Bug 1955180
Summary: | Update ANSSI-BP-028 High level profile | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Watson Yuuma Sato <wsato> |
Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
Severity: | high | Docs Contact: | Mirek Jahoda <mjahoda> |
Priority: | high | ||
Version: | 7.9 | CC: | ggasparb, jafiala, jreznik, mhaicman, mjahoda, mlysonek, wsato |
Target Milestone: | rc | Keywords: | Triaged, ZStream |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | scap-security-guide-0.1.54-4.el7_9 | Doc Type: | Enhancement |
Doc Text: |
.`scap-security-guide` now provides an ANSSI-BP-028 High hardening level profile
With the release of the link:https://access.redhat.com/errata/RHBA-2021:2803[RHBA-2021:2803] advisory, the `scap-security-guide` packages provide an updated profile for ANSSI-BP-028 at the High hardening level. This addition completes the availability of profiles for all ANSSI-BP-028 v1.2 hardening levels. Using the updated profile, you can configure the system to comply with the recommendations from the French National Security Agency (ANSSI) for GNU/Linux Systems at the High hardening level.
As a result, you can configure and automate compliance of your RHEL 7 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles. The Draft ANSSI High profile provided with the previous versions has been aligned to ANSSI DAT-NT-028. Although the profile names and versions have changed, the IDs of the ANSSI profiles such as `xccdf_org.ssgproject.content_profile_anssi_nt28_high` remain the same to ensure backward compatibility.
WARNING:: Automatic remediation might render the system non-functional. Red Hat recommends running the remediation in a test environment first.
|
Last Closed: | 2021-07-21 01:06:27 UTC | Type: | Bug |
Description
Watson Yuuma Sato
2021-04-29 15:42:25 UTC
Summary of patches updating ANSSI High Profile
R11 - https://github.com/ComplianceAsCode/content/pull/6956
R51 - https://github.com/ComplianceAsCode/content/pull/6960
R67 - https://github.com/ComplianceAsCode/content/pull/6988
R68 - https://github.com/ComplianceAsCode/content/pull/6969

Update to rule in Intermediary
R58 - https://github.com/ComplianceAsCode/content/pull/6984

Metadata - https://github.com/ComplianceAsCode/content/pull/6997

Created attachment 1793066
HTML report from scan of a system installed with ANSSI High profile (minimal install)

Created attachment 1793067
HTML report from scan of a system installed with ANSSI High profile (Server with GUI install)
Verified for scap-security-guide-0.1.54-5.el7_9

Status of ANSSI High profile:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules without Bash and Ansible remediations (remediations are omitted on purpose):
sudoers_explicit_command_args
sudo_dedicated_group
sudoers_no_root_target
grub2_password
sysctl_kernel_modules_disabled
sebool_deny_execmem

Rules missing only Ansible remediations:
aide_verify_ext_attributes
aide_verify_acls
aide_scan_notification

Known issues:
postfix_network_listening_disabled - bz1828871, won't be fixed in RHEL7 but can be fixed by running remediation once more
accounts_polyinstantiated_var_tmp - needs to be remediated once more after installation
accounts_polyinstantiated_tmp - needs to be remediated once more after installation
dir_perms_world_writable_root_owned - bz1935097, only occurs on GUI installations, can be worked around by applying remediation of accounts_polyinstantiated_tmp rule once more

HTML reports from scan of a system installed with ANSSI High profile are attached as anssi_nogui.html (minimal install) and anssi_gui.html (Server with GUI install).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2803
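
The rule lists in the verification comment above can be used to triage a scan against this profile. The following is an added example, not code from this bug report or from the scap-security-guide project: it sorts failed rules from an XCCDF 1.2 results document into those with no remediation by design, those the comment says need the remediation applied once more, and everything else. It assumes rule IDs carry the `xccdf_org.ssgproject.content_rule_` prefix; the bucket names and the sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"

# Rule names copied from the verification comment in this bug report.
NO_REMEDIATION = {  # remediations omitted on purpose: fix by hand
    "sudoers_explicit_command_args", "sudo_dedicated_group",
    "sudoers_no_root_target", "grub2_password",
    "sysctl_kernel_modules_disabled", "sebool_deny_execmem",
}
RERUN_REMEDIATION = {  # known issues: apply the remediation once more
    "postfix_network_listening_disabled", "accounts_polyinstantiated_var_tmp",
    "accounts_polyinstantiated_tmp", "dir_perms_world_writable_root_owned",
}

def triage(results_xml):
    """Sort failed rules of an XCCDF results document into three buckets.

    The bucket names (manual, rerun, unexpected) are hypothetical labels.
    """
    buckets = {"manual": [], "rerun": [], "unexpected": []}
    root = ET.fromstring(results_xml)
    # iter() finds rule-result at any depth, so a bare TestResult and a
    # Benchmark that wraps one are both handled.
    for rr in root.iter("{%s}rule-result" % NS["x"]):
        if rr.findtext("x:result", default="", namespaces=NS).strip() != "fail":
            continue
        rule = rr.get("idref", "")
        if rule.startswith(RULE_PREFIX):
            rule = rule[len(RULE_PREFIX):]
        if rule in NO_REMEDIATION:
            buckets["manual"].append(rule)
        elif rule in RERUN_REMEDIATION:
            buckets["rerun"].append(rule)
        else:
            buckets["unexpected"].append(rule)
    return buckets

# Constructed sample, not taken from the attached reports.
SAMPLE = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">
<rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password"><result>fail</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp"><result>fail</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_aide_scan_notification"><result>pass</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_example_unlisted_rule"><result>fail</result></rule-result>
</TestResult>"""

if __name__ == "__main__":
    for bucket, rules in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(rules) or '-'}")
```

Failures in the unexpected bucket are the ones to investigate first; the other two buckets match behaviour already recorded in the verification comment.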