anssi.yml
policy: 'ANSSI-BP-028'
title: 'Configuration Recommendations of a GNU/Linux System'
id: anssi
version: '2.0'
source: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
levels:
- id: minimal
- id: intermediary
inherits_from:
- minimal
- id: enhanced
inherits_from:
- intermediary
- id: high
inherits_from:
- enhanced
reference_type: anssi
controls:
- id: R1
title: Hardware Support
levels:
- enhanced
description: >-
It is recommended to apply the configuration recommendations for Hardware support
mentioned in ANSSI DAT-24.
notes: >-
This requirement can be checked, but remediation requires a manual reinstall of the OS.
The content automation cannot configure the BIOS itself, but it can in some cases check
settings that are visible to the OS, for example the NX/XD bit.
status: automated
rules:
# From ANSSI DAT-24
# R1 and R2 Prefer 64 bit OS
- prefer_64bit_os
# R3 If using 32 bit OS, PAE mode should be enabled
- install_PAE_kernel_on_x86-32
# R5 It is recommended to use hardware and OS that support SMEP
- grub2_nosmep_argument_absent
# R6 It is recommended to use hardware and OS that support SMAP
- grub2_nosmap_argument_absent
# R7 It is recommended to use hardware and OS that support AES-NI
- package_dracut-fips-aesni_installed
# R8 It is recommended to use hardware with support for hardware random number generator
# R9 Disable VT-x AMD-V technologies
# TODO: can we reliably check cpuinfo flags?
# R10 IOMMU must be enabled if the hardware supports it
- id: R2
title: Hardware configuration
levels:
- intermediary
description: >-
It is recommended to apply the configuration recommendations for BIOS/UEFI mentioned in
ANSSI DAT-24.
notes: >-
Configurations recommended for this requirement are to be performed at the BIOS level.
status: manual
#rules:
# From ANSSI DAT-24
# R11 Password protect the BIOS
# R12 Deactivate peripherals not needed
# R13 The boot order list should give highest preference to component on which final OS is installed
# R14 Enable NX/XD bit
# - bios_enable_execution_restrictions # Doesn't have check
# R15 Disable VT-x/AMD-V functionality
# R16 Enable IOMMU
- id: R3
title: UEFI Secure boot activation
levels:
- intermediary
description: >-
It is recommended to apply UEFI Secure Boot configuration of the distribution.
notes: >-
Secure Boot needs to be enabled in the UEFI Setup program.
Enabling Secure Boot can't be accomplished from the operating system.
Also, OVAL doesn't provide any reliable ways to detect the Secure Boot status.
Therefore, we will not provide any rules to automate this requirement.
We recommend checking the Secure Boot status using the `mokutil --sb-state` or `bootctl status` commands.
status: manual
- id: R4
title: Replacing of preloaded keys
levels:
- high
description: >-
It is recommended to replace the UEFI preloaded keys with new keys used to sign either
the bootloader and the Linux kernel, or the Linux kernel image in EFI format.
notes: >-
This requirement is not generally automatable. The Machine Owner Key (MOK) mechanism of
shim could be used to enrol additional keys (mokutil --import), but manual interaction is
required to confirm the enrolment in the MokManager UEFI console at the next boot and to
enter the key password.
On systems where the MOK utility is not supported, one will need to access the UEFI
firmware interface to add new keys.
We have no automation support for UEFI interfaces, and the steps vary between hardware
manufacturers.
status: manual
- id: R5
title: Boot loader password
levels:
- intermediary
description: >-
A password protecting the boot loader must exist.
This password must prevent any user from changing its configuration options.
status: automated
rules:
- grub2_password
- grub2_uefi_password
- id: R6
title: Protecting kernel command line parameters
levels:
- high
description: >-
It is recommended that UEFI Secure Boot is used to protect the Linux Kernel
command line parameters during boot.
notes: >-
To protect the Linux kernel command line one needs to create a Unified Kernel Image and use
it with the UEFI Secure Boot mechanism.
To check whether the kernel image embeds the kernel command line (the .cmdline section of
the PE image) one needs to inspect the binary, for example with the objdump command.
Unfortunately, OVAL is not able to inspect kernel images.
Also, it is not trivial to automate creation of such image or configuration of the
Secure Boot mechanism.
status: manual
- id: R7
title: IOMMU Configuration Guidelines
levels:
- enhanced
description: >-
The iommu=force directive must be added to the list of kernel parameters
at startup, in addition to those already present in the bootloader
configuration files (/boot/grub/menu.lst or /etc/default/grub).
status: automated
rules:
- grub2_enable_iommu_force
- id: R8
title: Memory configuration options
levels:
- intermediary
status: automated
rules:
# l1tf=full,force to enable countermeasure for L1 Terminal Fault vulnerability, or
# l1tf=off to maximize performance, when system is not a hypervisor or VMs are trusted
- grub2_l1tf_argument
- var_l1tf_options=full_force
# page_poison=on: activate the poisoning of the pages of the page allocator (buddy allocator)
- grub2_page_poison_argument
# pti=on: force the use of Page Table Isolation (PTI) including on processors claiming not to
# be affected by the Meltdown vulnerability;
- grub2_pti_argument
# slab_nomerge=yes (equivalent to CONFIG_SLAB_MERGE_DEFAULT=n): disables the merging of slab
# caches (dynamic memory allocations) of identical size.
- grub2_slab_nomerge_argument
# slub_debug=F,Z,P: activate certain options for checking slabs caches (dynamic memory allocation)
- grub2_slub_debug_argument
- var_slub_debug_options=FZP
# spec_store_bypass_disable=seccomp: force the system to use the default countermeasure
# (on an x86 system supporting seccomp) for the Spectre v4 (Speculative Store Bypass) vulnerability
- grub2_spec_store_bypass_disable_argument
- var_spec_store_bypass_disable_options=seccomp
# spectre_v2=on: force the system to use a countermeasure for the Spectre v2 (Branch Target Injection) vulnerability.
- grub2_spectre_v2_argument
# mds=full,nosmt: force the full mitigation for the Microarchitectural Data Sampling (MDS)
# vulnerabilities of Intel processors and disable SMT, without which the mitigation is incomplete.
- grub2_mds_argument
- var_mds_options=full_nosmt
# mce=0: force a kernel panic on uncorrected errors reported by Machine Check support.
- grub2_mce_argument
# page_alloc.shuffle=1: enables Page allocator randomization
- grub2_page_alloc_shuffle_argument
# rng_core.default_quality=500: increase confidence in TPM's HWRNG for robust and fast Linux
# CSPRNG initialization by crediting half of the entropy it provides.
- grub2_rng_core_default_quality_argument
- var_rng_core_default_quality=500
# Forbidden to map memory in low addresses (0)
# vm.mmap_min_addr = 65536
- sysctl_vm_mmap_min_addr
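The R8 boot arguments above are only effective if they were present on the command line of the kernel that is actually running; the bootloader configuration may differ until the next reboot. The following script is an added example and not part of anssi.yml or the ComplianceAsCode project: it checks a command line (normally the content of /proc/cmdline) against the R8 list as whole tokens and reports arguments that are absent or set to a different value. The file name and the sample command line are constructed for illustration. vm.mmap_min_addr is a sysctl rather than a boot argument and is therefore not checked here.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode anssi.yml: verify that a
# kernel command line carries the R8 memory-hardening arguments listed above.
# vm.mmap_min_addr is a sysctl, not a boot argument, so it is not checked here.

# Expected arguments, exactly as they must appear as tokens. The kernel accepts
# the bare slab_nomerge flag; if your bootloader sets slab_nomerge=yes as in the
# ANSSI text, adjust the entry accordingly.
R8_ARGS='l1tf=full,force
page_poison=on
pti=on
slab_nomerge
slub_debug=FZP
spec_store_bypass_disable=seccomp
spectre_v2=on
mds=full,nosmt
mce=0
page_alloc.shuffle=1
rng_core.default_quality=500'

# has_arg CMDLINE TOKEN: true if TOKEN is present as a whole space-separated word.
has_arg() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# check_cmdline CMDLINE: print one line per missing or mis-set argument
# ("MISSING ..." or "WRONG ..."); return 0 only when all are present.
check_cmdline() {
    missing=0
    for want in $R8_ARGS; do
        if ! has_arg "$1" "$want"; then
            name=${want%%=*}
            # report what the host actually has for this parameter, if anything
            actual=$(printf '%s' "$1" | tr ' ' '\n' | grep -e "^$name=" -e "^$name\$" | head -n 1)
            if [ -n "$actual" ]; then
                echo "WRONG   $actual (expected $want)"
            else
                echo "MISSING $want"
            fi
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample, not a real host's /proc/cmdline: l1tf is set to the
# performance value and five of the arguments are absent altogether.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-6.1.0 root=/dev/mapper/vg-root ro quiet l1tf=off pti=on slab_nomerge slub_debug=FZP spectre_v2=on mce=0'

# Live check:    sh r8_cmdline.sh --live     (reads /proc/cmdline)
# Sample check:  sh r8_cmdline.sh --sample
case "${1:-}" in
    --live)   check_cmdline "$(cat /proc/cmdline)" ;;
    --sample) check_cmdline "$SAMPLE_CMDLINE" ;;
esac
```

The effective mitigation state after boot (for example whether mds=full,nosmt really disabled SMT) is reported under /sys/devices/system/cpu/vulnerabilities/ and is worth reading next to this check; note that mds=full,nosmt and l1tf=full,force deliberately trade CPU capacity for isolation, which is why the L1TF comment above allows l1tf=off on hosts that run no untrusted virtual machines.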
- id: R9
title: Kernel configuration options
levels:
- intermediary
status: automated
rules:
# Restrict access to the dmesg buffer (equivalent to
# CONFIG_SECURITY_DMESG_RESTRICT=y)
- sysctl_kernel_dmesg_restrict
# Hide kernel addresses in /proc and various other interfaces,
# including from privileged users
- sysctl_kernel_kptr_restrict
- sysctl_kernel_kptr_restrict_value=2
# Explicitly specify the process id space supported by the kernel,
# 65536 being an example value
# kernel.pid_max=65536
- sysctl_kernel_pid_max
# Restricts the use of the perf system
# kernel.perf_event_max_sample_rate = 1
# kernel.perf_cpu_time_max_percent = 1
- sysctl_kernel_perf_event_max_sample_rate
- sysctl_kernel_perf_cpu_time_max_percent
# Prohibit unprivileged access to the perf_event_open() system call.
# With a value of 2, unprivileged users can no longer profile the kernel;
# a value greater than 2 requires CAP_SYS_ADMIN (or CAP_PERFMON) for any perf
# event collection on distribution kernels carrying the corresponding patch
# (mainline treats values above 2 like 2).
# kernel.perf_event_paranoid = 2
- sysctl_kernel_perf_event_paranoid
# Activate ASLR
- sysctl_kernel_randomize_va_space
# Disable Magic System Request Key combinations
# kernel.sysrq = 0
- sysctl_kernel_sysrq
# Restrict kernel BPF usage to privileged users
# kernel.unprivileged_bpf_disabled=1
- sysctl_kernel_unprivileged_bpf_disabled
# Completely shut down the system if the Linux kernel behaves
# unexpectedly
# kernel.panic_on_oops=1
- sysctl_kernel_panic_on_oops
- id: R10
title: Disabling the loading of kernel modules
levels:
- enhanced
description: >-
The loading of the kernel modules can be blocked by the activation of the
sysctl kernel.modules_disabled:
Prohibition of loading modules (except those already loaded to this point)
kernel.modules_disabled = 1
status: automated
rules:
- sysctl_kernel_modules_disabled
- id: R11
title: Yama module sysctl configuration
levels:
- intermediary
description: >-
It is recommended to load the Yama security module at startup (for example
by passing the security=yama argument to the kernel) and to configure the
sysctl kernel.yama.ptrace_scope to a value of at least 1.
status: automated
rules:
- sysctl_kernel_yama_ptrace_scope
- id: R12
title: IPv4 configuration options
levels:
- intermediary
status: automated
rules:
# Enable BPF JIT hardening (constant blinding) for all users to mitigate
# JIT spraying, at the cost of some performance.
# net.core.bpf_jit_harden=2
- sysctl_net_core_bpf_jit_harden
# No routing between interfaces
# net.ipv4.ip_forward = 0
- sysctl_net_ipv4_ip_forward
# Treat as invalid packets received from the network whose source address
# is one of the host's own local addresses (including the 127/8 network).
# net.ipv4.conf.all.accept_local=0
- sysctl_net_ipv4_conf_all_accept_local
# Deny receipt of ICMP redirect packets
# net.ipv4.conf.all.accept_redirects = 0
- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- sysctl_net_ipv4_conf_all_accept_redirects
# net.ipv4.conf.default.accept_redirects = 0
- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- sysctl_net_ipv4_conf_default_accept_redirects
# net.ipv4.conf.all.secure_redirects = 0
- sysctl_net_ipv4_conf_all_secure_redirects
# net.ipv4.conf.default.secure_redirects = 0
- sysctl_net_ipv4_conf_default_secure_redirects
# net.ipv4.conf.all.shared_media=0
- sysctl_net_ipv4_conf_all_shared_media
- sysctl_net_ipv4_conf_all_shared_media_value=disabled
- sysctl_net_ipv4_conf_default_shared_media
- sysctl_net_ipv4_conf_default_shared_media_value=disabled
# Deny the source routing header information supplied by the
# packet to determine its route.
# net.ipv4.conf.all.accept_source_route = 0
- sysctl_net_ipv4_conf_all_accept_source_route
# net.ipv4.conf.default.accept_source_route = 0
- sysctl_net_ipv4_conf_default_accept_source_route
# Answer an ARP request on an interface only if the kernel would route a packet
# to the requester out of that same interface, instead of treating the ARP
# table as global to the host.
- sysctl_net_ipv4_conf_all_arp_filter
# Respond to ARP requests only if the source and destination address are on the
# same network and come from the same interface on which the packet was received.
# Note that the configuration of this option is to be studied according to the
# use case.
- sysctl_net_ipv4_conf_all_arp_ignore
- sysctl_net_ipv4_conf_all_arp_ignore_value=2
# Refuse the routing of packets whose source or destination address is that
# of the local loopback.
# net.ipv4.conf.all.route_localnet=0
- sysctl_net_ipv4_conf_all_route_localnet
# Ignore gratuitous ARP requests.
# net.ipv4.conf.all.drop_gratuitous_arp=1
- sysctl_net_ipv4_conf_all_drop_gratuitous_arp
# Check that the source address of packets received on a given interface
# would have been contacted via this same interface.
# net.ipv4.conf.all.rp_filter = 1
- sysctl_net_ipv4_conf_all_rp_filter
# net.ipv4.conf.default.rp_filter = 1
- sysctl_net_ipv4_conf_default_rp_filter
# A non-routing equipment has no reason to receive a flow for which it is not the recipient
# and therefore to send an ICMP redirect packet.
# net.ipv4.conf.all.send_redirects = 0
- sysctl_net_ipv4_conf_all_send_redirects
# net.ipv4.conf.default.send_redirects = 0
- sysctl_net_ipv4_conf_default_send_redirects
# Ignore responses that do not comply with RFC 1122
# net.ipv4.icmp_ignore_bogus_error_responses = 1
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
# Increase the range for ephemeral ports
# net.ipv4.ip_local_port_range = 32768 65535
- sysctl_net_ipv4_ip_local_port_range
# RFC 1337
# net.ipv4.tcp_rfc1337 = 1
- sysctl_net_ipv4_tcp_rfc1337
# Use SYN cookies
# net.ipv4.tcp_syncookies = 1
- sysctl_net_ipv4_tcp_syncookies
- id: R13
title: Disabling IPv6
levels:
- intermediary
notes: >-
When IPv6 is not in use, disable it; otherwise secure the IPv6 stack.
This control hardens the IPv6 stack; to disable it, use the related rules instead.
status: automated
rules:
# Disable support for "router solicitations"
# net.ipv6.conf.all.router_solicitations = 0
# net.ipv6.conf.default.router_solicitations = 0
- sysctl_net_ipv6_conf_all_router_solicitations
- sysctl_net_ipv6_conf_default_router_solicitations
# Do not accept "router preferences" by "router advertisements"
# net.ipv6.conf.all.accept_ra_rtr_pref = 0
# net.ipv6.conf.default.accept_ra_rtr_pref = 0
- sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
- sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
# No auto configuration of prefixes by router advertisements
# net.ipv6.conf.all.accept_ra_pinfo = 0
# net.ipv6.conf.default.accept_ra_pinfo = 0
- sysctl_net_ipv6_conf_all_accept_ra_pinfo
- sysctl_net_ipv6_conf_default_accept_ra_pinfo
# No default router learning by router advertisements
# net.ipv6.conf.all.accept_ra_defrtr = 0
# net.ipv6.conf.default.accept_ra_defrtr = 0
- sysctl_net_ipv6_conf_all_accept_ra_defrtr
- sysctl_net_ipv6_conf_default_accept_ra_defrtr
# No auto configuration of addresses from "routers" advertisements
# net.ipv6.conf.all.autoconf = 0
# net.ipv6.conf.default.autoconf = 0
- sysctl_net_ipv6_conf_all_autoconf
- sysctl_net_ipv6_conf_default_autoconf
# Do not accept ICMPs of redirect type
# net.ipv6.conf.all.accept_redirects = 0
- sysctl_net_ipv6_conf_all_accept_redirects
# net.ipv6.conf.default.accept_redirects = 0
- sysctl_net_ipv6_conf_default_accept_redirects
# Deny routing source packets
# net.ipv6.conf.all.accept_source_route = 0
- sysctl_net_ipv6_conf_all_accept_source_route
# net.ipv6.conf.default.accept_source_route = 0
- sysctl_net_ipv6_conf_default_accept_source_route
# Maximum number of autoconfigured addresses per interface
# net.ipv6.conf.all.max_addresses = 1
# net.ipv6.conf.default.max_addresses = 1
- sysctl_net_ipv6_conf_all_max_addresses
- sysctl_net_ipv6_conf_default_max_addresses
related_rules:
# Rules to select when disabling the IPv6 stack.
- sysctl_net_ipv6_conf_all_disable_ipv6
- sysctl_net_ipv6_conf_default_disable_ipv6
- id: R14
title: File system configuration options
levels:
- intermediary
notes: >-
The rule for the /proc file system is not implemented
status: automated
rules:
# Disable coredump creation for setuid executables
- sysctl_fs_suid_dumpable
# Available since version 4.19 of the Linux kernel: forbid opening FIFOs and
# regular files not owned by the user in world-writable sticky directories
# (value 2 also covers group-writable sticky directories) unless the file is
# owned by the directory owner.
# fs.protected_fifos=2
- sysctl_fs_protected_fifos
# fs.protected_regular=2
- sysctl_fs_protected_regular
# Restrict following symbolic links in world-writable sticky directories to
# links owned by the follower or by the directory owner.
- sysctl_fs_protected_symlinks
# Restrict the creation of hard links to files the user owns or has read and
# write access to.
- sysctl_fs_protected_hardlinks
- id: R15
title: Compile options for memory management
levels:
- high
status: automated
notes: >-
The special case of direct access to physical memory is not handled.
rules:
- kernel_config_strict_kernel_rwx
- kernel_config_debug_wx
- kernel_config_debug_fs
- kernel_config_stackprotector
- kernel_config_stackprotector_strong
- kernel_config_sched_stack_end_check
- kernel_config_hardened_usercopy
- kernel_config_hardened_usercopy_fallback
- kernel_config_vmap_stack
- kernel_config_refcount_full
- kernel_config_fortify_source
- kernel_config_acpi_custom_method
- kernel_config_devkmem
- kernel_config_proc_kcore
- kernel_config_compat_vdso
- kernel_config_security_dmesg_restrict
- kernel_config_retpoline
- kernel_config_legacy_vsyscall_none
- kernel_config_legacy_vsyscall_emulate
- kernel_config_legacy_vsyscall_xonly
- kernel_config_x86_vsyscall_emulation
- id: R16
title: Compile options for kernel data structures
levels:
- high
status: automated
rules:
- kernel_config_debug_credentials
- kernel_config_debug_notifiers
- kernel_config_debug_list
- kernel_config_debug_sg
- kernel_config_bug_on_data_corruption
- id: R17
title: Compile options for the memory allocator
levels:
- high
status: automated
rules:
- kernel_config_slab_freelist_random
- kernel_config_slab_freelist_hardened
- kernel_config_slab_merge_default
- kernel_config_slub_debug
- kernel_config_page_poisoning
- kernel_config_page_poisoning_no_sanity
- kernel_config_page_poisoning_zero
- kernel_config_compat_brk
- id: R18
title: Compile options for the management of kernel module
levels:
- high
status: automated
rules:
- kernel_config_strict_module_rwx
- kernel_config_module_sig
- kernel_config_module_sig_force
- kernel_config_module_sig_all
- kernel_config_module_sig_sha512
- kernel_config_module_sig_hash
- kernel_config_module_sig_key
- id: R19
title: Compile options for abnormal situations
levels:
- high
status: automated
rules:
- kernel_config_bug
- kernel_config_panic_on_oops
- kernel_config_panic_timeout
- id: R20
title: Compile options for kernel security functions
levels:
- high
status: automated
rules:
- kernel_config_seccomp
- kernel_config_seccomp_filter
- kernel_config_security
- kernel_config_security_yama
- kernel_config_security_writable_hooks
- id: R21
title: Compile options for the compiler plugins
levels:
- high
status: automated
rules:
- kernel_config_gcc_plugin_latent_entropy
- kernel_config_gcc_plugin_stackleak
- kernel_config_gcc_plugin_structleak
- kernel_config_gcc_plugin_structleak_byref_all
- kernel_config_gcc_plugin_randstruct
- id: R22
title: Compile options for the IP stack
levels:
- high
notes: >-
This control doesn't disable the IPv6 stack; to disable it, select the related rule.
status: automated
rules:
- kernel_config_syn_cookies
related_rules:
- kernel_config_ipv6
- id: R23
title: Compile options for various kernel behaviors
levels:
- high
notes: >-
If the system can function without support for kernel modules, module support should be disabled by setting CONFIG_MODULES=n.
status: automated
rules:
- kernel_config_kexec
- kernel_config_hibernation
- kernel_config_binfmt_misc
- kernel_config_legacy_ptys
- id: R24
title: Compile options for 32-bit architectures
levels:
- high
notes: >-
Unless an x86 32-bit kernel is explicitly supported by one of the products in the project, this
requirement is set to not applicable.
status: not applicable
- id: R25
title: Compile options for x86_64 architectures
levels:
- high
status: automated
rules:
# TODO: add support for variable for config_default_mmap_min_addr
# CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
- kernel_config_default_mmap_min_addr
- kernel_config_randomize_base
- kernel_config_randomize_memory
- kernel_config_page_table_isolation
- kernel_config_ia32_emulation
- kernel_config_modify_ldt_syscall
- id: R26
title: Compile options for ARM architectures
levels:
- high
notes: >-
Unless an ARM 32-bit kernel is explicitly supported by one of the products in the project, this
requirement is set to not applicable.
status: not applicable
- id: R27
title: Compile options for ARM 64 architectures
levels:
- high
status: automated
rules:
# CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
- kernel_config_default_mmap_min_addr
- kernel_config_randomize_base
- kernel_config_arm64_sw_ttbr0_pan
- kernel_config_unmap_kernel_at_el0
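The sysctl requirements (R9, R12 to R14) and the kernel build-option requirements (R15 to R27) above are both "expected key, expected value" lists; the only differences are the dump formats (`sysctl -a` prints `key = value`, a kernel config prints `CONFIG_X=y` or `# CONFIG_X is not set`). The following script is an added example, not part of anssi.yml or the ComplianceAsCode project: one checker that normalises both formats and reports every deviation, including keys that the dump does not contain at all. Both sample dumps are constructed for illustration; the expected-value file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode anssi.yml. One checker for the
# two kinds of key/value dumps the requirements above rely on (R9, R12-R14
# sysctls and R15-R27 kernel build options):
#   sysctl -a                 ->  "kernel.kptr_restrict = 2"
#   /boot/config-$(uname -r)  ->  "CONFIG_DEBUG_WX=y", "# CONFIG_DEVKMEM is not set"
# Expected-value files use the same syntax; "# CONFIG_X is not set" reads as X=n.

# normalize: stdin dump -> "key=value" lines, whitespace squeezed, comments dropped.
normalize() {
    sed -n -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1=n/' \
           -e 's/^\([^#=[:space:]][^=[:space:]]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1=\2/p' \
    | tr -s '[:blank:]' ' ' | sed -e 's/ $//'
}

# value_of KEY NORMFILE: KEY's value, or "<absent>". In a kernel config, absent
# usually means the option no longer exists in that kernel version (for example
# CONFIG_REFCOUNT_FULL after 5.4): review it rather than remediate blindly.
value_of() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    line=$(grep -- "^$esc=" "$2" | head -n 1)
    if [ -n "$line" ]; then printf '%s\n' "${line#*=}"; else echo '<absent>'; fi
}

# check_kv EXPECTED ACTUAL: print "FAIL key: expected X, got Y" per deviation;
# return 0 only when every expected key matches.
check_kv() {
    exp_n=$(mktemp) && act_n=$(mktemp)
    normalize < "$1" > "$exp_n"
    normalize < "$2" > "$act_n"
    bad=0
    while IFS= read -r want; do
        key=${want%%=*}
        got=$(value_of "$key" "$act_n")
        if [ "$got" != "${want#*=}" ]; then
            printf 'FAIL %s: expected %s, got %s\n' "$key" "${want#*=}" "$got"
            bad=$((bad + 1))
        fi
    done < "$exp_n"
    rm -f "$exp_n" "$act_n"
    [ "$bad" -eq 0 ]
}

# sample_check EXPECTED_TEXT ACTUAL_TEXT: run check_kv on two inline dumps.
sample_check() {
    e=$(mktemp) && a=$(mktemp)
    printf '%s\n' "$1" > "$e"
    printf '%s\n' "$2" > "$a"
    if check_kv "$e" "$a"; then rc=0; else rc=1; fi
    rm -f "$e" "$a"
    return $rc
}

# Constructed samples, not captured from a real host.
# sysctl: kptr_restrict too low, rp_filter in loose mode (2) instead of strict (1),
# suid_dumpable and send_redirects missing from the dump -> 4 FAIL lines.
SYSCTL_WANT='kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
fs.suid_dumpable = 0
fs.protected_regular = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_syncookies = 1'
SYSCTL_HAVE='kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
kernel.yama.ptrace_scope = 1
fs.protected_regular = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_syncookies = 1'
# kconfig: /proc/kcore built in, signatures not enforced, KEXEC absent -> 3 FAIL lines.
KCONFIG_WANT='CONFIG_STRICT_KERNEL_RWX=y
CONFIG_DEBUG_WX=y
CONFIG_DEVKMEM=n
CONFIG_PROC_KCORE=n
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_KEXEC=n'
KCONFIG_HAVE='# Linux/x86 6.1.0 Kernel Configuration
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_DEBUG_WX=y
# CONFIG_DEVKMEM is not set
CONFIG_PROC_KCORE=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536'

sysctl_sample()  { sample_check "$SYSCTL_WANT" "$SYSCTL_HAVE"; }
kconfig_sample() { sample_check "$KCONFIG_WANT" "$KCONFIG_HAVE"; }

# Live use:  sysctl -a > /tmp/sysctl.out; check_kv anssi-sysctl.expected /tmp/sysctl.out
#            check_kv anssi-kconfig.expected "/boot/config-$(uname -r)"
case "${1:-}" in
    --sample) sysctl_sample; kconfig_sample ;;
esac
```

Two practical points the sample deliberately exercises: a value that is set but weaker than required (rp_filter=2 is loose mode, not the strict mode R12 asks for) fails just like an unset one, and a build option reported as `<absent>` needs a human decision, because options are removed from Kconfig over time (several R15 and R17 options above no longer exist in current kernels) and treating their absence as a failure would produce noise rather than a finding.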
- id: R28
title: Partitioning type
levels:
- intermediary
status: automated
rules:
# this covers nodev options
- mount_option_nodev_nonroot_local_partitions
# The recommended partitioning type is as follows:
# / <without option> Root partition, contains the rest of the tree
# /boot nosuid, nodev, noexec (optional noauto) Contains the kernel and the bootloader. No access required once the boot finished (except update)
- partition_for_boot
- mount_option_boot_nosuid
- mount_option_boot_noexec
# The noauto option rule breaks checking of the other mount options
# Commented until rules for /boot mount_option handles this use case
# - mount_option_boot_noauto
# /opt nosuid, nodev (optional ro) Additional packages to the system. Can be mounted read-only when not being modified
- partition_for_opt
- mount_option_opt_nosuid
# /tmp nosuid, nodev, noexec Temporary files. Must contain only non-executable elements. Cleaned on reboot. Preferably a tmpfs.
- systemd_tmp_mount_enabled
- mount_option_tmp_nosuid
- mount_option_tmp_noexec
# /srv nosuid, nodev (noexec, optional ro) Contains files served by a service type web, ftp, etc
- partition_for_srv
- mount_option_srv_nosuid
# /home nosuid, nodev, noexec Contains the users' home directories. Can be mounted read-only when not in use
- partition_for_home
- mount_option_home_nosuid
- mount_option_home_noexec
# /usr nodev Contains the majority of utilities and system files
- partition_for_usr
# /var nosuid, nodev, noexec Partition containing variable files during the life of the system (mails, PID files, databases of a service)
- partition_for_var
- mount_option_var_nosuid
- mount_option_var_noexec
# /var/log nosuid, nodev, noexec Contains system logs
- partition_for_var_log
- mount_option_var_log_noexec
- mount_option_var_log_nosuid
# /var/tmp nosuid, nodev, noexec Temporary files preserved across reboots
- partition_for_var_tmp
- mount_option_var_tmp_nosuid
- mount_option_var_tmp_noexec
related_rules:
# /proc hidepid = 2 Contains process information and the system
- mount_option_proc_hidepid
- var_mount_option_proc_hidepid=2
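The R28 table above is a set of (mountpoint, required options) pairs, which makes it easy to verify against the running system without the scanner. The following script is an added example, not part of anssi.yml or the ComplianceAsCode project: it reads a mount table in /proc/self/mounts format, checks that each listed path is a separate mount and that it carries the required options, and includes the /proc hidepid=2 related rule. The sample mount table is constructed for illustration and the script file name is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode anssi.yml: verify the R28
# partitioning table against a mount table in /proc/self/mounts format
# ("source target fstype options dump pass"). /proc hidepid=2 is included
# because the content above lists it as a related rule.

# Required mountpoints and the options each must carry.
REQUIRED='/boot:nosuid,nodev,noexec
/opt:nosuid,nodev
/tmp:nosuid,nodev,noexec
/srv:nosuid,nodev
/home:nosuid,nodev,noexec
/usr:nodev
/var:nosuid,nodev,noexec
/var/log:nosuid,nodev,noexec
/var/tmp:nosuid,nodev,noexec
/proc:hidepid=2'

# mount_opts TARGET MOUNTS_FILE: option string of the last mount whose target
# is exactly TARGET (later entries overlay earlier ones); empty if none.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "$2"
}

# has_opt OPTIONS OPT: true if OPT is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    # Since Linux 5.8, /proc/self/mounts shows hidepid=2 as hidepid=invisible.
    if [ "$2" = "hidepid=2" ]; then
        case ",$1," in *",hidepid=invisible,"*) return 0 ;; esac
    fi
    return 1
}

# check_mounts MOUNTS_FILE: print "FAIL <target>: ..." per deviation;
# return 0 only when every required mount exists with its options.
check_mounts() {
    fails=0
    for entry in $REQUIRED; do
        mp=${entry%%:*}
        opts=$(mount_opts "$mp" "$1")
        if [ -z "$opts" ]; then
            echo "FAIL $mp: not a separate mount"
            fails=$((fails + 1))
            continue
        fi
        lacking=
        old_ifs=$IFS; IFS=,
        for o in ${entry#*:}; do
            has_opt "$opts" "$o" || lacking="$lacking $o"
        done
        IFS=$old_ifs
        if [ -n "$lacking" ]; then
            echo "FAIL $mp: missing$lacking (has: $opts)"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# write_sample_mounts FILE: constructed table (not from a real host) in which
# /home lacks noexec, /proc lacks hidepid, and /opt, /srv, /usr are not split off.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=2097152k 0 0
/dev/mapper/vg-home /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-varlog /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-vartmp /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Live:   sh r28_mounts.sh --live     (reads /proc/self/mounts)
# Sample: sh r28_mounts.sh --sample
case "${1:-}" in
    --live)   check_mounts /proc/self/mounts ;;
    --sample) f=$(mktemp); write_sample_mounts "$f"; check_mounts "$f"; rm -f "$f" ;;
esac
```

Checking /proc/self/mounts rather than /etc/fstab is deliberate: fstab describes intent, the mount table describes what is enforced right now, and the two diverge when a mount was remounted by hand or when an option is silently ignored by the filesystem. A path that is not a separate mount cannot carry its own options at all, which is why the script reports that case before looking at options.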
- id: R29
title: Access Restrictions on /boot
levels:
- enhanced
description: >-
When possible, it is recommended not to automatically mount the /boot partition.
In any case, access to the /boot folder should only be allowed for the root user.
notes: >-
A mounted /boot partition is essential to perform certain administrative actions, for
example updating the kernel. Therefore, for better stability, this requirement only selects
rules that restrict access to /boot. How /boot is mounted is not changed.
status: automated
rules:
- file_groupowner_efi_grub2_cfg
- file_groupowner_grub2_cfg
- file_owner_efi_grub2_cfg
- file_owner_grub2_cfg
- file_permissions_efi_grub2_cfg
- file_permissions_grub2_cfg
- file_groupowner_efi_user_cfg
- file_groupowner_user_cfg
- file_owner_efi_user_cfg
- file_owner_user_cfg
- file_permissions_efi_user_cfg
- file_permissions_user_cfg
- file_groupowner_systemmap
- file_owner_systemmap
- file_permissions_systemmap
related_rules:
- mount_option_boot_noauto
- id: R30
title: Removal of unused user accounts
levels:
- minimal
description: >-
Unused user accounts must be deleted from the system.
notes: >-
The definition of unused user accounts is broad. It can include accounts
whose owners don't use the system anymore, or users created by services
or applications that should not be used.
Automation by itself cannot discern which accounts are used or not.
status: manual
- id: R31
title: User password strength
levels:
- minimal
notes: >-
The rules selected below establish a general password strength baseline
of 100 bits, based on the recommendations of the technical note
"Recommandations relatives à l'authentification multifacteur et aux mots de passe"
(https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe)
The baseline should be reviewed and tailored to the system's use case and needs.
status: automated
rules:
# enable authselect to support following rules
- enable_authselect
# Set the maximum password age for the root account to 1 year
- var_accounts_maximum_age_root=365
- accounts_password_set_max_life_root
# Ensure passwords with minimum of 15 characters
- var_password_pam_minlen=15
- accounts_password_pam_minlen
- cracklib_accounts_password_pam_minlen
# Enforce password length for new accounts
- var_accounts_password_minlen_login_defs=15
- accounts_password_minlen_login_defs
# Require at Least 1 Special Character in Password
- var_password_pam_ocredit=1
- accounts_password_pam_ocredit
- cracklib_accounts_password_pam_ocredit
# Require at Least 1 Numeric Character in Password
- var_password_pam_dcredit=1
- cracklib_accounts_password_pam_dcredit
- accounts_password_pam_dcredit
# Require at Least 1 Uppercase Character in Password
- var_password_pam_ucredit=1
- accounts_password_pam_ucredit
- cracklib_accounts_password_pam_ucredit
# Require at Least 1 Lowercase Character in Password
- var_password_pam_lcredit=1
- cracklib_accounts_password_pam_lcredit
- accounts_password_pam_lcredit
# Lock out users after 3 failed authentication attempts within 15 min
- var_accounts_passwords_pam_faillock_fail_interval=900
- accounts_passwords_pam_faillock_interval
- var_accounts_passwords_pam_faillock_deny=3
- accounts_passwords_pam_faillock_deny
- accounts_passwords_pam_faillock_deny_root
# equivalent settings for the pam_tally2 module (5 attempts, 30 min unlock)
- accounts_passwords_pam_tally2_deny_root
- var_password_pam_tally2=5
- accounts_passwords_pam_tally2
- accounts_passwords_pam_tally2_unlock_time
- var_accounts_passwords_pam_tally2_unlock_time=1800
# Automatically unlock users after 15 min to prevent DoS
- var_accounts_passwords_pam_faillock_unlock_time=900
- accounts_passwords_pam_faillock_unlock_time
# Do not reuse last two passwords
- var_password_pam_unix_remember=2
- accounts_password_pam_unix_remember
- id: R32
title: Configuring a timeout on local user sessions
levels:
- intermediary
description: >-
Local user sessions (console TTY, graphical session) must be locked after a certain period of inactivity.
notes: >-
ANSSI doesn't specify the length of the inactivity period; we choose 10 minutes as a reasonable value.
status: automated
rules:
- logind_session_timeout
- var_logind_session_timeout=10_minutes
- accounts_tmout
- var_accounts_tmout=10_min
- id: R33
title: Use of dedicated administration accounts
levels:
- intermediary
notes: >-
Disabling direct root logins ensures proper accountability.
Users log in first, then escalate to privileged (root) access.
Changes of privilege must go through executables that allow the activities
performed to be monitored (for example sudo).
Nonetheless, the content automation cannot ensure that each administrator was given a
nominative administration account separate from their normal user account.
status: automated
rules:
- no_direct_root_logins
- sshd_disable_root_login
- package_sudo_installed
- audit_rules_privileged_commands_sudo
- service_auditd_enabled
- package_audit_installed
- id: R34
title: Deactivation of service accounts
levels:
- intermediary
notes: >-
It is difficult to generally identify the system's service accounts.
UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
are not enforced by the OS and can be changed over time.
Assisting rules could list users which are not disabled for manual review.
status: manual
- id: R35
title: Uniqueness and exclusivity of system service accounts
levels:
- intermediary
description: >-
Each service must have its own system account and be dedicated to it exclusively.
notes: >-
It is not trivial to identify whether a user account is a service account.
UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
are not enforced by the OS and can be changed over time.
status: manual
- id: R36
title: Changing the default value of UMASK
levels:
- enhanced
description: >-
The default value of UMASK for the shells must be set to 0077 in order to allow read and
write access to its owner only. This value can be defined in the configuration file
/etc/profile that most shells (bash, dash, ksh…) will use.
The default value of UMASK for services must be determined for each service, but in most
cases, it should be set to 0027 (or more restrictive). This allows read access to its owner
and its group, and a full access to its owner. For services such as systemd, this value can
be defined directly in the configuration file of the service with the directive UMask=0027.
notes: >-
There are systemd services that would stop working if umask were configured
to 0027 for all services. One such example is the CUPS service, which needs to
create sockets that must be available to all users. Therefore, this part of the
requirement can't be automated.
status: automated
rules:
- accounts_umask_etc_bashrc
- accounts_umask_etc_login_defs
- accounts_umask_etc_profile
- var_accounts_user_umask=077
- id: R37
title: Using access control features
levels:
- enhanced
description: >-
It is recommended to use the mandatory access control (MAC) features in
addition to the traditional Unix user model (DAC), or possibly combine
them with partitioning mechanisms.
notes: >-
Other partitioning mechanisms, such as chroot and containers, are not covered by
this requirement.
status: automated
rules:
- selinux_state
- var_selinux_state=enforcing
- id: R38
title: Group dedicated to the use of sudo
levels:
- enhanced
description: >-
A group dedicated to the use of sudo must be created, and only members of this
group are allowed to execute sudo.
status: automated
rules:
- sudo_dedicated_group
- var_sudo_dedicated_group=sudogrp
- file_permissions_sudo
- id: R39
title: Sudo configuration guidelines
levels:
- intermediary
status: automated
rules:
- sudo_add_noexec
- sudo_add_requiretty
- sudo_add_use_pty
- sudo_add_umask
- var_sudo_umask=0077
- sudo_add_ignore_dot
- sudo_add_env_reset
- id: R40
title: Privileges of target sudo users
description: The targeted users of a rule should be, as much as possible, non privileged users.
levels:
- intermediary
status: automated
rules:
- sudoers_no_root_target
- id: R41
title: Limiting the number of commands requiring the use of the EXEC option
levels:
- enhanced
description: >-
The commands requiring the execution of sub-processes (EXEC tag) must be
explicitly listed and their use should be reduced to a strict minimum.
notes: >-
Human review is required to assess whether the set of commands requiring EXEC is minimal.
An auxiliary rule could list the sudoers entries carrying the EXEC tag, for analysis.
status: manual
- id: R42
title: Good use of negation in a sudoers file
levels:
- intermediary
description: The sudoers configuration rules should not involve negation.
status: automated
rules:
- sudoers_no_command_negation
- id: R43
title: Explicit arguments in sudo specifications
levels:
- intermediary
status: automated
rules:
- sudoers_explicit_command_args
- id: R44
title: Editing files with sudo
levels:
- intermediary
description: A file requiring sudo to be edited, must be edited through the sudoedit command.
notes: >-
In R42 we established that the sudoers files should not use negations, thus the approach
for this requirement is to ensure that sudoedit is the only text editor allowed.
But it is difficult to ensure that the allowed binaries aren't text editors without human
review.
status: manual
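R40 to R44 above are properties of individual sudoers user specifications: who the command runs as, whether it carries the EXEC tag, whether it uses negation, and whether its arguments are pinned. `visudo -c` validates syntax only, so a policy-level first pass is useful before the human review the notes call for. The following script is an added example, not part of anssi.yml or the ComplianceAsCode project: an awk-based lint that walks the user specifications of a sudoers file and prints one finding per line tagged with the requirement it relates to. It does not implement the full sudoers grammar (aliases, includes and Defaults are skipped, and commands whose arguments contain commas are split incorrectly), and it does not attempt R44, because deciding which binaries are text editors is the part that needs a person. The sample sudoers content is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode anssi.yml: a first-pass lint
# of user specifications in a sudoers file for R40 (privileged run-as target),
# R41 (EXEC tag), R42 (negation) and R43 (explicit arguments). A review aid,
# not a full sudoers parser: aliases, includes and Defaults are skipped, and
# commands whose arguments contain commas are split wrongly.

# lint_sudoers FILE: print "Rnn line N: finding"; return 0 when nothing is found.
lint_sudoers() {
    awk '
    function report(req, msg) { print req " line " NR ": " msg; findings++ }
    /^[ \t]*#/ { next }                                # comments and #include
    /^[ \t]*$/ { next }
    /^[ \t]*@/ { next }                                # @include / @includedir
    /^[ \t]*Defaults/ { next }                         # covered by R39
    /^[ \t]*(User|Runas|Host|Cmnd)_Alias/ { next }
    {
        line = $0
        if (index(line, "=") == 0) next
        rhs = substr(line, index(line, "=") + 1)
        runas = "root"                                 # sudoers default when (runas) is omitted
        if (match(rhs, /^[ \t]*\([^)]*\)/)) {
            runas = substr(rhs, RSTART, RLENGTH)
            gsub(/[() \t]/, "", runas)
            rhs = substr(rhs, RSTART + RLENGTH)
        }
        if (runas ~ /(^|,|:)(root|ALL)(,|:|$)/)
            report("R40", "runs as root or ALL: " line)
        n = split(rhs, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
            # strip tags such as NOPASSWD:, NOEXEC:, EXEC:, SETENV:
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(c, RSTART, RLENGTH); sub(/:.*/, "", tag)
                if (tag == "EXEC") report("R41", "EXEC tag on: " c)
                c = substr(c, RSTART + RLENGTH)
            }
            if (c ~ /^!/)                report("R42", "negation: " c)
            else if (c == "ALL")         report("R43", "unrestricted ALL command")
            else if (c !~ /[ \t]/)       report("R43", "no argument specification: " c)
            else if (c ~ /\*/)           report("R43", "wildcard in arguments: " c)
        }
    }
    END { exit findings > 0 }' "$1"
}

# write_sample_sudoers FILE: constructed sudoers content, not from a real host.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample
Defaults noexec, requiretty, use_pty, umask=0077, ignore_dot, env_reset
%sudogrp ALL=(root) ALL
alice ALL=(apache) NOEXEC: /usr/bin/systemctl restart httpd.service
bob ALL=(root) /usr/bin/apt-get *
carol ALL=(ALL) ALL, !/usr/bin/su
dave ALL=(backup) /usr/bin/rsync -a /srv/data/ /backup/
erin ALL=(root) EXEC: /usr/sbin/visudo
frank ALL=(root) sudoedit /etc/hosts
@includedir /etc/sudoers.d
EOF
}

# Live (as root):  for f in /etc/sudoers /etc/sudoers.d/*; do lint_sudoers "$f"; done
# Sample:          sh sudoers_lint.sh --sample
case "${1:-}" in
    --sample) f=$(mktemp); write_sample_sudoers "$f"; lint_sudoers "$f"; rm -f "$f" ;;
esac
```

In the sample only the alice and dave entries pass: they run as an unprivileged service account, name a single binary and pin its arguments. The carol entry shows why R42 exists: `ALL, !/usr/bin/su` is bypassed by copying the binary under another name, so the negation gives no protection while making the rule look restrictive. Exit status is 1 whenever at least one finding was printed, so the function can gate a CI job that renders sudoers files from configuration management.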
- id: R45
title: Enable AppArmor security profiles
levels:
- enhanced
description: >-
All AppArmor security profiles on the system must be enabled by default.
status: automated
rules:
- apparmor_configured
- all_apparmor_profiles_enforced
- grub2_enable_apparmor
- package_apparmor_installed
- package_pam_apparmor_installed
- id: R46
title: Activate SELinux with the Targeted Policy
levels:
- high
description: >-
It is recommended to enable the targeted policy when the distribution
supports it and no security module other than SELinux is in use.
status: automated
rules:
- selinux_policytype
- var_selinux_policy_name=targeted
- id: R47