ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Ensure AppArmor is enabled in the bootloader configuration
Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LI...Rule Medium Severity -
Verify /boot/grub2/grub.cfg Permissions
File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>, run the command: <pre>$ sudo chmod 600 /boot/grub...Rule Medium Severity -
Verify /boot/grub2/user.cfg Permissions
File permissions for <code>/boot/grub2/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/user.cfg</code>, run the command: <pre>$ sudo chmod 600 /boot/grub...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg Group Ownership
The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. To properly set the group owner of <code>/boot/g...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg User Ownership
The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To properly set the owner of <code>/boot/grub2/grub.cfg...Rule Medium Severity -
Verify /boot/grub2/user.cfg User Ownership
The file <code>/boot/grub2/user.cfg</code> should be owned by the <code>root</code> user to prevent reading or modification of the file. To properly set the owner of <code>/boot/grub2/user.cfg</co...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg Permissions
File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 700. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>, run the command: <pre>$ sudo chmod 700 /boot/grub...Rule Medium Severity -
Verify /boot/grub2/user.cfg Permissions
File permissions for <code>/boot/grub2/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/user.cfg</code>, run the command: <pre>$ sudo chmod 600 /boot/grub...Rule Medium Severity -
Emulate Privileged Access Never (PAN)
Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved zeroed area and reserved ASID. The user access routines restore the valid TTBR...Rule Medium Severity -
Trigger a kernel BUG when data corruption is detected
This option makes the kernel BUG when it encounters data corruption in kernel memory structures when they get checked for validity. This configuration is available from kernel 4.10. The configurat...Rule Low Severity -
Warn on W+X mappings found at boot
Generate a warning if any W+X mappings are found at boot. This configuration is available from kernel 5.8. The configuration that was used to build kernel is available at <code>/boot/config-*</cod...Rule Medium Severity -
Harden common str/mem functions against buffer overflows
Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. This configuration is available from kernel 4.13, but may be availa...Rule Medium Severity -
Harden memory copies between kernel and userspace
This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger than the ...Rule High Severity -
Do not allow usercopy whitelist violations to fallback to object size
This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log, instead of rejecting the copy, falling back to non-whitelisted hardened usercopy ...Rule High Severity -
Disable vsyscall emulation
The kernel traps and emulates calls into the fixed vsyscall address mapping. This configuration is available from kernel 5.3, but may be available if backported by distros. The configuration that ...Rule Medium Severity -
Disable vsyscall mapping
This config disables the vsyscall mapping at all. Attempts to use the vsyscalls will be reported to dmesg, so that either old or malicious userspace programs can be identified. This configuration i...Rule Medium Severity -
Disable vsyscall emulate execution only
The kernel traps and emulates calls into the fixed vsyscall address mapping and does not allow reads. This configuration is available from kernel 5.3. The configuration that was used to build kern...Rule Medium Severity -
Disable the LDT (local descriptor table)
Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system call. This is required to run 16-bit or segmented code such as DOSEMU or some ...Rule Medium Severity -
Enable poison of pages after freeing
Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages. This does have a potential performance impact if enabled with the "page_poison=1" kernel boot opti...Rule Medium Severity -
Perform full reference count validation
Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation, which can have a slight impact in performance. This conf...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.