
What’s next for the Fedora Security Guide

The Fedora Security Guide has had a very complicated background.  The guide itself started out as a series of entries on the MoinMoin wiki.  The original article explained how to set up LUKS for full-disk encryption.  That article sparked additional articles discussing how to set up encryption for both data-at-rest and data-in-motion.  When development was eventually moved to DocBook XML, Red Hat donated its security guide code to Fedora’s guide, which filled in the subject matter well.  That combined effort later went on to create the Fedora Security Guide and, downstream, the RHEL 6 Security Guide.

I’m very proud of the effort that went into the guide from both Fedora community members and Red Hat-related contributors.  Lots of information is now available in the guide, and I’ve heard from more than a few people that they use it as a reference for answering questions, hardening their systems, and understanding concepts.  Hearing this type of feedback is quite helpful, and knowing that my contributions are helping others is what drives my work on this guide.

I’ve noticed, though, that it has become incredibly difficult to maintain all this content.  Much of it is clearly scope creep from the original plan for the document.  With much talk about the Fedora 20 release being a rebuilding release, I thought it might be a good time to redefine the scope and goals.  Having a somewhat narrower scope should help keep the document on topic and make it a better guide overall.

With that I propose the following:

Scope – The Fedora Security Guide documents instructions for hardening installations of certain high-visibility services that ship with Fedora.  Additionally, instructions and concepts for securing data-at-rest and data-in-motion will be maintained as long as the solutions are shipped from within the Fedora repositories.

Goals –

  1. Document hardening instructions for high-visibility services such as Apache (httpd), PostgreSQL and MariaDB, OpenSSH, and BIND.
  2. Document hardening instructions for the “average desktop user”.
  3. Document means of encrypting data-at-rest.
  4. Document means of encrypting and authenticating data-in-motion.

This is just an idea and comments are welcome.  I’ll start hacking and cutting soon, though.

  1. Vratislav Podzimek
    2013-06-26 at 15:23 EDT

    I agree with this roadmap and I have one question. Do you think it would be worth converting the suggestions to SCAP content and providing it as default content for Fedora? I’ve been working on a project [1] that would allow choosing a “Security profile” in the installation process. These profiles could reflect the suggestions from the Security Guide and the installer addon may try to configure the system according to them.

    [1] https://fedorahosted.org/oscap-anaconda-addon/

    • 2013-06-26 at 18:02 EDT

      Essentially, I would want to document the SCAP content. I suspect that would make my efforts the most efficient and complete. There *may* be another effort for this, though. I’ll have to look around to see. If that’s the case then I may need to contribute there and make the Security Guide more of an intro document.

  2. 2013-06-27 at 01:08 EDT

    I’d love to pitch in with some of this work. My team does a lot of this for RHEL/CentOS already.

    • 2013-06-27 at 16:22 EDT

      I’m trying to figure out a way to work more openly with the SCAP stuff. I’m more than willing to accept help with the Security Guide, though. The more the merrier!
