9.1. Military Programming Law (MPL)

9.1.1. Regulatory reminders

Some reminders of the main principles of the French Military Programming Law (MPL):

  • French Military Programming Law (Act no. 2013-1168 of 18 December 2013)

  • Article 22: implementation supervised by the ANSSI for the OIVs

    • Impose security measures,

    • Impose controls on the most critical information systems

    • Make it compulsory to report incidents observed by OIVs on their information systems

  • Article L.1332-6-1 of the Defense Code amended by Act no. 2015-917 of 28 July 2015 - Art. 27

    • Establish organizational and technical measures

    • Define procedures for identifying and reporting security incidents affecting vital information systems (SIIV)


9.1.2. Goal Reminders

The objectives are:

  • To protect national critical infrastructures against cyber attacks

  • To reduce exposure to risks

  • To optimise the quality of the services provided by organisations


9.1.3. Reminders of requirements

The following requirements for OIVs and for security incident detection service providers (PDIS) must be taken into account on the equipment:

  • Implement an information systems security policy

  • Carry out a security certification

  • Communicate the elements on the SIIV set up by the operator to the ANSSI

  • Observe and react to security alerts

  • Limit access

  • Partition the networks

  • Select the qualified technologies

[Image: ANSSI.png]

9.1.4. MPL applied to GCenter

Note

Whatever the mode, the AIONIQ solution integrates GRSECURITY hardening, including PaX, which reduces the attack surface, including at the kernel level.

The specific configuration points that allow the solution to comply with the Military Programming Law are presented here.
Although a number of actions are performed automatically when entering MPL mode, the administrator will have to customise and modify some of the parameters manually:

  • AD/LDAP: manual action required

  • USB port: automatic action

  • Update in "Offline" mode: manual action required

  • Interface separation: manual action required

  • Certificate integration: manual action required

  • iDRAC disabled: manual action required

  • The groups: manual action required


9.1.4.1. Automatic actions

9.1.4.1.1. USB Port

Access via USB ports can involve risks.
When the AIONIQ solution is switched to MPL mode (also referred to as LPM mode) from the profile settings configuration menu of the SETUP interface, the USB ports are automatically deactivated.
If a USB device is already plugged in, the port in use is only deactivated once that media is disconnected.
For the device to be supported again, the GCenter must be restarted with the device reconnected before booting.

Note

This limits access to the device's TTY.


9.1.4.2. Manual actions

The following list of actions should only be performed by an administrator of the AIONIQ solution.


9.1.4.2.1. No connection between GCenter and AD LDAP

In the context of an IS subject to the MPL, there are certain constraints, in particular the fact that the GCenter is not connected to an Active Directory or LDAP.
It is necessary to check whether this is the case.
To do this, go to the ADMINISTRATORS section of the GCenter and click on Accounts and LDAP configuration.
[Screenshot: LDAP-01.PNG, the Accounts and LDAP configuration page]
In the `LDAP authentication settings` (2) area:

  • Deselect the `Enable LDAP authentication` option, and

  • Click the `Save and apply` button to apply the change.

This change causes the application to restart, which disconnects the current user from the interface.
Once the administrator clicks the `Confirm` button, it will be necessary to log in to the interface again.
After this manipulation and reconnection to GCenter, a green banner is visible and indicates the validation of the change.
`LDAP interconnection status` indicates that GCenter is now disconnected from the Active Directory or LDAP.

9.1.4.2.2. Deactivation of remote control console interface

The remote control console is accessed via a specific network connection.
This connection interface is called iDRAC at Dell (or TSM at Lenovo).
ANSSI recommends disabling this interface for security reasons.
Under certain conditions, the administrator can nevertheless reactivate it to facilitate maintenance.

9.1.4.2.3. Network interface separation

As part of an IS subject to the MPL (LPM), the GCenter must have a specific configuration of its network interfaces.
To guarantee this compliance and a good level of security, the management flow and the interconnection flow with the GCap must be carried on two different interfaces, respectively [MGMT0] and [VPN0].
This change is not applied automatically when MPL mode is enabled, even if the network cables are correctly connected.
It is from the SETUP interface that the administrator manually adds a new IP address for the [VPN0] interface.
Only the [MGMT0] and [VPN0] interfaces are affected. Refer to the setup configuration document to make the change.
Details of the flows in this mode are described in the section Interconnection between devices.
For additional security, logs sent to a SIEM in an operating area can likewise be carried over a dedicated interface, separating the management interface (administrator) from the log export interface (operator).
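The following script is an added illustration of how an administrator could verify the interface separation described above on a Linux host after the change has been made through SETUP; it is not a GCenter tool and is not part of the original documentation. It parses the output format of `ip -o -4 addr show` (the samples below are constructed, not captured from a real GCenter), checks that the management interface (mgmt0) and the GCap interconnection interface (vpn0) carry addresses in disjoint IPv4 subnets, and checks which interface a given SIEM address would be reached from. The `export0` interface name and all addresses are assumptions.

```python
"""Verify MPL network separation from `ip -o -4 addr show` output.

Added illustration, not a GCenter tool: the interface names mgmt0 and vpn0
come from the documentation; export0 and every address are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional

Addrs = Dict[str, List[ipaddress.IPv4Interface]]

# Constructed compliant sample of `ip -o -4 addr show` output.
SAMPLE_SEPARATED = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: mgmt0    inet 10.10.1.20/24 brd 10.10.1.255 scope global mgmt0\       valid_lft forever preferred_lft forever
3: vpn0    inet 10.20.5.20/24 brd 10.20.5.255 scope global vpn0\       valid_lft forever preferred_lft forever
4: export0    inet 192.168.50.20/24 brd 192.168.50.255 scope global export0\       valid_lft forever preferred_lft forever
"""

# Constructed non-compliant sample: vpn0 sits in the management subnet.
SAMPLE_SHARED = r"""
2: mgmt0    inet 10.10.1.20/24 brd 10.10.1.255 scope global mgmt0\       valid_lft forever preferred_lft forever
3: vpn0    inet 10.10.1.30/24 brd 10.10.1.255 scope global vpn0\       valid_lft forever preferred_lft forever
"""

IP_ADDR_LINE = re.compile(r"^\d+:\s+(?P<ifname>\S+)\s+inet\s+(?P<cidr>\d+(?:\.\d+){3}/\d+)")


def parse_ip_addr(text: str) -> Addrs:
    """Map interface name -> list of IPv4 interfaces from `ip -o -4 addr show` output."""
    addrs: Addrs = {}
    for line in text.splitlines():
        m = IP_ADDR_LINE.match(line)
        if m:
            addrs.setdefault(m["ifname"], []).append(ipaddress.IPv4Interface(m["cidr"]))
    return addrs


def check_separation(addrs: Addrs, mgmt: str = "mgmt0", vpn: str = "vpn0") -> List[str]:
    """Return findings; an empty list means management and GCap flows use
    distinct interfaces whose IPv4 subnets do not overlap."""
    findings = [f"{name}: no IPv4 address configured" for name in (mgmt, vpn) if not addrs.get(name)]
    if findings:
        return findings
    for a in addrs[mgmt]:
        for b in addrs[vpn]:
            if a.network.overlaps(b.network):
                findings.append(f"{mgmt} {a} and {vpn} {b} share a subnet: "
                                "management and GCap flows are not separated")
    return findings


def egress_interface(addrs: Addrs, target: str) -> Optional[str]:
    """Interface directly connected to `target`, or None.
    Only connected subnets are considered; a routed target needs the route table."""
    ip = ipaddress.IPv4Address(target)
    for name, ifaces in addrs.items():
        if name == "lo":
            continue
        if any(ip in iface.network for iface in ifaces):
            return name
    return None


def check_siem_export(addrs: Addrs, siem_ip: str, mgmt: str = "mgmt0") -> List[str]:
    """Flag a SIEM that would be reached through the management interface."""
    via = egress_interface(addrs, siem_ip)
    if via is None:
        return [f"SIEM {siem_ip}: not on a directly connected subnet, check the route table"]
    if via == mgmt:
        return [f"SIEM {siem_ip}: reached through the management interface {mgmt}, "
                "use a dedicated export interface"]
    return []


if __name__ == "__main__":
    addrs = parse_ip_addr(SAMPLE_SEPARATED)
    for finding in check_separation(addrs) + check_siem_export(addrs, "192.168.50.200"):
        print("FAIL:", finding)
    print("separated sample:", "compliant" if not check_separation(addrs) else "non-compliant")
    print("shared sample:", check_separation(parse_ip_addr(SAMPLE_SHARED)))
```

On a real host, replace the constructed samples with the actual command output; the check only reasons about directly connected subnets, so a SIEM reached through a gateway must be confirmed against the route table as well.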

9.1.4.2.4. Update in "Offline" mode

In order for the AIONIQ solution to comply with the Military Programming Law, signature updates must be performed in Manual or Local mode.
There are therefore two possibilities:

  • Either from the GCenter web interface (see section Update Local). This is a manual update.

  • Or via a location on the network, disconnected from the internet (see section Update Manual). This corresponds to a Local update.


9.1.4.2.4.1. Certificate integration
In order to comply with the specific requirements concerning the use of cryptographic mechanisms, GATEWATCHER advises referring to the documents written by the national authority on information system security and defence (ANSSI).
The Military Programming Law imposes rules and recommendations concerning the management of the keys used, the authentication mechanisms, and the choice and sizing of cryptographic mechanisms.
All these prerequisites are available in the ANSSI General Security Reference framework (RGS), annexes RGS B1, RGS B2 and RGS B3.

The `SSL settings` section indicates how to add your own SSL configuration.


9.1.5. Groups

In order to respect the separation of roles on the GCenter, default groups are already created to facilitate user management:

  • The operators group

  • The administrators group

A user is therefore a member of one or both groups.

9.1.5.1. Mission of a member of the operator group

A member of the operator group has the following missions:

  • Viewing of synthetic dashboards via the WEB UI interface showing information about the monitored system:

    • Main dashboard (Home) to synthetically display alarms classified by level of risk

    • Dashboard to display the network map, showing the relationships between the elements present on the network

    • Dashboards to display alarms classified by criteria (Users, Assets, Alerts) or by type of risk (Overview)

  • Consultation of detailed dashboards via the Kibana interface showing the data present in the detection event dashboards

  • Own account management:

    • Changing the current account password

    • Modification of certain information of the current user

  • Sigflow engine configuration:

    • Management of SIGFLOW engine rule sources

    • Creation of a SIGFLOW engine ruleset

    • Modification of SIGFLOW engine rules

    • Generation of SIGFLOW engine rulesets

  • GCap configuration from the GCenter via GCap profiles:

    • Detection ruleset

    • Base variables

    • Net variables

    • File rule management

    • Packet filters


9.1.5.2. Mission of a member of the administrator group

A member of the administrator group is responsible for:

  • NDR configuration, for example:

    • Alerts displayed in the Alerts dashboard

    • The equipment displayed in the Assets dashboard

    • Users displayed in the Users dashboard

  • Administrating a GCap, for example:

    • Pairing a GCap with the GCenter

    • Re-pairing a GCap

    • Changing the default profile or customising the existing profile

    • Deleting a GCap connected to the GCenter

  • Managing the GCenter backup and restoration, for example:

    • Backup configuration

    • Backup

    • Restoration

  • Managing the GCenter software:

    • Updating signatures

    • Installing a hotfix

    • Upgrading software

  • Administrating the GCenter:

    • Exporting data (log files)

    • Deleting data (log files)

    • Generating and loading files for diagnosis

  • Managing user accounts:

    • Creating local users

    • Changing some of a local user's information

    • Resetting a local user's password

    • Deleting a local user

    • Displaying the connection status between the GCenter and the LDAP server

    • Enabling the connection between the GCenter and the LDAP server

    • Configuring the connection between the GCenter and the LDAP server

    • Configuring the users and groups defined on LDAP / Active Directory

    • Viewing the authentication history

    • Viewing the history of user creations or deletions

    • Viewing the history of all changes in user rights

    • Adding an API access token

    • Managing the password policy

  • Configuring the detection engine:

    • Setting up GBox and the Malcore and Retroact engines

    • Managing the white and black lists of the Malcore engine

    • Enabling and configuring the Machine Learning engine

    • Managing the white and black lists of the Machine Learning engine

  • Configuring the GCenter:

    • Displaying the information (name of the GCenter, version of the GCenter software, characteristics of the IP address of the mgmt0 interface)

    • Generating a text report of the GCenter status ("Tech Support")

    • Changing the keyboard language (US or FR choice)

    • Changing the password of the setup access account

    • Changing the date and time of the GCenter

    • Viewing and modifying GCenter network settings

    • Managing the ARP table and its cache

    • Changing the MTU value of the IPsec tunnel interface (mgmt0 or vpn0)

    • Executing various actions on the network to validate the correct GCenter configuration

    • Choosing the type of update required

    • Managing the GCenter services and applications (start, reset, restart)

    • Modifying the storage mode for the alerts and the metadata

    • Changing the LPM mode (on/off)

    • Restarting / shutting down the GCenter

    • Reconfiguring the GCenter to its factory settings