
update debian12 anssi high profile
Add some rules that were previously disabled due to prodtype.
a-skr committed Feb 19, 2024
1 parent 6a6910a commit 5fadfe2
Showing 1 changed file with 18 additions and 177 deletions.
195 changes: 18 additions & 177 deletions products/debian12/profiles/anssi_bp28_high.profile
Expand Up @@ -17,9 +17,14 @@ selections:
- service_rsyslog_enabled
# PASS_MIN_LEN is handled by PAM on debian systems.
- '!accounts_password_minlen_login_defs'
# ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
- 'package_pam_pwquality_installed'
# PAM honour login.defs file for algorithm
- 'set_password_hashing_algorithm_logindefs'
# Debian uses apparmor
- '!selinux_state'
- '!audit_rules_mac_modification'
- '!selinux_policytype'
- apparmor_configured
- all_apparmor_profiles_enforced
- grub2_enable_apparmor
Expand All @@ -28,194 +33,30 @@ selections:
# The following are MLS related rules (not part of ANSSI-BP-028)
- '!accounts_polyinstantiated_tmp'
- '!accounts_polyinstantiated_var_tmp'
- '!enable_pam_namespace'

# Following rules once had a prodtype incompatible with the debian12 product
- '!aide_verify_acls'
- '!sysctl_net_ipv4_conf_default_secure_redirects'
- '!accounts_password_pam_dcredit'
- '!sebool_ssh_sysadm_login'
- '!package_sendmail_removed'
- '!kernel_config_refcount_full'
- '!partition_for_boot'
- '!sysctl_net_ipv4_conf_all_accept_source_route'
- '!mount_option_home_nosuid'
- '!audit_rules_usergroup_modification_opasswd'
- '!accounts_passwords_pam_tally2_deny_root'
- '!ensure_redhat_gpgkey_installed'
- '!set_password_hashing_algorithm_systemauth'
- '!package_dnf-automatic_installed'
- '!accounts_passwords_pam_faillock_deny_root'
- '!sysctl_fs_protected_regular'
- '!dnf-automatic_security_updates_only'
- '!cracklib_accounts_password_pam_lcredit'
- '!kernel_config_sched_stack_end_check'
- '!dnf-automatic_apply_updates'
- '!cracklib_accounts_password_pam_ocredit'
- '!enable_pam_namespace'
- '!package_talk_removed'
- '!audit_rules_privileged_commands_insmod'
- '!accounts_password_pam_minlen'
- '!accounts_password_pam_unix_rounds_system_auth'
- '!sudo_dedicated_group'
- '!chronyd_configure_pool_and_server'
- '!grub2_page_poison_argument'
- '!ensure_gpgcheck_local_packages'
- '!sebool_selinuxuser_execstack'
- '!grub2_uefi_password'
- '!sysctl_net_ipv6_conf_all_accept_redirects'
- '!kernel_config_slab_freelist_hardened'
- '!audit_rules_usergroup_modification_group'
- '!package_sudo_installed'
- '!kernel_config_slab_merge_default'
- '!package_xinetd_removed'
- '!package_rsh-server_removed'
- '!mount_option_srv_nosuid'
- '!audit_sudo_log_events'
- '!mount_option_boot_noexec'
- '!mount_option_var_tmp_noexec'
- '!kernel_config_gcc_plugin_structleak_byref_all'
- '!sysctl_net_ipv6_conf_default_router_solicitations'
- '!package_ypserv_removed'
- '!mount_option_tmp_nosuid'
- '!service_chronyd_or_ntpd_enabled'
- '!sebool_selinuxuser_execheap'
- '!security_patches_up_to_date'
- '!sysctl_net_ipv4_conf_all_rp_filter'
- '!timer_logrotate_enabled'
- '!rsyslog_remote_tls'
- '!accounts_passwords_pam_faillock_unlock_time'
- '!file_permissions_ungroupowned'
- '!set_password_hashing_algorithm_systemauth'
- '!sysctl_net_ipv6_conf_all_accept_ra_defrtr'
- '!package_tftp-server_removed'
- '!package_rsh_removed'
- '!sysctl_net_ipv4_conf_default_accept_redirects'
- '!package_dnf-automatic_installed'
- '!audit_rules_privileged_commands_modprobe'
- '!sysctl_kernel_perf_event_max_sample_rate'
- '!kernel_config_stackprotector_strong'
- '!sysctl_net_ipv6_conf_all_accept_ra_pinfo'
- '!sysctl_kernel_perf_cpu_time_max_percent'
- '!kernel_config_page_poisoning'
- '!timer_dnf-automatic_enabled'
- '!accounts_passwords_pam_tally2'
- '!accounts_password_pam_unix_remember'
- '!kernel_config_vmap_stack'
- '!file_permissions_unauthorized_sgid'
- '!sysctl_net_ipv6_conf_all_router_solicitations'
- '!sysctl_net_ipv4_conf_default_rp_filter'
- '!audit_rules_usergroup_modification_shadow'
- '!sudo_add_umask'
- '!sudo_add_env_reset'
- '!package_dhcp_removed'
- '!aide_scan_notification'
- '!audit_rules_privileged_commands_kmod'
- '!sysctl_net_ipv6_conf_default_accept_source_route'
- '!sysctl_fs_protected_fifos'
- '!kernel_config_strict_kernel_rwx'
- '!kernel_config_slab_freelist_random'
- '!kernel_config_hardened_usercopy'
- '!grub2_page_alloc_shuffle_argument'
- '!mount_option_var_noexec'
- '!accounts_password_pam_ucredit'
- '!ensure_gpgcheck_never_disabled'
- '!mount_option_opt_nosuid'
- '!partition_for_opt'
- '!sysctl_kernel_sysrq'
- '!aide_periodic_cron_checking'
- '!sysctl_net_ipv4_ip_forward'
- '!sysctl_net_ipv6_conf_all_accept_ra_rtr_pref'
- '!postfix_network_listening_disabled'
- '!install_PAE_kernel_on_x86-32'
- '!sysctl_kernel_modules_disabled'
- '!sebool_secure_mode_insmod'
- '!audit_rules_usergroup_modification_gshadow'
- '!kernel_config_hardened_usercopy_fallback'
- '!ensure_redhat_gpgkey_installed'
- '!accounts_passwords_pam_faillock_interval'
- '!sudo_add_ignore_dot'
- '!sysctl_kernel_perf_event_paranoid'
- '!mount_option_var_log_nosuid'
- '!sysctl_net_ipv6_conf_default_autoconf'
- '!sysctl_net_ipv6_conf_default_max_addresses'
- '!kernel_config_gcc_plugin_latent_entropy'
- '!sysctl_net_ipv6_conf_default_accept_ra_rtr_pref'
- '!grub2_mds_argument'
- '!audit_rules_privileged_commands_rmmod'
- '!package_setroubleshoot-plugins_removed'
- '!grub2_slub_debug_argument'
- '!dnf-automatic_security_updates_only'
- '!audit_rules_usergroup_modification_passwd'
- '!mount_option_var_log_noexec'
- '!partition_for_usr'
- '!package_telnet-server_removed'
- '!kernel_config_gcc_plugin_stackleak'
- '!kernel_config_arm64_sw_ttbr0_pan'
- '!sysctl_net_ipv4_ip_local_port_range'
- '!package_talk-server_removed'
- '!sysctl_kernel_pid_max'
- '!package_ypbind_removed'
- '!sysctl_net_ipv4_conf_default_send_redirects'
- '!mount_option_var_nosuid'
- '!sysctl_net_ipv6_conf_all_max_addresses'
- '!sysctl_net_ipv4_conf_all_accept_redirects'
- '!cracklib_accounts_password_pam_ucredit'
- '!sysctl_net_ipv4_conf_all_send_redirects'
- '!kernel_config_legacy_vsyscall_xonly'
- '!sysctl_net_ipv4_conf_all_secure_redirects'
- '!kernel_config_gcc_plugin_randstruct'
- '!file_permissions_unauthorized_sgid'
- '!ensure_gpgcheck_local_packages'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!selinux_policytype'
- '!sysctl_net_ipv4_conf_default_accept_source_route'
- '!cracklib_accounts_password_pam_minlen'
- '!kernel_config_debug_wx'
- '!sebool_polyinstantiation_enabled'
- '!accounts_tmout'
- '!mount_option_nodev_nonroot_local_partitions'
- '!package_tftp_removed'
- '!sysctl_net_core_bpf_jit_harden'
- '!kernel_config_strict_module_rwx'
- '!kernel_config_modify_ldt_syscall'
- '!aide_verify_ext_attributes'
- '!grub2_pti_argument'
- '!file_permissions_unauthorized_suid'
- '!package_rsyslog-gnutls_installed'
- '!accounts_passwords_pam_tally2_deny_root'
- '!sysctl_net_ipv6_conf_default_accept_redirects'
- '!sysctl_kernel_unprivileged_bpf_disabled'
- '!kernel_config_legacy_vsyscall_none'
- '!accounts_passwords_pam_faillock_deny'
- '!accounts_password_pam_unix_rounds_password_auth'
- '!aide_periodic_checking_systemd_timer'
- '!sysctl_vm_mmap_min_addr'
- '!sysctl_net_ipv4_tcp_rfc1337'
- '!sysctl_net_ipv4_tcp_syncookies'
- '!sysctl_kernel_yama_ptrace_scope'
- '!sysctl_net_ipv6_conf_default_accept_ra_pinfo'
- '!package_dracut-fips-aesni_installed'
- '!accounts_password_pam_ocredit'
- '!accounts_password_pam_lcredit'
- '!no_files_unowned_by_user'
- '!mount_option_boot_nosuid'
- '!kernel_config_bug_on_data_corruption'
- '!kernel_config_legacy_vsyscall_emulate'
- '!audit_rules_privileged_commands_sudo'
- '!mount_option_tmp_noexec'
- '!mount_option_home_noexec'
- '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- '!sebool_deny_execmem'
- '!sysctl_net_ipv6_conf_all_accept_source_route'
- '!rsyslog_remote_tls_cacert'
- '!sysctl_net_ipv6_conf_default_accept_ra_defrtr'
- '!package_setroubleshoot-server_removed'
- '!kernel_config_stackprotector'
- '!kernel_config_gcc_plugin_structleak'
- '!enable_authselect'
- '!sysctl_net_ipv4_icmp_ignore_bogus_error_responses'
- '!sysctl_kernel_dmesg_restrict'
- '!package_telnet_removed'
- '!grub2_password'
- '!package_setroubleshoot_removed'
- '!kernel_config_fortify_source'
- '!dir_perms_world_writable_root_owned'
- '!cracklib_accounts_password_pam_minlen'
- '!cracklib_accounts_password_pam_dcredit'
- '!partition_for_var_tmp'
- '!ensure_gpgcheck_globally_activated'
- '!accounts_umask_etc_bashrc'
- '!sysctl_net_ipv6_conf_all_autoconf'
- '!file_permissions_unauthorized_suid'
- '!ensure_gpgcheck_never_disabled'
- '!ensure_oracle_gpgkey_installed'
- '!mount_option_var_tmp_nosuid'
- '!package_dracut-fips-aesni_installed'
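Review bot: The first hunk appears to add `package_pam_pwquality_installed` together with `set_password_hashing_algorithm_logindefs` and the three AppArmor rules (the five additions implied by the 9→14 line count), but the second hunk's exclusion list still carries the rules that would actually enforce a password policy — `'!accounts_password_pam_minlen'` and the `accounts_password_pam_*credit` / `cracklib_accounts_password_pam_*` entries — and this rendering does not show which of them survive on the new side; if any of them does, the profile installs pam_pwquality without checking any length or complexity setting, so either drop those exclusions or add a comment naming what covers that requirement instead. Whatever remains under `# Following rules once had a prodtype incompatible with the debian12 product` should also get a per-rule reason, because that heading explains the history of the list rather than why a rule is still excluded today; a one-line comment per entry such as `# still excluded: no Debian equivalent for dnf-automatic` (constructed wording) would do. The old list contains duplicate entries (for example `'!set_password_hashing_algorithm_systemauth'`, `'!ensure_redhat_gpgkey_installed'` and `'!package_dnf-automatic_installed'` each appear twice), so the retained 30 lines should be checked for leftover duplicates. The `selections:` block begins before the first hunk.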
