Skip to content
Log In

ANSSI-BP-028 (high)

Rules and Groups employed by this XCCDF Profile

  • Enable Kernel Parameter to Enforce DAC on Regular files

    To set the runtime status of the <code>fs.protected_regular</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_regular=2</pre> To make sure that the setting is p...
    Rule Medium Severity
    Show

  • Ensure tmp.mount Unit Is Enabled

    The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles</code>. Ensure that the <code>tmp.mount</code> sys...
    Rule Low Severity
    Show

  • Verify Group Who Owns /etc/sudoers.d Directory

    To properly set the group owner of /etc/sudoers.d, run the command: 
    $ sudo chgrp root /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sudoers.d Directory

    To properly set the owner of /etc/sudoers.d, run the command: 
    $ sudo chown root /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sudoers.d Directory

    To properly set the permissions of /etc/sudoers.d, run the command: 
    $ sudo chmod 0750 /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/sudoers File

    To properly set the group owner of /etc/sudoers, run the command: 
    $ sudo chgrp root /etc/sudoers
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sudoers File

    To properly set the owner of /etc/sudoers, run the command: 
    $ sudo chown root /etc/sudoers
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sudoers File

    To properly set the permissions of /etc/sudoers, run the command: 
    $ sudo chmod 0440 /etc/sudoers
    Rule Medium Severity
    Show

  • Ensure That the sudo Binary Has the Correct Permissions

    To properly set the permissions of /usr/bin/sudo, run the command: 
    $ sudo chmod 4111 /usr/bin/sudo
    Rule Medium Severity
    Show

  • Configure Logind to terminate idle sessions after certain time of inactivity

    To configure <code>logind</code> service to terminate inactive user sessions after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_logind_session_timeout" use="legacy"></xccdf-1.2:sub>...
    Rule Medium Severity
    Show

  • Set Root Account Password Maximum Age

    Configure the root account to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_root" use="legacy"></xccdf-1.2:sub>-day maximum password lifetime restricti...
    Rule Medium Severity
    Show

  • User Initialization Files Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local interactive user home directory, use the following ...
    Rule Medium Severity
    Show

  • User Initialization Files Must Be Owned By the Primary User

    Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre> This rule ensures eve...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

    Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Have a Valid Owner

    Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive us...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

    Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i> </pre> Files that beg...
    Rule Medium Severity
    Show

  • Ensure AppArmor is installed

    AppArmor provide Mandatory Access Controls.
    Rule Medium Severity
    Show

  • Install the pam_apparmor Package

    The pam_apparmor package can be installed with the following command: 
    $ sudo yum install pam_apparmor
    Rule Medium Severity
    Show

  • Enforce all AppArmor Profiles

    AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command: <pre>$ sudo aa-enforce /etc/apparmor.d/*</pre> To list unconf...
    Rule Medium Severity
    Show

  • Ensure AppArmor is Active and Configured

    Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br> <br> The <code>apparmor</code> service can be enabled with the fo...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules