ANSSI-BP-028 (enhanced)
Rules and Groups employed by this XCCDF Profile
-
User Initialization Files Must Be Owned By the Primary User
Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre> This rule ensures eve...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have a Valid Owner
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive us...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i> </pre> Files that beg...Rule Medium Severity -
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
Set the mode of the user initialization files to0740with the following command:$ sudo chmod 0740 /home/USER/.INIT_FILERule Medium Severity -
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and directories created by users will not be readable by an...Group -
Ensure the Default Bash Umask is Set Correctly
To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bash.bashrc</code> to read as follows: <pre>umask <xccdf-1.2:sub...Rule Medium Severity -
Ensure the Default Umask is Set Correctly in login.defs
To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc/login.defs</code> to read as follows: <pre>UMASK ...Rule Medium Severity -
Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: <pre>umask <xccdf...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.