DRAFT - ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct ...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub></code> at system boot time. In the file <code>/et...Rule High Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux CoreOS 4 installs on a system and disable ...Group -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends configuring...Group -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...Group -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Uninstall Sendmail Package
Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the following command: <pre> $ sudo dnf remove sendmail</pre> ...Rule Medium Severity -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_ali...Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
Enable the NTP Daemon
As a user with administrator privileges, log into a node in the relevant pool: <pre> $ oc debug node/$NODE_NAME </pre> At the <pre>sh-4.4#</pre> prompt, run: <pre> # chroot /host </pre> Run the ...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...Group -
Verify Group Who Owns SSH Server config file
To properly set the group owner of/etc/ssh/sshd_config, run the command:$ sudo chgrp root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Group Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be group-owned byssh_keysgroup.Rule Medium Severity -
Verify Group Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be group-owned byrootgroup.Rule Medium Severity -
Verify Owner on SSH Server config file
To properly set the owner of/etc/ssh/sshd_config, run the command:$ sudo chown root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be owned byrootuser.Rule Medium Severity -
Verify Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be owned byrootuser.Rule Medium Severity -
Verify Permissions on SSH Server config file
To properly set the permissions of/etc/ssh/sshd_config, run the command:$ sudo chmod 0600 /etc/ssh/sshd_config
Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...Rule Medium Severity -
Verify Permissions on SSH Server Public *.pub Key Files
To properly set the permissions of/etc/ssh/*.pub, run the command:$ sudo chmod 0644 /etc/ssh/*.pub
Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...Group -
Disable SSH Root Login
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Pe...Rule Medium Severity -
Ensure tmp.mount Unit Is Enabled
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles</code>. Ensure that the <code>tmp.mount</code> sys...Rule Low Severity -
Verify Group Who Owns /etc/sudoers.d Directory
To properly set the group owner of/etc/sudoers.d, run the command:$ sudo chgrp root /etc/sudoers.d
Rule Medium Severity -
Verify User Who Owns /etc/sudoers.d Directory
To properly set the owner of/etc/sudoers.d, run the command:$ sudo chown root /etc/sudoers.d
Rule Medium Severity -
Verify Permissions On /etc/sudoers.d Directory
To properly set the permissions of/etc/sudoers.d, run the command:$ sudo chmod 0750 /etc/sudoers.d
Rule Medium Severity -
Verify Group Who Owns /etc/sudoers File
To properly set the group owner of/etc/sudoers, run the command:$ sudo chgrp root /etc/sudoers
Rule Medium Severity -
Verify User Who Owns /etc/sudoers File
To properly set the owner of/etc/sudoers, run the command:$ sudo chown root /etc/sudoers
Rule Medium Severity -
Verify Permissions On /etc/sudoers File
To properly set the permissions of/etc/sudoers, run the command:$ sudo chmod 0440 /etc/sudoers
Rule Medium Severity -
Ensure That the sudo Binary Has the Correct Permissions
To properly set the permissions of/usr/bin/sudo, run the command:$ sudo chmod 4111 /usr/bin/sudo
Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is consider...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to show <code>retry=<xccdf-1.2:s...Rule Medium Severity -
Configure Logind to terminate idle sessions after certain time of inactivity
To configure <code>logind</code> service to terminate inactive user sessions after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_logind_session_timeout" use="legacy"></xccdf-1.2:sub>...Rule Medium Severity -
Set Root Account Password Maximum Age
Configure the root account to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_root" use="legacy"></xccdf-1.2:sub>-day maximum password lifetime restricti...Rule Medium Severity -
User Initialization Files Must Be Group-Owned By The Primary Group
Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local interactive user home directory, use the following ...Rule Medium Severity -
User Initialization Files Must Be Owned By the Primary User
Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre> This rule ensures eve...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have a Valid Owner
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive us...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i> </pre> Files that beg...Rule Medium Severity -
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
Set the mode of the user initialization files to0740with the following command:$ sudo chmod 0740 /home/USER/.INIT_FILERule Medium Severity -
Ensure AppArmor is installed
AppArmor provide Mandatory Access Controls.Rule Medium Severity -
Install the pam_apparmor Package
Thepam_apparmorpackage can be installed with the following command:$ sudo dnf install pam_apparmor
Rule Medium Severity -
Enforce all AppArmor Profiles
AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command: <pre>$ sudo aa-enforce /etc/apparmor.d/*</pre> To list unconf...Rule Medium Severity -
Ensure AppArmor is Active and Configured
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br> <br> The <code>apparmor</code> service can be enabled with the fo...Rule Medium Severity -
Ensure AppArmor is enabled in the bootloader configuration
Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LI...Rule Medium Severity -
Verify /boot/grub2/grub.cfg Group Ownership
The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. To properly set the group owner of <code>/boot/g...Rule Medium Severity -
Verify /boot/grub2/user.cfg Group Ownership
The file <code>/boot/grub2/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To properly set the group owner of <code>/boot/grub2...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.