What’s next for the Fedora Security Guide
The Fedora Security Guide has had a very complicated background. The guide itself started out as a series of entries on the MoinMoin wiki. The original article explained how to set up LUKS for full-disk encryption. That article sparked additional articles discussing how to set up encryption for both data-at-rest and data-in-motion. When development was eventually moved to DocBook XML, Red Hat donated its security guide code to Fedora’s guide, which filled in the subject matter well. That combined effort later went on to create the Fedora Security Guide and, downstream, the RHEL 6 Security Guide.
I’m very proud of the effort that went into the guide from both Fedora community members and Red Hat-related contributors. Lots of information is now available in the guide and I’ve heard from more than several people that they use it as a reference for answering questions, hardening their systems, and understanding concepts. Hearing this type of feedback is quite helpful and knowing that my contributions are helping others is what drives my work on this guide.
I’ve noticed, though, that it has become incredibly difficult to maintain all this content. Much of it is clearly scope creep from the original plan for the document. With much talk about the Fedora 20 release being a rebuilding release, I thought it might be a good time to redefine the scope and goals. Having a somewhat narrower scope should help keep the document on topic and make it a better guide overall.
With that I propose the following:
Scope – The Fedora Security Guide documents instructions for hardening installations of certain high-visibility services that are shipped with Fedora. Additionally, instructions and concepts for securing data-at-rest and data-in-motion will be maintained as long as the solutions are shipped from within the Fedora repositories.
- Document hardening instructions for high-visibility services such as Apache (httpd), PostgreSQL and MariaDB, OpenSSH, and BIND.
- Document hardening instructions for the “average desktop user”.
- Document means of encrypting data-at-rest.
- Document means of encrypting and authenticating data-in-motion.
This is just an idea and comments are welcome. I’ll start hacking and cutting soon, though.