ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Disable Access to Network bpf() Syscall From Unprivileged Processes
To set the runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1</pre> To make su...Rule Medium Severity -
Restrict usage of ptrace to descendant processes
To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> To make sure that the sett...Rule Medium Severity -
Harden the operation of the BPF just-in-time compiler
To set the runtime status of the <code>net.core.bpf_jit_harden</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.core.bpf_jit_harden=2</pre> To make sure that the settin...Rule Medium Severity -
Prevent applications from mapping low portion of virtual memory
To set the runtime status of the <code>vm.mmap_min_addr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w vm.mmap_min_addr=65536</pre> To make sure that the setting is persi...Rule Medium Severity -
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to acc...Group -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persisten...Rule Medium Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...Group -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...Rule Medium Severity -
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the se...Rule Medium Severity -
Memory Poisoning
Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of information and detection of corrupted memory.Group -
Enable page allocator poisoning
To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system. To ensure that <code>page_poison=1</code> is added ...Rule Medium Severity -
Enable SLUB/SLAB allocator poisoning
To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug_options" use="legacy"></xccdf-1.2:sub> ...Rule Medium Severity -
SELinux
SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can a...Group -
Uninstall setroubleshoot-plugins Package
The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>setroub...Rule Low Severity -
Uninstall setroubleshoot-server Package
The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>se...Rule Low Severity -
Uninstall setroubleshoot Package
The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The <code>se...Rule Low Severity -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct ...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub></code> at system boot time. In the file <code>/et...Rule High Severity -
SELinux - Booleans
Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.Group -
Configure the deny_execmem SELinux Boolean
By default, the SELinux boolean <code>deny_execmem</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_deny_execmem" use="legacy"><...Rule Medium Severity -
Configure the polyinstantiation_enabled SELinux Boolean
By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_polyinstantiati...Rule Medium Severity -
Disable the selinuxuser_execheap SELinux Boolean
By default, the SELinux boolean <code>selinuxuser_execheap</code> is disabled. When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled,...Rule Medium Severity -
Disable the selinuxuser_execstack SELinux Boolean
By default, the SELinux boolean <code>selinuxuser_execstack</code> is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disab...Rule Medium Severity -
Disable the ssh_sysadm_login SELinux Boolean
By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code>ssh_sysadm_login</code> SELinux boolean, run the ...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux 9 installs on a system and disable softwar...Group -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends confi...Group -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...Group -
Uninstall DHCP Server Package
If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with the following command: <pre> $ sudo dnf erase dhc...Rule Medium Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Uninstall Sendmail Package
Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the following command: <pre> $ sudo dnf erase sendmail</pre> ...Rule Medium Severity -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_ali...Rule Medium Severity -
Disable Postfix Network Listening
Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces = <xccdf-1.2:sub idref="xccdf_org.ssgproject.conten...Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Xinetd
The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. It has been large...Group -
Uninstall xinetd Package
Thexinetdpackage can be removed with the following command:$ sudo dnf erase xinetd
Rule Low Severity -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...Group -
Remove NIS Client
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (<code>ypbind</cod...Rule Unknown Severity -
Uninstall ypserv Package
Theypservpackage can be removed with the following command:$ sudo dnf erase ypserv
Rule High Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Uninstall rsh-server Package
Thersh-serverpackage can be removed with the following command:$ sudo dnf erase rsh-server
Rule High Severity -
Uninstall rsh Package
Thershpackage contains the client commands for the rsh servicesRule Unknown Severity -
Chat/Messaging Services
The talk software makes it possible for users to send and receive messages across systems through a terminal session.Group -
Uninstall talk-server Package
Thetalk-serverpackage can be removed with the following command:$ sudo dnf erase talk-server
Rule Medium Severity -
Uninstall talk Package
The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which ...Rule Medium Severity -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use tel...Group -
Uninstall telnet-server Package
Thetelnet-serverpackage can be removed with the following command:$ sudo dnf erase telnet-server
Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules