Skip to content
Log In

Guide to the Secure Configuration of Fedora

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Hash function for kernel module signing

    The hash function to use when signing modules during kernel build process.
    Value
    Show

  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
    Show

  • McAfee Endpoint Security Software

    In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.
    Group
    Show

  • Install AIDE

    The aide package can be installed with the following command: 
    $ sudo dnf install aide
    Rule Medium Severity
    Show

  • Build and Test AIDE Database

    Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the file <code>/var/lib/aide/aide.db.new.gz</code>. Sto...
    Rule Medium Severity
    Show

  • Configure AIDE to Verify the Audit Tools

    The operating system file integrity tool must be configured to protect the integrity of the audit tools.
    Rule Medium Severity
    Show

  • Install Intrusion Detection Software

    The base Fedora platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confi...
    Rule High Severity
    Show

  • Enable Dracut FIPS Module

    To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> To enable FIPS, the system requires that the <code>fips</code> module is added in <code>dracut</code> configurati...
    Rule High Severity
    Show

  • Ensure '/etc/system-fips' exists

    On a system where FIPS mode is enabled, /etc/system-fips must exist. To enable FIPS mode, run the following command: 
    fips-mode-setup --enable
    Rule High Severity
    Show

  • Set kernel parameter 'crypto.fips_enabled' to 1

    System running in FIPS mode is indicated by kernel parameter <code>'crypto.fips_enabled'</code>. This parameter should be set to <code>1</code> in FIPS mode. To enable FIPS mode, run the following ...
    Rule High Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules