Skip to content

DRAFT - ANSSI-BP-028 (high)

Rules and Groups employed by this XCCDF Profile

  • Enable SLUB/SLAB allocator poisoning

    To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_slub_debug...
    Rule Medium Severity
  • SELinux

    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that p...
    Group
  • Uninstall setroubleshoot-plugins Package

    The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, unauthorized intrusi...
    Rule Low Severity
  • Uninstall setroubleshoot-server Package

    The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized in...
    Rule Low Severity
  • Uninstall setroubleshoot Package

    The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized in...
    Rule Low Severity
  • Configure SELinux Policy

    The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To config...
    Rule Medium Severity
  • Ensure SELinux State is Enforcing

    The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub><...
    Rule High Severity
  • SELinux - Booleans

    Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.
    Group
  • Configure the deny_execmem SELinux Boolean

    By default, the SELinux boolean <code>deny_execmem</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproj...
    Rule Medium Severity
  • Configure the polyinstantiation_enabled SELinux Boolean

    By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccd...
    Rule Medium Severity
  • Configure the secure_mode_insmod SELinux Boolean

    By default, the SELinux boolean <code>secure_mode_insmod</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.s...
    Rule Medium Severity
  • Disable the selinuxuser_execheap SELinux Boolean

    By default, the SELinux boolean <code>selinuxuser_execheap</code> is disabled. When enabled this boolean is enabled it allows selinuxusers to execu...
    Rule Medium Severity
  • Disable the selinuxuser_execstack SELinux Boolean

    By default, the SELinux boolean <code>selinuxuser_execstack</code> is enabled. This setting should be disabled as unconfined executables should not...
    Rule Medium Severity
  • Disable the ssh_sysadm_login SELinux Boolean

    By default, the SELinux boolean <code>ssh_sysadm_login</code> is disabled. If this setting is enabled, it should be disabled. To disable the <code...
    Rule Medium Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Oracle Linux 7 in...
    Group
  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....
    Group
  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...
    Group
  • Uninstall DHCP Server Package

    If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp</code> package can be removed with the fo...
    Rule Medium Severity
  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
  • Uninstall Sendmail Package

    Sendmail is not the default mail transfer agent and is not installed by default. The <code>sendmail</code> package can be removed with the followin...
    Rule Medium Severity
  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
  • Configure System to Forward All Mail For The Root Account

    Make sure that mails delivered to root user are forwarded to a monitored email address. Make sure that the address <xccdf-1.2:sub idref="xccdf_org....
    Rule Medium Severity
  • Disable Postfix Network Listening

    Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...
    Rule Medium Severity
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
  • Enable the NTP Daemon

    Run the following command to determine the current status of the <code>chronyd</code> service: <pre>$ sudo systemctl is-active chronyd</pre> If t...
    Rule Medium Severity
  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
  • Xinetd

    The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...
    Group
  • Uninstall xinetd Package

    The xinetd package can be removed with the following command:
    $ sudo yum erase xinetd
    Rule Low Severity
  • NIS

    The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...
    Group
  • Remove NIS Client

    The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system conf...
    Rule Unknown Severity
  • Uninstall ypserv Package

    The ypserv package can be removed with the following command:
    $ sudo yum erase ypserv
    Rule High Severity
  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
  • Uninstall rsh-server Package

    The rsh-server package can be removed with the following command:
    $ sudo yum erase rsh-server
    Rule High Severity
  • Uninstall rsh Package

    The rsh package contains the client commands for the rsh services
    Rule Unknown Severity
  • Chat/Messaging Services

    The talk software makes it possible for users to send and receive messages across systems through a terminal session.
    Group
  • Uninstall talk-server Package

    The talk-server package can be removed with the following command:
     $ sudo yum erase talk-server
    Rule Medium Severity
  • Uninstall talk Package

    The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on differe...
    Rule Medium Severity
  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...
    Group
  • Uninstall telnet-server Package

    The telnet-server package can be removed with the following command:
    $ sudo yum erase telnet-server
    Rule High Severity
  • Remove telnet Clients

    The telnet client allows users to start connections to other systems via the telnet protocol.
    Rule Low Severity
  • TFTP Server

    TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides littl...
    Group
  • Uninstall tftp-server Package

    The tftp-server package can be removed with the following command:
     $ sudo yum erase tftp-server
    Rule High Severity
  • Remove tftp Daemon

    Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files betw...
    Rule Low Severity
  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...
    Group
  • Verify Permissions on SSH Server Private *_key Key Files

    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by t...
    Rule Medium Severity
  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...
    Group
  • Set SSH Client Alive Count Max

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The optio...
    Rule Medium Severity
  • Set SSH Client Alive Interval

    SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automat...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules