Guide to the Secure Configuration of Fedora
Rules, Groups, and Values defined within the XCCDF Benchmark
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.Group -
Prefer to use a 64-bit Operating System when supported
Prefer installation of 64-bit operating systems when the CPU supports it.Rule Medium Severity -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of ...Group -
Verify Integrity with RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadat...Group -
pwhistory_remember
Prevent password re-use using password history lookupValue -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
net.ipv6.conf.all.accept_redirects
Toggle ICMP Redirect AcceptanceValue -
Audit Configuration Files Must Be Owned By Group root
All audit configuration files must be owned by group root.chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
Hash function for kernel module signing
The hash function to use when signing modules during kernel build process.Value -
Disable Dovecot
If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.Group -
McAfee Endpoint Security Software
In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.Group -
Install AIDE
Theaidepackage can be installed with the following command:$ sudo dnf install aide
Rule Medium Severity -
Build and Test AIDE Database
Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the file <code>/var/lib/aide/aide.db.new.gz</code>. Sto...Rule Medium Severity -
Configure AIDE to Verify the Audit Tools
The operating system file integrity tool must be configured to protect the integrity of the audit tools.Rule Medium Severity -
Install Intrusion Detection Software
The base Fedora platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confi...Rule High Severity -
Enable Dracut FIPS Module
To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> To enable FIPS, the system requires that the <code>fips</code> module is added in <code>dracut</code> configurati...Rule High Severity -
Ensure '/etc/system-fips' exists
On a system where FIPS mode is enabled,/etc/system-fipsmust exist. To enable FIPS mode, run the following command:fips-mode-setup --enable
Rule High Severity -
Set kernel parameter 'crypto.fips_enabled' to 1
System running in FIPS mode is indicated by kernel parameter <code>'crypto.fips_enabled'</code>. This parameter should be set to <code>1</code> in FIPS mode. To enable FIPS mode, run the following ...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.