ANSSI-BP-028 (intermediary)
Rules and Groups employed by this XCCDF Profile
-
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org....Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...Group -
Xinetd
The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...Group -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...Group -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Chat/Messaging Services
The talk software makes it possible for users to send and receive messages across systems through a terminal session.Group -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...Group -
TFTP Server
TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides littl...Group -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...Group -
Verify Group Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be group-owned byrootgroup.Rule Medium Severity -
Verify Group Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be group-owned byrootgroup.Rule Medium Severity -
Verify Ownership on SSH Server Private *_key Key Files
SSH server private keys, files that match the/etc/ssh/*_keyglob, must be owned byrootuser.Rule Medium Severity -
Verify Ownership on SSH Server Public *.pub Key Files
SSH server public keys, files that match the/etc/ssh/*.pubglob, must be owned byrootuser.Rule Medium Severity -
Verify Permissions on SSH Server Private *_key Key Files
SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by t...Rule Medium Severity -
Verify Permissions on SSH Server Public *.pub Key Files
To properly set the permissions of/etc/ssh/*.pub, run the command:$ sudo chmod 0644 /etc/ssh/*.pub
Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...Group -
Disable SSH Root Login
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following lin...Rule Medium Severity -
Ensure /boot Located On Separate Partition
It is recommended that the <code>/boot</code> directory resides on a separate partition. This makes it easier to apply restrictions e.g. through th...Rule Medium Severity -
Ensure /opt Located On Separate Partition
It is recommended that the/optdirectory resides on a separate partition.Rule Medium Severity -
Ensure /usr Located On Separate Partition
It is recommended that the/usrdirectory resides on a separate partition.Rule Medium Severity -
Ensure /var/tmp Located On Separate Partition
The <code>/var/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volum...Rule Medium Severity -
Ensure tmp.mount Unit Us Enabled
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. This directory is managed by <code>systemd-tmpfiles<...Rule Low Severity -
Install sudo Package
Thesudopackage can be installed with the following command:$ apt-get install sudo
Rule Medium Severity -
Verify Group Who Owns /etc/sudoers.d Directory
To properly set the group owner of/etc/sudoers.d, run the command:$ sudo chgrp root /etc/sudoers.d
Rule Medium Severity -
Verify User Who Owns /etc/sudoers.d Directory
To properly set the owner of/etc/sudoers.d, run the command:$ sudo chown root /etc/sudoers.d
Rule Medium Severity -
Verify Permissions On /etc/sudoers.d Directory
To properly set the permissions of/etc/sudoers.d, run the command:$ sudo chmod 0750 /etc/sudoers.d
Rule Medium Severity -
Verify Group Who Owns /etc/sudoers File
To properly set the group owner of/etc/sudoers, run the command:$ sudo chgrp root /etc/sudoers
Rule Medium Severity -
Verify User Who Owns /etc/sudoers File
To properly set the owner of/etc/sudoers, run the command:$ sudo chown root /etc/sudoers
Rule Medium Severity -
Verify Permissions On /etc/sudoers File
To properly set the permissions of/etc/sudoers, run the command:$ sudo chmod 0440 /etc/sudoers
Rule Medium Severity -
Ensure sudo Runs In A Minimal Environment - sudo env_reset
The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, L...Rule Medium Severity -
Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
The sudo <code>ignore_dot</code> tag, when specified, will ignore the current directory in the PATH environment variable. This should be enabled by...Rule Medium Severity -
Ensure sudo umask is appropriate - sudo umask
The sudo <code>umask</code> tag, when specified, will be added the to the user's umask in the command environment. The umask should be configured b...Rule Medium Severity -
Ensure Software Patches Installed
If the system has an apt repository available, run the following command to install updates: <pre>$ apt update && apt full-upgrade</pre> ...Rule Medium Severity -
Install pam_pwquality Package
Thelibpam-pwqualitypackage can be installed with the following command:$ apt-get install libpam-pwquality
Rule Medium Severity -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Set Interval For Counting Failed Password Attempts
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of inc...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character t...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/com...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...Rule Medium Severity -
Set Password Hashing Algorithm in /etc/login.defs
In <code>/etc/login.defs</code>, add or update the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_...Rule Medium Severity -
Configure Logind to terminate idle sessions after certain time of inactivity
To configure <code>logind</code> service to terminate inactive user sessions after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_log...Rule Medium Severity -
Set Root Account Password Maximum Age
Configure the root account to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_root" use="legacy"></xccd...Rule Medium Severity -
Set number of Password Hashing Rounds - password-auth
Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the <code>rounds</code> option for the <code>p...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.