DRAFT - ANSSI-BP-028 (enhanced)
Rules and Groups employed by this XCCDF Profile
-
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to acc...Group -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persisten...Rule Medium Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...Group -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...Rule Medium Severity -
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the se...Rule Medium Severity -
SELinux
SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can a...Group -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct ...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux CoreOS 4 installs on a system and disable ...Group -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends configuring...Group -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...Group -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Uninstall Sendmail Package
Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the following command: <pre> $ sudo dnf remove sendmail</pre> ...Rule Medium Severity -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_ali...Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
Enable the NTP Daemon
As a user with administrator privileges, log into a node in the relevant pool: <pre> $ oc debug node/$NODE_NAME </pre> At the <pre>sh-4.4#</pre> prompt, run: <pre> # chroot /host </pre> Run the ...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...Group -
Verify Group Who Owns SSH Server config file
To properly set the group owner of/etc/ssh/sshd_config, run the command:$ sudo chgrp root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Group Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be group-owned byssh_keysgroup.Rule Medium Severity -
Verify Group Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be group-owned byrootgroup.Rule Medium Severity -
Verify Owner on SSH Server config file
To properly set the owner of/etc/ssh/sshd_config, run the command:$ sudo chown root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be owned byrootuser.Rule Medium Severity -
Verify Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be owned byrootuser.Rule Medium Severity -
Verify Permissions on SSH Server config file
To properly set the permissions of/etc/ssh/sshd_config, run the command:$ sudo chmod 0600 /etc/ssh/sshd_config
Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...Rule Medium Severity -
Verify Permissions on SSH Server Public *.pub Key Files
To properly set the permissions of/etc/ssh/*.pub, run the command:$ sudo chmod 0644 /etc/ssh/*.pub
Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...Group -
Disable SSH Root Login
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Pe...Rule Medium Severity -
Ensure tmp.mount Unit Is Enabled
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles</code>. Ensure that the <code>tmp.mount</code> sys...Rule Low Severity -
Verify Group Who Owns /etc/sudoers.d Directory
To properly set the group owner of/etc/sudoers.d, run the command:$ sudo chgrp root /etc/sudoers.d
Rule Medium Severity -
Verify User Who Owns /etc/sudoers.d Directory
To properly set the owner of/etc/sudoers.d, run the command:$ sudo chown root /etc/sudoers.d
Rule Medium Severity -
Verify Permissions On /etc/sudoers.d Directory
To properly set the permissions of/etc/sudoers.d, run the command:$ sudo chmod 0750 /etc/sudoers.d
Rule Medium Severity -
Verify Group Who Owns /etc/sudoers File
To properly set the group owner of/etc/sudoers, run the command:$ sudo chgrp root /etc/sudoers
Rule Medium Severity -
Verify User Who Owns /etc/sudoers File
To properly set the owner of/etc/sudoers, run the command:$ sudo chown root /etc/sudoers
Rule Medium Severity -
Verify Permissions On /etc/sudoers File
To properly set the permissions of/etc/sudoers, run the command:$ sudo chmod 0440 /etc/sudoers
Rule Medium Severity -
Ensure That the sudo Binary Has the Correct Permissions
To properly set the permissions of/usr/bin/sudo, run the command:$ sudo chmod 4111 /usr/bin/sudo
Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is consider...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to show <code>retry=<xccdf-1.2:s...Rule Medium Severity -
Configure Logind to terminate idle sessions after certain time of inactivity
To configure <code>logind</code> service to terminate inactive user sessions after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_logind_session_timeout" use="legacy"></xccdf-1.2:sub>...Rule Medium Severity -
Set Root Account Password Maximum Age
Configure the root account to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_root" use="legacy"></xccdf-1.2:sub>-day maximum password lifetime restricti...Rule Medium Severity -
User Initialization Files Must Be Group-Owned By The Primary Group
Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local interactive user home directory, use the following ...Rule Medium Severity -
User Initialization Files Must Be Owned By the Primary User
Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre> This rule ensures eve...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have a Valid Owner
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive us...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i> </pre> Files that beg...Rule Medium Severity -
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
Set the mode of the user initialization files to0740with the following command:$ sudo chmod 0740 /home/USER/.INIT_FILERule Medium Severity -
Ensure AppArmor is installed
AppArmor provide Mandatory Access Controls.Rule Medium Severity -
Install the pam_apparmor Package
Thepam_apparmorpackage can be installed with the following command:$ sudo dnf install pam_apparmor
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.