RELEASE 8.6

Author: Chelsea486MHz

README.md

@@ -42,16 +42,30 @@ OpenSSH and Cockpit are installed and running.
 
 ## Compliance
 
-**The deployed system does not pass all ANSSI-BP-028-HIGH OpenSCAP tests**. The remaining tests rely on user configuration that varies on the user infrastructure and needs to pass successfully.
+**The deployed system does not pass all ANSSI-BP-028-HIGH OpenSCAP tests out of the box.**
 
-An OpenSCAP report (HTML format) can be found at the root of the repository showing the system's compliance. However, it does show some false positives:
+An OpenSCAP report (HTML format) can be found at the root of the repository showing the system's compliance. You can recreate the report by running the following commands on a freshly installed system:
 
-* **Ensure a dedicated group owns sudo (R57)**: FALSE POSITIVE. You can manually verify this rule with `ls -l /usr/bin | grep sudo`. The group *wheel* owns the binary.
+`# oscap xccdf eval --results results.xml --profile xccdf_org.ssgproject.content_profile_anssi_bp28_high /usr/share/xml/scap/ssg/content/ssg-almalinux8-ds-1.2.xml`
 
-* **Explicit arguments in sudo specifications (R63)**: FALSE POSITIVE. As described in the report, false positives happen due to bad parsing of the sudoers file.
+`# oscap xccdf generate report results.xml > report.html`
 
-* **Don't target root user in the sudoers file (R60)**: It is up to the user to configure this file to suit their needs.
+### False positives
 
-* **Configure TLS for rsyslog remote logging (R43)**: It is up to the user to configure the TLS certificates to match their infrastructure.
+These checks are reported as failed, but should be reported as passing. This is due to issues with OpenSCAP.
+
+* **Ensure a dedicated group owns sudo (R57)**: You can manually verify this rule with the following command: `ls -l /usr/bin | grep sudo`. The group *wheel* owns the binary.
+
+* **IOMMU configuration directive (R11)**: You can manually verify iommu usage is enforced with the following command: `dmesg iommu=force`
+
+### Depend on user configuration
+
+The system requires configuration and secrets unique to the user's infrastructure for those checks to pass.
+
+* **Explicit arguments in sudo specifications (R63)**: sudo configuration should be brought in by the user.
+
+* **Don't target root user in the sudoers file (R60)**: sudo configuration should be brought in by the user.
+
+* **Configure TLS for rsyslog remote logging (R43)**: It is up to the user to configure the rsyslog server to match their infrastructure.
 
 * **Configure CA certificate for rsyslog remote logging (R43)**: It is up to the user to configure the TLS certificates to match their infrastructure.

build.sh

@@ -226,6 +226,11 @@ sed -i "s/%SCAP_ID_DATASTREAM%/${SCAP_ID_DATASTREAM}/g" ${PATH_KICKSTART_SCAP}
 sed -i "s/%SCAP_ID_XCCDF%/${SCAP_ID_XCCDF}/g" ${PATH_KICKSTART_SCAP}
 echo -e "${TEXT_SUCC} => Configured the OpenSCAP kickstart"
 
+# Configure the hardening kickstart
+sed -i "s/%SCAP_PROFILE%/${SCAP_PROFILE}/g" ${PATH_KICKSTART_HARD}
+sed -i "s|%SCAP_CONTENT%|${SCAP_CONTENT}|g" ${PATH_KICKSTART_HARD}
+echo -e "${TEXT_SUCC} => Configured the hardening kickstart"
+
 # Configure the partitioning kickstart
 sed -i "s/%TARGET_BLOCK_DEVICE%/${TARGET_BLOCK_DEVICE}/g" ${PATH_KICKSTART_PART}
 echo -e "${TEXT_SUCC} => Configured the partitioning kickstart"

kickstarts/hardening.ks

@@ -1,10 +1,16 @@
 # Post-installation script
 %post --erroronfail
 
+# Mount the EFI partition
+mount /boot/efi
+
 # ANSSI-BP-028 compliance not brought in by OpenSCAP
 systemctl enable dnf-automatic.timer                                            # Addresses ANSSI-BP-028-R08
 echo 'kernel.modules_disabled = 1' > /etc/sysctl.d/ANSSI-BP-028-R24.conf        # Addresses ANSSI-BP-028-R24
-chown root:wheel /usr/bin/sudo                                                  # Addresses ANSSI-BP-028-R57
+
+# Addresses ANSSI-BP-028-R57
+groupadd wheel
+chown root:wheel /usr/bin/sudo
 
 # Addresses ANSSI-BP-028-R67
 setsebool -P deny_execmem=on
@@ -17,13 +23,18 @@ setsebool -P ssh_sysadm_login=off
 # I can't believe this one-liner is making it in prod
 # Addresses ANSSI-BP-028-R17
 {python3 -c 'print("password_pbkdf2 root")' &  python3 -c 'import string as s; import secrets as x; a=s.ascii_letters+s.digits; p="".join(x.choice(a) for i in range(64)); print(p + "\n" + p)' | grub2-mkpasswd-pbkdf2 | cut -d ' ' -f 7 | sed -r '/^\s*$/d'} | cat | tr '\n' ' ' >> /etc/grub.d/01_users
-grub2-mkconfig -o /boot/grub2/grub.cfg             # And for BIOS
+grub2-mkconfig -o /boot/grub2/grub.cfg
 
 # Addresses ANSSI-BP-028-R11
 grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) iommu=force"
 
 # Addresses ANSSI-BP-028-R36
-chmod 0600 /etc/ssh/*_key
+ssh-keygen -q -N "" -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
+ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
+ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
+chmod 0600 /etc/ssh/ssh_host_ecdsa_key
+chmod 0600 /etc/ssh/ssh_host_ed25519_key
+chmod 0600 /etc/ssh/ssh_host_rsa_key
 
 # Disables automounting /boot/efi
 sed -i '/efi/ s/nodev/nodev,noauto/g' /etc/fstab
@@ -33,4 +44,11 @@ mkdir -p /etc/tmpfiles.d
 echo 'd       /tmp/tmp-inst 0000 root root - -' > /etc/tmpfiles.d/anssi-bp-028-r39.conf
 echo '/tmp     /tmp/tmp-inst/            level      root,adm' >> /etc/security/namespace.conf
 
+# Addresses ANSSI-BP-028-R18
+sed -i '/rounds=65536/ s/$/ remember=2/' /etc/pam.d/system-auth
+
+# Extra remediation
+oscap xccdf eval --remediate --results res.xml --profile %SCAP_PROFILE% %SCAP_CONTENT%
+rm res.xml
+
 %end

kickstarts/kickstart.ks

@@ -4,7 +4,7 @@ text
 cdrom
 
 # GRUB2 configuration
-bootloader --boot-drive=%TARGET_BLOCK_DEVICE% --timeout=0 --append="rhgb quiet crashkernel=256M"
+bootloader --boot-drive=%TARGET_BLOCK_DEVICE% --timeout=0 --append="rhgb quiet crashkernel=256M iommu=force"
 
 # Automatically accept EULA
 eula --agreed