Skip to content

ANSSI-BP-028 (intermediary)

Rules and Groups employed by this XCCDF Profile

  • Add nosuid Option to /srv

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/srv</code>. The SUID and SGID permissions should...
    Rule Medium Severity
  • Add noexec Option to /tmp

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/tmp</code>. Add the <code>noexec</code> opti...
    Rule Medium Severity
  • Add nosuid Option to /tmp

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/tmp</code>. The SUID and SGID permissions should...
    Rule Medium Severity
  • Add noexec Option to /var/log

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/log</code>. Add the <code>noexec</code> ...
    Rule Medium Severity
  • Add nosuid Option to /var/log

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/log</code>. The SUID and SGID permissions sh...
    Rule Medium Severity
  • Add noexec Option to /var

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var</code>. Add the <code>noexec</code> opti...
    Rule Medium Severity
  • Add nosuid Option to /var

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var</code>. The SUID and SGID permissions should...
    Rule Medium Severity
  • Add noexec Option to /var/tmp

    The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/tmp</code>. Add the <code>noexec</code> ...
    Rule Medium Severity
  • Add nosuid Option to /var/tmp

    The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/tmp</code>. The SUID and SGID permissions sh...
    Rule Medium Severity
  • Restrict Programs from Dangerous Execution Patterns

    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...
    Group
  • Restrict Access to Kernel Message Buffer

    To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg...
    Rule Low Severity
  • Kernel panic on oops

    To set the runtime status of the <code>kernel.panic_on_oops</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.panic_...
    Rule Medium Severity
  • Limit CPU consumption of the Perf system

    To set the runtime status of the <code>kernel.perf_cpu_time_max_percent</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w k...
    Rule Medium Severity
  • Limit sampling frequency of the Perf system

    To set the runtime status of the <code>kernel.perf_event_max_sample_rate</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w ...
    Rule Medium Severity
  • Disallow kernel profiling by unprivileged users

    To set the runtime status of the <code>kernel.perf_event_paranoid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel....
    Rule Low Severity
  • Configure maximum number of process identifiers

    To set the runtime status of the <code>kernel.pid_max</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.pid_max=6553...
    Rule Medium Severity
  • Disallow magic SysRq key

    To set the runtime status of the <code>kernel.sysrq</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.sysrq=0</pre> ...
    Rule Medium Severity
  • Prevent applications from mapping low portion of virtual memory

    To set the runtime status of the <code>vm.mmap_min_addr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w vm.mmap_min_addr=...
    Rule Medium Severity
  • Disable Core Dumps

    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...
    Group
  • Disable Core Dumps for SUID programs

    To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=...
    Rule Medium Severity
  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...
    Group
  • Restrict Exposed Kernel Pointer Addresses Access

    To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_r...
    Rule Medium Severity
  • Enable Randomized Layout of Virtual Address Space

    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.r...
    Rule Medium Severity
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...
    Group
  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...
    Rule High Severity
  • SELinux - Booleans

    Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.
    Group
  • Configure the polyinstantiation_enabled SELinux Boolean

    By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccd...
    Rule Medium Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which SUSE Linux Enterp...
    Group
  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....
    Group
  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...
    Group
  • Uninstall DHCP Server Package

    If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with...
    Rule Medium Severity
  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
  • Uninstall Sendmail Package

    Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the followin...
    Rule Medium Severity
  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
  • Configure System to Forward All Mail For The Root Account

    Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org....
    Rule Medium Severity
  • Disable Postfix Network Listening

    Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...
    Rule Medium Severity
  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
  • Xinetd

    The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...
    Group
  • Uninstall xinetd Package

    The xinetd package can be removed with the following command:
    $ sudo zypper remove xinetd
    Rule Low Severity
  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...
    Group
  • Remove NIS Client

    The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system conf...
    Rule Unknown Severity
  • Uninstall ypserv Package

    The ypserv package can be removed with the following command:
    $ sudo zypper remove ypserv
    Rule High Severity
  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
  • Uninstall rsh-server Package

    The rsh-server package can be removed with the following command:
    $ sudo zypper remove rsh-server
    Rule High Severity
  • Uninstall rsh Package

    The rsh package contains the client commands for the rsh services
    Rule Unknown Severity
  • Chat/Messaging Services

    The talk software makes it possible for users to send and receive messages across systems through a terminal session.
    Group
  • Uninstall talk-server Package

    The talk-server package can be removed with the following command:
     $ sudo zypper remove talk-server
    Rule Medium Severity
  • Uninstall talk Package

    The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on differe...
    Rule Medium Severity
  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...
    Group
  • Uninstall telnet-server Package

    The telnet-server package can be removed with the following command:
    $ sudo zypper remove telnet-server
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules