Security Shortcomings in Fedora

Why are there not more security programs in Fedora’s software offering?

Why isn’t there an expert breakdown of what one can do to harden a Fedora system?

I find that a lot of stuff does not work properly, or it is old, or both. For example, COMODO does not work smoothly in Fedora 30; chkrootkit comes as an old version; and Lynis comes as an old version too.

I think security should be up front and prioritized, and one does not get the impression that this is the case right now with Fedora. Can someone please fix this.

Have you looked at Security Lab?

There are lots of these on the internet, and the Security SIG is always ready to help. Have you contacted them yet?

If packages are not available, or not up to date, it is generally because the volunteers that maintain the package are short on time. Please consider joining the package maintainers to help improve the software that the repositories provide.

I’m sorry you get that impression, but I can tell you that we all agree that security is important, and it is prioritised to the extent where resources will permit. The RedHat security team also keeps an eye on CVEs, for example.

Why not you :smiley: ? Everything is free/open source, all our resources only require an FAS that you already have—you can start now!


Here is an example of what goes wrong in Fedora:

The rkhunter.log file was locked on my system. After unlocking it, I could see that some tests had been turned off. This is the kind of bad thing that I face. I can wipe my OS, etc., but why should I put Fedora back onto my computer? It seems that I cannot make it safe.

[07:36:51] Info: Using package manager 'RPM' for file property checks
[07:36:51] Info: Found the 'rpm' command: /bin/rpm
[07:36:51] Info: Previous file attributes were stored
[07:36:51] Info: Enabled tests are: all
[07:36:51] Info: *Disabled tests are: suspscan hidden_ports deleted_files packet_cap_apps apps ipc_shared_mem*
[07:36:51] Info: Current logging will be appended to the log file
[07:36:51] Info: Found kernel symbols file '/proc/kallsyms'

So, in such advanced tasks the maintainer (who we can safely assume knows what they are doing) pick a set of defaults that work for most cases. If you think these defaults aren’t enough, please file a bug and discuss them with the maintainer so that they can benefit all users. In cases where the defaults aren’t sufficient, the user must modify the configurations to fit their use-case. One set of configurations just does not fit every user.

1 Like

Well, I think that you can’t measure how much an operating system is secure looking at the security scanner tools it provides. Actually Fedora doesn’t offer neither a real-time anti virus :sweat_smile:

Fedora frequently receives kernel and core components updates, and as you know, having an updated system is the first security countermeasure. In addition Fedora comes with a firewall and selinux enabled.

By the way, chkrootkit RPM is at version 0.53, like the latest release that you can find on the chkrootkit web site.

Instead you are right, Lynis is not at the very last version, (2.7.1 that comes with Fedora was released on 2019-01-30, while the last version was released on 2019-04-21).
However, as far as I can see, if you want the very last version, you can enable the repository offered by the Lynis developers: CISOfy Software Repository (Community)

I hope you will change your impression :smiley: