Update ANSSI BP28 profiles in rhel10 product

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml

@@ -27,6 +27,7 @@ severity: medium
 
 identifiers:
     cce@rhel8: CCE-85919-9
+    cce@rhel10: CCE-90738-6
     cce@sle12: CCE-92258-3
     cce@sle15: CCE-85744-1
     cce@slmicro5: CCE-93612-0

linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml

@@ -19,6 +19,7 @@ severity: low
 
 identifiers:
   cce@rhel8: CCE-83744-3
+  cce@rhel10: CCE-90739-4
   cce@sle12: CCE-91505-8
   cce@sle15: CCE-91196-6
 

linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml

@@ -20,6 +20,7 @@ platform: machine
 
 identifiers:
     cce@rhel8: CCE-83336-8
+    cce@rhel10: CCE-90755-0
     cce@sle12: CCE-91484-6
     cce@sle15: CCE-91176-8
 

linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml

@@ -19,6 +19,7 @@ platform: machine
 
 identifiers:
     cce@rhel8: CCE-83340-0
+    cce@rhel10: CCE-90750-1
     cce@sle12: CCE-91485-3
     cce@sle15: CCE-91177-6
 

linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml

@@ -18,6 +18,7 @@ platform: machine
 
 identifiers:
     cce@rhel8: CCE-83343-4
+    cce@rhel10: CCE-90748-5
     cce@sle12: CCE-91488-7
     cce@sle15: CCE-91180-0
 

linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml

@@ -17,6 +17,8 @@
     <ind:filepath>/etc/aide.conf</ind:filepath>
     {{% if 'sle' in product or 'slmicro' in product %}}
       <ind:pattern operation="pattern match">^database=file:/([/a-z.]+)$</ind:pattern>
+    {{% elif product == 'rhel10' %}}
+      <ind:pattern operation="pattern match">^database_in=file:@@{DBDIR}/([a-z.]+)$</ind:pattern>
     {{% else %}}
       <ind:pattern operation="pattern match">^database=file:@@{DBDIR}/([a-z.]+)$</ind:pattern>
     {{% endif %}}

linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml

@@ -21,6 +21,7 @@ severity: medium
 
 identifiers:
     cce@rhel8: CCE-83820-1
+    cce@rhel10: CCE-90747-7
     cce@sle12: CCE-91492-9
     cce@sle15: CCE-91184-2
 

linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml

@@ -21,6 +21,7 @@ severity: medium
 
 identifiers:
     cce@rhel8: CCE-83810-2
+    cce@rhel10: CCE-90743-6
     cce@sle12: CCE-91493-7
     cce@sle15: CCE-91185-9
 

products/rhel10/product.yml

@@ -20,10 +20,6 @@ init_system: "systemd"
 
 # EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
 
-groups:
-  dedicated_ssh_keyowner:
-    name: ssh_keys
-
 sshd_distributed_config: "true"
 
 dconf_gdm_dir: "distro.d"

products/rhel10/profiles/anssi_bp28_enhanced.profile

@@ -22,32 +22,31 @@ description: |-
 
 selections:
     - anssi:all:enhanced
-    # Following rules are incompatible with the rhel10 product
-    - '!partition_for_opt'
+    # Following rules are incompatible with rhel10 product
+    # tally2 is deprecated, replaced by faillock
     - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    # RHEL 10 does not support 32 bit architecture
     - '!install_PAE_kernel_on_x86-32'
-    - '!partition_for_boot'
-    - '!sudo_add_ignore_dot'
-    - '!audit_rules_privileged_commands_rmmod'
-    - '!audit_rules_privileged_commands_modprobe'
+    # the package does not exist in RHEL 10
     - '!package_dracut-fips-aesni_installed'
+    # pam_cracklib is not used in RHEL 10
     - '!cracklib_accounts_password_pam_lcredit'
-    - '!partition_for_usr'
     - '!cracklib_accounts_password_pam_ocredit'
-    - '!enable_pam_namespace'
-    - '!audit_rules_privileged_commands_insmod'
-    - '!service_chronyd_or_ntpd_enabled'
-    - '!chronyd_configure_pool_and_server'
-    - '!accounts_passwords_pam_tally2'
     - '!cracklib_accounts_password_pam_ucredit'
-    - '!accounts_passwords_pam_tally2_unlock_time'
-    - '!sudo_add_umask'
-    - '!sudo_add_env_reset'
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
+    # umask is configured at a different place in RHEL 10
+    - '!sudo_add_umask'
+    # Oracle key is not relevant on RHEL 10
     - '!ensure_oracle_gpgkey_installed'
+    # this rule is not automated anymore
     - '!security_patches_up_to_date'
-    # RHEL10 unified the paths for grub2 files. These rules are selected in control file by R29.
+    # There is only chrony package on RHEL 10, no ntpd
+    - '!service_chronyd_or_ntpd_enabled'
+    - 'service_chronyd_enabled'
+    # RHEL 10 unified the paths for grub2 files. These rules are selected in control file by R29.
     - '!file_groupowner_efi_grub2_cfg'
     - '!file_owner_efi_grub2_cfg'
     - '!file_permissions_efi_grub2_cfg'
@@ -60,3 +59,17 @@ selections:
     - '!grub2_enable_apparmor'
     - '!package_apparmor_installed'
     - '!package_pam_apparmor_installed'
+    # these packages do not exist in rhel10 (R62)
+    - '!package_dhcp_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!package_sendmail_removed'
+    - '!package_talk_removed'
+    - '!package_xinetd_removed'
+    - '!package_ypserv_removed'
+    # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
+    - '!accounts_password_pam_retry'
+    # These rules are being modified and they are causing trouble in their current state (R67)
+    - '!sssd_enable_pam_services'
+    - '!sssd_ldap_configure_tls_reqcert'
+    - '!sssd_ldap_start_tls'

products/rhel10/profiles/anssi_bp28_high.profile

@@ -24,35 +24,56 @@ selections:
     - anssi:all:high
     # the following rule renders UEFI systems unbootable
     - '!sebool_secure_mode_insmod'
-    # Thuse rules are incompatible rhel10 product
-    - '!partition_for_opt'
+    # Following rules are incompatible with rhel10 product
+    # tally2 is deprecated, replaced by faillock
     - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    # RHEL 10 does not support 32 bit architecture
     - '!install_PAE_kernel_on_x86-32'
-    - '!partition_for_boot'
+    # this timer does not exist in RHEL 10
     - '!aide_periodic_checking_systemd_timer'
-    - '!sudo_add_ignore_dot'
-    - '!audit_rules_privileged_commands_rmmod'
-    - '!audit_rules_privileged_commands_modprobe'
+    # the package does not exist in RHEL 10
     - '!package_dracut-fips-aesni_installed'
+    # pam_cracklib is not used in RHEL 10
     - '!cracklib_accounts_password_pam_lcredit'
-    - '!partition_for_usr'
     - '!cracklib_accounts_password_pam_ocredit'
-    - '!enable_pam_namespace'
-    - '!audit_rules_privileged_commands_insmod'
-    - '!service_chronyd_or_ntpd_enabled'
-    - '!chronyd_configure_pool_and_server'
-    - '!accounts_passwords_pam_tally2'
     - '!cracklib_accounts_password_pam_ucredit'
-    - '!accounts_passwords_pam_tally2_unlock_time'
-    - '!sudo_add_umask'
-    - '!sudo_add_env_reset'
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
+    # umask is configured at a different place in RHEL 10
+    - '!sudo_add_umask'
+    # Oracle key is not relevant on RHEL 10
     - '!ensure_oracle_gpgkey_installed'
+    # this rule is not automated anymore
     - '!security_patches_up_to_date'
+    # There is only chrony package on RHEL 10, no ntpd
+    - '!service_chronyd_or_ntpd_enabled'
+    - 'service_chronyd_enabled'
+    # RHEL 10 unified the paths for grub2 files. These rules are selected in control file by R29.
+    - '!file_groupowner_efi_grub2_cfg'
+    - '!file_owner_efi_grub2_cfg'
+    - '!file_permissions_efi_grub2_cfg'
+    - '!file_groupowner_efi_user_cfg'
+    - '!file_owner_efi_user_cfg'
+    - '!file_permissions_efi_user_cfg'
     # disable R45: Enable AppArmor security profiles
     - '!apparmor_configured'
     - '!all_apparmor_profiles_enforced'
     - '!grub2_enable_apparmor'
     - '!package_apparmor_installed'
     - '!package_pam_apparmor_installed'
+    # these packages do not exist in rhel10 (R62)
+    - '!package_dhcp_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!package_sendmail_removed'
+    - '!package_talk_removed'
+    - '!package_xinetd_removed'
+    - '!package_ypserv_removed'
+    # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
+    - '!accounts_password_pam_retry'
+    # These rules are being modified and they are causing trouble in their current state (R67)
+    - '!sssd_enable_pam_services'
+    - '!sssd_ldap_configure_tls_reqcert'
+    - '!sssd_ldap_start_tls'

products/rhel10/profiles/anssi_bp28_intermediary.profile

@@ -21,22 +21,35 @@ description: |-
     https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
 
 selections:
-  - anssi:all:intermediary
-  # Following rules are incompatible with the rhel10 product
-  - '!partition_for_opt'
-  - '!cracklib_accounts_password_pam_minlen'
-  - '!accounts_passwords_pam_tally2_deny_root'
-  - '!accounts_passwords_pam_tally2'
-  - '!cracklib_accounts_password_pam_ucredit'
-  - '!cracklib_accounts_password_pam_dcredit'
-  - '!cracklib_accounts_password_pam_lcredit'
-  - '!partition_for_usr'
-  - '!partition_for_boot'
-  - '!cracklib_accounts_password_pam_ocredit'
-  - '!enable_pam_namespace'
-  - '!accounts_passwords_pam_tally2_unlock_time'
-  - '!sudo_add_umask'
-  - '!sudo_add_ignore_dot'
-  - '!sudo_add_env_reset'
-  - '!ensure_oracle_gpgkey_installed'
-  - '!security_patches_up_to_date'
+    - anssi:all:intermediary
+    # Following rules are incompatible with rhel10 product
+    # tally2 is deprecated, replaced by faillock
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    # pam_cracklib is not used in RHEL 10
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_ucredit'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_ocredit'
+    # umask is configured at a different place in RHEL 10
+    - '!sudo_add_umask'
+    # Oracle key is not relevant on RHEL 10
+    - '!ensure_oracle_gpgkey_installed'
+    # this rule is not automated anymore
+    - '!security_patches_up_to_date'
+    # these packages do not exist in rhel10 (R62)
+    - '!package_dhcp_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!package_sendmail_removed'
+    - '!package_talk_removed'
+    - '!package_xinetd_removed'
+    - '!package_ypserv_removed'
+    # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
+    - '!accounts_password_pam_retry'
+    # These rules are being modified and they are causing trouble in their current state (R67)
+    - '!sssd_enable_pam_services'
+    - '!sssd_ldap_configure_tls_reqcert'
+    - '!sssd_ldap_start_tls'

products/rhel10/profiles/anssi_bp28_minimal.profile

@@ -21,15 +21,29 @@ description: |-
     https://cyber.gouv.fr/publications/configuration-recommendations-gnulinux-system
 
 selections:
-  - anssi:all:minimal
-  # Following are incompatible with the rhel9 product
-  - '!cracklib_accounts_password_pam_minlen'
-  - '!accounts_passwords_pam_tally2_deny_root'
-  - '!accounts_passwords_pam_tally2'
-  - '!cracklib_accounts_password_pam_ucredit'
-  - '!cracklib_accounts_password_pam_dcredit'
-  - '!cracklib_accounts_password_pam_lcredit'
-  - '!cracklib_accounts_password_pam_ocredit'
-  - '!accounts_passwords_pam_tally2_unlock_time'
-  - '!ensure_oracle_gpgkey_installed'
-  - '!security_patches_up_to_date'
+    - anssi:all:minimal
+    # Following rules are incompatible with rhel10 product
+    # tally2 is deprecated, replaced by faillock
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    # pam_cracklib is not used in RHEL 10
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_ucredit'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_ocredit'
+    # Oracle key is not relevant on RHEL 10
+    - '!ensure_oracle_gpgkey_installed'
+    # this rule is not automated anymore
+    - '!security_patches_up_to_date'
+    # these packages do not exist in rhel10 (R62)
+    - '!package_dhcp_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!package_sendmail_removed'
+    - '!package_talk_removed'
+    - '!package_xinetd_removed'
+    - '!package_ypserv_removed'
+    # these rules are failing when they are remediated with Ansible, removing then temporarily until they are fixed
+    - '!accounts_password_pam_retry'

shared/references/cce-redhat-avail.txt

@@ -2622,10 +2622,3 @@ CCE-90728-7
 CCE-90732-9
 CCE-90735-2
 CCE-90737-8
-CCE-90738-6
-CCE-90739-4
-CCE-90743-6
-CCE-90747-7
-CCE-90748-5
-CCE-90750-1
-CCE-90755-0