R1: Minimization of installed services
Description: Only the components strictly necessary to the service provided by the system should be installed. Those whose presence cannot be justified should be disabled, removed or deleted.
Level: minimal
Automated: partially
Selections:
- package_dhcp_removed - not available for this product
- package_sendmail_removed - not available for this product
- package_telnetd_removed: Uninstall the telnet server
R2: Minimization of configuration
Description: Services are often installed with default configurations that enable features potentially problematic from a security point of view. The features configured at the level of launched services should be limited to the strict minimum.
Level: intermediary
Automated: yes
No rules selected
R3: Principle of least privilege
Description: The services and executables available on the system must be analyzed in order to know the privileges they require, and must then be configured and integrated to use the bare necessities.
Level: enhanced
Automated: partially
Selections:
- selinux_state - not available for this product
R4: Using access control features
Description: It is recommended to use the mandatory access control (MAC) features in addition to the traditional Unix user model (DAC), or possibly combine them with partitioning mechanisms.
Level: high
Automated: yes
Selections:
- selinux_state - not available for this product
R5: Defense in-depth principle
Description: Under Unix and derivatives, defense in depth must be based on a combination of barriers that must be kept independent of each other.
Level: minimal
Automated: partially
Selections:
R6: Network services partitioning
Description: Network services should as much as possible be hosted in isolated environments. This avoids other services hosted in the same environment being affected if one of them is compromised.
Level: enhanced
Automated: yes
No rules selected
R7: Logging of service activity
Description: The activities of the running system and services must be logged and archived on an external, non-local system.
Level: enhanced
Automated: yes
Selections:
R8: Regular updates
Description: None
Level: minimal
Automated: yes
Selections:
- security_patches_up_to_date - not available for this product
R9: Hardware configuration
Description: None
Level: intermediary
Automated: partially
Selections:
- sysctl_kernel_exec_shield - not available for this product
- bios_enable_execution_restrictions - not available for this product
- install_PAE_kernel_on_x86-32 - not available for this product
R10: 32 and 64 bit architecture
Description: When the machine supports a 64-bit operating system, it should be preferred.
Level: intermediary
Automated: yes
Selections:
R11: IOMMU Configuration Guidelines
Description: The iommu=force directive must be added to the list of kernel parameters during startup, in addition to those already present in the configuration files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).
Level: high
Automated: yes
Selections:
R12: Partitioning type
Description: None
Level: intermediary
Automated: partially
Selections:
- mount_option_nodev_nonroot_local_partitions - not available for this product
- partition_for_boot - not available for this product
- mount_option_boot_nosuid - not available for this product
- mount_option_boot_noexec - not available for this product
- mount_option_boot_noauto - not available for this product
- partition_for_opt - not available for this product
- mount_option_opt_nosuid - not available for this product
- partition_for_tmp: Ensure /tmp Located On Separate Partition
- mount_option_tmp_nosuid - not available for this product
- mount_option_tmp_noexec - not available for this product
- partition_for_srv: Ensure /srv Located On Separate Partition
- mount_option_srv_nosuid - not available for this product
- partition_for_home: Ensure /home Located On Separate Partition
- mount_option_home_nosuid - not available for this product
- mount_option_home_noexec - not available for this product
- partition_for_usr - not available for this product
- partition_for_var: Ensure /var Located On Separate Partition
- mount_option_var_nosuid - not available for this product
- mount_option_var_noexec - not available for this product
- partition_for_var_log: Ensure /var/log Located On Separate Partition
- mount_option_var_log_noexec - not available for this product
- mount_option_var_log_nosuid - not available for this product
- partition_for_var_tmp - not available for this product
- mount_option_var_tmp_nosuid - not available for this product
- mount_option_var_tmp_noexec - not available for this product
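The R12 selections above describe a partition layout and per-directory mount options. As an added example (not ComplianceAsCode code), the following checks an fstab-style listing against the layout implied by those rule names; the expected options are my reading of the rule names, and the sample fstab is constructed.

```python
"""Audit fstab-style entries against the ANSSI R12 partition layout.

Added example, not ComplianceAsCode code. The expected options are read off
the R12 rule names above (partition_for_<dir>, mount_option_<dir>_<opt> and
mount_option_nodev_nonroot_local_partitions); fstab is used rather than
/proc/mounts because noauto is only visible there.
"""

# Directory -> options its rule names require; an empty set only asks
# for a separate partition.
EXPECTED = {
    "/boot": {"nosuid", "noexec", "noauto"},
    "/opt": {"nosuid"},
    "/tmp": {"nosuid", "noexec"},
    "/srv": {"nosuid"},
    "/home": {"nosuid", "noexec"},
    "/usr": set(),
    "/var": {"nosuid", "noexec"},
    "/var/log": {"nosuid", "noexec"},
    "/var/tmp": {"nosuid", "noexec"},
}
# Entries that are not local partitions and so fall outside the nodev rule.
NOT_LOCAL_PARTITION = {"proc", "sysfs", "devtmpfs", "devpts", "tmpfs", "swap"}

def parse_fstab(text):
    """Return {mountpoint: (fstype, set_of_options)} from fstab text."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # comment, blank or malformed line
        _dev, mnt, fstype, opts = fields[:4]
        entries[mnt] = (fstype, set(opts.split(",")))
    return entries

def audit_fstab(text):
    """Return sorted (mountpoint, problem) pairs for R12 deviations."""
    entries = parse_fstab(text)
    findings = []
    for mnt, wanted in EXPECTED.items():
        if mnt not in entries:
            findings.append((mnt, "not a separate partition"))
            continue
        for opt in wanted - entries[mnt][1]:
            findings.append((mnt, f"missing {opt}"))
    # nodev on every non-root local partition (mount_option_nodev_nonroot...)
    for mnt, (fstype, opts) in entries.items():
        if mnt != "/" and fstype not in NOT_LOCAL_PARTITION and "nodev" not in opts:
            findings.append((mnt, "missing nodev"))
    return sorted(findings)

# Constructed sample, not taken from a real host.
SAMPLE_FSTAB = """\
# <device>  <mountpoint>  <type>  <options>                   <dump> <pass>
/dev/sda1   /             ext4    defaults                    1 1
/dev/sda2   /boot         ext4    nosuid,noexec,nodev         1 2
/dev/sda3   /var          ext4    nosuid,nodev                1 2
/dev/sda4   /var/log      ext4    nosuid,noexec,nodev         1 2
/dev/sda5   /var/tmp      ext4    nosuid,noexec               1 2
/dev/sda6   /home         ext4    nosuid,noexec,nodev         1 2
tmpfs       /tmp          tmpfs   nosuid,noexec,nodev,size=1G 0 0
/dev/sda7   none          swap    sw                          0 0
"""
```

Running `audit_fstab(SAMPLE_FSTAB)` on the sample reports the missing /opt, /srv and /usr partitions, the missing noauto on /boot, noexec on /var and nodev on /var/tmp.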
R13: Access Restrictions on the /boot directory
Description: When possible, the /boot partition should not be mounted. In any case, access to the /boot directory must only be allowed to the root user.
Level: enhanced
Automated: yes
Selections:
- mount_option_boot_noauto - not available for this product
R14: Installation of packages reduced to the bare necessities
Description: The selection of packages installed should be as small as possible, limiting itself to select only what is required.
Level: intermediary
Automated: no
No rules selected
R15: Choice of package repositories
Description: Only up-to-date official repositories of the distribution must be used.
Level: minimal
Automated: partially
Selections:
- ensure_redhat_gpgkey_installed - not available for this product
- ensure_gpgcheck_never_disabled - not available for this product
- ensure_gpgcheck_globally_activated - not available for this product
- ensure_gpgcheck_local_packages - not available for this product
R16: Hardened package repositories
Description: When the distribution provides several types of repositories, preference should be given to those containing packages subject to additional hardening measures. Between two packages providing the same service, those subject to hardening (at compilation, installation, or default configuration) must be preferred.
Level: enhanced
Automated: yes
No rules selected
R17: Boot loader password
Description: A boot loader that can protect the boot process with a password should be preferred. This password must prevent any user from changing its configuration options.
Level: enhanced
Automated: yes
Selections:
- grub2_password - not available for this product
- grub2_uefi_password - not available for this product
R18: Administrator password robustness
Description: None
Level: minimal
Automated: partially
Selections:
- accounts_maximum_age_login_defs: Set Password Maximum Age
- accounts_password_pam_minlen - not available for this product
- accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
- accounts_password_pam_ocredit - not available for this product
- accounts_password_pam_dcredit - not available for this product
- accounts_password_pam_ucredit - not available for this product
- accounts_password_pam_lcredit - not available for this product
- accounts_passwords_pam_faillock_interval - not available for this product
- accounts_passwords_pam_faillock_deny - not available for this product
- accounts_passwords_pam_faillock_deny_root - not available for this product
- accounts_passwords_pam_faillock_unlock_time - not available for this product
- accounts_password_pam_unix_remember - not available for this product
R19: Accountability of administration
Description: None
Level: intermediary
Automated: yes
Selections:
- no_direct_root_logins: Direct root Logins Not Allowed
- sshd_disable_root_login: Disable SSH Root Login
- package_sudo_installed - not available for this product
- audit_rules_privileged_commands_sudo - not available for this product
R20: Installation of secret or trusted elements
Description: All secret elements or those contributing to the authentication mechanisms must be set up as soon as the system is installed: account and administration passwords, root authority certificates, public keys, or certificates of the host (and their respective private key).
Level: enhanced
Automated: yes
No rules selected
R21: Hardening and monitoring of services subject to arbitrary flows
Description: None
Level: intermediary
Automated: yes
No rules selected
R22: Setting up network sysctl
Description: None
Level: intermediary
Automated: yes
Selections:
- sysctl_net_ipv4_ip_forward - not available for this product
- sysctl_net_ipv4_conf_all_rp_filter - not available for this product
- sysctl_net_ipv4_conf_default_rp_filter - not available for this product
- sysctl_net_ipv4_conf_all_send_redirects - not available for this product
- sysctl_net_ipv4_conf_default_send_redirects - not available for this product
- sysctl_net_ipv4_conf_all_accept_source_route - not available for this product
- sysctl_net_ipv4_conf_default_accept_source_route - not available for this product
- sysctl_net_ipv4_conf_all_accept_redirects - not available for this product
- sysctl_net_ipv4_conf_all_secure_redirects - not available for this product
- sysctl_net_ipv4_conf_default_accept_redirects - not available for this product
- sysctl_net_ipv4_conf_default_secure_redirects - not available for this product
- sysctl_net_ipv4_conf_all_log_martians - not available for this product
- sysctl_net_ipv4_tcp_rfc1337 - not available for this product
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses - not available for this product
- sysctl_net_ipv4_ip_local_port_range - not available for this product
- sysctl_net_ipv4_tcp_syncookies - not available for this product
- sysctl_net_ipv6_conf_all_router_solicitations - not available for this product
- sysctl_net_ipv6_conf_default_router_solicitations - not available for this product
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref - not available for this product
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref - not available for this product
- sysctl_net_ipv6_conf_all_accept_ra_pinfo - not available for this product
- sysctl_net_ipv6_conf_default_accept_ra_pinfo - not available for this product
- sysctl_net_ipv6_conf_all_accept_ra_defrtr - not available for this product
- sysctl_net_ipv6_conf_default_accept_ra_defrtr - not available for this product
- sysctl_net_ipv6_conf_all_autoconf - not available for this product
- sysctl_net_ipv6_conf_default_autoconf - not available for this product
- sysctl_net_ipv6_conf_all_accept_redirects - not available for this product
- sysctl_net_ipv6_conf_default_accept_redirects - not available for this product
- sysctl_net_ipv6_conf_all_accept_source_route - not available for this product
- sysctl_net_ipv6_conf_default_accept_source_route - not available for this product
- sysctl_net_ipv6_conf_all_max_addresses - not available for this product
- sysctl_net_ipv6_conf_default_max_addresses - not available for this product
R23: Setting up system sysctl
Description: None
Level: intermediary
Automated: yes
Selections:
- sysctl_kernel_sysrq - not available for this product
- sysctl_fs_suid_dumpable: Disable Core Dumps for SUID programs
- sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks
- sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks
- sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space
- sysctl_vm_mmap_min_addr - not available for this product
- sysctl_kernel_pid_max - not available for this product
- sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access
- sysctl_kernel_dmesg_restrict - not available for this product
- sysctl_kernel_perf_event_paranoid - not available for this product
- sysctl_kernel_perf_event_max_sample_rate - not available for this product
- sysctl_kernel_perf_cpu_time_max_percent - not available for this product
R24: Disabling the loading of kernel modules
Description: The loading of kernel modules can be blocked by activating the sysctl kernel.modules_disabled. In the sysctl configuration, prohibition of loading modules (except those already loaded up to this point): kernel.modules_disabled = 1
Level: enhanced
Automated: yes
Selections:
- sysctl_kernel_modules_disabled - not available for this product
R25: Yama module sysctl configuration
Description: It is recommended to load the Yama security module at startup (for example by passing the security=yama argument to the kernel) and to configure the sysctl kernel.yama.ptrace_scope to a value of at least 1.
Level: enhanced
Automated: yes
Selections:
- sysctl_kernel_yama_ptrace_scope - not available for this product
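R22 through R25 all come down to kernel parameters that can be read back with `sysctl -a`. As an added example (not ComplianceAsCode code), the following parses such a dump and reports parameters that miss their target; kernel.modules_disabled and kernel.yama.ptrace_scope use the values stated in R24 and R25, while the other targets are the settings I assume for rules the listing names only by title, and the dump is constructed.

```python
"""Check a `sysctl -a` dump against the R22-R25 kernel parameters.

Added example, not ComplianceAsCode code. kernel.modules_disabled (R24) and
kernel.yama.ptrace_scope (R25) use the values stated in the guide; the other
targets are the settings I assume for rules the listing names only by title.
"""

# ("eq", v): value must equal v; ("min", v): value must be at least v.
EXPECTED = {
    "net.ipv4.ip_forward": ("eq", 0),                   # R22 (assumed)
    "net.ipv4.conf.all.rp_filter": ("eq", 1),
    "net.ipv4.conf.all.accept_source_route": ("eq", 0),
    "net.ipv4.conf.all.log_martians": ("eq", 1),
    "net.ipv4.tcp_syncookies": ("eq", 1),
    "net.ipv6.conf.all.autoconf": ("eq", 0),
    "fs.suid_dumpable": ("eq", 0),                      # R23 (assumed)
    "fs.protected_symlinks": ("eq", 1),
    "fs.protected_hardlinks": ("eq", 1),
    "kernel.randomize_va_space": ("eq", 2),
    "kernel.kptr_restrict": ("min", 1),
    "kernel.modules_disabled": ("eq", 1),               # R24 (from the guide)
    "kernel.yama.ptrace_scope": ("min", 1),             # R25 (from the guide)
}

def parse_sysctl_dump(text):
    """Parse 'key = value' lines; numeric values become int, others stay str."""
    values = {}
    for raw in text.splitlines():
        key, sep, val = raw.partition("=")
        if not sep:
            continue  # blank line or a sysctl error message
        val = val.strip()
        values[key.strip()] = int(val) if val.lstrip("-").isdigit() else val
    return values

def audit_sysctl(text):
    """Return sorted (key, problem) pairs for parameters that miss their target."""
    values = parse_sysctl_dump(text)
    findings = []
    for key, (op, want) in EXPECTED.items():
        got = values.get(key)
        if got is None:
            # Absent usually means the feature is not built in or Yama is not loaded.
            findings.append((key, "not present"))
        elif not isinstance(got, int):
            findings.append((key, f"non-numeric value {got!r}"))
        elif op == "eq" and got != want:
            findings.append((key, f"is {got}, expected {want}"))
        elif op == "min" and got < want:
            findings.append((key, f"is {got}, expected at least {want}"))
    return sorted(findings)

# Constructed sample of `sysctl -a` output, not captured from a real host.
SAMPLE_DUMP = """\
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 2
kernel.kptr_restrict = 2
kernel.modules_disabled = 0
kernel.randomize_va_space = 2
kernel.version = #1 SMP PREEMPT_DYNAMIC
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.autoconf = 1
"""
```

On a live host, feed it the output of `sysctl -a` instead of the sample; a missing kernel.yama.ptrace_scope is reported as "not present", which is exactly the case R25 warns about when Yama is not loaded at boot.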
R26: Disabling unused user accounts
Description: Unused user accounts must be disabled at the system level.
Level: enhanced
Automated: yes
No rules selected
R27: Disabling service accounts
Description: None
Level: intermediary
Automated: no
No rules selected
R28: Uniqueness and exclusivity of system service accounts
Description: Each service must have its own system account and be dedicated to it exclusively.
Level: enhanced
Automated: yes
No rules selected
R29: User session timeout
Description: Remote user sessions (shell access, graphical clients) must be closed after a certain period of inactivity.
Level: enhanced
Automated: yes
Selections:
R30: Applications using PAM
Description: None
Level: minimal
Automated: no
No rules selected
R31: Securing PAM Authentication Network Services
Description: None
Level: intermediary
Automated: yes
No rules selected
R32: Protecting stored passwords
Description: Any password must be protected by cryptographic mechanisms.
Level: minimal
Automated: yes
Selections:
- set_password_hashing_algorithm_systemauth - not available for this product
- accounts_password_pam_unix_rounds_system_auth - not available for this product
- accounts_password_pam_unix_rounds_password_auth - not available for this product
R33: Securing access to remote user databases
Description: None
Level: intermediary
Automated: yes
No rules selected
R34: Separation of System Accounts and Directory Administrator
Description: None
Level: intermediary
Automated: yes
No rules selected
R35: umask value
Description: The system umask must be set to 0027 (by default, any created file can only be read by its owner and group, and be modified only by its owner). The umask for users must be set to 0077 (any file created by a user is readable and modifiable only by that user).
Level: enhanced
Automated: partially
Selections:
R36: Rights to access sensitive content files
Description: None
Level: intermediary
Automated: yes
Selections:
R37: Executables with setuid and setgid bits
Description: None
Level: minimal
Automated: yes
Selections:
- file_permissions_unauthorized_suid - not available for this product
- file_permissions_unauthorized_sgid - not available for this product
R38: Executable setuid root
Description: Setuid executables should be as few as possible. When it is expected that only the administrators of the machine execute them, the setuid bit must be removed and commands such as su or sudo, which can be monitored, preferred instead.
Level: enhanced
Automated: yes
No rules selected
R39: Temporary directories dedicated to accounts
Description: Each user or service account must have its own temporary directory and use it exclusively.
Level: intermediary
Automated: yes
Selections:
R40: Sticky bit and write access rights
Description: None
Level: intermediary
Automated: yes
Selections:
R41: Securing access for named sockets and pipes
Description: None
Level: intermediary
Automated: yes
No rules selected
R42: In memory services and daemons
Description: None
Level: minimal
Automated: no
No rules selected
R43: Hardening and configuring the syslog
Description: The chosen syslog server must be hardened according to the security guides associated with this server. The configuration of the service must be performed according to the 'Security Recommendations for the implementation of a logging system' (DAT-NT-012) accessible on the ANSSI website.
Level: intermediary
Automated: partially
Selections:
R44: Partitioning the syslog service by chroot
Description: None
Level: intermediary
Automated: yes
No rules selected
R45: Partitioning the syslog service by container
Description: The syslog services must be isolated from the rest of the system in a dedicated container.
Level: high
Automated: yes
No rules selected
R46: Service Activity Logs
Description: None
Level: intermediary
Automated: yes
No rules selected
R47: Dedicated partition for logs
Description: None
Level: intermediary
Automated: yes
Selections:
R48: Configuring the local messaging service
Description: None
Level: intermediary
Automated: yes
Selections:
- postfix_network_listening_disabled - not available for this product
R49: Messaging Aliases for Service Accounts
Description: None
Level: intermediary
Automated: partially
Selections:
R50: Logging activity by auditd
Description: The logging of the system activity must be done through the auditd service.
Level: enhanced
Automated: yes
No rules selected
R51: Sealing and integrity of files
Description: Any file that is not transient (such as temporary files, databases, etc.) must be monitored by a sealing program. This includes: directories containing executables, libraries, configuration files, as well as any files that may contain sensitive elements (cryptographic keys, passwords, confidential data).
Level: high
Automated: yes
Selections:
- package_aide_installed - not available for this product
- aide_build_database: Build and Test AIDE Database
- aide_periodic_cron_checking - not available for this product
- aide_scan_notification - not available for this product
- aide_verify_acls - not available for this product
- aide_verify_ext_attributes - not available for this product
R52: Protection of the seals database
Description: The sealing database must be protected from malicious access by cryptographic signature mechanisms (with the key used for the signature not stored locally in clear), or possibly stored on a machine separate from the one on which the sealing is done. See the section "Database and config signing" in the AIDE manual: https://github.com/aide/aide/blob/master/doc/manual.html
Level: high
Automated: yes
No rules selected
R53: Restricting access of deployed services
Description: The deployed services must have their access to the system restricted to the strict minimum, especially when it comes to files, processes or the network.
Level: enhanced
Automated: yes
No rules selected
R54: Virtualization components hardening
Description: Each component supporting the virtualization must be hardened, especially by applying technical measures to counter exploitation attempts.
Level: enhanced
Automated: yes
No rules selected
R55: chroot jail and access right for partitioned service
Description: None
Level: intermediary
Automated: yes
No rules selected
R56: Enablement and usage of chroot by a service
Description: None
Level: intermediary
Automated: yes
No rules selected
R57: Group dedicated to the use of sudo
Description: A group dedicated to the use of sudo must be created, and only members of this group are allowed to execute sudo.
Level: intermediary
Automated: yes
Selections:
- sudo_dedicated_group - not available for this product
R58: Sudo configuration guidelines
Description: None
Level: intermediary
Automated: partially
Selections:
- sudo_add_noexec: Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
- sudo_add_requiretty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
- sudo_add_umask - not available for this product
- sudo_add_ignore_dot - not available for this product
- sudo_add_env_reset - not available for this product
R59: User authentication running sudo
Description: The calling user must be authenticated before running any command with sudo.
Level: minimal
Automated: yes
Selections:
R60: Privileges of target sudo users
Description: The targeted users of a rule should be, as much as possible, non privileged users.
Level: intermediary
Automated: yes
Selections:
R61: Limiting the number of commands requiring the use of the EXEC option
Description: The commands requiring the execution of sub-processes (EXEC tag) must be explicitly listed and their use should be reduced to a strict minimum.
Level: enhanced
Automated: yes
No rules selected
R62: Good use of negation in a sudoers file
Description: The sudoers configuration rules should not involve negation.
Level: intermediary
Automated: yes
Selections:
R63: Explicit arguments in sudo specifications
Description: None
Level: intermediary
Automated: yes
Selections:
R64: Good use of sudoedit
Description: None
Level: intermediary
Automated: yes
No rules selected
R65: Enable AppArmor security profiles
Description: All AppArmor security profiles on the system must be enabled by default.
Level: high
Automated: yes
No rules selected
R66: Enabling SELinux Targeted Policy
Description: It is recommended to enable the targeted policy when the distribution supports it and does not run a security module other than SELinux.
Level: high
Automated: yes
Selections:
- selinux_policytype - not available for this product
R67: Setting SELinux booleans
Description: It is recommended to set the following Booleans: allow_execheap to off, forbids processes to make their heap executable; allow_execmem to off, forbids processes to have both write and execute rights on memory pages; allow_execstack to off, forbids processes to make their stack executable; secure_mode_insmod to on, prohibits dynamic loading of modules by any process; ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.
Level: high
Automated: yes
Selections:
- sebool_secure_mode_insmod - not available for this product
- sebool_ssh_sysadm_login - not available for this product
R68: Uninstalling SELinux Policy Debugging Tools
Description: SELinux policy manipulation and debugging tools should not be installed on a machine in production.
Level: high
Automated: yes
Selections:
- package_setroubleshoot_removed - not available for this product
R69: Confining interactive non-privileged users
Description: Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.
Level: high
Automated: yes
No rules selected