Skip to content
Log In

ANSSI-BP-028 (intermediary)

Rules and Groups employed by this XCCDF Profile

  • Verify User Who Owns /etc/sudoers File

    To properly set the owner of /etc/sudoers, run the command: 
    $ sudo chown root /etc/sudoers
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sudoers File

    To properly set the permissions of /etc/sudoers, run the command: 
    $ sudo chmod 0440 /etc/sudoers
    Rule Medium Severity
    Show

  • Set Root Account Password Maximum Age

    Configure the root account to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_root" use="legacy"></xccdf-1.2:sub>-day maximum password lifetime restricti...
    Rule Medium Severity
    Show

  • User Initialization Files Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local interactive user home directory, use the following ...
    Rule Medium Severity
    Show

  • User Initialization Files Must Be Owned By the Primary User

    Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre> This rule ensures eve...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

    Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Have a Valid Owner

    Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories. To assign a valid owner to a local interactive us...
    Rule Medium Severity
    Show

  • All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

    Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i> </pre> Files ...
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.d Directory

    To properly set the group owner of /etc/ipsec.d, run the command: 
    $ sudo chgrp root /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.d Directory

    To properly set the owner of /etc/ipsec.d, run the command: 
    $ sudo chown root /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.d Directory

    To properly set the permissions of /etc/ipsec.d, run the command: 
    $ sudo chmod 0700 /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.conf File

    To properly set the group owner of /etc/ipsec.conf, run the command: 
    $ sudo chgrp root /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.secrets File

    To properly set the group owner of /etc/ipsec.secrets, run the command: 
    $ sudo chgrp root /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.conf File

    To properly set the owner of /etc/ipsec.conf, run the command: 
    $ sudo chown root /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.secrets File

    To properly set the owner of /etc/ipsec.secrets, run the command: 
    $ sudo chown root /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.conf File

    To properly set the permissions of /etc/ipsec.conf, run the command: 
    $ sudo chmod 0644 /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.secrets File

    To properly set the permissions of /etc/ipsec.secrets, run the command: 
    $ sudo chmod 0644 /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/iptables Directory

    To properly set the group owner of /etc/iptables, run the command: 
    $ sudo chgrp root /etc/iptables
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/iptables Directory

    To properly set the owner of /etc/iptables, run the command: 
    $ sudo chown root /etc/iptables
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/iptables Directory

    To properly set the permissions of /etc/iptables, run the command: 
    $ sudo chmod 0600 /etc/iptables
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/nftables Directory

    To properly set the group owner of /etc/nftables, run the command: 
    $ sudo chgrp root /etc/nftables
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/nftables Directory

    To properly set the owner of /etc/nftables, run the command: 
    $ sudo chown root /etc/nftables
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/nftables Directory

    To properly set the permissions of /etc/nftables, run the command: 
    $ sudo chmod 0700 /etc/nftables
    Rule Medium Severity
    Show

  • Verify that system commands directories have root as a group owner

    System commands are stored in the following directories: by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should have <code>root</code...
    Rule Medium Severity
    Show

  • Verify that system commands directories have root ownership

    System commands are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should be owned by the <code>...
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/crypttab File

    To properly set the group owner of /etc/crypttab, run the command: 
    $ sudo chgrp root /etc/crypttab
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/crypttab File

    To properly set the owner of /etc/crypttab, run the command: 
    $ sudo chown root /etc/crypttab
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/crypttab File

    To properly set the permissions of /etc/crypttab, run the command: 
    $ sudo chmod 0600 /etc/crypttab
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/shells File

    To properly set the group owner of /etc/shells, run the command: 
    $ sudo chgrp root /etc/shells
    Rule Medium Severity
    Show

  • Verify Who Owns /etc/shells File

    To properly set the owner of /etc/shells, run the command: 
    $ sudo chown root /etc/shells
    Rule Medium Severity
    Show

  • Verify Permissions on /etc/shells File

    To properly set the permissions of /etc/shells, run the command: 
    $ sudo chmod 0644 /etc/shells
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/sysctl.d Directory

    To properly set the group owner of /etc/sysctl.d, run the command: 
    $ sudo chgrp root /etc/sysctl.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sysctl.d Directory

    To properly set the owner of /etc/sysctl.d, run the command: 
    $ sudo chown root /etc/sysctl.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sysctl.d Directory

    To properly set the permissions of /etc/sysctl.d, run the command: 
    $ sudo chmod 0755 /etc/sysctl.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/selinux Directory

    To properly set the group owner of /etc/selinux, run the command: 
    $ sudo chgrp root /etc/selinux
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/selinux Directory

    To properly set the owner of /etc/selinux, run the command: 
    $ sudo chown root /etc/selinux
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/selinux Directory

    To properly set the permissions of /etc/selinux, run the command: 
    $ sudo chmod 0755 /etc/selinux
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/sestatus.conf File

    To properly set the group owner of /etc/sestatus.conf, run the command: 
    $ sudo chgrp root /etc/sestatus.conf
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sestatus.conf File

    To properly set the owner of /etc/sestatus.conf, run the command: 
    $ sudo chown root /etc/sestatus.conf
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sestatus.conf File

    To properly set the permissions of /etc/sestatus.conf, run the command: 
    $ sudo chmod 0644 /etc/sestatus.conf
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/chrony.keys File

    To properly set the group owner of /etc/chrony.keys, run the command: 
    $ sudo chgrp root /etc/chrony.keys
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/chrony.keys File

    To properly set the owner of /etc/chrony.keys, run the command: 
    $ sudo chown root /etc/chrony.keys
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/chrony.keys File

    To properly set the permissions of /etc/chrony.keys, run the command: 
    $ sudo chmod 0600 /etc/chrony.keys
    Rule Medium Severity
    Show

  • Install the SSSD Package

    The sssd package should be installed. The sssd package can be installed with the following command: 
    $ sudo dnf install sssd
    Rule Medium Severity
    Show

  • Enable the SSSD Service

    The SSSD service should be enabled. The sssd service can be enabled with the following command: 
    $ sudo systemctl enable sssd.service
    Rule Medium Severity
    Show

  • Configure PAM in SSSD Services

    SSSD should be configured to run SSSD <code>pam</code> services. To configure SSSD to known SSH hosts, add <code>pam</code> to <code>services</code> under the <code>[sssd]</code> section in <code>/...
    Rule Medium Severity
    Show

  • Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server

    Configure SSSD to demand a valid certificate from the server to protect the integrity of LDAP remote access sessions by setting the <pre>ldap_tls_reqcert</pre> option in <pre>/etc/sssd/sssd.conf</p...
    Rule Medium Severity
    Show

  • Configure SSSD LDAP Backend to Use TLS For All Transactions

    The LDAP client should be configured to implement TLS for the integrity of all remote LDAP authentication sessions. If the <code>id_provider</code> is set to <code>ldap</code> or <code>ipa</code> i...
    Rule High Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules