Guide to the Secure Configuration of Fedora
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Make Each System a Client or a Server, not Both
If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary s...Group -
Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never b...Group -
Configure lockd to use static TCP port
Configure the <code>lockd</code> daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the fil...Rule Unknown Severity -
Configure lockd to use static UDP port
Configure the <code>lockd</code> daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the fil...Rule Unknown Severity -
Configure mountd to use static port
Configure the <code>mountd</code> daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file <...Rule Unknown Severity -
Configure statd to use static port
Configure the <code>statd</code> daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file <c...Rule Unknown Severity -
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Disable NFS Server Daemons
There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...Group -
Disable Network File System (nfs)
The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...Rule Unknown Severity -
Disable Secure RPC Server Service (rpcsvcgssd)
The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service ...Rule Unknown Severity -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Specify UID and GID for Anonymous NFS Connections
To specify the UID and GID for remote root users, edit the <code>/etc/exports</code> file and add the following for each export: <pre> anonuid=<cod...Rule Unknown Severity -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...Group -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Ensure All-Squashing Disabled On All Exports
The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...Rule Low Severity -
Ensure Insecure File Locking is Not Allowed
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients s...Rule Medium Severity -
Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control ove...Rule Unknown Severity -
Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobo...Rule Unknown Severity -
Configure the Exports File Restrictively
Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...Group -
Export Filesystems Read-Only if Possible
If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.