-
Notifications
You must be signed in to change notification settings - Fork 708
/
Copy pathanssi_bp28_high.profile
59 lines (52 loc) · 2.27 KB
/
anssi_bp28_high.profile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
documentation_complete: true
metadata:
SMEs:
- marcusburghardt
- yuumasato
title: 'ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
selections:
- anssi:all:high
- var_password_hashing_algorithm=SHA512
- var_password_pam_unix_rounds=65536
# the following rule renders UEFI systems unbootable
- '!sebool_secure_mode_insmod'
# Following rules once had a prodtype incompatible with the rhel9 product
- '!partition_for_opt'
- '!accounts_passwords_pam_tally2_deny_root'
- '!install_PAE_kernel_on_x86-32'
- '!partition_for_boot'
- '!aide_periodic_checking_systemd_timer'
- '!sudo_add_ignore_dot'
- '!audit_rules_privileged_commands_rmmod'
- '!audit_rules_privileged_commands_modprobe'
- '!package_dracut-fips-aesni_installed'
- '!cracklib_accounts_password_pam_lcredit'
- '!partition_for_usr'
- '!cracklib_accounts_password_pam_ocredit'
- '!enable_pam_namespace'
- '!audit_rules_privileged_commands_insmod'
- '!service_chronyd_or_ntpd_enabled'
- '!chronyd_configure_pool_and_server'
- '!accounts_passwords_pam_tally2'
- '!cracklib_accounts_password_pam_ucredit'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!sudo_add_umask'
- '!sudo_add_env_reset'
- '!cracklib_accounts_password_pam_minlen'
- '!cracklib_accounts_password_pam_dcredit'
- '!ensure_oracle_gpgkey_installed'
- '!package_kea_removed'
# disable R45: Enable AppArmor security profiles
- '!apparmor_configured'
- '!all_apparmor_profiles_enforced'
- '!grub2_enable_apparmor'
- '!package_apparmor_installed'
- '!package_pam_apparmor_installed'