Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Map more rules into Anssi policy #4439

Merged
merged 16 commits into from
Jun 25, 2019
Merged

Map more rules into Anssi policy #4439

merged 16 commits into from
Jun 25, 2019

Conversation

yuumasato
Copy link
Member

Description:

  • Maps rules into ANSSI requirements
  • Select mapped rules in profile corresponding to hardening level

@yuumasato
Map ANSSI R29 user session timeout
9743f7f 
Remote user sessions (shell access, graphical clients) must be closed
after a certain period of inactivity.
@yuumasato
Map R35 umask value
7a82d94
@yuumasato
Map R08 Regular updates
b93ebdc
@yuumasato
Map R17 Boot loader password
1c15559
@yuumasato
Mat R19 Accountabilit of administration
ead7515 
Each administrator must have a dedicated account (local or remote),
and not use the root account as the access account for system
administration.
@yuumasato
Map R12 Partitioning
233eaf4
@yuumasato
Mat R25 Yama module
272c20f
@yuumasato
Map R23
a58a5df
@yuumasato
Map R32 Protection of stored passwords
0dd31fa
@yuumasato
Comment R38 in profile
6a5132d
@yuumasato
Map R13 Restriction on System.map
2ed50e8
@yuumasato
Map R11 IOMMU Configuration Guidelines
61ab20a
@yuumasato
Map R36 Rights to access sensitive content files
9230614
@yuumasato
Map R67 Setting SELinux Booleans
5b33382
@yuumasato
Comment R59 in profile
ac40763
@matejak matejak self-assigned this Jun 25, 2019
@matejak matejak added this to the 0.1.45 milestone Jun 25, 2019
@matejak
Copy link
Member

matejak commented Jun 25, 2019

It looks like that we have double-selection of rules sysctl_fs_suid_dumpable and sysctl_kernel_randomize_va_space.

matejak
matejak requested changes Jun 25, 2019
View reviewed changes
rhel7/profiles/anssi_nt28_intermediary.profile Outdated
@@ -22,6 +35,16 @@ selections:
- sysctl_fs_suid_dumpable
- sysctl_kernel_randomize_va_space
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

first occurrence of both

rhel7/profiles/anssi_nt28_intermediary.profile
- sysctl_fs_protected_hardlinks

# Activation of the ASLR
- sysctl_kernel_randomize_va_space
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

second occurrence

rhel7/profiles/anssi_nt28_intermediary.profile
# kernel. sysrq = 0

# No core dump of executable setuid
- sysctl_fs_suid_dumpable
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

second occurrence

@yuumasato
Copy link
Member Author

@matejak Thanks for review, and nice catch.
The duplicated rules have been removed.

@matejak
Copy link
Member

matejak commented Jun 25, 2019

Thanks for improving the ANSSI profile set!

@matejak matejak merged commit 8f0a2a5 into ComplianceAsCode:master Jun 25, 2019
@yuumasato yuumasato deleted the anssi_mappings branch June 25, 2019 13:38
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matejak matejak matejak approved these changes

Assignees

@matejak matejak

Labels
None yet
Projects
None yet
Milestone
0.1.45
Development

Successfully merging this pull request may close these issues.
2 participants
@yuumasato @matejak