Guide to the Secure Configuration of Fedora
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify User Who Owns Backup group File
To properly set the owner of/etc/group-, run the command:$ sudo chown root /etc/group-
Rule Medium Severity -
Verify Permissions on shadow File
To properly set the permissions of/etc/shadow, run the command:$ sudo chmod 0000 /etc/shadow
Rule Medium Severity -
Verify that Shared Library Directories Have Root Group Ownership
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...Rule Medium Severity -
Verify that Shared Library Directories Have Root Ownership
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...Rule Medium Severity -
Verify that Shared Library Directories Have Restrictive Permissions
System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /...Rule Medium Severity -
Verify that Shared Library Files Have Restrictive Permissions
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pr...Rule Medium Severity -
Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
System-wide library files are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pre> All system-wide shared library files should be protected from unauthorised ...Rule Medium Severity -
Disable Mounting of hfs
To configure the system to prevent the <code>hfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/hfs.conf</code>: <pre>install hfs /bin/false</pre>...Rule Low Severity -
Disable Mounting of jffs2
To configure the system to prevent the <code>jffs2</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/jffs2.conf</code>: <pre>install jffs2 /bin/false...Rule Low Severity -
Disable Mounting of squashfs
To configure the system to prevent the <code>squashfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/squashfs.conf</code>: <pre>install squashfs /...Rule Low Severity -
Disable storing core dumps
To set the runtime status of the <code>kernel.core_pattern</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.core_pattern=|/bin/false</pre> To make sure that the sett...Rule Medium Severity -
Configure file name of core dumps
To set the runtime status of the <code>kernel.core_uses_pid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.core_uses_pid=0</pre> To make sure that the setting is p...Rule Medium Severity -
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to acc...Group -
Disable Core Dumps for All Users
To disable core dumps for all users, add the following line to <code>/etc/security/limits.conf</code>, or to a file within the <code>/etc/security/limits.d/</code> directory: <pre>* hard core...Rule Medium Severity -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persisten...Rule Medium Severity -
Enable page allocator poisoning
To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to ...Rule Medium Severity -
Enable SLUB/SLAB allocator poisoning
To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"></xccdf-1.2:sub> <...Rule Medium Severity -
Uninstall setroubleshoot-plugins Package
The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>setroub...Rule Low Severity -
Ensure No Device Files are Unlabeled by SELinux
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type <code>device_t</code> or <cod...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Fedora installs on a system and disable software which is not neede...Group -
Disable Avahi Publishing
To prevent Avahi from publishing its records, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line appears in the <code>[publish]</code> section: <pre>disable-publishing=yes...Rule Low Severity -
Uninstall Automatic Bug Reporting Tool (abrt)
The Automatic Bug Reporting Tool (<code>abrt</code>) collects and reports crash data when an application crash is detected. Using a variety of plugins, abrt can email crash reports to system admini...Rule Medium Severity -
Verify Group Who Owns cron.daily
To properly set the group owner of/etc/cron.daily, run the command:$ sudo chgrp root /etc/cron.daily
Rule Medium Severity -
Verify Group Who Owns cron.hourly
To properly set the group owner of/etc/cron.hourly, run the command:$ sudo chgrp root /etc/cron.hourly
Rule Medium Severity -
Verify Group Who Owns cron.weekly
To properly set the group owner of/etc/cron.weekly, run the command:$ sudo chgrp root /etc/cron.weekly
Rule Medium Severity -
Verify Permissions on cron.hourly
To properly set the permissions of/etc/cron.hourly, run the command:$ sudo chmod 0700 /etc/cron.hourly
Rule Medium Severity -
Verify Permissions on cron.monthly
To properly set the permissions of/etc/cron.monthly, run the command:$ sudo chmod 0700 /etc/cron.monthly
Rule Medium Severity -
Restrict at and cron to Authorized Users if Necessary
The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to delay execution of processes. If these files exist an...Group -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends configuring...Group -
Minimize the DHCP-Configured Options
Create the file <code>/etc/dhcp/dhclient.conf</code>, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the follo...Rule Unknown Severity -
Configure Firewalls to Protect the FTP Server
By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 21 traffic, one must edit <code>/etc/sysconfig/iptables</code>...Rule Unknown Severity -
Install vsftpd Package
If this system must operate as an FTP server, install the <code>vsftpd</code> package via the standard channels. The <code>vsftpd</code> package can be installed with the following command: <pre> $...Rule Low Severity -
Web Server
The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br> <br> <ul> <li>The HTTP port is commo...Group -
Uninstall cyrus-imapd Package
Thecyrus-imapdpackage can be removed with the following command:$ sudo dnf remove cyrus-imapd
Rule Unknown Severity -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>openldap-clients</code> package can be removed wit...Rule Low Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Configure System to Forward All Mail From Postmaster to The Root Account
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...Rule Medium Severity -
Uninstall nfs-utils Package
Thenfs-utilspackage can be removed with the following command:$ sudo dnf remove nfs-utils
Rule Low Severity -
Disable rpcbind Service
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they e...Rule Low Severity -
Disable RPC ID Mapping Service (rpcidmapd)
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The <code>rpcidmap...Rule Unknown Severity -
Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never be accessible from outside the organization. Howeve...Group -
Specify UID and GID for Anonymous NFS Connections
To specify the UID and GID for remote root users, edit the <code>/etc/exports</code> file and add the following for each export: <pre> anonuid=<code>value greater than UID_MAX from /etc/login.defs<...Rule Unknown Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
Enable the NTP Daemon
Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If the service is running, it should return the follo...Rule Medium Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...Rule Medium Severity -
Specify Additional Remote NTP Servers
Depending on specific functional requirements of a concrete production environment, the Fedora system can be configured to utilize the services of the <code>chronyd</code> NTP daemon (the default),...Rule Medium Severity -
Ensure Chrony is only configured with the server directive
Check that Chrony only has time sources configured with theserverdirective.Rule Medium Severity -
Configure server restrictions for ntpd
ntpd is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information...Rule Medium Severity -
Uninstall ypserv Package
Theypservpackage can be removed with the following command:$ sudo dnf remove ypserv
Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules