ANSSI-BP-028 (intermediary)
Rules and Groups employed by this XCCDF Profile
-
Verify Permissions on SSH Server config file
To properly set the permissions of/etc/ssh/sshd_config, run the command:$ sudo chmod 0600 /etc/ssh/sshd_config
Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...Rule Medium Severity -
Verify Permissions on SSH Server Public *.pub Key Files
To properly set the permissions of/etc/ssh/*.pub, run the command:$ sudo chmod 0644 /etc/ssh/*.pub
Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...Group -
Disable SSH Root Login
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Pe...Rule Medium Severity -
System Security Services Daemon
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, ...Group -
Install the SSSD Package
Thesssdpackage should be installed. Thesssdpackage can be installed with the following command:$ sudo yum install sssd
Rule Medium Severity -
Enable the SSSD Service
The SSSD service should be enabled. Thesssdservice can be enabled with the following command:$ sudo systemctl enable sssd.service
Rule Medium Severity -
Configure PAM in SSSD Services
SSSD should be configured to run SSSD <code>pam</code> services. To configure SSSD to known SSH hosts, add <code>pam</code> to <code>services</code> under the <code>[sssd]</code> section in <code>/...Rule Medium Severity -
System Security Services Daemon (SSSD) - LDAP
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, ...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules