Definition of Fedora Common User Security Policy for fedora

1.1: Protection of the BIOS or UEFI

Description: Users should protect their BIOS or UEFI with a password.

• default

Automated: no

No rules selected

1.2: Proper BIOS or UEFI Configuration

Description: Users should disable features and devices in the BIOS or UEFI that are not in use and should only include trusted devices in the boot order.

• default

Automated: no

No rules selected

1.3: 64-bit OS

Description: When possible, users should use a 64-bit system and hardware that supports it.

• default

Automated: no

No rules selected

2.1: Security Policy Selection

Description: Users should apply the Fedora Common User Security Policy in the installer.

• default

Automated: no

No rules selected

2.2: Disk Partitioning

Description: Users should put the /home, /tmp, /var, /var/tmp and /var/log directories on separate partitions.

• default

Automated: no

No rules selected

2.3: Password Security

Description: Users should ensure that all account passwords adhere to the password rules in rule 4.1.

• default

Automated: no

No rules selected

2.4: Disk Encryption

Description: Users should encrypt their disk with a passphrase that adheres to the password rules in rule 4.1.

• default

Automated: no

No rules selected

3.1: Bootloader Security

Description: If the BIOS or UEFI does not allow password protection of the boot process, users should set a bootloader password.

• default

Automated: no

• file_groupowner_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg Group Ownership
• file_groupowner_efi_user_cfg: Verify /boot/grub2/user.cfg Group Ownership
• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership
• file_groupowner_user_cfg: Verify /boot/grub2/user.cfg Group Ownership
• file_owner_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg User Ownership
• file_owner_efi_user_cfg: Verify /boot/grub2/user.cfg User Ownership
• file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership
• file_owner_user_cfg: Verify /boot/grub2/user.cfg User Ownership
• file_permissions_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg Permissions
• file_permissions_efi_user_cfg: Verify /boot/grub2/user.cfg Permissions
• file_permissions_grub2_cfg: Verify /boot/grub2/grub.cfg Permissions
• file_permissions_user_cfg: Verify /boot/grub2/user.cfg Permissions
• grub2_password: Set Boot Loader Password in grub2
• grub2_uefi_password: Set the UEFI Boot Loader Password

3.2: Software Updates

Description: Users should apply updates from the GNOME Software application at least once per day.

• default

Automated: no

• package_gnome_software_installed: Install GNOME Software

3.3: Filesystem Configuration

Description: Directories /home (-noexec), /tmp, /var, /var/tmp and /var/log mount option configuration.

• default

Automated: yes

• kernel_module_cramfs_disabled: Disable Mounting of cramfs
• kernel_module_squashfs_disabled: Disable Mounting of squashfs
• kernel_module_udf_disabled: Disable Mounting of udf
• mount_option_home_nodev: Add nodev Option to /home
• mount_option_home_nosuid: Add nosuid Option to /home

3.4: Crypto Policy

Description: System cryto policy configuation and ensuring it is not overridden in critical components.

• default

Automated: yes

• configure_bind_crypto_policy: Configure BIND to use System Crypto Policy
• configure_crypto_policy: Configure System Cryptography Policy
• configure_gnutls_tls_crypto_policy: Configure GnuTLS library to use DoD-approved TLS Encryption
• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy
• configure_libreswan_crypto_policy: Configure Libreswan to use System Crypto Policy
• configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
• configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy
• var_system_crypto_policy = default_policy

3.5: Auditing and Logging

Description: Auditd and journald configutation.

• default

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_immutable: Make the auditd Configuration Immutable
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_mac_modification: Record Events that Modify the System's Mandatory Access Controls
• audit_rules_mac_modification_usr_share: Record Events that Modify the System's Mandatory Access Controls in usr/share
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_networkconfig_modification: Record Events that Modify the System's Network Environment
• audit_rules_privileged_commands: Ensure auditd Collects Information on the Use of Privileged Commands
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run
• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions
• audit_rules_time_adjtimex: Record attempts to alter time through adjtimex
• audit_rules_time_clock_settime: Record Attempts to Alter Time Through clock_settime
• audit_rules_time_settimeofday: Record attempts to alter time through settimeofday
• audit_rules_time_stime: Record Attempts to Alter Time Through stime
• audit_rules_time_watch_localtime: Record Attempts to Alter the localtime File
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• audit_sudo_log_events: Record Attempts to perform maintenance activities
• auditd_data_retention_max_log_file: Configure auditd Max Log File Size
• auditd_data_retention_max_log_file_action: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon
• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon
• journald_compress: Ensure journald is configured to compress large log files
• journald_storage: Ensure journald is configured to write log files to persistent disk
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service
• service_systemd-journald_enabled: Enable systemd-journald Service
• socket_systemd-journal-remote_disabled: Disable systemd-journal-remote Socket
• var_auditd_max_log_file = 6
• var_auditd_max_log_file_action = rotate

3.6: Files, Permissions, and Ownership

Description: User and critical system file permissions and ownership, user and group file and directory ownership, identifiers.

• default

Automated: no

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs
• account_unique_name: Ensure All Accounts on the System Have Unique Names
• accounts_no_uid_except_zero: Verify Only Root Has UID 0
• accounts_root_path_dirs_no_write: Ensure that Root's Path Does Not Include World or Group-Writable Directories
• accounts_user_dot_no_world_writable_programs: User Initialization Files Must Not Run World-Writable Programs
• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist
• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set
• file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File
• file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File
• file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File
• file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File
• file_groupowner_etc_group: Verify Group Who Owns group File
• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
• file_groupowner_etc_passwd: Verify Group Who Owns passwd File
• file_groupowner_etc_shadow: Verify Group Who Owns shadow File
• file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group
• file_owner_backup_etc_group: Verify User Who Owns Backup group File
• file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File
• file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File
• file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File
• file_owner_etc_group: Verify User Who Owns group File
• file_owner_etc_gshadow: Verify User Who Owns gshadow File
• file_owner_etc_passwd: Verify User Who Owns passwd File
• file_owner_etc_shadow: Verify User Who Owns shadow File
• file_ownership_home_directories: All Interactive User Home Directories Must Be Owned By The Primary User
• file_permissions_backup_etc_group: Verify Permissions on Backup group File
• file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File
• file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File
• file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File
• file_permissions_etc_group: Verify Permissions on group File
• file_permissions_etc_gshadow: Verify Permissions on gshadow File
• file_permissions_etc_passwd: Verify Permissions on passwd File
• file_permissions_etc_shadow: Verify Permissions on shadow File
• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
• file_permissions_unauthorized_world_writable: Ensure No World-Writable Files Exist
• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group
• gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group
• group_unique_id: Ensure All Groups on the System Have Unique Group ID
• group_unique_name: Ensure All Groups on the System Have Unique Group Names
• no_empty_passwords_etc_shadow: Ensure There Are No Accounts With Blank or Null Passwords
• no_files_unowned_by_user: Ensure All Files Are Owned by a User

3.7: Memory Protection

Description: Enable ASLR and ExecShield, restrict exposed kernel pointer.

• default

Automated: yes

• sysctl_kernel_exec_shield: Enable ExecShield via sysctl
• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access
• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

3.8: GUI Configuration

Description: Do not show user list, disable xdmpc and auto login, set up idle lock and protect the settings.

• default

Automated: yes

• gnome_gdm_disable_automatic_login: Disable GDM Automatic Login
• gnome_gdm_disable_xdmcp: Disable XDMCP in GDM

3.9: Time and Schedulers

Description: Chrony and time-based scheduler security configuration.

• default

Automated: yes

• chronyd_client_only: Disable chrony daemon from acting as server
• chronyd_no_chronyc_network: Disable network management of chrony daemon
• chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
• chronyd_run_as_chrony_user: Ensure that chronyd is running under chrony user account
• chronyd_specify_remote_server: A remote time server for Chrony is configured
• file_groupowner_at_allow: Verify Group Who Owns /etc/at.allow file
• file_groupowner_cron_allow: Verify Group Who Owns /etc/cron.allow file
• file_groupowner_cron_d: Verify Group Who Owns cron.d
• file_groupowner_cron_daily: Verify Group Who Owns cron.daily
• file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
• file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
• file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
• file_groupowner_crontab: Verify Group Who Owns Crontab
• file_owner_at_allow: Verify User Who Owns /etc/at.allow file
• file_owner_cron_allow: Verify User Who Owns /etc/cron.allow file
• file_owner_cron_d: Verify Owner on cron.d
• file_owner_cron_daily: Verify Owner on cron.daily
• file_owner_cron_hourly: Verify Owner on cron.hourly
• file_owner_cron_monthly: Verify Owner on cron.monthly
• file_owner_cron_weekly: Verify Owner on cron.weekly
• file_owner_crontab: Verify Owner on crontab
• file_permissions_at_allow: Verify Permissions on /etc/at.allow file
• file_permissions_cron_allow: Verify Permissions on /etc/cron.allow file
• file_permissions_cron_d: Verify Permissions on cron.d
• file_permissions_cron_daily: Verify Permissions on cron.daily
• file_permissions_cron_hourly: Verify Permissions on cron.hourly
• file_permissions_cron_monthly: Verify Permissions on cron.monthly
• file_permissions_cron_weekly: Verify Permissions on cron.weekly
• file_permissions_crontab: Verify Permissions on crontab

3.10: Service Minimization

Description: Users should remove any services that are not necessary for normal system usage.

• default

Automated: no

• package_bind_removed: Uninstall bind Package
• package_cyrus-imapd_removed: Uninstall cyrus-imapd Package
• package_dhcp_removed: Uninstall DHCP Server Package
• package_dovecot_removed: Uninstall dovecot Package
• package_httpd_removed: Uninstall httpd Package
• package_net-snmp_removed: Uninstall net-snmp Package
• package_nginx_removed: Uninstall nginx Package
• package_rsh-server_removed: Uninstall rsh-server Package
• package_rsh_removed: Uninstall rsh Package
• package_rsync_removed: Uninstall rsync Package
• package_samba_removed: Uninstall Samba Package
• package_sendmail_removed: Uninstall Sendmail Package
• package_squid_removed: Uninstall squid Package
• package_talk-server_removed: Uninstall talk-server Package
• package_talk_removed: Uninstall talk Package
• package_telnet-server_removed: Uninstall telnet-server Package
• package_telnet_removed: Remove telnet Clients
• package_tftp-server_removed: Uninstall tftp-server Package
• package_tftp_removed: Remove tftp Daemon
• package_vsftpd_removed: Uninstall vsftpd Package
• package_xinetd_removed: Uninstall xinetd Package
• package_ypbind_removed: Remove NIS Client
• package_ypserv_removed: Uninstall ypserv Package
• service_nfs_disabled: Disable Network File System (nfs)
• service_rpcbind_disabled: Disable rpcbind Service

4.1: Account Protection

Description: All account passwords must be passphrases of at least 4 words and 15 characters with at least three character classes, generated with a large wordlist and a source of randomness.

• default

Automated: no

• account_password_selinux_faillock_dir: An SELinux Context must be configured for the pam_faillock.so records directory
• accounts_password_pam_difok: Ensure PAM Enforces Password Requirements - Minimum Different Characters
• accounts_password_pam_maxrepeat: Set Password Maximum Consecutive Repeating Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_pwquality_password_auth: Ensure PAM password complexity module is enabled in password-auth
• accounts_password_pam_pwquality_system_auth: Ensure PAM password complexity module is enabled in system-auth
• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• accounts_root_gid_zero: Verify Root Has A Primary GID 0
• accounts_tmout: Set Interactive Session Timeout
• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs
• accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile
• enable_authselect: Enable authselect
• no_empty_passwords: Prevent Login to Accounts With Empty Password
• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
• var_accounts_tmout = 15_min
• var_accounts_user_umask = 027
• var_password_hashing_algorithm = SHA512
• var_password_hashing_algorithm_pam = sha512
• var_password_pam_difok = 8
• var_password_pam_minclass = 3
• var_password_pam_minlen = 15
• var_password_pam_remember = 5
• var_password_pam_remember_control_flag = requisite_or_required

4.2: Sudo

Description: Secure sudo configuration.

• default

Automated: yes

• package_sudo_installed: Install sudo Package
• sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
• sudo_custom_logfile: Ensure Sudo Logfile Exists - sudo logfile
• sudo_require_authentication: Ensure Users Re-Authenticate for Privilege Escalation - sudo
• sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command
• sudoers_default_includedir: Ensure sudo only includes the default configuration directory
• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

4.3: SSH Server

Description: Secure ssh server configuration.

• default

Automated: yes

• disable_host_auth: Disable Host-Based Authentication
• file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file
• file_owner_sshd_config: Verify Owner on SSH Server config file
• file_permissions_sshd_config: Verify Permissions on SSH Server config file
• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files
• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files
• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords
• sshd_disable_gssapi_auth: Disable GSSAPI Authentication
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_disable_rhosts: Disable SSH Support for .rhosts Files
• sshd_disable_root_login: Disable SSH Root Login
• sshd_disable_tcp_forwarding: Disable SSH TCP Forwarding
• sshd_disable_x11_forwarding: Disable X11 Forwarding
• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options
• sshd_enable_pam: Enable PAM
• sshd_enable_strictmodes: Enable Use of Strict Mode Checking
• sshd_idle_timeout_value = 15_minutes
• sshd_max_auth_tries_value = 4
• sshd_rekey_limit: Force frequent session key renegotiation
• sshd_set_idle_timeout: Set SSH Client Alive Interval
• sshd_set_keepalive: Set SSH Client Alive Count Max
• sshd_set_keepalive_0: Set SSH Client Alive Count Max to zero
• sshd_set_login_grace_time: Ensure SSH LoginGraceTime is configured
• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sshd_set_max_sessions: Set SSH MaxSessions limit
• sshd_set_maxstartups: Ensure SSH MaxStartups is configured
• sshd_use_strong_rng: SSH server uses strong entropy to seed
• sshd_x11_use_localhost: Prevent remote hosts from connecting to the proxy display
• var_rekey_limit_size = 1G
• var_rekey_limit_time = 1hour
• var_sshd_max_sessions = 10
• var_sshd_set_keepalive = 0
• var_sshd_set_login_grace_time = 60
• var_sshd_set_maxstartups = 10:30:60

5.1: General Network Configuration

Description: If users did not configure IPv6 on the system and it is not needed, it should be disabled.

• default

Automated: no

• kernel_module_dccp_disabled: Disable DCCP Support
• kernel_module_sctp_disabled: Disable SCTP Support
• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_redirects_value = disabled
• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_source_route_value = disabled
• sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_log_martians_value = enabled
• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_rp_filter_value = enabled
• sysctl_net_ipv4_conf_all_secure_redirects: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_secure_redirects_value = disabled
• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
• sysctl_net_ipv4_conf_default_accept_redirects_value = disabled
• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_accept_source_route_value = disabled
• sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_log_martians_value = enabled
• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_rp_filter_value = enabled
• sysctl_net_ipv4_conf_default_secure_redirects: Configure Kernel Parameter for Accepting Secure Redirects By Default
• sysctl_net_ipv4_conf_default_secure_redirects_value = disabled
• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
• sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value = enabled
• sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
• sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value = enabled
• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
• sysctl_net_ipv4_tcp_syncookies_value = enabled
• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_redirects_value = disabled
• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_source_route_value = disabled
• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
• sysctl_net_ipv6_conf_default_accept_redirects_value = disabled
• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
• sysctl_net_ipv6_conf_default_accept_source_route_value = disabled

5.2: Firewall Configuration

Description: Users should ensure that all network interfaces are in the appropriate firewall zone and that ports and services allowed by the firewall are reduced to the necessary minimum.

• default

Automated: no

• package_firewalld_installed: Install firewalld Package
• service_firewalld_enabled: Verify firewalld Enabled
• service_nftables_disabled: Verify nftables Service is Disabled

6.1: Web Browser

Description: Users should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. If the default Firefox application must be used, the users should apply the Common User Security Profile for Mozilla Firefox CaC profile.

• default

Automated: no

No rules selected

7.1: Mandatory Access Control

Description: Ensure SELinux is installed and enabled, in enforcing mode using targeted policy.

• default

Automated: no

• grub2_enable_selinux: Ensure SELinux Not Disabled in /etc/default/grub
• package_libselinux_installed: Install libselinux Package
• package_mcstrans_removed: Uninstall mcstrans Package
• selinux_policytype: Configure SELinux Policy
• selinux_state: Ensure SELinux State is Enforcing
• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks
• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks
• var_selinux_policy_name = targeted
• var_selinux_state = enforcing

7.2: Periodic Compliance Scans

Description: Users should perform periodic system scans and remediations with the Common User Security Profile by using the oscap tool or SCAP Workbench.

• default

Automated: no

No rules selected