From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 11 May 2021 17:14:24 +0200

Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening

---

 controls/anssi.yml | 15 +++++++++++----

 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml

index 2053de05c0..e9b9f1b803 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -70,6 +70,10 @@ controls:

       It is recommended to use the mandatory access control (MAC) features in

       addition to the traditional Unix user model (DAC), or possibly combine

       them with partitioning mechanisms.

+    notes: >-

+      Other partitioning mechanisms can include chroot and containers and are not contemplated

+      in this requirement.

+    automated: partially

     rules:

     - selinux_state

     - var_selinux_state=enforcing

@@ -161,6 +165,7 @@ controls:

       The iommu = force directive must be added to the list of kernel parameters

       during startup in addition to those already present in the configuration

       files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).

+    automated: yes

     rules:

     - grub2_enable_iommu_force

@@ -837,8 +842,8 @@ controls:

       not locally stored in clear), or possibly stored on a separate machine

       of the one on which the sealing is done.

       Check section "Database and config signing in AIDE manual"

-      https://github.com/aide/aide/blob/master/doc/manual.html

-    # rules: TBD

+      https://aide.github.io/doc/#signing

+    automated: no

   - id: R53

     level: enhanced

@@ -946,7 +951,7 @@ controls:

     title: Enable AppArmor security profiles

     description: >-

       All AppArmor security profiles on the system must be enabled by default.

-    # rules: TBD

+    automated: no

   - id: R66

     level: high

@@ -990,6 +995,7 @@ controls:

     description: >-

       SELinux policy manipulation and debugging tools should not be installed

       on a machine in production.

+    automated: yes

     rules:

     - package_setroubleshoot_removed

     - package_setroubleshoot-server_removed

@@ -1000,4 +1006,5 @@ controls:

     title: Confining interactive non-privileged users

     description: >-

       Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.

-    # rules: TBD

+    notes: Interactive users who still need to perform administrative tasks should not be confined with user_u.

+    automated: no

From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 11 May 2021 17:31:11 +0200

Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels

---

 controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++--------

 1 file changed, 75 insertions(+), 16 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml

index e9b9f1b803..291af65f58 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -19,8 +19,10 @@ controls:

       Those whose presence can not be justified should be disabled, removed or deleted.

     automated: partially  # The list of essential services is not objective.

     notes: >-

-      Use of obsolete or insecure services is not recommended.

-      The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later.

+      Manual review is required to assess if the installed services are minimal.

+      In general, use of obsolete or insecure services is not recommended.

+      Performing a minimal install is a good starting point, but doesn't provide any assurance

+      over any package installed later.

     rules:

     - package_dhcp_removed

     #- package_rsh_removed

@@ -45,10 +47,9 @@ controls:

       problematic from a security point of view.

       The features configured at the level of launched services should be limited to the strict

       minimum.

+    automated: no

     notes: >-

       Define a list of most problematic components or features to be hardened or restricted.

-      # potential components: sshd, pam, chrony?

-    # rules: TBD

   - id: R3

     level: enhanced

@@ -109,7 +110,10 @@ controls:

       Network services should as much as possible be hosted on isolated environments.

       This avoids having other potentially affected services if one of them gets

       compromised under the same environment.

-    #rules: TBD

+    notes: >-

+      Manual analysis is required to determine if services are hosted appropriately in

+      separate or isolated system while maintaining functionality.

+    automated: no

   - id: R7

     level: enhanced

@@ -117,6 +121,7 @@ controls:

     description: >-

       The activities of the running system and services must be logged and

       archived on an external, non-local system.

+    automated: yes

     rules:

     # The default remote loghost is logcollector.

     # Change the default value to the hostname or IP of the system to send the logs to

@@ -235,6 +240,7 @@ controls:

     notes: >-

       The rule disabling auto-mount for /boot is commented until the rules checking for other

       /boot mount options are updated to handle this usecase.

+    automated: no

     #rules:

     #- mount_option_boot_noauto

@@ -275,7 +281,7 @@ controls:

       hardening measures.

       Between two packages providing the same service, those subject to hardening

       (at compilation, installation, or default configuration) must be preferred.

-    #rules: TBD

+    automated: no

   - id: R17

     level: enhanced

@@ -283,6 +289,7 @@ controls:

     description: >-

       A boot loader to protect the password boot must be to be privileged.

       This password must prevent any user from changing their configuration options.

+    automated: yes # without remediation

     rules:

     - grub2_password

     - grub2_uefi_password

@@ -358,12 +365,28 @@ controls:

       must be set up as soon as the system is installed: account and administration

       passwords, root authority certificates, public keys, or certificates of the

       host (and their respective private key).

-    # rules: TBD

+    notes: >-

+      This concerns two aspects, the first is administrative, and involves prompt

+      installation of secrets or trusted elements by the sysadmin.

+      The second involves removal of any default secret or trusted element

+      configured by the operating system during install process, e.g. default

+      known passwords.

+    automated: no

   - id: R21

     level: intermediary

     title: Hardening and monitoring of services subject to arbitrary flows

-    # rules: TBD

+    notes: >-

+      SELinux can provide confinement and monitoring of services, and AIDE provides

+      basic integrity checking. System logs are configured as part of R43.

+      Hardening of particular services should be done on a case by case basis and is

+      not automated by this content.

+    automated: partially

+    rules:

+    - selinux_state

+    - var_selinux_state=enforcing

+    - package_aide_installed

+    - aide_build_database

   - id: R22

     level: intermediary

@@ -535,6 +558,7 @@ controls:

       sysctl kernel.modules_disabledconf:

       Prohibition of loading modules (except those already loaded to this point)

       kernel.modules_disabled = 1

+    automated: yes # without remediation

     rules:

     - sysctl_kernel_modules_disabled

@@ -545,6 +569,7 @@ controls:

       It is recommended to load the Yama security module at startup (by example

       passing the security = yama argument to the kernel) and configure the

       sysctl kernel.yama.ptrace_scope to a value of at least 1.

+    automated: yes

     rules:

     - sysctl_kernel_yama_ptrace_scope

@@ -553,13 +578,19 @@ controls:

     title: Disabling unused user accounts

     description: >-

       Unused user accounts must be disabled at the system level.

-    # rules: TBD

+    notes: >-

+      The definition of unused user accounts is broad. It can include accounts

+      whose owners don't use the system anymore, or users created by services

+      or applicatons that should not be used.

+    automated: no

   - id: R27

     title: Disabling service accounts

     level: intermediary

     notes: >-

       It is difficult to generally identify the system's service accounts.

+      UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values

+      are not enforced by the OS and can be changed over time.

       Assisting rules could list users which are not disabled for manual review.

     automated: no

@@ -568,7 +599,11 @@ controls:

     title: Uniqueness and exclusivity of system service accounts

     description: >-

       Each service must have its own system account and be dedicated to it exclusively.

-    # rules: TBD

+    notes: >-

+      It is not trivial to identify wether a user account is a service account.

+      UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values

+      are not enforced by the OS and can be changed over time.

+    automated: no

   - id: R29

     level: enhanced

@@ -778,6 +813,7 @@ controls:

     description: >-

       The syslog services must be isolated from the rest of the system in a

       dedicated container.

+    automated: no

     # rules: TBD

   - id: R46

@@ -825,6 +861,7 @@ controls:

       This includes: directories containing executables, libraries,

       configuration files, as well as any files that may contain sensitive

       elements (cryptographic keys, passwords, confidential data).

+    automated: yes

     rules:

     - package_aide_installed

     - aide_build_database

@@ -851,7 +888,12 @@ controls:

     description: >-

       The deployed services must have their access restricted to the system

       strict minimum, especially when it comes to files, processes or network.

-    # rules: TBD

+    notes: >-

+      SELinux policies limit the privileges of services and daemons to only what they require.

+    automated: partially

+    rules:

+    - selinux_policytype

+    - var_selinux_policy_name=targeted

   - id: R54

     level: enhanced

@@ -859,17 +901,24 @@ controls:

     description: >-

       Each component supporting the virtualization must be hardened, especially

       by applying technical measures to counter the exploit attempts.

-    # rules: TBD

+    notes: >-

+      It may be interesting to point out virtulization components that are installed and

+      should be hardened.

+    automated: no

   - id: R55

     level: intermediary

     title: chroot jail and access right for partitioned service

-    # rules: TBD

+    notes: >-

+      Automation to restrict access and chroot services is not generally reliable.

+    autmated: no

   - id: R56

     level: intermediary

     title: Enablement and usage of chroot by a service

-    # rules: TBD

+    notes: >-

+      Automation to restrict access and chroot services is not generally reliable.

+    automated: no

   - id: R57

     level: intermediary

@@ -924,7 +973,10 @@ controls:

     description: >-

       The commands requiring the execution of sub-processes (EXEC tag) must be

       explicitly listed and their use should be reduced to a strict minimum.

-    # rules: TBD

+    notes: >-

+      Human review is required to assess if the commands requiring EXEC is minimal.

+      An auxiliary rule could list rules containing EXEC tag, for analysis.

+    automated: no

   - id: R62

     level: intermediary

@@ -944,7 +996,13 @@ controls:

   - id: R64

     level: intermediary

     title: Good use of sudoedit

-    # rules: TBD

+    description: A file requiring sudo to be edited, must be edited through the sudoedit command.

+    notes: >-

+      In R62 we established that the sudoers files should not use negations, thus the approach

+      for this requirement is to ensure that sudoedit is the only text editor allowed.

+      But it is difficult to ensure that allowed binaries aren't text editors without human

+      review.

+    automated: no

   - id: R65

     level: high

@@ -959,6 +1017,7 @@ controls:

     description: >-

       It is recommended to enable the targeted policy when the distribution

       support it and that it does not operate another security module than SELinux.

+    automated: yes

     rules:

     - selinux_policytype

     - var_selinux_policy_name=targeted

From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Tue, 11 May 2021 17:49:42 +0200

Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles

---

 rhel7/profiles/anssi_nt28_high.profile | 2 +-

 rhel8/profiles/anssi_bp28_high.profile | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile

index 22efad9c09..560460b55f 100644

--- a/rhel7/profiles/anssi_nt28_high.profile

+++ b/rhel7/profiles/anssi_nt28_high.profile

@@ -1,6 +1,6 @@

 documentation_complete: true

-title: 'DRAFT - ANSSI-BP-028 (high)'

+title: 'ANSSI-BP-028 (high)'

 description: |-

     This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.

diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile

index 22efad9c09..560460b55f 100644

--- a/rhel8/profiles/anssi_bp28_high.profile

+++ b/rhel8/profiles/anssi_bp28_high.profile

@@ -1,6 +1,6 @@

 documentation_complete: true

-title: 'DRAFT - ANSSI-BP-028 (high)'

+title: 'ANSSI-BP-028 (high)'

 description: |-

     This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.

From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001

From: Watson Yuuma Sato <wsato@redhat.com>

Date: Fri, 14 May 2021 10:58:50 +0200

Subject: [PATCH 4/6] Fix typos and improve language

Co-authored-by: vojtapolasek <krecoun@gmail.com>

---

 controls/anssi.yml | 20 ++++++++++----------

 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml

index 291af65f58..81d099e98b 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -581,7 +581,7 @@ controls:

     notes: >-

       The definition of unused user accounts is broad. It can include accounts

       whose owners don't use the system anymore, or users created by services

-      or applicatons that should not be used.

+      or applications that should not be used.

     automated: no

   - id: R27

@@ -589,7 +589,7 @@ controls:

     level: intermediary

     notes: >-

       It is difficult to generally identify the system's service accounts.

-      UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values

+      UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values

       are not enforced by the OS and can be changed over time.

       Assisting rules could list users which are not disabled for manual review.

     automated: no

@@ -600,8 +600,8 @@ controls:

     description: >-

       Each service must have its own system account and be dedicated to it exclusively.

     notes: >-

-      It is not trivial to identify wether a user account is a service account.

-      UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values

+      It is not trivial to identify whether a user account is a service account.

+      UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values

       are not enforced by the OS and can be changed over time.

     automated: no

@@ -889,7 +889,7 @@ controls:

       The deployed services must have their access restricted to the system

       strict minimum, especially when it comes to files, processes or network.

     notes: >-

-      SELinux policies limit the privileges of services and daemons to only what they require.

+      SELinux policies limit the privileges of services and daemons just to those which are required.

     automated: partially

     rules:

     - selinux_policytype

@@ -902,7 +902,7 @@ controls:

       Each component supporting the virtualization must be hardened, especially

       by applying technical measures to counter the exploit attempts.

     notes: >-

-      It may be interesting to point out virtulization components that are installed and

+      It may be interesting to point out virtualization components that are installed and

       should be hardened.

     automated: no

@@ -910,14 +910,14 @@ controls:

     level: intermediary

     title: chroot jail and access right for partitioned service

     notes: >-

-      Automation to restrict access and chroot services is not generally reliable.

-    autmated: no

+      Using automation to restrict access and chroot services is not generally reliable.

+    automated: no

   - id: R56

     level: intermediary

     title: Enablement and usage of chroot by a service

     notes: >-

-      Automation to restrict access and chroot services is not generally reliable.

+      Using automation to restrict access and chroot services is not generally reliable.

     automated: no

   - id: R57

@@ -974,7 +974,7 @@ controls:

       The commands requiring the execution of sub-processes (EXEC tag) must be

       explicitly listed and their use should be reduced to a strict minimum.

     notes: >-

-      Human review is required to assess if the commands requiring EXEC is minimal.

+      Human review is required to assess if the set of commands requiring EXEC is minimal.

       An auxiliary rule could list rules containing EXEC tag, for analysis.

     automated: no

From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 14 May 2021 11:41:30 +0200

Subject: [PATCH 5/6] Update R1 notes and selected rule

---

 controls/anssi.yml                            | 28 +++++++++----------

 .../package_xinetd_removed/rule.yml           |  1 +

 .../nis/package_ypbind_removed/rule.yml       |  1 +

 .../nis/package_ypserv_removed/rule.yml       |  1 +

 .../package_rsh-server_removed/rule.yml       |  1 +

 .../r_services/package_rsh_removed/rule.yml   |  1 +

 .../talk/package_talk-server_removed/rule.yml |  1 +

 .../talk/package_talk_removed/rule.yml        |  1 +

 .../package_telnet-server_removed/rule.yml    |  1 +

 .../telnet/package_telnet_removed/rule.yml    |  1 +

 .../tftp/package_tftp-server_removed/rule.yml |  1 +

 .../tftp/package_tftp_removed/rule.yml        |  4 +++

 shared/references/cce-redhat-avail.txt        |  1 -

 13 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml

index 81d099e98b..ebee9c4259 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -19,25 +19,25 @@ controls:

       Those whose presence can not be justified should be disabled, removed or deleted.

     automated: partially  # The list of essential services is not objective.

     notes: >-

-      Manual review is required to assess if the installed services are minimal.

-      In general, use of obsolete or insecure services is not recommended.

       Performing a minimal install is a good starting point, but doesn't provide any assurance

       over any package installed later.

+      Manual review is required to assess if the installed services are minimal.

+      In general, use of obsolete or insecure services is not recommended and we remove some

+      of these in this recommendation.

     rules:

     - package_dhcp_removed

-    #- package_rsh_removed

-    #- package_rsh-server_removed

+    - package_rsh_removed

+    - package_rsh-server_removed

     - package_sendmail_removed

-    - package_telnetd_removed

-    #- package_talk_removed

-    #- package_talk-server_removed

-    #- package_telnet_removed

-    #- package_telnet-server_removed

-    #- package_tftp_removed

-    #- package_tftp-server_removed

-    #- package_xinetd_removed

-    #- package_ypbind_removed

-    #- package_ypserv_removed

+    - package_talk_removed

+    - package_talk-server_removed

+    - package_telnet_removed

+    - package_telnet-server_removed

+    - package_tftp_removed

+    - package_tftp-server_removed

+    - package_xinetd_removed

+    - package_ypbind_removed

+    - package_ypserv_removed

   - id: R2

     level: intermediary

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml

index e2431be9c5..9494025449 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml

@@ -18,6 +18,7 @@ identifiers:

     cce@rhel8: CCE-80850-1

 references:

+    anssi: BP28(R1)

     cis@rhel8: 2.1.1

     disa: CCI-000305

     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)

diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml

index 97e27e2a4c..e836dc6fb1 100644

--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml

@@ -24,6 +24,7 @@ identifiers:

     cce@rhel8: CCE-82181-9

 references:

+    anssi: BP28(R1)

     cis@rhel7: 2.3.1

     cis@rhel8: 2.3.1

     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)

diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml

index ac1d8e6f4c..7ca7a67e69 100644

--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml

@@ -22,6 +22,7 @@ identifiers:

     cce@rhel8: CCE-82432-6

 references:

+    anssi: BP28(R1)

     stigid@ol7: OL07-00-020010

     cis@rhel7: 2.2.16

     cis@rhel8: 2.2.17

diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml

index 21f4d7bae6..33c36cde67 100644

--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml

@@ -22,6 +22,7 @@ identifiers:

     cce@rhel8: CCE-82184-3

 references:

+    anssi: BP28(R1)

     stigid@ol7: OL07-00-020000

     disa: CCI-000381

     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)

diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml

index c8f4673a3a..dbc6bd7329 100644

--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml

@@ -23,6 +23,7 @@ identifiers:

     cce@rhel8: CCE-82183-5

 references:

+    anssi: BP28(R1)

     cis@rhel7: 2.3.2

     cui: 3.1.13

     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)

diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml

index 12971558e9..e46e4f55d0 100644

--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml

@@ -18,6 +18,7 @@ identifiers:

     cce@rhel8: CCE-82180-1

 references:

+    anssi: BP28(R1)

     cis@rhel7: 2.2.18

     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)

diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml

index 68e804ba38..24743fc2d6 100644

--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml

@@ -23,6 +23,7 @@ identifiers:

     cce@rhel8: CCE-80848-5

 references:

+    anssi: BP28(R1)

     cis@rhel7: 2.3.3

     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)

diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml

index 7bb5ed5da3..24cf50ff29 100644

--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml

@@ -31,6 +31,7 @@ identifiers:

     cce@sle15: CCE-83273-3

 references:

+    anssi: BP28(R1)

     stigid@ol7: OL07-00-021710

     cis@rhel7: 2.1.19

     disa: CCI-000381

diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml

index 1b0128ec06..afef488734 100644

--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml

@@ -21,6 +21,7 @@ identifiers:

     cce@rhel8: CCE-80849-3

 references:

+    anssi: BP28(R1)

     cis@rhel7: 2.3.4

     cis@rhel8: 2.3.2

     cui: 3.1.13

diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml

index 3fcc8db4c8..ca25bb2124 100644

--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml

@@ -22,6 +22,7 @@ identifiers:

     cce@rhel8: CCE-82436-7

 references:

+    anssi: BP28(R1)

     stigid@ol7: OL07-00-040700

     disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814

     nist: CM-7(a),CM-7(b),CM-6(a)

diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml

index c3a501259c..0be9a60d38 100644

--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml

+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml

@@ -19,6 +19,10 @@ severity: low

 identifiers:

     cce@rhel7: CCE-80443-5

+    cce@rhel8: CCE-83590-0

+

+references:

+    anssi: BP28(R1)

 ocil: '{{{ describe_package_remove(package="tftp") }}}'

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 4c4f8c3aa3..b719186add 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -91,7 +91,6 @@ CCE-83584-3

 CCE-83587-6

 CCE-83588-4

 CCE-83589-2

-CCE-83590-0

 CCE-83592-6

 CCE-83594-2

 CCE-83595-9

From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 14 May 2021 11:43:32 +0200

Subject: [PATCH 6/6] Update R5 notes and rule selection

Note commented rules as related, and potentially useful.

---

 controls/anssi.yml | 16 +++++++++-------

 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml

index ebee9c4259..bba7148da9 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -88,20 +88,22 @@ controls:

     automated: partially

     notes: >-

       Defense in-depth can be broadly divided into three areas - physical, technical and

-      administrative. The security profile is best suitedto protect the technical area.

+      administrative. The security profile is best suited to protect the technical area.

       Among the barriers that can be implemented within the technical area are antivirus software,

       authentication, multi-factor authentication, encryption, logging, auditing, sandboxing,

       intrusion detection systems, firewalls and vulnerability scanners.

+      The selection below is not in any way exaustive and should be adapted to the system's needs.

     rules:

-    #- package_audit_installed

-    #- service_auditd_enabled

     - sudo_remove_no_authenticate

     - package_rsyslog_installed

     - service_rsyslog_enabled

-    #- package_ntp_installed

-    #- package_firewalld_installed

-    #- service_firewalld_enabled

-    #- sssd_enable_smartcards

+    related_rules:

+    - package_audit_installed

+    - service_auditd_enabled

+    - package_ntp_installed

+    - package_firewalld_installed

+    - service_firewalld_enabled

+    - sssd_enable_smartcards

   - id: R6

     level: enhanced