Skip to content
Log In

Profile for ANSSI DAT-NT28 Restrictive Level

Rules and Groups employed by this XCCDF Profile

  • Ensure System Log Files Have Correct Permissions

    The file permissions for all log files written by <code>rsyslog</code> should be set to 640, or more restrictive. These log files are determined by the second part of each Rule line in <code>/etc/r...
    Rule Medium Severity
    Show

  • Ensure All Logs are Rotated by logrotate

    Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spoole...
    Group
    Show

  • Ensure Logrotate Runs Periodically

    The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate.conf</code>, which triggers a cron task or a timer...
    Rule Medium Severity
    Show

  • Configure rsyslogd to Accept Remote Messages If Acting as a Log Server

    By default, <code>rsyslog</code> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the ...
    Group
    Show

  • Ensure syslog-ng is Installed

    syslog-ng can be installed in replacement of rsyslog. The syslog-ng-core package can be installed with the following command: 
    $ apt-get install syslog-ng-core
    Rule Medium Severity
    Show

  • Enable syslog-ng Service

    The <code>syslog-ng</code> service (in replacement of rsyslog) provides syslog-style logging by default on Debian. The <code>syslog-ng</code> service can be enabled with the following command: <pr...
    Rule Medium Severity
    Show

  • File Permissions and Masks

    Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br><br> Several of th...
    Group
    Show

  • Verify Permissions on Important Files and Directories

    Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...
    Group
    Show

  • Verify that local System.map file (if exists) is readable only by root

    Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set t...
    Rule Unknown Severity
    Show

  • Enable Kernel Parameter to Enforce DAC on Hardlinks

    To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_hardlinks=1</pre> To make sure that the setting ...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules