Skip to content
Log In

ANSSI-BP-028 (high)

Rules and Groups employed by this XCCDF Profile

  • Add nosuid Option to /home

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions should not be required in these user data directories. ...
    Rule Medium Severity
    Show

  • Add nodev Option to Non-Root Local Partitions

    The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the <code>/dev</code> directory ...
    Rule Medium Severity
    Show

  • Add nosuid Option to /opt

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/opt</code>. The SUID and SGID permissions should not be required in this directory. Add the <code>...
    Rule Medium Severity
    Show

  • Add nosuid Option to /srv

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/srv</code>. The SUID and SGID permissions should not be required in this directory. Add the <code>...
    Rule Medium Severity
    Show

  • Add noexec Option to /tmp

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/tmp</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code>...
    Rule Medium Severity
    Show

  • Add nosuid Option to /tmp

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/tmp</code>. The SUID and SGID permissions should not be required in these world-writable directori...
    Rule Medium Severity
    Show

  • Add noexec Option to /var/log

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/log</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</c...
    Rule Medium Severity
    Show

  • Add nosuid Option to /var/log

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/log</code>. The SUID and SGID permissions should not be required in directories containing log...
    Rule Medium Severity
    Show

  • Add noexec Option to /var

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code>...
    Rule Medium Severity
    Show

  • Add nosuid Option to /var

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var</code>. The SUID and SGID permissions should not be required for this directory. Add the <code...
    Rule Medium Severity
    Show

  • Add noexec Option to /var/tmp

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/tmp</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</c...
    Rule Medium Severity
    Show

  • Add nosuid Option to /var/tmp

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/tmp</code>. The SUID and SGID permissions should not be required in these world-writable direc...
    Rule Medium Severity
    Show

  • Restrict Programs from Dangerous Execution Patterns

    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the ...
    Group
    Show

  • Restrict Access to Kernel Message Buffer

    To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> To make sure that the setting is...
    Rule Low Severity
    Show

  • Disable loading and unloading of kernel modules

    To set the runtime status of the <code>kernel.modules_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.modules_disabled=1</pre> To make sure that the settin...
    Rule Medium Severity
    Show

  • Kernel panic on oops

    To set the runtime status of the <code>kernel.panic_on_oops</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.panic_on_oops=1</pre> To make sure that the setting is p...
    Rule Medium Severity
    Show

  • Limit CPU consumption of the Perf system

    To set the runtime status of the <code>kernel.perf_cpu_time_max_percent</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1</pre> To make su...
    Rule Medium Severity
    Show

  • Limit sampling frequency of the Perf system

    To set the runtime status of the <code>kernel.perf_event_max_sample_rate</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_max_sample_rate=1</pre> To make ...
    Rule Medium Severity
    Show

  • Disallow kernel profiling by unprivileged users

    To set the runtime status of the <code>kernel.perf_event_paranoid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_paranoid=2</pre> To make sure that the ...
    Rule Low Severity
    Show

  • Configure maximum number of process identifiers

    To set the runtime status of the <code>kernel.pid_max</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.pid_max=65536</pre> To make sure that the setting is persisten...
    Rule Medium Severity
    Show

  • Disallow magic SysRq key

    To set the runtime status of the <code>kernel.sysrq</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.sysrq=0</pre> To make sure that the setting is persistent, add t...
    Rule Medium Severity
    Show

  • Restrict usage of ptrace to descendant processes

    To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> To make sure that the sett...
    Rule Medium Severity
    Show

  • Prevent applications from mapping low portion of virtual memory

    To set the runtime status of the <code>vm.mmap_min_addr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w vm.mmap_min_addr=65536</pre> To make sure that the setting is persi...
    Rule Medium Severity
    Show

  • Disable Core Dumps

    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to acc...
    Group
    Show

  • Disable Core Dumps for SUID programs

    To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persisten...
    Rule Medium Severity
    Show

  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...
    Group
    Show

  • Restrict Exposed Kernel Pointer Addresses Access

    To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...
    Rule Medium Severity
    Show

  • Enable Randomized Layout of Virtual Address Space

    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the se...
    Rule Medium Severity
    Show

  • Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems

    Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Int...
    Group
    Show

  • Install PAE Kernel on Supported 32-bit x86 Systems

    Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and ...
    Rule Unknown Severity
    Show

  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can a...
    Group
    Show

  • Uninstall setroubleshoot-plugins Package

    The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>setroub...
    Rule Low Severity
    Show

  • Uninstall setroubleshoot-server Package

    The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>se...
    Rule Low Severity
    Show

  • Uninstall setroubleshoot Package

    The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>se...
    Rule Low Severity
    Show

  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct ...
    Rule Medium Severity
    Show

  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub></code> at system boot time. In the file <code>/et...
    Rule High Severity
    Show

  • SELinux - Booleans

    Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.
    Group
    Show

  • Configure the deny_execmem SELinux Boolean

    By default, the SELinux boolean <code>deny_execmem</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_deny_execmem" use="legacy"><...
    Rule Medium Severity
    Show

  • Configure the polyinstantiation_enabled SELinux Boolean

    By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_polyinstantiati...
    Rule Medium Severity
    Show

  • Configure the secure_mode_insmod SELinux Boolean

    By default, the SELinux boolean <code>secure_mode_insmod</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" us...
    Rule Medium Severity
    Show

  • Disable the selinuxuser_execheap SELinux Boolean

    By default, the SELinux boolean <code>selinuxuser_execheap</code> is disabled. When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled,...
    Rule Medium Severity
    Show

  • Disable the selinuxuser_execstack SELinux Boolean

    By default, the SELinux boolean <code>selinuxuser_execstack</code> is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disab...
    Rule Medium Severity
    Show

  • Disable the ssh_sysadm_login SELinux Boolean

    By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>ssh_sysadm_login</code> SELinux boolean, run the ...
    Rule Medium Severity
    Show

  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which SUSE Linux Enterprise 12 installs on a system and disable software ...
    Group
    Show

  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends configuring...
    Group
    Show

  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...
    Group
    Show

  • Uninstall DHCP Server Package

    If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with the following command: <pre> $ sudo zypper remove...
    Rule Medium Severity
    Show

  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...
    Group
    Show

  • Uninstall Sendmail Package

    Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the following command: <pre> $ sudo zypper remove sendmail</pr...
    Rule Medium Severity
    Show

  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules