From 74576ca0d90f006cbd28a94866ad14b03fab7983 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Tue, 17 Sep 2013 16:30:46 +0200
Subject: [PATCH 4/8] Add Introduction and System Settings XML files. Common profile XML definition.
Signed-off-by: Jan Lieskovsky <[email protected]> --- FEDORA/input/intro/intro.xml | 167 +++++++++++++++++++++++++++++++++++++++ FEDORA/input/profiles/common.xml | 8 ++ FEDORA/input/system/system.xml | 4 + 3 files changed, 179 insertions(+) create mode 100644 FEDORA/input/intro/intro.xml create mode 100644 FEDORA/input/profiles/common.xml create mode 100644 FEDORA/input/system/system.xml diff --git a/FEDORA/input/intro/intro.xml b/FEDORA/input/intro/intro.xml new file mode 100644 index 0000000..ca8608c --- /dev/null +++ b/FEDORA/input/intro/intro.xml 
@@ -0,0 +1,167 @@ +<Group id="intro"> +<title>Introduction</title> +<description> +<!-- purpose and scope of guidance --> +The purpose of this guidance is to provide security configuration +recommendations and baselines for the Fedora operating system. +Recommended settings for the basic operating system are provided, +as well as for many network services that the system can provide +to other systems. +<!-- audience -->The guide is intended for system administrators. Readers are assumed to +possess basic system administration skills for Unix-like systems, as well +as some familiarity with Fedora's documentation and administration +conventions. Some instructions within this guide are complex. +All directions should be followed completely and with understanding of +their effects in order to avoid serious adverse effects on the system +and its security. +</description> + +<Group id="general-principles"> +<title>General Principles</title> +<description> +The following general principles motivate much of the advice in this +guide and should also influence any configuration decisions that are +not explicitly covered. +</description> + +<Group id="principle-encrypt-transmitted-data"> +<title>Encrypt Transmitted Data Whenever Possible</title> +<description> +Data transmitted over a network, whether wired or wireless, is susceptible +to passive monitoring. Whenever practical solutions for encrypting +such data exist, they should be applied. Even if data is expected to +be transmitted only over a local network, it should still be encrypted. +Encrypting authentication data, such as passwords, is particularly +important. Networks of Fedora machines can and should be configured +so that no unencrypted authentication data is ever transmitted between +machines. 
+</description> +</Group> + + +<Group id="principle-minimize-software"> +<title>Minimize Software to Minimize Vulnerability</title> +<description> +The simplest way to avoid vulnerabilities in software is to avoid +installing that software. On Fedora, the RPM Package Manager (originally +Red Hat Package Manager, abbreviated RPM) allows for careful management of +the set of software packages installed on a system. Installed software +contributes to system vulnerability in several ways. Packages that +include setuid programs may provide local attackers a potential path to +privilege escalation. Packages that include network services may give +this opportunity to network-based attackers. Packages that include +programs which are predictably executed by local users (e.g. after +graphical login) may provide opportunities for trojan horses or other +attack code to be run undetected. The number of software packages +installed on a system can almost always be significantly pruned to include +only the software for which there is an environmental or operational need. +</description> +</Group> + +<Group id="principle-separate-servers"> +<title>Run Different Network Services on Separate Systems</title> +<description> +Whenever possible, a server should be dedicated to serving exactly one +network service. This limits the number of other services that can +be compromised in the event that an attacker is able to successfully +exploit a software flaw in one network service. +</description> +</Group> + +<Group id="principle-use-security-tools"> +<title>Configure Security Tools to Improve System Robustness</title> +<description> +Several tools exist which can be effectively used to improve a system's +resistance to and detection of unknown attacks. These tools can improve +robustness against attack at the cost of relatively little configuration +effort. 
In particular, this guide recommends and discusses the use of +Iptables for host-based firewalling, SELinux for protection against +vulnerable services, and a logging and auditing infrastructure for +detection of problems. +</description> +</Group> + +<Group id="principle-least-privilege"> +<title>Least Privilege</title> +<description> +Grant the least privilege necessary for user accounts and software to perform tasks. +For example, <tt>sudo</tt> can be implemented to limit authorization to super user +accounts on the system only to designated personnel. Another example is to limit +logins on server systems to only those administrators who need to log into them in +order to perform administration tasks. Using SELinux also follows the principle of +least privilege: SELinux policy can confine software to perform only actions on the +system that are specifically allowed. This can be far more restrictive than the +actions permissible by the traditional Unix permissions model. +</description> +</Group> + +</Group> + + + +<Group id="how-to-use"> +<title>How to Use This Guide</title> +<description> +Readers should heed the following points when using the guide. +</description> + + +<Group id="intro-read-sections-completely"> +<title>Read Sections Completely and in Order</title> +<description> +Each section may build on information and recommendations discussed in +prior sections. Each section should be read and understood completely; +instructions should never be blindly applied. Relevant discussion may +occur after instructions for an action. +</description> +</Group> + + +<Group id="intro-test-non-production"> +<title>Test in Non-Production Environment</title> +<description> +This guidance should always be tested in a non-production environment +before deployment. This test environment should simulate the setup in +which the system will be deployed as closely as possible. 
+</description> +</Group> + + +<Group id="intro-root-shell-assumed"> +<title>Root Shell Environment Assumed</title> +<description> +Most of the actions listed in this document are written with the +assumption that they will be executed by the root user running the +<tt>/bin/bash</tt> shell. Commands preceded with a hash mark (#) +assume that the administrator will execute the commands as root, i.e. +apply the command via <tt>sudo</tt> whenever possible, or use +<tt>su</tt> to gain root privileges if <tt>sudo</tt> cannot be +used. Commands which can be executed as a non-root user are are preceded +by a dollar sign ($) prompt. +</description> +</Group> + +<Group id="intro-formatting-conventions"> +<title>Formatting Conventions</title> +<description> +Commands intended for shell execution, as well as configuration file text, +are featured in a <tt>monospace font</tt>. <i>Italics</i> are used +to indicate instances where the system administrator must substitute +the appropriate information into a command or configuration file. +</description> +</Group> + +<Group id="intro-reboot-required"> +<title>Reboot Required</title> +<description> +A system reboot is implicitly required after some actions in order to +complete the reconfiguration of the system. In many cases, the changes +will not take effect until a reboot is performed. In order to ensure +that changes are applied properly and to test functionality, always +reboot the system after applying a set of recommendations from this guide. +</description> +</Group> + +</Group> + +</Group> diff --git a/FEDORA/input/profiles/common.xml b/FEDORA/input/profiles/common.xml new file mode 100644 index 0000000..18c8f3e --- /dev/null +++ b/FEDORA/input/profiles/common.xml 
@@ -0,0 +1,8 @@ +<Profile id="common"> +<title>Common Profile for General-Purpose Fedora Systems</title> +<description>This profile contains items common to general-purpose Fedora installations.</description> + +<select idref="ensure_gpgcheck_globally_activated" selected="true"/> +<select idref="ensure_gpgcheck_never_disabled" selected="true"/> + +</Profile> diff --git a/FEDORA/input/system/system.xml b/FEDORA/input/system/system.xml new file mode 100644 index 0000000..1814ce1 --- /dev/null +++ b/FEDORA/input/system/system.xml @@ -0,0 +1,4 @@ +<Group id="system"> +<title>System Settings</title> + +</Group> -- 1.7.11.7
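Review bot: in FEDORA/input/intro/intro.xml, the description of Group intro-root-shell-assumed contains a doubled word, "non-root user are are preceded by a dollar sign ($) prompt"; drop one "are". In the same file, the top-level description has the "<!-- audience -->" comment attached to the start of "The guide is intended for system administrators." while the "<!-- purpose and scope of guidance -->" comment sits on its own line; moving the audience comment onto its own line would keep the two consistent.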
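Review bot: in FEDORA/input/profiles/common.xml, both select entries reference ids (ensure_gpgcheck_globally_activated and ensure_gpgcheck_never_disabled) that none of the three files created by this patch define, and the system Group added alongside is empty. If the rule definitions come from another patch in this 8-part series, note that in the commit message, or order the series so the definitions land before or together with the profile that selects them, so that the idrefs resolve at this commit.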
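Review bot: in FEDORA/input/system/system.xml, the system Group has a title but no description element, whereas every Group added in intro.xml carries one. Add a short description, for example one sentence stating which settings this group will hold, so the section is not left as a bare title until later patches fill it in.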
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
