CUSP - Common User Security Profile for Fedora Workstation
Rules and Groups employed by this XCCDF Profile
-
Disable NFS Server Daemons
There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems designated as NFS servers. Ensure that these daemons...Group -
Disable Network File System (nfs)
The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service ...Rule Unknown Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
Disable chrony daemon from acting as server
The <code>port</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> to make chrony daemon to never open any listening port for server operation and to operate strictly in a c...Rule Low Severity -
Disable network management of chrony daemon
Thecmdportoption in/etc/chrony.confcan be set to0to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.Rule Low Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...Rule Medium Severity -
Ensure that chronyd is running under chrony user account
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More informati...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Uninstall rsync Package
The rsyncd service can be used to synchronize files between systems over network links. The <code>rsync</code> package can be removed with the following command: <pre> $ sudo dnf remove rsync</pre>...Rule Medium Severity -
Xinetd
The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. It has been large...Group -
Uninstall xinetd Package
Thexinetdpackage can be removed with the following command:$ sudo dnf remove xinetd
Rule Low Severity -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...Group -
Remove NIS Client
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (<code>ypbind</cod...Rule Unknown Severity -
Uninstall ypserv Package
Theypservpackage can be removed with the following command:$ sudo dnf remove ypserv
Rule High Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Uninstall rsh-server Package
Thersh-serverpackage can be removed with the following command:$ sudo dnf remove rsh-server
Rule High Severity -
Uninstall rsh Package
Thershpackage contains the client commands for the rsh servicesRule Unknown Severity -
Chat/Messaging Services
The talk software makes it possible for users to send and receive messages across systems through a terminal session.Group -
Uninstall talk-server Package
Thetalk-serverpackage can be removed with the following command:$ sudo dnf remove talk-server
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules