Guide to the Secure Configuration of Fedora
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable acquiring, saving, and processing core dumps
Thesystemd-coredump.socketunit is a socket activation of thesystemd-coredump@.servicewhich processes core dumps. By masking the unit, core dump processing is disabled.Rule Medium Severity -
Disable core dump backtraces
The <code>ProcessSizeMax</code> option in <code>[Coredump]</code> section of <code>/etc/systemd/coredump.conf</code> specifies the maximum size in bytes of a core which will be processed. Core dump...Rule Medium Severity -
Uninstall mcstrans Package
The <code>mcstransd</code> daemon provides category label information to client processes requesting information. The label translations are defined in <code>/etc/selinux/targeted/setrans.conf</cod...Rule Low Severity -
Daemon Umask
The umask is a per-process setting which limits the default permissions for creation of new files and directories. The system includes initialization scripts which set the default umask for system ...Group -
daemon umask
Enter umask for daemonsValue -
Set Daemon Umask
The file <code>/etc/init.d/functions</code> includes initialization parameters for most or all daemons started at boot time. Many daemons on the system already individually restrict themselves to a...Rule Unknown Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...Group -
kernel.kptr_restrict
Configure exposition of kernel pointer addressesValue -
Enable ExecShield via sysctl
By default on Fedora 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in/etc/default/grub.Rule Medium Severity -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules