Update ANSSI BP-028 to version 2.0 #10334
Conversation
vojtapolasek
added
SLES
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
vojtapolasek
force-pushed
the
anssi_20_upstream
branch
from
ac1c202
to
74038af
Compare
- Reorder and renumber the recommendations - Selection of rules updated - Control statues updated
Some rules were added while others were removed.
- sysctl_fs_protected_fifos - sysctl_fs_protected_regular
- sysctl_net_ipv6_conf_default_disable_ipv6
Select sysctl_kernel_panic_on_oops; Select value 2 for sysctl_kernel_kptr_restrict
hidepid can cause problems with PolicyKit and D-Bus.
This keeps the same approach for ANSSI BP-028 profiles.
Add ANSSI references to rules that configure the IPv6 stack.
Remove ANSSI references from rules that are not selected anymore.
vojtapolasek
force-pushed
the
anssi_20_upstream
branch
from
48ab889
to
7305fec
Compare
vojtapolasek
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@teacup-on-rockingchair Hi, have you had any involvement in the development of ANSSI profiles for SLE? |
|
@dodys Hi, do you have any thoughts on this update? Edit: I see that Ubuntu doesn't use the ANSSI Control file. So this PR won't affect Ubuntu's ANSSI profiles. |
|
@freddieRv Hi, do you have any thoughts on this update? The ANSSI BP-028 profiles for OL will be updated to 2.0. |
I did indeed, will try to provide feedback till end of the week, thanks for the heads up 🙇 Do we have CIS -like comparison between old and new revision, or just go over the requirement of the new spec? |
|
Code Climate has analyzed commit a9a8b1e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.8% (0.0% change). View more on Code Climate. |
@teacup-on-rockingchair You mean generated by us? No. |
@teacup-on-rockingchair Hi, did you have a chance to look at the ANSSI 2.0 update? |
Did some initial review and tests LGTM 👍 |
There was a problem hiding this comment.
I have checked all commits and the final control file. The changes are sane and the control file parameters are consistent with the referenced document. I didn't check each rule in details to confirm they are doing exactly what is expected from the requirement. But they were mostly just included in the controlfile. So, if any referenced rule needs updates, it is not in the scope of this PR.
|
Overriding CODEOWNERS since a SUSE approver is not currently available. Also, we have a green light from one of the SUSE contributors: #10334 (comment) |
Description:
Rationale:
This PR introduces updated version of ANSSI profiles. The coverage is not 100% but the rules which are present in the profile are aligned with the security policy.
Reference: https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Most changes were introduced by @yuumasato .
What still needs to be done?
[x] investigate problem where Ansible playbook for RHEL 7 is aborted
[x] gather rules which got removed during the upgrade process and remove ANSSI references