Merge pull request #12833 from Xeicker/ol10_profiles

Update Ol10 profiles

products/ol10/profiles/anssi_bp28_enhanced.profile

@@ -1,42 +1,61 @@
 documentation_complete: true
 
-title: 'ANSSI-BP-028 (enhanced)'
+title: 'DRAFT - ANSSI-BP-028 (enhanced)'
 
 description: |-
-    This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening
-    level. ANSSI is the French National Information Security Agency, and stands for Agence
-    nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration
-    recommendation for GNU/Linux systems.
+    This is a draft profile for experimental purposes.
+    This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
 
     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
 
+    An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+    https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
 selections:
     - anssi:all:enhanced
-    - '!partition_for_opt'
     - '!package_ypserv_removed'
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!install_PAE_kernel_on_x86-32'
-    - '!partition_for_boot'
     - '!ensure_redhat_gpgkey_installed'
-    - '!sudo_add_ignore_dot'
-    - '!audit_rules_privileged_commands_rmmod'
-    - '!audit_rules_privileged_commands_modprobe'
     - '!package_dracut-fips-aesni_installed'
     - '!cracklib_accounts_password_pam_lcredit'
-    - '!partition_for_usr'
     - '!cracklib_accounts_password_pam_ocredit'
-    - '!enable_pam_namespace'
-    - '!audit_rules_privileged_commands_insmod'
     - '!package_ypbind_removed'
-    - '!service_chronyd_or_ntpd_enabled'
-    - '!sudo_dedicated_group'
-    - '!chronyd_configure_pool_and_server'
     - '!accounts_passwords_pam_tally2'
     - '!cracklib_accounts_password_pam_ucredit'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!sudo_add_umask'
-    - '!sudo_add_env_reset'
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
+    # this rule is not automated anymore
+    - '!security_patches_up_to_date'
+    # There is only chrony package on OL 10, no ntpd
+    - '!service_chronyd_or_ntpd_enabled'
+    - 'service_chronyd_enabled'
+    # OL 10 unified the paths for grub2 files. These rules are selected in control file by R29.
+    - '!file_groupowner_efi_grub2_cfg'
+    - '!file_owner_efi_grub2_cfg'
+    - '!file_permissions_efi_grub2_cfg'
+    - '!file_groupowner_efi_user_cfg'
+    - '!file_owner_efi_user_cfg'
+    - '!file_permissions_efi_user_cfg'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
+    # these packages do not exist in ol10 (R62)
+    - '!package_dhcp_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!package_sendmail_removed'
+    - '!package_talk_removed'
+    - '!package_talk-server_removed'
     - '!package_xinetd_removed'
+    # There isn't 32 bits OL
+    - '!prefer_64bit_os'

products/ol10/profiles/anssi_bp28_high.profile

@@ -1,43 +1,71 @@
 documentation_complete: true
 
-title: 'ANSSI-BP-028 (high)'
+title: 'DRAFT - ANSSI-BP-028 (high)'
 
 description: |-
-    This profile contains configurations that align to ANSSI-BP-028 at the high hardening
-    level. ANSSI is the French National Information Security Agency, and stands for Agence
-    nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration
-    recommendation for GNU/Linux systems.
+    This is a draft profile for experimental purposes.
+    This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
 
     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
 
+    An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+    https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
 selections:
     - anssi:all:high
-    - '!partition_for_opt'
     - '!package_ypserv_removed'
+    - '!sebool_secure_mode_insmod'
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!install_PAE_kernel_on_x86-32'
-    - '!partition_for_boot'
     - '!ensure_redhat_gpgkey_installed'
     - '!aide_periodic_checking_systemd_timer'
-    - '!sudo_add_ignore_dot'
-    - '!audit_rules_privileged_commands_rmmod'
-    - '!audit_rules_privileged_commands_modprobe'
-    - '!partition_for_usr'
     - '!package_dracut-fips-aesni_installed'
     - '!cracklib_accounts_password_pam_lcredit'
     - '!cracklib_accounts_password_pam_ocredit'
-    - '!enable_pam_namespace'
-    - '!audit_rules_privileged_commands_insmod'
     - '!package_ypbind_removed'
     - '!service_chronyd_or_ntpd_enabled'
-    - '!sudo_dedicated_group'
-    - '!chronyd_configure_pool_and_server'
+    - 'service_chronyd_enabled'
     - '!accounts_passwords_pam_tally2'
     - '!cracklib_accounts_password_pam_ucredit'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!sudo_add_umask'
-    - '!sudo_add_env_reset'
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
+    # this rule is not automated anymore
+    - '!security_patches_up_to_date'
+    # OL 10 unified the paths for grub2 files. These rules are selected in control file by R29.
+    - '!file_groupowner_efi_grub2_cfg'
+    - '!file_owner_efi_grub2_cfg'
+    - '!file_permissions_efi_grub2_cfg'
+    - '!file_groupowner_efi_user_cfg'
+    - '!file_owner_efi_user_cfg'
+    - '!file_permissions_efi_user_cfg'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
+    # these packages do not exist in ol10 (R62)
+    - '!package_dhcp_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!package_sendmail_removed'
+    - '!package_talk_removed'
+    - '!package_talk-server_removed'
     - '!package_xinetd_removed'
+    # There isn't 32 bits OL
+    - '!prefer_64bit_os'
+    # These rules are no longer relevant
+    - '!kernel_config_devkmem'
+    - '!kernel_config_hardened_usercopy_fallback'
+    - '!kernel_config_page_poisoning_no_sanity'
+    - '!kernel_config_page_poisoning_zero'
+    - '!kernel_config_page_table_isolation'
+    - '!kernel_config_refcount_full'
+    - '!kernel_config_retpoline'
+    - '!kernel_config_security_writable_hooks'

products/ol10/profiles/anssi_bp28_intermediary.profile

@@ -1,34 +1,41 @@
 documentation_complete: true
 
-title: 'ANSSI-BP-028 (intermediary)'
+title: 'DRAFT - ANSSI-BP-028 (intermediary)'
 
 description: |-
-    This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening
-    level. ANSSI is the French National Information Security Agency, and stands for Agence
-    nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration
-    recommendation for GNU/Linux systems.
+    This is a draft profile for experimental purposes.
+    This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
 
     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
 
+    An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+    https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
 selections:
     - anssi:all:intermediary
     - '!package_ypbind_removed'
-    - '!partition_for_opt'
     - '!cracklib_accounts_password_pam_minlen'
     - '!package_ypserv_removed'
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!accounts_passwords_pam_tally2'
     - '!cracklib_accounts_password_pam_ucredit'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!cracklib_accounts_password_pam_lcredit'
-    - '!partition_for_usr'
-    - '!partition_for_boot'
     - '!cracklib_accounts_password_pam_ocredit'
-    - '!enable_pam_namespace'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
     - '!sudo_add_umask'
-    - '!sudo_add_ignore_dot'
-    - '!sudo_add_env_reset'
+    # this rule is not automated anymore
+    - '!security_patches_up_to_date'
+    # these packages do not exist in ol10 (R62)
+    - '!package_dhcp_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!package_sendmail_removed'
+    - '!package_talk_removed'
+    - '!package_talk-server_removed'
     - '!package_xinetd_removed'

products/ol10/profiles/anssi_bp28_minimal.profile

@@ -1,27 +1,39 @@
 documentation_complete: true
 
-title: 'ANSSI-BP-028 (minimal)'
+title: 'DRAFT - ANSSI-BP-028 (minimal)'
 
 description: |-
-    This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening
-    level. ANSSI is the French National Information Security Agency, and stands for Agence
-    nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration
-    recommendation for GNU/Linux systems.
+    This is a draft profile for experimental purposes.
+    This draft profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level.
+
+    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
 
     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
 
+    An English version of the ANSSI-BP-028 can also be found at the ANSSI website:
+    https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
+
 selections:
-  - anssi:all:minimal
-  - '!package_ypbind_removed'
-  - '!cracklib_accounts_password_pam_minlen'
-  - '!package_ypserv_removed'
-  - '!accounts_passwords_pam_tally2_deny_root'
-  - '!accounts_passwords_pam_tally2'
-  - '!cracklib_accounts_password_pam_ucredit'
-  - '!cracklib_accounts_password_pam_dcredit'
-  - '!cracklib_accounts_password_pam_lcredit'
-  - '!cracklib_accounts_password_pam_ocredit'
-  - '!accounts_passwords_pam_tally2_unlock_time'
-  - '!ensure_redhat_gpgkey_installed'
-  - '!package_xinetd_removed'
+    - anssi:all:minimal
+    - '!package_ypbind_removed'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!package_ypserv_removed'
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2'
+    - '!cracklib_accounts_password_pam_ucredit'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_ocredit'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!ensure_redhat_gpgkey_installed'
+    - '!security_patches_up_to_date'
+    # these packages do not exist in ol10 (R62)
+    - '!package_dhcp_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!package_sendmail_removed'
+    - '!package_talk_removed'
+    - '!package_talk-server_removed'
+    - '!package_xinetd_removed'

products/ol10/profiles/e8.profile

@@ -0,0 +1,32 @@
+documentation_complete: true
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+title: 'DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight'
+
+description: |-
+    This is a draft profile for experimental purposes.
+
+    This draft profile contains configuration checks for Oracle Linux 10
+    that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
+
+    A copy of the Essential Eight in Linux Environments guide can be found at the
+    ACSC website:
+
+    https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+selections:
+    - e8:all
+
+    - '!ensure_redhat_gpgkey_installed'
+    - ensure_oracle_gpgkey_installed
+
+    - var_system_crypto_policy=default_policy
+    # these packages do not exist in OL 10
+    - '!package_talk_removed'
+    - '!package_talk-server_removed'
+    - '!package_ypbind_removed'
+    - '!package_ypserv_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!security_patches_up_to_date'

products/ol10/profiles/hipaa.profile

@@ -0,0 +1,62 @@
+documentation_complete: true
+
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
+
+title: 'DRAFT - Health Insurance Portability and Accountability Act (HIPAA)'
+
+description: |-
+    This is a draft profile for experimental purposes.
+
+    The HIPAA Security Rule establishes U.S. national standards to protect individuals's
+    electronic personal health information that is created, received, used, or
+    maintained by a covered entity. The Security Rule requires appropriate
+    administrative, physical and technical safeguards to ensure the
+    confidentiality, integrity, and security of electronic protected health
+    information.
+
+    This draft profile configures Oracle Linux 10 to the HIPAA Security
+    Rule identified for securing of electronic protected health information.
+    Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+selections:
+    - hipaa:all
+
+    - '!ensure_redhat_gpgkey_installed'
+    - ensure_oracle_gpgkey_installed
+
+    # Conflicts with sshd_set_keepalive
+    - '!sshd_set_keepalive_0'
+
+    - '!coreos_disable_interactive_boot'
+    - '!coreos_audit_option'
+    - '!coreos_nousb_kernel_argument'
+    - '!coreos_enable_selinux_kernel_argument'
+    - '!dconf_gnome_remote_access_credential_prompt'
+    - '!dconf_gnome_remote_access_encryption'
+    - '!ensure_suse_gpgkey_installed'
+    - '!ensure_fedora_gpgkey_installed'
+    - '!grub2_uefi_admin_username'
+    - '!grub2_uefi_pass'
+    - '!service_ypbind_disabled'
+    - '!service_zebra_disabled'
+    - '!package_talk-server_removed'
+    - '!package_talk_removed'
+    - '!sshd_use_approved_macs'
+    - '!sshd_use_approved_ciphers'
+    - '!accounts_passwords_pam_tally2'
+    - '!package_audit-audispd-plugins_installed'
+    - '!auditd_audispd_syslog_plugin_activated'
+    - '!package_ypserv_removed'
+    - '!package_ypbind_removed'
+    - '!package_xinetd_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!service_rexec_disabled'
+    - '!service_rsh_disabled'
+    - '!package_tcp_wrappers_removed'
+    - '!package_ypbind_removed'
+    - '!package_xinetd_removed'
+    - '!service_xinetd_disabled'
+    - '!sshd_allow_only_protocol2'
+    - '!sshd_disable_kerb_auth'
+    - '!sshd_disable_gssapi_auth'