Maintaining security for Linux systems can be a complex task, especially as your number of servers and applications increases. The SCAP Security Guide, which is used in various Red Hat technologies like Red Hat Enterprise Linux (RHEL), Red Hat Insights and Red Hat Satellite, can help you maintain system compliance with select security baselines.
In this post, we’ll share some details about the SCAP profiles for ANSSI-BP-028, a guideline published by Agence nationale de la sécurité des systèmes d’information (ANSSI), the French National Information Security Agency, and how you can use them to assist in hardening your RHEL 7 and 8 environments.
What is ANSSI-BP-028?
Among the guides published by ANSSI is ANSSI-BP-028, a document with configuration recommendations to harden Linux systems. It defines four levels of hardening that should be adhered to, based on the security level required by the system’s applications and workloads.
The hardening levels are defined as follows:
- Minimal - To be implemented on every system.
- Intermediary - Generally applies to services protected by several layers of higher-level security.
- Enhanced - Generally applies to systems exposed to non-authenticated flows.
- High - Applies to systems hosting sensitive data accessible from non-authenticated or poorly controlled networks.
A collaborative effort
To accelerate deployment of ANSSI BP-028 recommendations, Red Hat, in collaboration with ANSSI, worked on updating and improving the ANSSI BP-028 profiles available in the ComplianceAsCode project.
The outcome of this collaboration is a set of profiles aligned with v1.2 of ANSSI BP-028 featuring improvements in recommendation coverage that the whole hardening community can take advantage of.
Compliance profiles
From RHEL 8.5, the complete updated set of ANSSI-BP-028 v1.2 profiles encompassing the hardening levels is available in the scap-security-guide package. The same profile set, with minor adjustments, is also available in RHEL 7 (since RHEL 7.9.7).
The SCAP profiles for ANSSI-BP-028 are aligned with the hardening levels defined in the guide. There is one profile for each level, and the higher levels build upon the lower levels, just like in the configuration guide. (Note all names begin with "xccdf_org.ssgproject.content_profile_", such as xccdf_org.ssgproject.content_profile_anssi_nt28_minimal.)
| ANSSI-BP-028 Level | SCAP Security Guide Profile ID (RHEL 7) | SCAP Security Guide Profile ID (RHEL 8) |
|---|---|---|
| Minimal | anssi_nt28_minimal | anssi_bp28_minimal |
| Intermediary | anssi_nt28_intermediary | anssi_bp28_intermediary |
| Enhanced | anssi_nt28_enhanced | anssi_bp28_enhanced |
| High | anssi_nt28_high | anssi_bp28_high |
Important note: The RHEL 7 profiles are aligned with version 1.2, but for backward compatibility reasons they still retain the original IDs from version 1.1. Note that existing tailorings may stop working due to changes in the selected rules.
What do the profiles cover?
The configuration recommendations from ANSSI-BP-028 range from technical and specific settings to security principles and procedures that encompass the organization's administration, infrastructure and security strategy.
Some recommendations are not straightforward to automate. For example, recommendations that require analysis and judgment of the system state cannot be generally automated. This can include analyzing whether the services enabled in a system are essential for its operation or checking if the features enabled in a service are needed or hardened adequately.
Recommendations related to administrative procedures, such as ensuring that users perform specific operations or ensuring distinct configurations for administrative and regular user accounts, are also not easily automated. Each organization will have its own approach and processes to information security that cannot be generalized.
Red Hat aims to develop configuration profiles that can be used in a wide range of situations without being specific to a particular deployment. So the ANSSI profiles in SCAP Security Guide cover the recommendations that can be automated and remediated in most deployments.
The policy coverage per hardening level is illustrated in Figure 1.
Figure 1
The security recommendations that are automated by the profile are shown in bright green. The light green recommendations are partially automated, meaning that not all aspects of the recommendation are covered by automation and manual assessments need to be done.
The recommendations that we considered as not automatable are shown in blue. And the recommendations for which we don’t have an implementation are marked in bright orange.
Getting to know the profiles
The scap-security-guide-doc package includes HTML guides that describe the rules selected in the profiles. There you can read about the configuration changes enforced and why they are important. The HTML guides also include snippets of the remediations that will be applied if one chooses to remediate the system.
To install the RHEL 8 guides and view the profiles included, execute the following commands and view the corresponding HTML files in a Web browser:
sudo yum install scap-security-guide-doc
cd /usr/share/doc/scap-security-guide/
ls guides/ssg-rhel8-guide-anssi*.html
guides/ssg-rhel8-guide-anssi_bp28_enhanced.html
guides/ssg-rhel8-guide-anssi_bp28_high.html
guides/ssg-rhel8-guide-anssi_bp28_intermediary.html
guides/ssg-rhel8-guide-anssi_bp28_minimal.html
While going through the guides you’ll notice that each rule references one or more recommendations from ANSSI BP-028, and very likely requirements from other security policies. To facilitate tracking of coverage, the doc package includes a table mapping the ANSSI recommendations to the rules selected in the profiles.
cd /usr/share/doc/scap-security-guide/
ls tables/table-rhel8-guide-anssirefs.html
How to consume the profiles
The profiles are available in the scap-security-guide package and will require the OpenSCAP scanner to run the evaluations.
sudo yum install openscap-scanner scap-security-guide
For more information about how the SCAP Security Guide profiles can help you achieve compliance, check this post about the SCAP Security Guide. You can also refer to our Security Hardening documentation for RHEL 7 and RHEL 8 for detailed information. All of the profiles are bundled up in the data streams, which can be found at:
- On RHEL 8: /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
- On RHEL 7: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
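As an added example (not part of the original post), the script below resolves the full profile ID and data stream for a given RHEL major version and hardening level, following the table and paths above, and evaluates the host with `oscap xccdf eval`. The function names, the `--scan` argument and the result and report file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the ANSSI-BP-028 profile and data stream, then scan.

# Print the full XCCDF profile ID for a RHEL major version (7|8) and a
# hardening level (minimal|intermediary|enhanced|high).
anssi_profile_id() {
    case "$2" in
        minimal|intermediary|enhanced|high) ;;
        *) echo "unknown hardening level: $2" >&2; return 1 ;;
    esac
    case "$1" in
        7) prefix=anssi_nt28 ;;  # RHEL 7 retains the original v1.1 IDs
        8) prefix=anssi_bp28 ;;
        *) echo "unsupported RHEL major version: $1" >&2; return 1 ;;
    esac
    echo "xccdf_org.ssgproject.content_profile_${prefix}_$2"
}

# Print the data stream path shipped by scap-security-guide.
anssi_datastream() {
    case "$1" in
        7|8) echo "/usr/share/xml/scap/ssg/content/ssg-rhel$1-ds.xml" ;;
        *) echo "unsupported RHEL major version: $1" >&2; return 1 ;;
    esac
}

# Evaluate the local host; output file names are assumptions.
anssi_scan() {
    profile=$(anssi_profile_id "$1" "$2") || return 1
    ds=$(anssi_datastream "$1") || return 1
    [ -r "$ds" ] || { echo "data stream not found: $ds" >&2; return 1; }
    rc=0
    oscap xccdf eval --profile "$profile" \
        --results "anssi-$2-results.xml" --report "anssi-$2-report.html" \
        "$ds" || rc=$?
    # oscap exits 0 if all rules pass, 2 if the scan ran but the system
    # is not fully compliant, and 1 on error.
    case "$rc" in
        0) echo "compliant with $profile" ;;
        2) echo "non-compliant: see anssi-$2-report.html" ;;
        *) echo "oscap error (exit $rc)" >&2 ;;
    esac
    return "$rc"
}

# Scan only when asked, e.g.: sudo sh anssi-scan.sh --scan 8 enhanced
if [ "${1:-}" = "--scan" ]; then
    anssi_scan "$2" "$3"
fi
```

Treating exit status 2 separately from 1 lets a scheduled job distinguish a host that failed rules from a scan that did not run at all.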
Conclusion
In this post, we showed you how to use the ANSSI-BP-028 profile as a tool to help secure your RHEL systems. Special thanks to the agency for dedicating its time to discuss and clarify the configuration recommendations and how they can be applied with security content automation in mind.
About the author
Watson Sato has been working as a member of the Security Compliance Subsystem at Red Hat since 2016. While maintaining the SCAP and security compliance ecosystem, he has contributed to the development of key security profiles for Red Hat Enterprise Linux (RHEL), like the Health Insurance Portability and Accountability Act (HIPAA), the Center for Internet Security Benchmarks (CIS) and the Configuration recommendations for GNU/Linux from the National Cybersecurity Agency of France (ANSSI BP-028).