Skip to content

Profile for ANSSI DAT-NT28 Minimal Level

Rules and Groups employed by this XCCDF Profile

  • System Settings

    Contains rules that check correct system settings.
    Group
  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...
    Group
  • Sudo

    <code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...
    Group
  • Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

    The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This shoul...
    Rule Medium Severity
  • Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

    The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be dis...
    Rule Medium Severity
  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...
    Group
  • Ensure rsyslog is Installed

    Rsyslog is installed by default. The rsyslog package can be installed with the following command:
     $ apt-get install rsyslog
    Rule Medium Severity
  • Enable rsyslog Service

    The <code>rsyslog</code> service provides syslog-style logging by default on Debian 10. The <code>rsyslog</code> service can be enabled with the f...
    Rule Medium Severity
  • Configure rsyslogd to Accept Remote Messages If Acting as a Log Server

    By default, <code>rsyslog</code> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon t...
    Group
  • Ensure syslog-ng is Installed

    syslog-ng can be installed in replacement of rsyslog. The <code>syslog-ng-core</code> package can be installed with the following command: <pre> $ ...
    Rule Medium Severity
  • Enable syslog-ng Service

    The <code>syslog-ng</code> service (in replacement of rsyslog) provides syslog-style logging by default on Debian. The <code>syslog-ng</code> serv...
    Rule Medium Severity
  • File Permissions and Masks

    Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which t...
    Group
  • Verify Permissions on Important Files and Directories

    Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses impo...
    Group
  • Verify Permissions on Files with Local Account Information and Credentials

    The default restrictive permissions for files which act as important security databases such as <code>passwd</code>, <code>shadow</code>, <code>gro...
    Group
  • Verify Group Who Owns group File

    To properly set the group owner of /etc/group, run the command:
    $ sudo chgrp root /etc/group
    Rule Medium Severity
  • Verify Group Who Owns gshadow File

    To properly set the group owner of /etc/gshadow, run the command:
    $ sudo chgrp shadow /etc/gshadow
    Rule Medium Severity
  • Verify Group Who Owns passwd File

    To properly set the group owner of /etc/passwd, run the command:
    $ sudo chgrp root /etc/passwd
    Rule Medium Severity
  • Verify Group Who Owns shadow File

    To properly set the group owner of /etc/shadow, run the command:
    $ sudo chgrp shadow /etc/shadow
    Rule Medium Severity
  • Verify User Who Owns group File

    To properly set the owner of /etc/group, run the command:
    $ sudo chown root /etc/group 
    Rule Medium Severity
  • Verify User Who Owns gshadow File

    To properly set the owner of /etc/gshadow, run the command:
    $ sudo chown root /etc/gshadow 
    Rule Medium Severity
  • Verify User Who Owns passwd File

    To properly set the owner of /etc/passwd, run the command:
    $ sudo chown root /etc/passwd 
    Rule Medium Severity
  • Verify User Who Owns shadow File

    To properly set the owner of /etc/shadow, run the command:
    $ sudo chown root /etc/shadow 
    Rule Medium Severity
  • Verify Permissions on group File

    To properly set the permissions of /etc/group, run the command:
    $ sudo chmod 0644 /etc/group
    Rule Medium Severity
  • Verify Permissions on gshadow File

    To properly set the permissions of /etc/gshadow, run the command:
    $ sudo chmod 0640 /etc/gshadow
    Rule Medium Severity
  • Verify Permissions on passwd File

    To properly set the permissions of /etc/passwd, run the command:
    $ sudo chmod 0644 /etc/passwd
    Rule Medium Severity
  • Verify Permissions on shadow File

    To properly set the permissions of /etc/shadow, run the command:
    $ sudo chmod 0640 /etc/shadow
    Rule Medium Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Debian 10 install...
    Group
  • APT service configuration

    The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient sec...
    Group
  • Disable unauthenticated repositories in APT configuration

    Unauthenticated repositories should not be used for updates.
    Rule Unknown Severity
  • Ensure that official distribution repositories are used

    Check that official Debian repositories, including security repository, are configured in apt.
    Rule Unknown Severity
  • Deprecated services

    Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as u...
    Group
  • Uninstall the inet-based telnet server

    The inet-based telnet daemon should be uninstalled.
    Rule High Severity
  • Uninstall the nis package

    The support for Yellowpages should not be installed unless it is required.
    Rule Low Severity
  • Uninstall the ssl compliant telnet server

    The telnet daemon, even with ssl support, should be uninstalled.
    Rule High Severity
  • Uninstall the telnet server

    The telnet daemon should be uninstalled.
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules