CUSP - Common User Security Profile for Fedora Workstation
Rules and Groups employed by this XCCDF Profile
-
Verify User Who Owns shadow File
To properly set the owner of/etc/shadow, run the command:$ sudo chown root /etc/shadow
Rule Medium Severity -
Verify Permissions on Backup group File
To properly set the permissions of/etc/group-, run the command:$ sudo chmod 0644 /etc/group-
Rule Medium Severity -
Verify Permissions on Backup gshadow File
To properly set the permissions of/etc/gshadow-, run the command:$ sudo chmod 0000 /etc/gshadow-
Rule Medium Severity -
Verify Permissions on Backup passwd File
To properly set the permissions of/etc/passwd-, run the command:$ sudo chmod 0644 /etc/passwd-
Rule Medium Severity -
Verify Permissions on Backup shadow File
To properly set the permissions of/etc/shadow-, run the command:$ sudo chmod 0000 /etc/shadow-
Rule Medium Severity -
Verify Permissions on group File
To properly set the permissions of/etc/group, run the command:$ sudo chmod 0644 /etc/group
Rule Medium Severity -
Verify Permissions on gshadow File
To properly set the permissions of/etc/gshadow, run the command:$ sudo chmod 0000 /etc/gshadow
Rule Medium Severity -
Verify Permissions on passwd File
To properly set the permissions of/etc/passwd, run the command:$ sudo chmod 0644 /etc/passwd
Rule Medium Severity -
Verify Permissions on shadow File
To properly set the permissions of/etc/shadow, run the command:$ sudo chmod 0000 /etc/shadow
Rule Medium Severity -
Restrict Dynamic Mounting and Unmounting of Filesystems
Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary...Group -
Disable Mounting of cramfs
To configure the system to prevent the <code>cramfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe...Rule Low Severity -
Disable Mounting of squashfs
To configure the system to prevent the <code>squashfs</code> kernel module from being loaded, add the following line to the file <code>/etc/modpro...Rule Low Severity -
Disable Mounting of udf
To configure the system to prevent the <code>udf</code> kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/...Rule Low Severity -
Restrict Partition Mount Options
System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fst...Group -
Add nodev Option to /home
The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/home</code>. Legitimate character and block de...Rule Unknown Severity -
Add nosuid Option to /home
The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions shoul...Rule Medium Severity -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...Group -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
Enable ExecShield via sysctl
By default on Fedora 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in <...Rule Medium Severity -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_r...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.