{"id": "anssi", "policy": "ANSSI-BP-028", "title": "Configuration Recommendations of a GNU/Linux System", "source": "https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf", "definition_location": "/aptdata/openscap/scap-security-guide/controls/anssi.yml", "controls": [{"id": "R1", "levels": ["enhanced"], "notes": "This requirement can be checked, but remediation requires a manual reinstall of the OS. The content automation cannot really configure the BIOS, but it can in some cases check settings that are visible to the OS, for example the NX/XD setting.", "title": "Hardware Support", "description": "It is recommended to apply the configuration recommendations for Hardware support mentioned in ANSSI DAT-24.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_dracut-fips-aesni_installed", "grub2_nosmep_argument_absent", "prefer_64bit_os", "grub2_nosmap_argument_absent", "install_PAE_kernel_on_x86-32"], "controls": []}, {"id": "R2", "levels": ["intermediary"], "notes": "Configurations recommended for this requirement are to be performed at the BIOS level.", "title": "Hardware configuration", "description": "It is recommended to apply the configuration recommendations for BIOS/UEFI mentioned in ANSSI DAT-24.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R3", "levels": ["intermediary"], "notes": "Secure Boot needs to be enabled in the UEFI Setup program. Enabling Secure Boot can't be accomplished from the operating system. Also, OVAL doesn't provide any reliable way to detect the Secure Boot status. 
Therefore, we will not provide any rules to automate this requirement. We recommend checking the Secure Boot status using the `mokutil --sb-state` or `bootctl status` commands.", "title": "UEFI Secure boot activation", "description": "It is recommended to apply the UEFI Secure Boot configuration of the distribution.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R4", "levels": ["high"], "notes": "This requirement is not generally automatable. The Machine Owner Key (MOK) could be used to add keys to the Secure Boot db key database, but manual interaction is required to navigate the UEFI console and input the key password. On systems where the MOK utility is not supported, one will need to access the UEFI firmware interface to add new keys. We have no automation support for UEFI interfaces, and the steps for each hardware manufacturer can vary.", "title": "Replacing of preloaded keys", "description": "It is recommended to replace the UEFI preloaded keys with new keys used to sign either the bootloader and Linux kernel, or the image of the Linux kernel in EFI format.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R5", "levels": ["intermediary"], "notes": "", "title": "Boot loader password", "description": "A password protecting the boot loader must exist. 
This password must prevent any user from changing its configuration options.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_password", "grub2_uefi_password"], "controls": []}, {"id": "R6", "levels": ["high"], "notes": "To protect the Linux kernel command line one needs to create a Unified Kernel Image and use it with the UEFI Secure Boot mechanism. To check whether the kernel image contains the kernel command line one needs to inspect the binary, for example with the objdump command. Unfortunately OVAL is not able to inspect kernel images. Also, it is not trivial to automate the creation of such an image or the configuration of the Secure Boot mechanism.", "title": "Protecting kernel command line parameters", "description": "It is recommended that UEFI Secure Boot is used to protect the Linux kernel command line parameters during boot.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R7", "levels": ["enhanced"], "notes": "", "title": "IOMMU Configuration Guidelines", "description": "The iommu=force directive must be added to the list of kernel parameters during startup, in addition to those already present in the configuration files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_enable_iommu_force"], "controls": []}, {"id": "R8", "levels": ["intermediary"], "notes": "", 
"title": "Memory configuration options", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_slab_nomerge_argument", "grub2_slub_debug_argument", "sysctl_vm_mmap_min_addr", "grub2_page_alloc_shuffle_argument", "grub2_spectre_v2_argument", "grub2_mce_argument", "grub2_rng_core_default_quality_argument", "grub2_l1tf_argument", "grub2_mds_argument", "grub2_pti_argument", "grub2_spec_store_bypass_disable_argument", "grub2_page_poison_argument", "var_l1tf_options=full_force", "var_slub_debug_options=FZP", "var_spec_store_bypass_disable_options=seccomp", "var_mds_options=full_nosmt", "var_rng_core_default_quality=500"], "controls": []}, {"id": "R9", "levels": ["intermediary"], "notes": "", "title": "Kernel configuration options", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_perf_event_paranoid", "sysctl_kernel_perf_cpu_time_max_percent", "sysctl_kernel_perf_event_max_sample_rate", "sysctl_kernel_pid_max", "sysctl_kernel_randomize_va_space", "sysctl_kernel_panic_on_oops", "sysctl_kernel_unprivileged_bpf_disabled", "sysctl_kernel_kptr_restrict", "sysctl_kernel_sysrq", "sysctl_kernel_dmesg_restrict", "sysctl_kernel_kptr_restrict_value=2"], "controls": []}, {"id": "R10", "levels": ["enhanced"], "notes": "", "title": "Disabling the loading of kernel modules", "description": "The loading of the kernel modules can be blocked by the activation of the sysctl kernel.modules_disabled: Prohibition of loading modules (except those already loaded to this point) kernel.modules_disabled = 1", "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_modules_disabled"], "controls": []}, {"id": "R11", "levels": ["intermediary"], "notes": "", "title": "Yama module sysctl configuration", "description": "It is recommended to load the Yama security module at startup (for example by passing the security=yama argument to the kernel) and to configure the sysctl kernel.yama.ptrace_scope to a value of at least 1.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_yama_ptrace_scope"], "controls": []}, {"id": "R12", "levels": ["intermediary"], "notes": "", "title": "IPv4 configuration options", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_ignore_bogus_error_responses", "sysctl_net_ipv4_conf_default_rp_filter", "sysctl_net_ipv4_conf_default_accept_source_route", "sysctl_net_ipv4_conf_default_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects", "sysctl_net_ipv4_conf_all_accept_source_route", "sysctl_net_ipv4_conf_all_send_redirects", "sysctl_net_ipv4_conf_all_drop_gratuitous_arp", "sysctl_net_ipv4_conf_default_send_redirects", "sysctl_net_ipv4_conf_all_secure_redirects", "sysctl_net_ipv4_conf_all_route_localnet", "sysctl_net_ipv4_conf_all_shared_media", "sysctl_net_ipv4_ip_local_port_range", "sysctl_net_ipv4_tcp_syncookies", "sysctl_net_ipv4_conf_all_accept_local", "sysctl_net_ipv4_conf_default_shared_media", "sysctl_net_ipv4_tcp_rfc1337", 
"sysctl_net_ipv4_conf_default_secure_redirects", "sysctl_net_ipv4_conf_all_rp_filter", "sysctl_net_ipv4_conf_all_arp_filter", "sysctl_net_ipv4_ip_forward", "sysctl_net_ipv4_conf_all_arp_ignore", "sysctl_net_core_bpf_jit_harden", "sysctl_net_ipv4_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv4_conf_default_accept_redirects_value=disabled", "sysctl_net_ipv4_conf_all_shared_media_value=disabled", "sysctl_net_ipv4_conf_default_shared_media_value=disabled", "sysctl_net_ipv4_conf_all_arp_ignore_value=2"], "controls": []}, {"id": "R13", "levels": ["intermediary"], "notes": "When IPv6 is not in use, disable it, otherwise secure the IPv6 stack. This control hardens the IPv6 stack, to disable it use the related rules instead.", "title": "Disabling IPv6", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sysctl_net_ipv6_conf_all_disable_ipv6", "sysctl_net_ipv6_conf_default_disable_ipv6"], "rules": ["sysctl_net_ipv6_conf_all_router_solicitations", "sysctl_net_ipv6_conf_default_autoconf", "sysctl_net_ipv6_conf_default_router_solicitations", "sysctl_net_ipv6_conf_all_accept_ra_pinfo", "sysctl_net_ipv6_conf_all_accept_ra_defrtr", "sysctl_net_ipv6_conf_default_accept_redirects", "sysctl_net_ipv6_conf_default_accept_ra_rtr_pref", "sysctl_net_ipv6_conf_all_accept_source_route", "sysctl_net_ipv6_conf_all_accept_redirects", "sysctl_net_ipv6_conf_all_autoconf", "sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_net_ipv6_conf_default_max_addresses", "sysctl_net_ipv6_conf_default_accept_ra_pinfo", "sysctl_net_ipv6_conf_all_max_addresses", "sysctl_net_ipv6_conf_all_accept_ra_rtr_pref", "sysctl_net_ipv6_conf_default_accept_ra_defrtr"], "controls": []}, {"id": "R14", "levels": ["intermediary"], "notes": "The rule for the /proc file system is not implemented", "title": 
"File system configuration options", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_fs_protected_symlinks", "sysctl_fs_suid_dumpable", "sysctl_fs_protected_fifos", "sysctl_fs_protected_hardlinks", "sysctl_fs_protected_regular"], "controls": []}, {"id": "R15", "levels": ["high"], "notes": "The special case of direct access to physical memory is not handled.", "title": "Compile options for memory management", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_refcount_full", "kernel_config_x86_vsyscall_emulation", "kernel_config_acpi_custom_method", "kernel_config_fortify_source", "kernel_config_security_dmesg_restrict", "kernel_config_retpoline", "kernel_config_legacy_vsyscall_emulate", "kernel_config_hardened_usercopy", "kernel_config_legacy_vsyscall_none", "kernel_config_stackprotector", "kernel_config_debug_wx", "kernel_config_legacy_vsyscall_xonly", "kernel_config_compat_vdso", "kernel_config_vmap_stack", "kernel_config_hardened_usercopy_fallback", "kernel_config_devkmem", "kernel_config_proc_kcore", "kernel_config_sched_stack_end_check", "kernel_config_stackprotector_strong", "kernel_config_debug_fs", "kernel_config_strict_kernel_rwx"], "controls": []}, {"id": "R16", "levels": ["high"], "notes": "", "title": "Compile options for kernel data structures", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": ["kernel_config_debug_credentials", "kernel_config_bug_on_data_corruption", "kernel_config_debug_sg", "kernel_config_debug_notifiers", "kernel_config_debug_list"], "controls": []}, {"id": "R17", "levels": ["high"], "notes": "", "title": "Compile options for the memory allocator", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_slab_merge_default", "kernel_config_slab_freelist_random", "kernel_config_slub_debug", "kernel_config_page_poisoning_no_sanity", "kernel_config_slab_freelist_hardened", "kernel_config_compat_brk", "kernel_config_page_poisoning_zero", "kernel_config_page_poisoning"], "controls": []}, {"id": "R18", "levels": ["high"], "notes": "", "title": "Compile options for the management of kernel module", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_module_sig_key", "kernel_config_module_sig_all", "kernel_config_module_sig_sha512", "kernel_config_module_sig", "kernel_config_module_sig_force", "kernel_config_module_sig_hash", "kernel_config_strict_module_rwx"], "controls": []}, {"id": "R19", "levels": ["high"], "notes": "", "title": "Compile options for abnormal situations", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_panic_timeout", "kernel_config_panic_on_oops", "kernel_config_bug"], "controls": []}, {"id": "R20", "levels": ["high"], "notes": "", 
"title": "Compile options for kernel security functions", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_seccomp_filter", "kernel_config_security_yama", "kernel_config_seccomp", "kernel_config_security_writable_hooks", "kernel_config_security"], "controls": []}, {"id": "R21", "levels": ["high"], "notes": "", "title": "Compile options for the compiler plugins", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_gcc_plugin_randstruct", "kernel_config_gcc_plugin_latent_entropy", "kernel_config_gcc_plugin_stackleak", "kernel_config_gcc_plugin_structleak", "kernel_config_gcc_plugin_structleak_byref_all"], "controls": []}, {"id": "R22", "levels": ["high"], "notes": "This control doesn't disable the IPv6 stack, to disable it select the related rule.", "title": "Compile options for the IP stack", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["kernel_config_ipv6"], "rules": ["kernel_config_syn_cookies"], "controls": []}, {"id": "R23", "levels": ["high"], "notes": "If the system can function without support for kernel modules, module support should be disabled by setting CONFIG_MODULES=n.", "title": "Compile options for various kernel behaviors", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_kexec", "kernel_config_binfmt_misc", "kernel_config_hibernation", "kernel_config_legacy_ptys"], "controls": []}, {"id": "R24", "levels": ["high"], "notes": "Unless an x86 32-bit kernel is explicitly supported by one of the products in the project, this requirement is set to not applicable.", "title": "Compile options for 32-bit architectures", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R25", "levels": ["high"], "notes": "", "title": "Compile options for x86_64 architectures", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_default_mmap_min_addr", "kernel_config_randomize_base", "kernel_config_modify_ldt_syscall", "kernel_config_ia32_emulation", "kernel_config_randomize_memory", "kernel_config_page_table_isolation"], "controls": []}, {"id": "R26", "levels": ["high"], "notes": "Unless an ARM 32-bit kernel is explicitly supported by one of the products in the project, this requirement is set to not applicable.", "title": "Compile options for ARM architectures", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R27", "levels": ["high"], "notes": "", "title": "Compile options for ARM 64 architectures", "description": null, "rationale": 
null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_config_default_mmap_min_addr", "kernel_config_randomize_base", "kernel_config_unmap_kernel_at_el0", "kernel_config_arm64_sw_ttbr0_pan"], "controls": []}, {"id": "R28", "levels": ["intermediary"], "notes": "", "title": "Partitioning type", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["mount_option_proc_hidepid"], "rules": ["mount_option_var_log_noexec", "partition_for_opt", "partition_for_home", "mount_option_boot_noexec", "mount_option_var_nosuid", "systemd_tmp_mount_enabled", "partition_for_srv", "partition_for_var_tmp", "mount_option_var_tmp_nosuid", "mount_option_var_tmp_noexec", "partition_for_boot", "mount_option_nodev_nonroot_local_partitions", "mount_option_tmp_noexec", "mount_option_var_noexec", "mount_option_boot_nosuid", "mount_option_opt_nosuid", "partition_for_var", "mount_option_tmp_nosuid", "mount_option_srv_nosuid", "mount_option_var_log_nosuid", "partition_for_usr", "partition_for_var_log", "mount_option_home_nosuid", "mount_option_home_noexec"], "controls": []}, {"id": "R29", "levels": ["enhanced"], "notes": "Having the /boot partition mounted is essential for certain administrative actions, for example updating the kernel. Therefore, for better stability, this requirement only selects rules that restrict access to /boot; how /boot is mounted is not changed.", "title": "Access Restrictions on /boot", "description": "When possible, it is recommended not to automatically mount the /boot partition. 
In any case, access to the /boot folder should only be allowed for the root user.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["mount_option_boot_noauto"], "rules": ["file_owner_grub2_cfg", "file_owner_efi_grub2_cfg", "file_owner_user_cfg", "file_owner_efi_user_cfg", "file_groupowner_systemmap", "file_groupowner_efi_grub2_cfg", "file_permissions_efi_grub2_cfg", "file_groupowner_grub2_cfg", "file_permissions_user_cfg", "file_groupowner_efi_user_cfg", "file_permissions_systemmap", "file_groupowner_user_cfg", "file_permissions_grub2_cfg", "file_owner_systemmap", "file_permissions_efi_user_cfg"], "controls": []}, {"id": "R30", "levels": ["minimal"], "notes": "The definition of unused user accounts is broad. It can include accounts whose owners don't use the system anymore, or users created by services or applications that should not be used. 
Automation by itself cannot discern which accounts are used or not.", "title": "Removal of unused user accounts", "description": "Unused user accounts must be deleted from the system.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R31", "levels": ["minimal"], "notes": "The rules selected below establish a general password strength baseline of 100 bits, based on the recommendations of the technical note \"Recommandations relatives \u00e0 l'authentification multifacteur et aux mots de passe\" (https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe)\nThe baseline should be reviewed and tailored to the system's use case and needs.", "title": "User password strength", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny", "accounts_password_pam_ocredit", "accounts_password_pam_minlen", "accounts_passwords_pam_tally2_deny_root", "cracklib_accounts_password_pam_ocredit", "cracklib_accounts_password_pam_dcredit", "cracklib_accounts_password_pam_lcredit", "accounts_passwords_pam_faillock_unlock_time", "accounts_password_minlen_login_defs", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_ucredit", "accounts_password_pam_unix_remember", "accounts_passwords_pam_faillock_interval", "enable_authselect", "cracklib_accounts_password_pam_ucredit", "accounts_password_pam_lcredit", "accounts_password_pam_dcredit", "accounts_passwords_pam_faillock_deny_root", "accounts_password_set_max_life_root", "accounts_passwords_pam_tally2", 
"cracklib_accounts_password_pam_minlen", "var_accounts_maximum_age_root=365", "var_password_pam_minlen=15", "var_accounts_password_minlen_login_defs=15", "var_password_pam_ocredit=1", "var_password_pam_dcredit=1", "var_password_pam_ucredit=1", "var_password_pam_lcredit=1", "var_accounts_passwords_pam_faillock_fail_interval=900", "var_accounts_passwords_pam_faillock_deny=3", "var_password_pam_tally2=5", "var_accounts_passwords_pam_tally2_unlock_time=1800", "var_accounts_passwords_pam_faillock_unlock_time=900", "var_password_pam_unix_remember=2"], "controls": []}, {"id": "R32", "levels": ["intermediary"], "notes": "ANSSI doesn't specify the length of the inactivity period; we chose 10 minutes as a reasonable value.", "title": "Configuring a timeout on local user sessions", "description": "Local user sessions (console TTY, graphical session) must be locked after a certain period of inactivity.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "logind_session_timeout", "var_logind_session_timeout=10_minutes", "var_accounts_tmout=10_min"], "controls": []}, {"id": "R33", "levels": ["intermediary"], "notes": "By disabling direct root logins, proper accountability is ensured. Users log in first, then escalate to privileged (root) access. Changes of privilege must go through executables that allow the activities performed to be monitored (for example sudo). 
Nonetheless, the content automation cannot ensure that each administrator was given a nominative administration account separate from their normal user account.", "title": "Use of dedicated administration accounts", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_direct_root_logins", "package_sudo_installed", "sshd_disable_root_login", "audit_rules_privileged_commands_sudo", "package_audit_installed", "service_auditd_enabled"], "controls": []}, {"id": "R34", "levels": ["intermediary"], "notes": "It is difficult to identify the system's service accounts in general. UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values are not enforced by the OS and can be changed over time. Assisting rules could list users which are not disabled, for manual review.", "title": "Deactivation of service accounts", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R35", "levels": ["intermediary"], "notes": "It is not trivial to identify whether a user account is a service account. 
UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values are not enforced by the OS and can be changed over time.", "title": "Uniqueness and exclusivity of system service accounts", "description": "Each service must have its own system account and be dedicated to it exclusively.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R36", "levels": ["enhanced"], "notes": "There are cases of systemd services which would stop working if umask were configured to 0027 for all services. One such example is the CUPS service, which needs to create sockets that must be available to all users. Therefore, this part of the requirement can't be automated.", "title": "Changing the default value of UMASK", "description": "The default value of UMASK for the shells must be set to 0077 in order to allow read and write access to its owner only. This value can be defined in the configuration file /etc/profile that most shells (bash, dash, ksh\u2026) will use. The default value of UMASK for services must be determined for each service, but in most cases, it should be set to 0027 (or more restrictive). This allows read access to its owner and its group, and full access to its owner. 
For services such as systemd, this value can be defined directly in the configuration file of the service with the directive UMask=0027.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_profile", "accounts_umask_etc_login_defs", "accounts_umask_etc_bashrc", "var_accounts_user_umask=077"], "controls": []}, {"id": "R37", "levels": ["enhanced"], "notes": "Other partitioning mechanisms can include chroot and containers and are not contemplated in this requirement.", "title": "Using access control features", "description": "It is recommended to use the mandatory access control (MAC) features in addition to the traditional Unix user model (DAC), or possibly combine them with partitioning mechanisms.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_state", "var_selinux_state=enforcing"], "controls": []}, {"id": "R38", "levels": ["enhanced"], "notes": "", "title": "Group dedicated to the use of sudo", "description": "A group dedicated to the use of sudo must be created, and only members of this group are allowed to execute sudo.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sudo", "sudo_dedicated_group", "var_sudo_dedicated_group=sudogrp"], "controls": []}, {"id": "R39", "levels": ["intermediary"], "notes": "", "title": "Sudo configuration guidelines", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_add_requiretty", "sudo_add_umask", "sudo_add_noexec", "sudo_add_use_pty", "sudo_add_ignore_dot", "sudo_add_env_reset", "var_sudo_umask=0077"], "controls": []}, {"id": "R40", "levels": ["intermediary"], "notes": "", "title": "Privileges of target sudo users", "description": "The targeted users of a rule should be, as much as possible, non privileged users.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudoers_no_root_target"], "controls": []}, {"id": "R41", "levels": ["enhanced"], "notes": "Human review is required to assess if the set of commands requiring EXEC is minimal. An auxiliary rule could list rules containing EXEC tag, for analysis.", "title": "Limiting the number of commands requiring the use of the EXEC option", "description": "The commands requiring the execution of sub-processes (EXEC tag) must be explicitly listed and their use should be reduced to a strict minimum.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R42", "levels": ["intermediary"], "notes": "", "title": "Good use of negation in a sudoers file", "description": "The sudoers configuration rules should not involve negation.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["sudoers_no_command_negation"], "controls": []}, {"id": "R43", "levels": ["intermediary"], "notes": "", "title": "Explicit arguments in sudo specifications", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudoers_explicit_command_args"], "controls": []}, {"id": "R44", "levels": ["intermediary"], "notes": "R42 establishes that sudoers files should not use negation, so the approach for this requirement is to ensure that sudoedit is the only text editor allowed. It is difficult, however, to ensure that the allowed binaries are not text editors without human review.", "title": "Editing files with sudo", "description": "A file that requires sudo to be edited must be edited through the sudoedit command.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R45", "levels": ["enhanced"], "notes": "", "title": "Enable AppArmor security profiles", "description": "All AppArmor security profiles on the system must be enabled by default.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["apparmor_configured", "all_apparmor_profiles_enforced", "package_pam_apparmor_installed", "package_apparmor_installed", "grub2_enable_apparmor"], "controls": []}, {"id": "R46", "levels": ["high"], "notes": "", "title": "Activate SELinux with the Targeted Policy", "description": "It is recommended to enable the targeted policy when the distribution supports it and that 
it does not operate another security module than SELinux.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "var_selinux_policy_name=targeted"], "controls": []}, {"id": "R47", "levels": ["high"], "notes": "Interactive users who still need to perform administrative tasks should not be confined with user_u.", "title": "Containment of unprivileged interactive users", "description": "Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R48", "levels": ["high"], "notes": "In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the boolean allow_execstack is renamed to selinuxuser_execstack. 
The boolean allow_execmem is not available; deny_execmem provides the same functionality with the inverted meaning, so it is set to on instead of off.", "title": "Setting SELinux booleans", "description": "It is recommended to set the following Booleans: allow_execheap to off, which forbids processes from making their heap executable; allow_execmem to off, which forbids processes from having both write and execute rights on memory pages; allow_execstack to off, which forbids processes from making their stack executable; secure_mode_insmod to on, which prohibits dynamic loading of modules by any process; ssh_sysadm_login to off, which forbids SSH logins from connecting directly in the sysadmin role.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sebool_selinuxuser_execstack", "sebool_deny_execmem", "sebool_selinuxuser_execheap", "sebool_secure_mode_insmod", "sebool_ssh_sysadm_login", "var_selinuxuser_execheap=off", "var_deny_execmem=on", "var_selinuxuser_execstack=off", "var_secure_mode_insmod=on"], "controls": []}, {"id": "R49", "levels": ["high"], "notes": "", "title": "Uninstalling SELinux Policy Debugging Tools", "description": "SELinux policy manipulation and debugging tools should not be installed on a machine in production.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_setroubleshoot_removed", "package_setroubleshoot-plugins_removed", "package_setroubleshoot-server_removed"], "controls": []}, {"id": "R50", "levels": ["intermediary"], "notes": "", "title": "Rights to access sensitive files and directories", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_sudoers", "file_groupowner_etc_shells", "file_permissions_etc_ipsec_conf", "file_owner_etc_group", "file_groupowner_etc_ipsec_secrets", "file_groupowner_etc_group", "directory_owner_etc_selinux", "file_groupowner_sshd_config", "file_owner_etc_sestatus_conf", "file_groupowner_etc_crypttab", "file_groupowner_etc_chrony_keys", "file_permissions_etc_group", "directory_groupowner_etc_ipsecd", "file_groupownership_sshd_private_key", "accounts_users_home_files_permissions", "file_ownership_binary_dirs", "directory_permissions_etc_selinux", "file_groupowner_etc_gshadow", "directory_owner_etc_sysctld", "accounts_user_dot_group_ownership", "file_owner_sshd_config", "file_owner_etc_ipsec_conf", "file_groupownership_sshd_pub_key", "file_groupowner_etc_passwd", "file_permissions_sshd_config", "dir_system_commands_group_root_owned", "directory_groupowner_etc_nftables", "file_permissions_etc_shells", "file_owner_etc_chrony_keys", "file_permissions_sshd_private_key", "file_permission_user_init_files", "file_ownership_sshd_pub_key", "file_permissions_etc_sestatus_conf", "file_permissions_etc_crypttab", "directory_permissions_etc_ipsecd", "file_permissions_etc_gshadow", "file_owner_etc_shells", "file_groupowner_etc_ipsec_conf", "directory_owner_etc_iptables", "file_groupowner_etc_sestatus_conf", "directory_owner_etc_sudoersd", "accounts_users_home_files_ownership", "directory_owner_etc_ipsecd", "file_owner_etc_shadow", "file_permissions_etc_chrony_keys", "directory_permissions_etc_sudoersd", "file_permissions_etc_passwd", "file_groupowner_etc_shadow", "file_ownership_sshd_private_key", "file_owner_etc_passwd", "file_permissions_sshd_pub_key", "directory_groupowner_etc_sysctld", "accounts_users_home_files_groupownership", "directory_groupowner_etc_selinux", "file_owner_etc_gshadow", "directory_owner_etc_nftables", "file_owner_etc_crypttab", 
"file_permissions_etc_shadow", "directory_permissions_etc_iptables", "file_owner_etc_ipsec_secrets", "dir_system_commands_root_owned", "file_permissions_binary_dirs", "directory_groupowner_etc_iptables", "accounts_user_dot_user_ownership", "directory_groupowner_etc_sudoersd", "directory_permissions_etc_sysctld", "file_permissions_etc_ipsec_secrets", "file_owner_etc_sudoers", "file_groupowner_etc_sudoers", "file_groupownership_system_commands_dirs", "directory_permissions_etc_nftables"], "controls": []}, {"id": "R51", "levels": ["enhanced"], "notes": "This concerns two aspects. The first is administrative and involves prompt installation of secrets or trusted elements by the sysadmin. The second involves removal of any default secret or trusted element configured by the operating system during the install process, e.g. default known passwords.", "title": "Sensitive and trusted files", "description": "All sensitive files and those contributing to the authentication mechanisms must be set up as soon as the system is installed. If default secrets are preconfigured, they must be replaced during, or immediately after, the installation phase of the system.", "rationale": null, "automated": "no", "status": "documentation", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R52", "levels": ["intermediary"], "notes": "The requirement states that all sockets and named pipes within all mounted\nfile systems should be checked. The check should look at the permissions\nof the socket / pipe and compare them with the permissions of the directory\nwhich contains the particular socket. If the permissions of the directory\nare less strict than those of the socket, this should be\nconsidered a finding. 
Since different use cases can require different\npermissions for named pipes / sockets, it is not possible to perform this\ncheck automatically.", "title": "Securing access for named sockets and pipes", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R53", "levels": ["minimal"], "notes": "", "title": "Files or directories without a known user or group", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_ungroupowned", "no_files_unowned_by_user"], "controls": []}, {"id": "R54", "levels": ["minimal"], "notes": "", "title": "Sticky bit and write access rights", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_perms_world_writable_root_owned", "file_permissions_unauthorized_world_writable", "dir_perms_world_writable_sticky_bits"], "controls": []}, {"id": "R55", "levels": ["intermediary"], "notes": "The approach of the selected rules is to use and configure pam_namespace module.", "title": "Temporary directories dedicated to accounts", "description": "Each user or service account must have its own temporary directory and dispose of it exclusively.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": ["enable_pam_namespace", "accounts_polyinstantiated_var_tmp", "sebool_polyinstantiation_enabled", "accounts_polyinstantiated_tmp", "var_polyinstantiation_enabled=on"], "controls": []}, {"id": "R56", "levels": ["minimal"], "notes": "Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set. This requirement considers binaries installed from recognized and authorized repositories (covered in R15) as appropriate holders of setuid and setgid bits. The remediation resets the setuid and setgid bits to the values intended by the vendor/developer; any finding that remains after remediation should be reviewed.", "title": "Executables with setuid and setgid bits", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_unauthorized_suid", "file_permissions_unauthorized_sgid"], "controls": []}, {"id": "R57", "levels": ["enhanced"], "notes": "There could be rules to list all executables with setuid root or setgid root rights.", "title": "Executable with special rights setuid root and setgid root", "description": "The number of executables with setuid root and setgid root special rights should be as small as possible. When only administrators are expected to execute them, these special rights should be removed in favour of commands such as su or sudo, which can be monitored.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R58", "levels": ["minimal"], "notes": "It is not possible to automatically decide in a general way if a package is required or not for a given system. 
As a future improvement, there could be rules assisting assessment by listing the installed packages.", "title": "Installation of packages reduced to the bare necessities", "description": "The selection of packages installed should be as small as possible, limiting itself to select only what is required.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R59", "levels": ["minimal"], "notes": "It is not trivial to distinguish an official repository from an unofficial one. We cannot draw conclusions from the repo name or URL of the repo (as they can be arbitrary or behind a proxy). One approach to check the origin of installed packages is to check the signature of the packages. If the public key of a repository is not installed, the repo is not trusted.", "title": "Official package repositories", "description": "Only up-to-date official repositories of the distribution must be used.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_redhat_gpgkey_installed", "package_sequoia-sq_installed", "ensure_gpgcheck_never_disabled", "ensure_gpgcheck_globally_activated", "ensure_gpgcheck_local_packages", "ensure_oracle_gpgkey_installed", "ensure_almalinux_gpgkey_installed"], "controls": []}, {"id": "R60", "levels": ["enhanced"], "notes": "", "title": "Hardened package repositories", "description": "When the distribution provides several types of repositories, preference should be given to those containing packages subject to additional hardening measures. 
Between two packages providing the same service, those subject to hardening (at compilation, installation, or default configuration) must be preferred.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R61", "levels": ["minimal"], "notes": "Check the vendor CVE feed and configure automatic install of security related updates.", "title": "Regular updates", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["timer_dnf-automatic_enabled", "package_dnf-automatic_installed", "security_patches_up_to_date", "dnf-automatic_apply_updates", "dnf-automatic_security_updates_only"], "controls": []}, {"id": "R62", "levels": ["minimal"], "notes": "Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. Manual review is required to assess if the installed services are minimal. In general, use of obsolete or insecure services is not recommended and we remove some of these in this recommendation.", "title": "Minimization of installed services", "description": "Only the components strictly necessary to the service provided by the system should be installed. 
Those whose presence can not be justified should be disabled, removed or deleted.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_tftp-server_removed", "package_telnet_removed", "package_sendmail_removed", "package_ypserv_removed", "package_tftp_removed", "package_xinetd_removed", "package_talk-server_removed", "package_kea_removed", "package_telnet-server_removed", "package_dhcp_removed", "package_rsh_removed", "package_talk_removed", "package_ypbind_removed", "package_rsh-server_removed"], "controls": []}, {"id": "R63", "levels": ["intermediary"], "notes": "Define a list of most problematic components or features to be hardened or restricted.", "title": "Minimization of services configuration", "description": "Services are often installed with default configurations that enable features potentially problematic from a security point of view. The features configured at the level of launched services should be limited to the strict minimum.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R64", "levels": ["enhanced"], "notes": "SELinux policies limit the privileges of services and daemons just to those which are required. 
The policies should be enough to restrict the services' privileges to their essentials, but the automated content cannot assess whether they are the minimum required for the deployment.", "title": "Least privilege for the services", "description": "The deployed services must have their access to the system restricted to the strict minimum, especially when it comes to files, processes or network.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "var_selinux_policy_name=targeted"], "controls": []}, {"id": "R65", "levels": ["enhanced"], "notes": "Using automation to restrict access and chroot services is not generally reliable.", "title": "Services partitioning", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R66", "levels": ["high"], "notes": "We cannot easily automate securing of virtualization technologies in a general way. 
It may be interesting to point out virtualization components that are installed and should be hardened.", "title": "Virtualization components hardening", "description": "Each component supporting the virtualization must be hardened, especially by applying technical measures to counter exploit attempts.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R67", "levels": ["intermediary"], "notes": "In systems where remote authentication is handled through the sssd service, PAM delegates\nrequests for remote authentication to the sssd service through a local Unix socket. The sssd\nservice can use IPA, AD or LDAP as a remote database containing the information required for authentication.\nIn case LDAP is configured manually, there are several configuration options which should be checked.", "title": "Secure remote authentication with PAM", "description": "When authentication takes place through a remote application (network),\nthe authentication protocol used by PAM must be secure (flow encryption,\nremote server authentication, anti-replay mechanisms, ...).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_sssd-ipa_installed"], "rules": ["sssd_ldap_start_tls", "ldap_client_tls_cacertpath", "sssd_ldap_configure_tls_reqcert", "sssd_enable_pam_services", "ldap_client_start_tls", "service_sssd_enabled", "package_sssd_installed"], "controls": []}, {"id": "R68", "levels": ["minimal"], "notes": "The selection of rules doesn't cover the use of hardware devices to protect the passwords.", "title": "Protecting stored passwords", "description": "Any password must be protected by 
cryptographic mechanisms.", "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_unix_rounds_password_auth", "accounts_password_pam_minclass", "set_password_hashing_algorithm_systemauth", "accounts_password_pam_unix_rounds_system_auth", "accounts_password_pam_retry", "accounts_password_pam_minlen", "var_password_hashing_algorithm=yescrypt", "var_password_hashing_algorithm_pam=sha512", "var_password_pam_unix_rounds=11", "var_password_pam_minclass=4"], "controls": []}, {"id": "R69", "levels": ["intermediary"], "notes": "An nsswitch service connecting to a remote database is provided by sssd. This is checked in requirement R67.\nAnother such service is winbind, which is by default configured to connect securely to Samba domains.\nOther relevant services are NIS and Hesiod. These should not be used.", "title": "Securing access to remote user databases", "description": "When the user databases are stored on a remote network service, NSS must\nbe configured to establish a secure link that allows, at minimum, to\nauthenticate the server and protect the communication channel.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_nis_in_nsswitch"], "controls": []}, {"id": "R70", "levels": ["intermediary"], "notes": "", "title": "Separation of System Accounts and Directory Administrator", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": 
"R71", "levels": ["enhanced"], "notes": "A lot of recommendations and requirements from the DAT-PA-012 document are administrative and hard to automate. The rules selected below address a few of the aspects that can be covered; keep in mind that these configurations should be customized for the system's deployment requirements.", "title": "Implement a logging system", "description": "The configuration of the service must be performed according to the 'Security Recommendations for the architecture of a logging system' (DAT-PA-012 v2.0) accessible on the ANSSI website (https://www.ssi.gouv.fr/journalisation).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_logrotate_activated", "rsyslog_remote_loghost", "package_chrony_installed", "package_rsyslog-gnutls_installed", "chronyd_configure_pool_and_server", "service_chronyd_or_ntpd_enabled", "rsyslog_remote_tls", "rsyslog_files_ownership", "rsyslog_remote_tls_cacert", "package_logrotate_installed", "rsyslog_files_permissions", "chronyd_specify_remote_server", "service_chronyd_enabled", "rsyslog_files_groupownership", "timer_logrotate_enabled", "partition_for_var_log_audit"], "controls": []}, {"id": "R72", "levels": ["enhanced"], "notes": "", "title": "Service Activity Logs", "description": "Each service must have a dedicated event logging journal on the system. 
This log must only be accessible by the syslog server, and must not be readable, editable or deletable by the service directly.", "rationale": null, "automated": "no", "status": "documentation", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R73", "levels": ["enhanced"], "notes": "", "title": "Logging activity by auditd", "description": "The logging of the system activity must be done through the auditd service.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fchmodat2", "audit_rules_privileged_commands_modprobe", "audit_rules_mac_modification", "audit_rules_file_deletion_events_renameat2", "audit_sudo_log_events", "audit_rules_networkconfig_modification", "audit_rules_time_clock_settime", "audit_rules_session_events_btmp", "audit_rules_dac_modification_fchownat", "package_audit_installed", "audit_rules_dac_modification_lchown", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_kernel_module_loading_delete", "audit_rules_dac_modification_setxattr", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_usergroup_modification_shadow", "audit_rules_media_export", "audit_rules_privileged_commands_kmod", "audit_rules_time_adjtimex", "audit_rules_dac_modification_fchown", "audit_rules_mac_modification_etc_selinux", "audit_rules_dac_modification_lsetxattr", "audit_rules_immutable", "audit_rules_file_deletion_events_renameat", "audit_rules_session_events_wtmp", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_login_events_faillock", "audit_rules_privileged_commands", "audit_rules_time_watch_localtime", 
"audit_rules_dac_modification_chmod", "audit_rules_session_events_utmp", "audit_rules_dac_modification_fsetxattr", "audit_rules_file_deletion_events_unlink", "audit_rules_file_deletion_events_rmdir", "audit_rules_dac_modification_fchmodat", "audit_rules_file_deletion_events_rename", "audit_rules_dac_modification_umount2", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_unlinkat", "audit_rules_kernel_module_loading_init", "audit_rules_time_stime", "audit_rules_login_events_lastlog", "audit_rules_dac_modification_lremovexattr", "audit_rules_privileged_commands_rmmod", "audit_rules_dac_modification_removexattr", "audit_rules_privileged_commands_insmod", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_chown", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_dac_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_open", "audit_rules_sysadmin_actions", "service_auditd_enabled", "audit_rules_usergroup_modification_gshadow", "audit_rules_kernel_module_loading_finit", "audit_rules_unsuccessful_file_modification_creat"], "controls": []}, {"id": "R74", "levels": ["intermediary"], "notes": "", "title": "Configuring the local messaging service", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["postfix_network_listening_disabled"], "controls": []}, {"id": "R75", "levels": ["intermediary"], "notes": "Only the alias for root user is covered by the rule. 
The other services cannot be reliably covered, as there is no simple way of determining what is a service account.", "title": "Messaging Aliases for Service Accounts", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["postfix_client_configure_mail_alias"], "controls": []}, {"id": "R76", "levels": ["high"], "notes": "", "title": "Sealing and integrity of files", "description": "Any file that is not transient (such as temporary files, databases, etc.) must be monitored by a sealing program. This includes: directories containing executables, libraries, configuration files, as well as any files that may contain sensitive elements (cryptographic keys, passwords, confidential data).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_periodic_cron_checking", "aide_verify_ext_attributes", "aide_periodic_checking_systemd_timer", "aide_verify_acls", "package_aide_installed", "aide_scan_notification", "aide_build_database"], "controls": []}, {"id": "R77", "levels": ["high"], "notes": "", "title": "Protection of the seals database", "description": "The sealing database must be protected from malicious access by cryptographic signature mechanisms (with the key used for the signature not locally stored in clear), or possibly stored on a separate machine of the one on which the sealing is done. 
Check section \"Database and config signing in AIDE manual\" https://aide.github.io/doc/#signing", "rationale": null, "automated": "no", "status": "does not meet", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R78", "levels": ["enhanced"], "notes": "Manual analysis is required to determine if services are hosted appropriately in separate or isolated systems while maintaining functionality.", "title": "Network services partitioning", "description": "Network services should as much as possible be hosted on isolated environments. This avoids affecting other services hosted in the same environment if one of them gets compromised.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "R79", "levels": ["intermediary"], "notes": "SELinux can provide confinement and monitoring of services, and AIDE provides basic integrity checking. System logs are configured as part of R71 and R73. Hardening of particular services should be done on a case by case basis and is not automated by this content.", "title": "Hardening and monitoring of exposed services", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed", "selinux_state", "aide_build_database", "var_selinux_state=enforcing"], "controls": []}, {"id": "R80", "levels": ["minimal"], "notes": "Manual review is necessary to decide if the list of resident daemons is minimal. 
Assisting rules could be created to list services listening on the network for manual review.", "title": "Minimization of network services", "description": "All network services must be listening on the correct network interfaces.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}], "levels": [{"id": "minimal", "inherits_from": null}, {"id": "intermediary", "inherits_from": ["minimal"]}, {"id": "enhanced", "inherits_from": ["intermediary"]}, {"id": "high", "inherits_from": ["enhanced"]}]}
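The notes for R52 and R57 above describe checks that the profile leaves to manual review: comparing the permissions of each named socket or pipe with those of its directory, and listing setuid/setgid executables so the setuid-root ones that only administrators need can be identified. The script below is an added example of such a review helper; it is not part of the ANSSI profile or of the scap-security-guide content. It assumes a Linux host with GNU findutils and coreutils (`stat -c`), and it reads the R52 note as: the directory is a finding when it grants group or other permission bits that the object inside it does not grant.

```shell
#!/bin/sh
# Added example, not part of the ANSSI-BP-028 profile or of the scap-security-guide
# content: a review helper for R52 (named sockets and pipes) and R57 (setuid/setgid
# executables). Assumes a Linux host with GNU findutils and coreutils (stat -c).

# Permission bits (0-7) of one class taken from an octal mode string such as
# "755" or "0640". CLASS is g (group) or o (other).
class_bits() {  # usage: class_bits MODE CLASS
  case $2 in
    g) echo $(( (0$1 >> 3) & 7 )) ;;
    o) echo $(( 0$1 & 7 )) ;;
    *) echo 0 ;;
  esac
}

# Bits that a directory grants to group/other beyond what the object inside it
# grants. Empty output means the directory is at least as strict as the object
# (no R52 finding); otherwise e.g. "g:5 o:5" (r-x for both classes).
excess_bits() {  # usage: excess_bits OBJ_MODE DIR_MODE
  out=""
  for c in g o; do
    ob=$(class_bits "$1" "$c")
    db=$(class_bits "$2" "$c")
    extra=$(( db & ~ob ))
    if [ "$extra" -ne 0 ]; then
      out="${out:+$out }$c:$extra"
    fi
  done
  echo "$out"
}

# R52 helper: walk one file system (-xdev) below ROOT and print every socket or
# named pipe whose directory is more permissive than the object itself.
# Output: "<excess bits> <object mode> <directory mode> <path>", one per finding.
# Use-case specific needs (a world-readable spool directory, for example) are
# why the profile leaves the final decision to a human reviewer.
scan_sockets_pipes() {  # usage: scan_sockets_pipes ROOT
  find "$1" -xdev \( -type s -o -type p \) -print 2>/dev/null |
  while IFS= read -r p; do
    om=$(stat -c '%a' "$p")
    dm=$(stat -c '%a' "$(dirname "$p")")
    x=$(excess_bits "$om" "$dm")
    if [ -n "$x" ]; then
      printf '%s %s %s %s\n' "$x" "$om" "$dm" "$p"
    fi
  done
}

# R57 helper: list setuid/setgid executables with mode, owner and group so the
# reviewer can spot setuid-root binaries that only administrators need and that
# could lose the bit in favour of sudo. Output: "<mode> <owner> <group> <path>".
scan_setuid_setgid() {  # usage: scan_setuid_setgid ROOT
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
    -exec stat -c '%a %U %G %n' {} + 2>/dev/null
}

# Run both scans over the given root(s), e.g. "sudo sh review.sh / /var /run".
# Without arguments nothing is scanned; the functions are then only defined.
for root in "$@"; do
  echo "== R52: sockets/pipes below $root with a more permissive directory =="
  scan_sockets_pipes "$root"
  echo "== R57: setuid/setgid executables below $root =="
  scan_setuid_setgid "$root"
done
```

Run it as root against each mounted file system (one invocation per mount point because of `-xdev`) and review the output rather than acting on it mechanically: a socket with mode 0660 in a 0755 directory is reported, but whether that is acceptable depends on which clients must reach the socket.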