OSPP - Protection Profile for General Purpose Operating Systems
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of ...Group -
Verify Integrity with RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadat...Group -
Verify File Hashes with RPM
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed...Rule High Severity -
Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working groups to validate the quality of cryptographic mod...Group -
Enable FIPS Mode
To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> <br> The <code>fips-mode-setup</code> command will configure the system in FIPS mode by automatically c...Rule High Severity -
System Cryptographic Policies
Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy applicable for the various cryptographic back-ends, ...Group -
Configure BIND to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check tha...Rule High Severity -
Configure System Cryptography Policy
To configure the system cryptography policy to use ciphers only from the <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" use="legacy"></xccdf-1.2:sub></code...Rule High Severity -
Configure Kerberos to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that...Rule High Severity -
Configure Libreswan to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore ...Rule High Severity -
Configure OpenSSL library to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To chec...Rule Medium Severity -
Configure SSH to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that C...Rule Medium Severity -
Operating System Vendor Support and Certification
The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product. A ce...Group -
The Installed Operating System Is Vendor Supported
The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for provi...Rule High Severity -
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphically rather than textually. The GNOME Graphical D...Group -
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the <pre>dconf update</pre> command. More specific...Rule High Severity -
Configure GNOME Login Screen
In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to login automatically and/or with a guest ac...Group -
Set the GNOME3 Login Number of Failures
In the default graphical environment, the GNOME3 login screen and be configured to restart the authentication process after a configured number of attempts. This can be configured by setting <code>...Rule Medium Severity -
Disable GDM Automatic Login
The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are...Rule High Severity -
Disable GDM Guest Login
The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access ha...Rule High Severity -
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock</b>. <br> <br> The following sections deta...Group -
Enable GNOME3 Screensaver Idle Activation
To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <code>idle-activation-enabled</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-setti...Rule Medium Severity -
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate configuration file(s) in the <code>/etc/dconf/db/...Rule Medium Severity -
Set GNOME3 Screensaver Lock Delay After Activation Period
To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set <code>lock-delay</code> to <code>uint32 <xccdf-1.2:sub idref="xccdf_org.ssgproje...Rule Medium Severity -
Enable GNOME3 Screensaver Lock After Idle Period
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <code>lock-enabled</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-settings</co...Rule Medium Severity -
Implement Blank Screensaver
To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set <code>picture-uri</code> to <code>string ''</code> in <code>/etc/dconf/db/local.d/00-security-settings</code>. For...Rule Medium Severity -
Disable Full User Name on Splash Shield
By default when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be dis...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Settings
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <code>/org/gnome/desktop/screensaver/lock-delay</code> to <code>/etc/dconf/db/local.d/locks/00-...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Session Idle Settings
If not already configured, ensure that users cannot change GNOME3 session idle settings by adding <code>/org/gnome/desktop/session/idle-delay</code> to <code>/etc/dconf/db/local.d/locks/00-security...Rule Medium Severity -
System Tooling / Utilities
The following checks evaluate the system for recommended base packages -- both for installation and removal.Group -
Install rng-tools Package
Therng-toolspackage can be installed with the following command:$ sudo dnf install rng-tools
Rule Low Severity -
Updating Software
The <code>dnf</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool in the <b>System</b> menu, in the <b>Administration...Group -
Install dnf-automatic Package
Thednf-automaticpackage can be installed with the following command:$ sudo dnf install dnf-automatic
Rule Medium Severity -
Configure dnf-automatic to Install Available Updates Automatically
To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]...Rule Medium Severity -
Configure dnf-automatic to Install Only Security Updates
To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> under <code>[commands]</code> section in <code>/etc/dn...Rule Low Severity -
Ensure Fedora GPG Key Installed
To ensure the system can cryptographically verify base software packages come from Fedora (and to connect to the Fedora Network to receive them), the Fedora GPG key must properly be installed. To i...Rule High Severity -
Ensure gpgcheck Enabled In Main dnf Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure dnf to check package signatures before installing them, ensure the ...Rule High Severity -
Ensure gpgcheck Enabled for Local Packages
<code>dnf</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>dnf</code> to verify signatures of local packages, set the <code>localpk...Rule High Severity -
Ensure gpgcheck Enabled for All dnf Package Repositories
To ensure signature checking is not disabled for any repos, remove any lines from files in/etc/yum.repos.dof the form:gpgcheck=0
Rule High Severity -
Enable dnf-automatic Timer
Thednf-automatictimer can be enabled with the following command:$ sudo systemctl enable dnf-automatic.timer
Rule Medium Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it mor...Group -
Warning Banners for System Accesses
Each system should expose as little information about itself as possible. <br> <br> System banners, which are typically displayed just before a login prompt, give out information about the s...Group -
Modify the System Login Banner
To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is ei...Rule Medium Severity -
Implement a GUI Warning Banner
In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager (GDM). The warning banner should be displayed in t...Group -
Enable GNOME3 Login Warning Banner
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting <code>banner-message-enable</code> ...Rule Medium Severity -
Set the GNOME3 Login Warning Banner Text
In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting <code>banner-message-tex...Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it sh...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules