From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 18 Jan 2021 11:18:43 +0100
Subject: [PATCH] Update metadata for a few miminal and intermediary
requirements
---
controls/anssi.yml | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..9288ac1663 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -506,7 +506,10 @@ controls:
- id: R27
title: Disabling service accounts
level: intermediary
- # rules: TBD
+ notes: >-
+ It is difficult to generally identify the system's service accounts.
+ Assisting rules could list users which are not disabled for manual review.
+ automated: no
- id: R28
level: enhanced
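Review bot: The new `automated: no` field here (and the `automated: yes` fields added in the later hunks of this file) is written as a bare YAML scalar, which a YAML 1.1 loader such as PyYAML parses as a boolean rather than as the string `"no"`. If the code consuming the controls file compares this field against strings, or if states beyond yes/no are anticipated for the same key, bare scalars will produce a mix of bool and str values. Quoting the value, `automated: "no"`, or documenting the field as a boolean in the controls format description would remove the ambiguity. The loader and the field's schema are not visible from this diff, so this is a check rather than a confirmed defect.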
@@ -530,7 +533,10 @@ controls:
- id: R30
level: minimal
title: Applications using PAM
- # rules: TBD
+ notes: >-
+ Manual review is necessary to decide if the list of applications using PAM is minimal.
+ Asssising rules could be created to list all applications using PAM for manual review.
+ automated: no
- id: R31
title: Securing PAM Authentication Network Services
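Review bot: The added note for R30 misspells `Asssising rules`, which should read `Assisting rules`; the same misspelling recurs in the R42 hunk, whose note also has `sevices` for `services`. These `notes` values are free text that is presumably surfaced to readers of the generated profile documentation, so the spelling is worth fixing before merge. A corrected line: `Assisting rules could be created to list all applications using PAM for manual review.`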
@@ -580,6 +586,7 @@ controls:
- id: R36
title: Rights to access sensitive content files
level: intermediary
+ automated: yes
rules:
- file_owner_etc_shadow
- file_permissions_etc_shadow
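Review bot: Marking R36 as `automated: yes` is only accurate if the rule list fully covers the control's scope, and the two rules visible in this hunk address ownership and permissions of a single file while the title is `Rights to access sensitive content files` in general. The rules list may well continue past the end of the hunk, so if further files are covered there this is fine; otherwise a `notes` entry stating which sensitive files are checked and which remain for manual review would keep the metadata honest, for example `notes: >-` followed by a sentence naming the covered files. This consideration applies equally to the other `automated: yes` additions in this commit.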
@@ -637,7 +644,10 @@ controls:
- id: R42
level: minimal
title: In memory services and daemons
- # rules: TBD
+ notes: >-
+ Manual review is necessary to decide if the list of resident daemons is minimal.
+ Asssising rules could be created to list sevices listening on the network for manual review.
+ automated: no
- id: R43
title: Hardening and configuring the syslog
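Review bot: The suggested assisting rule in the R42 note, listing services listening on the network, covers only a subset of what the control's title `In memory services and daemons` describes, since a resident daemon need not open a network socket. Rewording the second sentence to the broader set, `Assisting rules could be created to list enabled and running services for manual review.`, would match the control's scope (and fixes the `Asssising` and `sevices` spellings on that line). If network-facing services were the intended focus, the note should say why that narrower view is considered sufficient for this control.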
@@ -709,6 +719,7 @@ controls:
- id: R48
level: intermediary
title: Configuring the local messaging service
+ automated: yes
rules:
- postfix_network_listening_disabled
@@ -825,6 +836,7 @@ controls:
level: intermediary
title: Privileges of target sudo users
description: The targeted users of a rule should be, as much as possible, non privileged users.
+ automated: yes
rules:
- sudoers_no_root_target
@@ -840,12 +852,14 @@ controls:
level: intermediary
title: Good use of negation in a sudoers file
description: The sudoers configuration rules should not involve negation.
+ automated: yes
rules:
- sudoers_no_command_negation
- id: R63
level: intermediary
title: Explicit arguments in sudo specifications
+ automated: yes
rules:
- sudoers_explicit_command_args