Definition of Configuration Recommendations of a GNU/Linux System for ol8

R1: Hardware Support

Description: It is recommended to apply the configuration recommendations for Hardware support mentioned in ANSSI DAT-24.

• enhanced

Automated: yes

• grub2_nosmap_argument_absent: Ensure SMAP is not disabled during boot
• grub2_nosmep_argument_absent: Ensure SMEP is not disabled during boot
• install_PAE_kernel_on_x86-32: Install PAE Kernel on Supported 32-bit x86 Systems
• package_dracut-fips-aesni_installed: Install the dracut-fips-aesni Package
• prefer_64bit_os: Prefer to use a 64-bit Operating System when supported

R2: Hardware configuration

Description: It is recommended to apply the configuration recommendations for BIOS/UEFI mentioned in ANSSI DAT-24.

• intermediary

Automated: no

No rules selected

R3: UEFI Secure boot activation

Description: It is recommended to apply UEFI Secure Boot configuration of the distribution.

• intermediary

Automated: no

No rules selected

R4: Replacing of preloaded keys

Description: It is recommended to replace the UEFI preloaded keys with new keys used to sign; the bootloader and Linux kernel, or; the image of the Linux kernel in EFI format.

• high

Automated: no

No rules selected

R5: Boot loader password

Description: A password protecting the boot loader must exist. This password must prevent any user from changing their configuration options.

• intermediary

Automated: yes

• grub2_password: Set Boot Loader Password in grub2
• grub2_uefi_password: Set the UEFI Boot Loader Password

R6: Protecting kernel command line parameters

Description: It is recommended that UEFI Secure Boot is used to protect the Linux Kernel command line parameters during boot.

• high

Automated: no

No rules selected

R7: IOMMU Configuration Guidelines

Description: The iommu = force directive must be added to the list of kernel parameters during startup in addition to those already present in the configuration files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).

• enhanced

Automated: yes

• grub2_enable_iommu_force: IOMMU configuration directive

R8: Memory configuration options

Description: None

• intermediary

Automated: yes

• grub2_l1tf_argument: Configure L1 Terminal Fault mitigations
• grub2_mce_argument: Force kernel panic on uncorrected MCEs
• grub2_mds_argument: Configure Microarchitectural Data Sampling mitigation
• grub2_page_alloc_shuffle_argument: Enable randomization of the page allocator
• grub2_page_poison_argument: Enable page allocator poisoning
• grub2_pti_argument: Enable Kernel Page-Table Isolation (KPTI)
• grub2_rng_core_default_quality_argument: Configure the confidence in TPM for entropy
• grub2_slab_nomerge_argument: Disable merging of slabs with similar size
• grub2_slub_debug_argument: Enable SLUB/SLAB allocator poisoning
• grub2_spec_store_bypass_disable_argument: Configure Speculative Store Bypass Mitigation
• grub2_spectre_v2_argument: Enforce Spectre v2 mitigation
• sysctl_vm_mmap_min_addr: Prevent applications from mapping low portion of virtual memory
• var_l1tf_options = full_force
• var_mds_options = full_nosmt
• var_rng_core_default_quality = 500
• var_slub_debug_options = FZP
• var_spec_store_bypass_disable_options = seccomp

R9: Kernel configuration options

Description: None

• intermediary

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access
• sysctl_kernel_kptr_restrict_value = 2
• sysctl_kernel_panic_on_oops: Kernel panic on oops
• sysctl_kernel_perf_cpu_time_max_percent: Limit CPU consumption of the Perf system
• sysctl_kernel_perf_event_max_sample_rate: Limit sampling frequency of the Perf system
• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users
• sysctl_kernel_pid_max: Configure maximum number of process identifiers
• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space
• sysctl_kernel_sysrq: Disallow magic SysRq key
• sysctl_kernel_unprivileged_bpf_disabled: Disable Access to Network bpf() Syscall From Unprivileged Processes

R10: Disabling the loading of kernel modules

Description: The loading of the kernel modules can be blocked by the activation of the sysctl kernel.modules_disabled: Prohibition of loading modules (except those already loaded to this point) kernel.modules_disabled = 1

• enhanced

Automated: yes

• sysctl_kernel_modules_disabled: Disable loading and unloading of kernel modules

R11: Yama module sysctl configuration

Description: It is recommended to load the Yama security module at startup (by example passing the security = yama argument to the kernel) and configure the sysctl kernel.yama.ptrace_scope to a value of at least 1.

• intermediary

Automated: yes

• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes

R12: IPv4 configuration options

Description: None

• intermediary

Automated: yes

• sysctl_net_core_bpf_jit_harden: Harden the operation of the BPF just-in-time compiler
• sysctl_net_ipv4_conf_all_accept_local: Disable Accepting Packets Routed Between Local Interfaces
• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_redirects_value = disabled
• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_arp_filter: Configure ARP filtering for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_arp_ignore: Configure Response Mode of ARP Requests for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_arp_ignore_value = 2
• sysctl_net_ipv4_conf_all_drop_gratuitous_arp: Drop Gratuitious ARP frames on All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_route_localnet: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_secure_redirects: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_shared_media: Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_shared_media_value = disabled
• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
• sysctl_net_ipv4_conf_default_accept_redirects_value = disabled
• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_secure_redirects: Configure Kernel Parameter for Accepting Secure Redirects By Default
• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_shared_media: Configure Sending and Accepting Shared Media Redirects by Default
• sysctl_net_ipv4_conf_default_shared_media_value = disabled
• sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
• sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
• sysctl_net_ipv4_ip_local_port_range: Set Kernel Parameter to Increase Local Port Range
• sysctl_net_ipv4_tcp_rfc1337: Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces
• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

R13: Disabling IPv6

Description: None

• intermediary

Automated: yes

• sysctl_net_ipv6_conf_all_accept_ra_defrtr: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_ra_pinfo: Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_ra_rtr_pref: Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
• sysctl_net_ipv6_conf_all_autoconf: Configure Auto Configuration on All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_max_addresses: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_router_solicitations: Configure Denying Router Solicitations on All IPv6 Interfaces
• sysctl_net_ipv6_conf_default_accept_ra_defrtr: Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default
• sysctl_net_ipv6_conf_default_accept_ra_pinfo: Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default
• sysctl_net_ipv6_conf_default_accept_ra_rtr_pref: Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default
• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
• sysctl_net_ipv6_conf_default_autoconf: Configure Auto Configuration on All IPv6 Interfaces By Default
• sysctl_net_ipv6_conf_default_max_addresses: Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
• sysctl_net_ipv6_conf_default_router_solicitations: Configure Denying Router Solicitations on All IPv6 Interfaces By Default

R14: File system configuration options

Description: None

• intermediary

Automated: yes

• sysctl_fs_protected_fifos: Enable Kernel Parameter to Enforce DAC on FIFOs
• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks
• sysctl_fs_protected_regular: Enable Kernel Parameter to Enforce DAC on Regular files
• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks
• sysctl_fs_suid_dumpable: Disable Core Dumps for SUID programs

R15: Compile options for memory management

Description: None

• high

Automated: yes

• kernel_config_acpi_custom_method: Do not allow ACPI methods to be inserted/replaced at run time
• kernel_config_compat_vdso: Disable the 32-bit vDSO
• kernel_config_debug_fs: Disable kernel debugfs
• kernel_config_debug_wx: Warn on W+X mappings found at boot
• kernel_config_devkmem: Disable /dev/kmem virtual device support
• kernel_config_fortify_source: Harden common str/mem functions against buffer overflows
• kernel_config_hardened_usercopy: Harden memory copies between kernel and userspace
• kernel_config_hardened_usercopy_fallback: Do not allow usercopy whitelist violations to fallback to object size
• kernel_config_legacy_vsyscall_emulate: Disable vsyscall emulation
• kernel_config_legacy_vsyscall_none: Disable vsyscall mapping
• kernel_config_legacy_vsyscall_xonly: Disable vsyscall emulate execution only
• kernel_config_proc_kcore: Disable support for /proc/kkcore
• kernel_config_refcount_full: Perform full reference count validation
• kernel_config_retpoline: Avoid speculative indirect branches in kernel
• kernel_config_sched_stack_end_check: Detect stack corruption on calls to schedule()
• kernel_config_security_dmesg_restrict: Restrict unprivileged access to the kernel syslog
• kernel_config_stackprotector: Stack Protector buffer overlow detection
• kernel_config_stackprotector_strong: Strong Stack Protector
• kernel_config_strict_kernel_rwx: Make the kernel text and rodata read-only
• kernel_config_vmap_stack: User a virtually-mapped stack
• kernel_config_x86_vsyscall_emulation: Disable x86 vsyscall emulation

R16: Compile options for kernel data structures

Description: None

• high

Automated: yes

• kernel_config_bug_on_data_corruption: Trigger a kernel BUG when data corruption is detected
• kernel_config_debug_credentials: Enable checks on credential management
• kernel_config_debug_list: Enable checks on linked list manipulation
• kernel_config_debug_notifiers: Enable checks on notifier call chains
• kernel_config_debug_sg: Enable checks on scatter-gather (SG) table operations

R17: Compile options for the memory allocator

Description: None

• high

Automated: yes

• kernel_config_compat_brk: Disable compatibility with brk()
• kernel_config_page_poisoning: Enable poison of pages after freeing
• kernel_config_page_poisoning_no_sanity: Enable poison without sanity check
• kernel_config_page_poisoning_zero: Use zero for poisoning instead of debugging value
• kernel_config_slab_freelist_hardened: Harden slab freelist metadata
• kernel_config_slab_freelist_random: Randomize slab freelist
• kernel_config_slab_merge_default: Disallow merge of slab caches
• kernel_config_slub_debug: Enable SLUB debugging support

R18: Compile options for the management of kernel module

Description: None

• high

Automated: yes

• kernel_config_module_sig: Enable module signature verification
• kernel_config_module_sig_all: Enable automatic signing of all modules
• kernel_config_module_sig_force: Require modules to be validly signed
• kernel_config_module_sig_hash: Specify the hash to use when signing modules
• kernel_config_module_sig_key: Specify module signing key to use
• kernel_config_module_sig_sha512: Sign kernel modules with SHA-512
• kernel_config_strict_module_rwx: Make the module text and rodata read-only

R19: Compile options for abnormal situations

Description: None

• high

Automated: yes

• kernel_config_bug: Enable support for BUG()
• kernel_config_panic_on_oops: Kernel panic oops
• kernel_config_panic_timeout: Kernel panic timeout

R20: Compile options for kernel security functions

Description: None

• high

Automated: yes

• kernel_config_seccomp: Enable seccomp to safely compute untrusted bytecode
• kernel_config_seccomp_filter: Enable use of Berkeley Packet Filter with seccomp
• kernel_config_security: Enable different security models
• kernel_config_security_writable_hooks: Disable mutable hooks
• kernel_config_security_yama: Enable Yama support

R21: Compile options for the compiler plugins

Description: None

• high

Automated: yes

• kernel_config_gcc_plugin_latent_entropy: Generate some entropy during boot and runtime
• kernel_config_gcc_plugin_randstruct: Randomize layout of sensitive kernel structures
• kernel_config_gcc_plugin_stackleak: Poison kernel stack before returning from syscalls
• kernel_config_gcc_plugin_structleak: Force initialization of variables containing userspace addresses
• kernel_config_gcc_plugin_structleak_byref_all: zero-init everything passed by reference

R22: Compile options for the IP stack

Description: None

• high

Automated: yes

• kernel_config_syn_cookies: Enable TCP/IP syncookie support

R23: Compile options for various kernel behaviors

Description: None

• high

Automated: yes

• kernel_config_binfmt_misc: Disable kernel support for MISC binaries
• kernel_config_hibernation: Disable hibernation
• kernel_config_kexec: Disable kexec system call
• kernel_config_legacy_ptys: Disable legacy (BSD) PTY support

R24: Compile options for 32-bit architectures

Description: None

• high

Automated: no

No rules selected

R25: Compile options for x86_64 architectures

Description: None

• high

Automated: yes

• kernel_config_default_mmap_min_addr: Configure Low Address Space To Protect From User Allocation
• kernel_config_ia32_emulation: Disable IA32 emulation
• kernel_config_modify_ldt_syscall: Disable the LDT (local descriptor table)
• kernel_config_page_table_isolation: Remove the kernel mapping in user mode
• kernel_config_randomize_base: Randomize the address of the kernel image (KASLR)
• kernel_config_randomize_memory: Randomize the kernel memory sections

R26: Compile options for ARM architectures

Description: None

• high

Automated: no

No rules selected

R27: Compile options for ARM 64 architectures

Description: None

• high

Automated: yes

• kernel_config_arm64_sw_ttbr0_pan: Emulate Privileged Access Never (PAN)
• kernel_config_default_mmap_min_addr: Configure Low Address Space To Protect From User Allocation
• kernel_config_randomize_base: Randomize the address of the kernel image (KASLR)
• kernel_config_unmap_kernel_at_el0: Unmap kernel when running in userspace (aka KAISER)

R28: Partitioning type

Description: None

• intermediary

Automated: yes

• mount_option_boot_noexec: Add noexec Option to /boot
• mount_option_boot_nosuid: Add nosuid Option to /boot
• mount_option_home_noexec: Add noexec Option to /home
• mount_option_home_nosuid: Add nosuid Option to /home
• mount_option_nodev_nonroot_local_partitions: Add nodev Option to Non-Root Local Partitions
• mount_option_opt_nosuid: Add nosuid Option to /opt
• mount_option_srv_nosuid: Add nosuid Option to /srv
• mount_option_tmp_noexec: Add noexec Option to /tmp
• mount_option_tmp_nosuid: Add nosuid Option to /tmp
• mount_option_var_log_noexec: Add noexec Option to /var/log
• mount_option_var_log_nosuid: Add nosuid Option to /var/log
• mount_option_var_noexec: Add noexec Option to /var
• mount_option_var_nosuid: Add nosuid Option to /var
• mount_option_var_tmp_noexec: Add noexec Option to /var/tmp
• mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp
• partition_for_boot: Ensure /boot Located On Separate Partition
• partition_for_home: Ensure /home Located On Separate Partition
• partition_for_opt: Ensure /opt Located On Separate Partition
• partition_for_srv: Ensure /srv Located On Separate Partition
• partition_for_usr: Ensure /usr Located On Separate Partition
• partition_for_var: Ensure /var Located On Separate Partition
• partition_for_var_log: Ensure /var/log Located On Separate Partition
• partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition
• systemd_tmp_mount_enabled: Ensure tmp.mount Unit Is Enabled

R29: Access Restrictions on /boot

Description: When possible, it is recommended not to automatically mount the /boot partition. In any case, access to the /boot folder should only be allowed for the root user.

• enhanced

Automated: yes

• file_groupowner_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg Group Ownership
• file_groupowner_efi_user_cfg: Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership
• file_groupowner_systemmap: Verify Group Who Owns System.map Files
• file_groupowner_user_cfg: Verify /boot/grub2/user.cfg Group Ownership
• file_owner_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg User Ownership
• file_owner_efi_user_cfg: Verify /boot/efi/EFI/redhat/user.cfg User Ownership
• file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership
• file_owner_systemmap: Verify User Who Owns System.map Files
• file_owner_user_cfg: Verify /boot/grub2/user.cfg User Ownership
• file_permissions_efi_grub2_cfg: Verify the UEFI Boot Loader grub.cfg Permissions
• file_permissions_efi_user_cfg: Verify /boot/efi/EFI/redhat/user.cfg Permissions
• file_permissions_grub2_cfg: Verify /boot/grub2/grub.cfg Permissions
• file_permissions_systemmap: Verify Permissions on System.map Files
• file_permissions_user_cfg: Verify /boot/grub2/user.cfg Permissions

R30: Removal of unused user accounts

Description: Unused user accounts must be deleted from the system.

• minimal

Automated: no

No rules selected

R31: User password strength

Description: None

• minimal

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_password_pam_unix_remember: Limit Password Reuse
• accounts_password_set_max_life_root: Set Root Account Password Maximum Age
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2: Set Deny For Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• cracklib_accounts_password_pam_dcredit: Set Password Strength Minimum Digit Characters
• cracklib_accounts_password_pam_lcredit: Set Password Strength Minimum Lowercase Characters
• cracklib_accounts_password_pam_minlen: Set Password Minimum Length
• cracklib_accounts_password_pam_ocredit: Set Password Strength Minimum Special Characters
• cracklib_accounts_password_pam_ucredit: Set Password Strength Minimum Uppercase Characters
• enable_authselect: Enable authselect
• var_accounts_maximum_age_root = 365
• var_accounts_password_minlen_login_defs = 15
• var_accounts_passwords_pam_faillock_deny = 3
• var_accounts_passwords_pam_faillock_fail_interval = 900
• var_accounts_passwords_pam_faillock_unlock_time = 900
• var_accounts_passwords_pam_tally2_unlock_time = 1800
• var_password_pam_dcredit = 1
• var_password_pam_lcredit = 1
• var_password_pam_minlen = 15
• var_password_pam_ocredit = 1
• var_password_pam_tally2 = 5
• var_password_pam_ucredit = 1
• var_password_pam_unix_remember = 2

R32: Configuring a timeout on local user sessions

Description: Local user sessions (console TTY, graphical session) must be locked after a certain period of inactivity.

• intermediary

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• logind_session_timeout: Configure Logind to terminate idle sessions after certain time of inactivity
• var_accounts_tmout = 10_min
• var_logind_session_timeout = 10_minutes

R33: Use of dedicated administration accounts

Description: None

• intermediary

Automated: yes

• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• no_direct_root_logins: Direct root Logins Not Allowed
• package_audit_installed: Ensure the audit Subsystem is Installed
• package_sudo_installed: Install sudo Package
• service_auditd_enabled: Enable auditd Service
• sshd_disable_root_login: Disable SSH Root Login

R34: Deactivation of service accounts

Description: None

• intermediary

Automated: no

No rules selected

R35: Uniqueness and exclusivity of system service accounts

Description: Each service must have its own system account and be dedicated to it exclusively.

• intermediary

Automated: no

No rules selected

R36: Changing the default value of UMASK

Description: The default value of UMASK for the shells must be set to 0077 in order to allow read and write access to its owner only. This value can be defined in the configuration file /etc/profile that most shells (bash, dash, ksh…) will use. The default value of UMASK for services must be determined for each service, but in most cases, it should be set to 0027 (or more restrictive). This allows read access to its owner and its group, and a full access to its owner. For services such as systemd, this value can be defined directly in the configuration file of the service with the directive UMask=0027.

• enhanced

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs
• accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile
• var_accounts_user_umask = 077

R37: Using access control features

Description: It is recommended to use the mandatory access control (MAC) features in addition to the traditional Unix user model (DAC), or possibly combine them with partitioning mechanisms.

• enhanced

Automated: yes

• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_state = enforcing

R38: Group dedicated to the use of sudo

Description: A group dedicated to the use of sudo must be created, and only members of this group are allowed to execute sudo.

• enhanced

Automated: yes

• file_permissions_sudo: Ensure That the sudo Binary Has the Correct Permissions
• sudo_dedicated_group: Ensure a dedicated group owns sudo
• var_sudo_dedicated_group = sudogrp

R39: Sudo configuration guidelines

Description: None

• intermediary

Automated: yes

• sudo_add_env_reset: Ensure sudo Runs In A Minimal Environment - sudo env_reset
• sudo_add_ignore_dot: Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
• sudo_add_noexec: Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
• sudo_add_requiretty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
• sudo_add_umask: Ensure sudo umask is appropriate - sudo umask
• sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
• var_sudo_umask = 0077

R40: Privileges of target sudo users

Description: The targeted users of a rule should be, as much as possible, non privileged users.

• intermediary

Automated: yes

• sudoers_no_root_target: Don't target root user in the sudoers file

R41: Limiting the number of commands requiring the use of the EXEC option

Description: The commands requiring the execution of sub-processes (EXEC tag) must be explicitly listed and their use should be reduced to a strict minimum.

• enhanced

Automated: no

No rules selected

R42: Good use of negation in a sudoers file

Description: The sudoers configuration rules should not involve negation.

• intermediary

Automated: yes

• sudoers_no_command_negation: Don't define allowed commands in sudoers by means of exclusion

R43: Explicit arguments in sudo specifications

Description: None

• intermediary

Automated: yes

• sudoers_explicit_command_args: Explicit arguments in sudo specifications

R44: Editing files with sudo

Description: A file requiring sudo to be edited, must be edited through the sudoedit command.

• intermediary

Automated: no

No rules selected

R45: Enable AppArmor security profiles

Description: All AppArmor security profiles on the system must be enabled by default.

• enhanced

Automated: yes

• all_apparmor_profiles_enforced: Enforce all AppArmor Profiles
• apparmor_configured: Ensure AppArmor is Active and Configured
• grub2_enable_apparmor: Ensure AppArmor is enabled in the bootloader configuration
• package_apparmor_installed: Ensure AppArmor is installed
• package_pam_apparmor_installed: Install the pam_apparmor Package

R46: Activate SELinux with the Targeted Policy

Description: It is recommended to enable the targeted policy when the distribution supports it and that it does not operate another security module than SELinux.

• high

Automated: yes

• selinux_policytype: Configure SELinux Policy
• var_selinux_policy_name = targeted

R47: Containment of unprivileged interactive users

Description: Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.

• high

Automated: no

No rules selected

R48: Setting SELinux booleans

Description: It is recommended to set the following Booleans: allow_execheap to off, forbids processes to make their heap executable; allow_execmem to off, forbids processes to have both write and execute rights on memory pages; allow_execstack to off, forbids processes to make their stack executable; secure_mode_insmod to on, prohibits dynamic loading of modules by any process; ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.

• high

Automated: yes

• sebool_deny_execmem: Configure the deny_execmem SELinux Boolean
• sebool_secure_mode_insmod: Configure the secure_mode_insmod SELinux Boolean
• sebool_selinuxuser_execheap: Disable the selinuxuser_execheap SELinux Boolean
• sebool_selinuxuser_execstack: Disable the selinuxuser_execstack SELinux Boolean
• sebool_ssh_sysadm_login: Disable the ssh_sysadm_login SELinux Boolean
• var_deny_execmem = on
• var_secure_mode_insmod = on
• var_selinuxuser_execheap = off
• var_selinuxuser_execstack = off

R49: Uninstalling SELinux Policy Debugging Tools

Description: SELinux policy manipulation and debugging tools should not be installed on a machine in production.

• high

Automated: yes

• package_setroubleshoot-plugins_removed: Uninstall setroubleshoot-plugins Package
• package_setroubleshoot-server_removed: Uninstall setroubleshoot-server Package
• package_setroubleshoot_removed: Uninstall setroubleshoot Package

R50: Rights to access sensitive files and directories

Description: None

• intermediary

Automated: yes

• accounts_user_dot_group_ownership: User Initialization Files Must Be Group-Owned By The Primary Group
• accounts_user_dot_user_ownership: User Initialization Files Must Be Owned By the Primary User
• accounts_users_home_files_groupownership: All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
• accounts_users_home_files_ownership: All User Files and Directories In The Home Directory Must Have a Valid Owner
• accounts_users_home_files_permissions: All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
• dir_system_commands_group_root_owned: Verify that system commands directories have root as a group owner
• dir_system_commands_root_owned: Verify that system commands directories have root ownership
• directory_groupowner_etc_ipsecd: Verify Group Who Owns /etc/ipsec.d Directory
• directory_groupowner_etc_iptables: Verify Group Who Owns /etc/iptables Directory
• directory_groupowner_etc_nftables: Verify Group Who Owns /etc/nftables Directory
• directory_groupowner_etc_selinux: Verify Group Who Owns /etc/selinux Directory
• directory_groupowner_etc_sudoersd: Verify Group Who Owns /etc/sudoers.d Directory
• directory_groupowner_etc_sysctld: Verify Group Who Owns /etc/sysctl.d Directory
• directory_owner_etc_ipsecd: Verify User Who Owns /etc/ipsec.d Directory
• directory_owner_etc_iptables: Verify User Who Owns /etc/iptables Directory
• directory_owner_etc_nftables: Verify User Who Owns /etc/nftables Directory
• directory_owner_etc_selinux: Verify User Who Owns /etc/selinux Directory
• directory_owner_etc_sudoersd: Verify User Who Owns /etc/sudoers.d Directory
• directory_owner_etc_sysctld: Verify User Who Owns /etc/sysctl.d Directory
• directory_permissions_etc_ipsecd: Verify Permissions On /etc/ipsec.d Directory
• directory_permissions_etc_iptables: Verify Permissions On /etc/iptables Directory
• directory_permissions_etc_nftables: Verify Permissions On /etc/nftables Directory
• directory_permissions_etc_selinux: Verify Permissions On /etc/selinux Directory
• directory_permissions_etc_sudoersd: Verify Permissions On /etc/sudoers.d Directory
• directory_permissions_etc_sysctld: Verify Permissions On /etc/sysctl.d Directory
• file_groupowner_etc_chrony_keys: Verify Group Who Owns /etc/chrony.keys File
• file_groupowner_etc_crypttab: Verify Group Who Owns /etc/crypttab File
• file_groupowner_etc_group: Verify Group Who Owns group File
• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
• file_groupowner_etc_ipsec_conf: Verify Group Who Owns /etc/ipsec.conf File
• file_groupowner_etc_ipsec_secrets: Verify Group Who Owns /etc/ipsec.secrets File
• file_groupowner_etc_passwd: Verify Group Who Owns passwd File
• file_groupowner_etc_sestatus_conf: Verify Group Who Owns /etc/sestatus.conf File
• file_groupowner_etc_shadow: Verify Group Who Owns shadow File
• file_groupowner_etc_shells: Verify Group Who Owns /etc/shells File
• file_groupowner_etc_sudoers: Verify Group Who Owns /etc/sudoers File
• file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file
• file_groupownership_sshd_private_key: Verify Group Ownership on SSH Server Private *_key Key Files
• file_groupownership_sshd_pub_key: Verify Group Ownership on SSH Server Public *.pub Key Files
• file_groupownership_system_commands_dirs: Verify that system commands files are group owned by root or a system account
• file_owner_etc_chrony_keys: Verify User Who Owns /etc/chrony.keys File
• file_owner_etc_crypttab: Verify User Who Owns /etc/crypttab File
• file_owner_etc_group: Verify User Who Owns group File
• file_owner_etc_gshadow: Verify User Who Owns gshadow File
• file_owner_etc_ipsec_conf: Verify User Who Owns /etc/ipsec.conf File
• file_owner_etc_ipsec_secrets: Verify User Who Owns /etc/ipsec.secrets File
• file_owner_etc_passwd: Verify User Who Owns passwd File
• file_owner_etc_sestatus_conf: Verify User Who Owns /etc/sestatus.conf File
• file_owner_etc_shadow: Verify User Who Owns shadow File
• file_owner_etc_shells: Verify Who Owns /etc/shells File
• file_owner_etc_sudoers: Verify User Who Owns /etc/sudoers File
• file_owner_sshd_config: Verify Owner on SSH Server config file
• file_ownership_binary_dirs: Verify that System Executables Have Root Ownership
• file_ownership_sshd_private_key: Verify Ownership on SSH Server Private *_key Key Files
• file_ownership_sshd_pub_key: Verify Ownership on SSH Server Public *.pub Key Files
• file_permission_user_init_files: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
• file_permissions_binary_dirs: Verify that System Executables Have Restrictive Permissions
• file_permissions_etc_chrony_keys: Verify Permissions On /etc/chrony.keys File
• file_permissions_etc_crypttab: Verify Permissions On /etc/crypttab File
• file_permissions_etc_group: Verify Permissions on group File
• file_permissions_etc_gshadow: Verify Permissions on gshadow File
• file_permissions_etc_ipsec_conf: Verify Permissions On /etc/ipsec.conf File
• file_permissions_etc_ipsec_secrets: Verify Permissions On /etc/ipsec.secrets File
• file_permissions_etc_passwd: Verify Permissions on passwd File
• file_permissions_etc_sestatus_conf: Verify Permissions On /etc/sestatus.conf File
• file_permissions_etc_shadow: Verify Permissions on shadow File
• file_permissions_etc_shells: Verify Permissions on /etc/shells File
• file_permissions_etc_sudoers: Verify Permissions On /etc/sudoers File
• file_permissions_sshd_config: Verify Permissions on SSH Server config file
• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files
• file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files

R51: Sensitive and trusted files

Description: All sensitive files and those contributing to the authentication mechanisms must be set up as soon as the system is installed. If default secrets are preconfigured, they must be replaced during, or immediately after, the installation phase of the system.

• enhanced

Automated: no

No rules selected

R52: Securing access for named sockets and pipes

Description: None

• intermediary

Automated: no

No rules selected

R53: Files or directories without a known user or group

Description: None

• minimal

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group
• no_files_unowned_by_user: Ensure All Files Are Owned by a User

R54: Sticky bit and write access rights

Description: None

• minimal

Automated: yes

• dir_perms_world_writable_root_owned: Ensure All World-Writable Directories Are Owned by root User
• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set
• file_permissions_unauthorized_world_writable: Ensure No World-Writable Files Exist

R55: Temporary directories dedicated to accounts

Description: Each user or service account must have its own temporary directory and dispose of it exclusively.

• intermediary

Automated: yes

• accounts_polyinstantiated_tmp: Configure Polyinstantiation of /tmp Directories
• accounts_polyinstantiated_var_tmp: Configure Polyinstantiation of /var/tmp Directories
• enable_pam_namespace: Set Up a Private Namespace in PAM Configuration
• sebool_polyinstantiation_enabled: Configure the polyinstantiation_enabled SELinux Boolean
• var_polyinstantiation_enabled = on

R56: Executables with setuid and setgid bits

Description: None

• minimal

Automated: yes

• file_permissions_unauthorized_sgid: Ensure All SGID Executables Are Authorized
• file_permissions_unauthorized_suid: Ensure All SUID Executables Are Authorized

R57: Executable with special rights setuid root and setgid root

Description: The executables with setuid executables root and setgid root special rights should be as few as possible. When only administrators are expected to execute them, these special rights should be removed and prefer them commands like su or sudo, which can be monitored

• enhanced

Automated: no

No rules selected

R58: Installation of packages reduced to the bare necessities

Description: The selection of packages installed should be as small as possible, limiting itself to select only what is required.

• minimal

Automated: no

No rules selected

R59: Official package repositories

Description: Only up-to-date official repositories of the distribution must be used.

• minimal

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main yum Configuration
• ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages
• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All yum Package Repositories
• ensure_oracle_gpgkey_installed: Ensure Oracle Linux GPG Key Installed
• ensure_redhat_gpgkey_installed: Ensure Red Hat GPG Key Installed

R60: Hardened package repositories

Description: When the distribution provides several types of repositories, preference should be given to those containing packages subject to additional hardening measures. Between two packages providing the same service, those subject to hardening (at compilation, installation, or default configuration) must be preferred.

• enhanced

Automated: no

No rules selected

R61: Regular updates

Description: None

• minimal

Automated: yes

• dnf-automatic_apply_updates: Configure dnf-automatic to Install Available Updates Automatically
• dnf-automatic_security_updates_only: Configure dnf-automatic to Install Only Security Updates
• package_dnf-automatic_installed: Install dnf-automatic Package
• security_patches_up_to_date: Ensure Software Patches Installed
• timer_dnf-automatic_enabled: Enable dnf-automatic Timer

R62: Minimization of installed services

Description: Only the components strictly necessary to the service provided by the system should be installed. Those whose presence can not be justified should be disabled, removed or deleted.

• minimal

Automated: no

• package_dhcp_removed: Uninstall DHCP Server Package
• package_kea_removed: Uninstall kea Package
• package_rsh-server_removed: Uninstall rsh-server Package
• package_rsh_removed: Uninstall rsh Package
• package_sendmail_removed: Uninstall Sendmail Package
• package_talk-server_removed: Uninstall talk-server Package
• package_talk_removed: Uninstall talk Package
• package_telnet-server_removed: Uninstall telnet-server Package
• package_telnet_removed: Remove telnet Clients
• package_tftp-server_removed: Uninstall tftp-server Package
• package_tftp_removed: Remove tftp Daemon
• package_xinetd_removed: Uninstall xinetd Package
• package_ypbind_removed: Remove NIS Client
• package_ypserv_removed: Uninstall ypserv Package

R63: Minimization of services configuration

Description: Services are often installed with default configurations that enable features potentially problematic from a security point of view. The features configured at the level of launched services should be limited to the strict minimum.

• intermediary

Automated: no

No rules selected

R64: Least privilege for the services

Description: The deployed services must have their access restricted to the system strict minimum, especially when it comes to files, processes or network.

• enhanced

Automated: yes

• selinux_policytype: Configure SELinux Policy
• var_selinux_policy_name = targeted

R65: Services partitioning

Description: None

• enhanced

Automated: no

No rules selected

R66: Virtualization components hardening

Description: Each component supporting the virtualization must be hardened, especially by applying technical measures to counter the exploit attempts.

• high

Automated: no

No rules selected

R67: Secure remote authentication with PAM

Description: When authentication takes place through a remote application (network), the authentication protocol used by PAM must be secure (flow encryption, remote server authentication, anti-replay mechanisms, ...).

• intermediary

Automated: yes

• ldap_client_start_tls: Configure LDAP Client to Use TLS For All Transactions
• ldap_client_tls_cacertpath: Configure Certificate Directives for LDAP Use of TLS
• package_sssd_installed: Install the SSSD Package
• service_sssd_enabled: Enable the SSSD Service
• sssd_enable_pam_services: Configure PAM in SSSD Services
• sssd_ldap_configure_tls_reqcert: Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server
• sssd_ldap_start_tls: Configure SSSD LDAP Backend to Use TLS For All Transactions

R68: Protecting stored passwords

Description: Any password must be protected by cryptographic mechanisms.

• minimal

Automated: no

• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• accounts_password_pam_unix_rounds_password_auth: Set number of Password Hashing Rounds - password-auth
• accounts_password_pam_unix_rounds_system_auth: Set number of Password Hashing Rounds - system-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
• var_password_hashing_algorithm = yescrypt
• var_password_hashing_algorithm_pam = sha512
• var_password_pam_minclass = 4
• var_password_pam_unix_rounds = 11

R69: Securing access to remote user databases

Description: When the user databases are stored on a remote network service, NSS must be configured to establish a secure link that allows, at minimum, to authenticate the server and protect the communication channel.

• intermediary

Automated: yes

• no_nis_in_nsswitch: Name Service Switch does not use NIS

R70: Separation of System Accounts and Directory Administrator

Description: None

• intermediary

Automated: no

No rules selected

R71: Implement a logging system

Description: The configuration of the service must be performed according to the 'Security Recommendations for the architecture of a logging system' (DAT-PA-012 v2.0) accessible on the ANSSI website (https://www.ssi.gouv.fr/journalisation).

• enhanced

Automated: yes

• chronyd_configure_pool_and_server: Chrony Configure Pool and Server
• chronyd_specify_remote_server: A remote time server for Chrony is configured
• ensure_logrotate_activated: Ensure Logrotate Runs Periodically
• package_chrony_installed: The Chrony package is installed
• package_logrotate_installed: Ensure logrotate is Installed
• package_rsyslog-gnutls_installed: Ensure rsyslog-gnutls is installed
• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition
• rsyslog_files_groupownership: Ensure Log Files Are Owned By Appropriate Group
• rsyslog_files_ownership: Ensure Log Files Are Owned By Appropriate User
• rsyslog_files_permissions: Ensure System Log Files Have Correct Permissions
• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host
• rsyslog_remote_tls: Configure TLS for rsyslog remote logging
• rsyslog_remote_tls_cacert: Configure CA certificate for rsyslog remote logging
• service_chronyd_or_ntpd_enabled: Enable the NTP Daemon
• timer_logrotate_enabled: Enable logrotate Timer

R72: Service Activity Logs

Description: Each service must have a dedicated event logging journal on the system. This log must only be accessible by the syslog server, and must not be readable, editable or deletable by the service directly.

• enhanced

Automated: no

No rules selected

R73: Logging activity by auditd

Description: The logging of the system activity must be done through the auditd service.

• enhanced

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_immutable: Make the auditd Configuration Immutable
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_mac_modification: Record Events that Modify the System's Mandatory Access Controls
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_networkconfig_modification: Record Events that Modify the System's Network Environment
• audit_rules_privileged_commands: Ensure auditd Collects Information on the Use of Privileged Commands
• audit_rules_privileged_commands_insmod: Ensure auditd Collects Information on the Use of Privileged Commands - insmod
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_modprobe: Ensure auditd Collects Information on the Use of Privileged Commands - modprobe
• audit_rules_privileged_commands_rmmod: Ensure auditd Collects Information on the Use of Privileged Commands - rmmod
• audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information
• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions
• audit_rules_time_adjtimex: Record attempts to alter time through adjtimex
• audit_rules_time_clock_settime: Record Attempts to Alter Time Through clock_settime
• audit_rules_time_stime: Record Attempts to Alter Time Through stime
• audit_rules_time_watch_localtime: Record Attempts to Alter the localtime File
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow
• audit_sudo_log_events: Record Attempts to perform maintenance activities
• package_audit_installed: Ensure the audit Subsystem is Installed
• service_auditd_enabled: Enable auditd Service

R74: Configuring the local messaging service

Description: None

• intermediary

Automated: yes

• postfix_network_listening_disabled: Disable Postfix Network Listening

R75: Messaging Aliases for Service Accounts

Description: None

• intermediary

Automated: yes

• postfix_client_configure_mail_alias: Configure System to Forward All Mail For The Root Account

R76: Sealing and integrity of files

Description: Any file that is not transient (such as temporary files, databases, etc.) must be monitored by a sealing program. This includes: directories containing executables, libraries, configuration files, as well as any files that may contain sensitive elements (cryptographic keys, passwords, confidential data).

• high

Automated: yes

• aide_build_database: Build and Test AIDE Database
• aide_periodic_checking_systemd_timer: Configure Systemd Timer Execution of AIDE
• aide_periodic_cron_checking: Configure Periodic Execution of AIDE
• aide_scan_notification: Configure Notification of Post-AIDE Scan Details
• aide_verify_acls: Configure AIDE to Verify Access Control Lists (ACLs)
• aide_verify_ext_attributes: Configure AIDE to Verify Extended Attributes
• package_aide_installed: Install AIDE

R77: Protection of the seals database

Description: The sealing database must be protected from malicious access by cryptographic signature mechanisms (with the key used for the signature not locally stored in clear), or possibly stored on a separate machine of the one on which the sealing is done. Check section "Database and config signing in AIDE manual" https://aide.github.io/doc/#signing

• high

Automated: no

No rules selected

R78: Network services partitioning

Description: Network services should as much as possible be hosted on isolated environments. This avoids having other potentially affected services if one of them gets compromised under the same environment.

• enhanced

Automated: no

No rules selected

R79: Hardening and monitoring of exposed services

Description: None

• intermediary

Automated: no

• aide_build_database: Build and Test AIDE Database
• package_aide_installed: Install AIDE
• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_state = enforcing

R80: Minimization of network services

Description: All network services must be listening on the correct network intefaces.

• minimal

Automated: no

No rules selected