ComplianceAsCode · matejak · Jun 25, 2019 · Jun 21, 2019 · Jun 21, 2019 · Jun 21, 2019
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -44,5 +44,6 @@ references:
     cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.06,DSS06.10
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
     cis-csc: 1,11,12,13,14,15,16,18,3,5
+    anssi: NT28(R19)
 
 {{{ complete_ocil_entry_sshd_option(default="no", option="PermitRootLogin", value="no") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -54,6 +54,7 @@ references:
     cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
     iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+    anssi: NT28(R29)
 
 ocil_clause: 'it is commented out or not configured properly'
 

diff --git a/...unts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/...unts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
@@ -41,6 +41,7 @@ references:
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
     cis-csc: 1,12,15,16,5
+    anssi: NT28(R32)
 
 ocil_clause: 'it does not'
 

diff --git a/...os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/...os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
@@ -42,6 +42,7 @@ references:
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
     cis-csc: 1,12,15,16,5
+    anssi: NT28(R19)
 
 ocil_clause: 'the /etc/securetty file is not empty'
 

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -37,6 +37,7 @@ references:
     cobit5: DSS05.04,DSS05.10,DSS06.10
     iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
     cis-csc: 1,12,15,16
+    anssi: NT28(R29)
 
 ocil_clause: 'value of TMOUT is not less than or equal to expected setting'
 

diff --git a/.../guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/.../guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -31,6 +31,7 @@ references:
     cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05
     iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.1.1,A.14.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.5,A.6.1.5
     cis-csc: 11,18,3,9
+    anssi: NT28(R35)
 
 ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
 

diff --git a/..._os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/..._os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
@@ -29,6 +29,7 @@ references:
     cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03
     iso27001-2013: A.14.1.1,A.14.2.1,A.14.2.5,A.6.1.5
     cis-csc: '18'
+    anssi: NT28(R35)
 
 ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
 

diff --git a/linux_os/guide/system/bootloader-grub-legacy/grub_legacy_password/rule.yml b/linux_os/guide/system/bootloader-grub-legacy/grub_legacy_password/rule.yml
@@ -37,6 +37,7 @@ references:
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
     cis-csc: 1,12,15,16,5
+    anssi: NT28(R17)
 
 ocil_clause: 'it does not'
 

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
@@ -65,6 +65,7 @@ references:
     cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10
     iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
     cis-csc: 1,11,12,14,15,16,18,3,5
+    anssi: NT28(R17)
 
 ocil_clause: 'it does not'
 

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -65,6 +65,7 @@ references:
     cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.03,DSS06.06
     iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 11,12,14,15,16,18,3,5
+    anssi: NT28(R17)
 
 ocil_clause: 'it does not'
 

diff --git a/...tem/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/...tem/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
@@ -27,6 +27,7 @@ references:
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 12,13,14,15,16,18,3,5
+    anssi: NT28(R36)
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/gshadow", owner="root") }}}'
 

diff --git a/...stem/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/...stem/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
@@ -32,6 +32,7 @@ references:
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 12,13,14,15,16,18,3,5
+    anssi: NT28(R36)
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/shadow", owner="root") }}}'
 

diff --git a/...rmissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/...rmissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -17,7 +17,7 @@ identifiers:
     cce@rhel8: 80811-3
 
 references:
-    anssi@debian8: NT28(R36)
+    anssi: NT28(R36)
     stigid@rhel6: RHEL-06-000038
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'

diff --git a/...ermissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/...ermissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -20,7 +20,7 @@ identifiers:
     cce@rhel8: 80813-9
 
 references:
-    anssi@debian8: NT28(R36)
+    anssi: NT28(R36)
     stigid@rhel6: RHEL-06-000035
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
@@ -20,5 +20,6 @@ severity: unknown
 
 references:
     cis: 1.1.14
+    anssi: NT28(R12)
 
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -29,5 +29,6 @@ references:
     cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06
     iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2
     cis-csc: 11,13,14,3,8,9
+    anssi: NT28(R12)
 
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -29,5 +29,6 @@ references:
     cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06
     iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2
     cis-csc: 11,13,14,3,8,9
+    anssi: NT28(R12)
 
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -32,5 +32,6 @@ references:
     cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06
     iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2
     cis-csc: 11,13,14,3,8,9
+    anssi: NT28(R12)
 
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -29,5 +29,6 @@ references:
     cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06
     iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2
     cis-csc: 11,13,14,3,8,9
+    anssi: NT28(R12)
 
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -18,5 +18,6 @@ severity: unknown
 
 references:
     cis: 1.1.8
+    anssi: NT28(R12)
 
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -18,5 +18,6 @@ severity: unknown
 
 references:
     cis: 1.1.10
+    anssi: NT28(R12)
 
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -18,5 +18,6 @@ severity: unknown
 
 references:
     cis: 1.1.9
+    anssi: NT28(R12)
 
 platform: machine
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
@@ -22,6 +22,7 @@ references:
     cis: 1.5.1
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
     nist: SI-11
+    anssi: NT28(R23)
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.suid_dumpable", value="0") }}}
 

diff --git a/...issions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/...issions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
@@ -29,6 +29,7 @@ references:
     nist: SC-30(2),SC-39
     srg: SRG-OS-000480-GPOS-00227
     stigid: "040201"
+    anssi: NT28(R23)
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.randomize_va_space", value="2") }}}
 

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -22,6 +22,7 @@ references:
     disa: "1314"
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
     nist: SI-11
+    anssi: NT28(R23)
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}}
 

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -17,6 +17,9 @@ severity: medium
 identifiers:
     cce@rhel8: 80953-3
 
+references:
+    anssi: NT28(R25)
+
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
 
 platform: machine
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
@@ -11,6 +11,9 @@ description: |-
 
 rationale: ""
 
+references:
+    anssi: NT28(R67)
+
 severity: medium
 
 {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
@@ -11,6 +11,9 @@ description: |-
 
 rationale: ""
 
+references:
+    anssi: NT28(R67)
+
 severity: medium
 
 {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
@@ -20,7 +20,7 @@ identifiers:
     cce@rhel8: 80851-9
 
 references:
-    anssi@debian8: NT28(R12)
+    anssi: NT28(R12)
     stigid@rhel6: RHEL-06-000001
     srg@rhel6: SRG-OS-999999
     nist@rhel6: SC-32

diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -18,6 +18,7 @@ severity: low
 
 references:
     cis: 1.1.7
+    anssi: NT28(R12)
 
 {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}}
 

diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
@@ -54,6 +54,7 @@ references:
     cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02
     iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3
     cis-csc: 18,20,4
+    anssi: NT28(R08)
 
 {{# Make sure all the external OVAL content links are secured via TLS! #}}
 

diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -9,6 +9,29 @@ description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI st
 extends: anssi_nt28_intermediary
 
 selections:
+    # ==============================================
+    # R38 - Executable setuid root
     - file_permissions_unauthorized_suid
     - file_permissions_unauthorized_sgid
+
     - rsyslog_remote_loghost
+
+    # R13 - Access restricions on System.map files
+    # When the /boot partition cannot be dismounted (or it does not exist),
+    # the file(s) System.map must be read restricted to root only.
+    - file_permissions_systemmap
+
+    # R17 Boot loader password
+    - grub2_password
+    - grub2_uefi_password
+
+    # R25 Yama module sysctl configuration
+    - sysctl_kernel_yama_ptrace_scope
+
+    # R29 User session timeout
+    - accounts_tmout
+    - sshd_set_idle_timeout
+
+    # R35 umask value
+    - accounts_umask_etc_login_defs
+    - accounts_umask_etc_profile
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
@@ -17,3 +17,23 @@ selections:
     - aide_scan_notification
     - aide_verify_acls
     - aide_verify_ext_attributes
+
+    # ==============================================
+    # R11 - IOMMU Configuration Guidelines
+    # The iommu = force directive must be added to the list of kernel parameters
+    # during startup in addition to those already present in the configuration
+    # files of the bootloader (/boot/grub/menu.lst or  /etc/default/grub).
+    - grub2_enable_iommu_force
+
+    # ==============================================
+    # R67 - Setting SELinux booleans
+    # It is recommended to set the following Boolean values to off:
+    # allow_execheap        if off, forbid processes to make their heap executable (heap);
+    # allow_execmem         if off, forbid processes to have a memory area with rights w (write) and x (execute);
+    # allow_execstack       if off, forbid processes to make their stack (stack) executable;
+
+    # secure_mode_insmod    if off, prohibits dynamic loading of modules by any process;
+    - sebool_secure_mode_insmod
+
+    # ssh_sysadm_login      if off, forbid SSH logins to connect directly in sysadmin role.
+    - sebool_ssh_sysadm_login
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -9,18 +9,39 @@ description: 'Draft profile for ANSSI compliance at the intermediary level. ANSS
 extends: anssi_nt28_minimal
 
 selections:
+
+    # ==============================================
+    # R12 Partitioning
     - partition_for_tmp
+    - mount_option_tmp_nosuid
+    - mount_option_tmp_nodev
+    - mount_option_tmp_noexec
     - partition_for_var
+    - partition_for_var_tmp
+    - mount_option_var_tmp_nosuid
+    - mount_option_var_tmp_nodev
+    - mount_option_var_tmp_noexec
     - partition_for_var_log
     - partition_for_var_log_audit
     - partition_for_home
+    - mount_option_home_nosuid
+    - mount_option_home_nodev
+
     - sshd_idle_timeout_value=5_minutes
     - rsyslog_files_ownership
     - rsyslog_files_groupownership
     - rsyslog_files_permissions
     - ensure_logrotate_activated
-    - sysctl_fs_suid_dumpable
-    - sysctl_kernel_randomize_va_space
+
+    # ==============================================
+    # R19  - Accountability of administration
+    # Each administrator must have a dedicated account (local or remote), and not use the root
+    # account as the access account for system administration.
+    #
+    # Change of privilege operations must be based on executables to monitor the activities
+    # performed (for example sudo).
+    - no_direct_root_logins
+    - sshd_disable_root_login
 
     # ==============================================
     # R22 - Setting up network sysctl
@@ -124,3 +145,49 @@ selections:
     # Maximum number of autoconfigured addresses per interface
     # net.ipv6.conf.all.max_addresses = 1
     # net.ipv6.conf.default.max_addresses = 1
+
+    # ==============================================
+    #  R23 - Setting system sysctl
+    # Here is a list of recommended system sysctl (in the format /etc/sysctl.conf):
+    # Disabling SysReq
+    # kernel. sysrq = 0
+
+    # No core dump of executable setuid
+    - sysctl_fs_suid_dumpable
+
+    # Prohibit links to find links to files
+    # the current user is not the owner
+    # Can prevent some programs from working properly
+    - sysctl_fs_protected_symlinks
+    - sysctl_fs_protected_hardlinks
+
+    # Activation of the ASLR
+    - sysctl_kernel_randomize_va_space
+
+    # Prohibit mapping of memory in low addresses (0)
+    # vm.mmap_min_addr = 65536
+
+    # Larger choice space for PID values
+    # kernel.pid_max = 65536
+
+    # Obfuscation of addresses memory kernel
+    - sysctl_kernel_kptr_restrict
+
+    # Access restriction to the dmesg buffer
+    - sysctl_kernel_dmesg_restrict
+
+    # Restricts the use of the perf system
+    # kernel.perf_event_paranoid = 2
+    # kernel.perf_event_max_sample_rate = 1
+    # kernel.perf_cpu_time_max_percent = 1
+
+    # ==============================================
+    # R36 - Rights to access sensitive content files
+    # Sensitive content files should only be readable by users with strict need to know.
+    - file_owner_etc_shadow
+    - file_permissions_etc_shadow
+    - file_owner_etc_gshadow
+    - file_permissions_etc_gshadow
+    - file_permissions_etc_passwd
+    - file_permissions_etc_group
+