This page summarizes which ANSSI rules are activated according to the level and
category of a host. It is the reference to consult before hardening a machine.
Understand first
The concepts used here (levels, categories, labels, MAC, egress…) are explained in Security notions.
```nix
darkone.system.security = {
  level = "intermediary";   # minimal | intermediary | reinforced | high
  category = "server";      # base | client | server
};
```
Levels are cumulative: intermediary adds its rules to those of minimal, and so on.
The category adds the rules specific to a workstation (client) or a server (server).
| Profile | Recommended category | Why |
|---|---|---|
| minimal, portable | base | Universal base |
| desktop, laptop | client | Screen, USB, interactive session |
| server, gateway, hcs, vm | server | Exposed services, network |
Each column shows the rule's state at that level (levels being cumulative). Legend:

| Icon | Meaning |
|---|---|
| ✅ | Active at this level |
| ⚠️ | Partial (see note) |
| ❌ | Not yet active at this level |
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| R3 | UEFI Secure Boot (if supported) | ❌ | ⚠️ | ⚠️ | ⚠️ |
| R5 | Bootloader password | ❌ | ⚠️ | ⚠️ | ⚠️ |
| C6 | LUKS2 disk encryption | ❌ | ⚠️ | ⚠️ | ⚠️ |
| R7 | IOMMU enabled | ❌ | ❌ | ✅ | ✅ |
| R29 | /boot restricted | ❌ | ❌ | ✅ | ✅ |
| R6 | cmdline and initramfs protection | ❌ | ❌ | ❌ | ✅ |
R3, R5, C6: warning only, no boot reconfiguration
From intermediary onward, these rules emit a warning when the protection is not
detected, but they do not reconfigure the boot. Secure Boot (lanzaboote, key
enrollment) and LUKS encryption are declared in the host disk configuration
(disko); the module only signals their absence. The future checkScript will
verify their actual state.
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| R8 | Memory options on the command line | ❌ | ✅ | ✅ | ✅ |
| R9 | Hardening sysctls | ❌ | ✅ | ✅ | ✅ |
| R11 | Yama: ptrace restricted | ❌ | ✅ | ✅ | ✅ |
| R10 | Module loading disabled | ❌ | ❌ | ✅ | ✅ |
| R60 | linux_hardened kernel | ❌ | ❌ | ✅ | ✅ |
| C1 | linux-hardened patches | ❌ | ❌ | ❌ | ✅ |
| C2 | LSM Lockdown | ❌ | ❌ | ❌ | ✅ |
| R15–R27 | Compile-time hardening | ❌ | ❌ | ❌ | ✅ |
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| R30 | Disabled unused accounts | ✅ | ✅ | ✅ | ✅ |
| R31 | Strong passwords | ✅ | ✅ | ✅ | ✅ |
| R68 | Password storage in yescrypt | ✅ | ✅ | ✅ | ✅ |
| R32 | Lock on inactivity | ❌ | ✅ | ✅ | ✅ |
| R33 | Admin action traceability | ❌ | ✅ | ✅ | ✅ |
| R34 | Service accounts without shell | ❌ | ✅ | ✅ | ✅ |
| R35 | Unique service accounts | ❌ | ✅ | ✅ | ✅ |
| R67 | Secure remote PAM | ❌ | ⚠️ | ⚠️ | ⚠️ |
| R69 | User databases over TLS | ❌ | ⚠️ | ⚠️ | ⚠️ |
| R70 | System accounts ≠ directory | ❌ | ⚠️ | ⚠️ | ⚠️ |
| C10 | Anti brute-force, session limits | ❌ | ✅ | ✅ | ✅ |
R67, R69, R70: remote directory deferred
These rules only concern a remote directory (SSSD/nslcd), not used by DNF
today; their TLS aspect is deferred (future checkScript). Only local
anti-brute-force (pam_faillock, see C10) is active from intermediary.
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| R39 | Hardened sudo directives | ❌ | ✅ | ✅ | ✅ |
| R40 | Non-root sudo targets | ❌ | ✅ | ✅ | ✅ |
| R42 | Negation prohibition | ❌ | ✅ | ✅ | ✅ |
| R44 | sudoedit for editing | ❌ | ✅ | ✅ | ✅ |
| R38 | Dedicated sudo group | ❌ | ❌ | ✅ | ✅ |
| R41 | Limited NOEXEC overrides | ❌ | ❌ | ✅ | ✅ |
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| R53 | Orphaned file detection | ✅ | ✅ | ✅ | ✅ |
| R54 | Sticky bit on /tmp and /var/tmp | ✅ | ✅ | ✅ | ✅ |
| R56 | setuid detection outside whitelist | ✅ | ✅ | ✅ | ✅ |
| R14 | Filesystem sysctls | ❌ | ✅ | ✅ | ✅ |
| R28 | Partitioning and mount options | ❌ | ✅ | ✅ | ✅ |
| R50 | Sensitive file restriction | ❌ | ✅ | ✅ | ✅ |
| R52 | Socket and named pipe permissions | ❌ | ⚠️ | ⚠️ | ⚠️ |
| R55 | Per-user temporary directories | ❌ | ⚠️ | ⚠️ | ⚠️ |
| R36 | UMASK 0077 | ❌ | ❌ | ✅ | ✅ |
| R57 | Minimal root setuid (capabilities) | ❌ | ❌ | ✅ | ✅ |
R28, R52, R55: designated services and partitions
R28 hardens /tmp, /proc and /dev/shm by default; options on /var/log,
/srv, /opt, /home are added via darkone.security.filesystem.extraMountHardening
(separate partitions required). R52 (0750 mode for runtime directories)
and R55 (private /tmp per service) apply to units listed in
darkone.security.services.hardenedUnits — empty by default. See R63.
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| R62 | Obsolete services disabled | ✅ | ✅ | ✅ | ✅ |
| R63 | Reduced service capabilities | ❌ | ⚠️ | ⚠️ | ⚠️ |
| R37 | Mandatory access control (MAC) | ❌ | ❌ | ✅ | ✅ |
| R45 | AppArmor profiles | ❌ | ❌ | ✅ | ✅ |
| R64 | Restricted service privileges | ❌ | ❌ | ✅ | ✅ |
| R65 | Service isolation (namespaces) | ❌ | ❌ | ✅ | ✅ |
| R66 | Container hardening | ❌ | ❌ | ❌ | ✅ |
R63: opt-in sandboxing per service
Full systemd confinement (ProtectSystem=strict, system call filters,
MemoryDenyWriteExecute, UMask=0027…) applies to the units declared in
darkone.security.services.hardenedUnits. The list is empty by default: blind
hardening would break services. The confinement acts as a floor, overridable per
unit, and the needs-jit tag lifts MemoryDenyWriteExecute for JIT engines.
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| R80 | Monitoring listening ports | ✅ | ✅ | ✅ | ✅ |
| C4 | Firewall default deny | ⚠️ | ⚠️ | ✅ | ✅ |
| R12 | IPv4 network sysctls | ❌ | ✅ | ✅ | ✅ |
| R13 | IPv6 disabled (unless no-ipv6) | ❌ | ✅ | ✅ | ✅ |
| C5 | OpenSSH hardening | ❌ | ✅ | ✅ | ✅ |
| C7 | NTS time synchronization | ❌ | ✅ | ✅ | ✅ |
| C8 | Secure DNS resolver (DNSSEC, DoT) | ❌ | ✅ | ✅ | ✅ |
| R79 | Hardened exposed services (server) | ❌ | ✅ | ✅ | ✅ |
| R78 | Network service isolation (server) | ❌ | ❌ | ✅ | ✅ |
C4 partial at the first two levels
At minimal and intermediary levels, C4 covers inbound filtering
(default deny). Outbound filtering (egress) is added from
reinforced and above.
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| R71 | Persistent sealed logging | ❌ | ❌ | ✅ | ✅ |
| R72 | Dedicated logs per service | ❌ | ❌ | ✅ | ✅ |
| R73 | auditd with ANSSI rules | ❌ | ❌ | ✅ | ✅ |
| C9 | Core dumps disabled | ❌ | ❌ | ✅ | ✅ |
| R76 | Sealing and integrity verification | ❌ | ❌ | ❌ | ✅ |
| R77 | Sealed base protection | ❌ | ❌ | ❌ | ✅ |
| Code | Rule | Min | Inter | Rein | High |
|---|---|---|---|---|---|
| C11 | Legal access banners | ✅ | ✅ | ✅ | ✅ |
| C12 | cron / at restricted | ✅ | ✅ | ✅ | ✅ |
| R61 | Regular updates | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| R74 | Hardened local mail | ❌ | ✅ | ✅ | ✅ |
| R75 | Mail alias (root → admin) | ❌ | ✅ | ✅ | ✅ |
| R51 | Installation secret rotation | ❌ | ❌ | ✅ | ✅ |
| C3 | USBGuard (workstation) | ❌ | ❌ | ✅ | ✅ |
Two safety valves allow bypassing a specific protection without lowering the global level.

- Tags (excludes): exclude a group of incompatible rules (e.g. needs-jit, no-ipv6).
- Exceptions (exceptions): bypass one rule; a justification is required.

Details on these safety valves are in Security concepts.
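One host configuration that exercises the knobs this page names, added here as an example and not taken from the module's own code. It covers the R28 note (extraMountHardening), the R63 note (hardenedUnits, the per-unit floor, needs-jit) and the two safety valves above. The option paths are the ones the page gives; the value shapes of excludes, exceptions, extraMountHardening and hardenedUnits, the placement of excludes and exceptions under darkone.system.security, and the myapp unit and its paths are assumptions, not documented behaviour.

```nix
# Added example for this reference page; not the module's own code.
# Option paths are the ones the page names. The value shapes of
# excludes, exceptions, extraMountHardening and hardenedUnits are
# ASSUMED (lists of strings, a list of attrsets) and must be checked
# against the module's option declarations before use.
{ lib, ... }:

{
  darkone.system.security = {
    level = "reinforced";   # minimal | intermediary | reinforced | high
    category = "server";    # base | client | server

    # Tag: this host runs a JIT engine, so the rules incompatible with
    # it are excluded (needs-jit lifts MemoryDenyWriteExecute, see R63).
    excludes = [ "needs-jit" ];               # ASSUMED: list of tag names

    # Exception: bypass one rule on this host only, with a justification.
    # The level stays at reinforced; only R10 is lifted here.
    exceptions = [                            # ASSUMED: { rule, justification }
      {
        rule = "R10";                         # Module loading disabled
        justification = "Hypothetical: this gateway loads netfilter helpers after boot.";
      }
    ];
  };

  # R28: /tmp, /proc and /dev/shm are hardened by default. Extra mount
  # options on these paths require each one to be a separate partition.
  darkone.security.filesystem.extraMountHardening =   # ASSUMED: list of mount points
    [ "/var/log" "/srv" "/home" ];

  # R52/R55/R63: sandboxing is opt-in. Only the listed units receive the
  # floor (ProtectSystem=strict, syscall filters, MemoryDenyWriteExecute,
  # UMask=0027, 0750 runtime directories, private /tmp). myapp is hypothetical.
  darkone.security.services.hardenedUnits = [ "nginx" "myapp" ];  # ASSUMED: unit names

  # The floor is overridable per unit. Assuming the module applies it
  # through the standard NixOS systemd options, the usual merge rules apply:
  # ReadWritePaths composes with ProtectSystem=strict, and lib.mkForce
  # replaces one directive for this unit only.
  systemd.services.myapp.serviceConfig = {
    ReadWritePaths = [ "/srv/myapp/data" ];  # hypothetical data directory
    UMask = lib.mkForce "0022";              # files myapp writes are served by nginx
  };
}
```

Before relying on the assumed shapes, read the module's option declarations (for instance with nixos-option on darkone.system.security) and confirm that an exception without a justification is rejected at evaluation time, which is the property the page describes.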
Module under stabilization
Raise the level progressively and test each host before production.