From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 11 May 2021 17:14:24 +0200 Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening --- controls/anssi.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index 2053de05c0..e9b9f1b803 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -70,6 +70,10 @@ controls: It is recommended to use the mandatory access control (MAC) features in addition to the traditional Unix user model (DAC), or possibly combine them with partitioning mechanisms. + notes: >- + Other partitioning mechanisms can include chroot and containers and are not contemplated + in this requirement. + automated: partially rules: - selinux_state - var_selinux_state=enforcing @@ -161,6 +165,7 @@ controls: The iommu = force directive must be added to the list of kernel parameters during startup in addition to those already present in the configuration files of the bootloader (/boot/grub/menu.lst or /etc/default/grub). + automated: yes rules: - grub2_enable_iommu_force @@ -837,8 +842,8 @@ controls: not locally stored in clear), or possibly stored on a separate machine of the one on which the sealing is done. Check section "Database and config signing in AIDE manual" - https://github.com/aide/aide/blob/master/doc/manual.html - # rules: TBD + https://aide.github.io/doc/#signing + automated: no - id: R53 level: enhanced @@ -946,7 +951,7 @@ controls: title: Enable AppArmor security profiles description: >- All AppArmor security profiles on the system must be enabled by default. - # rules: TBD + automated: no - id: R66 level: high @@ -990,6 +995,7 @@ controls: description: >- SELinux policy manipulation and debugging tools should not be installed on a machine in production. + automated: yes rules: - package_setroubleshoot_removed - package_setroubleshoot-server_removed @@ -1000,4 +1006,5 @@ controls: title: Confining interactive non-privileged users description: >- Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user. - # rules: TBD + notes: Interactive users who still need to perform administrative tasks should not be confined with user_u. + automated: no From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 11 May 2021 17:31:11 +0200 Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels --- controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 75 insertions(+), 16 deletions(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index e9b9f1b803..291af65f58 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -19,8 +19,10 @@ controls: Those whose presence can not be justified should be disabled, removed or deleted. automated: partially # The list of essential services is not objective. notes: >- - Use of obsolete or insecure services is not recommended. - The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later. + Manual review is required to assess if the installed services are minimal. + In general, use of obsolete or insecure services is not recommended. + Performing a minimal install is a good starting point, but doesn't provide any assurance + over any package installed later. rules: - package_dhcp_removed #- package_rsh_removed @@ -45,10 +47,9 @@ controls: problematic from a security point of view. The features configured at the level of launched services should be limited to the strict minimum. + automated: no notes: >- Define a list of most problematic components or features to be hardened or restricted. - # potential components: sshd, pam, chrony? - # rules: TBD - id: R3 level: enhanced @@ -109,7 +110,10 @@ controls: Network services should as much as possible be hosted on isolated environments. This avoids having other potentially affected services if one of them gets compromised under the same environment. - #rules: TBD + notes: >- + Manual analysis is required to determine if services are hosted appropriately in + separate or isolated system while maintaining functionality. + automated: no - id: R7 level: enhanced @@ -117,6 +121,7 @@ controls: description: >- The activities of the running system and services must be logged and archived on an external, non-local system. + automated: yes rules: # The default remote loghost is logcollector. # Change the default value to the hostname or IP of the system to send the logs to @@ -235,6 +240,7 @@ controls: notes: >- The rule disabling auto-mount for /boot is commented until the rules checking for other /boot mount options are updated to handle this usecase. + automated: no #rules: #- mount_option_boot_noauto @@ -275,7 +281,7 @@ controls: hardening measures. Between two packages providing the same service, those subject to hardening (at compilation, installation, or default configuration) must be preferred. - #rules: TBD + automated: no - id: R17 level: enhanced @@ -283,6 +289,7 @@ controls: description: >- A boot loader to protect the password boot must be to be privileged. This password must prevent any user from changing their configuration options. + automated: yes # without remediation rules: - grub2_password - grub2_uefi_password @@ -358,12 +365,28 @@ controls: must be set up as soon as the system is installed: account and administration passwords, root authority certificates, public keys, or certificates of the host (and their respective private key). - # rules: TBD + notes: >- + This concerns two aspects, the first is administrative, and involves prompt + installation of secrets or trusted elements by the sysadmin. + The second involves removal of any default secret or trusted element + configured by the operating system during install process, e.g. default + known passwords. + automated: no - id: R21 level: intermediary title: Hardening and monitoring of services subject to arbitrary flows - # rules: TBD + notes: >- + SELinux can provide confinement and monitoring of services, and AIDE provides + basic integrity checking. System logs are configured as part of R43. + Hardening of particular services should be done on a case by case basis and is + not automated by this content. + automated: partially + rules: + - selinux_state + - var_selinux_state=enforcing + - package_aide_installed + - aide_build_database - id: R22 level: intermediary @@ -535,6 +558,7 @@ controls: sysctl kernel.modules_disabledconf: Prohibition of loading modules (except those already loaded to this point) kernel.modules_disabled = 1 + automated: yes # without remediation rules: - sysctl_kernel_modules_disabled @@ -545,6 +569,7 @@ controls: It is recommended to load the Yama security module at startup (by example passing the security = yama argument to the kernel) and configure the sysctl kernel.yama.ptrace_scope to a value of at least 1. + automated: yes rules: - sysctl_kernel_yama_ptrace_scope @@ -553,13 +578,19 @@ controls: title: Disabling unused user accounts description: >- Unused user accounts must be disabled at the system level. - # rules: TBD + notes: >- + The definition of unused user accounts is broad. It can include accounts + whose owners don't use the system anymore, or users created by services + or applicatons that should not be used. + automated: no - id: R27 title: Disabling service accounts level: intermediary notes: >- It is difficult to generally identify the system's service accounts. + UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values + are not enforced by the OS and can be changed over time. Assisting rules could list users which are not disabled for manual review. automated: no @@ -568,7 +599,11 @@ controls: title: Uniqueness and exclusivity of system service accounts description: >- Each service must have its own system account and be dedicated to it exclusively. - # rules: TBD + notes: >- + It is not trivial to identify wether a user account is a service account. + UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values + are not enforced by the OS and can be changed over time. + automated: no - id: R29 level: enhanced @@ -778,6 +813,7 @@ controls: description: >- The syslog services must be isolated from the rest of the system in a dedicated container. + automated: no # rules: TBD - id: R46 @@ -825,6 +861,7 @@ controls: This includes: directories containing executables, libraries, configuration files, as well as any files that may contain sensitive elements (cryptographic keys, passwords, confidential data). + automated: yes rules: - package_aide_installed - aide_build_database @@ -851,7 +888,12 @@ controls: description: >- The deployed services must have their access restricted to the system strict minimum, especially when it comes to files, processes or network. - # rules: TBD + notes: >- + SELinux policies limit the privileges of services and daemons to only what they require. + automated: partially + rules: + - selinux_policytype + - var_selinux_policy_name=targeted - id: R54 level: enhanced @@ -859,17 +901,24 @@ controls: description: >- Each component supporting the virtualization must be hardened, especially by applying technical measures to counter the exploit attempts. - # rules: TBD + notes: >- + It may be interesting to point out virtulization components that are installed and + should be hardened. + automated: no - id: R55 level: intermediary title: chroot jail and access right for partitioned service - # rules: TBD + notes: >- + Automation to restrict access and chroot services is not generally reliable. + autmated: no - id: R56 level: intermediary title: Enablement and usage of chroot by a service - # rules: TBD + notes: >- + Automation to restrict access and chroot services is not generally reliable. + automated: no - id: R57 level: intermediary @@ -924,7 +973,10 @@ controls: description: >- The commands requiring the execution of sub-processes (EXEC tag) must be explicitly listed and their use should be reduced to a strict minimum. - # rules: TBD + notes: >- + Human review is required to assess if the commands requiring EXEC is minimal. + An auxiliary rule could list rules containing EXEC tag, for analysis. + automated: no - id: R62 level: intermediary @@ -944,7 +996,13 @@ controls: - id: R64 level: intermediary title: Good use of sudoedit - # rules: TBD + description: A file requiring sudo to be edited, must be edited through the sudoedit command. + notes: >- + In R62 we established that the sudoers files should not use negations, thus the approach + for this requirement is to ensure that sudoedit is the only text editor allowed. + But it is difficult to ensure that allowed binaries aren't text editors without human + review. + automated: no - id: R65 level: high @@ -959,6 +1017,7 @@ controls: description: >- It is recommended to enable the targeted policy when the distribution support it and that it does not operate another security module than SELinux. + automated: yes rules: - selinux_policytype - var_selinux_policy_name=targeted From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 11 May 2021 17:49:42 +0200 Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles --- rhel7/profiles/anssi_nt28_high.profile | 2 +- rhel8/profiles/anssi_bp28_high.profile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile index 22efad9c09..560460b55f 100644 --- a/rhel7/profiles/anssi_nt28_high.profile +++ b/rhel7/profiles/anssi_nt28_high.profile @@ -1,6 +1,6 @@ documentation_complete: true -title: 'DRAFT - ANSSI-BP-028 (high)' +title: 'ANSSI-BP-028 (high)' description: |- This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile index 22efad9c09..560460b55f 100644 --- a/rhel8/profiles/anssi_bp28_high.profile +++ b/rhel8/profiles/anssi_bp28_high.profile @@ -1,6 +1,6 @@ documentation_complete: true -title: 'DRAFT - ANSSI-BP-028 (high)' +title: 'ANSSI-BP-028 (high)' description: |- This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001 From: Watson Yuuma Sato Date: Fri, 14 May 2021 10:58:50 +0200 Subject: [PATCH 4/6] Fix typos and improve language Co-authored-by: vojtapolasek --- controls/anssi.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index 291af65f58..81d099e98b 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -581,7 +581,7 @@ controls: notes: >- The definition of unused user accounts is broad. It can include accounts whose owners don't use the system anymore, or users created by services - or applicatons that should not be used. + or applications that should not be used. automated: no - id: R27 @@ -589,7 +589,7 @@ controls: level: intermediary notes: >- It is difficult to generally identify the system's service accounts. - UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values + UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values are not enforced by the OS and can be changed over time. Assisting rules could list users which are not disabled for manual review. automated: no @@ -600,8 +600,8 @@ controls: description: >- Each service must have its own system account and be dedicated to it exclusively. notes: >- - It is not trivial to identify wether a user account is a service account. - UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values + It is not trivial to identify whether a user account is a service account. + UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values are not enforced by the OS and can be changed over time. automated: no @@ -889,7 +889,7 @@ controls: The deployed services must have their access restricted to the system strict minimum, especially when it comes to files, processes or network. notes: >- - SELinux policies limit the privileges of services and daemons to only what they require. + SELinux policies limit the privileges of services and daemons just to those which are required. automated: partially rules: - selinux_policytype @@ -902,7 +902,7 @@ controls: Each component supporting the virtualization must be hardened, especially by applying technical measures to counter the exploit attempts. notes: >- - It may be interesting to point out virtulization components that are installed and + It may be interesting to point out virtualization components that are installed and should be hardened. automated: no @@ -910,14 +910,14 @@ controls: level: intermediary title: chroot jail and access right for partitioned service notes: >- - Automation to restrict access and chroot services is not generally reliable. - autmated: no + Using automation to restrict access and chroot services is not generally reliable. + automated: no - id: R56 level: intermediary title: Enablement and usage of chroot by a service notes: >- - Automation to restrict access and chroot services is not generally reliable. + Using automation to restrict access and chroot services is not generally reliable. automated: no - id: R57 @@ -974,7 +974,7 @@ controls: The commands requiring the execution of sub-processes (EXEC tag) must be explicitly listed and their use should be reduced to a strict minimum. notes: >- - Human review is required to assess if the commands requiring EXEC is minimal. + Human review is required to assess if the set of commands requiring EXEC is minimal. An auxiliary rule could list rules containing EXEC tag, for analysis. automated: no From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 14 May 2021 11:41:30 +0200 Subject: [PATCH 5/6] Update R1 notes and selected rule --- controls/anssi.yml | 28 +++++++++---------- .../package_xinetd_removed/rule.yml | 1 + .../nis/package_ypbind_removed/rule.yml | 1 + .../nis/package_ypserv_removed/rule.yml | 1 + .../package_rsh-server_removed/rule.yml | 1 + .../r_services/package_rsh_removed/rule.yml | 1 + .../talk/package_talk-server_removed/rule.yml | 1 + .../talk/package_talk_removed/rule.yml | 1 + .../package_telnet-server_removed/rule.yml | 1 + .../telnet/package_telnet_removed/rule.yml | 1 + .../tftp/package_tftp-server_removed/rule.yml | 1 + .../tftp/package_tftp_removed/rule.yml | 4 +++ shared/references/cce-redhat-avail.txt | 1 - 13 files changed, 28 insertions(+), 15 deletions(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index 81d099e98b..ebee9c4259 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -19,25 +19,25 @@ controls: Those whose presence can not be justified should be disabled, removed or deleted. automated: partially # The list of essential services is not objective. notes: >- - Manual review is required to assess if the installed services are minimal. - In general, use of obsolete or insecure services is not recommended. Performing a minimal install is a good starting point, but doesn't provide any assurance over any package installed later. + Manual review is required to assess if the installed services are minimal. + In general, use of obsolete or insecure services is not recommended and we remove some + of these in this recommendation. rules: - package_dhcp_removed - #- package_rsh_removed - #- package_rsh-server_removed + - package_rsh_removed + - package_rsh-server_removed - package_sendmail_removed - - package_telnetd_removed - #- package_talk_removed - #- package_talk-server_removed - #- package_telnet_removed - #- package_telnet-server_removed - #- package_tftp_removed - #- package_tftp-server_removed - #- package_xinetd_removed - #- package_ypbind_removed - #- package_ypserv_removed + - package_talk_removed + - package_talk-server_removed + - package_telnet_removed + - package_telnet-server_removed + - package_tftp_removed + - package_tftp-server_removed + - package_xinetd_removed + - package_ypbind_removed + - package_ypserv_removed - id: R2 level: intermediary diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml index e2431be9c5..9494025449 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml @@ -18,6 +18,7 @@ identifiers: cce@rhel8: CCE-80850-1 references: + anssi: BP28(R1) cis@rhel8: 2.1.1 disa: CCI-000305 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml index 97e27e2a4c..e836dc6fb1 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel8: CCE-82181-9 references: + anssi: BP28(R1) cis@rhel8: 2.3.1 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml index ac1d8e6f4c..7ca7a67e69 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml @@ -22,6 +22,7 @@ cce@rhel7: CCE-27399-5 cce@rhel8: CCE-82432-6 references: + anssi: BP28(R1) stigid@ol7: OL07-00-020010 cis: 2.2.16 disa: CCI-000381 diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml index 21f4d7bae6..33c36cde67 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-82184-3 references: + anssi: BP28(R1) stigid@ol7: OL07-00-020000 disa: CCI-000381 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml index c8f4673a3a..dbc6bd7329 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel8: CCE-82183-5 references: + anssi: BP28(R1) cis: 2.3.2 cui: 3.1.13 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml index 12971558e9..e46e4f55d0 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml @@ -18,6 +18,7 @@ identifiers: cce@rhel8: CCE-82180-1 references: + anssi: BP28(R1) cis: 2.2.21 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml index 68e804ba38..24743fc2d6 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel8: CCE-80848-5 references: + anssi: BP28(R1) cis: 2.3.3 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml index 7bb5ed5da3..24cf50ff29 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml @@ -31,6 +31,7 @@ identifiers: cce@rhel8: CCE-82182-7 references: + anssi: BP28(R1) stigid@ol7: OL07-00-021710 cis: 2.1.1 disa: CCI-000381 diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml index 1b0128ec06..afef488734 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-80849-3 references: + anssi: BP28(R1) cis@rhel8: 2.3.2 cui: 3.1.13 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml index 3fcc8db4c8..ca25bb2124 100644 --- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-82436-7 references: + anssi: BP28(R1) stigid@ol7: OL07-00-040700 disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814 nist: CM-7(a),CM-7(b),CM-6(a) diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml index c3a501259c..0be9a60d38 100644 --- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml @@ -19,6 +19,10 @@ severity: low identifiers: cce@rhel7: CCE-80443-5 + cce@rhel8: CCE-83590-0 + +references: + anssi: BP28(R1) ocil: '{{{ describe_package_remove(package="tftp") }}}' diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 4c4f8c3aa3..b719186add 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -91,7 +91,6 @@ CCE-83584-3 CCE-83587-6 CCE-83588-4 CCE-83589-2 -CCE-83590-0 CCE-83592-6 CCE-83594-2 CCE-83595-9 From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 14 May 2021 11:43:32 +0200 Subject: [PATCH 6/6] Update R5 notes and rule selection Note commented rules as related, and potentially useful. --- controls/anssi.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index ebee9c4259..bba7148da9 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -88,20 +88,22 @@ controls: automated: partially notes: >- Defense in-depth can be broadly divided into three areas - physical, technical and - administrative. The security profile is best suitedto protect the technical area. + administrative. The security profile is best suited to protect the technical area. Among the barriers that can be implemented within the technical area are antivirus software, authentication, multi-factor authentication, encryption, logging, auditing, sandboxing, intrusion detection systems, firewalls and vulnerability scanners. + The selection below is not in any way exaustive and should be adapted to the system's needs. rules: - #- package_audit_installed - #- service_auditd_enabled - sudo_remove_no_authenticate - package_rsyslog_installed - service_rsyslog_enabled - #- package_ntp_installed - #- package_firewalld_installed - #- service_firewalld_enabled - #- sssd_enable_smartcards + related_rules: + - package_audit_installed + - service_auditd_enabled + - package_ntp_installed + - package_firewalld_installed + - service_firewalld_enabled + - sssd_enable_smartcards - id: R6 level: enhanced