http://www.securityfocus.com/archive/1.
Security holes are often discussed on BugTraq before the software makers have even released the fix. The Security Focus site has other mailing lists and sections dedicated to Linux in general and is an excellent resource.
Understanding SELinux
Users moving from Windows to Linux often make the mistake of wanting to maximize the security of their system by changing the default Linux settings 'to what they ought to be.' If that's you, stop right there: Fedora is designed to be secure out of the box, which means you need to change nothing to be secure.
One of the most commonly misunderstood components of the Fedora security ecosystem is SELinux, which was designed by the US government's National Security Agency to ensure that Linux meets its high requirements for technology security. What people misunderstand about SELinux is that it works automatically, out of the box, whether you understand it or not; you don't need to enable it, tweak it, or even know how it works for it to help keep your system secure. SELinux is designed to complement, rather than replace, the existing Linux security permissions system, which means that anything allowed by SELinux but disallowed by your filesystem permissions is denied.
SELinux works by monitoring every system request of every program. For example, each time Apache wants to serve a web page, it has to ask SELinux whether it can read the requested file. Don't worry, the speed hit is minimal; but in terms of security, it means that even if Apache is compromised, it still can't be used to read sensitive files because SELinux stops it.
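When SELinux refuses a request such as the Apache file read described above, the decision is recorded as an AVC record in the audit log. The following is an added example, not part of the original text: it parses such records and summarizes what the Apache domain was denied. The log lines are constructed samples, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample records in audit.log AVC format (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1190000000.101:41): avc:  denied  { read } for  pid=2301 comm="httpd" name="shadow" dev=dm-0 ino=91 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1190000003.220:42): avc:  denied  { getattr } for  pid=2301 comm="httpd" path="/home/alice/notes.txt" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1190000003.220:42): arch=40000003 syscall=195 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1190000009.004:43): avc:  granted  { read } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        "result": m.group(1),                      # "denied" or "granted"
        "perms": m.group(2).split(),               # e.g. ["read"]
        "comm": fields.get("comm"),                # process name
        "target": fields.get("path") or fields.get("name"),
        "source_type": ctx_type(fields.get("scontext")),
        "target_type": ctx_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
    }

def denials_by_domain(log_text, domain="httpd_t"):
    """Count (target_type, tclass, perm) triples denied to one domain."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["source_type"] == domain:
            for perm in rec["perms"]:
                counts[(rec["target_type"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (ttype, tclass, perm), n in sorted(denials_by_domain(SAMPLE_LOG).items()):
        print(f"httpd_t denied {perm} on {ttype}:{tclass} x{n}")
```

On a live system the same functions can be fed the contents of /var/log/audit/audit.log, assuming the audit daemon is running.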
The only time you are likely to run into SELinux is when a program tries to do something it shouldn't. This
One last word of advice: even if SELinux does get in your way now and then, don't disable it. Several previous Linux security vulnerabilities have been exploited on other distros, but stopped on Fedora thanks to SELinux, which proves it works. Having your filesystem permissions set correctly, keeping SELinux enabled, and using the built-in firewall all help to keep your system secure — make the most of it!
These commands are used to manage security in your Fedora system:
> Ethereal — GNOME graphical network scanner
> gnome-lokkit — Fedora's basic graphical firewalling tool for X
> lokkit — Fedora's basic graphical firewalling tool
> ssh — The OpenSSH remote login client and preferred replacement for telnet
> system-config-securitylevel — Fedora's graphical firewall configuration utility
Reference
> http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-basic-firewall-gnomelokkit.html — Red Hat's guide to basic firewall configuration. Newer documentation will appear at http://fedora.redhat.com/.
> http://www.insecure.org/nmap/ — This site contains information on Nmap.
> http://www.securityfocus.com/ — The Security Focus website.
> http://www.tripwire.org/ — Information and download links for the open-source version of Tripwire.
CHAPTER 31
Performance Tuning
Squeezing extra performance out of your hardware might sound like a pointless task given how cheap commodity upgrades are today. To a certain degree that is true — for most of us, it is cheaper to buy a new computer than to spend hours fighting to get a 5% speed boost. But what if the speed boost were 20%? How about if it were 50%?
The benefit you can get by optimizing your system varies depending on what kinds of tasks you are running, but there is something for everyone. Over the next few pages, we look at quick ways to optimize the Apache web server, both the GNOME and KDE desktop systems, both MySQL and PostgreSQL database servers, and more.
Before you start, you need to understand that
Hard Disk
Many Linux users love to tinker under the hood to increase the performance of their computers, and Linux gives you some great tools to do just that. Whereas mothers tell us, 'Don't fix what's not broken,' fathers often say, 'Fix it until it breaks.' In this section, you learn about many of the commands used to tune, or 'tweak,' your file system.
Before you undertake any 'under the hood' work with Linux, however, keep a few points in mind. First, perform a benchmark on your system before you begin. Linux does not offer a well-developed benchmarking application, but availability changes rapidly. You can search online for the most up-to-date information on benchmarking applications for Linux. If you are a system administrator, you might choose to create your own benchmarking tests. Second, tweak only one thing at a time so that you can tell what works, what does not work, and what breaks. Some of these tweaks might not work or might lock up your machine.
Always have a working boot disk handy and remember that you are personally assuming all risks for attempting any of these tweaks.
Using the BIOS and Kernel to Tune the Disk Drives