Skip to content

ANSSI-BP-028 (high)

Rules and Groups employed by this XCCDF Profile

  • Configure the secure_mode_insmod SELinux Boolean

    By default, the SELinux boolean <code>secure_mode_insmod</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.s...
    Rule Medium Severity
  • Disable the selinuxuser_execheap SELinux Boolean

    By default, the SELinux boolean <code>selinuxuser_execheap</code> is disabled. When enabled this boolean is enabled it allows selinuxusers to execu...
    Rule Medium Severity
  • Disable the selinuxuser_execstack SELinux Boolean

    By default, the SELinux boolean <code>selinuxuser_execstack</code> is enabled. This setting should be disabled as unconfined executables should not...
    Rule Medium Severity
  • Disable the ssh_sysadm_login SELinux Boolean

    By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code...
    Rule Medium Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Oracle Linux 8 in...
    Group
  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....
    Group
  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...
    Group
  • Uninstall DHCP Server Package

    If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with...
    Rule Medium Severity
  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
  • Uninstall Sendmail Package

    Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the followin...
    Rule Medium Severity
  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
  • Configure System to Forward All Mail For The Root Account

    Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org....
    Rule Medium Severity
  • Disable Postfix Network Listening

    Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...
    Rule Medium Severity
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
  • Enable the NTP Daemon

    Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If t...
    Rule Medium Severity
  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
  • Xinetd

    The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...
    Group
  • Uninstall xinetd Package

    The xinetd package can be removed with the following command:
    $ sudo yum erase xinetd
    Rule Low Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules