Bug 1497415
| Summary: | [RFE] Add ANSSI-BP-028 to SSG (Minimal, Intermediary and Enhanced Levels) [rhel-7.9.z] | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Luc de Louw <ldelouw> | |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> | |
| Status: | CLOSED ERRATA | QA Contact: | Milan Lysonek <mlysonek> | |
| Severity: | medium | Docs Contact: | Jan Fiala <jafiala> | |
| Priority: | high | |||
| Version: | 7.4 | CC: | adakopou, aeladawy, brault, cylopez, dhill, dsi-audes-oi-digit-myinfra, fduthill, fherrman, gkadam, jafiala, jreznik, ldelouw, matyc, mhaicman, mlysonek, openscap-maint, rbdiri, sboyron, ssigwald, svigan, wsato | |
| Target Milestone: | rc | Keywords: | FutureFeature, Rebase, Reopened, Triaged, ZStream | |
| Target Release: | --- | Flags: | lcervako: mirror+ | |
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | scap-security-guide-0.1.54-1.el7_9 | Doc Type: | Enhancement | |
| Doc Text: |
.SCAP Security Guide has updated and improved ANSSI-BP-028 profiles
With the new profiles, you can harden the system to the recommendations from the French National Security Agency (ANSSI) for GNU/Linux Systems at the Minimal, Intermediary and Enhanced hardening levels. As a result, you can configure and automate compliance of your RHEL 7 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles.
The Draft ANSSI profiles provided with the previous versions were aligned to ANSSI DAT-NT-028. Although the profile names and versions have changed, the IDs of the ANSSI profiles remain the same for backward compatibility, for example, `xccdf_org.ssgproject.content_profile_anssi_nt28_minimal`.
WARNING: Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
Notable changes in the ANSSI profile include:
* The profiles for the Intermediary and Enhanced levels now require that `/srv` and `/opt` be mounted on their own partitions. Because the profiles cannot automatically repartition the disk, you need to partition the disk manually or reinstall the system with appropriate partitions.
* Rules that configure mount options for `/srv` and `/opt` fail if these paths are not mounted on a separate partition.
* Rules that check UEFI configuration now evaluate to `notapplicable` instead of `pass` on systems with BIOS firmware, which reflects the actual state of the check more accurately.
Known issue: The rule `dir_perms_world_writable_root_owned` fails after a hardened installation with the OSCAP Anaconda Addon. This is caused by configuration limitations of polyinstantiation of the `/tmp` directory during installation. To fix this issue, apply the remediation for the rule `accounts_polyinstantiated_tmp`. For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=1935097.
| Story Points: | --- | | | |
| Clone Of: | ||||
| : | 1778188 1920954 | Environment: | | |
| Last Closed: | 2021-04-27 11:30:11 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1563291, 1891032, 1920954 | |||
|
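The release note above describes three things a practitioner has to handle when moving to these profiles: the Intermediary and Enhanced levels need `/srv` and `/opt` on their own partitions (which remediation cannot do for you), results now distinguish `notapplicable` from `pass` for UEFI rules on BIOS hosts, and the known issue is fixed by remediating one rule rather than the whole profile. The script below is an added example written for this page; it is not code from the bug report or from the scap-security-guide project. It assumes the RHEL 7 datastream path `/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml`, that the Intermediary and Enhanced profile IDs follow the `anssi_nt28_<level>` pattern of the `anssi_nt28_minimal` ID quoted in the note, and that the full ID of `accounts_polyinstantiated_tmp` carries the usual `xccdf_org.ssgproject.content_rule_` prefix. The mounts table and the results fragment it runs on are constructed samples, so the offline checks run without `oscap` installed; the `oscap` invocations are only executed when you call `anssi_scan` or `fix_polyinstantiated_tmp` yourself.

```shell
#!/bin/sh
# Added example for the ANSSI-BP-028 profiles in scap-security-guide on RHEL 7 (not project code).
# Assumed: datastream path, anssi_nt28_<level> profile ID pattern, content_rule_ prefix for rule IDs.

DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

# is_separate_mount PATH [MOUNTS_FILE]: succeed if PATH is itself a mount point in a
# /proc/self/mounts-style table (second field), fail if it is only a directory on a parent filesystem.
is_separate_mount() {
    awk -v p="$1" '$2 == p { found = 1 } END { if (found) exit 0; exit 1 }' "${2:-/proc/self/mounts}"
}

# check_anssi_partitions [MOUNTS_FILE]: report on /srv and /opt. The return value is the number of
# paths that are NOT separate partitions, so 0 means the Intermediary/Enhanced partition rules can pass.
check_anssi_partitions() {
    missing=0
    for p in /srv /opt; do
        if is_separate_mount "$p" "$1"; then
            echo "ok       $p is a separate mount point"
        else
            echo "MISSING  $p is on the parent filesystem; its partition and mount-option rules will fail"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# summarize_results RESULTS_XML: count rule results by status in an XCCDF results file. After this
# update a UEFI rule on a BIOS host is counted under notapplicable rather than pass.
summarize_results() {
    out=
    for s in pass fail notapplicable; do
        n=$(grep -c "<result>$s</result>" "$1") || n=0
        out="$out${out:+ }$s=$n"
    done
    echo "$out"
}

# anssi_scan LEVEL: evaluate against one ANSSI level and write a Bash remediation script to review,
# instead of passing --remediate to eval (the note warns automatic remediation can break the system).
anssi_scan() {
    level=${1:-minimal}
    profile="xccdf_org.ssgproject.content_profile_anssi_nt28_${level}"
    oscap xccdf eval --profile "$profile" \
        --results "anssi-${level}-results.xml" --report "anssi-${level}-report.html" "$DS"
    rc=$?   # 0: every rule passed, 1: oscap error, 2: at least one rule failed
    [ "$rc" -ne 1 ] || return 1
    summarize_results "anssi-${level}-results.xml"
    oscap xccdf generate fix --fix-type bash --profile "$profile" \
        --output "anssi-${level}-fix.sh" "$DS"
}

# fix_polyinstantiated_tmp LEVEL: the single-rule remediation for the known issue after a hardened
# OSCAP Anaconda Addon install, limited with --rule so nothing else on the host is changed.
fix_polyinstantiated_tmp() {
    profile="xccdf_org.ssgproject.content_profile_anssi_nt28_${1:-minimal}"
    oscap xccdf eval --remediate --profile "$profile" \
        --rule xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp "$DS"
}

# Constructed sample data: a host where /opt has its own partition but /srv does not, and a results
# fragment with the known-issue failure, one notapplicable and two passes (idrefs other than the two
# rules named in the release note are hypothetical).
SAMPLE_MOUNTS_TEXT='/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sda1 /boot xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/mapper/rhel-opt /opt xfs rw,nosuid,nodev,relatime 0 0
/dev/mapper/rhel-home /home xfs rw,nosuid,nodev,relatime 0 0'
SAMPLE_RESULTS_TEXT='<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_anssi_nt28_minimal">
  <rule-result idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_uefi_check"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_sysctl"><result>pass</result></rule-result>
</TestResult>'

m=$(mktemp); r=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS_TEXT" > "$m"
printf '%s\n' "$SAMPLE_RESULTS_TEXT" > "$r"
check_anssi_partitions "$m" || echo "$? path(s) need their own partition before an Intermediary or Enhanced scan"
summarize_results "$r"
rm -f "$m" "$r"
```

Run the partition check against the live host (no argument, so `/proc/self/mounts` is read) before scanning at the Intermediary or Enhanced level; a `MISSING` line means repartitioning or a reinstall, not remediation, is what will make those rules pass. Review the generated `anssi-<level>-fix.sh` on a test system before running it anywhere that matters.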
Description
Luc de Louw
2017-09-30 08:55:07 UTC
Hello Francois, could you chime in on Marek's comment #15 here; it started as a RHEL Profile request. Thanks, Bertrand

There are a few updates in ANSSI profile:
1. Mappings to enhanced and high profile: https://github.com/ComplianceAsCode/content/pull/4351
2. Add ANSSI network sysctl rules: https://github.com/ComplianceAsCode/content/pull/4345
3. Rule mappings: https://github.com/ComplianceAsCode/content/pull/4439
4. Profile enabled along with a few rules selected: https://github.com/ComplianceAsCode/content/pull/4615
About 40 requirements (out of 69) have no rule assigned to them. So about 42% requirement coverage. It is important to note that some requirements are not actionable, like R16 - Repositories of hardened packages.

Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. 7.9 was the last minor release scheduled for RHEL 7. From initial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed. From the RHEL life cycle page: https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase "During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available." If this BZ was closed in error and meets the above criteria please re-open it, flag it for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes: https://source.redhat.com/groups/public/pnt-cxno/pnt_customer_experience_and_operations_wiki/support_delivery_accelerated_fix_release_handbook Feature Requests can be re-opened and moved to RHEL 8 if the desired functionality is not already present in the product. Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns.
[0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7

Apologies for the inadvertent closure. Granting devel ACK, as the engineering aims to deliver minimal, intermediary and enhanced profiles of the ANSSI policy that would cover rules that are automation-friendly.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1383