Skip to content
Log In

ANSSI-BP-028 (high)

Rules and Groups employed by this XCCDF Profile

  • Remove telnet Clients

    The telnet client allows users to start connections to other systems via the telnet protocol.
    Rule Low Severity
    Show

  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking oper...
    Group
    Show

  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command: 
     $ sudo dnf erase tftp-server
    Rule High Severity
    Show

  • Remove tftp Daemon

    Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication ...
    Rule Low Severity
    Show

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
    Show

  • Verify Group Who Owns SSH Server config file

    To properly set the group owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chgrp root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Group Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be group-owned by ssh_keys group.
    Rule Medium Severity
    Show

  • Verify Group Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be group-owned by root group.
    Rule Medium Severity
    Show

  • Verify Owner on SSH Server config file

    To properly set the owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chown root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be owned by root user.
    Rule Medium Severity
    Show

  • Verify Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned by root user.
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server config file

    To properly set the permissions of /etc/ssh/sshd_config, run the command: 
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server Public *.pub Key Files

    To properly set the permissions of /etc/ssh/*.pub, run the command: 
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rule Medium Severity
    Show

  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
    Show

  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-compliancea...
    Rule Medium Severity
    Show

  • System Security Services Daemon

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, ...
    Group
    Show

  • System Security Services Daemon (SSSD) - LDAP

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, ...
    Group
    Show

  • Ensure tmp.mount Unit Us Enabled

    The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles</code>. Ensure that the <code>tmp.mount</code> sys...
    Rule Low Severity
    Show

  • Verify Group Who Owns /etc/sudoers.d Directory

    To properly set the group owner of /etc/sudoers.d, run the command: 
    $ sudo chgrp root /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sudoers.d Directory

    To properly set the owner of /etc/sudoers.d, run the command: 
    $ sudo chown root /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sudoers.d Directory

    To properly set the permissions of /etc/sudoers.d, run the command: 
    $ sudo chmod 0750 /etc/sudoers.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/sudoers File

    To properly set the group owner of /etc/sudoers, run the command: 
    $ sudo chgrp root /etc/sudoers
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sudoers File

    To properly set the owner of /etc/sudoers, run the command: 
    $ sudo chown root /etc/sudoers
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sudoers File

    To properly set the permissions of /etc/sudoers, run the command: 
    $ sudo chmod 0440 /etc/sudoers
    Rule Medium Severity
    Show

  • Ensure That the sudo Binary Has the Correct Permissions

    To properly set the permissions of /usr/bin/sudo, run the command: 
    $ sudo chmod 4111 /usr/bin/sudo
    Rule Medium Severity
    Show

  • Ensure a dedicated group owns sudo

    Restrict the execution of privilege escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2...
    Rule Medium Severity
    Show

  • Set Root Account Password Maximum Age

    Configure the root account to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_root" use="legacy"></xccdf-1.2:sub>-day maximum password lifetime restricti...
    Rule Medium Severity
    Show

  • User Initialization Files Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local interactive user home directory, use the following ...
    Rule Medium Severity
    Show

  • User Initialization Files Must Be Owned By the Primary User

    Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre> This rule ensures eve...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

    Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Have a Valid Owner

    Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive us...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

    Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i> </pre> Files ...
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.d Directory

    To properly set the group owner of /etc/ipsec.d, run the command: 
    $ sudo chgrp root /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.d Directory

    To properly set the owner of /etc/ipsec.d, run the command: 
    $ sudo chown root /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.d Directory

    To properly set the permissions of /etc/ipsec.d, run the command: 
    $ sudo chmod 0700 /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.conf File

    To properly set the group owner of /etc/ipsec.conf, run the command: 
    $ sudo chgrp root /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.secrets File

    To properly set the group owner of /etc/ipsec.secrets, run the command: 
    $ sudo chgrp root /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.conf File

    To properly set the owner of /etc/ipsec.conf, run the command: 
    $ sudo chown root /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.secrets File

    To properly set the owner of /etc/ipsec.secrets, run the command: 
    $ sudo chown root /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.conf File

    To properly set the permissions of /etc/ipsec.conf, run the command: 
    $ sudo chmod 0644 /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.secrets File

    To properly set the permissions of /etc/ipsec.secrets, run the command: 
    $ sudo chmod 0644 /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/iptables Directory

    To properly set the group owner of /etc/iptables, run the command: 
    $ sudo chgrp root /etc/iptables
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/iptables Directory

    To properly set the owner of /etc/iptables, run the command: 
    $ sudo chown root /etc/iptables
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/iptables Directory

    To properly set the permissions of /etc/iptables, run the command: 
    $ sudo chmod 0600 /etc/iptables
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/nftables Directory

    To properly set the group owner of /etc/nftables, run the command: 
    $ sudo chgrp root /etc/nftables
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/nftables Directory

    To properly set the owner of /etc/nftables, run the command: 
    $ sudo chown root /etc/nftables
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/nftables Directory

    To properly set the permissions of /etc/nftables, run the command: 
    $ sudo chmod 0700 /etc/nftables
    Rule Medium Severity
    Show

  • Verify that system commands directories have root as a group owner

    System commands are stored in the following directories: by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should have <code>root</code...
    Rule Medium Severity
    Show

  • Verify that system commands directories have root ownership

    System commands are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should be owned by the <code>...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules