Merge pull request ComplianceAsCode#11787 from Mab879/rhel10_anssi_init

Add ANSSI Profiles for RHEL 10

products/rhel10/profiles/anssi_bp28_enhanced.profile

@@ -0,0 +1,55 @@
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - marcusburghardt
+        - vojtapolasek
+
+title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+    An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+    https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
+selections:
+    - anssi:all:enhanced
+    # Following rules are incompatible with the rhel10 product
+    - '!partition_for_opt'
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!install_PAE_kernel_on_x86-32'
+    - '!partition_for_boot'
+    - '!sudo_add_ignore_dot'
+    - '!audit_rules_privileged_commands_rmmod'
+    - '!audit_rules_privileged_commands_modprobe'
+    - '!package_dracut-fips-aesni_installed'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!partition_for_usr'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!enable_pam_namespace'
+    - '!audit_rules_privileged_commands_insmod'
+    - '!service_chronyd_or_ntpd_enabled'
+    - '!sudo_dedicated_group'
+    - '!chronyd_configure_pool_and_server'
+    - '!accounts_passwords_pam_tally2'
+    - '!cracklib_accounts_password_pam_ucredit'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!sudo_add_umask'
+    - '!sudo_add_env_reset'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!ensure_oracle_gpgkey_installed'
+    # RHEL10 unified the paths for grub2 files. These rules are selected in control file by R29.
+    - '!file_groupowner_efi_grub2_cfg'
+    - '!file_owner_efi_grub2_cfg'
+    - '!file_permissions_efi_grub2_cfg'
+    - '!file_groupowner_efi_user_cfg'
+    - '!file_owner_efi_user_cfg'
+    - '!file_permissions_efi_user_cfg'

products/rhel10/profiles/anssi_bp28_high.profile

@@ -0,0 +1,51 @@
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - marcusburghardt
+        - vojtapolasek
+
+title: 'ANSSI-BP-028 (high)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+    An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+    https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
+selections:
+    - anssi:all:high
+    # the following rule renders UEFI systems unbootable
+    - '!sebool_secure_mode_insmod'
+    # Thuse rules are incompatible rhel10 product
+    - '!partition_for_opt'
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!install_PAE_kernel_on_x86-32'
+    - '!partition_for_boot'
+    - '!aide_periodic_checking_systemd_timer'
+    - '!sudo_add_ignore_dot'
+    - '!audit_rules_privileged_commands_rmmod'
+    - '!audit_rules_privileged_commands_modprobe'
+    - '!package_dracut-fips-aesni_installed'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!partition_for_usr'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!enable_pam_namespace'
+    - '!audit_rules_privileged_commands_insmod'
+    - '!service_chronyd_or_ntpd_enabled'
+    - '!sudo_dedicated_group'
+    - '!chronyd_configure_pool_and_server'
+    - '!accounts_passwords_pam_tally2'
+    - '!cracklib_accounts_password_pam_ucredit'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!sudo_add_umask'
+    - '!sudo_add_env_reset'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!ensure_oracle_gpgkey_installed'

products/rhel10/profiles/anssi_bp28_intermediary.profile

@@ -0,0 +1,40 @@
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - marcusburghardt
+        - vojtapolasek
+
+title: 'ANSSI-BP-028 (intermediary)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+    An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+    https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
+selections:
+  - anssi:all:intermediary
+  # Following rules are incompatible with the rhel10 product
+  - '!partition_for_opt'
+  - '!cracklib_accounts_password_pam_minlen'
+  - '!accounts_passwords_pam_tally2_deny_root'
+  - '!accounts_passwords_pam_tally2'
+  - '!cracklib_accounts_password_pam_ucredit'
+  - '!cracklib_accounts_password_pam_dcredit'
+  - '!cracklib_accounts_password_pam_lcredit'
+  - '!partition_for_usr'
+  - '!partition_for_boot'
+  - '!cracklib_accounts_password_pam_ocredit'
+  - '!enable_pam_namespace'
+  - '!accounts_passwords_pam_tally2_unlock_time'
+  - '!sudo_add_umask'
+  - '!sudo_add_ignore_dot'
+  - '!sudo_add_env_reset'
+  - '!ensure_oracle_gpgkey_installed'

products/rhel10/profiles/anssi_bp28_minimal.profile

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+metadata:
+    SMEs:
+        - marcusburghardt
+        - vojtapolasek
+
+title: 'ANSSI-BP-028 (minimal)'
+
+description: |-
+    This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+    An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+    https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
+selections:
+  - anssi:all:minimal
+  # Following are incompatible with the rhel9 product
+  - '!cracklib_accounts_password_pam_minlen'
+  - '!accounts_passwords_pam_tally2_deny_root'
+  - '!accounts_passwords_pam_tally2'
+  - '!cracklib_accounts_password_pam_ucredit'
+  - '!cracklib_accounts_password_pam_dcredit'
+  - '!cracklib_accounts_password_pam_lcredit'
+  - '!cracklib_accounts_password_pam_ocredit'
+  - '!accounts_passwords_pam_tally2_unlock_time'
+  - '!ensure_oracle_gpgkey_installed'

shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,multi_platform_ubuntu
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
 
 source common.sh
 

shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,multi_platform_ubuntu
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/nothing

shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,multi_platform_ubuntu
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
 
 SSHD_PARAM={{{ PARAMETER }}}
 SSHD_VAL={{{ VALUE }}}

shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,multi_platform_ubuntu
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
 
 SSHD_PARAM={{{ PARAMETER }}}
 SSHD_VAL={{{ VALUE }}}

shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,multi_platform_ubuntu
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
 
 SSHD_PARAM={{{ PARAMETER }}}
 SSHD_VAL="bad_val"