Definition of Configuration Recommendations of a GNU/Linux System for ol10

based on https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf

R1: Hardware Support

Description: It is recommended to apply the configuration recommendations for Hardware support mentioned in ANSSI DAT-24.

Levels:

Automated: yes

Selections:

R2: Hardware configuration

Description: It is recommended to apply the configuration recommendations for BIOS/UEFI mentioned in ANSSI DAT-24.

Levels:

Automated: no

No rules selected

R3: UEFI Secure boot activation

Description: It is recommended to apply UEFI Secure Boot configuration of the distribution.

Levels:

Automated: no

No rules selected

R4: Replacing of preloaded keys

Description: It is recommended to replace the UEFI preloaded keys with new keys used to sign either the bootloader and the Linux kernel, or the Linux kernel image in EFI format.

Levels:

Automated: no

No rules selected

R5: Boot loader password

Description: A password protecting the boot loader must exist. This password must prevent any user from changing its configuration options.

Levels:

Automated: yes

Selections:

R6: Protecting kernel command line parameters

Description: It is recommended that UEFI Secure Boot is used to protect the Linux Kernel command line parameters during boot.

Levels:

Automated: no

No rules selected

R7: IOMMU Configuration Guidelines

Description: The iommu=force directive must be added to the list of kernel parameters at startup, in addition to those already present in the configuration files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).
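The edit R7 asks for is easy to get wrong by hand (duplicated parameter, broken quoting), so here is an added example, not part of the ANSSI guide or the ol10 profile, that inserts iommu=force into GRUB_CMDLINE_LINUX of an /etc/default/grub-style file only when it is not already there. The file path and the demonstration content are assumptions: the function is meant to be tried on a copy first, and the file it builds is a constructed sample, not a real /etc/default/grub.

```shell
#!/bin/sh
# Added example (not part of the ANSSI guide or the ol10 profile): add iommu=force
# to GRUB_CMDLINE_LINUX in an /etc/default/grub-style file, idempotently.
# The file path is a parameter so the function can be tried on a copy first.

# Succeed if $2 is already one of the parameters in GRUB_CMDLINE_LINUX of file $1.
# The quote/space required around the name avoids matching e.g. intel_iommu=force.
grub_cmdline_has() {
    grep -E '^GRUB_CMDLINE_LINUX=' "$1" | grep -qE "[\"' ]$2[\"' ]"
}

# Append $2 to GRUB_CMDLINE_LINUX of file $1 unless it is already present.
# Handles double- and single-quoted values, creates the variable if the file has
# none, and rewrites the file through a temporary copy. Unquoted values are not
# handled; the final check reports that case instead of silently doing nothing.
grub_cmdline_add() {
    file="$1"; param="$2"
    if grub_cmdline_has "$file" "$param"; then
        return 0
    fi
    if grep -qE '^GRUB_CMDLINE_LINUX=' "$file"; then
        sed -E \
            -e "s/^(GRUB_CMDLINE_LINUX=\"[^\"]*)\"/\1 $param\"/" \
            -e "s/^GRUB_CMDLINE_LINUX=\" /GRUB_CMDLINE_LINUX=\"/" \
            -e "s/^(GRUB_CMDLINE_LINUX='[^']*)'/\1 $param'/" \
            -e "s/^GRUB_CMDLINE_LINUX=' /GRUB_CMDLINE_LINUX='/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$param" >> "$file"
    fi
    grub_cmdline_has "$file" "$param" || {
        echo "could not edit GRUB_CMDLINE_LINUX in $file" >&2
        return 1
    }
}

# Demonstration on a constructed copy (not a real /etc/default/grub).
demo_dir=$(mktemp -d)
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$demo_dir/grub"
grub_cmdline_add "$demo_dir/grub" iommu=force
grub_cmdline_add "$demo_dir/grub" iommu=force   # second call changes nothing
cat "$demo_dir/grub"
rm -rf "$demo_dir"
```

Editing /etc/default/grub only changes the template: the generated configuration must be rebuilt afterwards (with grub2-mkconfig on RHEL-family systems such as ol10), and the change only takes effect at the next boot. On those systems grubby --update-kernel=ALL --args="iommu=force" performs the same addition on every installed kernel entry directly.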

Levels:

Automated: yes

Selections:

R8: Memory configuration options

Description: None

Levels:

Automated: yes

Selections:

R9: Kernel configuration options

Description: None

Levels:

Automated: yes

Selections:

R10: Disabling the loading of kernel modules

Description: The loading of kernel modules can be blocked by enabling the sysctl kernel.modules_disabled, which prohibits loading any module other than those already loaded at that point: kernel.modules_disabled = 1

Levels:

Automated: yes

Selections:

R11: Yama module sysctl configuration

Description: It is recommended to load the Yama security module at startup (for example by passing the security=yama argument to the kernel) and to configure the sysctl kernel.yama.ptrace_scope to a value of at least 1.
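R10 and R11 each name one sysctl value; the following added example, which is not part of the ANSSI guide or the ol10 profile, audits a sysctl.d-style file for both at once (kernel.modules_disabled equal to 1, kernel.yama.ptrace_scope at least 1). The file layout it parses ("key = value", comments with #) is the standard sysctl.conf format; the sample file it builds is constructed for the demonstration. One caveat worth knowing: the kernel refuses to set kernel.modules_disabled back to 0 once it is 1, so the setting should be applied last, after every module the system needs has been loaded.

```shell
#!/bin/sh
# Added example (not part of the ANSSI guide or the ol10 profile): audit a
# sysctl.d-style file for the settings named in R10 and R11.
# Known caveat: once kernel.modules_disabled is 1 the kernel refuses to set it
# back to 0; only a reboot clears it, so apply it last in the boot sequence.

# Print the last value assigned to key $2 in file $1 (empty if unset).
# Accepts "key = value" and "key=value"; ignores comments and blank lines.
sysctl_file_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -nE "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | tail -n 1
}

# Succeed if key $2 in file $1 is an integer >= $3.
sysctl_file_at_least() {
    v=$(sysctl_file_get "$1" "$2")
    [ -n "$v" ] && [ "$v" -ge "$3" ] 2>/dev/null
}

# Check file $1 against R10 (modules_disabled = 1) and R11 (ptrace_scope >= 1).
# Prints one line per check; the return value is the number of failed checks.
audit_sysctl_hardening() {
    f="$1"; failed=0
    if sysctl_file_at_least "$f" kernel.modules_disabled 1; then
        echo "PASS kernel.modules_disabled = 1"
    else
        echo "FAIL kernel.modules_disabled (expected 1)"; failed=$((failed + 1))
    fi
    if sysctl_file_at_least "$f" kernel.yama.ptrace_scope 1; then
        echo "PASS kernel.yama.ptrace_scope >= 1"
    else
        echo "FAIL kernel.yama.ptrace_scope (expected >= 1)"; failed=$((failed + 1))
    fi
    return $failed
}

# Demonstration on a constructed file (not a real /etc/sysctl.d entry).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample: Yama restricted, module loading still allowed
kernel.yama.ptrace_scope = 1
kernel.modules_disabled = 0   # should be 1
EOF
audit_sysctl_hardening "$demo" || echo "$? check(s) failed"
rm -f "$demo"
```

The audit reads the configuration file rather than the running kernel, so it shows what the next boot will apply; comparing it with sysctl -n kernel.modules_disabled and sysctl -n kernel.yama.ptrace_scope on the live system reveals drift between the two.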

Levels:

Automated: yes

Selections:

R12: IPv4 configuration options

Description: None

Levels:

Automated: yes

Selections:

R13: Disabling IPv6

Description: None

Levels:

Automated: yes

Selections:

R14: File system configuration options

Description: None

Levels:

Automated: yes

Selections:

R15: Compile options for memory management

Description: None

Levels:

Automated: yes

Selections:

R16: Compile options for kernel data structures

Description: None

Levels:

Automated: yes

Selections:

R17: Compile options for the memory allocator

Description: None

Levels:

Automated: yes

Selections:

R18: Compile options for the management of kernel module

Description: None

Levels:

Automated: yes

Selections:

R19: Compile options for abnormal situations

Description: None

Levels:

Automated: yes

Selections:

R20: Compile options for kernel security functions

Description: None

Levels:

Automated: yes

Selections:

R21: Compile options for the compiler plugins

Description: None

Levels:

Automated: yes

Selections:

R22: Compile options for the IP stack

Description: None

Levels:

Automated: yes

Selections:

R23: Compile options for various kernel behaviors

Description: None

Levels:

Automated: yes

Selections:

R24: Compile options for 32-bit architectures

Description: None

Levels:

Automated: no

No rules selected

R25: Compile options for x86_64 architectures

Description: None

Levels:

Automated: yes

Selections:

R26: Compile options for ARM architectures

Description: None

Levels:

Automated: no

No rules selected

R27: Compile options for ARM 64 architectures

Description: None

Levels:

Automated: yes

Selections:

R28: Partitioning type

Description: None

Levels:

Automated: yes

Selections:

R29: Access Restrictions on /boot

Description: When possible, it is recommended not to automatically mount the /boot partition. In any case, access to the /boot folder should only be allowed for the root user.

Levels:

Automated: yes

Selections:

R30: Removal of unused user accounts

Description: Unused user accounts must be deleted from the system.

Levels:

Automated: no

No rules selected

R31: User password strength

Description: None

Levels:

Automated: yes

Selections:

R32: Configuring a timeout on local user sessions

Description: Local user sessions (console TTY, graphical session) must be locked after a certain period of inactivity.

Levels:

Automated: yes

Selections:

R33: Use of dedicated administration accounts

Description: None

Levels:

Automated: yes

Selections:

R34: Deactivation of service accounts

Description: None

Levels:

Automated: no

No rules selected

R35: Uniqueness and exclusivity of system service accounts

Description: Each service must have its own system account and be dedicated to it exclusively.

Levels:

Automated: no

No rules selected

R36: Changing the default value of UMASK

Description: The default value of UMASK for the shells must be set to 0077 in order to allow read and write access to its owner only. This value can be defined in the configuration file /etc/profile, which most shells (bash, dash, ksh…) will use. The default value of UMASK for services must be determined for each service, but in most cases it should be set to 0027 (or more restrictive). This allows read access to the owner and the group, and full access to the owner. For services managed by systemd, this value can be defined directly in the configuration file of the service with the directive UMask=0027.
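Because a umask removes permission bits rather than granting them, "0027 or more restrictive" means every bit cleared by 0027 must also be cleared by the configured value. The following added example, not part of the ANSSI guide or the ol10 profile, makes that concrete: it computes the mode a new file or directory gets under a given umask, compares two umasks for strictness, and applies the R36 values to a profile snippet and a systemd unit. The file contents are constructed samples; the "umask NNN" and "UMask=NNN" line formats are the real ones used by shells and systemd.

```shell
#!/bin/sh
# Added example (not part of the ANSSI guide or the ol10 profile): compute what a
# UMASK value actually grants, and check a profile file and a systemd unit for the
# values named in R36 (0077 for shells, 0027 or stricter for services).

# Print the mode (4-digit octal) that results from creating an object with
# default mode $1 (0666 for files, 0777 for directories) under umask $2.
effective_mode() {
    printf '%04o' $(( 0$1 & ~0$2 ))
}

# Succeed if umask $1 is at least as restrictive as umask $2, i.e. every bit
# that $2 removes is also removed by $1 (0077 satisfies a 0027 requirement).
umask_at_least() {
    [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]
}

# Print the last umask value set by an uncommented "umask NNN" line in file $1.
profile_umask() {
    sed -nE 's/^[[:space:]]*umask[[:space:]]+([0-7]{3,4}).*/\1/p' "$1" | tail -n 1
}

# Print the UMask= value of a systemd unit file $1 (empty if not set).
unit_umask() {
    sed -nE 's/^[[:space:]]*UMask=([0-7]{3,4}).*/\1/p' "$1" | tail -n 1
}

# R36 checks: shells need 0077 (or stricter); services need 0027 or stricter.
# A unit without UMask= fails, since systemd's default is more permissive.
check_profile_umask() {
    u=$(profile_umask "$1")
    [ -n "$u" ] && umask_at_least "$u" 0077
}
check_unit_umask() {
    u=$(unit_umask "$1")
    [ -n "$u" ] && umask_at_least "$u" 0027
}

# Demonstration with constructed files (not the real /etc/profile or a real unit).
d=$(mktemp -d)
printf '# constructed profile snippet\numask 022\numask 0077\n' > "$d/profile"
printf '[Service]\nExecStart=/usr/bin/true\nUMask=0022\n' > "$d/lax.service"
echo "file under 0077: $(effective_mode 0666 0077), dir under 0027: $(effective_mode 0777 0027)"
check_profile_umask "$d/profile" && echo "profile OK"
check_unit_umask "$d/lax.service" || echo "lax.service: UMask too permissive"
rm -rf "$d"
```

The strictness comparison is what makes the check robust: a site that configures 0077 for a service still passes the 0027 requirement, while 0022 (the usual distribution default) fails it because the group-write and world-read bits it leaves in place are exactly the ones R36 wants removed.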

Levels:

Automated: yes

Selections:

R37: Using access control features

Description: It is recommended to use the mandatory access control (MAC) features in addition to the traditional Unix user model (DAC), or possibly combine them with partitioning mechanisms.

Levels:

Automated: yes

Selections:

R38: Group dedicated to the use of sudo

Description: A group dedicated to the use of sudo must be created, and only members of this group are allowed to execute sudo.

Levels:

Automated: yes

Selections:

R39: Sudo configuration guidelines

Description: None

Levels:

Automated: yes

Selections:

R40: Privileges of target sudo users

Description: The targeted users of a rule should be, as much as possible, non-privileged users.

Levels:

Automated: yes

Selections:

R41: Limiting the number of commands requiring the use of the EXEC option

Description: The commands requiring the execution of sub-processes (EXEC tag) must be explicitly listed and their use should be reduced to a strict minimum.

Levels:

Automated: no

No rules selected

R42: Good use of negation in a sudoers file

Description: The sudoers configuration rules should not involve negation.
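The reason R42 rejects negation is documented in sudoers(5): a rule such as "ALL, !/bin/sh" does not stop a user who can run arbitrary commands from copying the excluded binary under another name, so the exclusion only gives a false sense of restriction. The following added example, not part of the ANSSI guide or the ol10 profile, lists the rules in a sudoers-style file that use "!", skipping comments and Defaults lines (where "!flag" switches an option off rather than excluding a command). The sudoers content is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the ANSSI guide or the ol10 profile): report sudoers
# rules that use negation ("!" in front of a command, alias or group), which R42
# advises against. Defaults lines are skipped because "!flag" there turns an
# option off rather than excluding a command.

# Print "line-number: text" for every rule in sudoers-style file $1 containing "!".
# Whole-line comments and Defaults entries are ignored; trailing comments are
# stripped before the check so a "!" inside a comment is not reported.
sudoers_negations() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*Defaults/ { next }
        { line = $0; sub(/[[:space:]]#.*$/, "", line) }
        line ~ /!/ { printf "%d: %s\n", NR, line }
    ' "$1"
}

# Print the number of negated rules in file $1 (0 when there are none).
sudoers_negation_count() {
    sudoers_negations "$1" | grep -c '' || true
}

# Demonstration on a constructed sudoers fragment (not a real /etc/sudoers).
demo=$(mktemp)
cat > "$demo" <<'EOF'
%admins ALL=(ALL) ALL
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
alice ALL=(ALL) ALL, !SHELLS
bob ALL=(root) /usr/bin/systemctl restart nginx # explicit args!
Defaults !requiretty
# carol ALL=(ALL) !ALL
EOF
echo "negated rules: $(sudoers_negation_count "$demo")"
sudoers_negations "$demo"
rm -f "$demo"
```

The fix for a flagged rule is to list the commands the user is allowed to run instead of everything minus a few; after editing, visudo -c -f <file> checks the syntax without installing the file.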

Levels:

Automated: yes

Selections:

R43: Explicit arguments in sudo specifications

Description: None

Levels:

Automated: yes

Selections:

R44: Editing files with sudo

Description: A file requiring sudo to be edited must be edited through the sudoedit command.

Levels:

Automated: no

No rules selected

R45: Enable AppArmor security profiles

Description: All AppArmor security profiles on the system must be enabled by default.

Levels:

Automated: yes

Selections:

R46: Activate SELinux with the Targeted Policy

Description: It is recommended to enable the targeted policy when the distribution supports it and no security module other than SELinux is in use.

Levels:

Automated: yes

Selections:

R47: Containment of unprivileged interactive users

Description: Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.

Levels:

Automated: no

No rules selected

R48: Setting SELinux booleans

Description: It is recommended to set the following Booleans: allow_execheap to off, forbids processes to make their heap executable; allow_execmem to off, forbids processes to have both write and execute rights on memory pages; allow_execstack to off, forbids processes to make their stack executable; secure_mode_insmod to on, prohibits dynamic loading of modules by any process; ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.
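To verify R48 on a host, the values reported by getsebool -a have to be compared with the table above, and any deviation fixed persistently with setsebool -P. The following added example, not part of the ANSSI guide or the ol10 profile, does that comparison on getsebool-style output ("name --> on|off") and prints the setsebool -P commands a mismatch calls for. The boolean names are the ones the guide uses; the output it parses is a constructed sample, not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of the ANSSI guide or the ol10 profile): compare
# getsebool-style output ("name --> on|off") against the R48 table and print the
# setsebool -P commands needed. The boolean names are the ones the guide uses.

R48_BOOLEANS="allow_execheap=off allow_execmem=off allow_execstack=off secure_mode_insmod=on ssh_sysadm_login=off"

# Print the value of boolean $2 from getsebool-style output in file $1.
sebool_value() {
    sed -nE "s/^$2[[:space:]]+-->[[:space:]]+(on|off)[[:space:]]*$/\1/p" "$1"
}

# Report each R48 boolean; the return value is the number of mismatches or
# booleans missing from the output.
audit_r48() {
    f="$1"; failed=0
    for pair in $R48_BOOLEANS; do
        name=${pair%=*}; want=${pair#*=}
        got=$(sebool_value "$f" "$name")
        if [ "$got" = "$want" ]; then
            echo "PASS $name = $want"
        elif [ -z "$got" ]; then
            echo "FAIL $name not present (policy may use a different name)"
            failed=$((failed + 1))
        else
            echo "FAIL $name = $got (expected $want)"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Print one persistent setsebool command per boolean that is present but wrong.
r48_fix_commands() {
    for pair in $R48_BOOLEANS; do
        name=${pair%=*}; want=${pair#*=}
        got=$(sebool_value "$1" "$name")
        [ -n "$got" ] && [ "$got" != "$want" ] && echo "setsebool -P $name $want"
    done
    return 0
}

# Demonstration on constructed getsebool output (not captured from a real host).
demo=$(mktemp)
cat > "$demo" <<'EOF'
allow_execheap --> off
allow_execmem --> on
allow_execstack --> off
secure_mode_insmod --> off
ssh_sysadm_login --> off
EOF
audit_r48 "$demo" || echo "$? boolean(s) need attention"
r48_fix_commands "$demo"
rm -f "$demo"
```

A "not present" result usually means the policy shipped with the distribution names the boolean differently: current reference policies use selinuxuser_execheap and selinuxuser_execstack, and replaced allow_execmem with deny_execmem, whose sense is inverted (on denies). The R48_BOOLEANS table is the single place to adjust when that is the case.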

Levels:

Automated: yes

Selections:

R49: Uninstalling SELinux Policy Debugging Tools

Description: SELinux policy manipulation and debugging tools should not be installed on a machine in production.

Levels:

Automated: yes

Selections:

R50: Rights to access sensitive files and directories

Description: None

Levels:

Automated: yes

Selections:

R51: Sensitive and trusted files

Description: All sensitive files and those contributing to the authentication mechanisms must be set up as soon as the system is installed. If default secrets are preconfigured, they must be replaced during, or immediately after, the installation phase of the system.

Levels:

Automated: no

No rules selected

R52: Securing access for named sockets and pipes

Description: None

Levels:

Automated: no

No rules selected

R53: Files or directories without a known user or group

Description: None

Levels:

Automated: yes

Selections:

R54: Sticky bit and write access rights

Description: None

Levels:

Automated: yes

Selections:

R55: Temporary directories dedicated to accounts

Description: Each user or service account must have its own temporary directory and have exclusive use of it.

Levels:

Automated: yes

Selections:

R56: Executables with setuid and setgid bits

Description: None

Levels:

Automated: yes

Selections:

R57: Executable with special rights setuid root and setgid root

Description: Executables with the setuid root and setgid root special rights should be as few as possible. When only administrators are expected to execute them, these special rights should be removed in favour of commands like su or sudo, which can be monitored.

Levels:

Automated: no

No rules selected

R58: Installation of packages reduced to the bare necessities

Description: The selection of packages installed should be as small as possible, limiting itself to select only what is required.

Levels:

Automated: no

No rules selected

R59: Official package repositories

Description: Only up-to-date official repositories of the distribution must be used.

Levels:

Automated: yes

Selections:

R60: Hardened package repositories

Description: When the distribution provides several types of repositories, preference should be given to those containing packages subject to additional hardening measures. Between two packages providing the same service, those subject to hardening (at compilation, installation, or default configuration) must be preferred.

Levels:

Automated: no

No rules selected

R61: Regular updates

Description: None

Levels:

Automated: yes

Selections:

R62: Minimization of installed services

Description: Only the components strictly necessary to the service provided by the system should be installed. Those whose presence cannot be justified should be disabled, removed or deleted.

Levels:

Automated: no

Selections:

R63: Minimization of services configuration

Description: Services are often installed with default configurations that enable features potentially problematic from a security point of view. The features configured at the level of launched services should be limited to the strict minimum.

Levels:

Automated: no

No rules selected

R64: Least privilege for the services

Description: The deployed services must have their access to the system restricted to the strict minimum, especially when it comes to files, processes or the network.

Levels:

Automated: yes

Selections:

R65: Services partitioning

Description: None

Levels:

Automated: no

No rules selected

R66: Virtualization components hardening

Description: Each component supporting the virtualization must be hardened, especially by applying technical measures to counter the exploit attempts.

Levels:

Automated: no

No rules selected

R67: Secure remote authentication with PAM

Description: When authentication takes place through a remote application (network), the authentication protocol used by PAM must be secure (flow encryption, remote server authentication, anti-replay mechanisms, ...).

Levels:

Automated: yes

Selections:

R68: Protecting stored passwords

Description: Any password must be protected by cryptographic mechanisms.

Levels:

Automated: no

Selections:

R69: Securing access to remote user databases

Description: When the user databases are stored on a remote network service, NSS must be configured to establish a secure link that, at a minimum, authenticates the server and protects the communication channel.

Levels:

Automated: yes

No rules selected

R70: Separation of System Accounts and Directory Administrator

Description: None

Levels:

Automated: no

No rules selected

R71: Implement a logging system

Description: The configuration of the service must be performed according to the 'Security Recommendations for the architecture of a logging system' (DAT-PA-012 v2.0) accessible on the ANSSI website (https://www.ssi.gouv.fr/journalisation).

Levels:

Automated: yes

Selections:

R72: Service Activity Logs

Description: Each service must have a dedicated event logging journal on the system. This log must only be accessible by the syslog server, and must not be readable, editable or deletable by the service directly.

Levels:

Automated: no

No rules selected

R73: Logging activity by auditd

Description: The logging of the system activity must be done through the auditd service.

Levels:

Automated: yes

Selections:

R74: Configuring the local messaging service

Description: None

Levels:

Automated: yes

Selections:

R75: Messaging Aliases for Service Accounts

Description: None

Levels:

Automated: yes

Selections:

R76: Sealing and integrity of files

Description: Any file that is not transient (such as temporary files, databases, etc.) must be monitored by a sealing program. This includes: directories containing executables, libraries, configuration files, as well as any files that may contain sensitive elements (cryptographic keys, passwords, confidential data).

Levels:

Automated: yes

Selections:

R77: Protection of the seals database

Description: The sealing database must be protected from malicious access by cryptographic signature mechanisms (with the key used for the signature not stored locally in clear), or possibly stored on a machine separate from the one on which the sealing is done. See the section "Database and config signing" in the AIDE manual: https://aide.github.io/doc/#signing

Levels:

Automated: no

No rules selected

R78: Network services partitioning

Description: Network services should, as much as possible, be hosted in isolated environments. This avoids other services in the same environment being affected if one of them is compromised.

Levels:

Automated: no

No rules selected

R79: Hardening and monitoring of exposed services

Description: None

Levels:

Automated: no

Selections:

R80: Minimization of network services

Description: All network services must be listening on the correct network interfaces.

Levels:

Automated: no

No rules selected