Skip to content
Log In

DRAFT - ANSSI-BP-028 (enhanced)

Rules and Groups employed by this XCCDF Profile

  • System Settings

    Contains rules that check correct system settings.
    Group
    Show

  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
    Group
    Show

  • Prefer to use a 64-bit Operating System when supported

    Prefer installation of 64-bit operating systems when the CPU supports it.
    Rule Medium Severity
    Show

  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...
    Group
    Show

  • Software Integrity Checking

    Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of ...
    Group
    Show

  • Verify Integrity with AIDE

    AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and t...
    Group
    Show

  • Install AIDE

    The aide package can be installed with the following command: 
    $ sudo dnf install aide
    Rule Medium Severity
    Show

  • Build and Test AIDE Database

    Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the file <code>/var/lib/aide/aide.db.new.gz</code>. Sto...
    Rule Medium Severity
    Show

  • Federal Information Processing Standard (FIPS)

    The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working groups to validate the quality of cryptographic mod...
    Group
    Show

  • Install the dracut-fips-aesni Package

    To enable FIPS on system that support the Advanced Encryption Standard (AES) or New Instructions (AES-NI) engine, the system requires that the <code>dracut-fips-aesni</code> package be installed. T...
    Rule Medium Severity
    Show

  • Disk Partitioning

    To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning sc...
    Group
    Show

  • Ensure /home Located On Separate Partition

    If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). If <code>/home</code> will be mounted from ...
    Rule Low Severity
    Show

  • Ensure /srv Located On Separate Partition

    If a file server (FTP, TFTP...) is hosted locally, create a separate partition for <code>/srv</code> at installation time (or migrate it later using LVM). If <code>/srv</code> will be mounted from ...
    Rule Unknown Severity
    Show

  • Ensure /var Located On Separate Partition

    The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation...
    Rule Low Severity
    Show

  • Ensure /var/log Located On Separate Partition

    System logs are stored in the <code>/var/log</code> directory. <p> Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig...
    Rule Low Severity
    Show

  • Ensure /var/log/audit Located On Separate Partition

    Audit logs are stored in the <code>/var/log/audit</code> directory. <p> Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineC...
    Rule Low Severity
    Show

  • Ensure /var/tmp Located On Separate Partition

    The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
    Rule Medium Severity
    Show

  • Sudo

    <code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups...
    Group
    Show

  • Install sudo Package

    The sudo package can be installed with the following command: 
    $ sudo dnf install sudo
    Rule Medium Severity
    Show

  • Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC

    The sudo <code>NOEXEC</code> tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the <code>NOEXE...
    Rule High Severity
    Show

  • Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty

    The sudo <code>requiretty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>requiretty</code> tag ...
    Rule Medium Severity
    Show

  • Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

    The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the <code>use_pty</code> tag exists...
    Rule Medium Severity
    Show

  • Explicit arguments in sudo specifications

    All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in...
    Rule Medium Severity
    Show

  • Don't define allowed commands in sudoers by means of exclusion

    Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the <code>sudoers</code> file contains a comma-delimited list of command specifications. T...
    Rule Medium Severity
    Show

  • Don't target root user in the sudoers file

    The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to explicitly list the runas spec (i.e. the list of targe...
    Rule Medium Severity
    Show

  • Updating Software

    The <code>dnf</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool in the <b>System</b> menu, in the <b>Administration...
    Group
    Show

  • Ensure Red Hat GPG Key Installed

    To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. T...
    Rule High Severity
    Show

  • Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it mor...
    Group
    Show

  • Protect Accounts by Configuring PAM

    PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it sh...
    Group
    Show

  • Set Password Quality Requirements

    The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...
    Group
    Show

  • Set Password Quality Requirements with pam_pwquality

    The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to configure <code>pam_pwquality</code> to require at lea...
    Group
    Show

  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...
    Group
    Show

  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...
    Group
    Show

  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...
    Group
    Show

  • Set Password Minimum Length in login.defs

    To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <xccdf-1.2:sub idref="xccdf_org.ssgproj...
    Rule Medium Severity
    Show

  • Restrict Root Logins

    Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use <code>su</code> or <cod...
    Group
    Show

  • Direct root Logins Not Allowed

    To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty</code> file. This file lists all devices the root...
    Rule Medium Severity
    Show

  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissi...
    Group
    Show

  • Configure Polyinstantiation of /tmp Directories

    To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: <pre>$ sudo mkdir --mode 000 ...
    Rule Low Severity
    Show

  • Configure Polyinstantiation of /var/tmp Directories

    To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command: <pre>$ sudo mkdir --mode 000 ...
    Rule Low Severity
    Show

  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The <code>...
    Rule Medium Severity
    Show

  • Ensure that Users Have Sensible Umask Values

    The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and directories created by users will not be readable by an...
    Group
    Show

  • Ensure the Default Bash Umask is Set Correctly

    To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> to read as follows: <pre>umask <xccdf-1.2:sub idre...
    Rule Medium Severity
    Show

  • Ensure the Default Umask is Set Correctly in login.defs

    To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc/login.defs</code> to read as follows: <pre>UMASK ...
    Rule Medium Severity
    Show

  • Ensure the Default Umask is Set Correctly in /etc/profile

    To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: <pre>umask <xccdf...
    Rule Medium Severity
    Show

  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...
    Group
    Show

  • Ensure the audit Subsystem is Installed

    The audit package should be installed.
    Rule Medium Severity
    Show

  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The <code>auditd</code> service can be ena...
    Rule Medium Severity
    Show

  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings for comprehensive auditing, but a full description...
    Group
    Show

  • Make the auditd Configuration Immutable

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules