Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ANSSI R31 updates #11560

Merged
merged 3 commits into from
Feb 8, 2024
Merged

ANSSI R31 updates #11560

merged 3 commits into from
Feb 8, 2024

Conversation

jan-cerny
Copy link
Collaborator

Description:

  • change password minimal length to 15 characters
  • remove selection of the rule for maximum password age of user accounts
  • add a new rule checking maximum password age of root user
  • improve a comment

For more details, please read the commit message of every commit.

Rationale:

Align the ANSSI profiles with ANSSI 2.0.

@jan-cerny
Update a comment
03b64be
@jan-cerny
Change password minimal lenght
caad065 
ANSSI password recommendiation
https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe
section 4.2 recommends at least 15 characters.
@jan-cerny
Add a new rule accounts_password_set_max_life_root
48f4353 
The new rule checks that maximum password age is set for the root user.
This rule is similar to rule `accounts_maximum_age_login_defs` but that
applies to all user accounts. The ANSSI password recommendation
(https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe)
recommends to not set the maximum age for common users, but it says that
for the privileged users the maximum age should be configured to
1 to 3 years. We concluded to agree on 1 year.
@jan-cerny jan-cerny added New Rule Issues or pull requests related to new Rules. Update Profile Issues or pull requests related to Profiles updates. ANSSI ANSSI Benchmark related. labels Feb 8, 2024
@jan-cerny jan-cerny added this to the 0.1.73 milestone Feb 8, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 8, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@codeclimate CodeClimate
Copy link

codeclimate bot commented Feb 8, 2024

Code Climate has analyzed commit 48f4353 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.4% (0.0% change).

View more on Code Climate.

@Mab879
Copy link
Member

Mab879 commented Feb 8, 2024

/retest-required

@Mab879 Mab879 self-assigned this Feb 8, 2024
@Mab879
Copy link
Member

Mab879 commented Feb 8, 2024 

./automatus.py rule --datastream ../build/ssg-rhel8-ds.xml --libvirt qemu:///system automatus_rhel8_10 accounts_password_set_max_life_root
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/Developer/ComplianceAsCode/content/tests/logs/rule-custom-2024-02-08-1604/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_root
INFO - Script correct.pass.sh using profile (all) OK
INFO - Script wrong.fail.sh using profile (all) OK

Automatus tests pass locally in a VM, waving Automatus CI.

@Mab879 Mab879 merged commit 8734eed into ComplianceAsCode:master Feb 8, 2024
40 of 43 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels
ANSSI ANSSI Benchmark related. New Rule Issues or pull requests related to new Rules. Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
0.1.73
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jan-cerny @Mab879