Implementing ANSSI security recommendations for RHEL 7 and 8

Maintaining security for Linux systems can be a complex task, especially as your number of servers and applications increases. The SCAP Security Guide, which is used in various Red Hat technologies like Red Hat Enterprise Linux (RHEL), Red Hat Insights and Red Hat Satellite, can help you maintain system compliance with select security baselines. 

In this post, we’ll share some details about the SCAP profiles for ANSSI-BP-028, a guideline published by Agence nationale de la sécurité des systèmes d’information (ANSSI), the French National Information Security Agency, and how you use them to assist in hardening your RHEL 7 and 8 environments. 

What is ANSSI-BP-028?

Among the guides published by ANSSI is ANSSI-BP-028, a document with configuration recommendations to harden Linux systems. It defines four levels of hardening that should be adhered to, based on the security level required by the system’s applications and workloads. 

The hardening levels are defined as follows:

• Minimal - To be implemented on every system.

• Intermediary - Generally applies to services protected by several layers of higher-level security.

• Enhanced - Generally applies to systems exposed to non-authenticated flows.

• High - Applies to systems hosting sensitive data accessible from non-authenticated or poorly controlled networks.

A collaborative effort

To accelerate deployment of ANSSI BP-028 recommendations Red Hat, in collaboration with ANSSI, worked on updating and improving the ANSSI BP-028 profiles available in the ComplianceAsCode project.

The outcome of this collaboration is a set of profiles aligned with v1.2 of ANSSI BP-028 featuring improvements in recommendation coverage that the whole hardening community can take advantage of.

Compliance profiles

From RHEL 8.5, the complete updated set of ANSSI-BP-028 v1.2 profiles encompassing the hardening levels is available in the scap-security-guide package. The same profile set, with minor adjustments, is also available in RHEL 7 (since RHEL 7.9.7).

The SCAP profiles for ANSSI-BP-028 are aligned with the hardening levels defined in the guide. There is one profile for each level, and the higher levels build upon the lower levels, just like in the configuration guide. (Note all names begin with "xccdf_org.ssgproject.content_profile_" such as xccdf_org.ssgproject.content_profile_anssi_nt28_minimal.)

What do the profiles cover?

The configuration recommendations from ANSSI-BP-028 range from technical and specific settings to security principles and procedures that encompass the organization's administration, infrastructure and security strategy.

Some recommendations are not straightforward to automate. For example, recommendations that require analysis and judgment of the system state cannot be generally automated. This can include analyzing whether the services enabled in a system are essential for its operation or checking if the features enabled in a service are needed or hardened adequately.

Recommendations related to administrative procedures, such as ensuring that users perform specific operations or ensuring distinct configurations for administrative and regular user accounts, are also not easily automated. Each organization will have its own approach and processes to information security that cannot be generalized.

Red Hat aims to develop configuration profiles that can be used in a wide range of situations without being specific for a particular deployment. So the ANSSI profiles in SCAP Security Guide cover the recommendations that can be automated and remediated in most of the deployments.

The policy coverage per hardening level is illustrated in Figure 1. Figure 1

The security recommendations that are automated by the profile are shown in bright green. The light green recommendations are partially automated, it means that not all aspects of the recommendation are covered by automation and manual assessments need to be done. 

The recommendations that we considered as not automatable are shown in blue. And the recommendations for which we don’t have an implementation are marked in bright orange.

Getting to know the the profiles

The scap-security-guide-doc package includes HTML guides that describe the rules selected in the profiles, you can read about the configuration changes enforced and why they are important. The HTML guides also include snippets of the remediations that will be applied if one chooses to remediate the system.

To install the RHEL 8 guides and view the profiles included, execute the following commands and view the corresponding HTML files in a Web browser:

sudo yum install scap-security-guide-doc
cd /usr/share/doc/scap-security-guide/ 
ls guides/ssg-rhel8-guide-anssi*.html 
guides/ssg-rhel8-guide-anssi_bp28_enhanced.html  
guides/ssg-rhel8-guide-anssi_bp28_high.html 
guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 
guides/ssg-rhel8-guide-anssi_bp28_minimal.html

While going through the guides you’ll notice that each rule references one or more recommendations from ANSSI BP-028, and very likely requirements from other security policies. To facilitate tracking of coverage, the doc package includes a table mapping the ANSSI recommendations to the rules selected in the profiles.

cd /usr/share/doc/scap-security-guide/ ls tables/table-rhel8-guide-anssirefs.html

How to consume the profiles

The profiles are available in the scap-security-guide package and will require the OpenSCAP scanner to run the evaluations. 

sudo yum install openscap-scanner scap-security-guide

For more information about how the SCAP Security Guide profiles can help you achieve compliance, check this post about the SCAP Security Guide. You can also refer to our Security Hardening documentation for RHEL 7 and RHEL 8 for detailed information. All of the profiles are bundled up in the data streams, which can be found at:

• On RHEL 8: /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

• On RHEL 7: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Conclusion

In this post, we showed you how to use the ANSSI-BP-028 profile as a tool to help secure your RHEL systems. Special thanks to the agency for dedicating its time to discuss and clarify the configuration recommendations and how they can be applied with security content automation in mind.