Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Fedora Project Wiki" for change notification.

The following page has been changed by PaulWFrields:
http://fedoraproject.org/wiki/Docs/Beats/Security

The comment on the change is:
FC6t2

------------------------------------------------------------------------------ A general introduction to the many proactive security features in Fedora, current status and policies is available at http://fedoraproject.org/wiki/Security. == What's New == - {{{ - === PAM module Deprecation === - `Pam_stack` is deprecated in this release. Linux-PAM 0.78 and later contains the {{{include}}} directive which obsoletes the `pam_stack` module. `pam_stack` module usage is logged with a deprecation warning. It might be removed in a future release. It must not be used in individual service configurations anymore. All packages in Fedora Core using PAM were modified so they do not use it. + This section has not been updated for Fedora Core [[GetVal(DocsDict,BeatsVer)]] by the [http://fedoraproject.org/wiki/DocsProject/ReleaseNotes/Beats beat writer]. - || (!) '''Upgrading and PAM Stacks''' || - || When a system is upgraded from previous Fedora Core releases and the system admininstrator previously modified some service configurations, those modified configuration files are ''not'' replaced when new packages are installed. Instead, the new configuration files are created as `.rpmnew` files. Such service configurations must be fixed so the `pam_stack` module is not used. Refer to the `.rpmnew` files for the actual changes needed. || - - {{{ diff -u /etc/pam.d/foo /etc/pam.d/foo.rpmnew - ##}}} - - The following example shows the `/etc/pam.d/login` configuration file in its original form using `pam_stack`, and then revised with the {{{include}}} directive. 
- - {{{ #%PAM-1.0 - auth required pam_securetty.so - auth required pam_stack.so service=system-auth - auth required pam_nologin.so - account required pam_stack.so service=system-auth - password required pam_stack.so service=system-auth - # pam_selinux.so close should be the first session rule - session required pam_selinux.so close - session required pam_stack.so service=system-auth - session required pam_loginuid.so - session optional pam_console.so - # pam_selinux.so open should be the last session rule - session required pam_selinux.so open - ##}}} - {{{ #%PAM-1.0 - auth required pam_securetty.so - auth include system-auth - # no module should remain after 'include' if 'sufficient' might - # be used in the included configuration file - # pam_nologin moved to account phase - it's more appropriate there - # other modules might be moved before the system-auth 'include' - account required pam_nologin.so - account include system-auth - password include system-auth - # pam_selinux.so close should be the first session rule - session required pam_selinux.so close - session include system-auth - # the system-auth config doesn't contain sufficient modules - # in the session phase - session required pam_loginuid.so - session optional pam_console.so - # pam_selinux.so open should be the last session rule - session required pam_selinux.so open - ##}}} - - === Buffer Overflow detection and variable reordering === - - All of the software in Fedora Core and Extras software repository for this release is compiled using a security feature called a ''stack protector''. This was using the compiler option `-fstack-protector`, which places a canary value on the stack of functions containing a local character array. Before returning from a protected function, the canary value is verified. If there was a buffer overflow, the canary will no longer match the expected value, aborting the program. 
The canary value is random each time the application is started, making remote exploitation very difficult. The stack protector feature does not protect against heap-based buffer overflows. - - This is a security feature written by Red Hat developers (http://gcc.gnu.org/ml/gcc-patches/2005-05/msg01193.html), reimplementing the IBM Pro``Police/SSP feature. For more information about Pro``Police/SSP, refer to http://www.research.ibm.com/trl/projects/security/ssp/. This feature is available as part of the GCC 4.1 compiler used in Fedora Core [[GetVal(DocsDict,BeatsVar)]]. - - The `FORTIFY_SOURCE` security feature for `gcc` and `glibc` introduced in Fedora Core 4 remains available. For more information about security features in Fedora, refer to http://fedoraproject.org/wiki/Security/Features. - }}} [[Include(/SELinux)]] ---- CategorySecurity
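Review bot: The added placeholder names the release as `[[GetVal(DocsDict,BeatsVer)]]`, while the removed stack-protector paragraph used `[[GetVal(DocsDict,BeatsVar)]]` for the same value; one of the two DocsDict keys is a typo and the page should settle on a single key so the release number actually renders. Beyond that, the change deletes the whole beat (the `pam_stack` deprecation notice, the `.rpmnew` upgrade caveat with its `diff -u /etc/pam.d/foo /etc/pam.d/foo.rpmnew` check, the `/etc/pam.d/login` before/after example, and the `-fstack-protector` and `FORTIFY_SOURCE` paragraphs) and replaces it with only a "not updated" line; since the removed text tells upgraders that locally modified service files must be fixed to use `include` instead of `pam_stack`, that material should stay visible, or be linked from the placeholder, until the beat writer refreshes it.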