Maintaining security for Linux systems can be a complex task, especially as your number of servers and applications increases. The SCAP Security Guide, which is used in various Red Hat technologies like Red Hat Enterprise Linux (RHEL), Red Hat Insights and Red Hat Satellite, can help you maintain system compliance with select security baselines.
In this post, we’ll share some details about the SCAP profiles for ANSSI-BP-028, a guideline published by Agence nationale de la sécurité des systèmes d’information (ANSSI), the French National Information Security Agency, and how you can use them to assist in hardening your RHEL 7 and 8 environments.
What is ANSSI-BP-028?
Among the guides published by ANSSI is ANSSI-BP-028, a document with configuration recommendations to harden Linux systems. It defines four levels of hardening that should be adhered to, based on the security level required by the system’s applications and workloads.
The hardening levels are defined as follows:
- Minimal - To be implemented on every system.
- Intermediary - Generally applies to services protected by several layers of higher-level security.
- Enhanced - Generally applies to systems exposed to non-authenticated flows.
- High - Applies to systems hosting sensitive data accessible from non-authenticated or poorly controlled networks.
A collaborative effort
To accelerate deployment of ANSSI BP-028 recommendations, Red Hat, in collaboration with ANSSI, worked on updating and improving the ANSSI BP-028 profiles available in the ComplianceAsCode project.
The outcome of this collaboration is a set of profiles aligned with v1.2 of ANSSI BP-028 featuring improvements in recommendation coverage that the whole hardening community can take advantage of.
Compliance profiles
From RHEL 8.5, the complete updated set of ANSSI-BP-028 v1.2 profiles encompassing the hardening levels is available in the scap-security-guide package. The same profile set, with minor adjustments, is also available in RHEL 7 (since RHEL 7.9.7).
The SCAP profiles for ANSSI-BP-028 are aligned with the hardening levels defined in the guide. There is one profile for each level, and the higher levels build upon the lower levels, just like in the configuration guide. (Note all names begin with "xccdf_org.ssgproject.content_profile_", such as xccdf_org.ssgproject.content_profile_anssi_nt28_minimal.)
| ANSSI-BP-028 Level | SCAP Security Guide Profile ID (RHEL 7) | SCAP Security Guide Profile ID (RHEL 8) |
|---|---|---|
| Minimal | anssi_nt28_minimal | anssi_bp28_minimal |
| Intermediary | anssi_nt28_intermediary | anssi_bp28_intermediary |
| Enhanced | anssi_nt28_enhanced | anssi_bp28_enhanced |
| High | anssi_nt28_high | anssi_bp28_high |
Important note: The RHEL 7 profiles are aligned with version 1.2, but for backward compatibility reasons they still retain the original IDs from version 1.1. Note that existing tailorings may stop working due to changes in the selected rules.
What do the profiles cover?
The configuration recommendations from ANSSI-BP-028 range from technical and specific settings to security principles and procedures that encompass the organization's administration, infrastructure and security strategy.
Some recommendations are not straightforward to automate. For example, recommendations that require analysis and judgment of the system state cannot be generally automated. This can include analyzing whether the services enabled in a system are essential for its operation or checking if the features enabled in a service are needed or hardened adequately.
Recommendations related to administrative procedures, such as ensuring that users perform specific operations or ensuring distinct configurations for administrative and regular user accounts, are also not easily automated. Each organization will have its own approach and processes to information security that cannot be generalized.
Red Hat aims to develop configuration profiles that can be used in a wide range of situations without being specific to a particular deployment. So the ANSSI profiles in SCAP Security Guide cover the recommendations that can be automated and remediated in most deployments.
The policy coverage per hardening level is illustrated in Figure 1.
Figure 1
The security recommendations that are automated by the profile are shown in bright green. The light green recommendations are partially automated, meaning that not all aspects of the recommendation are covered by automation and manual assessments need to be done.
The recommendations that we considered as not automatable are shown in blue. And the recommendations for which we don’t have an implementation are marked in bright orange.
Getting to know the profiles
The scap-security-guide-doc package includes HTML guides that describe the rules selected in the profiles, so you can read about the configuration changes enforced and why they are important. The HTML guides also include snippets of the remediations that will be applied if one chooses to remediate the system.
To install the RHEL 8 guides and view the profiles included, execute the following commands and view the corresponding HTML files in a Web browser:
    sudo yum install scap-security-guide-doc
    cd /usr/share/doc/scap-security-guide/
    ls guides/ssg-rhel8-guide-anssi*.html
    guides/ssg-rhel8-guide-anssi_bp28_enhanced.html
    guides/ssg-rhel8-guide-anssi_bp28_high.html
    guides/ssg-rhel8-guide-anssi_bp28_intermediary.html
    guides/ssg-rhel8-guide-anssi_bp28_minimal.html
While going through the guides you’ll notice that each rule references one or more recommendations from ANSSI BP-028, and very likely requirements from other security policies. To facilitate tracking of coverage, the doc package includes a table mapping the ANSSI recommendations to the rules selected in the profiles.
    cd /usr/share/doc/scap-security-guide/
    ls tables/table-rhel8-guide-anssirefs.html
How to consume the profiles
The profiles are available in the scap-security-guide package and will require the OpenSCAP scanner to run the evaluations.
sudo yum install openscap-scanner scap-security-guide
For more information about how the SCAP Security Guide profiles can help you achieve compliance, check this post about the SCAP Security Guide. You can also refer to our Security Hardening documentation for RHEL 7 and RHEL 8 for detailed information. All of the profiles are bundled up in the data streams, which can be found at:
- On RHEL 8: /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
- On RHEL 7: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
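As an added example (not part of the original post or of Red Hat's tooling), the shell functions below resolve the profile ID and data stream for a given RHEL major version and hardening level, then run the OpenSCAP scanner and interpret its exit status. The function names and the output file names are assumptions of this example; the profile IDs and data stream paths are the ones listed above.

```bash
#!/usr/bin/env bash
# Added example: evaluate a host against an ANSSI-BP-028 SCAP profile.
# Function names and output file names are assumptions of this example.

PROFILE_PREFIX="xccdf_org.ssgproject.content_profile_"

# Build the full profile ID. RHEL 7 keeps the v1.1 "nt28" IDs, RHEL 8 uses "bp28".
anssi_profile_id() {
    local major="$1" level="$2" family
    case "$major" in
        7) family="anssi_nt28" ;;
        8) family="anssi_bp28" ;;
        *) echo "unsupported RHEL major version: $major" >&2; return 1 ;;
    esac
    case "$level" in
        minimal|intermediary|enhanced|high) ;;
        *) echo "unknown hardening level: $level" >&2; return 1 ;;
    esac
    printf '%s%s_%s\n' "$PROFILE_PREFIX" "$family" "$level"
}

# Path of the data stream shipped by the scap-security-guide package.
anssi_datastream() {
    case "$1" in
        7|8) printf '/usr/share/xml/scap/ssg/content/ssg-rhel%s-ds.xml\n' "$1" ;;
        *) echo "unsupported RHEL major version: $1" >&2; return 1 ;;
    esac
}

# Scan the local host; writes XML results and an HTML report into $3.
# oscap exits 0 when all rules pass, 2 when a rule fails or is unknown, 1 on error.
anssi_scan() {
    local major="$1" level="$2" outdir="${3:-.}" profile ds rc=0
    profile="$(anssi_profile_id "$major" "$level")" || return 1
    ds="$(anssi_datastream "$major")" || return 1
    [ -r "$ds" ] || { echo "data stream not found: $ds" >&2; return 1; }
    oscap xccdf eval --profile "$profile" \
        --results "$outdir/anssi-$level-results.xml" \
        --report "$outdir/anssi-$level-report.html" "$ds" || rc=$?
    case "$rc" in
        0) echo "compliant with $profile" ;;
        2) echo "non-compliant, see $outdir/anssi-$level-report.html" ;;
        *) echo "oscap failed (exit $rc)" >&2 ;;
    esac
    return "$rc"
}

# Usage on a RHEL 8 host, typically as root: anssi_scan 8 minimal /root
```

Because an exit status of 2 means "scan completed, at least one rule did not pass", treat it as a compliance finding rather than a tool failure when wiring this into scheduled jobs or CI.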
Conclusion
In this post, we showed you how to use the ANSSI-BP-028 profile as a tool to help secure your RHEL systems. Special thanks to the agency for dedicating its time to discuss and clarify the configuration recommendations and how they can be applied with security content automation in mind.
About the author
Watson Sato has been working as a member of the Security Compliance Subsystem at Red Hat since 2016. While maintaining the SCAP and security compliance ecosystem, he has contributed to the development of key security profiles for Red Hat Enterprise Linux (RHEL), like the Health Insurance Portability and Accountability Act (HIPAA), the Center for Internet Security Benchmarks (CIS) and the Configuration recommendations for GNU/Linux from the National Cybersecurity Agency of France (ANSSI BP-028).