ANSSI BP-028 v2.0 (February 2024) is the French infrastructure-hardening reference, with four levels (minimal / intermediary / reinforced / high) across three host categories (base / client / server). The recommendations below cover the kernel-level and audit-level hardening that nixfleet-compliance enforces, each mapped to the control that implements it.

| Reco. | Title | Controls |
|---|---|---|
| R7 | Activating the IOMMU | _baseline-hardening (BH-01) |
| R8 | Memory hardening | _baseline-hardening (BH-02) |
| R9 | Kernel options | _baseline-hardening (BH-03) |
| R10 | Disable kernel modules loading | _baseline-hardening (BH-04) |
| R11 | Yama LSM | _baseline-hardening (BH-05) |
| R12 | IPv4 hardening | _baseline-hardening (BH-06) |
| R13 | Disable IPv6 | _baseline-hardening (BH-07) |
| R14 | Filesystem hardening | _baseline-hardening (BH-08) |
| R33 | Auditd enforcement | _audit-logging (AL-02) |

The ANSSI preset also activates _access-control, _encryption-at-rest, _authentication, _secure-boot, and _network-segmentation (server category) as additional hardening controls without specific R-numbers.

Canonical control source: docs/anssi-mapping.md in the compliance repo.