ANSSI-BP-028 (intermediary)
Rules and Groups employed by this XCCDF Profile
-
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=...Rule Medium Severity -
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</pre> To make sure...Rule Medium Severity -
Configure Kernel Parameter for Accepting Secure Redirects By Default
To set the runtime status of the <code>net.ipv4.conf.default.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0</pre...Rule Medium Severity -
Configure Sending and Accepting Shared Media Redirects by Default
To set the runtime status of the <code>net.ipv4.conf.default.shared_media</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.shared_media=<xccdf-1.2:sub...Rule Medium Severity -
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_response...Rule Unknown Severity -
Set Kernel Parameter to Increase Local Port Range
To set the runtime status of the <code>net.ipv4.ip_local_port_range</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535</pre> To make ...Rule Medium Severity -
Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.tcp_rfc1337</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_rfc1337=1</pre> To make sure that the setting is p...Rule Medium Severity -
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> To make sure that the settin...Rule Medium Severity -
Network Parameters for Hosts Only
If the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network traffic.Group -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> To make su...Rule Medium Severity -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To...Rule Medium Severity -
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> To make sure that the setting is per...Rule Medium Severity -
nftables
<code>If firewalld or iptables are being used in your environment, please follow the guidance in their respective section and pass-over the guidance in this section.</code><br><br> nftables is a su...Group -
File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br> <br> Severa...Group -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...Group -
Ensure All World-Writable Directories Are Owned by root User
All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files...Rule Medium Severity -
Verify that All World-Writable Directories Have Sticky Bits Set
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may ...Rule Medium Severity -
Verify that system commands directories have root as a group owner
System commands are stored in the following directories: by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should have <code>root</code...Rule Medium Severity -
Verify that system commands directories have root ownership
System commands are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should be owned by the <code>...Rule Medium Severity -
Ensure All SGID Executables Are Authorized
The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not install...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.