Skip to content

ANSSI-BP-028 (enhanced)

Rules and Groups employed by this XCCDF Profile

  • Verify Permissions on gshadow File

    To properly set the permissions of /etc/gshadow, run the command:
    $ sudo chmod 0640 /etc/gshadow
    Rule Medium Severity
  • Verify Permissions on passwd File

    To properly set the permissions of /etc/passwd, run the command:
    $ sudo chmod 0644 /etc/passwd
    Rule Medium Severity
  • Verify Permissions on shadow File

    To properly set the permissions of /etc/shadow, run the command:
    $ sudo chmod 0640 /etc/shadow
    Rule Medium Severity
  • Verify File Permissions Within Some Important Directories

    Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. A...
    Group
  • Verify that System Executables Have Root Ownership

    System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin</pre> All files in these directories should be ...
    Rule Medium Severity
  • Verify that System Executables Have Restrictive Permissions

    System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin</pre> All files in these directories should not...
    Rule Medium Severity
  • Restrict Partition Mount Options

    System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the <code>/etc/fstab</code> configuration file, and can be used to m...
    Group
  • Restrict Programs from Dangerous Execution Patterns

    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the ...
    Group
  • Kernel panic on oops

    To set the runtime status of the <code>kernel.panic_on_oops</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.panic_on_oops=1</pre> To make sure that the setting is p...
    Rule Medium Severity
  • Disable Core Dumps

    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to acc...
    Group
  • Disable Core Dumps for SUID programs

    To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persisten...
    Rule Medium Severity
  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...
    Group
  • Restrict Exposed Kernel Pointer Addresses Access

    To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...
    Rule Medium Severity
  • Enable Randomized Layout of Virtual Address Space

    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the se...
    Rule Medium Severity
  • Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems

    Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Int...
    Group
  • Memory Poisoning

    Memory Poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leak of information and detection of corrupted memory.
    Group
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can a...
    Group
  • SELinux - Booleans

    Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.
    Group
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Debian 12 installs on a system and disable software which is not ne...
    Group
  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends configuring...
    Group
  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...
    Group
  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...
    Group
  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
  • Configure System to Forward All Mail For The Root Account

    Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_ali...
    Rule Medium Severity
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...
    Rule Medium Severity
  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. M...
    Rule Medium Severity
  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...
    Group
  • Xinetd

    The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. It has been large...
    Group
  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS...
    Group
  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
  • Chat/Messaging Services

    The talk software makes it possible for users to send and receive messages across systems through a terminal session.
    Group
  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use tel...
    Group
  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking oper...
    Group
  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...
    Group
  • Verify Group Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be group-owned by root group.
    Rule Medium Severity
  • Verify Group Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be group-owned by root group.
    Rule Medium Severity
  • Verify Ownership on SSH Server Private *_key Key Files

    SSH server private keys, files that match the /etc/ssh/*_key glob, must be owned by root user.
    Rule Medium Severity
  • Verify Ownership on SSH Server Public *.pub Key Files

    SSH server public keys, files that match the /etc/ssh/*.pub glob, must be owned by root user.
    Rule Medium Severity
  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code...
    Rule Medium Severity
  • Verify Permissions on SSH Server Public *.pub Key Files

    To properly set the permissions of /etc/ssh/*.pub, run the command:
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rule Medium Severity
  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Pe...
    Rule Medium Severity
  • Ensure /boot Located On Separate Partition

    It is recommended that the <code>/boot</code> directory resides on a separate partition. This makes it easier to apply restrictions e.g. through the <code>noexec</code> mount option. Eventually, th...
    Rule Medium Severity
  • Ensure /opt Located On Separate Partition

    It is recommended that the /opt directory resides on a separate partition.
    Rule Medium Severity
  • Ensure /usr Located On Separate Partition

    It is recommended that the /usr directory resides on a separate partition.
    Rule Medium Severity
  • Ensure /var/tmp Located On Separate Partition

    The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
    Rule Medium Severity
  • Ensure tmp.mount Unit Us Enabled

    The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles</code>. Ensure that the <code>tmp.mount</code> sys...
    Rule Low Severity
  • Install sudo Package

    The sudo package can be installed with the following command:
    $ apt-get install sudo
    Rule Medium Severity
  • Verify Group Who Owns /etc/sudoers.d Directory

    To properly set the group owner of /etc/sudoers.d, run the command:
    $ sudo chgrp root /etc/sudoers.d
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules