add some descriptions

steven.y.gui 2023-06-25 17:27:01 +08:00
parent 5e0f09b08a
commit f21f424cb7
2 changed files with 109 additions and 16 deletions


@ -1,7 +1,7 @@
From a2fde1d192ec8fa8e1bdaed9daf68156b77e7ca4 Mon Sep 17 00:00:00 2001
From 808277d4cd1bb001fc2925034f1e770f51b70aa9 Mon Sep 17 00:00:00 2001
From: "steven.y.gui" <steven_ygui@163.com>
Date: Tue, 6 Jun 2023 21:03:36 +0800
Subject: [PATCH] enable 76 rules for openEuler
Date: Sun, 25 Jun 2023 17:23:33 +0800
Subject: [PATCH] enable-76-rules-for-openEuler.patch
---
.../rule.yml | 30 +++++++
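Review bot: the regenerated Subject line now reads "[PATCH] enable-76-rules-for-openEuler.patch" instead of the previous "[PATCH] enable 76 rules for openEuler"; since `git am` turns the Subject into the commit title, the file name with its `.patch` suffix is a poor commit message. Suggest restoring the descriptive subject and, if the patch is regenerated again, passing a proper subject rather than letting the file name leak in. The new From/Date header is consistent with the 2023-06-25 changelog entry further down.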
@ -23,9 +23,9 @@ Subject: [PATCH] enable 76 rules for openEuler
.../sshd_use_strong_pubkey/rule.yml | 13 +++
.../guide/services/ssh/sshd_strong_kex.var | 19 +++++
.../oval/shared.xml | 1 +
.../rule.yml | 2 +-
.../rule.yml | 7 +-
.../oval/shared.xml | 12 ++-
.../rule.yml | 2 +-
.../rule.yml | 8 +-
.../oval/shared.xml | 13 ++-
.../rule.yml | 2 +-
.../oval/shared.xml | 1 +
@ -35,7 +35,7 @@ Subject: [PATCH] enable 76 rules for openEuler
.../no_name_contained_in_password/rule.yml | 12 +++
.../accounts_password_pam_dcredit/rule.yml | 2 +-
.../oval/shared.xml | 27 ++++++
.../accounts_password_pam_dictcheck/rule.yml | 23 +++++
.../accounts_password_pam_dictcheck/rule.yml | 28 ++++++
.../accounts_password_pam_lcredit/rule.yml | 2 +-
.../accounts_password_pam_minclass/rule.yml | 2 +-
.../accounts_password_pam_minlen/rule.yml | 2 +-
@ -70,13 +70,14 @@ Subject: [PATCH] enable 76 rules for openEuler
.../tests/wrong_value.fail.sh | 5 ++
.../oval/shared.xml | 30 +++++++
.../login_accounts_are_necessary/rule.yml | 31 +++++++
.../accounts_maximum_age_login_defs/rule.yml | 5 ++
.../gid_passwd_group_same/oval/shared.xml | 3 +-
.../accounts_tmout/oval/shared.xml | 1 +
.../accounts-session/accounts_tmout/rule.yml | 2 +-
.../accounts-session/accounts_tmout/rule.yml | 7 +-
.../oval/shared.xml | 83 ++++++++++++++++++
.../rule.yml | 2 +-
.../accounts_umask_etc_bashrc/oval/shared.xml | 1 +
.../accounts_umask_etc_bashrc/rule.yml | 2 +-
.../accounts_umask_etc_bashrc/rule.yml | 9 +-
.../accounts_umask_interactive_users/rule.yml | 2 +-
.../oval/shared.xml | 20 +++++
.../grub2_nosmap_argument_absent/rule.yml | 25 ++++++
@ -91,6 +92,7 @@ Subject: [PATCH] enable 76 rules for openEuler
.../files/no_files_unowned_by_user/rule.yml | 2 +-
.../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++
.../files/no_hide_exec_files/rule.yml | 14 +++
.../sysctl_kernel_kptr_restrict/rule.yml | 5 ++
.../sysctl_kernel_dmesg_restrict/rule.yml | 2 +-
.../oval/shared.xml | 1 +
.../configure_ssh_crypto_policy/rule.yml | 2 +-
@ -103,7 +105,7 @@ Subject: [PATCH] enable 76 rules for openEuler
shared/macros-oval.jinja | 73 ++++++++++++++++
shared/templates/template_OVAL_sysctl | 4 +
ssg/constants.py | 4 +-
99 files changed, 1481 insertions(+), 36 deletions(-)
101 files changed, 1519 insertions(+), 36 deletions(-)
create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml
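Review bot: the diffstat totals check out against the per-file changes in the earlier hunks: two new entries (accounts_maximum_age_login_defs and sysctl_kernel_kptr_restrict, 5 lines each) give 99 -> 101 files, and the per-rule increments (remember +5, faillock_deny +6, dictcheck +5, maximum_age +5, tmout +5, umask_etc_bashrc +7, kptr_restrict +5) sum to the 38 additional insertions (1481 -> 1519). Nothing to change here.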
@ -612,7 +614,7 @@ index 28eecc8..5165c15 100644
<description>The passwords to remember should be set correctly.</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index 579ffc0..cb2d878 100644
index 579ffc0..1d926b7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -1,6 +1,6 @@
@ -623,6 +625,18 @@ index 579ffc0..cb2d878 100644
title: 'Limit Password Reuse'
@@ -20,6 +20,11 @@ description: |-
</li>
</ul>
The DoD STIG requirement is 5 passwords.
+ {{% if product in ["openeuler2203"] %}}
+ Considering the usability of the community release of openEuler in different scenarios,
+ the openEuler release does not disable historical passwords by default.
+ Please configure historical passwords based on the site requirements.
+ {{% endif %}}
rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.'
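Review bot: the added text "does not disable historical passwords by default" is unclear for a rule titled "Limit Password Reuse"; what the openEuler default actually leaves unset is the `remember` count, so suggest "the openEuler release does not restrict reuse of previous passwords by default" so the description matches the rule and the rationale line that follows it. Also, this three-line "Considering the usability of the community release of openEuler in different scenarios ... Please configure ... based on the site requirements." paragraph is repeated almost verbatim in several rules in this patch; a shared jinja macro taking the one varying phrase would keep the wording consistent and make later edits a single change.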
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
index db91fa9..0139186 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
@ -656,7 +670,7 @@ index db91fa9..0139186 100644
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 5575bd3..1fe3174 100644
index 5575bd3..a06d04e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -1,6 +1,6 @@
@ -667,6 +681,19 @@ index 5575bd3..1fe3174 100644
title: 'Set Deny For Failed Password Attempts'
@@ -17,6 +17,12 @@ description: |-
<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
<pre>account required pam_faillock.so</pre></li>
</ul>
+ {{% if product in ["openeuler2203"] %}}
+ Considering the usability of the community release of openEuler in different scenarios,
+ the openEuler release does not provide this security function by default.
+ Please configure the default number of failures and lockout duration based on
+ the actual application scenario and requirements.
+ {{% endif %}}
rationale: |-
Locking out user accounts after a number of incorrect attempts
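Review bot: "does not provide this security function by default" reads as if pam_faillock were unavailable; the module is present, it is just not configured, so suggest "lockout after failed attempts is not enabled by default in the openEuler release". The inner hunk header (6 -> 12 lines) matches the six added lines. From an assurance standpoint it is worth stating explicitly that the rule still fails on a default install, so that an unlimited-attempts configuration shows up as a finding rather than being read as accepted by the profile.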
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
index 402feab..da09d06 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
@ -857,10 +884,10 @@ index 0000000..13bbae4
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
new file mode 100644
index 0000000..b10e340
index 0000000..1dc59f5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
@@ -0,0 +1,23 @@
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+prodtype: openeuler2203
@ -870,6 +897,11 @@ index 0000000..b10e340
+description: |-
+ The pam_pwquality module's <tt>dictcheck</tt> check if passwords contains dictionary words. When
+ <tt>dictcheck</tt> is set to <tt>1</tt> passwords will be checked for dictionary words.
+ {{% if product in ["openeuler2203"] %}}
+ Considering the usability of the community release of openEuler in different scenarios,
+ the weak password dictionary check is not configured for the openEuler release by default.
+ Please configure the weak password dictionary check based on the site requirements.
+ {{% endif %}}
+
+rationale: |-
+ Use of a complex password helps to increase the time and resources required to compromise the password.
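Review bot: "the weak password dictionary check is not configured for the openEuler release by default" should say whether `dictcheck` is explicitly set to 0 or simply absent from pwquality.conf; libpwquality treats an unset `dictcheck` as 1, so "not configured" does not by itself mean the check is disabled, and the description currently leaves the reader unable to tell which of the two the default install is. While touching this description, the pre-existing sentence "The pam_pwquality module's <tt>dictcheck</tt> check if passwords contains dictionary words." should read "checks whether passwords contain dictionary words".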
@ -1692,6 +1724,22 @@ index 0000000..7fd34bc
+
+severity: medium
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index d41a0eb..738fb8b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -10,6 +10,11 @@ description: |-
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is <tt><sub idref="var_accounts_maximum_age_login_defs" /></tt>.
+ {{% if product in ["openeuler2203"] %}}
+ Considering the usability of the community release of openEuler in different scenarios,
+ the password expiration time is not configured in the openEuler release by default.
+ Please set the password expiration time based on the site requirements.
+ {{% endif %}}
rationale: |-
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
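Review bot: "the password expiration time is not configured in the openEuler release by default" is imprecise, because /etc/login.defs always carries a PASS_MAX_DAYS value (the shadow-utils default is 99999, which is effectively no expiry). Suggest stating the shipped value so a reader can compare it with <sub idref="var_accounts_maximum_age_login_defs" /> immediately above and understand why the check fails on a default install. The inner hunk header (6 -> 11 lines) matches the five added lines.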
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
index 34d605b..781cd3f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
@ -1719,7 +1767,7 @@ index c68effb..bcb50bd 100644
<description>Checks interactive shell timeout</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index cdfa67d..4ceead4 100644
index cdfa67d..437abe6 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -1,6 +1,6 @@
@ -1730,6 +1778,18 @@ index cdfa67d..4ceead4 100644
title: 'Set Interactive Session Timeout'
@@ -9,6 +9,11 @@ description: |-
all user sessions will terminate based on inactivity. The <tt>TMOUT</tt>
setting in <tt>/etc/profile</tt> should read as follows:
<pre>TMOUT=<sub idref="var_accounts_tmout" /></pre>
+ {{% if product in ["openeuler2203"] %}}
+ Considering the usability of the community release of openEuler in different scenarios,
+ the session timeout interval is not configured by default in the openEuler release.
+ Please configure the session timeout interval based on the site requirements.
+ {{% endif %}}
rationale: |-
Terminating an idle session within a short time period reduces
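Review bot: the added note is fine as far as it goes, but since the description only shows `TMOUT=<sub idref="var_accounts_tmout" />` in /etc/profile, consider adding that the variable should also be exported and marked `readonly`; otherwise an interactive user can unset or override TMOUT in the session, and the "site requirements" the note points to would not be enforced. This applies to the existing text as much as to the added lines.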
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
new file mode 100644
index 0000000..56b3396
@ -1844,7 +1904,7 @@ index 73e457d..9bbd226 100644
<description>The default umask for users of the bash shell</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 9b189bc..88acb8b 100644
index 9b189bc..a6d933c 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -1,6 +1,6 @@
@ -1855,6 +1915,20 @@ index 9b189bc..88acb8b 100644
title: 'Ensure the Default Bash Umask is Set Correctly'
@@ -9,6 +9,13 @@ description: |-
add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read
as follows:
<pre>umask <sub idref="var_accounts_user_umask" /></pre>
+ {{% if product in ["openeuler2203"] %}}
+ After UMASK is set to 077, the default permission on the created file is 600,
+ and the default permission on the directory is 700.
+ Considering the usability of the community release of openEuler in different scenarios,
+ the openEuler release does not configure the UMASK by default.
+ Please configure the UMASK based on the site requirements.
+ {{% endif %}}
rationale: |-
The umask value influences the permissions assigned to files when they are created.
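Review bot: the added lines use `UMASK` (the /etc/login.defs key) while this rule is about the `umask` builtin in /etc/bashrc, shown two lines above; use lowercase `umask` here to avoid pointing readers at the wrong file. The 077 -> 600/700 arithmetic is correct (666 and 777 masked by 077), but the rule's value is <sub idref="var_accounts_user_umask" />, not a fixed 077, so phrase it as an example ("with umask 077, for example, ..."). The inner hunk header (6 -> 13 lines) matches the seven added lines.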
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
index 7e6b11a..6271928 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
@ -2151,6 +2225,22 @@ index 0000000..5c8bc4b
+
+severity: medium
+
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 2408bd0..53cb7f6 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -3,6 +3,11 @@ documentation_complete: true
title: 'Restrict Exposed Kernel Pointer Addresses Access'
description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}'
+ {{% if product in ["openeuler2203"] %}}
+ To ensure easy maintenance and location,
+ the kptr_restrict parameter is set to 0 by default in the openEuler release.
+ Please set this parameter based on the site requirements.
+ {{% endif %}}
rationale: |-
Exposing kernel pointers (through procfs or <tt>seq_printf()</tt>) exposes
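Review bot: this hunk looks like it will break YAML parsing for openeuler2203. Unlike the other rules touched here, `description` is a single-line single-quoted scalar (`description: '{{{ describe_sysctl_option_value(...) }}}'`), and the new lines are appended after it as indented plain text; once the jinja block is rendered, the parser sees extra content after a closed quoted scalar. Suggest converting it to a block scalar, e.g. `description: |-` with `{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}` as its first line and the conditional paragraph below, matching the `description: |-` form used in the other hunks. On the content: the note explains the 0 default by maintenance convenience but should also say what the rationale line under it says, that kptr_restrict=0 exposes kernel addresses to unprivileged readers, so the reader weighs the trade-off rather than just the convenience.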
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index bf58274..0ccf428 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml


@ -1,6 +1,6 @@
Name: scap-security-guide
Version: 0.1.49
Release: 5
Release: 6
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
@ -67,6 +67,9 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
* Sun Jun 25 2023 steven <steven_ygui@163.com> - 0.1.49-6
- add some descriptions
* Tue Jun 6 2023 steven <steven_ygui@163.com> - 0.1.49-5
- fix bug of rule "require_signleuser_auth"
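Review bot: the changelog entry "add some descriptions" is too vague to be useful when reading package history; suggest naming what changed, for example "add openEuler-specific default-configuration notes to the password reuse, faillock, dictcheck, password expiration, TMOUT, umask and kptr_restrict rule descriptions". The Release bump to 6 matches the 0.1.49-6 entry.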