Description of problem: Update RHEL-7 ANSSI-BP-028 High level profile. Currently, the profile xccdf_org.ssgproject.content_profile_anssi_nt28_high is in Draft state and of limited usefulness.

Additional info: RHEL-7.9.5 updated the ANSSI-BP-028 Minimal, Intermediary and Enhanced levels.
Summary of patches updating ANSSI High Profile:
R11 - https://github.com/ComplianceAsCode/content/pull/6956
R51 - https://github.com/ComplianceAsCode/content/pull/6960
R67 - https://github.com/ComplianceAsCode/content/pull/6988
R68 - https://github.com/ComplianceAsCode/content/pull/6969

Update to rule in Intermediary:
R58 - https://github.com/ComplianceAsCode/content/pull/6984

Metadata - https://github.com/ComplianceAsCode/content/pull/6997
Created attachment 1793066: HTML report from scan of a system installed with ANSSI High profile (minimal install)

Created attachment 1793067: HTML report from scan of a system installed with ANSSI High profile (Server with GUI install)
Verified for scap-security-guide-0.1.54-5.el7_9

Status of ANSSI High profile:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules without Bash and Ansible remediations (remediations are omitted on purpose):
sudoers_explicit_command_args
sudo_dedicated_group
sudoers_no_root_target
grub2_password
sysctl_kernel_modules_disabled
sebool_deny_execmem

Rules missing only Ansible remediations:
aide_verify_ext_attributes
aide_verify_acls
aide_scan_notification

Known issues:
postfix_network_listening_disabled - bz1828871, won't be fixed in RHEL7 but can be fixed by running remediation once more
accounts_polyinstantiated_var_tmp - needs to be remediated once more after installation
accounts_polyinstantiated_tmp - needs to be remediated once more after installation
dir_perms_world_writable_root_owned - bz1935097, only occurs on GUI installations, can be worked around by applying remediation of accounts_polyinstantiated_tmp rule once more

HTML reports from scan of a system installed with ANSSI High profile are attached as anssi_nogui.html (minimal install) and anssi_gui.html (Server with GUI install).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2803
Release note published: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/new_features#BZ-1955180