Skip to content
Log In

ANSSI-BP-028 (enhanced)

Rules and Groups employed by this XCCDF Profile

  • Verify Group Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be group-owned by ssh_keys group.
    Rule Medium Severity
    Show

  • Verify Group Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be group-owned by root group.
    Rule Medium Severity
    Show

  • Verify Owner on SSH Server config file

    To properly set the owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chown root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be owned by root user.
    Rule Medium Severity
    Show

  • Verify Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned by root user.
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server config file

    To properly set the permissions of /etc/ssh/sshd_config, run the command: 
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Public *.pub Key Files

    To properly set the permissions of /etc/ssh/*.pub, run the command: 
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rule Medium Severity
    Show

  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
    Show

  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-compliancea...
    Rule Medium Severity
    Show

  • System Security Services Daemon

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, ...
    Group
    Show

  • System Security Services Daemon (SSSD) - LDAP

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, ...
    Group
    Show

  • Ensure tmp.mount Unit Us Enabled

    The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles</code>. Ensure that the <code>tmp.mount</code> sys...
    Rule Low Severity
    Show

  • Verify Group Who Owns /etc/sudoers.d Directory

    To properly set the group owner of /etc/sudoers.d, run the command: 
    $ sudo chgrp root /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sudoers.d Directory

    To properly set the owner of /etc/sudoers.d, run the command: 
    $ sudo chown root /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sudoers.d Directory

    To properly set the permissions of /etc/sudoers.d, run the command: 
    $ sudo chmod 0750 /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/sudoers File

    To properly set the group owner of /etc/sudoers, run the command: 
    $ sudo chgrp root /etc/sudoers
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sudoers File

    To properly set the owner of /etc/sudoers, run the command: 
    $ sudo chown root /etc/sudoers
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sudoers File

    To properly set the permissions of /etc/sudoers, run the command: 
    $ sudo chmod 0440 /etc/sudoers
    Rule Medium Severity
    Show

  • Ensure That the sudo Binary Has the Correct Permissions

    To properly set the permissions of /usr/bin/sudo, run the command: 
    $ sudo chmod 4111 /usr/bin/sudo
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules