Guide to the Secure Configuration of Fedora
Rules, Groups, and Values defined within the XCCDF Benchmark
-
net.ipv4.conf.all.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect PacketsValue -
net.ipv4.conf.all.rp_filter
Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense whe...Value -
net.ipv4.conf.all.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.Value -
net.ipv4.conf.all.shared_media
Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...Value -
net.ipv4.conf.default.accept_redirects
Disable ICMP Redirect Acceptance?Value -
net.ipv4.conf.default.accept_source_route
Disable IP source routing?Value -
net.ipv4.conf.default.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect PacketsValue -
net.ipv4.conf.default.rp_filter
Enables source route verificationValue -
net.ipv4.conf.default.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packages by default.Value -
net.ipv4.conf.default.shared_media
Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...Value -
net.ipv4.icmp_echo_ignore_broadcasts
Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicastValue -
net.ipv4.icmp_ignore_bogus_error_responses
Enable to prevent unnecessary loggingValue -
net.ipv4.tcp_syncookies
Enable to turn on TCP SYN Cookie ProtectionValue -
Disable WiFi or Bluetooth in BIOS
Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup duri...Rule Unknown Severity -
Disable RDS Support
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the syst...Rule Low Severity -
Network Parameters for Hosts Only
If the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network traffic.Group -
Disable SCTP Support
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection...Rule Medium Severity -
Uncomplicated Firewall (ufw)
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a compl...Group -
Uncommon Network Protocols
The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences ca...Group -
Disable IEEE 1394 (FireWire) Support
The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the <code>firewire-core</code> kernel module from being loaded, add the...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.