ANSSI-BP-028 (enhanced)
Rules and Groups employed by this XCCDF Profile
-
Verify User Who Owns /etc/selinux Directory
To properly set the owner of/etc/selinux, run the command:$ sudo chown root /etc/selinux
Rule Medium Severity -
Verify Permissions On /etc/selinux Directory
To properly set the permissions of/etc/selinux, run the command:$ sudo chmod 0755 /etc/selinux
Rule Medium Severity -
Verify Group Who Owns /etc/sestatus.conf File
To properly set the group owner of/etc/sestatus.conf, run the command:$ sudo chgrp root /etc/sestatus.conf
Rule Medium Severity -
Verify User Who Owns /etc/sestatus.conf File
To properly set the owner of/etc/sestatus.conf, run the command:$ sudo chown root /etc/sestatus.conf
Rule Medium Severity -
Verify Permissions On /etc/sestatus.conf File
To properly set the permissions of/etc/sestatus.conf, run the command:$ sudo chmod 0644 /etc/sestatus.conf
Rule Medium Severity -
Configure SELinux Policy
The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...Rule High Severity -
SELinux - Booleans
Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.Group -
Configure the polyinstantiation_enabled SELinux Boolean
By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Oracle Linux 10 i...Group -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....Group -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...Group -
Uninstall DHCP Server Package
If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp</code> package can be removed with the fo...Rule Medium Severity -
Uninstall kea Package
If the system does not need to act as a DHCP server, the kea package can be uninstalled.Rule Medium Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...Group -
Uninstall Sendmail Package
Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the followin...Rule Medium Severity -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Configure System to Forward All Mail For The Root Account
Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org....Rule Medium Severity -
Disable Postfix Network Listening
Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...Rule Medium Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.