ANSSI-BP-028 (high)
Rules and Groups employed by this XCCDF Profile
-
Use zero for poisoning instead of debugging value
Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization...Rule Medium Severity -
Remove the kernel mapping in user mode
This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This con...Rule High Severity -
Kernel panic oops
Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was u...Rule Medium Severity -
Kernel panic timeout
Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeo...Rule Medium Severity -
Disable support for /proc/kkcore
Provides a virtual ELF core file of the live kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. ...Rule Low Severity -
Randomize the address of the kernel image (KASLR)
In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and...Rule Medium Severity -
Randomize the kernel memory sections
Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc & vmemmap). This configuration is available fro...Rule Medium Severity -
Perform full reference count validation
Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation, which ...Rule Medium Severity -
Avoid speculative indirect branches in kernel
Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a...Rule Medium Severity -
Detect stack corruption on calls to schedule()
This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be overwritten always panic as the content of ...Rule Medium Severity -
Enable seccomp to safely compute untrusted bytecode
This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes ...Rule Medium Severity -
Enable use of Berkeley Packet Filter with seccomp
Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call fi...Rule Medium Severity -
Enable different security models
This allows you to choose different security modules to be configured into your kernel. The configuration that was used to build kernel is availab...Rule Medium Severity -
Restrict unprivileged access to the kernel syslog
Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at...Rule Medium Severity -
Disable mutable hooks
Ensure kernel structures associated with LSMs are always mapped as read-only after system boot. The configuration that was used to build kernel is...Rule Medium Severity -
Enable Yama support
This enables support for LSM module Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionar...Rule Medium Severity -
Harden slab freelist metadata
This feature protects integrity of the allocator's metadata. This configuration is available from kernel 4.14. The configuration that was used to ...Rule Medium Severity -
Randomize slab freelist
Randomizes the freelist order used on creating new pages. This configuration is available from kernel 5.9, but may be available if backported by di...Rule Medium Severity -
Disallow merge of slab caches
For reduced kernel memory fragmentation, slab caches can be merged when they share the same size and other characteristics. This carries a risk of ...Rule Medium Severity -
Enable SLUB debugging support
SLUB has extensive debug support features and this allows the allocator validation checking to be enabled. The configuration that was used to buil...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.