DRAFT - ANSSI-BP-028 (enhanced)
Rules and Groups employed by this XCCDF Profile
-
Disable merging of slabs with similar size
The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs separate and reduces the risk of kernel heap overflo...Rule Medium Severity -
Configure Speculative Store Bypass Mitigation
Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In such cases, recent stores to the same memory loca...Rule Medium Severity -
Enforce Spectre v2 mitigation
Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor into executing code from a future indirect branch cho...Rule High Severity -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generate a hash...Rule High Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...Group -
Ensure Proper Configuration of Log Files
The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of a <i>selector</i> and an <i>action</i>. These rul...Group -
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> a...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate User
The owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and t...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules