diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch
index f5ccc6f..2a1f0a1 100644
--- a/enable-76-rules-for-openEuler.patch
+++ b/enable-76-rules-for-openEuler.patch
@@ -1,7 +1,7 @@
-From 49b0ed553a842d15ed5f942dd9825aa89eb84078 Mon Sep 17 00:00:00 2001
+From 6c007906571ed8e7b931d1b923a54af52b6ec91c Mon Sep 17 00:00:00 2001
 From: "steven.y.gui"
-Date: Mon, 26 Jun 2023 17:09:54 +0800
-Subject: [PATCH] enable-76-rules-for-openEuler
+Date: Mon, 26 Jun 2023 19:32:25 +0800
+Subject: [PATCH] enable 76 rules for openEuler
 ---
 .../rule.yml | 30 +++++++
@@ -23,7 +23,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler
 .../sshd_use_strong_pubkey/rule.yml | 13 +++
 .../guide/services/ssh/sshd_strong_kex.var | 19 +++++
 .../oval/shared.xml | 1 +
- .../rule.yml | 7 +-
+ .../rule.yml | 8 +-
 .../oval/shared.xml | 12 ++-
 .../rule.yml | 8 +-
 .../oval/shared.xml | 13 ++-
@@ -35,13 +35,13 @@ Subject: [PATCH] enable-76-rules-for-openEuler
 .../no_name_contained_in_password/rule.yml | 12 +++
 .../accounts_password_pam_dcredit/rule.yml | 2 +-
 .../oval/shared.xml | 27 ++++++
- .../accounts_password_pam_dictcheck/rule.yml | 28 ++++++
+ .../accounts_password_pam_dictcheck/rule.yml | 29 +++++++
 .../accounts_password_pam_lcredit/rule.yml | 2 +-
 .../accounts_password_pam_minclass/rule.yml | 2 +-
 .../accounts_password_pam_minlen/rule.yml | 2 +-
 .../accounts_password_pam_ocredit/rule.yml | 2 +-
 .../oval/shared.xml | 1 +
- .../accounts_password_pam_retry/rule.yml | 7 +-
+ .../accounts_password_pam_retry/rule.yml | 8 +-
 .../accounts_password_pam_ucredit/rule.yml | 2 +-
 .../var_password_pam_dictcheck.var | 16 ++++
 .../oval/shared.xml | 1 +
@@ -70,7 +70,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler
 .../tests/wrong_value.fail.sh | 5 ++
 .../oval/shared.xml | 30 +++++++
 .../login_accounts_are_necessary/rule.yml | 31 +++++++
- .../accounts_maximum_age_login_defs/rule.yml | 5 ++
+ .../accounts_maximum_age_login_defs/rule.yml | 6 ++
 .../gid_passwd_group_same/oval/shared.xml | 3 +-
 .../accounts_tmout/oval/shared.xml | 1 +
 .../accounts-session/accounts_tmout/rule.yml | 7 +-
@@ -105,7 +105,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler
 shared/macros-oval.jinja | 73 ++++++++++++++++
 shared/templates/template_OVAL_sysctl | 4 +
 ssg/constants.py | 4 +-
- 101 files changed, 1526 insertions(+), 37 deletions(-)
+ 101 files changed, 1530 insertions(+), 37 deletions(-)
 create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
 create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml
@@ -614,7 +614,7 @@ index 28eecc8..5165c15 100644
 The passwords to remember should be set correctly.
 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
-index 579ffc0..1d926b7 100644
+index 579ffc0..3bb940f 100644
 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
 +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
 @@ -1,6 +1,6 @@
@@ -625,11 +625,12 @@ index 579ffc0..1d926b7 100644
 title: 'Limit Password Reuse'
-@@ -20,6 +20,11 @@ description: |-
+@@ -20,6 +20,12 @@ description: |-
 The DoD STIG requirement is 5 passwords.
 + {{% if product in ["openeuler2203"] %}}
++
 + Considering the usability of the community release of openEuler in different scenarios,
 + the openEuler release does not disable historical passwords by default.
 + Please configure historical passwords based on the site requirements.
@@ -884,10 +885,10 @@ index 0000000..13bbae4
 +
 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
 new file mode 100644
-index 0000000..1dc59f5
+index 0000000..46159db
 --- /dev/null
 +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,29 @@
 +documentation_complete: true
 +
 +prodtype: openeuler2203
@@ -898,6 +899,7 @@ index 0000000..1dc59f5
 + The pam_pwquality module's dictcheck check if passwords contains dictionary words. When
 + dictcheck is set to 1 passwords will be checked for dictionary words.
 + {{% if product in ["openeuler2203"] %}}
++
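Review bot: The openEuler-specific description in the `@@ -625` hunk, `the openEuler release does not disable historical passwords by default`, says the opposite of what the rule controls: the rule titled 'Limit Password Reuse' is about the `remember=` option that rejects previously used passwords, and the release merely leaves that option unset, so nothing is being "disabled". I would change the two lines to `the openEuler release does not limit password reuse (remember= is left unset) by default.` and `Please configure the number of remembered passwords according to site policy; the DoD STIG requirement above is 5.`. Because this paragraph is what an administrator reads to judge whether the relaxation is acceptable, it should also state whether the rule still reports a finding while `remember=` is unset, so the default is not mistaken for compliance; the OVAL check is not visible from this hunk, so I cannot confirm which it is. The `description: |-` block starts before the hunk and its closing `{{% endif %}}` lies after it.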
 + Considering the usability of the community release of openEuler in different scenarios,
 + the weak password dictionary check is not configured for the openEuler release by default.
 + Please configure the weak password dictionary check based on the site requirements.
@@ -977,7 +979,7 @@ index d888d78..4588489 100644
 The password retry should meet minimum requirements
 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-index 099cbbf..50853ed 100644
+index 099cbbf..4bf912f 100644
 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
 +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
 @@ -1,6 +1,6 @@
@@ -988,11 +990,12 @@ index 099cbbf..50853ed 100644
 title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
-@@ -10,6 +10,11 @@ description: |-
+@@ -10,6 +10,12 @@ description: |-
 show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
 + {{% if product in ["openeuler2203"] %}}
++
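Review bot: The openEuler paragraph in the `@@ -898` hunk says the dictionary check `is not configured for the openEuler release by default` without saying what that means in practice; as far as I recall pwquality.conf(5), pam_pwquality applies its own built-in default for `dictcheck` when the option is absent, so "not configured" may still mean "enabled", and an auditor cannot tell from this text which it is. I would add one line after `Please configure the weak password dictionary check based on the site requirements.`: `When dictcheck is unset, the pam_pwquality built-in default applies; verify the effective value in /etc/security/pwquality.conf.` The first sentence of the description, visible as context, also needs a grammar fix: `The pam_pwquality module's dictcheck option checks whether passwords contain dictionary words.` The closing `{{% endif %}}` of this block lies outside the hunk.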
 + Considering the usability of the community release of openEuler in different scenarios,
 + the values of retry are not configured in the openEuler release by default.
 + Please set it based on the site requirements.
@@ -1737,14 +1740,15 @@ index 0000000..7fd34bc
 +severity: medium
 +
 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-index d41a0eb..738fb8b 100644
+index d41a0eb..d667d96 100644
 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
 +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-@@ -10,6 +10,11 @@ description: |-
+@@ -10,6 +10,12 @@ description: |-
 A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
 + {{% if product in ["openeuler2203"] %}}
++
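Review bot: The openEuler wording in the `@@ -988` hunk is unclear: `the values of retry are not configured in the openEuler release by default.` and `Please set it based on the site requirements.` — `retry` takes a single value, and `it` has no clear antecedent for a reader who lands on this rule from a scan report. I would write `the retry value is not configured in the openEuler release by default.` and `Please set retry according to site policy; the DoD requirement stated above is a maximum of 3 prompts per session.` The `description: |-` key and the closing `{{% endif %}}` both lie outside the hunk.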
 + Considering the usability of the community release of openEuler in different scenarios,
 + the password expiration time is not configured in the openEuler release by default.
 + Please set the password expiration time based on the site requirements.
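Review bot: The openEuler paragraph in the `@@ -1737` hunk says `the password expiration time is not configured in the openEuler release by default.` but does not say what a missing `PASS_MAX_DAYS` means for the system, which is the fact an auditor needs: whether passwords then never expire, or some other default takes effect. I would add one line after `Please set the password expiration time based on the site requirements.`: `When PASS_MAX_DAYS is absent from /etc/login.defs, the shadow-utils default applies; state the effective maximum age in site documentation.` The description also still mentions `The DoD requirement is 60.`, so the site guidance should say whether that or the 180-day value above is the expected baseline. The closing `{{% endif %}}` of this block lies outside the hunk.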