Skip to content

ANSSI-BP-028 (intermediary)

Rules and Groups employed by this XCCDF Profile

  • Set PAM''s Password Hashing Algorithm

    The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</cod...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...
    Group
  • Set Password Maximum Age

    To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...
    Rule Medium Severity
  • Set Password Minimum Length in login.defs

    To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PA...
    Rule Medium Severity
  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...
    Group
  • Set number of Password Hashing Rounds - password-auth

    Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...
    Rule Medium Severity
  • Set number of Password Hashing Rounds - system-auth

    Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...
    Rule Medium Severity
  • Restrict Root Logins

    Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...
    Group
  • Direct root Logins Not Allowed

    To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty...
    Rule Medium Severity
  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...
    Group
  • Configure Polyinstantiation of /tmp Directories

    To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use th...
    Rule Low Severity
  • Configure Polyinstantiation of /var/tmp Directories

    To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use th...
    Rule Low Severity
  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...
    Rule Medium Severity
  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Ensure the audit Subsystem is Installed

    The audit package should be installed.
    Rule Medium Severity
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Record Information on the Use of Privileged Commands

    At a minimum, the audit system should collect the execution of privileged commands for all users and root.
    Group
  • Ensure auditd Collects Information on the Use of Privileged Commands - sudo

    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is con...
    Rule Medium Severity
  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...
    Group
  • Configure L1 Terminal Fault mitigations

    L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Ca...
    Rule High Severity
  • Force kernel panic on uncorrected MCEs

    A Machine Check Exception is an error generated by the CPU itdetects an error in itself, memory or I/O devices. These errors may be corrected and g...
    Rule Medium Severity
  • Configure Microarchitectural Data Sampling mitigation

    Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in vario...
    Rule Medium Severity
  • Enable randomization of the page allocator

    To enable randomization of the page allocator in the kernel, add the <code>page_alloc.shuffle=1</code> argument to the default GRUB 2 command line....
    Rule Medium Severity
  • Enable Kernel Page-Table Isolation (KPTI)

    To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system. To e...
    Rule Low Severity
  • Configure the confidence in TPM for entropy

    The TPM security chip that is available in most modern systems has a hardware RNG. It is also used to feed the entropy pool, but generally not cred...
    Rule Low Severity
  • Disable merging of slabs with similar size

    The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs se...
    Rule Medium Severity
  • Configure Speculative Store Bypass Mitigation

    Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In...
    Rule Medium Severity
  • Enforce Spectre v2 mitigation

    Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor int...
    Rule High Severity
  • Non-UEFI GRUB2 bootloader configuration

    Non-UEFI GRUB2 bootloader configuration
    Group
  • Set Boot Loader Password in grub2

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...
    Rule High Severity
  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
  • Set the UEFI Boot Loader Password

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...
    Rule High Severity
  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses th...
    Group
  • IPv6

    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the numb...
    Group
  • Configure IPv6 Settings if Necessary

    A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from ...
    Group
  • Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w...
    Rule Unknown Severity
  • Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w ...
    Rule Unknown Severity
  • Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra_rtr_pref</code> kernel parameter, run the following command: <pre>$ sudo sysctl ...
    Rule Unknown Severity
  • Disable Accepting ICMP Redirects for All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w...
    Rule Medium Severity
  • Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl...
    Rule Medium Severity
  • Configure Auto Configuration on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.autoconf</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv...
    Rule Unknown Severity
  • Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.max_addresses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w ne...
    Rule Unknown Severity
  • Configure Denying Router Solicitations on All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.router_solicitations</code> kernel parameter, run the following command: <pre>$ sudo sysct...
    Rule Unknown Severity
  • Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_defrtr</code> kernel parameter, run the following command: <pre>$ sudo sysct...
    Rule Unknown Severity
  • Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_pinfo</code> kernel parameter, run the following command: <pre>$ sudo sysctl...
    Rule Unknown Severity
  • Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra_rtr_pref</code> kernel parameter, run the following command: <pre>$ sudo sys...
    Rule Unknown Severity
  • Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysct...
    Rule Medium Severity
  • Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sy...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules