ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Disable kexec system call
<code>kexec</code> is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot b...Rule Low Severity -
Disable legacy (BSD) PTY support
Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern...Rule Medium Severity -
Enable module signature verification
Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the ...Rule Medium Severity -
Enable automatic signing of all modules
Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configur...Rule Medium Severity -
Require modules to be validly signed
Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules