Switching to Fedora

Hello Fedora Team,

As a long-time user of Debian-based distros, I have found it quite cumbersome to constantly harden the config files for security purposes, as the distro has low security outside the kernel out of the box. I have heard great things about your distro, particularly that it comes ready to go with privacy and security features. I understand that you enforce policies with SELinux, but I am curious to know what other measures you take.

I have searched your site for a hardening guide, but have not found much information other than that provided by your parent company, Red Hat. However, even their guide is not as extensive as those available for Debian and Arch. Additionally, as your distro is somewhat a rolling release with short full update cycles, I am curious to know if changes I make to some of the config files will be overridden when the distro is updated.

Fedora has its own Security Team with a mission to provide the utmost secure operating environment to Fedora and EPEL users by:

• working with packagers to patch and update packages,
• identifying and helping to improve secure development practices,
• answering software security questions from the community.

There are many security related changes planned for each Fedora release, such as:

• Strong crypto settings: phase 3, forewarning 1/2
• Unified Kernel Support Phase 1
• Add _FORTIFY_SOURCE=3 to distribution build flags
• OpenSSL 3.0 + Deprecate OpenSSL 1.1
• Signed RPM Contents
• Use yescrypt as default hashing method for shadow passwords
• Optimal LUKS Encryption Sector Size

In addition, Fedora provides the following security features OOTB:

• Crypto Policies - system-wide policies for cryptographic protocols.
• SELinux - mandatory access controls for process and system resource.
• Firewalld - zone-based dynamically managed firewall.

See also:

• Fedora Silverblue - immutable image-based Fedora variant.
• Flatpak - software deployment method providing sandbox environment.

Configuration file changes are handled using rpmsave and rpmnew files. I have not encountered rpmsave files recently (old Java configuration files have both rpmnew and rpmsave under a versioned directory).

Fedora’s RPM packages are compiled with hardened build flags by default. You can see https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/rawhide/f/buildflags.md - “Hardened builds” for details. You can see the used flags in the macros file by searching with “harden” in the file. - https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/rawhide/f/macros.