From 54ab7e90e30cd280599ecfa22863720015a066d6 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz <alexandre.skrzyniarz@laposte.net>
Date: Fri, 8 Dec 2023 12:49:11 +0100
Subject: [PATCH] add enhanced ANSSI-BP-028 profile for Debian

---
 .../profiles/anssi_bp28_enhanced.profile      | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 products/debian12/profiles/anssi_bp28_enhanced.profile

diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
new file mode 100644
index 000000000000..b1c650c4ca34
--- /dev/null
+++ b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+      This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
+
+      ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+      ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+      A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+        https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+  - anssi:all:enhanced
+  - package_rsyslog_installed
+  - service_rsyslog_enabled
+  # PASS_MIN_LEN is handled by PAM on debian systems.
+  - '!accounts_password_minlen_login_defs'
+  # Debian uses apparmor
+  - '!selinux_state'
+  - '!audit_rules_mac_modification'
+  - apparmor_configured
+  - all_apparmor_profiles_enforced 
+  - grub2_enable_apparmor
+  - package_apparmor_installed
+  - package_pam_apparmor_installed
+  # The following are MLS related rules (not part of ANSSI-BP-028)
+  - '!accounts_polyinstantiated_tmp'
+  - '!accounts_polyinstantiated_var_tmp'