Bug 1497415 - [RFE] Add ANSSI-BP-028 to SSG (Minimal, Intermediary and Enhanced Levels) [rhel-7.9.z]
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Watson Yuuma Sato
QA Contact: Milan Lysonek
Jan Fiala
Depends On:
Blocks: 1563291 1891032 1920954
Reported: 2017-09-30 08:55 UTC by Luc de Louw
Modified: 2021-04-27 11:30 UTC

Fixed In Version: scap-security-guide-0.1.54-1.el7_9
Doc Type: Enhancement
Doc Text:
SCAP Security Guide has updated and improved ANSSI-BP-028 profiles

With the new profiles, you can harden the system to the recommendations from the French National Security Agency (ANSSI) for GNU/Linux systems at the Minimal, Intermediary and Enhanced hardening levels. As a result, you can configure and automate compliance of your RHEL 7 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles.

The Draft ANSSI profiles provided with the previous versions were aligned to ANSSI DAT-NT-028. Although the profile names and versions have changed, the IDs of the ANSSI profiles remain the same for backward compatibility, for example `xccdf_org.ssgproject.content_profile_anssi_nt28_minimal`.

WARNING: Automatic remediation might render the system non-functional. Run the remediation in a test environment first.

Notable changes in the ANSSI profiles include:
* The profiles for the Intermediary and Enhanced levels now require that the `/srv` and `/opt` directories be mounted on their own partitions. Because the profiles cannot automatically remediate and partition the disk, you need to partition the disk manually or reinstall the system with appropriate partitions.
* Rules configuring mount options for `/srv` and `/opt` will fail if these paths are not configured to be mounted on a separate partition.
* Evaluation results of rules checking for UEFI configurations on a system with BIOS firmware are now `notapplicable` instead of `pass`, which reflects the outcome of the check more accurately.

Known issue: The rule `dir_perms_world_writable_root_owned` fails after a hardened install with the OSCAP Anaconda Addon. This is caused by configuration limitations of polyinstantiation of the `/tmp` directory during installation. To fix this issue, apply the remediation for rule `accounts_polyinstantiated_tmp`. For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=1935097.
Clone Of:
: 1778188 1920954
Last Closed: 2021-04-27 11:30:11 UTC
Target Upstream Version:

Attachments: none

External links:
Red Hat Knowledge Base (Solution) 4176641 (last updated 2019-05-28 13:28:55 UTC)

Description Luc de Louw 2017-09-30 08:55:07 UTC
Description of problem:
The content for the French regulation ANSSI DAT-NT28 is not available for RHEL

Version-Release number of selected component (if applicable):
0.1.33 (And Fedora upstream)

How reproducible:

Steps to Reproduce:
1. yum install scap-security-guide
2. oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
3. ANSSI not in the list of profiles

Actual results:

Expected results:

Additional info:
In upstream SSG it is available for Debian, see https://github.com/OpenSCAP/scap-security-guide/tree/master/Debian/8/profiles
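The steps to reproduce above list the profiles in the SSG datastream with `oscap info`, and the Doc Text for the fix describes how to read an evaluation afterwards (the `notapplicable` results, the `/srv` and `/opt` partition requirement, and the known `dir_perms_world_writable_root_owned` failure). The script below is an added example for this page, not scap-security-guide or OpenSCAP code: it parses an XCCDF benchmark for the ANSSI profile IDs, summarizes a TestResult, maps failed rules to the remediation hint the Doc Text gives, and checks /proc/mounts for the separate partitions. The benchmark, results and mount table are constructed inline so it runs offline; the intermediary and enhanced profile IDs are assumed to follow the `anssi_nt28_minimal` pattern quoted in the Doc Text, and `example_uefi_rule` is a placeholder rule id.

```python
"""Inspect SSG XCCDF content for the ANSSI-BP-028 profiles, summarize an
evaluation, and check the separate-partition requirement.

Added example for this bug page, not scap-security-guide code.  All XML and
mount data below is CONSTRUCTED so the script runs offline; on a real system
feed it the datastream that `oscap info` reads, the file written by
`oscap xccdf eval --results`, and the contents of /proc/mounts.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"

# The minimal ID is quoted in the Doc Text; the other two are ASSUMED to
# follow the same naming pattern.
ANSSI_PROFILES = {
    "minimal": PROFILE_PREFIX + "anssi_nt28_minimal",
    "intermediary": PROFILE_PREFIX + "anssi_nt28_intermediary",
    "enhanced": PROFILE_PREFIX + "anssi_nt28_enhanced",
}

# Known issue from the Doc Text: this rule fails after a hardened install with
# the OSCAP Anaconda Addon until accounts_polyinstantiated_tmp is remediated.
KNOWN_ISSUES = {
    RULE_PREFIX + "dir_perms_world_writable_root_owned":
        "apply the remediation for " + RULE_PREFIX + "accounts_polyinstantiated_tmp",
}

# Intermediary and Enhanced require /srv and /opt on their own partitions.
SEPARATE_PARTITIONS = ["/srv", "/opt"]

# CONSTRUCTED benchmark: the intermediary profile is deliberately missing.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <Profile id="{ANSSI_PROFILES['minimal']}"><title>ANSSI-BP-028 (minimal)</title></Profile>
  <Profile id="{ANSSI_PROFILES['enhanced']}"><title>ANSSI-BP-028 (enhanced)</title></Profile>
  <Profile id="{PROFILE_PREFIX}standard"><title>Standard System Security Profile</title></Profile>
</Benchmark>"""

# CONSTRUCTED results; `example_uefi_rule` is a placeholder rule id.
RESULTS_XML = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_example">
  <profile idref="{ANSSI_PROFILES['minimal']}"/>
  <rule-result idref="{RULE_PREFIX}dir_perms_world_writable_root_owned"><result>fail</result></rule-result>
  <rule-result idref="{RULE_PREFIX}accounts_polyinstantiated_tmp"><result>fail</result></rule-result>
  <rule-result idref="{RULE_PREFIX}example_uefi_rule"><result>notapplicable</result></rule-result>
  <rule-result idref="{RULE_PREFIX}sysctl_net_ipv4_ip_forward"><result>pass</result></rule-result>
</TestResult>"""

# CONSTRUCTED /proc/mounts: /opt is its own partition, /srv is not.
PROC_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64 0 0
/dev/mapper/rhel-opt /opt xfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 /boot xfs rw,relatime 0 0
"""


def list_profiles(benchmark_xml):
    """{profile id: title}, the same information `oscap info` prints."""
    root = ET.fromstring(benchmark_xml)
    return {p.get("id"): p.findtext("x:title", default="", namespaces=NS)
            for p in root.findall("x:Profile", NS)}


def missing_anssi_levels(benchmark_xml):
    """ANSSI levels whose profile id is absent from the benchmark."""
    present = set(list_profiles(benchmark_xml))
    return [lvl for lvl, pid in ANSSI_PROFILES.items() if pid not in present]


def summarize_results(results_xml):
    """Count per-rule results; notapplicable is kept apart from pass."""
    root = ET.fromstring(results_xml)
    return Counter(rr.findtext("x:result", namespaces=NS)
                   for rr in root.findall("x:rule-result", NS))


def triage_failures(results_xml):
    """[(rule id, hint)] for every failed rule, using the known-issue table."""
    root = ET.fromstring(results_xml)
    hints = []
    for rr in root.findall("x:rule-result", NS):
        if rr.findtext("x:result", namespaces=NS) == "fail":
            rid = rr.get("idref")
            hints.append((rid, KNOWN_ISSUES.get(rid, "review the rule's description and remediation")))
    return hints


def separate_partitions(proc_mounts_text, paths=SEPARATE_PARTITIONS):
    """{path: True if a filesystem is mounted exactly at that path}."""
    mounted = {line.split()[1] for line in proc_mounts_text.splitlines() if line.strip()}
    return {p: p in mounted for p in paths}


if __name__ == "__main__":
    for pid, title in list_profiles(BENCHMARK_XML).items():
        print(f"{pid}: {title}")
    print("Missing ANSSI levels:", missing_anssi_levels(BENCHMARK_XML))
    print("Results:", dict(summarize_results(RESULTS_XML)))
    for rid, hint in triage_failures(RESULTS_XML):
        print(f"FAIL {rid}: {hint}")
    print("Separate partitions:", separate_partitions(PROC_MOUNTS))
```

Keeping `notapplicable` as its own bucket matters because, as the Doc Text notes, the UEFI rules on a BIOS machine now report it instead of `pass`; a summary that folds the two together would hide the change. The partition check only confirms that something is mounted at `/srv` and `/opt`, which is the precondition the mount-option rules need; it does not decide whether the partition layout itself is adequate.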

Comment 16 Bertrand 2019-02-01 13:19:15 UTC
Hello Francois,

Could you chime in on Marek's comment #15 here?
It started as a RHEL profile request.



Comment 27 Watson Yuuma Sato 2019-07-18 14:21:44 UTC
There are a few updates in ANSSI profile:
1. Mappings to enhanced and high profile: https://github.com/ComplianceAsCode/content/pull/4351
2. Add ANSSI network sysctl rules: https://github.com/ComplianceAsCode/content/pull/4345
3. Rule mappings: https://github.com/ComplianceAsCode/content/pull/4439
4. Profile enabled along with a few rules selected: https://github.com/ComplianceAsCode/content/pull/4615

About 40 requirements (out of 69) have no rule assigned to them. So about 42% requirement coverage.
It is important to note that some requirements are not actionable, like R16 - Repositories of hardened packages.

Comment 40 Chris Williams 2020-11-11 21:39:55 UTC
Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. 7.9 was the last minor release scheduled for RHEL 7.
From initial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed.

From the RHEL life cycle page:
"During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."

If this BZ was closed in error and meets the above criteria, please re-open it, flag it for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes:

Feature Requests can be re-opened and moved to RHEL 8 if the desired functionality is not already present in the product.

Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns.  

[0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7

Comment 41 Chris Williams 2020-11-11 23:16:53 UTC
Apologies for the inadvertent closure.

Comment 43 Matěj Týč 2021-02-01 14:21:00 UTC
Granting devel ACK, as the engineering aims to deliver minimal, intermediary and enhanced profiles of the ANSSI policy that would cover rules that are automation-friendly.

Comment 80 errata-xmlrpc 2021-04-27 11:30:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
