ANSSI-BP-028 (intermediary)
Rules and Groups employed by this XCCDF Profile
-
Verify Permissions On /etc/sudoers File
To properly set the permissions of/etc/sudoers
, run the command:$ sudo chmod 0440 /etc/sudoers
Rule Medium Severity -
Configure Logind to terminate idle sessions after certain time of inactivity
To configure <code>logind</code> service to terminate inactive user sessions after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_log...Rule Medium Severity -
Set Root Account Password Maximum Age
Configure the root account to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_root" use="legacy"></xccd...Rule Medium Severity -
Verify Group Who Owns /etc/ipsec.d Directory
To properly set the group owner of/etc/ipsec.d
, run the command:$ sudo chgrp root /etc/ipsec.d
Rule Medium Severity -
Verify User Who Owns /etc/ipsec.d Directory
To properly set the owner of/etc/ipsec.d
, run the command:$ sudo chown root /etc/ipsec.d
Rule Medium Severity -
Verify Permissions On /etc/ipsec.d Directory
To properly set the permissions of/etc/ipsec.d
, run the command:$ sudo chmod 0700 /etc/ipsec.d
Rule Medium Severity -
Verify Group Who Owns /etc/ipsec.conf File
To properly set the group owner of/etc/ipsec.conf
, run the command:$ sudo chgrp root /etc/ipsec.conf
Rule Medium Severity -
Verify Group Who Owns /etc/ipsec.secrets File
To properly set the group owner of/etc/ipsec.secrets
, run the command:$ sudo chgrp root /etc/ipsec.secrets
Rule Medium Severity -
Verify User Who Owns /etc/ipsec.conf File
To properly set the owner of/etc/ipsec.conf
, run the command:$ sudo chown root /etc/ipsec.conf
Rule Medium Severity -
Verify User Who Owns /etc/ipsec.secrets File
To properly set the owner of/etc/ipsec.secrets
, run the command:$ sudo chown root /etc/ipsec.secrets
Rule Medium Severity -
Verify Permissions On /etc/ipsec.conf File
To properly set the permissions of/etc/ipsec.conf
, run the command:$ sudo chmod 0644 /etc/ipsec.conf
Rule Medium Severity -
Verify Permissions On /etc/ipsec.secrets File
To properly set the permissions of/etc/ipsec.secrets
, run the command:$ sudo chmod 0644 /etc/ipsec.secrets
Rule Medium Severity -
Verify Group Who Owns /etc/iptables Directory
To properly set the group owner of/etc/iptables
, run the command:$ sudo chgrp root /etc/iptables
Rule Medium Severity -
Verify User Who Owns /etc/iptables Directory
To properly set the owner of/etc/iptables
, run the command:$ sudo chown root /etc/iptables
Rule Medium Severity -
Verify Permissions On /etc/iptables Directory
To properly set the permissions of/etc/iptables
, run the command:$ sudo chmod 0700 /etc/iptables
Rule Medium Severity -
Verify Group Who Owns /etc/nftables Directory
To properly set the group owner of/etc/nftables
, run the command:$ sudo chgrp root /etc/nftables
Rule Medium Severity -
Verify User Who Owns /etc/nftables Directory
To properly set the owner of/etc/nftables
, run the command:$ sudo chown root /etc/nftables
Rule Medium Severity -
Verify Permissions On /etc/nftables Directory
To properly set the permissions of/etc/nftables
, run the command:$ sudo chmod 0700 /etc/nftables
Rule Medium Severity -
Verify that system commands directories have root as a group owner
System commands are stored in the following directories: by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> ...Rule Medium Severity -
Verify that system commands directories have root ownership
System commands are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> A...Rule Medium Severity -
Verify Group Who Owns /etc/crypttab File
To properly set the group owner of/etc/crypttab
, run the command:$ sudo chgrp root /etc/crypttab
Rule Medium Severity -
Verify User Who Owns /etc/crypttab File
To properly set the owner of/etc/crypttab
, run the command:$ sudo chown root /etc/crypttab
Rule Medium Severity -
Verify Permissions On /etc/crypttab File
To properly set the permissions of/etc/crypttab
, run the command:$ sudo chmod 0600 /etc/crypttab
Rule Medium Severity -
Verify Group Who Owns /etc/shells File
To properly set the group owner of/etc/shells
, run the command:$ sudo chgrp root /etc/shells
Rule Medium Severity -
Verify Who Owns /etc/shells File
To properly set the owner of/etc/shells
, run the command:$ sudo chown root /etc/shells
Rule Medium Severity -
Verify Permissions on /etc/shells File
To properly set the permissions of/etc/shells
, run the command:$ sudo chmod 0644 /etc/shells
Rule Medium Severity -
Verify Group Who Owns /etc/sysctl.d Directory
To properly set the group owner of/etc/sysctl.d
, run the command:$ sudo chgrp root /etc/sysctl.d
Rule Medium Severity -
Verify User Who Owns /etc/sysctl.d Directory
To properly set the owner of/etc/sysctl.d
, run the command:$ sudo chown root /etc/sysctl.d
Rule Medium Severity -
Verify Permissions On /etc/sysctl.d Directory
To properly set the permissions of/etc/sysctl.d
, run the command:$ sudo chmod 0755 /etc/sysctl.d
Rule Medium Severity -
Verify that system commands files are group owned by root or a system account
System commands files are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin </pre> ...Rule Medium Severity -
Verify Group Who Owns /etc/selinux Directory
To properly set the group owner of/etc/selinux
, run the command:$ sudo chgrp root /etc/selinux
Rule Medium Severity -
Verify User Who Owns /etc/selinux Directory
To properly set the owner of/etc/selinux
, run the command:$ sudo chown root /etc/selinux
Rule Medium Severity -
Verify Permissions On /etc/selinux Directory
To properly set the permissions of/etc/selinux
, run the command:$ sudo chmod 0755 /etc/selinux
Rule Medium Severity -
Verify Group Who Owns /etc/sestatus.conf File
To properly set the group owner of/etc/sestatus.conf
, run the command:$ sudo chgrp root /etc/sestatus.conf
Rule Medium Severity -
Verify User Who Owns /etc/sestatus.conf File
To properly set the owner of/etc/sestatus.conf
, run the command:$ sudo chown root /etc/sestatus.conf
Rule Medium Severity -
Verify Permissions On /etc/sestatus.conf File
To properly set the permissions of/etc/sestatus.conf
, run the command:$ sudo chmod 0644 /etc/sestatus.conf
Rule Medium Severity -
Verify Group Who Owns /etc/chrony.keys File
To properly set the group owner of/etc/chrony.keys
, run the command:$ sudo chgrp chrony /etc/chrony.keys
Rule Medium Severity -
Verify User Who Owns /etc/chrony.keys File
To properly set the owner of/etc/chrony.keys
, run the command:$ sudo chown root /etc/chrony.keys
Rule Medium Severity -
Verify Permissions On /etc/chrony.keys File
To properly set the permissions of/etc/chrony.keys
, run the command:$ sudo chmod 0640 /etc/chrony.keys
Rule Medium Severity -
Verify Group Who Owns SSH Server config file
To properly set the group owner of/etc/ssh/sshd_config
, run the command:$ sudo chgrp root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Owner on SSH Server config file
To properly set the owner of/etc/ssh/sshd_config
, run the command:$ sudo chown root /etc/ssh/sshd_config
Rule Medium Severity -
Verify Permissions on SSH Server config file
To properly set the permissions of/etc/ssh/sshd_config
, run the command:$ sudo chmod 0600 /etc/ssh/sshd_config
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.