ANSSI DAT-NT28 (minimal)


ANSSI Mapping Rule Title Description Rationale Variable Setting
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
NT28(R5)
NT28(R46)
Ensure rsyslog is Installed Rsyslog is installed by default. The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog
The rsyslog package provides the rsyslog daemon, which provides system logging services.
NT28(R5)
NT28(R46)
Enable rsyslog Service The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 7. The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
The rsyslog service must be running in order to provide logging services, which are essential to system administration.
Verify Permissions on shadow File To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
Verify Permissions on gshadow File To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
Verify Permissions on passwd File To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Verify Permissions on group File To properly set the permissions of /etc/group, run the command:
$ sudo chmod 644 /etc/group
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.