fedora includes an enhancement to the Linux kernel called SELinux, which implements a Mandatory Access Control (MAC) architecture that provides a fine-grained level of control over files, processes, users and applications in the system. Detailed discussion of SELinux is beyond the scope of this document; however, for more information on SELinux and its use in Fedora, refer to the Fedora SELinux User Guide available at <ulink url="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</ulink>. For more information on configuring and running services in Fedora that are protected by SELinux, refer to the SELinux Managing Confined Services Guide available at <ulink url="http://docs.fedoraproject.org">http://docs.fedoraproject.org/</ulink>. >+&PRODUCT; includes an enhancement to the Linux kernel called SELinux, which implements a Mandatory Access Control (MAC) architecture that provides a fine-grained level of control over files, processes, users and applications in the system. Detailed discussion of SELinux is beyond the scope of this document; however, for more information on SELinux and its use in &PRODUCT;, refer to the &PRODUCT; SELinux User Guide available at <ulink url="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</ulink>. For more information on configuring and running services in &PRODUCT; that are protected by SELinux, refer to the SELinux Managing Confined Services Guide available at <ulink url="http://docs.fedoraproject.org">http://docs.fedoraproject.org/</ulink>. > > Other available resources for SELinux are listed in <xref linkend="chap-Security_Guide-References" />. > </para> 
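Review bot: The added line names the "&PRODUCT; SELinux User Guide" but both ulink elements still hard-code docs.fedoraproject.org, so if the entity is ever set to anything other than Fedora the guide title and its link disagree. Either keep the literal title of the guide being linked ("Fedora SELinux User Guide"), since it is the name of a specific document, or move the documentation URL into an entity alongside &PRODUCT;. While this line is being touched, the second ulink has url="http://docs.fedoraproject.org" without the trailing slash that its link text shows; make the two match.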
>@@ -266,7 +266,7 @@ Other available resources for SELinux are listed in <xref linkend="chap-Security > <section id="sect-Security_Guide-Introduction_to_Security-Conclusion"> > <title>Conclusion</title> > <para> >- Now that you have learned about the origins, reasons, and aspects of security, you will find it easier to determine the appropriate course of action with regard to Fedora. It is important to know what factors and conditions make up security in order to plan and implement a proper strategy. With this information in mind, the process can be formalized and the path becomes clearer as you delve deeper into the specifics of the security process. >+ Now that you have learned about the origins, reasons, and aspects of security, you will find it easier to determine the appropriate course of action with regard to &PRODUCT;. It is important to know what factors and conditions make up security in order to plan and implement a proper strategy. With this information in mind, the process can be formalized and the path becomes clearer as you delve deeper into the specifics of the security process. > </para> > </section> > >diff --git a/en-US/Security_Updates.xml b/en-US/Security_Updates.xml >index 2fcd499..410cebb 100644 >--- a/en-US/Security_Updates.xml >+++ b/en-US/Security_Updates.xml 
>@@ -5,7 +5,7 @@ > <section id="sect-Security_Guide-Security_Updates"> > <title>Security Updates</title> > <para> >- As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is part of a package within a Fedora distribution that is currently supported, Fedora is committed to releasing updated packages that fix the vulnerability as soon as is possible. Often, announcements about a given security exploit are accompanied with a patch (or source code that fixes the problem). This patch is then applied to the Fedora package and tested and released as an errata update. However, if an announcement does not include a patch, a developer first works with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an errata update. >+ As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is part of a package within a &PRODUCT; distribution that is currently supported, &PRODUCT; is committed to releasing updated packages that fix the vulnerability as soon as is possible. Often, announcements about a given security exploit are accompanied with a patch (or source code that fixes the problem). This patch is then applied to the &PRODUCT; package and tested and released as an errata update. However, if an announcement does not include a patch, a developer first works with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an errata update. > </para> > <para> > If an errata update is released for software used on your system, it is highly recommended that you update the affected packages as soon as possible to minimize the amount of time the system is potentially vulnerable. 
>@@ -13,12 +13,12 @@ > <section id="sect-Security_Guide-Security_Updates-Updating_Packages"> > <title>Updating Packages</title> > <para> >- When updating software on a system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem but with a different security exploit and release it on the Internet. If this happens, using security measures such as verifying files against the original RPM does not detect the exploit. Thus, it is very important to only download RPMs from trusted sources, such as from Fedora and to check the signature of the package to verify its integrity. >+ When updating software on a system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem but with a different security exploit and release it on the Internet. If this happens, using security measures such as verifying files against the original RPM does not detect the exploit. Thus, it is very important to only download RPMs from trusted sources, such as from &PRODUCT; and to check the signature of the package to verify its integrity. > </para> > <note> > <title>Note</title> > <para> >- Fedora includes a convenient panel icon that displays visible alerts when there is an update for a Fedora system. >+ &PRODUCT; includes a convenient panel icon that displays visible alerts when there is an update for a &PRODUCT; system. > </para> > </note> > </section> 
>@@ -26,10 +26,10 @@ > <section id="sect-Security_Guide-Updating_Packages-Verifying_Signed_Packages"> > <title>Verifying Signed Packages</title> > <para> >- All Fedora packages are signed with the Fedora <firstterm>GPG</firstterm> key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by Fedora does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted. >+ All &PRODUCT; packages are signed with the &PRODUCT; <firstterm>GPG</firstterm> key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by &PRODUCT; does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted. > </para> > <para> >- The RPM utility within Fedora automatically tries to verify the GPG signature of an RPM package before installing it. If the Fedora GPG key is not installed, install it from a secure, static location, such as an Fedora installation CD-ROM or DVD. >+ The RPM utility within &PRODUCT; automatically tries to verify the GPG signature of an RPM package before installing it. If the &PRODUCT GPG key is not installed, install it from a secure, static location, such as an &PRODUCT installation CD-ROM or DVD. > </para> > <para> > Assuming the disc is mounted in <filename>/mnt/cdrom</filename>, use the following command to import it into the <firstterm>keyring</firstterm> (a database of trusted keys on the system): 
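Review bot: The second added paragraph in this hunk has two entity references without the terminating semicolon, "the &PRODUCT GPG key" and "an &PRODUCT installation CD-ROM or DVD". Neither is a valid entity reference, so the XML is not well-formed and the book will not build. They should read "&PRODUCT; GPG key" and "&PRODUCT; installation CD-ROM or DVD". The article "an" carried over from "an Fedora" is also wrong for any expansion that starts with a consonant; "the &PRODUCT; installation CD-ROM or DVD" avoids depending on what the entity expands to.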
>@@ -52,7 +52,7 @@ > </para> > <screen><command>rpm -K /tmp/updates/*.rpm</command></screen> > <para> >- For each package, if the GPG key verifies successfully, the command returns <computeroutput>gpg OK</computeroutput>. If it doesn't, make sure you are using the correct Fedora public key, as well as verifying the source of the content. Packages that do not pass GPG verifications should not be installed, as they may have been altered by a third party. >+ For each package, if the GPG key verifies successfully, the command returns <computeroutput>gpg OK</computeroutput>. If it doesn't, make sure you are using the correct &PRODUCT; public key, as well as verifying the source of the content. Packages that do not pass GPG verifications should not be installed, as they may have been altered by a third party. > </para> > <para> > After verifying the GPG key and downloading all the packages associated with the errata report, install the packages as root at a shell prompt. >@@ -120,7 +120,7 @@ > <term>Kernel</term> > <listitem> > <para> >- The kernel is the core software component for the Fedora operating system. It manages access to memory, the processor, and peripherals as well as schedules all tasks. >+ The kernel is the core software component for the &PRODUCT; operating system. It manages access to memory, the processor, and peripherals as well as schedules all tasks. > </para> > <para> > Because of its central role, the kernel cannot be restarted without also stopping the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted. >diff --git a/en-US/Server.xml b/en-US/Server.xml >index 213a54a..f614f7b 100644 >--- a/en-US/Server.xml >+++ b/en-US/Server.xml 
>@@ -397,7 +397,7 @@ iptables -A INPUT -p ALL -s! 192.168.0.0/24 --dport 835 -j DROP</screen> > <important> > <title>Important</title> > <para> >- The version of NFS included in Fedora, NFSv4, no longer requires the <command>portmap</command> service as outlined in <xref linkend="sect-Security_Guide-Server_Security-Securing_Portmap" />. NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. NFSv4 now includes Kerberos user and group authentication, as part of the <filename>RPCSEC_GSS</filename> kernel module. Information on <command>portmap</command> is still included, since Fedora supports NFSv2 and NFSv3, both of which utilize <command>portmap</command>. >+ The version of NFS included in &PRODUCT;, NFSv4, no longer requires the <command>portmap</command> service as outlined in <xref linkend="sect-Security_Guide-Server_Security-Securing_Portmap" />. NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. NFSv4 now includes Kerberos user and group authentication, as part of the <filename>RPCSEC_GSS</filename> kernel module. Information on <command>portmap</command> is still included, since &PRODUCT; supports NFSv2 and NFSv3, both of which utilize <command>portmap</command>. > </para> > </important> > <section id="sect-Security_Guide-Securing_NFS-Carefully_Plan_the_Network"> 
>@@ -478,7 +478,7 @@ iptables -A INPUT -p ALL -s! 192.168.0.0/24 --dport 835 -j DROP</screen> > <section id="sect-Security_Guide-Server_Security-Securing_the_Apache_HTTP_Server"> > <title>Securing the Apache HTTP Server</title> > <para> >- The Apache HTTP Server is one of the most stable and secure services that ships with Fedora. A large number of options and techniques are available to secure the Apache HTTP Server — too numerous to delve into deeply here. The following section briefly explains good practices when running the Apache HTTP Server. >+ The Apache HTTP Server is one of the most stable and secure services that ships with &PRODUCT;. A large number of options and techniques are available to secure the Apache HTTP Server — too numerous to delve into deeply here. The following section briefly explains good practices when running the Apache HTTP Server. > </para> > <para> > Always verify that any scripts running on the system work as intended <emphasis>before</emphasis> putting them into production. Also, ensure that only the root user has write permissions to any directory containing scripts or CGIs. To do this, run the following commands as the root user: >@@ -535,7 +535,7 @@ UserDir disabled root</screen> > The <firstterm>File Transfer Protocol</firstterm> (<abbrev>FTP</abbrev>) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured. > </para> > <para> >- Fedora provides three FTP servers. >+ &PRODUCT; provides three FTP servers. > </para> > <itemizedlist> > <listitem> >diff --git a/en-US/Tcp_Wrappers.xml b/en-US/Tcp_Wrappers.xml >index 8070c26..a4c6291 100644 >--- a/en-US/Tcp_Wrappers.xml >+++ b/en-US/Tcp_Wrappers.xml 
>@@ -5,7 +5,7 @@ > <section id="sect-Security_Guide-TCP_Wrappers_and_xinetd"> > <title>TCP Wrappers and xinetd</title> > <para> >- Controlling access to network services is one of the most important security tasks facing a server administrator. Fedora provides several tools for this purpose. For example, an <command>iptables</command>-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that utilize it, <firstterm>TCP Wrappers</firstterm> add an additional layer of protection by defining which hosts are or are not allowed to connect to "<emphasis>wrapped</emphasis>" network services. One such wrapped network service is the <systemitem class="daemon">xinetd</systemitem> <emphasis>super server</emphasis>. This service is called a super server because it controls connections to a subset of network services and further refines access control. >+ Controlling access to network services is one of the most important security tasks facing a server administrator. &PRODUCT; provides several tools for this purpose. For example, an <command>iptables</command>-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that utilize it, <firstterm>TCP Wrappers</firstterm> add an additional layer of protection by defining which hosts are or are not allowed to connect to "<emphasis>wrapped</emphasis>" network services. One such wrapped network service is the <systemitem class="daemon">xinetd</systemitem> <emphasis>super server</emphasis>. This service is called a super server because it controls connections to a subset of network services and further refines access control. > </para> > <para> > <xref linkend="figu-Security_Guide-TCP_Wrappers_and_xinetd-Access_Control_to_Network_Services" /> is a basic illustration of how these tools work together to protect network services. 
>@@ -41,7 +41,7 @@ > In addition to access control and logging, TCP Wrappers can execute commands to interact with the client before denying or releasing control of the connection to the requested network service. > </para> > <para> >- Because TCP Wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within Fedora are linked to the <filename>libwrap.a</filename> library. Some such applications include <systemitem class="daemon">/usr/sbin/sshd</systemitem>, <command>/usr/sbin/sendmail</command>, and <systemitem class="daemon">/usr/sbin/xinetd</systemitem>. >+ Because TCP Wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within &PRODUCT; are linked to the <filename>libwrap.a</filename> library. Some such applications include <systemitem class="daemon">/usr/sbin/sshd</systemitem>, <command>/usr/sbin/sendmail</command>, and <systemitem class="daemon">/usr/sbin/xinetd</systemitem>. > </para> > <note> > <title>Note</title> 
>@@ -366,7 +366,7 @@ > <section id="sect-Security_Guide-TCP_Wrappers_Configuration_Files-Option_Fields"> > <title>Option Fields</title> > <para> >- In addition to basic rules that allow and deny access, the Fedora implementation of TCP Wrappers supports extensions to the access control language through <firstterm>option fields</firstterm>. By using option fields in hosts access rules, administrators can accomplish a variety of tasks such as altering log behavior, consolidating access control, and launching shell commands. >+ In addition to basic rules that allow and deny access, the &PRODUCT; implementation of TCP Wrappers supports extensions to the access control language through <firstterm>option fields</firstterm>. By using option fields in hosts access rules, administrators can accomplish a variety of tasks such as altering log behavior, consolidating access control, and launching shell commands. > </para> > <section id="sect-Security_Guide-Option_Fields-Logging"> > <title>Logging</title> >diff --git a/en-US/Using_GPG.xml b/en-US/Using_GPG.xml >index 29997f5..e6ed3a1 100644 >--- a/en-US/Using_GPG.xml >+++ b/en-US/Using_GPG.xml 
>@@ -47,7 +47,7 @@ > Use the following shell command: <code>gpg --gen-key</code> > </para> > <para> >- This command generates a key pair that consists of a public and a private key. Other people use your public key to authenticate and/or decrypt your communications. Distribute your public key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list. The Fedora Documentation Project, for example, asks participants to include a GPG public key in their self-introduction. >+ This command generates a key pair that consists of a public and a private key. Other people use your public key to authenticate and/or decrypt your communications. Distribute your public key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list. > </para> > <para> > A series of prompts directs you through the process. Press the <code>Enter</code> key to assign a default value if desired. The first prompt asks you to select what kind of key you prefer: >@@ -105,7 +105,7 @@ What keysize do you want? (2048)</screen> > Finally, <code>gpg</code> generates random data to make your key as unique as possible. Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process. Once this step is finished, your keys are complete and ready to use: > </para> > <screen> >-pub 1024D/1B2AFA1C 2005-03-31 John Q. Doe (Fedora Docs Project) <jqdoe@example.com> >+pub 1024D/1B2AFA1C 2005-03-31 John Q. Doe <jqdoe@example.com> > Key fingerprint = 117C FE83 22EA B843 3E86 6486 4320 545E 1B2A FA1C > sub 1024g/CEA4B22E 2005-03-31 [expires: 2006-03-31] > </screen> 
>@@ -163,7 +163,7 @@ sending-filters=/home/max/bin/ez-pine-gpg-sign _INCLUDEALLHDRS_, > <section id="sect-Security_Guide-Encryption-Using_GPG-Using_GPG_with_Evolution-Configuring"> > <title>Configuring GPG for use with Evolution</title> > <para> >- To configure GPG for use in <application>Evolution</application> select from the <application>Evolution</application> Main Menu, select Tools, Settings... In the left pane, select Mail Accounts. In the right pane, select the email account you use for Fedora Project correspondence. Then select the Edit button. The <application>Evolution</application> Account Editor dialog appears. Select the Security tab. >+ To configure GPG for use in <application>Evolution</application> select from the <application>Evolution</application> Main Menu, select Tools, Settings... In the left pane, select Mail Accounts. In the right pane, select the email account you use for correspondence. Then select the Edit button. The <application>Evolution</application> Account Editor dialog appears. Select the Security tab. > </para> > <para> > In the PGP/GPG Key ID field, enter the GPG key ID matching this account's email address. If you are not sure what your key ID is, use this command: <code>gpg --fingerprint EMAIL_ADDRESS</code>. The key ID is the same as the last eight characters (4 bytes) of the key fingerprint. It is a good idea to click the option Always encrypt to myself when sending encrypted mail. You may also want to select Always sign outgoing messages when using this account. 
>@@ -184,7 +184,7 @@ If you do not mark public keys as trusted in your keyring, you will not be able > <section id="sect-Security_Guide-Encryption-Using_GPG-Using_GPG_with_Evolution-Signing_and_Encrypting"> > <title>Signing and Encrypting email with Evolution</title> > <para> >- Signing email allows the recipients to verify that the email actually came from you. The FDP (and the whole of the Fedora Project) encourage you to sign email to other participants, including on Fedora mailing lists. Encrypting email allows only your recipients to read your email. Please do not send encrypted email over the Fedora mailing lists, since almost no one will be able to read it. >+ Signing email allows the recipients to verify that the email actually came from you. > </para> > <para> > While composing your email, choose the Security menu, and then select PGP Sign to sign your message. To encrypt your message, select PGP Encrypt. You may sign an encrypted message as well, which is good practice. When you send the message, Evolution will ask you to enter your GPG key passphrase. (After three unsuccessful attempts Evolution generates an error.) If you select the option Remember this password for the remainder of this session, you will not need to use your passphrase again to sign or decrypt, unless you quit and restart Evolution. 
>@@ -193,9 +193,9 @@ While composing your email, choose the Security menu, and then select PGP Sign t > </section> > <section id="sect-Security_Guide-Encryption-Using_GPG-Using_GPG_with_Thunderbird"> > <title>Using GPG with Thunderbird</title> >- <para>Fedora Core includes Mozilla Thunderbird in the thunderbird package, and the mozilla-mail package for the Mozilla Suite email application. Thunderbird is the recommended Mozilla email application. This appears on your desktop as Applications > Internet > Thunderbird Email.</para> >+ <para>&PRODUCT; includes Mozilla Thunderbird in the thunderbird package, and the mozilla-mail package for the Mozilla Suite email application. Thunderbird is the recommended Mozilla email application. This appears on your desktop as Applications > Internet > Thunderbird Email.</para> > <para>Mozilla products support extensions, plugins that add new features to the main application. The Enigmail extensions provide GPG support to email products from Mozilla. Versions of Enigmail exist for both Mozilla Thunderbird, and the Mozilla Suite (Seamonkey). Netscape software from AOL is based on the Mozilla products, and may also use this extension.</para> >- <para>To install Enigmail on Fedora systems, follow the instructions given below.</para> >+ <para>To install Enigmail on &PRODUCT; systems, follow the instructions given below.</para> > <para>Enigmail uses the term OpenPGP in menu items and options. GPG is an implementation of OpenPGP, and you may treat the terms as equivalent.</para> > <para>The homepage for Enigmail is: <ulink url="http://enigmail.mozdev.org/download.html"></ulink>.</para> > <para>This page provides screenshots of Enigmail and GPG in action: <ulink url="http://enigmail.mozdev.org/screenshots.html"></ulink>.</para> >diff --git a/en-US/VPN.xml b/en-US/VPN.xml >index ca9c96d..1cf796a 100644 >--- a/en-US/VPN.xml >+++ b/en-US/VPN.xml 
>@@ -27,19 +27,19 @@ > </section> > > <section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-VPNs_and_PROD"> >- <title>VPNs and Fedora</title> >+ <title>VPNs and &PRODUCT;</title> > <para> >- Fedora provides various options in terms of implementing a software solution to securely connect to a <acronym>WAN</acronym>. <firstterm>Internet Protocol Security</firstterm> (<acronym>IPsec</acronym>) is the supported <abbrev>VPN</abbrev> implementation for Fedora, and sufficiently addresses the usability needs of organizations with branch offices or remote users. >+ &PRODUCT; provides various options in terms of implementing a software solution to securely connect to a <acronym>WAN</acronym>. <firstterm>Internet Protocol Security</firstterm> (<acronym>IPsec</acronym>) is the supported <abbrev>VPN</abbrev> implementation for &PRODUCT;, and sufficiently addresses the usability needs of organizations with branch offices or remote users. > </para> > </section> > > <section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec"> > <title>IPsec</title> > <para> >- Fedora supports <abbrev>IPsec</abbrev> for connecting remote hosts and networks to each other using a secure tunnel on a common carrier network such as the Internet. <abbrev>IPsec</abbrev> can be implemented using a host-to-host (one computer workstation to another) or network-to-network (one <acronym>LAN</acronym>/<acronym>WAN</acronym> to another) configuration. >+ &PRODUCT; supports <abbrev>IPsec</abbrev> for connecting remote hosts and networks to each other using a secure tunnel on a common carrier network such as the Internet. <abbrev>IPsec</abbrev> can be implemented using a host-to-host (one computer workstation to another) or network-to-network (one <acronym>LAN</acronym>/<acronym>WAN</acronym> to another) configuration. 
> </para> > <para> >- The <abbrev>IPsec</abbrev> implementation in Fedora uses <firstterm>Internet Key Exchange</firstterm> (<firstterm>IKE</firstterm>), a protocol implemented by the Internet Engineering Task Force (<acronym>IETF</acronym>), used for mutual authentication and secure associations between connecting systems. >+ The <abbrev>IPsec</abbrev> implementation in &PRODUCT; uses <firstterm>Internet Key Exchange</firstterm> (<firstterm>IKE</firstterm>), a protocol implemented by the Internet Engineering Task Force (<acronym>IETF</acronym>), used for mutual authentication and secure associations between connecting systems. > </para> > </section> 
> >@@ -49,13 +49,13 @@ > An <abbrev>IPsec</abbrev> connection is split into two logical phases. In phase 1, an <abbrev>IPsec</abbrev> node initializes the connection with the remote node or network. The remote node or network checks the requesting node's credentials and both parties negotiate the authentication method for the connection. > </para> > <para> >- On Fedora systems, an <abbrev>IPsec</abbrev> connection uses the <firstterm>pre-shared key</firstterm> method of <abbrev>IPsec</abbrev> node authentication. In a pre-shared key <abbrev>IPsec</abbrev> connection, both hosts must use the same key in order to move to Phase 2 of the <abbrev>IPsec</abbrev> connection. >+ On &PRODUCT; systems, an <abbrev>IPsec</abbrev> connection uses the <firstterm>pre-shared key</firstterm> method of <abbrev>IPsec</abbrev> node authentication. In a pre-shared key <abbrev>IPsec</abbrev> connection, both hosts must use the same key in order to move to Phase 2 of the <abbrev>IPsec</abbrev> connection. > </para> > <para> > Phase 2 of the <abbrev>IPsec</abbrev> connection is where the <firstterm>Security Association</firstterm> (<acronym>SA</acronym>) is created between <abbrev>IPsec</abbrev> nodes. This phase establishes an <abbrev>SA</abbrev> database with configuration information, such as the encryption method, secret session key exchange parameters, and more. This phase manages the actual <abbrev>IPsec</abbrev> connection between remote nodes and networks. > </para> > <para> >- The Fedora implementation of <abbrev>IPsec</abbrev> uses IKE for sharing keys between hosts across the Internet. The <command>racoon</command> keying daemon handles the IKE key distribution and exchange. Refer to the <command>racoon</command> man page for more information about this daemon. >+ The &PRODUCT; implementation of <abbrev>IPsec</abbrev> uses IKE for sharing keys between hosts across the Internet. The <command>racoon</command> keying daemon handles the IKE key distribution and exchange. 
Refer to the <command>racoon</command> man page for more information about this daemon. > </para> > </section> > >@@ -82,7 +82,7 @@ > </listitem> > </itemizedlist> > <para> >- To configure <abbrev>IPsec</abbrev> on Fedora, you can use the <application>Network Administration Tool</application>, or manually edit the networking and <abbrev>IPsec</abbrev> configuration files. >+ To configure <abbrev>IPsec</abbrev> on &PRODUCT;, you can use the <application>Network Administration Tool</application>, or manually edit the networking and <abbrev>IPsec</abbrev> configuration files. > </para> > <itemizedlist> > <listitem> >@@ -101,7 +101,7 @@ > <section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-IPsec_Host_to_Host_Configuration"> > <title>IPsec Host-to-Host Configuration</title> > <para> >- IPsec can be configured to connect one desktop or workstation (host) to another using a host-to-host connection. This type of connection uses the network to which each host is connected to create a secure tunnel between each host. The requirements of a host-to-host connection are minimal, as is the configuration of <abbrev>IPsec</abbrev> on each host. The hosts need only a dedicated connection to a carrier network (such as the Internet) and Fedora to create the <abbrev>IPsec</abbrev> connection. >+ IPsec can be configured to connect one desktop or workstation (host) to another using a host-to-host connection. This type of connection uses the network to which each host is connected to create a secure tunnel between each host. The requirements of a host-to-host connection are minimal, as is the configuration of <abbrev>IPsec</abbrev> on each host. The hosts need only a dedicated connection to a carrier network (such as the Internet) and &PRODUCT; to create the <abbrev>IPsec</abbrev> connection. > </para> > <section id="sect-Security_Guide-IPsec_Host_to_Host_Configuration-Host_to_Host_Connection"> > <title>Host-to-Host Connection</title> 
>@@ -353,7 +353,7 @@ IKE_METHOD=PSK</screen> > } > }</screen> > <para> >- The default phase 1 configuration file that is created when an <abbrev>IPsec</abbrev> connection is initialized contains the following statements used by the Fedora implementation of IPsec: >+ The default phase 1 configuration file that is created when an <abbrev>IPsec</abbrev> connection is initialized contains the following statements used by the &PRODUCT; implementation of IPsec: > </para> > <variablelist> > <varlistentry> >@@ -368,7 +368,7 @@ IKE_METHOD=PSK</screen> > <term>exchange_mode aggressive</term> > <listitem> > <para> >- The default configuration for <abbrev>IPsec</abbrev> on Fedora uses an aggressive authentication mode, which lowers the connection overhead while allowing configuration of several <abbrev>IPsec</abbrev> connections with multiple hosts. >+ The default configuration for <abbrev>IPsec</abbrev> on &PRODUCT; uses an aggressive authentication mode, which lowers the connection overhead while allowing configuration of several <abbrev>IPsec</abbrev> connections with multiple hosts. > </para> > </listitem> > </varlistentry> >@@ -376,7 +376,7 @@ IKE_METHOD=PSK</screen> > <term>my_identifier address</term> > <listitem> > <para> >- Specifies the identification method to use when authenticating nodes. Fedora uses IP addresses to identify nodes. >+ Specifies the identification method to use when authenticating nodes. &PRODUCT; uses IP addresses to identify nodes. > </para> > </listitem> > </varlistentry> >@@ -400,7 +400,7 @@ IKE_METHOD=PSK</screen> > <term>authentication_method pre_shared_key</term> > <listitem> > <para> >- Specifies the authentication method used during node negotiation. By default, Fedora uses pre-shared keys for authentication. >+ Specifies the authentication method used during node negotiation. By default, &PRODUCT; uses pre-shared keys for authentication. > </para> > </listitem> > </varlistentry> 
>@@ -450,7 +450,7 @@ include "/etc/racoon/X.X.X.X.conf";</screen> > <term>pfs_group 2</term> > <listitem> > <para> >- Defines the Diffie-Hellman key exchange protocol, which determines the method by which the <abbrev>IPsec</abbrev> nodes establish a mutual temporary session key for the second phase of <abbrev>IPsec</abbrev> connectivity. By default, the Fedora implementation of <abbrev>IPsec</abbrev> uses group 2 (or <computeroutput>modp1024</computeroutput>) of the Diffie-Hellman cryptographic key exchange groups. Group 2 uses a 1024-bit modular exponentiation that prevents attackers from decrypting previous <abbrev>IPsec</abbrev> transmissions even if a private key is compromised. >+ Defines the Diffie-Hellman key exchange protocol, which determines the method by which the <abbrev>IPsec</abbrev> nodes establish a mutual temporary session key for the second phase of <abbrev>IPsec</abbrev> connectivity. By default, the &PRODUCT; implementation of <abbrev>IPsec</abbrev> uses group 2 (or <computeroutput>modp1024</computeroutput>) of the Diffie-Hellman cryptographic key exchange groups. Group 2 uses a 1024-bit modular exponentiation that prevents attackers from decrypting previous <abbrev>IPsec</abbrev> transmissions even if a private key is compromised. > </para> > </listitem> > </varlistentry> >@@ -458,7 +458,7 @@ include "/etc/racoon/X.X.X.X.conf";</screen> > <term>lifetime time 1 hour</term> > <listitem> > <para> >- This parameter specifies the lifetime of an SA and can be quantified either by time or by bytes of data. The default Fedora implementation of <abbrev>IPsec</abbrev> specifies a one hour lifetime. >+ This parameter specifies the lifetime of an SA and can be quantified either by time or by bytes of data. The default &PRODUCT; implementation of <abbrev>IPsec</abbrev> specifies a one hour lifetime. > </para> > </listitem> > </varlistentry> 
>@@ -466,7 +466,7 @@ include "/etc/racoon/X.X.X.X.conf";</screen> > <term>encryption_algorithm 3des, blowfish 448, rijndael</term> > <listitem> > <para> >- Specifies the supported encryption ciphers for phase 2. Fedora supports 3DES, 448-bit Blowfish, and Rijndael (the cipher used in the <firstterm>Advanced Encryption Standard</firstterm>, or <acronym>AES</acronym>). >+ Specifies the supported encryption ciphers for phase 2. &PRODUCT; supports 3DES, 448-bit Blowfish, and Rijndael (the cipher used in the <firstterm>Advanced Encryption Standard</firstterm>, or <acronym>AES</acronym>). > </para> > </listitem> > </varlistentry> >diff --git a/en-US/Vulnerability_Assessment.xml b/en-US/Vulnerability_Assessment.xml >index 1bbc1f2..7769463 100644 >--- a/en-US/Vulnerability_Assessment.xml >+++ b/en-US/Vulnerability_Assessment.xml 
>@@ -152,7 +152,7 @@ > <section id="sect-Security_Guide-Evaluating_the_Tools-Scanning_Hosts_with_Nmap"> > <title>Scanning Hosts with Nmap</title> > <para> >- Nmap is a popular tool included in Fedora that can be used to determine the layout of a network. Nmap has been available for many years and is probably the most often used tool when gathering information. An excellent man page is included that provides a detailed description of its options and usage. Administrators can use Nmap on a network to find host systems and open ports on those systems. >+ Nmap is a popular port scanning tool included in &PRODUCT; that can be used to determine the layout of a network. Nmap has been available for many years and is probably the most often used tool when gathering information. An excellent man page is included that provides a detailed description of its options and usage. Administrators can use Nmap on a network to find host systems and open ports on those systems. > </para> > <para> > Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option that allows Nmap to attempt to identify the operating system running on a particular host. Nmap is a good foundation for establishing a policy of using secure services and stopping unused services. >@@ -197,7 +197,7 @@ PORT STATE SERVICE > <note> > <title>Note</title> > <para> >- The Nessus client and server software is included in Fedora repositories but requires a subscription to use. It has been included in this document as a reference to users who may be interested in using this popular application. >+ The Nessus client and server software is included in &PRODUCT; repositories but requires a subscription to use. It has been included in this document as a reference to users who may be interested in using this popular application. > </para> > </note> > <para> 
>@@ -229,7 +229,7 @@ PORT STATE SERVICE > <note> > <title>Note</title> > <para> >- VLAD is not included with Fedora and is not supported. It has been included in this document as a reference to users who may be interested in using this popular application. >+ VLAD is not included with &PRODUCT; and is not supported. It has been included in this document as a reference to users who may be interested in using this popular application. > </para> > </note> > <para> >diff --git a/en-US/Wstation.xml b/en-US/Wstation.xml >index 0a8c8db..3e65e94 100644 >--- a/en-US/Wstation.xml >+++ b/en-US/Wstation.xml >@@ -10,7 +10,7 @@ > <section id="sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security"> > <title>Evaluating Workstation Security</title> > <para> >- When evaluating the security of a Fedora workstation, consider the following: >+ When evaluating the security of a &PRODUCT; workstation, consider the following: > </para> > <itemizedlist> > <listitem> >@@ -116,7 +116,7 @@ > </listitem> > </orderedlist> > <para> >- Fedora ships with the GRUB boot loader on the x86 platform. For a detailed look at GRUB, refer to the Red Hat Installation Guide. >+ &PRODUCT; ships with the GRUB boot loader on the x86 platform. For a detailed look at GRUB, refer to the Red Hat Installation Guide. > </para> > <section id="sect-Security_Guide-Boot_Loader_Passwords-Password_Protecting_GRUB"> > <title>Password Protecting GRUB</title> 
>@@ -173,7 +173,7 @@ > <section id="sect-Security_Guide-Workstation_Security-Password_Security"> > <title>Password Security</title> > <para> >- Passwords are the primary method that Fedora uses to verify a user's identity. This is why password security is so important for protection of the user, the workstation, and the network. >+ Passwords are the primary method that &PRODUCT; uses to verify a user's identity. This is why password security is so important for protection of the user, the workstation, and the network. > </para> > <para> > For security purposes, the installation program configures the system to use <firstterm>Message-Digest Algorithm</firstterm> (<emphasis>MD5</emphasis>) and shadow passwords. It is highly recommended that you do not alter these settings. >@@ -376,7 +376,7 @@ > </listitem> > <listitem> > <para> >- <emphasis>Mix Upper and Lower Case Letters</emphasis> — Fedora is case sensitive, so mix cases to enhance the strength of the password. >+ <emphasis>Mix Upper and Lower Case Letters</emphasis> — &PRODUCT; is case sensitive, so mix cases to enhance the strength of the password. > </para> > </listitem> > <listitem> >@@ -469,7 +469,7 @@ > The password check that is performed at the time of their creation does not discover bad passwords as effectively as running a password cracking program against the passwords. > </para> > <para> >- Many password cracking programs are available that run under Fedora, although none ship with the operating system. Below is a brief list of some of the more popular password cracking programs: >+ Many password cracking programs are available that run under &PRODUCT;, although none ship with the operating system. Below is a brief list of some of the more popular password cracking programs: > </para> > <itemizedlist> > <listitem> 
>@@ -510,7 +510,7 @@ > Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a specified period (usually 90 days), the user is prompted to create a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down. > </para> > <para> >- There are two primary programs used to specify password aging under Fedora: the <command>chage</command> command or the graphical <application>User Manager</application> (<command>system-config-users</command>) application. >+ There are two primary programs used to specify password aging under &PRODUCT;: the <command>chage</command> command or the graphical <application>User Manager</application> (<command>system-config-users</command>) application. > </para> > <para> > The <option>-M</option> option of the <command>chage</command> command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command: 
>@@ -796,7 +796,7 @@ Account Expiration Date (YYYY-MM-DD) [1969-12-31]: > <section id="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins"> > <title>Disabling Root Logins</title> > <para> >- To further limit access to the root account, administrators can disable root logins at the console by editing the <filename>/etc/securetty</filename> file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to his machine as root via Telnet, which transmits the password in plain text over the network. By default, Fedora's <filename>/etc/securetty</filename> file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command: >+ To further limit access to the root account, administrators can disable root logins at the console by editing the <filename>/etc/securetty</filename> file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to his machine as root via Telnet, which transmits the password in plain text over the network. By default, &PRODUCT;'s <filename>/etc/securetty</filename> file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command: > </para> > <screen><command>echo > /etc/securetty</command></screen> > <warning> 
>@@ -810,7 +810,7 @@ Account Expiration Date (YYYY-MM-DD) [1969-12-31]: > <section id="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins"> > <title>Disabling Root SSH Logins</title> > <para> >- Root logins via the SSH protocol are disabled by default in Fedora; however, if this option has been enabled, it can be disabled again by editing the SSH daemon's configuration file (<filename>/etc/ssh/sshd_config</filename>). Change the line that reads: >+ Root logins via the SSH protocol are disabled by default in &PRODUCT;; however, if this option has been enabled, it can be disabled again by editing the SSH daemon's configuration file (<filename>/etc/ssh/sshd_config</filename>). Change the line that reads: > </para> > <screen><computeroutput>PermitRootLogin yes</computeroutput></screen> > <para> >@@ -985,7 +985,7 @@ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed</screen> > While user access to administrative controls is an important issue for system administrators within an organization, monitoring which network services are active is of paramount importance to anyone who administers and operates a Linux system. > </para> > <para> >- Many services under Fedora behave as network servers. If a network service is running on a machine, then a server application (called a <firstterm>daemon</firstterm>), is listening for connections on one or more network ports. Each of these servers should be treated as a potential avenue of attack. >+ Many services under &PRODUCT; behave as network servers. If a network service is running on a machine, then a server application (called a <firstterm>daemon</firstterm>), is listening for connections on one or more network ports. Each of these servers should be treated as a potential avenue of attack. > </para> > <section id="sect-Security_Guide-Available_Network_Services-Risks_To_Services"> > <title>Risks To Services</title> 
>@@ -1017,7 +1017,7 @@ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed</screen> > <note> > <title>Note</title> > <para> >- The threat of buffer overflow vulnerabilities is mitigated in Fedora by <firstterm>ExecShield</firstterm>, an executable memory segmentation and protection technology supported by x86-compatible uni- and multi-processor kernels. ExecShield reduces the risk of buffer overflow by separating virtual memory into executable and non-executable segments. Any program code that tries to execute outside of the executable segment (such as malicious code injected from a buffer overflow exploit) triggers a segmentation fault and terminates. >+ The threat of buffer overflow vulnerabilities is mitigated in &PRODUCT; by <firstterm>ExecShield</firstterm>, an executable memory segmentation and protection technology supported by x86-compatible uni- and multi-processor kernels. ExecShield reduces the risk of buffer overflow by separating virtual memory into executable and non-executable segments. Any program code that tries to execute outside of the executable segment (such as malicious code injected from a buffer overflow exploit) triggers a segmentation fault and terminates. > </para> > <para> > Execshield also includes support for <firstterm>No eXecute</firstterm> (<acronym>NX</acronym>) technology on AMD64 platforms and <firstterm>eXecute Disable</firstterm> (<acronym>XD</acronym>) technology on Itanium and <trademark class="registered">Intel</trademark> 64 systems. These technologies work in conjunction with ExecShield to prevent malicious code from running in the executable portion of virtual memory with a granularity of 4KB of executable code, lowering the risk of attack from stealthy buffer overflow exploits. 
>@@ -1034,12 +1034,12 @@ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed</screen> > <section id="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services"> > <title>Identifying and Configuring Services</title> > <para> >- To enhance security, most network services installed with Fedora are turned off by default. There are, however, some notable exceptions: >+ To enhance security, most network services installed with &PRODUCT; are turned off by default. There are, however, some notable exceptions: > </para> > <itemizedlist> > <listitem> > <para> >- <command>cupsd</command> — The default print server for Fedora. >+ <command>cupsd</command> — The default print server for &PRODUCT;. > </para> > </listitem> > <listitem> >@@ -1133,7 +1133,7 @@ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed</screen> > </listitem> > <listitem> > <para> >- <command>authd</command> (this was called <command>identd</command> in previous Fedora releases.) >+ <command>authd</command> (this was called <command>identd</command> in previous &PRODUCT; releases.) > </para> > </listitem> > <listitem> 
>@@ -1207,7 +1207,7 @@ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed</screen> > Firewalls prevent network packets from accessing the system's network interface. If a request is made to a port that is blocked by a firewall, the request is ignored. If a service is listening on one of these blocked ports, it does not receive the packets and is effectively disabled. For this reason, care should be taken when configuring a firewall to block access to ports not in use, while not blocking access to ports used by configured services. > </para> > <para> >- For most users, the best tool for configuring a simple firewall is the graphical firewall configuration tool which ships with Fedora: the <application>Firewall Administration Tool</application> (<command>system-config-firewall</command>). This tool creates broad <command>iptables</command> rules for a general-purpose firewall using a control panel interface. >+ For most users, the best tool for configuring a simple firewall is the graphical firewall configuration tool which ships with &PRODUCT;: the <application>Firewall Administration Tool</application> (<command>system-config-firewall</command>). This tool creates broad <command>iptables</command> rules for a general-purpose firewall using a control panel interface. > </para> > <para> > Refer to <xref linkend="sect-Security_Guide-Firewalls-Basic_Firewall_Configuration" /> for more information about using this application and its available options. 
>@@ -1223,7 +1223,7 @@ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed</screen> > As the size and popularity of the Internet has grown, so has the threat of communication interception. Over the years, tools have been developed to encrypt communications as they are transferred over the network. > </para> > <para> >- Fedora ships with two basic tools that use high-level, public-key-cryptography-based encryption algorithms to protect information as it travels over the network. >+ &PRODUCT; ships with two basic tools that use high-level, public-key-cryptography-based encryption algorithms to protect information as it travels over the network. > </para> > <itemizedlist> > <listitem> >diff --git a/en-US/Yubikey.xml b/en-US/Yubikey.xml >index d5f8045..2cb3389 100644 >--- a/en-US/Yubikey.xml >+++ b/en-US/Yubikey.xml >@@ -10,7 +10,7 @@ > <section id="sect-Security_Guide-Yubikey-Centralized_Server"> > <title>Using Yubikey with a centralized server</title> > <para> >- A PAM module already exists in the Fedora repositories that allow authentication of computers that can contact an authentication server. The server can either be setup at the domain level or the Yubico's servers can be utilized. This method of authentication is a great enterprise solution where multiple users may need access to multiple computers on the domain. The steps below describe this setup. >+ A PAM module already exists in the &PRODUCT; repositories that allow authentication of computers that can contact an authentication server. The server can either be setup at the domain level or the Yubico's servers can be utilized. This method of authentication is a great enterprise solution where multiple users may need access to multiple computers on the domain. The steps below describe this setup. > </para> > <procedure> > <step> >-- >1.7.1 >
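Review bot: In the hunk at @@ -1133,7 +1133,7 @@, the parenthetical "this was called identd in previous &PRODUCT; releases" is a historical statement about Fedora releases, so it stops being reliably true once &PRODUCT; expands to any other name. Keep the literal "Fedora" on this line, or reword it so it does not depend on the entity, for example "this service was formerly called identd".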
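Review bot: In the hunk at @@ -1207,7 +1207,7 @@, "the graphical firewall configuration tool which ships with &PRODUCT;" ties a specific tool (system-config-firewall) to whatever the entity expands to, which the patch has no way to guarantee. If the guide is meant to be rebranded, confirm that the tool is present in every product that will define &PRODUCT;, or phrase the sentence around the tool itself rather than what the product ships.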
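Review bot: In the en-US/Yubikey.xml hunk at @@ -10,7 +10,7 @@, the rewritten line carries over the existing grammar problems, and since the line is being touched anyway they could be fixed in the same change: "that allow" should be "that allows", "setup" used as a verb should be "set up", and "the Yubico's servers" should be "Yubico's servers". The sentence also now asserts that the PAM module exists in the &PRODUCT; repositories, which should be checked for any product other than Fedora.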