From 76aede9cea67f4ea37eaa05ad74bf80273638de2 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 28 Oct 2020 18:52:13 +0100
Subject: [PATCH] Select rules for ANSSI R37

These rules are better fit for R37 than R38. R37 is about binaries designed to be used with setuid or setgid bits. R38 is about reducing number of binaries with setuid root.
---
 controls/anssi.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml
index 26bc7f4694..4648b98dff 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -590,8 +590,17 @@ controls:
 
     - id: R37
       level: minimal
-      title: Executables with setuid and/or setgid bits
-      # rules: TBD
+      title: Executables with setuid and setgid bits
+      notes: >-
+        Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set.
+        This requirement considers apropriate for setuid and setgid bits the binaries that are installed from
+        recognized and authorized repositories (covered in R15).
+        The remediation resets the sticky bit to intended value by vendor/developer, any finding after remediation
+        should be reviewed.
+      automated: yes
+      rules:
+        - file_permissions_unauthorized_suid
+        - file_permissions_unauthorized_sgid
 
     - id: R38
       level: enhanced
@@ -600,9 +609,7 @@ controls:
         Setuid executables should be as small as possible. When it is expected that only the administrators of the machine execute them, the setuid bit must be removed and prefer them commands like su or sudo, which can be monitored
-      rules:
-        - file_permissions_unauthorized_suid
-        - file_permissions_unauthorized_sgid
+      # rules: TBD
 
     - id: R39
       level: intermediary
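Review bot: The new `notes` block under R37 says the remediation "resets the sticky bit", but the requirement and the two rules selected here (`file_permissions_unauthorized_suid`, `file_permissions_unauthorized_sgid`) concern the setuid and setgid bits, so an auditor reading the control would be told the wrong permission bit is being corrected; suggest `The remediation resets the setuid and setgid bits to the values intended by the vendor/developer; any finding after remediation should be reviewed.` The second note line also has a typo, `apropriate` → `appropriate`. `automated: yes` depends on YAML 1.1 truthy parsing of `yes`; if the other controls in this file already spell it `true`, write `automated: true` here, otherwise keep the file's existing convention.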
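Review bot: Replacing R38's `rules` list with `# rules: TBD` leaves the control with no selected rules, while the fields that advertise its coverage (`level`, and presumably `automated`) sit above the hunk and are not touched; if the R38 stanza still carries `automated: yes`, it now overstates what the profile checks and should become `automated: no` until rules are chosen, mirroring how R37 gains `automated: yes` in the previous hunk. The R38 stanza begins outside this hunk, so this cannot be confirmed from the diff alone.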