ANSSI Mapping | Rule Title | Description | Rationale | Variable Setting |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD |
The sudo NOPASSWD tag, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
NOPASSWD tag does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/ .
|
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
||
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate |
The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/ .
|
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
||
NT28(R5) NT28(R46) |
Ensure rsyslog is Installed |
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog |
The rsyslog package provides the rsyslog daemon, which provides system logging services. | |
NT28(R5) NT28(R46) |
Enable rsyslog Service | The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
The rsyslog service must be running in order to provide
logging services, which are essential to system administration.
|
|
Verify Permissions on shadow File |
To properly set the permissions of /etc/shadow , run the command:
$ sudo chmod 0000 /etc/shadow |
The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
||
Verify Permissions on gshadow File |
To properly set the permissions of /etc/gshadow , run the command:
$ sudo chmod 0000 /etc/gshadow |
The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
||
Verify Permissions on passwd File |
To properly set the permissions of /etc/passwd , run the command:
$ sudo chmod 0644 /etc/passwd |
If the /etc/passwd file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security. |
||
Verify Permissions on group File |
To properly set the permissions of /etc/group , run the command:
$ sudo chmod 644 /etc/group |
The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |