Merge pull request #1058 from owncloud/add-urandom-information

Add some more hardening recommendations

admin_manual/configuration_server/harden_server.rst

@@ -8,9 +8,25 @@ ownCloud instance.
 This document lists some security hardenings which require manual interaction by administrators. The whole document content
 is based on the assumption that you run ownCloud Server on Apache2 on a Linux environment.
 
-.. note:: ownCloud will warn you in the administration interface if some critical security relevant options are missing,
-          however in some cases that are considered second level as defense administrators are encouraged to check these
-          hardenings manually.
+.. note:: ownCloud will warn you in the administration interface if some critical security-relevant options are missing.
+          However, it is still up to the server administrator to review and maintain system security.
+
+Operating system
+----------------
+
+Give PHP read accesss to ``/dev/urandom``
+*****************************************
+ownCloud uses a `RFC 4086 ("Randomness Requirements for Security")`_ compliant mixer to generate cryptographically secure
+pseudo-random numbers. This means that when generating a random number ownCloud will request multiple random numbers from
+different sources and derive from these the final random number.
+
+The random number generation also tries to request random numbers from ``/dev/urandom``, thus it is highly recommended to
+configure your setup in such a way that PHP is able to read random data from it.
+
+Enable hardening modules such as SELinux
+****************************************
+It is highly recommend to enable hardening modules such as SELinux where possible. See See :doc:`selinux_configuration.rst`
+to learn more about SELinux.
 
 Deployment
 ----------
@@ -18,8 +34,18 @@ Deployment
 Move data directory outside of the web root
 *******************************************
 It is highly recommended to move the data directory (where ownCloud stores its data) outside of the web root (i.e. outside
-of ``/var/www``), this can be done by modifying the ``datadirectory`` switch in the configuration file. It is possible to
-do this also after an instance has been installed by moving the folder manually.
+of ``/var/www``) It is possible to do this by moving the folder manually, and then adjusting the ``'datadirectory'``
+parameter in ``config.php``.
+
+Disable preview image generation
+********************************
+ownCloud is able to generate preview images of common filetypes such as images or text files. By default the preview generation
+for some file types that we consider secure enough for deployment is enabled by default. However, administrators should be
+aware that these previews are generated using PHP libraries written in C which might be vulnerable to vulnerable attack vectors.
+
+For high security deployments we recommend disabling the preview generation by setting the ``enable_previews`` switch to
+``false`` in ``config.php``. As an administrator you are also able to manage which preview providers are enabled
+by modifying the ``enabledPreviewProviders`` option switch.
 
 Use HTTPS
 ---------
@@ -101,3 +127,4 @@ and verify that above mentioned security headers are shipped.
 
 .. _Mozilla SSL Configuration Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/
 .. _Qualys SSL Labs Tests: https://www.ssllabs.com/ssltest/
+.. _RFC 4086 ("Randomness Requirements for Security"): https://tools.ietf.org/html/rfc4086#section-5.2

admin_manual/installation/selinux_configuration.rst

@@ -48,3 +48,11 @@ Use this setting to allow LDAP connections::
 
  setsebool -P httpd_can_connect_ldap on
   
+Allow access to remote network
+------------------------------
+
+ownCloud requires access to remote networks for functionalities such as Server-to-Server sharing, external storages or
+the app store. To allow this access use the following setting::
+
+ setsebool -P httpd_can_network_connect on
+