Update ANSSI BP-028 to version 2.0 #10334
Skipping CI for Draft Pull Request.
ac1c202 to 74038af
- Reorder and renumber the recommendations
- Selection of rules updated
- Control statuses updated
Some rules were added while others were removed.
- sysctl_fs_protected_fifos
- sysctl_fs_protected_regular
- sysctl_net_ipv6_conf_default_disable_ipv6
Select sysctl_kernel_panic_on_oops; Select value 2 for sysctl_kernel_kptr_restrict
hidepid can cause problems with PolicyKit and D-Bus.
This keeps the same approach for ANSSI BP-028 profiles.
Add ANSSI references to rules that configure the IPv6 stack.
Remove ANSSI references from rules that are not selected anymore.
48ab889 to 7305fec
@teacup-on-rockingchair Hi, have you had any involvement in the development of ANSSI profiles for SLE?
@dodys Hi, do you have any thoughts on this update? Edit: I see that Ubuntu doesn't use the ANSSI Control file. So this PR won't affect Ubuntu's ANSSI profiles.
@freddieRv Hi, do you have any thoughts on this update? The ANSSI BP-028 profiles for OL will be updated to 2.0.
I did indeed, will try to provide feedback till end of the week, thanks for the heads up 🙇 Do we have a CIS-like comparison between old and new revision, or just go over the requirement of the new spec?
Code Climate has analyzed commit a9a8b1e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.8% (0.0% change).
@teacup-on-rockingchair You mean generated by us? No.
Thank you for the fixes and improvements @vojtapolasek :)
Changes LGTM.
Thanks for the efforts guys!
@teacup-on-rockingchair Hi, did you have a chance to look at the ANSSI 2.0 update?
Did some initial review and tests LGTM 👍
I have checked all commits and the final control file. The changes are sane and the control file parameters are consistent with the referenced document. I didn't check each rule in detail to confirm they are doing exactly what is expected from the requirement. But they were mostly just included in the control file. So, if any referenced rule needs updates, it is not in the scope of this PR.
Overriding CODEOWNERS since a SUSE approver is not currently available. Also, we have a green light from one of the SUSE contributors: #10334 (comment)
Description:
Rationale:
This PR introduces an updated version of the ANSSI profiles. The coverage is not 100%, but the rules which are present in the profile are aligned with the security policy.
Reference: https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
Most changes were introduced by @yuumasato .
What still needs to be done?
- [x] investigate problem where Ansible playbook for RHEL 7 is aborted
- [x] gather rules which got removed during the upgrade process and remove ANSSI references