ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
Disable vsyscall mapping [Rule, Medium Severity]
This config disables the vsyscall mapping entirely. Attempts to use the vsyscalls will be reported to dmesg, so that either old or malicious userspace programs can be identified. This configuration i...

Disable vsyscall emulate execution only [Rule, Medium Severity]
The kernel traps and emulates calls into the fixed vsyscall address mapping and does not allow reads. This configuration is available from kernel 5.3. The configuration that was used to build kern...

Disable the LDT (local descriptor table) [Rule, Medium Severity]
Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system call. This is required to run 16-bit or segmented code such as DOSEMU or some ...

Enable poison of pages after freeing [Rule, Medium Severity]
Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages. This does have a potential performance impact if enabled with the "page_poison=1" kernel boot opti...

Perform full reference count validation [Rule, Medium Severity]
Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation, which can have a slight impact in performance. This conf...