ANSSI-BP-028 Compliance

SEAPATH follows the applicable cybersecurity guidelines defined by the ANSSI in the ANSSI-BP-028 v2.0 document.

Below are two detailed lists of all recommendations, their current state on SEAPATH Yocto and on SEAPATH Debian, and a short explanation of the work done or still to be done.

  • Done: SEAPATH complies with this requirement. Tests are run with cukinia to ensure that future development doesn't break this compliance. (Some recommendations are done but have no test yet; when this is the case, it is explicitly written in the table below.)

  • Not Done: SEAPATH doesn't comply with this requirement. A short description of the work to do is given.

  • Not applicable: This requirement does not make sense for SEAPATH.

  • User applicable: This requirement cannot be fulfilled by SEAPATH itself and must be ensured by the end user / SEAPATH integrator.

  • Partially done: This requirement is not fully done in SEAPATH: either only some parts of it are implemented and tested, or it is implemented but not properly tested yet.

Yocto-based SEAPATH

A compliance matrix listing all the tests done on SEAPATH and their relation to the recommendations is available at the end of each test report on the CI. You can find weekly test reports here: https://github.com/seapath/ci/tree/reports-PRmain/docs/reports/PR-main

Subject

Level (the BP-028 hardening levels the recommendation belongs to: M minimal, I intermediate, E enhanced, H high)

Explanations

State
R1

Choosing and configuring the hardware

MIE

The hardware chosen to run SEAPATH must comply with https://cyber.gouv.fr/publications/recommandations-de-configuration-materielle-de-postes-clients-et-serveurs-x86
Note that all modern x86 machines are already compatible. The ANSSI has not released a similar document for ARM machines.
Some cukinia tests exist as a fallback, but most of the configuration must be done by the end user.

User applicable

R2

Configuring the BIOS/UEFI

MI

The BIOS/UEFI must be configured according to the document https://cyber.gouv.fr/publications/recommandations-de-configuration-materielle-de-postes-clients-et-serveurs-x86

User applicable

R3

Activating the UEFI secure boot

MI

SEAPATH is compatible with Secure Boot and supports preloaded keys.

User applicable

R4

Replacing of preloaded keys

MIEH

Yocto provides Secure Boot functions. It is up to the end user to enable them and to provide their own keys.
TODO: proper documentation should be added to the wiki.

User applicable

R5

Configuring a password on the bootloader

MI

A GRUB password can be configured at build time.

Done

R6

Protecting the kernel command line parameters and the initramfs

MIEH

We have made an implementation for the Dunfell version of Yocto. This implementation does not work on the Kirkstone version and should be updated.

Not Done

R7

Activating the IOMMU

MIE

TODO: add iommu=force to the kernel command line and add a cukinia test.

Not Done

R8

Configuring the memory options

MI

SEAPATH does not enable every recommended kernel parameter by default because they would degrade performance significantly. However, a test checks the hardware running SEAPATH for known vulnerabilities.
If a vulnerability is reported, the end user must apply the related kernel parameters manually.

Done
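
The R8 test described above, as an added example (this is not SEAPATH's own cukinia test). It reads the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities and, for each issue still reported as "Vulnerable", prints the BP-028 R8 command line parameter to apply. The file-to-parameter mapping is an assumed subset of R8 and the sample sysfs tree is constructed; confirm both against the guide and your hardware.

```shell
#!/bin/sh
# Added example (not SEAPATH's own cukinia test). Reads the per-issue
# status files under /sys/devices/system/cpu/vulnerabilities and, for
# each one still reported as "Vulnerable", names the BP-028 R8 command
# line parameter to apply. A sysfs root can be given so the check runs
# on a constructed tree; use "" for the live host.

# Assumed issue -> parameter mapping (subset of R8; confirm against the guide).
MITIGATIONS="
l1tf:l1tf=full,force
mds:mds=full,nosmt
meltdown:pti=on
spectre_v2:spectre_v2=on
spec_store_bypass:spec_store_bypass_disable=seccomp
"

# Parameter for an issue name, or "unknown" when the list names none.
mitigation_for() {
    _param=unknown
    for _m in $MITIGATIONS; do
        if [ "${_m%%:*}" = "$1" ]; then _param=${_m#*:}; fi
    done
    printf '%s\n' "$_param"
}

# Print "issue: status -> add <param>" on stdout for every unmitigated
# issue; warn on stderr when a mitigation leaves SMT exposed (R8 handles
# that through the ",nosmt" / ",force" variants). Exit 0 when clean,
# 1 when something is vulnerable, 2 when the directory is missing.
unmitigated() {
    _dir="$1/sys/devices/system/cpu/vulnerabilities"
    if [ ! -d "$_dir" ]; then
        echo "$_dir: missing (kernel too old or sysfs not mounted)" >&2
        return 2
    fi
    _bad=0
    for _f in "$_dir"/*; do
        _name=$(basename "$_f")
        _status=$(cat "$_f")
        case $_status in
            # Headline status; itlb_multihit reports "KVM: Vulnerable",
            # hence the leading wildcard.
            *Vulnerable*)
                printf '%s: %s -> add %s\n' "$_name" "$_status" "$(mitigation_for "$_name")"
                _bad=$((_bad + 1)) ;;
            *"SMT vulnerable"*)
                printf '%s: %s (mitigated, but SMT still exposed)\n' "$_name" "$_status" >&2 ;;
        esac
    done
    [ "$_bad" -eq 0 ]
}

# Constructed sysfs tree with a mix of statuses, for offline runs.
make_sample_vulns() {
    _dir="$1/sys/devices/system/cpu/vulnerabilities"
    mkdir -p "$_dir"
    printf 'KVM: Vulnerable\n' > "$_dir/itlb_multihit"
    printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n' > "$_dir/l1tf"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' > "$_dir/mds"
    printf 'Mitigation: PTI\n' > "$_dir/meltdown"
    printf 'Vulnerable\n' > "$_dir/spec_store_bypass"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$_dir/spectre_v1"
    printf 'Vulnerable, IBPB: disabled, STIBP: disabled\n' > "$_dir/spectre_v2"
    printf 'Not affected\n' > "$_dir/tsx_async_abort"
}

case ${1:-} in
    demo) _t=$(mktemp -d); make_sample_vulns "$_t"; unmitigated "$_t"; rm -rf "$_t" ;;
    live) unmitigated "" ;;
esac
```

Run it with `sh check_vulns.sh demo` to see the constructed case and `sh check_vulns.sh live` on a host. Only the status files are consulted, not /proc/cmdline, because a parameter present on the command line is no proof that the mitigation is active (the microcode or the CPU model may still leave the issue open); the status file is what the kernel actually concluded.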

R9

Configuring the kernel options

MI

The recommended kernel sysctl options are set.

Done

R10

Disabling kernel modules loading

MIE

Module loading is disabled once boot is complete.

Done

R11

Configuration option of the Yama LSM

MI

The kernel parameter security=yama is present.
The kernel.yama.ptrace_scope sysctl is set to 2.

Done

R12

IPv4 configuration options

MI

IPv4 must comply with the list of sysctl settings given in R12.
Some of these sysctls are enabled natively, but not all of them are tested correctly.
The remaining sysctls must be enabled while taking care not to break a SEAPATH feature. A reason must be given explicitly for any sysctl that cannot be enabled.
TODO

Partially done

R13

Disabling IPv6

MI

IPv6 can be disabled with a single machine option in meta-seapath.
It is up to the user to decide whether it is needed.

User applicable

R14

File system configuration options

MI

The recommended options are present on SEAPATH.

Done
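
A check for the sysctl-based recommendations R9 to R12 and R14, as an added example (this is not SEAPATH's own cukinia test). It compares an expected set against the values the kernel actually exposes under /proc/sys, which is what `sysctl -n` reads, so an override from a later sysctl.d file or from a service is caught. The expected list is an assumed subset of the guide's sysctls and the sample tree is constructed. Two points worth keeping in mind when turning this into a test: a missing key is a failure, not a skip (no kernel.yama.ptrace_scope means Yama is not built in or not enabled), and kernel.modules_disabled=1 is one-way until reboot, so it has to be set at the end of boot, after every module SEAPATH needs has been loaded.

```shell
#!/bin/sh
# Added example, not SEAPATH's own cukinia test. Compares a hardening
# set against the values the kernel exposes under /proc/sys (the same
# thing "sysctl -n" reads). A root directory can be given so the check
# runs on a constructed tree; "" means the live host.

# Assumed subset of the BP-028 R9/R10/R11/R12/R14 sysctls; align with
# the guide and with what SEAPATH can afford (see the R12 caveat above).
EXPECTED_SYSCTL="
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.modules_disabled=1
kernel.yama.ptrace_scope=2
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_syncookies=1
fs.suid_dumpable=0
fs.protected_symlinks=1
fs.protected_hardlinks=1
"

# /proc/sys path of a dotted key below a root directory.
sysctl_path() {
    printf '%s/proc/sys/%s' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Print "key expected=X actual=Y" per deviation. A key that does not
# exist is reported as MISSING rather than skipped: an absent
# kernel.yama.ptrace_scope means Yama is not built in or not enabled
# through security=, which is itself an R11 failure. Exit 0 only when
# every key matches.
check_sysctls() {
    _root=$1
    _bad=0
    for _entry in $EXPECTED_SYSCTL; do
        _key=${_entry%%=*}
        _want=${_entry#*=}
        _file=$(sysctl_path "$_root" "$_key")
        if [ -r "$_file" ]; then
            # Multi-value keys are tab separated; normalise to single spaces.
            _got=$(tr -s '[:space:]' ' ' < "$_file" | sed 's/ $//')
        else
            _got=MISSING
        fi
        if [ "$_got" != "$_want" ]; then
            printf '%s expected=%s actual=%s\n' "$_key" "$_want" "$_got"
            _bad=$((_bad + 1))
        fi
    done
    [ "$_bad" -eq 0 ]
}

# Constructed /proc/sys tree for offline runs: compliant except that
# ip_forward is left at 1 and the Yama key is absent.
make_sample_tree() {
    for _entry in $EXPECTED_SYSCTL; do
        _key=${_entry%%=*}
        case $_key in kernel.yama.*) continue ;; esac
        _file=$(sysctl_path "$1" "$_key")
        mkdir -p "$(dirname "$_file")"
        printf '%s\n' "${_entry#*=}" > "$_file"
    done
    printf '1\n' > "$(sysctl_path "$1" net.ipv4.ip_forward)"
}

case ${1:-} in
    demo) _t=$(mktemp -d); make_sample_tree "$_t"; check_sysctls "$_t"; rm -rf "$_t" ;;
    live) check_sysctls "" ;;
esac
```

`sh check_sysctl.sh demo` prints the two deviations of the constructed tree; `sh check_sysctl.sh live` audits the host. Reading /proc/sys directly rather than parsing /etc/sysctl.d is deliberate: the files only say what was intended, the kernel says what applies.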

R15

Compile options for memory management

MIEH

SEAPATH builds its own kernel, so these options can be changed in the kernel config.
They must be set as follows (current value -> recommended value) and tested.

TODO

  • CONFIG_DEBUG_FS=y -> n

  • CONFIG_SCHED_STACK_END_CHECK=n -> y

  • CONFIG_SECURITY_DMESG_RESTRICT=n -> y

Not Done

R16

Compile options for kernel data structure

MIEH

SEAPATH builds its own kernel, so these options can be changed in the kernel config.
They must be set as follows (current value -> recommended value) and tested.

TODO

  • CONFIG_DEBUG_CREDENTIALS=n -> y

  • CONFIG_DEBUG_NOTIFIERS=n -> y

  • CONFIG_DEBUG_LIST=n -> y

  • CONFIG_DEBUG_SG=n -> y

Not Done

R17

Compile options for the memory allocator

MIEH

SEAPATH builds its own kernel, so this option can be changed in the kernel config.
It must be set as follows (current value -> recommended value) and tested.
TODO

  • CONFIG_SLAB_MERGE_DEFAULT=y -> n

Not Done

R18

Compile options for the management of kernel modules

MIEH

SEAPATH builds its own kernel, so these options can be changed in the kernel config.
They must be added and tested.
TODO

Not Done

R19

Compile options for abnormal situations

MIEH

SEAPATH builds its own kernel, so these options can be changed in the kernel config.
They must be set as follows (current value -> recommended value) and tested.
TODO

  • CONFIG_PANIC_ON_OOPS=n -> y

  • CONFIG_PANIC_TIMEOUT=0 -> -1

Not Done
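
The kind of test that R15 to R19 (and the R20 to R25 config checks) are missing, as an added example; it is not SEAPATH's own cukinia test and the expected list simply collects the symbols from the R15 to R19 items above. The detail that matters: Kconfig never writes "SYM=n", a disabled option appears as "# SYM is not set" or not at all, so a test that greps for "SYM=n" passes nothing. On the target the running kernel's config is readable from /proc/config.gz when CONFIG_IKCONFIG_PROC is enabled; the sample .config below is constructed.

```shell
#!/bin/sh
# Added example, not SEAPATH's own test. Checks a kernel .config against
# the R15-R19 expectations on this page. An "=n" expectation is matched
# against "# SYM is not set" (Kconfig never writes "SYM=n"). On the
# target the config is /proc/config.gz when CONFIG_IKCONFIG_PROC is set.

# Recommended values from the R15-R19 lists above; extend with the
# R20-R25 symbols as needed.
EXPECTED_KCONFIG="
CONFIG_DEBUG_FS=n
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_SLAB_MERGE_DEFAULT=n
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
"

# Effective value of a symbol: the right-hand side of "SYM=value",
# "n" for "# SYM is not set", "absent" when the symbol never appears.
kconfig_value() {
    _file=$1; _sym=$2
    if grep -q "^$_sym=" "$_file"; then
        sed -n "s/^$_sym=//p" "$_file" | head -n 1
    elif grep -q "^# $_sym is not set$" "$_file"; then
        echo n
    else
        echo absent
    fi
}

# Print "SYM expected=X actual=Y" per deviation; exit 0 only if none.
# An absent symbol satisfies "=n" (the feature is off either way) but is
# noted on stderr so a misspelt symbol name does not pass silently.
check_kconfig() {
    _file=$1
    _bad=0
    for _entry in $EXPECTED_KCONFIG; do
        _sym=${_entry%%=*}
        _want=${_entry#*=}
        _got=$(kconfig_value "$_file" "$_sym")
        if [ "$_got" = "$_want" ]; then
            continue
        elif [ "$_want" = n ] && [ "$_got" = absent ]; then
            echo "$_sym: absent from config, treated as n" >&2
        else
            printf '%s expected=%s actual=%s\n' "$_sym" "$_want" "$_got"
            _bad=$((_bad + 1))
        fi
    done
    [ "$_bad" -eq 0 ]
}

# Constructed .config fragment mirroring the "current" column on this page.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_DEBUG_FS=y
# CONFIG_SCHED_STACK_END_CHECK is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
# CONFIG_DEBUG_CREDENTIALS is not set
# CONFIG_DEBUG_NOTIFIERS is not set
# CONFIG_DEBUG_LIST is not set
# CONFIG_DEBUG_SG is not set
CONFIG_SLAB_MERGE_DEFAULT=y
# CONFIG_PANIC_ON_OOPS is not set
CONFIG_PANIC_TIMEOUT=0
EOF
}

case ${1:-} in
    demo) _t=$(mktemp); write_sample_config "$_t"; check_kconfig "$_t"; rm -f "$_t" ;;
    live) if [ -r /proc/config.gz ]; then _t=$(mktemp); zcat /proc/config.gz > "$_t"
          else _t=/boot/config-$(uname -r); fi
          check_kconfig "$_t" ;;
esac
```

`sh check_kconfig.sh demo` reports all ten deviations of the constructed fragment; `sh check_kconfig.sh live` checks the running kernel. Checking the deployed config rather than the Yocto defconfig catches the case where a later .cfg fragment in the build silently flips an option back.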

R20

Compile options for kernel security functions

MIEH

The recommended configs are present.
TODO: add a test.

Done

R21

Compile options for the compiler plugins

MIEH

The recommended configs are present.
TODO: add a test.

Done

R22

Compile options of the IP stack

MIEH

CONFIG_SYN_COOKIES is set, but no test exists for it. TODO
IPv6 can be disabled at build time, but the IPv6 kernel config remains enabled. This must be corrected. TODO

Partially done

R23

Compile options for various kernel behaviors

MIEH

The kernel config that disables module support is not applied. We must verify whether module loading is really required. TODO
All other kernel configs are present, but no test exists for them. TODO

Partially done

R24

Compile options for 32-bit architectures

MIEH

This recommendation targets 32-bit x86 machines. Currently, SEAPATH is not supported on such hardware.

Not Applicable

R25

Compile options for x86_64 bit architectures

MIEH

SEAPATH builds its own kernel, so these options can be changed in the kernel config.
They must be added and tested.
Only CONFIG_IA32_EMULATION remains enabled; check whether 32-bit binaries need to be supported before disabling it.
TODO

Not Done

R26

Compile options for ARM architectures

MIEH

This recommendation targets ARM-based processors. Currently, SEAPATH is not supported on such hardware.

Not Applicable

R27

Compile options for ARM 64 bit architectures

MIEH

This recommendation targets ARM-based processors. Currently, SEAPATH is not supported on such hardware.

Not Applicable

R28

Typical partitioning

MI

Not all partitions are correctly separated, and the mount options must also be verified.

On SEAPATH Yocto the rootfs is mounted read-only, so some of the recommended separations and mount options do not apply as written:

  • / should be mounted with nodev because device nodes live on a devtmpfs

  • /opt is empty, so there is no need to separate it

  • /srv is empty, so there is no need to separate it

  • /usr: as the rootfs is read-only, there is no need to separate /usr from /

  • /home is an overlay

  • /var is not separate. As / is mounted read-only, it should be impossible to add executables or device nodes to it.

TODO

  • noexec on /tmp

  • hidepid=2 on /proc

  • noexec,nosuid on /dev (not explicit in R28 but consistent with it)

  • nodev,noexec,nosuid on /mnt/persistent, /var/lib/volatile, /home, /var/lib and /etc, to honour the mount options R28 asks for /home and /var

  • nodev on /

Add a test checking that there are no executables on /var.

Mount point tests must be added.

Partially done
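
The mount point test that the R28 TODO list calls for, as an added example (not SEAPATH's own cukinia test). It reads the kernel's view of the mounts (/proc/mounts) rather than fstab, so it reports what is actually applied, and takes the mounts as a text argument so it runs on the constructed sample below as well as on `cat /proc/mounts`. The required-options table is an assumed target derived from the TODO list above. One caveat it handles: since Linux 5.8 the kernel reports hidepid=2 as hidepid=invisible, so a literal match on "hidepid=2" fails on a correctly hardened recent kernel.

```shell
#!/bin/sh
# Added example, not SEAPATH's own cukinia test. Checks that mount points
# carry the options R28 asks for, reading the kernel's view (/proc/mounts)
# so the result reflects what is applied, not what fstab intends.

# Required options per mount point, from the R28 TODO list on this page
# (assumed target set; adjust to the partition layout in use).
REQUIRED_MOUNT_OPTS="
/:nodev
/tmp:nodev,noexec,nosuid
/dev:noexec,nosuid
/proc:hidepid=2
/home:nodev,noexec,nosuid
/var/lib:nodev,noexec,nosuid
"

# Option string of a mount point in /proc/mounts-formatted text; the last
# entry wins because a later mount over the same path shadows earlier
# ones. (Paths with spaces appear as \040 in /proc/mounts; none here.)
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }'
}

# True when option $2 is among the comma-separated options $1.
# hidepid=2 is shown as hidepid=invisible by kernels since 5.8.
has_opt() {
    _opts=$1; _want=$2
    case ",$_opts," in
        *",$_want,"*) return 0 ;;
    esac
    if [ "$_want" = "hidepid=2" ]; then
        has_opt "$_opts" "hidepid=invisible"
        return
    fi
    return 1
}

# Print one line per missing option or unmounted path; exit 0 only if
# every required mount point carries every required option.
check_mounts() {
    _mounts=$1
    _bad=0
    for _entry in $REQUIRED_MOUNT_OPTS; do
        _mp=${_entry%%:*}
        _opts=$(mount_opts "$_mounts" "$_mp")
        if [ -z "$_opts" ]; then
            printf '%s: not mounted\n' "$_mp"
            _bad=$((_bad + 1))
            continue
        fi
        for _o in $(printf '%s' "${_entry#*:}" | tr , ' '); do
            if ! has_opt "$_opts" "$_o"; then
                printf '%s: missing %s (has %s)\n' "$_mp" "$_o" "$_opts"
                _bad=$((_bad + 1))
            fi
        done
    done
    [ "$_bad" -eq 0 ]
}

# Constructed /proc/mounts of a Yocto-like host (read-only rootfs,
# overlay /home, no separate /var) before the TODO items are applied.
SAMPLE_MOUNTS='/dev/root / ext4 ro,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=1985572k,nr_inodes=496393,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
overlay /home overlay rw,relatime,lowerdir=/home,upperdir=/mnt/persistent/home/upper,workdir=/mnt/persistent/home/work 0 0'

case ${1:-} in
    demo) check_mounts "$SAMPLE_MOUNTS" ;;
    live) check_mounts "$(cat /proc/mounts)" ;;
esac
```

`sh check_mounts.sh demo` lists the seven gaps of the constructed host (nodev on /, noexec on /tmp and /dev, three options on /home, and /var/lib not being a mount point at all); `sh check_mounts.sh live` audits the host. The "not mounted" case is reported rather than skipped because a path that is not a separate mount point cannot carry its own options, which is exactly the /var situation described above.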

R29

Access restrictions on /boot

MIE

/boot is not mounted by default; Ansible mounts it only for specific tasks.

Done

R30

Removing the unused user accounts

M

There are no unused accounts on SEAPATH.

Done

R31

User password strength

M

The passwords used on SEAPATH must follow https://www.ssi.gouv.fr/mots-de-passe/
Additional passwords added by PAM software must also follow this recommendation.
Tests ensure that the root password is randomized at each boot.

For local users, the rules are defined in login.defs and tested in common_security_tests.d/hardening.conf.

TODO

Use yescrypt instead of SHA-512 for password hashing (the ENCRYPT_METHOD setting in login.defs).

User applicable

R32

Configuring a timeout on local user sessions

MI

The inactivity timeout for bash (TMOUT) and SSH sessions is set to 300 s.

Done

R33

Ensuring the imputability of administration actions

MI

Only sudo commands are logged.

TODO

Set up auditd as is done on SEAPATH Debian.

Not Done

R34

Disabling the service accounts

MI

No service account can open a login session on SEAPATH.

Done

R35

Uniqueness and exclusivity of service accounts

MI

Some services are launched as root. A dedicated user must be created for each of them.

Services which need to run as root:

  • agetty

  • dbus-daemon

  • systemd (init)

  • systemd-logind

  • systemd-journald

  • systemd-udevd

TODO

Root services to be changed:

  • ceph-crash

  • snmptrapd

  • libvirtd (difficult to run as a regular user)

  • syslog-ng

  • timemaster

  • chronyd

  • ptp4l

  • phc2sys

  • irqbalance

Not Done
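
A way to regenerate the R35 "to be changed" list from a running host, as an added example (not SEAPATH's own test). It takes the output of `ps -eo user,pid,ppid,comm` as text, keeps root-owned processes, drops kernel threads, and prints every command name that is not on the allowlist above (the allowlist is assumed to be complete). The sample ps output is constructed. The caveat it handles: the kernel truncates a process's comm to 15 bytes, so "systemd-journald" shows up as "systemd-journal" and a naive string match would flag it.

```shell
#!/bin/sh
# Added example, not SEAPATH's own test. Lists processes that run as root
# but are not on the R35 allowlist above, so the "to be changed" list can
# be regenerated from a live host. Input is the text of
#   ps -eo user,pid,ppid,comm | tail -n +2
# so it also runs on the constructed sample below.

# Services the page accepts as root (assumed to be the complete list).
ROOT_ALLOWLIST="agetty dbus-daemon systemd systemd-logind systemd-journald systemd-udevd"

# Print each distinct root-owned command not on the allowlist.
# The kernel truncates comm to 15 bytes (TASK_COMM_LEN minus the NUL),
# so "systemd-journald" appears as "systemd-journal"; the allowlist is
# truncated the same way before comparing. Kernel threads (kthreadd,
# pid 2, and its children) run as root by nature and are skipped.
root_procs_not_allowed() {
    _allow=$(for _n in $ROOT_ALLOWLIST; do printf '%.15s\n' "$_n"; done)
    printf '%s\n' "$1" | awk -v allow="$_allow" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "root"               { next }   # only root-owned processes
        $2 == 2 || $3 == 2         { next }   # kthreadd and kernel threads
        !($4 in ok) && !seen[$4]++ { print $4 }
    '
}

# Constructed ps output: a Yocto-like host where several time-sync and
# logging daemons still run as root, plus one daemon already moved to
# its own user.
SAMPLE_PS='root 1 0 systemd
root 2 0 kthreadd
root 15 2 kworker/0:1
root 310 1 systemd-journal
root 330 1 systemd-udevd
root 400 1 dbus-daemon
root 520 1 libvirtd
root 530 1 chronyd
root 531 1 ptp4l
root 532 1 phc2sys
root 540 1 agetty
root 600 1 syslog-ng
root 601 600 syslog-ng
snmp 700 1 snmptrapd'

case ${1:-} in
    demo) root_procs_not_allowed "$SAMPLE_PS" ;;
    live) root_procs_not_allowed "$(ps -eo user,pid,ppid,comm | tail -n +2)" ;;
esac
```

`sh root_procs.sh demo` prints libvirtd, chronyd, ptp4l, phc2sys and syslog-ng; `sh root_procs.sh live` does the same for the host. Matching on comm rather than the full command line keeps the output stable across argument changes, at the price of the 15-byte truncation handled above.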

R36

Changing the default value of UMASK

MIE

UMASK is set to the desired value.

Done

R37

Using Mandatory Access Control features

MIE

No MAC feature is implemented on SEAPATH Yocto.

Not Done

R38

Creating a group dedicated to the use of sudo

MIE

The group "privileged" is used for sudo.
If PAM authentication is set up by the end user, privileged users must also be placed in this group.

Done

R39

Sudo configuration guidelines

MI

All desired options are implemented and tested.

Done

R40

Using unprivileged users as target for sudo commands

MI

Old groups and users are still present in the sudoers files, and the related tests do not work.

Not Done

R41

Limiting the number of commands requiring the use of the EXEC directive

MIE

Old groups and users are still present in the sudoers files, and the related tests do not work.

Not Done

R42

Banishing the negations in sudo policies

MI

Old groups and users are still present in the sudoers files, and the related tests do not work.

Not Done

R43

Defining the arguments in sudo specifications

MI

Old groups and users are still present in the sudoers files, and the related tests do not work.

Not Done

R44

Editing files securely with sudo

MI

No text editor should be launched with sudo privileges.
To edit the sudoers rules, visudo is installed on SEAPATH; other files should be edited with sudoedit rather than by running an editor through sudo.
Note that sudo rules should not be changed after the initial configuration of SEAPATH.

User applicable

R45

Activating AppArmor security profiles

MIE

AppArmor is not installed on SEAPATH Yocto

Not Done

R46

Activating SELinux with the targeted policy

MIEH