{"id": "cusp_fedora", "policy": "Fedora Common User Security Policy", "title": "Fedora Common User Security Policy", "source": "jodehnal's bachelor thesis on creating a SCAP profile for common users of Fedora workstation - link will be added after publication", "definition_location": "/aptdata/openscap/scap-security-guide/controls/cusp_fedora.yml", "controls": [{"id": "1.1", "levels": ["default"], "notes": "", "title": "Protection of the BIOS or UEFI", "description": "Users should protect their BIOS or UEFI with a password.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2", "levels": ["default"], "notes": "", "title": "Proper BIOS or UEFI Configuration", "description": "Users should disable features and devices in the BIOS or UEFI that are not in use and should only include trusted devices in the boot order.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3", "levels": ["default"], "notes": "", "title": "64-bit OS", "description": "When possible, users should use a 64-bit system and hardware that supports it.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.1", "levels": ["default"], "notes": "", "title": "Security Policy Selection", "description": "Users should apply the Fedora Common User Security Policy in the installer.", "rationale": null, "automated": "no", "status": "manual", "mitigation": 
null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2", "levels": ["default"], "notes": "", "title": "Disk Partitioning", "description": "Users should put the /home, /tmp, /var, /var/tmp and /var/log directories on separate partitions.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.3", "levels": ["default"], "notes": "", "title": "Password Security", "description": "Users should ensure that all account passwords adhere to the password rules in rule 4.1.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.4", "levels": ["default"], "notes": "", "title": "Disk Encryption", "description": "Users should encrypt their disk with a passphrase that adheres to the password rules in rule 4.1.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.1", "levels": ["default"], "notes": "", "title": "Bootloader Security", "description": "If the BIOS or UEFI does not allow password protection of the boot process, users should set a bootloader password.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": 
[], "rules": ["file_permissions_grub2_cfg", "file_owner_efi_grub2_cfg", "file_permissions_efi_grub2_cfg", "file_owner_user_cfg", "file_groupowner_efi_grub2_cfg", "grub2_password", "file_groupowner_grub2_cfg", "file_owner_grub2_cfg", "file_groupowner_user_cfg", "file_groupowner_efi_user_cfg", "grub2_uefi_password", "file_permissions_user_cfg", "file_owner_efi_user_cfg", "file_permissions_efi_user_cfg"], "controls": []}, {"id": "3.2", "levels": ["default"], "notes": "", "title": "Software Updates", "description": "Users should apply updates from the GNOME Software application at least once per day.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gnome_software_installed"], "controls": []}, {"id": "3.3", "levels": ["default"], "notes": "", "title": "Filesystem Configuration", "description": "Mount option configuration for the /home (-noexec), /tmp, /var, /var/tmp and /var/log directories.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_udf_disabled", "mount_option_home_nosuid", "mount_option_home_nodev", "kernel_module_cramfs_disabled", "kernel_module_squashfs_disabled"], "controls": []}, {"id": "3.4", "levels": ["default"], "notes": "", "title": "Crypto Policy", "description": "System crypto policy configuration and ensuring it is not overridden in critical components.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_bind_crypto_policy", 
"configure_kerberos_crypto_policy", "configure_openssl_crypto_policy", "configure_ssh_crypto_policy", "configure_libreswan_crypto_policy", "configure_crypto_policy", "var_system_crypto_policy=default_policy"], "controls": []}, {"id": "3.5", "levels": ["default"], "notes": "", "title": "Auditing and Logging", "description": "Auditd and journald configuration.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-journald_enabled", "audit_rules_time_stime", "audit_rules_login_events_lastlog", "audit_rules_privileged_commands_usermod", "audit_rules_kernel_module_loading_delete", "audit_rules_kernel_module_loading_init", "audit_rules_dac_modification_removexattr", "audit_rules_immutable", "audit_rules_dac_modification_fremovexattr", "journald_storage", "auditd_data_retention_max_log_file", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchownat", "audit_rules_sysadmin_actions", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_usergroup_modification_group", "audit_rules_suid_privilege_function", "auditd_data_retention_max_log_file_action", "audit_rules_time_adjtimex", "audit_rules_media_export", "audit_rules_session_events", "audit_rules_execution_setfacl", "audit_rules_dac_modification_lremovexattr", "journald_compress", "audit_rules_execution_chacl", "audit_rules_file_deletion_events_rename", "audit_rules_time_settimeofday", "audit_rules_file_deletion_events_renameat", "audit_rules_time_clock_settime", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr", "audit_rules_mac_modification_usr_share", "audit_rules_sudoers_d", "audit_rules_unsuccessful_file_modification_creat", "service_auditd_enabled", "audit_rules_dac_modification_chown", 
"audit_rules_file_deletion_events_unlinkat", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_time_watch_localtime", "audit_rules_usergroup_modification_gshadow", "audit_rules_sudoers", "audit_rules_unsuccessful_file_modification_open", "socket_systemd-journal-remote_disabled", "audit_rules_dac_modification_lsetxattr", "audit_rules_login_events_faillock", "audit_rules_execution_chcon", "audit_sudo_log_events", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fchown", "audit_rules_mac_modification", "audit_rules_networkconfig_modification", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_usergroup_modification_shadow", "grub2_audit_argument", "audit_rules_dac_modification_fsetxattr", "audit_rules_privileged_commands", "audit_rules_usergroup_modification_opasswd", "package_audit_installed", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_lchown", "grub2_audit_backlog_limit_argument", "var_audit_backlog_limit=8192", "var_auditd_max_log_file=6", "var_auditd_max_log_file_action=rotate"], "controls": []}, {"id": "3.6", "levels": ["default"], "notes": "", "title": "Files, Permissions, and Ownership", "description": "User and critical system file permissions and ownership, user and group file and directory ownership, identifiers.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_backup_etc_passwd", "group_unique_id", "no_files_unowned_by_user", "file_permissions_backup_etc_shadow", "file_owner_backup_etc_group", "file_groupownership_home_directories", "file_groupowner_etc_passwd", "file_permissions_etc_group", "accounts_root_path_dirs_no_write", "file_owner_backup_etc_gshadow", "account_unique_id", "file_groupowner_etc_shadow", "file_groupowner_etc_group", "group_unique_name", 
"file_permissions_unauthorized_world_writable", "file_owner_etc_gshadow", "file_permissions_etc_gshadow", "file_groupowner_backup_etc_gshadow", "file_ownership_home_directories", "file_groupowner_backup_etc_shadow", "file_groupowner_backup_etc_passwd", "file_owner_backup_etc_passwd", "file_permissions_backup_etc_group", "accounts_user_interactive_home_directory_exists", "file_owner_etc_group", "dir_perms_world_writable_sticky_bits", "accounts_no_uid_except_zero", "file_permissions_home_directories", "file_owner_etc_shadow", "file_permissions_backup_etc_gshadow", "accounts_user_dot_no_world_writable_programs", "gid_passwd_group_same", "file_owner_backup_etc_shadow", "account_unique_name", "file_permissions_etc_passwd", "file_groupowner_etc_gshadow", "file_groupowner_backup_etc_group", "no_empty_passwords_etc_shadow", "file_permissions_etc_shadow", "file_permissions_ungroupowned", "file_owner_etc_passwd"], "controls": []}, {"id": "3.7", "levels": ["default"], "notes": "", "title": "Memory Protection", "description": "Enable ASLR and ExecShield, restrict exposure of kernel pointers.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_kptr_restrict", "sysctl_kernel_randomize_va_space", "sysctl_kernel_exec_shield"], "controls": []}, {"id": "3.8", "levels": ["default"], "notes": "", "title": "GUI Configuration", "description": "Do not show the user list, disable XDMCP and automatic login, set up idle lock and protect the settings.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["gnome_gdm_disable_automatic_login", "gnome_gdm_disable_xdmcp"], "controls": []}, {"id": "3.9", "levels": 
["default"], "notes": "", "title": "Time and Schedulers", "description": "Chrony and time-based scheduler security configuration.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_at_allow", "file_groupowner_cron_monthly", "file_permissions_cron_daily", "chronyd_or_ntpd_set_maxpoll", "file_owner_cron_hourly", "file_permissions_cron_weekly", "file_permissions_cron_allow", "chronyd_no_chronyc_network", "file_groupowner_cron_hourly", "file_owner_cron_weekly", "file_permissions_cron_hourly", "file_owner_cron_d", "file_permissions_cron_d", "file_permissions_crontab", "file_groupowner_crontab", "file_permissions_at_allow", "file_groupowner_cron_allow", "file_groupowner_cron_weekly", "file_owner_crontab", "file_permissions_cron_monthly", "file_groupowner_cron_daily", "file_owner_cron_monthly", "file_owner_cron_allow", "file_owner_at_allow", "chronyd_specify_remote_server", "chronyd_run_as_chrony_user", "chronyd_client_only", "file_owner_cron_daily", "file_groupowner_cron_d"], "controls": []}, {"id": "3.10", "levels": ["default"], "notes": "", "title": "Service Minimization", "description": "Users should remove any services that are not necessary for normal system usage.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ypserv_removed", "service_nfs_disabled", "package_rsync_removed", "package_nginx_removed", "package_telnet_removed", "package_tftp-server_removed", "package_vsftpd_removed", "package_rsh-server_removed", "package_cyrus-imapd_removed", "package_talk_removed", "package_httpd_removed", "package_sendmail_removed", "package_dhcp_removed", 
"package_samba_removed", "package_rsh_removed", "package_ypbind_removed", "package_tftp_removed", "package_telnet-server_removed", "service_rpcbind_disabled", "package_net-snmp_removed", "package_squid_removed", "package_bind_removed", "package_dovecot_removed", "package_xinetd_removed", "package_talk-server_removed"], "controls": []}, {"id": "4.1", "levels": ["default"], "notes": "", "title": "Account Protection", "description": "All account passwords must be passphrases of at least 4 words and 15 characters with at least three character classes, generated with a large wordlist and a source of randomness.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_systemauth", "accounts_umask_etc_login_defs", "accounts_root_gid_zero", "accounts_password_pam_minclass", "accounts_tmout", "accounts_umask_etc_profile", "enable_authselect", "accounts_umask_etc_bashrc", "accounts_password_pam_difok", "accounts_password_pam_pwquality_system_auth", "account_password_selinux_faillock_dir", "set_password_hashing_algorithm_logindefs", "accounts_password_pam_pwquality_password_auth", "no_empty_passwords", "accounts_password_pam_minlen", "accounts_password_pam_maxrepeat", "accounts_password_pam_retry", "set_password_hashing_algorithm_passwordauth", "var_password_hashing_algorithm=SHA512", "var_password_hashing_algorithm_pam=sha512", "var_accounts_tmout=15_min", "var_accounts_user_umask=027", "var_password_pam_minclass=3", "var_password_pam_minlen=15", "var_password_pam_remember_control_flag=requisite_or_required", "var_password_pam_remember=5", "var_password_pam_difok=8"], "controls": []}, {"id": "4.2", "levels": ["default"], "notes": "", "title": "Sudo", "description": "Secure sudo configuration.", "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sudo_installed", "sudo_custom_logfile", "sudo_require_authentication", "sudo_add_use_pty", "sudo_require_reauthentication", "use_pam_wheel_for_su", "sudoers_default_includedir"], "controls": []}, {"id": "4.3", "levels": ["default"], "notes": "", "title": "SSH Server", "description": "Secure ssh server configuration.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_rhosts", "sshd_x11_use_localhost", "sshd_set_maxstartups", "file_owner_sshd_config", "sshd_rekey_limit", "sshd_do_not_permit_user_env", "file_permissions_sshd_private_key", "sshd_set_max_auth_tries", "file_permissions_sshd_config", "sshd_disable_x11_forwarding", "sshd_set_keepalive_0", "sshd_use_strong_rng", "sshd_set_max_sessions", "sshd_disable_empty_passwords", "sshd_enable_pam", "sshd_disable_kerb_auth", "sshd_set_loglevel_verbose", "file_groupowner_sshd_config", "sshd_disable_tcp_forwarding", "file_permissions_sshd_pub_key", "sshd_set_login_grace_time", "disable_host_auth", "sshd_set_idle_timeout", "sshd_disable_root_login", "sshd_set_keepalive", "sshd_enable_strictmodes", "sshd_disable_gssapi_auth", "sshd_max_auth_tries_value=4", "var_sshd_set_maxstartups=10:30:60", "var_sshd_max_sessions=10", "var_sshd_set_login_grace_time=60", "sshd_idle_timeout_value=15_minutes", "var_sshd_set_keepalive=0", "var_rekey_limit_size=1G", "var_rekey_limit_time=1hour"], "controls": []}, {"id": "5.1", "levels": ["default"], "notes": "", "title": "General Network Configuration", "description": "If users did not configure IPv6 on the system and it is not needed, it should be disabled.", "rationale": null, "automated": "no", 
"status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_log_martians", "kernel_module_dccp_disabled", "sysctl_net_ipv4_conf_default_accept_redirects", "sysctl_net_ipv4_conf_all_send_redirects", "kernel_module_sctp_disabled", "sysctl_net_ipv6_conf_all_accept_redirects", "sysctl_net_ipv4_conf_all_rp_filter", "sysctl_net_ipv6_conf_default_accept_redirects", "sysctl_net_ipv4_conf_default_accept_source_route", "sysctl_net_ipv4_conf_all_accept_redirects", "sysctl_net_ipv4_icmp_echo_ignore_broadcasts", "sysctl_net_ipv4_conf_all_accept_source_route", "sysctl_net_ipv4_tcp_syncookies", "sysctl_net_ipv4_conf_default_send_redirects", "sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_net_ipv4_conf_default_log_martians", "sysctl_net_ipv6_conf_all_accept_source_route", "sysctl_net_ipv4_conf_all_secure_redirects", "sysctl_net_ipv4_conf_default_rp_filter", "sysctl_net_ipv4_icmp_ignore_bogus_error_responses", "sysctl_net_ipv4_conf_default_secure_redirects", "sysctl_net_ipv4_conf_all_accept_source_route_value=disabled", "sysctl_net_ipv4_conf_default_accept_source_route_value=disabled", "sysctl_net_ipv6_conf_all_accept_source_route_value=disabled", "sysctl_net_ipv6_conf_default_accept_source_route_value=disabled", "sysctl_net_ipv4_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv4_conf_default_accept_redirects_value=disabled", "sysctl_net_ipv6_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv6_conf_default_accept_redirects_value=disabled", "sysctl_net_ipv4_conf_all_secure_redirects_value=disabled", "sysctl_net_ipv4_conf_default_secure_redirects_value=disabled", "sysctl_net_ipv4_conf_all_log_martians_value=enabled", "sysctl_net_ipv4_conf_default_log_martians_value=enabled", "sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled", 
"sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled", "sysctl_net_ipv4_conf_all_rp_filter_value=enabled", "sysctl_net_ipv4_conf_default_rp_filter_value=enabled", "sysctl_net_ipv4_tcp_syncookies_value=enabled"], "controls": []}, {"id": "5.2", "levels": ["default"], "notes": "", "title": "Firewall Configuration", "description": "Users should ensure that all network interfaces are in the appropriate firewall zone and that ports and services allowed by the firewall are reduced to the necessary minimum.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_nftables_disabled", "package_firewalld_installed", "service_firewalld_enabled"], "controls": []}, {"id": "6.1", "levels": ["default"], "notes": "", "title": "Web Browser", "description": "Users should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. 
If the default Firefox application must be used, the users should apply the Common User Security Profile for Mozilla Firefox CaC profile.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.1", "levels": ["default"], "notes": "", "title": "Mandatory Access Control", "description": "Ensure SELinux is installed and enabled, in enforcing mode using targeted policy.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_enable_selinux", "selinux_state", "selinux_policytype", "package_mcstrans_removed", "sysctl_fs_protected_hardlinks", "sysctl_fs_protected_symlinks", "package_libselinux_installed", "var_selinux_policy_name=targeted", "var_selinux_state=enforcing"], "controls": []}, {"id": "7.2", "levels": ["default"], "notes": "", "title": "Periodic Compliance Scans", "description": "Users should perform periodic system scans and remediations with the Common User Security Profile by using the oscap tool or SCAP Workbench.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}], "levels": [{"id": "default", "inherits_from": null}]}