Profile for ANSSI DAT-NT28 High (Enforced) Level
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.Group -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning sc...Group -
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). If <code>/home</code> will be mounted from ...Rule Low Severity -
Ensure /tmp Located On Separate Partition
The/tmpdirectory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.Rule Low Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation...Rule Low Severity -
Ensure /var/log Located On Separate Partition
System logs are stored in the/var/logdirectory. Ensure that/var/loghas its own partition or logical volume at installation time, or migrate it using LVM.Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volume at installation time, or migrate it using LVM. M...Rule Low Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups...Group -
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authe...Rule Medium Severity -
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>NOPASSWD</code...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...Group -
Ensure the audit Subsystem is Installed
The audit package should be installed.Rule Medium Severity -
Enable auditd Service
The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The <code>auditd</code> service can be ena...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly ...Group -
IOMMU configuration directive
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. Configure the default Gru...Rule Unknown Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...Group -
Ensure rsyslog is Installed
Rsyslog is installed by default. Thersyslogpackage can be installed with the following command:$ apt-get install rsyslog
Rule Medium Severity -
Enable rsyslog Service
The <code>rsyslog</code> service provides syslog-style logging by default on Debian 10. The <code>rsyslog</code> service can be enabled with the following command: <pre>$ sudo systemctl enable rsy...Rule Medium Severity -
Ensure Proper Configuration of Log Files
The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of a <i>selector</i> and an <i>action</i>. These rul...Group -
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by <code>rsyslog</code> should be <code>adm</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> an...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate User
The owner of all log files written by <code>rsyslog</code> should be <code>adm</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and ty...Rule Medium Severity -
Ensure System Log Files Have Correct Permissions
The file permissions for all log files written by <code>rsyslog</code> should be set to 640, or more restrictive. These log files are determined by the second part of each Rule line in <code>/etc/r...Rule Medium Severity -
Ensure All Logs are Rotated by logrotate
Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spoole...Group -
Ensure Logrotate Runs Periodically
The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate.conf</code>, which triggers a cron task or a timer...Rule Medium Severity -
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
By default, <code>rsyslog</code> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the ...Group -
Ensure syslog-ng is Installed
syslog-ng can be installed in replacement of rsyslog. Thesyslog-ng-corepackage can be installed with the following command:$ apt-get install syslog-ng-core
Rule Medium Severity -
Enable syslog-ng Service
The <code>syslog-ng</code> service (in replacement of rsyslog) provides syslog-style logging by default on Debian. The <code>syslog-ng</code> service can be enabled with the following command: <pr...Rule Medium Severity -
File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br><br> Several of th...Group -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...Group -
Verify that local System.map file (if exists) is readable only by root
Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set t...Rule Unknown Severity -
Enable Kernel Parameter to Enforce DAC on Hardlinks
To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_hardlinks=1</pre> To make sure that the setting ...Rule Medium Severity -
Enable Kernel Parameter to Enforce DAC on Symlinks
To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_symlinks=1</pre> To make sure that the setting is...Rule Medium Severity -
Verify Permissions on Files with Local Account Information and Credentials
The default restrictive permissions for files which act as important security databases such as <code>passwd</code>, <code>shadow</code>, <code>group</code>, and <code>gshadow</code> files must be ...Group -
Verify Group Who Owns group File
To properly set the group owner of/etc/group, run the command:$ sudo chgrp root /etc/group
Rule Medium Severity -
Verify Group Who Owns gshadow File
To properly set the group owner of/etc/gshadow, run the command:$ sudo chgrp shadow /etc/gshadow
Rule Medium Severity -
Verify Group Who Owns passwd File
To properly set the group owner of/etc/passwd, run the command:$ sudo chgrp root /etc/passwd
Rule Medium Severity -
Verify Group Who Owns shadow File
To properly set the group owner of/etc/shadow, run the command:$ sudo chgrp shadow /etc/shadow
Rule Medium Severity -
Verify User Who Owns group File
To properly set the owner of/etc/group, run the command:$ sudo chown root /etc/group
Rule Medium Severity -
Verify User Who Owns gshadow File
To properly set the owner of/etc/gshadow, run the command:$ sudo chown root /etc/gshadow
Rule Medium Severity -
Verify User Who Owns passwd File
To properly set the owner of/etc/passwd, run the command:$ sudo chown root /etc/passwd
Rule Medium Severity -
Verify User Who Owns shadow File
To properly set the owner of/etc/shadow, run the command:$ sudo chown root /etc/shadow
Rule Medium Severity -
Verify Permissions on group File
To properly set the permissions of/etc/group, run the command:$ sudo chmod 0644 /etc/group
Rule Medium Severity -
Verify Permissions on gshadow File
To properly set the permissions of/etc/gshadow, run the command:$ sudo chmod 0640 /etc/gshadow
Rule Medium Severity -
Verify Permissions on passwd File
To properly set the permissions of/etc/passwd, run the command:$ sudo chmod 0644 /etc/passwd
Rule Medium Severity -
Verify Permissions on shadow File
To properly set the permissions of/etc/shadow, run the command:$ sudo chmod 0640 /etc/shadow
Rule Medium Severity -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the ...Group -
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to acc...Group -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=0</pre> To make sure that the setting is persisten...Rule Medium Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules