Skip to content
Log In

ANSSI-BP-028 (enhanced)

Rules and Groups employed by this XCCDF Profile

  • Ensure AppArmor is enabled in the bootloader configuration

    Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LI...
    Rule Medium Severity
    Show

  • Verify /boot/grub2/user.cfg Group Ownership

    The file <code>/boot/grub2/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To properly set the group owner of <code>/boot/grub2...
    Rule Medium Severity
    Show

  • Verify /boot/efi/EFI/redhat/user.cfg Group Ownership

    The file <code>/boot/efi/EFI/redhat/user.cfg</code> should be group-owned by the <code>root</code> group to prevent reading or modification of the file. To properly set the group owner of <code>/b...
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.d Directory

    To properly set the group owner of /etc/ipsec.d, run the command: 
    $ sudo chgrp root /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.d Directory

    To properly set the owner of /etc/ipsec.d, run the command: 
    $ sudo chown root /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.d Directory

    To properly set the permissions of /etc/ipsec.d, run the command: 
    $ sudo chmod 0700 /etc/ipsec.d
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.conf File

    To properly set the group owner of /etc/ipsec.conf, run the command: 
    $ sudo chgrp root /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/ipsec.secrets File

    To properly set the group owner of /etc/ipsec.secrets, run the command: 
    $ sudo chgrp root /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.conf File

    To properly set the owner of /etc/ipsec.conf, run the command: 
    $ sudo chown root /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/ipsec.secrets File

    To properly set the owner of /etc/ipsec.secrets, run the command: 
    $ sudo chown root /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.conf File

    To properly set the permissions of /etc/ipsec.conf, run the command: 
    $ sudo chmod 0644 /etc/ipsec.conf
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/ipsec.secrets File

    To properly set the permissions of /etc/ipsec.secrets, run the command: 
    $ sudo chmod 0644 /etc/ipsec.secrets
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/iptables Directory

    To properly set the group owner of /etc/iptables, run the command: 
    $ sudo chgrp root /etc/iptables
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/iptables Directory

    To properly set the owner of /etc/iptables, run the command: 
    $ sudo chown root /etc/iptables
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/iptables Directory

    To properly set the permissions of /etc/iptables, run the command: 
    $ sudo chmod 0700 /etc/iptables
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/nftables Directory

    To properly set the group owner of /etc/nftables, run the command: 
    $ sudo chgrp root /etc/nftables
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/nftables Directory

    To properly set the owner of /etc/nftables, run the command: 
    $ sudo chown root /etc/nftables
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/nftables Directory

    To properly set the permissions of /etc/nftables, run the command: 
    $ sudo chmod 0700 /etc/nftables
    Rule Medium Severity
    Show

  • Verify that system commands directories have root as a group owner

    System commands are stored in the following directories: by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should have <code>root</code...
    Rule Medium Severity
    Show

  • Verify that system commands directories have root ownership

    System commands are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All these directories should be owned by the <code>...
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/crypttab File

    To properly set the group owner of /etc/crypttab, run the command: 
    $ sudo chgrp root /etc/crypttab
    Rule Medium Severity
    Show

  • Verify Group Who Owns System.map Files

    The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files...
    Rule Low Severity
    Show

  • Verify User Who Owns /etc/crypttab File

    To properly set the owner of /etc/crypttab, run the command: 
    $ sudo chown root /etc/crypttab
    Rule Medium Severity
    Show

  • Verify User Who Owns System.map Files

    The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. These files...
    Rule Low Severity
    Show

  • Verify Permissions On /etc/crypttab File

    To properly set the permissions of /etc/crypttab, run the command: 
    $ sudo chmod 0600 /etc/crypttab
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/shells File

    To properly set the group owner of /etc/shells, run the command: 
    $ sudo chgrp root /etc/shells
    Rule Medium Severity
    Show

  • Verify Who Owns /etc/shells File

    To properly set the owner of /etc/shells, run the command: 
    $ sudo chown root /etc/shells
    Rule Medium Severity
    Show

  • Verify Permissions on /etc/shells File

    To properly set the permissions of /etc/shells, run the command: 
    $ sudo chmod 0644 /etc/shells
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/sysctl.d Directory

    To properly set the group owner of /etc/sysctl.d, run the command: 
    $ sudo chgrp root /etc/sysctl.d
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sysctl.d Directory

    To properly set the owner of /etc/sysctl.d, run the command: 
    $ sudo chown root /etc/sysctl.d
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sysctl.d Directory

    To properly set the permissions of /etc/sysctl.d, run the command: 
    $ sudo chmod 0755 /etc/sysctl.d
    Rule Medium Severity
    Show

  • Verify that system commands files are group owned by root or a system account

    System commands files are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> All files in these directories should be owned by ...
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/selinux Directory

    To properly set the group owner of /etc/selinux, run the command: 
    $ sudo chgrp root /etc/selinux
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/selinux Directory

    To properly set the owner of /etc/selinux, run the command: 
    $ sudo chown root /etc/selinux
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/selinux Directory

    To properly set the permissions of /etc/selinux, run the command: 
    $ sudo chmod 0755 /etc/selinux
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/sestatus.conf File

    To properly set the group owner of /etc/sestatus.conf, run the command: 
    $ sudo chgrp root /etc/sestatus.conf
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/sestatus.conf File

    To properly set the owner of /etc/sestatus.conf, run the command: 
    $ sudo chown root /etc/sestatus.conf
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/sestatus.conf File

    To properly set the permissions of /etc/sestatus.conf, run the command: 
    $ sudo chmod 0644 /etc/sestatus.conf
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/chrony.keys File

    To properly set the group owner of /etc/chrony.keys, run the command: 
    $ sudo chgrp chrony /etc/chrony.keys
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/chrony.keys File

    To properly set the owner of /etc/chrony.keys, run the command: 
    $ sudo chown root /etc/chrony.keys
    Rule Medium Severity
    Show

  • Verify Permissions On /etc/chrony.keys File

    To properly set the permissions of /etc/chrony.keys, run the command: 
    $ sudo chmod 0640 /etc/chrony.keys
    Rule Medium Severity
    Show

  • Verify Group Who Owns SSH Server config file

    To properly set the group owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chgrp root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Owner on SSH Server config file

    To properly set the owner of /etc/ssh/sshd_config, run the command: 
    $ sudo chown root /etc/ssh/sshd_config
    Rule Medium Severity
    Show

  • Verify Permissions on SSH Server config file

    To properly set the permissions of /etc/ssh/sshd_config, run the command: 
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules