ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Verify /boot/grub2/grub.cfg Group Ownership
The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. To properly set the group owner of <code>/boot/g...Rule Medium Severity -
Verify /boot/grub2/user.cfg Group Ownership
The file <code>/boot/grub2/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To properly set the group owner of <code>/boot/grub2...Rule Medium Severity -
Verify /boot/grub2/grub.cfg User Ownership
The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To properly set the owner of <code>/boot/grub2/grub.cfg...Rule Medium Severity -
Verify /boot/grub2/user.cfg User Ownership
The file <code>/boot/grub2/user.cfg</code> should be owned by the <code>root</code> user to prevent reading or modification of the file. To properly set the owner of <code>/boot/grub2/user.cfg</co...Rule Medium Severity -
Verify /boot/grub2/grub.cfg Permissions
File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>, run the command: <pre>$ sudo chmod 600 /boot/grub...Rule Medium Severity -
Verify /boot/grub2/user.cfg Permissions
File permissions for <code>/boot/grub2/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/user.cfg</code>, run the command: <pre>$ sudo chmod 600 /boot/grub...Rule Medium Severity -
Set Boot Loader Password in grub2
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generat...Rule High Severity -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Verify the UEFI Boot Loader grub.cfg Group Ownership
The file <code>/boot/efi/EFI/redhat/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. To properly set the group owner of <cod...Rule Medium Severity -
Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
The file <code>/boot/efi/EFI/redhat/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To properly set the group owner of <code>/b...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg User Ownership
The file <code>/boot/efi/EFI/redhat/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To properly set the owner of <code>/boot/efi/E...Rule Medium Severity -
Verify /boot/efi/EFI/redhat/user.cfg User Ownership
The file <code>/boot/efi/EFI/redhat/user.cfg</code> should be owned by the <code>root</code> user to prevent reading or modification of the file. To properly set the owner of <code>/boot/efi/EFI/r...Rule Medium Severity -
Verify the UEFI Boot Loader grub.cfg Permissions
File permissions for <code>/boot/efi/EFI/redhat/grub.cfg</code> should be set to 700. To properly set the permissions of <code>/boot/efi/EFI/redhat/grub.cfg</code>, run the command: <pre>$ sudo ch...Rule Medium Severity -
Verify /boot/efi/EFI/redhat/user.cfg Permissions
File permissions for <code>/boot/efi/EFI/redhat/user.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/efi/EFI/redhat/user.cfg</code>, run the command: <pre>$ sudo ch...Rule Medium Severity -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generat...Rule High Severity -
Kernel Configuration
Contains rules that check the kernel configuration that was used to build it.Group -
Do not allow ACPI methods to be inserted/replaced at run time
This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting the system. This configuration is available from kernel 3.0. The configuration that was used to build k...Rule Low Severity -
Emulate Privileged Access Never (PAN)
Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved zeroed area and reserved ASID. The user access routines restore the valid TTBR...Rule Medium Severity -
Disable kernel support for MISC binaries
Enabling <code>CONFIG_BINFMT_MISC</code> makes it possible to plug wrapper-driven binary formats into the kernel. This is specially useful for programs that need an interpreter to run like Java, Py...Rule Medium Severity -
Enable support for BUG()
Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel image and potentially quietly ignoring numerous fatal conditions. You should only consider disabling this...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.