packages/scap-security-guide
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add br

Browse Source
This commit is contained in:
steven.y.gui 2023-06-26 19:33:30 +08:00
parent 696e34728b
commit 9b9f626e2c
1 changed files with 20 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
enable-76-rules-for-openEuler.patch
View File

@ -1,7 +1,7 @@
From 49b0ed553a842d15ed5f942dd9825aa89eb84078 Mon Sep 17 00:00:00 2001 From 6c007906571ed8e7b931d1b923a54af52b6ec91c Mon Sep 17 00:00:00 2001
From: "steven.y.gui" <steven_ygui@163.com> From: "steven.y.gui" <steven_ygui@163.com>
Date: Mon, 26 Jun 2023 17:09:54 +0800 Date: Mon, 26 Jun 2023 19:32:25 +0800
Subject: [PATCH] enable-76-rules-for-openEuler Subject: [PATCH] enable 76 rules for openEuler
--- ---
.../rule.yml | 30 +++++++ .../rule.yml | 30 +++++++
@ -23,7 +23,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler
.../sshd_use_strong_pubkey/rule.yml | 13 +++ .../sshd_use_strong_pubkey/rule.yml | 13 +++
.../guide/services/ssh/sshd_strong_kex.var | 19 +++++ .../guide/services/ssh/sshd_strong_kex.var | 19 +++++
.../oval/shared.xml | 1 + .../oval/shared.xml | 1 +
.../rule.yml | 7 +- .../rule.yml | 8 +-
.../oval/shared.xml | 12 ++- .../oval/shared.xml | 12 ++-
.../rule.yml | 8 +- .../rule.yml | 8 +-
.../oval/shared.xml | 13 ++- .../oval/shared.xml | 13 ++-
@ -35,13 +35,13 @@ Subject: [PATCH] enable-76-rules-for-openEuler
.../no_name_contained_in_password/rule.yml | 12 +++ .../no_name_contained_in_password/rule.yml | 12 +++
.../accounts_password_pam_dcredit/rule.yml | 2 +- .../accounts_password_pam_dcredit/rule.yml | 2 +-
.../oval/shared.xml | 27 ++++++ .../oval/shared.xml | 27 ++++++
.../accounts_password_pam_dictcheck/rule.yml | 28 ++++++ .../accounts_password_pam_dictcheck/rule.yml | 29 +++++++
.../accounts_password_pam_lcredit/rule.yml | 2 +- .../accounts_password_pam_lcredit/rule.yml | 2 +-
.../accounts_password_pam_minclass/rule.yml | 2 +- .../accounts_password_pam_minclass/rule.yml | 2 +-
.../accounts_password_pam_minlen/rule.yml | 2 +- .../accounts_password_pam_minlen/rule.yml | 2 +-
.../accounts_password_pam_ocredit/rule.yml | 2 +- .../accounts_password_pam_ocredit/rule.yml | 2 +-
.../oval/shared.xml | 1 + .../oval/shared.xml | 1 +
.../accounts_password_pam_retry/rule.yml | 7 +- .../accounts_password_pam_retry/rule.yml | 8 +-
.../accounts_password_pam_ucredit/rule.yml | 2 +- .../accounts_password_pam_ucredit/rule.yml | 2 +-
.../var_password_pam_dictcheck.var | 16 ++++ .../var_password_pam_dictcheck.var | 16 ++++
.../oval/shared.xml | 1 + .../oval/shared.xml | 1 +
@ -70,7 +70,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler
.../tests/wrong_value.fail.sh | 5 ++ .../tests/wrong_value.fail.sh | 5 ++
.../oval/shared.xml | 30 +++++++ .../oval/shared.xml | 30 +++++++
.../login_accounts_are_necessary/rule.yml | 31 +++++++ .../login_accounts_are_necessary/rule.yml | 31 +++++++
.../accounts_maximum_age_login_defs/rule.yml | 5 ++ .../accounts_maximum_age_login_defs/rule.yml | 6 ++
.../gid_passwd_group_same/oval/shared.xml | 3 +- .../gid_passwd_group_same/oval/shared.xml | 3 +-
.../accounts_tmout/oval/shared.xml | 1 + .../accounts_tmout/oval/shared.xml | 1 +
.../accounts-session/accounts_tmout/rule.yml | 7 +- .../accounts-session/accounts_tmout/rule.yml | 7 +-
@ -105,7 +105,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler
shared/macros-oval.jinja | 73 ++++++++++++++++ shared/macros-oval.jinja | 73 ++++++++++++++++
shared/templates/template_OVAL_sysctl | 4 + shared/templates/template_OVAL_sysctl | 4 +
ssg/constants.py | 4 +- ssg/constants.py | 4 +-
101 files changed, 1526 insertions(+), 37 deletions(-) 101 files changed, 1530 insertions(+), 37 deletions(-)
create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml
@ -614,7 +614,7 @@ index 28eecc8..5165c15 100644
<description>The passwords to remember should be set correctly.</description> <description>The passwords to remember should be set correctly.</description>
</metadata> </metadata>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index 579ffc0..1d926b7 100644 index 579ffc0..3bb940f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
@ -625,11 +625,12 @@ index 579ffc0..1d926b7 100644
title: 'Limit Password Reuse' title: 'Limit Password Reuse'
@@ -20,6 +20,11 @@ description: |- @@ -20,6 +20,12 @@ description: |-
</li> </li>
</ul> </ul>
The DoD STIG requirement is 5 passwords. The DoD STIG requirement is 5 passwords.
+ {{% if product in ["openeuler2203"] %}} + {{% if product in ["openeuler2203"] %}}
+ <br />
+ Considering the usability of the community release of openEuler in different scenarios, + Considering the usability of the community release of openEuler in different scenarios,
+ the openEuler release does not disable historical passwords by default. + the openEuler release does not disable historical passwords by default.
+ Please configure historical passwords based on the site requirements. + Please configure historical passwords based on the site requirements.
@ -884,10 +885,10 @@ index 0000000..13bbae4
+</def-group> +</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
new file mode 100644 new file mode 100644
index 0000000..1dc59f5 index 0000000..46159db
--- /dev/null --- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
@@ -0,0 +1,28 @@ @@ -0,0 +1,29 @@
+documentation_complete: true +documentation_complete: true
+ +
+prodtype: openeuler2203 +prodtype: openeuler2203
@ -898,6 +899,7 @@ index 0000000..1dc59f5
+ The pam_pwquality module's <tt>dictcheck</tt> check if passwords contains dictionary words. When + The pam_pwquality module's <tt>dictcheck</tt> check if passwords contains dictionary words. When
+ <tt>dictcheck</tt> is set to <tt>1</tt> passwords will be checked for dictionary words. + <tt>dictcheck</tt> is set to <tt>1</tt> passwords will be checked for dictionary words.
+ {{% if product in ["openeuler2203"] %}} + {{% if product in ["openeuler2203"] %}}
+ <br />
+ Considering the usability of the community release of openEuler in different scenarios, + Considering the usability of the community release of openEuler in different scenarios,
+ the weak password dictionary check is not configured for the openEuler release by default. + the weak password dictionary check is not configured for the openEuler release by default.
+ Please configure the weak password dictionary check based on the site requirements. + Please configure the weak password dictionary check based on the site requirements.
@ -977,7 +979,7 @@ index d888d78..4588489 100644
<description>The password retry should meet minimum requirements</description> <description>The password retry should meet minimum requirements</description>
</metadata> </metadata>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index 099cbbf..50853ed 100644 index 099cbbf..4bf912f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
@ -988,11 +990,12 @@ index 099cbbf..50853ed 100644
title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
@@ -10,6 +10,11 @@ description: |- @@ -10,6 +10,12 @@ description: |-
show <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value if show <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value if
site policy is more restrictive. site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session. The DoD requirement is a maximum of 3 prompts per session.
+ {{% if product in ["openeuler2203"] %}} + {{% if product in ["openeuler2203"] %}}
+ <br />
+ Considering the usability of the community release of openEuler in different scenarios, + Considering the usability of the community release of openEuler in different scenarios,
+ the values of retry are not configured in the openEuler release by default. + the values of retry are not configured in the openEuler release by default.
+ Please set it based on the site requirements. + Please set it based on the site requirements.
@ -1737,14 +1740,15 @@ index 0000000..7fd34bc
+severity: medium +severity: medium
+ +
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index d41a0eb..738fb8b 100644 index d41a0eb..d667d96 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -10,6 +10,11 @@ description: |- @@ -10,6 +10,12 @@ description: |-
A value of 180 days is sufficient for many environments. A value of 180 days is sufficient for many environments.
The DoD requirement is 60. The DoD requirement is 60.
The profile requirement is <tt><sub idref="var_accounts_maximum_age_login_defs" /></tt>. The profile requirement is <tt><sub idref="var_accounts_maximum_age_login_defs" /></tt>.
+ {{% if product in ["openeuler2203"] %}} + {{% if product in ["openeuler2203"] %}}
+ <br />
+ Considering the usability of the community release of openEuler in different scenarios, + Considering the usability of the community release of openEuler in different scenarios,
+ the password expiration time is not configured in the openEuler release by default. + the password expiration time is not configured in the openEuler release by default.
+ Please set the password expiration time based on the site requirements. + Please set the password expiration time based on the site requirements.