!31 optimize 8 rules for openEuler

From: @qsw333 Reviewed-by: @flysubmarine, @zhujianwei001 Signed-off-by: @zhujianwei001
2024-06-21 02:00:19 +00:00 · 2024-06-21 02:00:19 +00:00 · 5cb531b371
commit 5cb531b371
parent 200a135683 6a9af824f9
2 changed files with 204 additions and 1 deletions
--- a/optimize-8-rules-for-openEuler.patch
+++ b/optimize-8-rules-for-openEuler.patch
@ -0,0 +1,199 @@
+From e7f1e45f0b3172b5b5a35a1822865fddbca6d9f0 Mon Sep 17 00:00:00 2001
+From: wangqingsan <wangqingsan@huawei.com>
+Date: Wed, 19 Jun 2024 13:27:03 +0800
+Subject: [PATCH] fix bug for oe
+
+---
+ .../oval/shared.xml                           |  2 +-
+ .../oval/shared.xml                           |  2 +-
+ .../sshd_set_max_auth_tries/oval/shared.xml   | 14 ++++++++++++
+ .../accounts_umask_etc_bashrc/oval/shared.xml |  4 ++--
+ .../oval/shared.xml                           | 13 ++++++-----
+ .../rsyslog_files_permissions_oe/rule.yml     | 22 +++++++++++++++++++
+ .../service_ip6tables_enabled/rule.yml        |  2 +-
+ openeuler2203/profiles/standard.profile       |  4 ++--
+ 8 files changed, 51 insertions(+), 12 deletions(-)
+ create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
+index e6c1a0e..494e255 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
+@@ -19,7 +19,7 @@
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="obj_test_sshd_configure_concurrent_unauthenticated_connections" version="1">
+     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+-    <ind:pattern operation="pattern match">^maxstartups\s+\d+:\d+:\d+$</ind:pattern>
+    <ind:pattern operation="pattern match">^MaxStartups\s*[0-9]*:[0-9]*:[0-9]*[0-9]</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ </def-group>
+\ No newline at end of file
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
+index fb79aff..30bc3c4 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
+@@ -19,7 +19,7 @@
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="obj_test_sshd_configure_correct_LoginGraceTime" version="1">
+     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+-    <ind:pattern operation="pattern match">^LoginGraceTime\s+\d+$</ind:pattern>
+    <ind:pattern operation="pattern match">^LoginGraceTime\s(\d*)[smhdw]*$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ </def-group>
+\ No newline at end of file
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
+index a8eaabd..ae811c7 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
+@@ -8,14 +8,28 @@
+       <description>The SSH MaxAuthTries should be set to an
+       appropriate value.</description>
+     </metadata>
+    {{% if product in ['openeuler2203'] %}}
+    <criteria comment="SSH is not being used or conditions are met" operator="OR">
+      <extend_definition comment="sshd service is disabled"
+      definition_ref="service_sshd_disabled" />
+      <criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config"
+      test_ref="test_sshd_max_auth_tries_oe" />
+    </criteria>
+    {{% else %}}
+     <criteria comment="SSH is not being used or conditions are met" operator="OR">
+       <extend_definition comment="sshd service is disabled"
+       definition_ref="service_sshd_disabled" />
+       <criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config"
+       test_ref="test_sshd_max_auth_tries" />
+     </criteria>
+    {{% endif %}}
+   </definition>
+ 
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="maxauthtries is configured" id="test_sshd_max_auth_tries_oe" version="1">
+    <ind:object object_ref="object_sshd_max_auth_tries" />
+  </ind:textfilecontent54_test>
+
+   <ind:textfilecontent54_test check="all" check_existence="all_exist"
+   comment="maxauthtries is configured" id="test_sshd_max_auth_tries" version="1">
+     <ind:object object_ref="object_sshd_max_auth_tries" />
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
+index 0bd0ac1..ec4197a 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
+@@ -95,7 +95,7 @@
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_umask_in_etc_bash_openeuler" version="1">
+     <ind:filepath operation="pattern match">/etc/bashrc</ind:filepath>
+-    <ind:pattern operation="pattern match">[\s]*umask[\s]*0077[\s]*</ind:pattern>
+    <ind:pattern operation="pattern match">^umask[\s]*0*7*$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+@@ -104,7 +104,7 @@
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_umask_in_point_bash_openeuler" version="1">
+     <ind:filepath>^/home/.*\.bashrc$</ind:filepath>
+-    <ind:pattern operation="pattern match">[\s]*umask[\s]*0077[\s]*</ind:pattern>
+    <ind:pattern operation="pattern match">^umask[\s]*0*7*$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
+index 92b2667..372e175 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
+@@ -8,12 +8,15 @@
+       <description>The audit rules should be configured to log information about kernel module installing and removing.</description>
+     </metadata>
+     <criteria operator="AND">
+-      <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+-      <criterion comment="audit augenrules 64-bit init_module" test_ref="test_64bit_init_module_augenrules" />
+-      <criterion comment="audit augenrules 64-bit delete_module" test_ref="test_64bit_delete_module_augenrules" />
+      <extend_definition comment="32-bit system audit augenrules" definition_ref="audit_rules_augenrules" />
+       <criterion comment="audit augenrules inmod" test_ref="test_install_module_augenrules" />
+       <criterion comment="audit augenrules rmmod" test_ref="test_remove_module_augenrules" />
+       <criterion comment="audit augenrules modprobe" test_ref="test_probe_module_augenrules" />
+      <criteria operator="OR">
+      <extend_definition comment="64-bit systemctl audit augenrules" definition_ref="audit_rules_augenrules" />
+      <criterion comment="audit augenrules 64-bit init_module" test_ref="test_64bit_init_module_augenrules" />
+      <criterion comment="audit augenrules 64-bit delete_module" test_ref="test_64bit_delete_module_augenrules" />
+      </criteria>
+     </criteria>
+   </definition>
+ 
+@@ -22,7 +25,7 @@
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_64bit_init_module_augenrules" version="1">
+     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*.*$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+@@ -31,7 +34,7 @@
+   </ind:textfilecontent54_test>
+   <ind:textfilecontent54_object id="object_64bit_delete_module_augenrules" version="1">
+     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*.*$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
+new file mode 100644
+index 0000000..93fd68f
+--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
+@@ -0,0 +1,22 @@
+documentation_complete: true
+
+title: 'Ensure System Log Files Have Correct Permissions'
+
+description: |-
+    <p>Log files record system operations. The log tool <tt>rsyslog</tt> can record logs 
+    to specified files. When the specified log file does not exist in the system, 
+    <tt>rsyslog</tt> can create a new log file. You can set the permission on new log files 
+    in the <tt>rsyslog</tt> configuration file. You can set the default file permission to 
+    ensure that new log files have proper and secure permissions.</p>
+    <p>Run the following command to manually check whether the log permission is properly set:</p>
+    <pre>$ ls -l <i>LOGFILE</i></pre>
+    <p>If the permissions are not 600 or more restrictive, run the following
+    command to correct this:</p>
+    <pre>$ sudo chmod 0600 <i>LOGFILE</i></pre>"
+
+rationale: |-
+    Log files can contain valuable information regarding system
+    configuration. If the system log files are not protected unauthorized
+    users could change the logged data, eliminating their forensic value.
+
+severity: low
+diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
+index d533940..a8ce14a 100644
+--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
+@@ -34,6 +34,6 @@ template:
+     name: service_enabled
+     vars:
+         servicename: ip6tables
+-        packagename: iptables-ipv6
+        packagename: iptables
+ 
+ platform: machine
+diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
+index 76fe4dd..4ae7a01 100644
+--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
+@@ -376,8 +376,8 @@ selections:
+     - audit_rules_admin_privilege.severity=low
+     - recorded_authentication_related_event
+     - recorded_authentication_related_event.severity=high
+-    - rsyslog_files_permissions
+-    - rsyslog_files_permissions.severity=low
+    - rsyslog_files_permissions_oe
+    - rsyslog_files_permissions_oe.severity=low
+     - partitions_manage_hard_drive_data
+     - partitions_manage_hard_drive_data.severity=low
+     - uninstall_debugging_tools
+-- 
+2.36.1
+
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.49
-Release:	11
+Release:	12
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -16,6 +16,7 @@ Patch0007:enable-76-rules-for-openEuler.patch
 Patch0008:enable-54-rules-for-openEuler.patch
 Patch0009:add-15-rules-for-openeuler.patch
 Patch0010:optimize-80-rules-for-openEuler.patch
+Patch0011:optimize-8-rules-for-openEuler.patch

 BuildArch:	noarch
 BuildRequires: 	libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@ -70,6 +71,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html

 %changelog
+* Thu Jun 20 2024 wangqingsan <wangqingsan@huawei.com> - 0.1.49-12
+- optimized 8 rules for openEuler
+
 * Fri Dec 22 2023 wangqingsan <wangqingsan@huawei.com> - 0.1.49-11
 - elevate 80 rules for openEuler