Initial definition of ANSSI BP28 minmal profile for SLE

[teacup-on-rockingchair]

Description:

• Add initial version of the anssi_bp28_minmal.profile

Rationale:

• Enable sle15 platform for ANSSI needed rules
• Also add CCE identifiers where needed
• Add missing rules to ANSSI minimal profile for SLE15
• Add SLE15 CCE ids to ANSSI rules in minimal profile
• Enable Bash and Ansible remediations for accounts_password_minlen_login_defs rule
• Enable Bash and Ansible remediations for accounts_password_pam_unix_rounds_system_auth
• Enable Bash and Ansible remediations for dnf-automatic_apply_updates rule
• Add rule accounts_password_pam_unix_rounds_password_auth remediations support for SLE
• Use SLE specific gpgkey rule
• Restructure ANSSI SLE15 minimal profile definition
• Fix ANSSI profiles referencing

[openshift-ci]

Hi @teacup-on-rockingchair. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

[apatard]

Hi,
I was looking for something else and found this PR. Given I'm not part of this project, I may be missing something but I don't understand why the controls/anssi.yml file is not used as basis. Can someone explain me this ?

[apatard]

Hi, I was looking for something else and found this PR. Given I'm not part of this project, I may be missing something but I don't understand why the controls/anssi.yml file is not used as basis. Can someone explain me this ?

Please forget this comment. Should have read things more closely. Sorry for the noise.

[pep8speaks]

Hello @teacup-on-rockingchair! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

• In the file utils/controleval.py:

Line 151:100: E501 line too long (111 > 99 characters)
Line 152:100: E501 line too long (104 > 99 characters)

Comment last updated at 2022-05-02 14:57:10 UTC

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth' differs:
--- old datastream
+++ new datastream
@@ -37,6 +37,7 @@
 false
 fi
 else
+
 pamFile="/etc/pam.d/password-auth"
 
 if grep -q "rounds=" $pamFile; then

[jan-cerny]

/ok-to-test