피드 구독

ANSSI, the National Cybersecurity Agency of France (Agence nationale de la sécurité des systèmes d'information), provides a configuration guide for GNU/Linux systems. It's identified as ANSSI-BP-028 (formerly known as ANSSI DAT NT-028). Recently, ANSSI published an update of its ANSSI-BP-028 configuration recommendations. In this post, I review what has changed from version 1.2 to 2.0, and what it might mean for you as a Red Hat Enterprise Linux (RHEL) user. Most importantly, I also illustrate how to verify compliance of your systems with this updated Security Content Automation Protocol (SCAP) profile.

The first version of BP-028 was published in 2015. Red Hat introduced Security Content Automation Protocol (SCAP) content covering this version of recommendations in RHEL 7.9.7 and RHEL 8.5. After a series of minor changes, a major update of the guide, marked as version 2.0, was released in October 2022. We have concluded updating RHEL ANSSI SCAP profiles to align them with the latest version of the security recommendations.

ANSSI GNU/Linux configuration guide

The guide sets out a number of security measures that should be implemented to enhance the confidentiality, integrity, and availability of GNU/Linux information systems. It focuses on generally useful system configuration recommendations based on security principles and common sense practices that should be applied when deploying a system.

These recommendations are not specific to any use case, but are instead intentionally broad in scope. Evaluate them based on the purpose of the system being deployed and the ecosystem it's going to integrate into.

The guide defines 4 levels of hardening; Minimal, Intermediary, Enhanced, and High.

Some points covered by the guide:

  • General security and hardening principles
  • Hardware configuration
  • Securing the boot chain
  • Kernel configuration   
  • Privilege and access management
  • Configuration of system services
  • Partitioning solutions

The guide in English can be downloaded from https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf

What changed between ANSSI-BP-028 1.2 and 2.0?

The guide was restructured to better organize the principles and hardening recommendations, strongly emphasizing the principle you should have in mind when evaluating the recommendations.

 In version 2.0, the levels (Minimal, Intermediary, Enhanced, and High) remained the same, but the definitions have been updated. Most notably, the implementation of the Intermediary hardening level is now strongly recommended once the Minimal level is applied successfully. And the recommendations were updated to account for new technologies and threats, the next section mentions some of the recommendations that changed. For the full list of changes between versions, see appendix C of the ANSSI BP028 version 2.0.

Notable recommendations that changed hardening level

These recommendations have been moved from Intermediary to Enhanced:

  • Implementation of logging systems
  • Hardening of services and components
  • Partitioning of services
  • Creation of a dedicated group for sudo users

 Other recommendations' hardening levels have gone down:

  • Installation of strictly necessary packages dropped from Intermediary to Minimal
  • Disablement of unused user accounts dropped from Enhanced to Minimal
  • Configuration of Sticky bit on world writable directories dropped from Intermediary to Minimal
  • Configuration of a boot loader password dropped from Enhanced to Intermediary
  • Loading of Yama module dropped from Enhanced to Intermediary
  • Use of Mandatory Access Control (MAC) dropped from High to Enhanced
  • Activation of IOMMU dropped from High to Enhanced   

New recommendations have been added:

  • UEFI, secure boot and protection of kernel command lines
  • Configuration of memory options during boot. For example, Page Table Isolation and Speculative Store Bypass
  • Kernel compilation options like CONFIG_FORTIFY_SOURCE, CONFIG_MODULES, and CONFIG_SECCOMP
  • Restriction for files and directories without an associated owner

Automating compliance with ANSSI-BP-028 2.0

Like the ANSSI -BP-028 policy itself, Red Hat's SCAP content has been significantly updated.

Here are some interesting statistics collected through the tooling available in the upstream ComplianceAsCode/content project repository. First, let’s look at the state of the ANSSI BP028 High profile, which naturally corresponds with the High level of the underlying security policy. We can compare its coverage by our SCAP content between the last update of version 1.2 and the current state covering version 2.0.

Before we delve into exact numbers, let us define what the “coverage” of a control means in the context of the ComplianceAsCode/content project. When reading a security policy and expressing it with SCAP rules, we generally separate requirements (controls) into four main categories:

  • Fully covered: A control is assessed and fully covered by SCAP rules where possible. This can also mean that the whole requirement or its part cannot be automated for technical reasons. In this case, we try to achieve maximum possible coverage of the control
  • Partially covered: Part of the requirement is assessed and already automated with SCAP, but there's still some part of the requirement that requires analysis
  • Not assessed: The requirement is not assessed yet
  • Not applicable: The requirement is not applicable with regards to a product or a technology.  For example, there is a requirement specific to 32-bit Linux kernels (x86 architecture), but Red Hat Enterprise Linux 9 supports x86_64, Power, IBM Z, and ARM. In this case, the whole requirement is marked as not applicable

The profile corresponding to the security policy version 1.2 for RHEL 9 was composed of 204 rules. This version of security policy was composed of 69 controls. The SCAP content fully covered 27 controls (39.13%) and partially covered 14 more (additional 20.29%). The remaining 28 controls were not assessed.

The current coverage of the ANSSI-BP-028 High profile version 2.0 for RHEL 9 is much better. The updated profile now contains 432 rules. The policy defines 80 controls. It was decided that 4 controls are not applicable for Red Hat Enterprise Linux systems. All remaining 76 controls are fully assessed and where possible also automated.

You can read more about automating compliance with ANSSI security requirements in appendix B of the guide.

How to confirm that you are using the latest compliance automation

Anyone tasked with the security of an IT environment can appreciate ANSSI's efforts in clarifying the configuration recommendations and how they can be applied with automation tools in mind. Now you know the key takeaways from the update to ANSSI-BP-028 version 2.0, and its implications for securing your digital assets.

If you're using Red Hat Insights or Satellite, then the compliance automation content is updated automatically for you. If your source of the SCAP artifact is the scap-security-package, then update to the latest 0.1.73 version.


저자 소개

Vojtěch Polášek is a software engineer working within the security compliance subsystem in Red Hat. He studied computer networks and, later, information technology security at Masaryk University in Brno, Czech Republic.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

채널별 검색

automation icon

오토메이션

기술, 팀, 인프라를 위한 IT 자동화 최신 동향

AI icon

인공지능

고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트

open hybrid cloud icon

오픈 하이브리드 클라우드

하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요

security icon

보안

환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보

edge icon

엣지 컴퓨팅

엣지에서의 운영을 단순화하는 플랫폼 업데이트

Infrastructure icon

인프라

세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보

application development icon

애플리케이션

복잡한 애플리케이션에 대한 솔루션 더 보기

Original series icon

오리지널 쇼

엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리