Guide to the Secure Configuration of Fedora
Rules, Groups, and Values defined within the XCCDF Benchmark
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.Group -
Prefer to use a 64-bit Operating System when supported
Prefer installation of 64-bit operating systems when the CPU supports it.Rule Medium Severity -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of ...Group -
Verify Integrity with RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadat...Group -
pwhistory_remember
Prevent password re-use using password history lookupValue -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
net.ipv6.conf.all.accept_redirects
Toggle ICMP Redirect AcceptanceValue -
Audit Configuration Files Must Be Owned By Group root
All audit configuration files must be owned by group root.chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
Hash function for kernel module signing
The hash function to use when signing modules during kernel build process.Value -
Disable Dovecot
If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.Group -
McAfee Endpoint Security Software
In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.Group -
Install AIDE
Theaidepackage can be installed with the following command:$ sudo dnf install aide
Rule Medium Severity -
Build and Test AIDE Database
Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the file <code>/var/lib/aide/aide.db.new.gz</code>. Sto...Rule Medium Severity -
Configure AIDE to Verify the Audit Tools
The operating system file integrity tool must be configured to protect the integrity of the audit tools.Rule Medium Severity -
Install Intrusion Detection Software
The base Fedora platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confi...Rule High Severity -
Enable Dracut FIPS Module
To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> To enable FIPS, the system requires that the <code>fips</code> module is added in <code>dracut</code> configurati...Rule High Severity -
Ensure '/etc/system-fips' exists
On a system where FIPS mode is enabled,/etc/system-fipsmust exist. To enable FIPS mode, run the following command:fips-mode-setup --enable
Rule High Severity -
Set kernel parameter 'crypto.fips_enabled' to 1
System running in FIPS mode is indicated by kernel parameter <code>'crypto.fips_enabled'</code>. This parameter should be set to <code>1</code> in FIPS mode. To enable FIPS mode, run the following ...Rule High Severity -
System Cryptographic Policies
Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy applicable for the various cryptographic back-ends, ...Group -
The system-provided crypto policies
Specify the crypto policy for the system.Value -
Configure BIND to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check tha...Rule High Severity -
Configure GnuTLS library to use DoD-approved TLS Encryption
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. GnuTLS is supported by system crypto policy, but the GnuTLS configuration may be set up to ignore it. T...Rule Medium Severity -
Configure Kerberos to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that...Rule High Severity -
Configure Libreswan to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore ...Rule High Severity -
Configure OpenSSL library to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To chec...Rule Medium Severity -
Configure SSH to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that C...Rule Medium Severity -
Harden SSH client Crypto Policy
Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client. To override the system wide crypto policy for Openssh client, place a file ...Rule Medium Severity -
Harden SSHD Crypto Policy
Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server. The SSHD service is by default configured to modify its configuration based...Rule Medium Severity -
Operating System Vendor Support and Certification
The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product. A ce...Group -
The Installed Operating System Is FIPS 140-2 Certified
To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with FIPS 140-2 standard.Rule High Severity -
The Installed Operating System Is Vendor Supported
The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for provi...Rule High Severity -
Endpoint Protection Software
Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base pla...Group -
Configure Backups of User Data
The operating system must conduct backups of user data contained in the operating system. The operating system provides utilities for automating backups of user data. Commercial and open-source pro...Rule Medium Severity -
Install Virus Scanning Software
Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configu...Rule High Severity -
McAfee Host-Based Intrusion Detection Software (HBSS)
McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems.Group -
Install the Host Intrusion Prevention System (HIPS) Module
Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.Rule Medium Severity -
Encrypt Partitions
Fedora natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. <br> ...Rule High Severity -
Ensure /boot Located On Separate Partition
It is recommended that the <code>/boot</code> directory resides on a separate partition. This makes it easier to apply restrictions e.g. through the <code>noexec</code> mount option. Eventually, th...Rule Medium Severity -
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). If <code>/home</code> will be mounted from ...Rule Low Severity -
Ensure /opt Located On Separate Partition
It is recommended that the/optdirectory resides on a separate partition.Rule Medium Severity -
Ensure /srv Located On Separate Partition
If a file server (FTP, TFTP...) is hosted locally, create a separate partition for <code>/srv</code> at installation time (or migrate it later using LVM). If <code>/srv</code> will be mounted from ...Rule Unknown Severity -
Ensure /tmp Located On Separate Partition
The/tmpdirectory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.Rule Low Severity -
Ensure /usr Located On Separate Partition
It is recommended that the/usrdirectory resides on a separate partition.Rule Medium Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation...Rule Low Severity -
Ensure /var/log Located On Separate Partition
System logs are stored in the/var/logdirectory. Ensure that/var/loghas its own partition or logical volume at installation time, or migrate it using LVM.Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volume at installation time, or migrate it using LVM. M...Rule Low Severity -
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the <pre>dconf update</pre> command. More specific...Rule High Severity -
Configure GNOME3 DConf User Profile
By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf ...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules