
Commit ec70dbd

Enable more rules for SLE16 ANSSI
1 parent baa7da4 commit ec70dbd

4 files changed

Lines changed: 81 additions & 146 deletions


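--- a/products/sle16/profiles/anssi_bp28_enhanced.profile
+++ b/products/sle16/profiles/anssi_bp28_enhanced.profile
@@ -27,71 +27,50 @@ selections:
 - var_sudo_dedicated_group=root
 - accounts_password_pam_pwhistory_remember
 - set_password_hashing_min_rounds_logindefs
-- '!accounts_password_pam_dcredit'
-- '!accounts_password_pam_lcredit'
-- '!accounts_password_pam_minclass'
-- '!accounts_password_pam_minlen'
-- '!accounts_password_pam_ocredit'
-- '!accounts_password_pam_retry'
-- '!accounts_password_pam_ucredit'
-- '!accounts_password_pam_unix_remember'
-- '!accounts_password_pam_unix_rounds_password_auth'
+- '!cracklib_accounts_password_pam_dcredit'
+- '!cracklib_accounts_password_pam_lcredit'
+- '!cracklib_accounts_password_pam_minlen'
+- '!cracklib_accounts_password_pam_ocredit'
+- '!cracklib_accounts_password_pam_ucredit'
 - '!accounts_password_pam_unix_rounds_system_auth'
-- '!accounts_passwords_pam_faillock_deny_root'
-- '!accounts_passwords_pam_faillock_deny'
-- '!accounts_passwords_pam_faillock_interval'
-- '!accounts_passwords_pam_faillock_unlock_time'
 - '!accounts_passwords_pam_tally2_deny_root'
 - '!accounts_passwords_pam_tally2_unlock_time'
 - '!accounts_passwords_pam_tally2'
+- '!aide_periodic_cron_checking'
 - '!all_apparmor_profiles_enforced'
 - '!apparmor_configured'
-- '!audit_rules_dac_modification_fchmodat2'
-- '!audit_rules_file_deletion_events_renameat2'
 - '!audit_rules_immutable'
-- '!audit_rules_mac_modification_etc_selinux'
 - '!dnf-automatic_apply_updates'
 - '!dnf-automatic_security_updates_only'
 - '!enable_authselect'
 - '!ensure_almalinux_gpgkey_installed'
 - '!ensure_oracle_gpgkey_installed'
 - '!ensure_redhat_gpgkey_installed'
-- '!file_groupowner_etc_chrony_keys'
 - '!file_groupowner_user_cfg'
 - '!file_owner_user_cfg'
 - '!file_permissions_sudo'
 - '!file_permissions_user_cfg'
 - '!grub2_enable_apparmor'
-- '!grub2_mds_argument'
-- '!grub2_page_alloc_shuffle_argument'
-- '!grub2_page_poison_argument'
-- '!grub2_pti_argument'
-- '!grub2_slub_debug_argument'
+- '!kernel_config_arm64_sw_ttbr0_pan'
+- '!kernel_config_gcc_plugin_latent_entropy'
+- '!kernel_config_gcc_plugin_randstruct'
+- '!kernel_config_gcc_plugin_stackleak'
+- '!kernel_config_gcc_plugin_structleak_byref_all'
+- '!kernel_config_gcc_plugin_structleak'
+- '!kernel_config_legacy_vsyscall_emulate'
+- '!kernel_config_modify_ldt_syscall'
+- '!kernel_config_refcount_full'
+- '!kernel_config_slab_merge_default'
 - '!ldap_client_start_tls'
 - '!ldap_client_tls_cacertpath'
-- '!mount_option_tmp_noexec'
 - '!no_nis_in_nsswitch'
 - '!package_apparmor_installed'
 - '!package_dnf-automatic_installed'
 - '!package_dracut-fips-aesni_installed'
-- '!package_kea_removed'
 - '!package_pam_apparmor_installed'
 - '!package_rsh_removed'
 - '!package_rsh-server_removed'
-- '!package_sendmail_removed'
-- '!package_sequoia-sq_installed'
-- '!package_talk_removed'
-- '!package_talk-server_removed'
-- '!package_xinetd_removed'
 - '!package_ypbind_removed'
 - '!package_ypserv_removed'
-- '!service_chronyd_enabled'
-- '!set_password_hashing_algorithm_systemauth'
-- '!sysctl_fs_protected_fifos'
-- '!sysctl_fs_protected_regular'
-- '!sysctl_kernel_unprivileged_bpf_disabled'
-- '!sysctl_kernel_yama_ptrace_scope'
-- '!sysctl_net_core_bpf_jit_harden'
-- '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
-- '!sysctl_net_ipv6_conf_all_autoconf'
+- '!sebool_secure_mode_insmod'
 - '!timer_dnf-automatic_enabled'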
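Review bot: `'!set_password_hashing_algorithm_systemauth'` is dropped from the exclusion list while `'!accounts_password_pam_unix_rounds_system_auth'` stays as a context line, yet by their names both rules act on the same system-auth PAM stack; the same pair is left in this state in anssi_bp28_high, anssi_bp28_intermediary and anssi_bp28_minimal. If the rounds rule is excluded because SLE16 does not ship that PAM stack, the hashing-algorithm rule presumably needs the same exclusion; if the hashing line was dropped only because the control file no longer selects the rule for this level, the remaining rounds exclusion may be equally stale. A short YAML comment above the exclusion that remains, e.g. `# targets /etc/pam.d/system-auth; confirm whether this stack exists on SLE16`, would record which case applies and stop the next cleanup from guessing.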

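--- a/products/sle16/profiles/anssi_bp28_high.profile
+++ b/products/sle16/profiles/anssi_bp28_high.profile
@@ -27,99 +27,50 @@ selections:
 - var_sudo_dedicated_group=root
 - accounts_password_pam_pwhistory_remember
 - set_password_hashing_min_rounds_logindefs
-- '!accounts_password_pam_dcredit'
-- '!accounts_password_pam_lcredit'
-- '!accounts_password_pam_minclass'
-- '!accounts_password_pam_minlen'
-- '!accounts_password_pam_ocredit'
-- '!accounts_password_pam_retry'
-- '!accounts_password_pam_ucredit'
-- '!accounts_password_pam_unix_remember'
-- '!accounts_password_pam_unix_rounds_password_auth'
+- '!cracklib_accounts_password_pam_dcredit'
+- '!cracklib_accounts_password_pam_lcredit'
+- '!cracklib_accounts_password_pam_minlen'
+- '!cracklib_accounts_password_pam_ocredit'
+- '!cracklib_accounts_password_pam_ucredit'
 - '!accounts_password_pam_unix_rounds_system_auth'
-- '!accounts_passwords_pam_faillock_deny_root'
-- '!accounts_passwords_pam_faillock_deny'
-- '!accounts_passwords_pam_faillock_interval'
-- '!accounts_passwords_pam_faillock_unlock_time'
 - '!accounts_passwords_pam_tally2_deny_root'
 - '!accounts_passwords_pam_tally2_unlock_time'
 - '!accounts_passwords_pam_tally2'
 - '!aide_periodic_cron_checking'
 - '!all_apparmor_profiles_enforced'
 - '!apparmor_configured'
-- '!audit_rules_dac_modification_fchmodat2'
-- '!audit_rules_file_deletion_events_renameat2'
 - '!audit_rules_immutable'
-- '!audit_rules_mac_modification_etc_selinux'
 - '!dnf-automatic_apply_updates'
 - '!dnf-automatic_security_updates_only'
 - '!enable_authselect'
 - '!ensure_almalinux_gpgkey_installed'
 - '!ensure_oracle_gpgkey_installed'
 - '!ensure_redhat_gpgkey_installed'
-- '!file_groupowner_etc_chrony_keys'
 - '!file_groupowner_user_cfg'
 - '!file_owner_user_cfg'
 - '!file_permissions_sudo'
 - '!file_permissions_user_cfg'
 - '!grub2_enable_apparmor'
-- '!grub2_mds_argument'
-- '!grub2_page_alloc_shuffle_argument'
-- '!grub2_page_poison_argument'
-- '!grub2_pti_argument'
-- '!grub2_slub_debug_argument'
 - '!kernel_config_arm64_sw_ttbr0_pan'
-- '!kernel_config_bug_on_data_corruption'
-- '!kernel_config_debug_wx'
-- '!kernel_config_fortify_source'
 - '!kernel_config_gcc_plugin_latent_entropy'
 - '!kernel_config_gcc_plugin_randstruct'
 - '!kernel_config_gcc_plugin_stackleak'
 - '!kernel_config_gcc_plugin_structleak_byref_all'
 - '!kernel_config_gcc_plugin_structleak'
-- '!kernel_config_hardened_usercopy_fallback'
-- '!kernel_config_hardened_usercopy'
 - '!kernel_config_legacy_vsyscall_emulate'
-- '!kernel_config_legacy_vsyscall_none'
-- '!kernel_config_legacy_vsyscall_xonly'
 - '!kernel_config_modify_ldt_syscall'
-- '!kernel_config_page_poisoning'
 - '!kernel_config_refcount_full'
-- '!kernel_config_sched_stack_end_check'
-- '!kernel_config_slab_freelist_hardened'
-- '!kernel_config_slab_freelist_random'
 - '!kernel_config_slab_merge_default'
-- '!kernel_config_stackprotector_strong'
-- '!kernel_config_stackprotector'
-- '!kernel_config_strict_kernel_rwx'
-- '!kernel_config_strict_module_rwx'
-- '!kernel_config_vmap_stack'
 - '!ldap_client_start_tls'
 - '!ldap_client_tls_cacertpath'
-- '!mount_option_tmp_noexec'
 - '!no_nis_in_nsswitch'
 - '!package_apparmor_installed'
 - '!package_dnf-automatic_installed'
 - '!package_dracut-fips-aesni_installed'
-- '!package_kea_removed'
 - '!package_pam_apparmor_installed'
 - '!package_rsh_removed'
 - '!package_rsh-server_removed'
-- '!package_sendmail_removed'
-- '!package_sequoia-sq_installed'
-- '!package_talk_removed'
-- '!package_talk-server_removed'
-- '!package_xinetd_removed'
 - '!package_ypbind_removed'
 - '!package_ypserv_removed'
 - '!sebool_secure_mode_insmod'
-- '!service_chronyd_enabled'
-- '!set_password_hashing_algorithm_systemauth'
-- '!sysctl_fs_protected_fifos'
-- '!sysctl_fs_protected_regular'
-- '!sysctl_kernel_unprivileged_bpf_disabled'
-- '!sysctl_kernel_yama_ptrace_scope'
-- '!sysctl_net_core_bpf_jit_harden'
-- '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
-- '!sysctl_net_ipv6_conf_all_autoconf'
 - '!timer_dnf-automatic_enabled'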
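Review bot: `'!audit_rules_mac_modification_etc_selinux'` is removed here (and in anssi_bp28_enhanced) so that rule becomes selectable, while `'!sebool_secure_mode_insmod'`, `'!apparmor_configured'` and `'!all_apparmor_profiles_enforced'` stay excluded as context lines. Read together, the profile still treats SLE16 as an AppArmor system for the SELinux boolean but now expects an audit watch on /etc/selinux; if the audit rule is no longer selected by the control file for this level the line is harmless dead cleanup, but if it is still selected it will presumably fail or remediate a path that does not exist on the product. A comment on the SELinux exclusion that remains, such as `# SELinux-specific; SLE16 uses AppArmor — keep excluded`, would make the intended MAC baseline explicit and show which of the two readings the author meant.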

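--- a/products/sle16/profiles/anssi_bp28_intermediary.profile
+++ b/products/sle16/profiles/anssi_bp28_intermediary.profile
@@ -27,56 +27,50 @@ selections:
 - var_sudo_dedicated_group=root
 - accounts_password_pam_pwhistory_remember
 - set_password_hashing_min_rounds_logindefs
-- '!accounts_password_pam_dcredit'
-- '!accounts_password_pam_lcredit'
-- '!accounts_password_pam_minclass'
-- '!accounts_password_pam_minlen'
-- '!accounts_password_pam_ocredit'
-- '!accounts_password_pam_retry'
-- '!accounts_password_pam_ucredit'
-- '!accounts_password_pam_unix_remember'
-- '!accounts_password_pam_unix_rounds_password_auth'
+- '!cracklib_accounts_password_pam_dcredit'
+- '!cracklib_accounts_password_pam_lcredit'
+- '!cracklib_accounts_password_pam_minlen'
+- '!cracklib_accounts_password_pam_ocredit'
+- '!cracklib_accounts_password_pam_ucredit'
 - '!accounts_password_pam_unix_rounds_system_auth'
-- '!accounts_passwords_pam_faillock_deny_root'
-- '!accounts_passwords_pam_faillock_deny'
-- '!accounts_passwords_pam_faillock_interval'
-- '!accounts_passwords_pam_faillock_unlock_time'
 - '!accounts_passwords_pam_tally2_deny_root'
 - '!accounts_passwords_pam_tally2_unlock_time'
 - '!accounts_passwords_pam_tally2'
+- '!aide_periodic_cron_checking'
+- '!all_apparmor_profiles_enforced'
+- '!apparmor_configured'
+- '!audit_rules_immutable'
 - '!dnf-automatic_apply_updates'
 - '!dnf-automatic_security_updates_only'
 - '!enable_authselect'
 - '!ensure_almalinux_gpgkey_installed'
 - '!ensure_oracle_gpgkey_installed'
 - '!ensure_redhat_gpgkey_installed'
-- '!file_groupowner_etc_chrony_keys'
-- '!grub2_mds_argument'
-- '!grub2_page_alloc_shuffle_argument'
-- '!grub2_page_poison_argument'
-- '!grub2_pti_argument'
-- '!grub2_slub_debug_argument'
+- '!file_groupowner_user_cfg'
+- '!file_owner_user_cfg'
+- '!file_permissions_sudo'
+- '!file_permissions_user_cfg'
+- '!grub2_enable_apparmor'
+- '!kernel_config_arm64_sw_ttbr0_pan'
+- '!kernel_config_gcc_plugin_latent_entropy'
+- '!kernel_config_gcc_plugin_randstruct'
+- '!kernel_config_gcc_plugin_stackleak'
+- '!kernel_config_gcc_plugin_structleak_byref_all'
+- '!kernel_config_gcc_plugin_structleak'
+- '!kernel_config_legacy_vsyscall_emulate'
+- '!kernel_config_modify_ldt_syscall'
+- '!kernel_config_refcount_full'
+- '!kernel_config_slab_merge_default'
 - '!ldap_client_start_tls'
 - '!ldap_client_tls_cacertpath'
-- '!mount_option_tmp_noexec'
 - '!no_nis_in_nsswitch'
+- '!package_apparmor_installed'
 - '!package_dnf-automatic_installed'
-- '!package_kea_removed'
+- '!package_dracut-fips-aesni_installed'
+- '!package_pam_apparmor_installed'
 - '!package_rsh_removed'
 - '!package_rsh-server_removed'
-- '!package_sendmail_removed'
-- '!package_sequoia-sq_installed'
-- '!package_talk_removed'
-- '!package_talk-server_removed'
-- '!package_xinetd_removed'
 - '!package_ypbind_removed'
 - '!package_ypserv_removed'
-- '!set_password_hashing_algorithm_systemauth'
-- '!sysctl_fs_protected_fifos'
-- '!sysctl_fs_protected_regular'
-- '!sysctl_kernel_unprivileged_bpf_disabled'
-- '!sysctl_kernel_yama_ptrace_scope'
-- '!sysctl_net_core_bpf_jit_harden'
-- '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
-- '!sysctl_net_ipv6_conf_all_autoconf'
+- '!sebool_secure_mode_insmod'
 - '!timer_dnf-automatic_enabled'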
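Review bot: The commit title says it enables more rules, but this hunk adds 28 new exclusions to the intermediary level (the AppArmor set, `'!file_permissions_sudo'`, the `'!file_*_user_cfg'` trio, ten `'!kernel_config_*'` lines, `'!package_dracut-fips-aesni_installed'`, `'!sebool_secure_mode_insmod'`, `'!aide_periodic_cron_checking'`), and anssi_bp28_minimal gains a similar block of 31 with no stated reason in the message or the file. These presumably mirror the exclusions the enhanced profile already carried, i.e. rules that the ANSSI control file now selects for lower levels but that SLE16 cannot satisfy, but a reader of the profile cannot tell that from a bare list, and `'!aide_periodic_cron_checking'` in particular turns off an integrity-check rule at every level. A one-line YAML comment introducing the group, e.g. `# selected by the ANSSI control file for this level but not applicable to SLE16` (with a separate line for the AIDE rule naming what replaces the cron check, if anything), would let future reviewers distinguish deliberate gaps from forgotten ones.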

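--- a/products/sle16/profiles/anssi_bp28_minimal.profile
+++ b/products/sle16/profiles/anssi_bp28_minimal.profile
@@ -27,39 +27,50 @@ selections:
 - var_sudo_dedicated_group=root
 - accounts_password_pam_pwhistory_remember
 - set_password_hashing_min_rounds_logindefs
-- '!accounts_password_pam_dcredit'
-- '!accounts_password_pam_lcredit'
-- '!accounts_password_pam_minclass'
-- '!accounts_password_pam_minlen'
-- '!accounts_password_pam_ocredit'
-- '!accounts_password_pam_retry'
-- '!accounts_password_pam_ucredit'
-- '!accounts_password_pam_unix_remember'
-- '!accounts_password_pam_unix_rounds_password_auth'
+- '!cracklib_accounts_password_pam_dcredit'
+- '!cracklib_accounts_password_pam_lcredit'
+- '!cracklib_accounts_password_pam_minlen'
+- '!cracklib_accounts_password_pam_ocredit'
+- '!cracklib_accounts_password_pam_ucredit'
 - '!accounts_password_pam_unix_rounds_system_auth'
-- '!accounts_passwords_pam_faillock_deny_root'
-- '!accounts_passwords_pam_faillock_deny'
-- '!accounts_passwords_pam_faillock_interval'
-- '!accounts_passwords_pam_faillock_unlock_time'
 - '!accounts_passwords_pam_tally2_deny_root'
 - '!accounts_passwords_pam_tally2_unlock_time'
 - '!accounts_passwords_pam_tally2'
+- '!aide_periodic_cron_checking'
+- '!all_apparmor_profiles_enforced'
+- '!apparmor_configured'
+- '!audit_rules_immutable'
 - '!dnf-automatic_apply_updates'
 - '!dnf-automatic_security_updates_only'
 - '!enable_authselect'
 - '!ensure_almalinux_gpgkey_installed'
 - '!ensure_oracle_gpgkey_installed'
 - '!ensure_redhat_gpgkey_installed'
+- '!file_groupowner_user_cfg'
+- '!file_owner_user_cfg'
+- '!file_permissions_sudo'
+- '!file_permissions_user_cfg'
+- '!grub2_enable_apparmor'
+- '!kernel_config_arm64_sw_ttbr0_pan'
+- '!kernel_config_gcc_plugin_latent_entropy'
+- '!kernel_config_gcc_plugin_randstruct'
+- '!kernel_config_gcc_plugin_stackleak'
+- '!kernel_config_gcc_plugin_structleak_byref_all'
+- '!kernel_config_gcc_plugin_structleak'
+- '!kernel_config_legacy_vsyscall_emulate'
+- '!kernel_config_modify_ldt_syscall'
+- '!kernel_config_refcount_full'
+- '!kernel_config_slab_merge_default'
+- '!ldap_client_start_tls'
+- '!ldap_client_tls_cacertpath'
+- '!no_nis_in_nsswitch'
+- '!package_apparmor_installed'
 - '!package_dnf-automatic_installed'
-- '!package_kea_removed'
+- '!package_dracut-fips-aesni_installed'
+- '!package_pam_apparmor_installed'
 - '!package_rsh_removed'
 - '!package_rsh-server_removed'
-- '!package_sendmail_removed'
-- '!package_sequoia-sq_installed'
-- '!package_talk_removed'
-- '!package_talk-server_removed'
-- '!package_xinetd_removed'
 - '!package_ypbind_removed'
 - '!package_ypserv_removed'
-- '!set_password_hashing_algorithm_systemauth'
+- '!sebool_secure_mode_insmod'
 - '!timer_dnf-automatic_enabled'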
