ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...Group -
Install sudo Package
Thesudopackage can be installed with the following command:$ sudo dnf install sudo
Rule Medium Severity -
Verify Group Who Owns /etc/sudoers.d Directory
To properly set the group owner of/etc/sudoers.d, run the command:$ sudo chgrp root /etc/sudoers.d
Rule Medium Severity -
Verify User Who Owns /etc/sudoers.d Directory
To properly set the owner of/etc/sudoers.d, run the command:$ sudo chown root /etc/sudoers.d
Rule Medium Severity -
Verify Permissions On /etc/sudoers.d Directory
To properly set the permissions of/etc/sudoers.d, run the command:$ sudo chmod 0750 /etc/sudoers.d
Rule Medium Severity -
Verify Group Who Owns /etc/sudoers File
To properly set the group owner of/etc/sudoers, run the command:$ sudo chgrp root /etc/sudoers
Rule Medium Severity -
Verify User Who Owns /etc/sudoers File
To properly set the owner of/etc/sudoers, run the command:$ sudo chown root /etc/sudoers
Rule Medium Severity -
Verify Permissions On /etc/sudoers File
To properly set the permissions of/etc/sudoers, run the command:$ sudo chmod 0440 /etc/sudoers
Rule Medium Severity -
Ensure That the sudo Binary Has the Correct Permissions
To properly set the permissions of/usr/bin/sudo, run the command:$ sudo chmod 4111 /usr/bin/sudo
Rule Medium Severity -
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
The sudo <code>NOEXEC</code> tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This sho...Rule High Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
The sudo <code>requiretty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by...Rule Medium Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by ma...Rule Medium Severity -
Explicit arguments in sudo specifications
All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed...Rule Medium Severity -
Don't define allowed commands in sudoers by means of exclusion
Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the <code>sudoers</code> file contains a...Rule Medium Severity -
Don't target root user in the sudoers file
The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to expl...Rule Medium Severity -
Updating Software
The <code>dnf</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool i...Group -
Install dnf-automatic Package
Thednf-automaticpackage can be installed with the following command:$ sudo dnf install dnf-automatic
Rule Medium Severity -
Configure dnf-automatic to Install Available Updates Automatically
To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates...Rule Medium Severity -
Configure dnf-automatic to Install Only Security Updates
To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> unde...Rule Low Severity -
Ensure gpgcheck Enabled In Main dnf Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure dnf to check pack...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.