Update ANSSI BP-028 to version 2.0 #10334
Skipping CI for Draft Pull Request.
ac1c202 to 74038af
- Reorder and renumber the recommendations
- Selection of rules updated
- Control statuses updated
Some rules were added while others were removed.
- sysctl_fs_protected_fifos
- sysctl_fs_protected_regular
- sysctl_net_ipv6_conf_default_disable_ipv6
Select sysctl_kernel_panic_on_oops; Select value 2 for sysctl_kernel_kptr_restrict
hidepid can cause problems with PolicyKit and D-Bus.
Add ANSSI references to rules that configure the IPv6 stack.
Remove ANSSI references from rules that are not selected anymore.
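The commits above select or drop kernel-parameter rules (fs.protected_fifos, fs.protected_regular, net.ipv6.conf.default.disable_ipv6, kernel.panic_on_oops, kernel.kptr_restrict set to 2). As an added example, not code from the ComplianceAsCode project or from this PR, here is a small checker that parses the `key = value` lines printed by `sysctl -a` and reports which of those settings differ from the expected value. Only `kernel.kptr_restrict = 2` is stated in the PR; the other expected values, the constructed sample dump and the function names are assumptions made for this illustration.

```python
"""Compare a sysctl dump against expected kernel settings.

Added example, not project code. Parses the 'key = value' lines that
`sysctl -a` prints and reports keys whose value differs from the expected one
(or that are missing from the dump).
"""

# Expected values keyed by sysctl name.  kernel.kptr_restrict = 2 is stated in
# the PR; every other value here is assumed for this example.
EXPECTED = {
    "fs.protected_fifos": "2",                   # assumed
    "fs.protected_regular": "2",                 # assumed
    "net.ipv6.conf.default.disable_ipv6": "1",   # assumed
    "kernel.panic_on_oops": "1",                 # assumed
    "kernel.kptr_restrict": "2",                 # value from the PR
}

# Constructed sample of `sysctl -a` output with two non-compliant settings
# (protected_fifos too low, kptr_restrict disabled).
SAMPLE_DUMP = """\
fs.protected_fifos = 1
fs.protected_regular = 2
fs.protected_hardlinks = 1
net.ipv6.conf.default.disable_ipv6 = 1
kernel.panic_on_oops = 1
kernel.kptr_restrict = 0
"""


def parse_sysctl(dump: str) -> dict:
    """Turn sysctl output into {key: value}; blank and comment lines are skipped.

    The split is on the first '=' only, so values that contain '=' survive.
    """
    settings = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_compliance(dump: str, expected: dict = EXPECTED) -> dict:
    """Return {key: (actual, expected)} for every expected key that fails.

    A key absent from the dump is reported with actual=None rather than
    silently passing, since a missing parameter is not a compliant one.
    """
    actual = parse_sysctl(dump)
    failures = {}
    for key, want in expected.items():
        got = actual.get(key)
        if got != want:
            failures[key] = (got, want)
    return failures


if __name__ == "__main__":
    # Run against the constructed sample; on a real host feed in `sysctl -a`.
    for key, (got, want) in sorted(check_compliance(SAMPLE_DUMP).items()):
        print(f"FAIL {key}: got {got!r}, expected {want!r}")
```

Reporting missing keys as failures matters in practice: a parameter such as `net.ipv6.conf.default.disable_ipv6` does not exist at all when the IPv6 stack is disabled in the kernel, and a checker that treats "absent" as "fine" would hide that difference from the profile's expectation.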
48ab889 to 7305fec
@teacup-on-rockingchair Hi, have you had any involvement in the development of ANSSI profiles for SLE?
@dodys Hi, do you have any thoughts on this update? Edit: I see that Ubuntu doesn't use the ANSSI Control file. So this PR won't affect Ubuntu's ANSSI profiles.
@freddieRv Hi, do you have any thoughts on this update? The ANSSI BP-028 profiles for OL will be updated to 2.0.
I did indeed, will try to provide feedback till end of the week, thanks for the heads up 🙇 Do we have a CIS-like comparison between old and new revision, or just go over the requirement of the new spec?
Code Climate has analyzed commit a9a8b1e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.8% (0.0% change). View more on Code Climate.
@teacup-on-rockingchair You mean generated by us? No.
Thank you for the fixes and improvements @vojtapolasek :)
Changes LGTM.
Thanks for the efforts guys!
@teacup-on-rockingchair Hi, did you have a chance to look at the ANSSI 2.0 update?
Did some initial review and tests LGTM 👍
I have checked all commits and the final control file. The changes are sane and the control file parameters are consistent with the referenced document. I didn't check each rule in detail to confirm they are doing exactly what is expected from the requirement. But they were mostly just included in the control file. So, if any referenced rule needs updates, it is not in the scope of this PR.
Overriding CODEOWNERS since a SUSE approver is not currently available. Also, we have a green light from one of the SUSE contributors: #10334 (comment)
Too many disruptive changes to cherry pick.

Only in master:
- 91023c9|2023-11-02|2023-11-08 Review and update pcidss_4 requirement 10.2.1.7 [Marcus Burghardt]
- 3a89685|2023-10-31|2023-10-31 Merge pull request ComplianceAsCode#11193 from Mab879/add_rhel9_stig [GitHub]
- 2df3231|2023-10-18|2023-10-27 Copy Debian11 product to Debian12 [Paul Rensing]
- 2804dfb|2023-10-17|2023-10-18 Add rule for RHEL-09-654080 [Matthew Burket]
- 92e7882|2023-08-02|2023-09-12 Fix UBTU-20-010179 to use proper parameters and key [Dexter Le]
- c493b4d|2023-05-22|2023-07-19 SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules [Jakub Hrozek]
- bdcd7c9|2023-05-22|2023-07-19 SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful attempts to modify privileges occur [Jakub Hrozek]
- 29f415f|2023-05-05|2023-07-06 products/anolis23: supports Anolis OS 23 [YuQing]
- ec2bfe8|2023-05-28|2023-05-28 fix: uid_min: use it in audit auid checks, out jinja macro [Markus Linnala]
- 8fe3315|2023-04-21|2023-05-15 Update jinja conditionals that apply to any ol [Edgar Aguilar]
- 4f18ae7|2023-04-17|2023-04-18 Ensure that all files in the repo end with a newline [Matthew Burket]
- acc24a1|2023-04-11|2023-04-11 Merge pull request ComplianceAsCode#10334 from vojtapolasek/anssi_20_upstream [GitHub]
- 0c5d7b9|2023-03-30|2023-03-30 Drop Req prefix from pcidss4 reference ids [teacup-on-rockingchair]
- d6338b6|2023-03-19|2023-03-26 Extract rules from SLE15 profile to PCI-DSS v4 control file [teacup-on-rockingchair]
- 209fc25|2023-03-08|2023-03-23 add anssi references to rules [Vojtech Polasek]
- 5ae4bfd|2023-03-14|2023-03-14 Remove vmmsrg references from rules [Matthew Burket]
- e3886d4|2023-01-19|2023-01-19 Include CIS RHEL9 reference in Logging related rules [Marcus Burghardt]
- 9f273f2|2022-12-08|2022-12-14 ubuntu2204: cis_level2_server: Add cis references [Eduardo Barretto]
- 3d711c8|2022-11-30|2022-11-30 Merge pull request ComplianceAsCode#9897 from litios/master [GitHub]
- 795f076|2022-11-28|2022-11-28 Update rule tests to rely on platform_package_overrides + add needed alternatives to products [David Fernandez Gonzalez]
- 15abac6|2022-11-25|2022-11-25 Recognize all 64bit architectures in audit rules [Milan Lysonek]
- 5f2250d|2022-11-04|2022-11-07 products/anolis8: supports Anolis OS 8 [YiLin.Li]
- 2e2af47|2022-09-30|2022-10-04 Import STIG content for RHEL9 [Matthew Burket]
- e02980a|2022-09-19|2022-09-19 Remove Debian 9 from products [Matthew Burket]
- fd54c29|2022-08-31|2022-09-01 Add ol7 platform to existing required tests [Edgar Aguilar]
- 95f767a|2022-08-19|2022-08-22 Tag Ubuntu CIS reference for 22.04 [Juan Antonio Osorio]
- 7f5b811|2022-08-19|2022-08-22 Tag rules applicable to ubuntu2004 as applicable to ubuntu2204 too [Juan Antonio Osorio]
- 16e89ad|2022-08-10|2022-08-11 Add the AUID filters on audit kernel module rules [Federico Ramirez]
- a29edee|2022-08-03|2022-08-03 Add the AUID filters on audit kernel module rules [Watson Sato]
- b020fd2|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux3 full name error [YiLin.Li]
- 95cfa85|2022-07-15|2022-07-15 Update RHEL8 CIS refereces for logging and auditing rules [Marcus Burghardt]
- 41ea38b|2022-07-08|2022-07-08 Remove WRLinux 1019 product [Matthew Burket]
- 1b538df|2022-05-11|2022-06-16 Update references in OL8 STIG rules [Edgar Aguilar]
- 7a25ff4|2022-04-15|2022-06-08 products/alinux2 && controls: Add CIS Alibaba Cloud Linux (Aliyun Linux) 2 profiles [YiLin.Li]
- 32c8074|2022-05-24|2022-05-26 Add fixtext and srg_requirement to audit_rules_kernel_module_loading_init [Matthew Burket]
- fa81eb1|2022-04-06|2022-04-06 Merge pull request ComplianceAsCode#8327 from Xeicker/ol08-00-030390 [GitHub]
- c0ae24e|2022-04-04|2022-04-04 Update ansible in audit_rules_kernel_module rules [Edgar Aguilar]
- de702fb|2022-04-04|2022-04-04 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- 55f2f34|2022-03-30|2022-03-30 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- fa8680a|2022-03-22|2022-03-22 Group init_module and finit_module audit rules. [Yavor Georgiev]
- c8b9548|2022-03-09|2022-03-10 Add auid criteria to rules required by rhel8 [Edgar Aguilar]
- a62d887|2022-03-09|2022-03-10 Add auid criteria to rule to meet OL08-00-030360 [Edgar Aguilar]
- fb60278|2022-01-20|2022-01-25 Add OL9 prodtype to rules part of standard profile [Federico Ramirez]
- f2530de|2021-11-19|2021-11-29 Add OL8 STIG IDs [Federico Ramirez]
- a59d63a|2021-11-02|2021-11-02 Run ./utils/fix_rules.py sort_prodtypes [Matthew Burket]
- f59b8db|2021-10-08|2021-10-08 Add support for Debian 11 [Marco De Donno]
- 5ad8290|2021-08-20|2021-09-08 Completed CIS Chapters 4-6 Build currently failing. [Nico Truzzolino]
- 2214054|2021-08-26|2021-08-30 Converted function calls to macro invocations; removed the old function; fixed comment in macro file [Jiri Odehnal]

Only in focal:
- 782f6c4|2021-08-31|2021-09-01 Add packages entry to auditd tests [richardmaciel-canonical]
- f44e014|2021-08-17|2021-09-01 Fix auditd tests as the package is not installed by default in Ubuntu [richardmaciel-canonical]
- 60345d7|2021-08-24|2021-08-25 Automatically add Ubuntu to existing shared fixes [Richard Maciel Costa]
- 51c80e3|2021-07-08|2021-08-25 Manually add missing disa & srg references [Richard Maciel Costa]
Too many disruptive changes to cherry pick.

Only in master:
- 91023c9|2023-11-02|2023-11-08 Review and update pcidss_4 requirement 10.2.1.7 [Marcus Burghardt]
- 3a89685|2023-10-31|2023-10-31 Merge pull request ComplianceAsCode#11193 from Mab879/add_rhel9_stig [GitHub]
- 2df3231|2023-10-18|2023-10-27 Copy Debian11 product to Debian12 [Paul Rensing]
- 0bc66b3|2023-09-21|2023-10-18 Add RHEL 9 STIG IDs [Matthew Burket]
- 92e7882|2023-08-02|2023-09-12 Fix UBTU-20-010179 to use proper parameters and key [Dexter Le]
- c493b4d|2023-05-22|2023-07-19 SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules [Jakub Hrozek]
- bdcd7c9|2023-05-22|2023-07-19 SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful attempts to modify privileges occur [Jakub Hrozek]
- 29f415f|2023-05-05|2023-07-06 products/anolis23: supports Anolis OS 23 [YuQing]
- ec2bfe8|2023-05-28|2023-05-28 fix: uid_min: use it in audit auid checks, out jinja macro [Markus Linnala]
- 8fe3315|2023-04-21|2023-05-15 Update jinja conditionals that apply to any ol [Edgar Aguilar]
- 6f8a2ee|2023-04-25|2023-04-27 Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 [Marcus Burghardt]
- 4f18ae7|2023-04-17|2023-04-18 Ensure that all files in the repo end with a newline [Matthew Burket]
- acc24a1|2023-04-11|2023-04-11 Merge pull request ComplianceAsCode#10334 from vojtapolasek/anssi_20_upstream [GitHub]
- 0c5d7b9|2023-03-30|2023-03-30 Drop Req prefix from pcidss4 reference ids [teacup-on-rockingchair]
- d6338b6|2023-03-19|2023-03-26 Extract rules from SLE15 profile to PCI-DSS v4 control file [teacup-on-rockingchair]
- 209fc25|2023-03-08|2023-03-23 add anssi references to rules [Vojtech Polasek]
- 5ae4bfd|2023-03-14|2023-03-14 Remove vmmsrg references from rules [Matthew Burket]
- b77974c|2023-02-09|2023-02-14 Fix `>` to `>` for audit rules in RHEL 9 STIG [Matthew Burket]
- 45f48ce|2023-02-06|2023-02-14 Escape < and > in product specific content [Matthew Burket]
- 3d711c8|2022-11-30|2022-11-30 Merge pull request ComplianceAsCode#9897 from litios/master [GitHub]
- 795f076|2022-11-28|2022-11-28 Update rule tests to rely on platform_package_overrides + add needed alternatives to products [David Fernandez Gonzalez]
- 15abac6|2022-11-25|2022-11-25 Recognize all 64bit architectures in audit rules [Milan Lysonek]
- 5f2250d|2022-11-04|2022-11-07 products/anolis8: supports Anolis OS 8 [YiLin.Li]
- 2e2af47|2022-09-30|2022-10-04 Import STIG content for RHEL9 [Matthew Burket]
- e02980a|2022-09-19|2022-09-19 Remove Debian 9 from products [Matthew Burket]
- fd54c29|2022-08-31|2022-09-01 Add ol7 platform to existing required tests [Edgar Aguilar]
- 7f5b811|2022-08-19|2022-08-22 Tag rules applicable to ubuntu2004 as applicable to ubuntu2204 too [Juan Antonio Osorio]
- 16e89ad|2022-08-10|2022-08-11 Add the AUID filters on audit kernel module rules [Federico Ramirez]
- a29edee|2022-08-03|2022-08-03 Add the AUID filters on audit kernel module rules [Watson Sato]
- b020fd2|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux3 full name error [YiLin.Li]
- f035005|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux2 full name error [YiLin.Li]
- 41ea38b|2022-07-08|2022-07-08 Remove WRLinux 1019 product [Matthew Burket]
- 1b538df|2022-05-11|2022-06-16 Update references in OL8 STIG rules [Edgar Aguilar]
- 763df44|2022-05-09|2022-06-16 Clean and update OL8 STIG profile [Edgar Aguilar]
- 870a7f0|2022-05-24|2022-05-26 Add fixtext and srg_requirement to audit_rules_kernel_module_loading_finit [Matthew Burket]
- c0ae24e|2022-04-04|2022-04-04 Update ansible in audit_rules_kernel_module rules [Edgar Aguilar]
- de702fb|2022-04-04|2022-04-04 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- 55f2f34|2022-03-30|2022-03-30 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- c8b9548|2022-03-09|2022-03-10 Add auid criteria to rules required by rhel8 [Edgar Aguilar]
- c04d0fa|2022-03-09|2022-03-10 Add auid criteria to rule to meet OL08-00-030380 [Edgar Aguilar]
- d3756a7|2022-02-15|2022-02-15 Group RHEL7 STIG audit rules. [Gabriel Becker]
- dd8af26|2022-02-07|2022-02-08 Assign single STIGID to multiples syscalls rules of *init group. [Gabriel Becker]
- d29079c|2022-02-03|2022-02-04 Update STIG IDs to meet ol7 v2r6 [Edgar Aguilar]
- fb60278|2022-01-20|2022-01-25 Add OL9 prodtype to rules part of standard profile [Federico Ramirez]
- f2530de|2021-11-19|2021-11-29 Add OL8 STIG IDs [Federico Ramirez]
- a59d63a|2021-11-02|2021-11-02 Run ./utils/fix_rules.py sort_prodtypes [Matthew Burket]
- f59b8db|2021-10-08|2021-10-08 Add support for Debian 11 [Marco De Donno]
- 2214054|2021-08-26|2021-08-30 Converted function calls to macro invocations; removed the old function; fixed comment in macro file [Jiri Odehnal]

Only in focal:
- 782f6c4|2021-08-31|2021-09-01 Add packages entry to auditd tests [richardmaciel-canonical]
- f44e014|2021-08-17|2021-09-01 Fix auditd tests as the package is not installed by default in Ubuntu [richardmaciel-canonical]
- 9fbf7c4|2021-08-24|2021-08-25 Automatically add Ubuntu to existing shared fixes [Richard Maciel Costa]
- 51c80e3|2021-07-08|2021-08-25 Manually add missing disa & srg references [Richard Maciel Costa]
Description:
Rationale:
This PR introduces an updated version of the ANSSI profiles. The coverage is not 100%, but the rules which are present in the profile are aligned with the security policy.
Reference: https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Most changes were introduced by @yuumasato .
What still needs to be done?
- [x] investigate problem where Ansible playbook for RHEL 7 is aborted
- [x] gather rules which got removed during the upgrade process and remove ANSSI references