Profile for ANSSI DAT-NT28 Restrictive Level
Rules and Groups employed by this XCCDF Profile
-
Uninstall the inet-based telnet server
The inet-based telnet daemon should be uninstalled.Rule High Severity -
Uninstall the nis package
The support for Yellowpages should not be installed unless it is required.Rule Low Severity -
Uninstall the ntpdate package
ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.Rule Low Severity -
Uninstall the ssl compliant telnet server
Thetelnet
daemon, even with ssl support, should be uninstalled.Rule High Severity -
Uninstall the telnet server
The telnet daemon should be uninstalled.Rule High Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Install the ntp service
The ntpd service should be installed.Rule High Severity -
Enable the NTP Daemon
Thentp
service can be enabled with the following command:$ sudo systemctl enable ntp.service
Rule High Severity -
Enable systemd_timesyncd Service
Thesystemd_timesyncd
service can be enabled with the following command:$ sudo systemctl enable systemd_timesyncd.service
Rule High Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...Group -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...Group -
Set SSH Client Alive Count Max to zero
The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The optio...Rule Medium Severity -
Set SSH Client Alive Interval
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automat...Rule Medium Severity -
Allow Only SSH Protocol 2
Only SSH protocol version 2 connections should be permitted. The default setting in <code>/etc/ssh/sshd_config</code> is correct, and can be verifi...Rule High Severity -
Disable SSH Access via Empty Passwords
Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used ...Rule High Severity -
Disable SSH Root Login
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following lin...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules