Skip to content

Commit

Permalink
Merge pull request ComplianceAsCode#11570 from jan-cerny/anssi_R32
Browse files Browse the repository at this point in the history
Update ANSSI R32
  • Loading branch information
Mab879 authored Feb 9, 2024
2 parents af1721a + 7ad490d commit 9299819
Show file tree
Hide file tree
Showing 5 changed files with 10 additions and 17 deletions.
23 changes: 6 additions & 17 deletions controls/anssi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -776,30 +776,19 @@ controls:
- accounts_password_pam_unix_remember

- id: R32
title: User session timeout
title: Configuring a timeout on local user sessions
levels:
- intermediary
description: >-
Remote user sessions (shell access, graphical clients) must be closed
after a certain period of inactivity.
Local user sessions (console TTY, graphical session) must be locked after a certain period of inactivity.
notes: >-
There is no specific capability to check remote user inactivity, but some shells allow the
session inactivity time out to be configured via TMOUT variable.
In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
The server is configured to disconnect sessions if no data has been received within the idle timeout,
regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
"don't disconnect network inactive sessions". The server either probes for the client liveness
or keeps inactive sessions connected.
status: supported
ANSSI doesn't specify the length of the inactivity period, we are choosing 10 minutes as reasonable number.
status: automated
rules:
- logind_session_timeout
- var_logind_session_timeout=10_minutes
- accounts_tmout
- var_accounts_tmout=10_min
- sshd_set_idle_timeout
- sshd_idle_timeout_value=10_minutes
- sshd_set_keepalive
- var_sshd_set_keepalive=0

- id: R33
title: Use of dedicated administration accounts
Expand Down
1 change: 1 addition & 0 deletions products/rhel7/profiles/anssi_nt28_enhanced.profile
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ selections:
- anssi:all:enhanced
- '!selinux_state'
- '!timer_logrotate_enabled'
- '!logind_session_timeout'
# Following rules once had a prodtype incompatible with the rhel7 product
- '!accounts_passwords_pam_tally2_deny_root'
- '!sysctl_kernel_unprivileged_bpf_disabled'
Expand Down
1 change: 1 addition & 0 deletions products/rhel7/profiles/anssi_nt28_high.profile
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ description: |-
selections:
- anssi:all:high
- '!timer_logrotate_enabled'
- '!logind_session_timeout'
# Following rules once had a prodtype incompatible with the rhel7 product
- '!kernel_config_gcc_plugin_structleak_byref_all'
- '!accounts_passwords_pam_tally2_deny_root'
Expand Down
1 change: 1 addition & 0 deletions products/rhel7/profiles/anssi_nt28_intermediary.profile
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ description: |-

selections:
- anssi:all:intermediary
- '!logind_session_timeout'
# Following rules once had a prodtype incompatible with the rhel7 product
- '!accounts_passwords_pam_tally2_deny_root'
- '!sysctl_kernel_unprivileged_bpf_disabled'
Expand Down
1 change: 1 addition & 0 deletions products/rhel7/profiles/anssi_nt28_minimal.profile
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ description: |-

selections:
- anssi:all:minimal
- '!logind_session_timeout'
# Following rules once had a prodtype incompatible with the rhel7 product
- '!cracklib_accounts_password_pam_minlen'
- '!package_dnf-automatic_installed'
Expand Down

0 comments on commit 9299819

Please sign in to comment.