5e0f09b08a
...
5cb531b371
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
5cb531b371 | ||
|
|
6a9af824f9 | ||
|
|
200a135683 | ||
|
|
036441f47a | ||
|
|
16dc1181f0 | ||
|
|
f3439d17b8 | ||
|
|
8dfa7f98b0 | ||
|
|
6e238086df | ||
|
|
18f669ad30 | ||
|
|
4a58250e67 | ||
|
|
9b9f626e2c | ||
|
|
696e34728b | ||
|
|
e72f93dfa0 | ||
|
|
f21f424cb7 |
789
add-15-rules-for-openeuler.patch
Normal file
@ -0,0 +1,789 @@
|
||||
From dc37689392abe60433dc4521a835dfa6a031f603 Mon Sep 17 00:00:00 2001
|
||||
From: "steven.y.gui" <steven_ygui@163.com>
|
||||
Date: Fri, 11 Aug 2023 10:03:30 +0800
|
||||
Subject: [PATCH] add 15 rules for openeuler
|
||||
|
||||
---
|
||||
.../rule.yml | 21 +++
|
||||
.../rule.yml | 21 +++
|
||||
.../oval/shared.xml | 15 ++
|
||||
.../rule.yml | 17 +++
|
||||
.../rule.yml | 21 +++
|
||||
.../rule.yml | 2 +-
|
||||
.../sysctl_net_ipv4_tcp_fin_timeout/rule.yml | 22 +++
|
||||
.../rule.yml | 23 +++
|
||||
.../sysctl_net_ipv4_tcp_timestamps/rule.yml | 21 +++
|
||||
.../files/ensure_minimum_permission/rule.yml | 139 ++++++++++++++++++
|
||||
.../oval/shared.xml | 1 +
|
||||
.../rule.yml | 2 +-
|
||||
.../oval/shared.xml | 1 +
|
||||
.../rule.yml | 2 +-
|
||||
.../oval/shared.xml | 1 +
|
||||
.../files/opened_files_count_limited/rule.yml | 34 +++++
|
||||
.../guide/system/software/polkit/group.yml | 6 +
|
||||
.../only_root_can_run_pkexec/oval/shared.xml | 23 +++
|
||||
.../polkit/only_root_can_run_pkexec/rule.yml | 17 +++
|
||||
linux_os/guide/system/software/su/group.yml | 6 +
|
||||
.../su/su_always_set_path/oval/shared.xml | 23 +++
|
||||
.../software/su/su_always_set_path/rule.yml | 20 +++
|
||||
.../su/su_only_for_wheel/oval/shared.xml | 23 +++
|
||||
.../software/su/su_only_for_wheel/rule.yml | 19 +++
|
||||
.../sudo_not_for_all_users/oval/shared.xml | 23 +++
|
||||
.../sudo/sudo_not_for_all_users/rule.yml | 20 +++
|
||||
openeuler2203/profiles/standard.profile | 15 ++
|
||||
27 files changed, 535 insertions(+), 3 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
|
||||
create mode 100644 linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml
|
||||
create mode 100644 linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/polkit/group.yml
|
||||
create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/su/group.yml
|
||||
create mode 100644 linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/software/su/su_always_set_path/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/software/su/su_only_for_wheel/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..7066bcc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
|
||||
@@ -0,0 +1,21 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Disable Kernel Parameter for ARP Proxy'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.proxy_arp", value="0") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ Restricted execution of programs that depend on the ARP proxy.
|
||||
+
|
||||
+severity: low
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.conf.all.proxy_arp
|
||||
+ sysctlval: '0'
|
||||
+ datatype: int
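Review bot: The `rationale` of this rule does not state the security property — "Restricted execution of programs that depend on the ARP proxy" names a side effect of the setting, not the reason a hardened host should have it off. Proxy ARP makes the host answer ARP requests for addresses it does not own, so the rationale should say something like `Proxy ARP lets a host answer ARP requests on behalf of addresses on other segments. A host that is not acting as a router should not do this, since it can be used to intercept or misdirect traffic between connected segments.`. Note also that, as the kernel's ip-sysctl documentation describes it, proxy ARP is active on an interface if either `conf.all.proxy_arp` or `conf.<if>.proxy_arp` is set, so this rule alone does not detect a per-interface `proxy_arp=1`; that caveat belongs in the description.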
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..170696b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
|
||||
@@ -0,0 +1,21 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Disable Kernel Parameter for ARP Proxy by Default'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.default.proxy_arp", value="0") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ Restricted execution of programs that depend on the ARP proxy.
|
||||
+
|
||||
+severity: low
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.conf.default.proxy_arp
|
||||
+ sysctlval: '0'
|
||||
+ datatype: int
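Review bot: The `rationale` here is the same placeholder sentence as in the `conf.all` rule and does not explain what `net.ipv4.conf.default.proxy_arp=0` protects against; suggest `Proxy ARP lets a host answer ARP requests on behalf of other addresses; disabling it by default ensures newly created interfaces do not advertise addresses they do not own.`. Worth adding to the description that `conf.default.*` only seeds interfaces created after the value is applied — interfaces that already exist keep their current `conf.<if>.proxy_arp`, so applying this sysctl at runtime does not change them, and the `conf.all` rule (or a reboot) is what covers existing interfaces.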
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..b072446
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml
|
||||
@@ -0,0 +1,15 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="sysctl_net_ipv4_disable_arp_proxy" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Disable ARP Proxy</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_openeuler</platform>
|
||||
+ </affected>
|
||||
+ <description>Disable arp proxy.</description>
|
||||
+ </metadata>
|
||||
+ <criteria operator="AND">
|
||||
+ <extend_definition comment="all arp proxy" definition_ref="sysctl_net_ipv4_conf_all_proxy_arp" />
|
||||
+ <extend_definition comment="default arp proxy" definition_ref="sysctl_net_ipv4_conf_default_proxy_arp" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..66a336e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml
|
||||
@@ -0,0 +1,17 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Disable ARP Proxy'
|
||||
+
|
||||
+description: |-
|
||||
+ ARP proxy allows the system to send a response to an ARP request on another interface on behalf of a host connected to an interface.
|
||||
+ Disabling ARP proxy not only prevents authorized information sharing also prevents addressing information leakage between connected network segments.
|
||||
+ Therefore, the ARP proxy must be disabled to prevent ARP packet attacks on the system.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Restricted execution of programs that depend on the ARP proxy.
|
||||
+
|
||||
+severity: high
|
||||
+
|
||||
+platform: machine
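Review bot: The second sentence of the description is garbled and says the opposite of what is meant — "prevents authorized information sharing also prevents addressing information leakage" should read `prevents unauthorized information sharing and also prevents address information leakage between connected network segments`. The rule is `severity: high`, yet the two component rules it aggregates through its OVAL (`sysctl_net_ipv4_conf_all_proxy_arp` and `sysctl_net_ipv4_conf_default_proxy_arp`, both `severity: low` in this patch) are the ones that actually evaluate and remediate the setting; this rule has no template or fix of its own, so a profile selecting all three reports one finding twice at two severities. Pick a single severity, and consider whether the aggregate rule is needed at all or whether the rationale (currently the same placeholder sentence as the component rules) should carry the text from the description instead.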
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..31bf313
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
|
||||
@@ -0,0 +1,21 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Set Kernel Parameter for Ignoring All ICMP'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_all", value="1") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ All ICMP packages are ignored.
|
||||
+
|
||||
+severity: low
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.icmp_echo_ignore_all
|
||||
+ sysctlval: '1'
|
||||
+ datatype: int
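Review bot: The `rationale` is inaccurate — `net.ipv4.icmp_echo_ignore_all=1` makes the kernel ignore ICMP echo requests only; ICMP error messages such as destination-unreachable and fragmentation-needed (used for path MTU discovery) are still processed, so "All ICMP packages are ignored" overstates the effect, and "packages" should be "packets". A reader also needs the operational caveat that this breaks ping-based reachability monitoring and health checks, and that not answering ping does not hide the host from port scans, which is why most baselines treat it as optional rather than as a security control. Suggested rationale: `The system will not respond to ICMP echo requests (ping). This makes discovery by ping sweep harder but does not prevent other discovery methods, and it breaks monitoring that relies on ping.`.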
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
|
||||
index 12cbdea..74d196a 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
||||
|
||||
title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces'
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..ffd435a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
|
||||
@@ -0,0 +1,22 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Set Kernel Parameter for TCP TIME_WAIT'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_fin_timeout", value="60") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ Suggested value is <tt>60</tt>.<br />
|
||||
+ If TIME_WAIT is set too long, DoS attacks may occur.
|
||||
+
|
||||
+severity: high
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.tcp_fin_timeout
|
||||
+ sysctlval: '60'
|
||||
+ datatype: int
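Review bot: The title and rationale describe the wrong TCP state — `net.ipv4.tcp_fin_timeout` bounds how long an orphaned connection is held in FIN_WAIT_2 before being dropped, not the TIME_WAIT duration, which mainline Linux does not expose as a sysctl at all. The check is also an equality match on `60`, which is the kernel default, so a host hardened to a lower value (30 is commonly recommended to shed half-closed connections faster under a flood) fails the rule even though it is stricter. If the sysctl template in this tree supports the `operation` parameter, `operation: less than or equal` would express the intent; otherwise the description should state that 60 is a maximum and lower values are acceptable. `severity: high` also looks overstated for a resource-tuning knob.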
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..f95f0be
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
|
||||
@@ -0,0 +1,23 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Set Kernel Parameter for TCP SYN_RECV'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_max_syn_backlog", value="256") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ Suggested value is <tt>256</tt>.<br />
|
||||
+ For security purposes, you are advised to set this parameter to a large value to mitigate TCP SYN flood attacks.
|
||||
+ However, if this parameter is set to a large value, more system resources are consumed.
|
||||
+
|
||||
+severity: low
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.tcp_max_syn_backlog
|
||||
+ sysctlval: '256'
|
||||
+ datatype: int
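Review bot: The rationale advises a large value to mitigate SYN floods, but the check is an equality match on `256`, so any host tuned higher — which is where hosts with more than minimal memory usually land by default; verify against openEuler's shipped kernel — fails the rule, and the check contradicts its own advice. If the sysctl template here supports `operation`, `operation: greater than or equal` matches the rationale; otherwise the description should state that 256 is a minimum. It is also worth saying that the backlog size only delays queue exhaustion and the actual SYN-flood defence is `net.ipv4.tcp_syncookies=1`, which this rule set should select alongside.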
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..a2df1d7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
|
||||
@@ -0,0 +1,21 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Disable Kernel Parameter for TCP Timestamps'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_timestamps", value="0") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ After this function is enabled, packages with invalid addresses is recorded into kernel logs, which may cause logs overwrite.
|
||||
+
|
||||
+severity: low
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.tcp_timestamps
|
||||
+ sysctlval: '0'
|
||||
+ datatype: int
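Review bot: The rationale belongs to a different sysctl — logging of packets with impossible source addresses is `net.ipv4.conf.*.log_martians`; `tcp_timestamps` has no effect on kernel log volume. The security argument for `tcp_timestamps=0` is that the TSval option leaks a monotonically increasing counter that remote peers can use to fingerprint the host and estimate its uptime; the cost is that disabling timestamps also disables PAWS (protection against wrapped sequence numbers on fast links) and, if I recall the kernel behaviour correctly, makes `tcp_tw_reuse` ineffective, so this is a trade-off rather than free hardening. Suggested rationale: `TCP timestamps (RFC 7323) expose a monotonically increasing counter that can be used to fingerprint the host and estimate its uptime. Disabling them removes that information but also disables PAWS; assess the impact on long-lived, high-bandwidth connections before selecting this rule.`.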
|
||||
diff --git a/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml b/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..9cab819
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml
|
||||
@@ -0,0 +1,139 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Ensure All Files Have Minimum Permission'
|
||||
+
|
||||
+description: |-
|
||||
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
|
||||
+
|
||||
+ <p>According to the minimum permission requirements, the minimum access permission must be set for key files in the system,
|
||||
+ especially files that contain sensitive information. Users with corresponding permissions can access the directory.
|
||||
+ If the file or directory permission is incorrectly configured, the file information may leakage. </p>
|
||||
+
|
||||
+ <p>For example, if the access permission is set to 644 or greater, any user can access or even tamper with the data.
|
||||
+ If the program's access permission is set to 755, as a result, any user can perform the operation,
|
||||
+ which leads to privilege escalation risks.</p>
|
||||
+
|
||||
+ <p>Common types of files or directories that require access permission control are as follows:
|
||||
+ <ul>
|
||||
+ <li>Executable files (binary files and scripts): directory for storing executable files.
|
||||
+ Improper permission configuration may lead to privilege escalation attacks.</li>
|
||||
+
|
||||
+ <li>Configuration files, key files, log files, data files that store sensitive information,
|
||||
+ temporary files generated during system running, and static files.
|
||||
+ These files may contain sensitive and private data. Improper permission configuration increases the risk of information leakage.</li>
|
||||
+ </ul>
|
||||
+ </p>
|
||||
+
|
||||
+ <p>The basic principles of permission control are as follows:
|
||||
+ <table border="1">
|
||||
+ <tr>
|
||||
+ <th align="center">File Type</th>
|
||||
+ <th align="center">Suggested Permission</th>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Home Directory</td>
|
||||
+ <td align="right">750(rwxr-x---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Programs(Include bash, library)</td>
|
||||
+ <td align="right">550(r-xr-x---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Programs Directory</td>
|
||||
+ <td align="right">550(r-xr-x---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Configuration Files</td>
|
||||
+ <td align="right">640(rw-r-----)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Configuration Files Directory</td>
|
||||
+ <td align="right">750(rwxr-x---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Log Files(Archived)</td>
|
||||
+ <td align="right">440(r--r-----)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Log Files(Recording)</td>
|
||||
+ <td align="right">640(rw-r-----)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Log Files Directory</td>
|
||||
+ <td align="right">750(rwxr-x---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Debug Files</td>
|
||||
+ <td align="right">640(rw-r-----)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Debug Files Directory</td>
|
||||
+ <td align="right">750(rwxr-x---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Temporary Files Directory</td>
|
||||
+ <td align="right">750(rwxr-x---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Upgrading Files Directory</td>
|
||||
+ <td align="right">770(rwxrwx---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Data Files</td>
|
||||
+ <td align="right">640(rw-r-----)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Data Files Directory</td>
|
||||
+ <td align="right">750(rwxr-x---)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Directory Of Crypto Component, Private Key, Certificate, Encrypted Data</td>
|
||||
+ <td align="right">700(rwx------)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Crypto Component, Private Key, Certificate, Encrypted Data</td>
|
||||
+ <td align="right">600(rw-------)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Interface or Shell Files Of Crypto</td>
|
||||
+ <td align="right">500(r-x------)</td>
|
||||
+ </tr>
|
||||
+ </table>
|
||||
+ </p>
|
||||
+ <p>Generally, a non-root user is used to perform services. This user needs to access necessary directories in the Linux system and files.
|
||||
+ Therefore, permission control can be relaxed for system directories, configuration files, executable files,
|
||||
+ and certificate files that the system depends on.</p>
|
||||
+ <p>The system is consistent with the general release in the industry. The suggestions are as follows:
|
||||
+ <table border="1">
|
||||
+ <tr>
|
||||
+ <th align="center">File Type</th>
|
||||
+ <th align="center">Suggested Permission</th>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Directory</td>
|
||||
+ <td align="right">755(rwxr-xr-x)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Programs(Include bash, library)</td>
|
||||
+ <td align="right">755(rwxr-xr-x)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Configuration Files</td>
|
||||
+ <td align="right">644(rw-r--r--)</td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>Certificate Files(No Private Key)</td>
|
||||
+ <td align="right">444(r--r--r--)</td>
|
||||
+ </tr>
|
||||
+ </table>
|
||||
+ </p>
|
||||
+
|
||||
+rationale: |-
|
||||
+ The permission cannot be too high or too low. For example, if the permission of some system configuration files is set to 600 or 640,
|
||||
+ common users cannot read the configuration files, the corresponding program may not be executed
|
||||
+ because it does not have the permission to read the configuration.
|
||||
+
|
||||
+severity: high
|
||||
+
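Review bot: Two claims in the description are wrong in a way that will mislead an auditor: a mode of `644` lets every local user read a file but not "tamper with" it (no write bit for group or other), and a `755` program being executable by everyone is not a privilege-escalation risk unless it is setuid/setgid or writable by someone other than its owner. Suggest `For example, a file containing sensitive data with mode 644 or wider can be read by any local user; a file writable by group or other (such as 664 or 777) can be tampered with by those users, and a writable executable, script or library can be modified to run attacker-controlled code with the privileges of whoever executes it.`. The rule is manual but expresses that only as a `<tt>` sentence in the description; if `ocil_clause`/`ocil` are available in this tree they would make the generated questionnaire actually ask the question. `severity: high` for a rule that can never produce an automated finding also deserves a second look.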
|
||||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
|
||||
index 83988fe..c1a4f1e 100644
|
||||
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
|
||||
@@ -6,6 +6,7 @@
|
||||
<platform>multi_platform_fedora</platform>
|
||||
<platform>multi_platform_rhel</platform>
|
||||
<platform>multi_platform_ol</platform>
|
||||
+ <platform>multi_platform_openeuler</platform>
|
||||
<platform>multi_platform_wrlinux</platform>
|
||||
</affected>
|
||||
<description>Evaluates to true if all files with SGID set are owned by RPM packages.</description>
|
||||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
|
||||
index 32c176d..ee5eb40 100644
|
||||
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
|
||||
@@ -2,7 +2,7 @@ documentation_complete: true
|
||||
|
||||
title: 'Ensure All SGID Executables Are Authorized'
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
|
||||
description: |-
|
||||
The SGID (set group id) bit should be set only on files that were
|
||||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
|
||||
index e83595c..8da5b5b 100644
|
||||
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
|
||||
@@ -6,6 +6,7 @@
|
||||
<platform>multi_platform_fedora</platform>
|
||||
<platform>multi_platform_rhel</platform>
|
||||
<platform>multi_platform_ol</platform>
|
||||
+ <platform>multi_platform_openeuler</platform>
|
||||
<platform>multi_platform_wrlinux</platform>
|
||||
</affected>
|
||||
<description>Evaluates to true if all files with SUID set are owned by RPM packages.</description>
|
||||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
|
||||
index ae5f130..1a9dab0 100644
|
||||
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
|
||||
@@ -2,7 +2,7 @@ documentation_complete: true
|
||||
|
||||
title: 'Ensure All SUID Executables Are Authorized'
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
|
||||
description: |-
|
||||
The SUID (set user id) bit should be set only on files that were
|
||||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
|
||||
index 4455469..20d67d6 100644
|
||||
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
|
||||
@@ -5,6 +5,7 @@
|
||||
<affected family="unix">
|
||||
<platform>Red Hat Virtualization 4</platform>
|
||||
<platform>multi_platform_ol</platform>
|
||||
+ <platform>multi_platform_openeuler</platform>
|
||||
<platform>multi_platform_opensuse</platform>
|
||||
<platform>multi_platform_rhel</platform>
|
||||
<platform>multi_platform_wrlinux</platform>
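Review bot: Only the OVAL of `file_permissions_unauthorized_world_writable` is touched, whereas for the SUID and SGID siblings the patch also extends `rule.yml`'s `prodtype` with `openeuler2203` (see the diffstat: one `oval/shared.xml | 1 +` without a matching `rule.yml | 2 +-`). Unless that rule's `prodtype` already includes openeuler2203, which is not visible here, the rule is not built for the product and this platform line has no effect; confirm and add `openeuler2203` to the rule's `prodtype` if needed.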
|
||||
diff --git a/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml b/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..6c87050
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml
|
||||
@@ -0,0 +1,34 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+title: 'Opened Files Count Limited'
|
||||
+
|
||||
+description: |-
|
||||
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
|
||||
+
|
||||
+ <p>The number of files that can be opened in Linux is limited. If all resources are occupied by a user, other users cannot open the file.</p>
|
||||
+ <p>openEuler allows a user to open a maximum of 1024 file handles by default. If the number of file handles exceeds 1024,
|
||||
+ new file handles cannot be opened. Low-privilege users can modify the value of 1024, but the upper limit 524288 cannot be exceed.
|
||||
+ The root can modify the upper limit. </p>
|
||||
+ <p>This parameter is set to a proper value to prevent all processes of a single user from opening too many file handles and exhausting system resources.</p>
|
||||
+
|
||||
+ <p>You can use below cli command to check the limitation:</p>
|
||||
+ <ul>
|
||||
+ <li>Check current limitation value:
|
||||
+ <pre># ulimit -Sn
|
||||
+ 1024
|
||||
+ </pre>
|
||||
+ </li>
|
||||
+ <li>Check current upper limitation value:
|
||||
+ <pre># ulimit -Hn
|
||||
+ 524288
|
||||
+ </pre>
|
||||
+ </li>
|
||||
+ </ul>
|
||||
+
|
||||
+rationale: |-
|
||||
+ None
|
||||
+
|
||||
+severity: high
|
||||
+
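Review bot: `rationale: None` leaves a `severity: high` rule without its justification, while the description already contains it — move the sentence about preventing one user's processes from opening too many handles and exhausting resources into `rationale`. The manual procedure is weak as a check: `ulimit -Sn` / `ulimit -Hn` in a root shell (the `#` prompt) reports that shell's own limits, not the persistent policy nor the limits of the service account, so the auditor should be told to inspect `/etc/security/limits.conf` and `/etc/security/limits.d/*.conf` (and `DefaultLimitNOFILE` in systemd's `system.conf` for services) and to run `ulimit -Hn` as the service user. It is also worth stating that the per-process hard limit is capped by `fs.nr_open` and the system-wide total by `fs.file-max`; "exhausting system resources" is governed by the latter, not by one user's soft limit.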
|
||||
diff --git a/linux_os/guide/system/software/polkit/group.yml b/linux_os/guide/system/software/polkit/group.yml
|
||||
new file mode 100644
|
||||
index 0000000..37662e9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/polkit/group.yml
|
||||
@@ -0,0 +1,6 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: Polkit
|
||||
+
|
||||
+description: |-
|
||||
+ <tt>Polkit</tt>, which provides privilege escalation capabilities.
|
||||
diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..ae03bd4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
|
||||
@@ -0,0 +1,23 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="only_root_can_run_pkexec" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Only root user can run pkexec</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_openeuler</platform>
|
||||
+ </affected>
|
||||
+ <description>Only root user can run pkexec.</description>
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="check polkit setting" test_ref="test_only_root_can_run_pkexec" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check polkit setting" id="test_only_root_can_run_pkexec" version="1">
|
||||
+ <ind:object object_ref="object_only_root_can_run_pkexec" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_only_root_can_run_pkexec" version="1">
|
||||
+ <ind:filepath operation="equals">/etc/polkit-1/rules.d/50-default.rules</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*polkit.addAdminRule\(function.+\n*[\s]*return[\s]+\[\s*"\s*unix-user\s*:\s*[1-9]*[1-9][0-9]*\s*"\s*\]</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
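Review bot: The object only inspects `/etc/polkit-1/rules.d/50-default.rules` and only flags `unix-user:<numeric non-zero uid>`, so an admin rule returning `unix-group:wheel`, `unix-user:alice` (a name rather than a UID), or any `addAdminRule` placed in another `*.rules` file under `/etc/polkit-1/rules.d/` or `/usr/share/polkit-1/rules.d/` is not detected and the check passes; with `check_existence="none_exist"` the check also passes when the file is simply absent. The `.+` before `\n*` additionally misses an `addAdminRule` whose function body has more than one statement before `return`. A sturdier object scans every rules file in both directories and flags any returned admin identity other than root, as below; whether a name-based `unix-user:root` should be accepted is a policy choice the rule description should state explicitly.
```xml
  <ind:textfilecontent54_object id="object_only_root_can_run_pkexec" version="1">
    <ind:path operation="pattern match">^/(etc|usr/share)/polkit-1/rules\.d$</ind:path>
    <ind:filename operation="pattern match">^.*\.rules$</ind:filename>
    <ind:pattern operation="pattern match">^\s*return\s*\[\s*"\s*unix-(group\s*:\s*\S+|user\s*:\s*(?!0\s*"|root\s*")\S+?)\s*"\s*\]</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>
```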
|
||||
diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..0ae583d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
|
||||
@@ -0,0 +1,17 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure Only Root Can Run The Command of Pkexec'
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+description: |-
|
||||
+ The pkexec command enables a common user to have the rights of the super user or other users.
|
||||
+ After the authentication is successful, the command is executed with the rights of the super user.
|
||||
+ Pkexec provides a convenient path for users to change their identities, unconstrained use of the pkexec command can bring potential security risks.
|
||||
+ The permission to access the root account using pkexec is restricted.<br />
|
||||
+ By default, the password of the root user must be verified when uses pkexec. Only the root user can obtain the system administrator rights.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Low-privilege users can not use pkexec.
|
||||
+
|
||||
+severity: high
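Review bot: The title, the last description sentence and the rationale ("Low-privilege users can not use pkexec") promise more than the companion OVAL check delivers: restricting the polkit admin identity to root only changes whose password is requested for actions that require administrator authentication, while `pkexec` itself remains a setuid-root binary that any local user can execute, and actions a policy allows for active or inactive sessions still run without root's password. If the goal really is that only root can run pkexec, the control is on the binary (for example `chmod 4750` with an administrative group, or removing the setuid bit if polkit is not needed), and the rule should say which of the two properties it checks. Suggested rationale: `Requiring the root password for polkit administrator authentication prevents a user whose own password is compromised from using pkexec to obtain root; it does not prevent unprivileged users from invoking pkexec.`. The rule also has no `ocil`, so, if I read the project conventions correctly, the generated guide will contain no manual verification step for it.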
|
||||
diff --git a/linux_os/guide/system/software/su/group.yml b/linux_os/guide/system/software/su/group.yml
|
||||
new file mode 100644
|
||||
index 0000000..aa6e29d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/su/group.yml
|
||||
@@ -0,0 +1,6 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: Su
|
||||
+
|
||||
+description: |-
|
||||
+ <tt>Su</tt>, which provides the ability to switch to root or other users.
|
||||
diff --git a/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..942df37
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
|
||||
@@ -0,0 +1,23 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="su_always_set_path" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Always set env path when user switched</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_openeuler</platform>
|
||||
+ </affected>
|
||||
+ <description>Alway set env path when user switched by su.</description>
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="check always-set-path value" test_ref="test_su_always_set_path" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" comment="check value in login.defs" id="test_su_always_set_path" version="1">
|
||||
+ <ind:object object_ref="object_su_always_set_path" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_su_always_set_path" version="1">
|
||||
+ <ind:filepath operation="equals">/etc/login.defs</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
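Review bot: The pattern insists on a literal `=` between `ALWAYS_SET_PATH` and `yes`, but login.defs(5) documents entries as whitespace-separated `NAME VALUE`, and the shadow-utils and util-linux parsers I am aware of split on whitespace, which would make `ALWAYS_SET_PATH = yes` read as the value `= yes`; confirm which form openEuler's `su` actually honours and match exactly that form, otherwise a correctly written `ALWAYS_SET_PATH yes` fails the scan while a line that passes the scan may not be applied. The match is also case-sensitive (`yes` only) and examines just the first matching line, so a later `ALWAYS_SET_PATH no`, which overrides the earlier entry, is not caught; a second test with `check_existence="none_exist"` over `^\s*ALWAYS_SET_PATH\s*(=\s*)?no\b` would close that gap.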
|
||||
diff --git a/linux_os/guide/system/software/su/su_always_set_path/rule.yml b/linux_os/guide/system/software/su/su_always_set_path/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..d461435
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/su/su_always_set_path/rule.yml
|
||||
@@ -0,0 +1,20 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure Always Set Path is Set to YES'
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+description: |-
|
||||
+ The su command enables a common user to have the rights of the super user or other users.
|
||||
+ It is often used to switch from a low-privilege user account to the system root account.
|
||||
+ The su command provides a convenient way for users to change their identities.
|
||||
+ However, using the su command without restrictions brings potential risks to the system.
|
||||
+ <br />
|
||||
+ The path is not automatically set for the user when the user is changed by using su.
|
||||
+ If the system automatically initializes the environment variable PATH after you run the su command to switch users,
|
||||
+ you can effectively prevent the privilege escalation which caused by inheriting the environment variable PATH.
|
||||
+
|
||||
+rationale: |-
|
||||
+ None
|
||||
+
|
||||
+severity: high
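Review bot: `rationale` is literally `None`, so a high-severity rule ships with no justification in the generated guide. Suggest: `rationale: |-` followed by `Without ALWAYS_SET_PATH, a plain su (without -l) keeps the calling user's PATH; a user who controls an early PATH entry can plant a look-alike binary that root then executes. Initialising PATH from ENV_PATH/ENV_SUPATH on every switch removes that inherited-environment escalation path.` The description's "The path is not automatically set ... when the user is changed by using su" should also say this is the behaviour being corrected, not the desired state.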
|
||||
diff --git a/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml b/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..fe2409a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml
|
||||
@@ -0,0 +1,23 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="su_only_for_wheel" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Only wheel group users can use su</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_openeuler</platform>
|
||||
+ </affected>
|
||||
+ <description>Only wheel group users can use su command.</description>
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="check wheel group in pam" test_ref="test_pam_wheel_so" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" comment="check wheel setting in pam" id="test_pam_wheel_so" version="1">
|
||||
+ <ind:object object_ref="object_pam_wheel_so" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_pam_wheel_so" version="1">
|
||||
+ <ind:filepath operation="equals">/etc/pam.d/su</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*auth[\s]*required[\s]*pam_wheel\.so[\s]*.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
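Review bot: The `ind:pattern` line accepts any options after `pam_wheel.so`, including `deny` (which inverts the rule: wheel members are refused and everyone else may su) and `trust` (wheel members switch without a password), so a line that weakens or reverses the control still passes this check. The `[\s]*` separators also let the tokens run together, and only the `required` control flag is recognised although `requisite` is equally valid. Suggested pattern: `^\s*auth\s+(required|requisite)\s+pam_wheel\.so(?![^#]*\bdeny\b)`; if the profile intends the usual `auth required pam_wheel.so use_uid`, match `use_uid` explicitly. If openEuler ships util-linux's /etc/pam.d/su-l, confirm it includes su so `su -l` is covered by the same restriction.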
|
||||
diff --git a/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml b/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..55725ba
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml
|
||||
@@ -0,0 +1,19 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure Only Users of Wheel Group Can Use SU'
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+description: |-
|
||||
+ The su command enables a common user to have the rights of the super user or other users.
|
||||
+ It is often used to switch from a common user account to the system root account.
|
||||
+ The su command provides a convenient way for users to change their identities.
|
||||
+ However, unconstrained use of the su command brings potential risks to the system.
|
||||
+ <br />
|
||||
+ The permission to access the root account using the su command is restricted.
|
||||
+ Allows only common users in the wheel group to use the su command, which improves the security of system.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Users outside the wheel group cannot run the su command.
|
||||
+
|
||||
+severity: high
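Review bot: The rationale on the `rationale:` line only restates the title; it should say why the restriction matters. Suggest: `Restricting su to a dedicated administrative group limits the accounts from which a leaked root password can be used interactively, and turns group membership into an auditable record of who may escalate.` The description sentence "The permission to access the root account using the su command is restricted." reads as a statement of fact about the current state; rephrase it as the requirement ("Access to the root account via su must be restricted ...").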
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..16384d0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml
|
||||
@@ -0,0 +1,23 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="sudo_not_for_all_users" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Not all users can run all privilege programs</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_openeuler</platform>
|
||||
+ </affected>
|
||||
+ <description>Not all users can run all privileged programs.</description>
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="check sudoers setting" test_ref="test_privilege_setting_in_sudoers" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check privilege setting" id="test_privilege_setting_in_sudoers" version="1">
|
||||
+ <ind:object object_ref="object_privilege_setting_in_sudoers" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_privilege_setting_in_sudoers" version="1">
|
||||
+ <ind:filepath operation="equals">/etc/sudoers</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*ALL[\s]+ALL[\s]*=[\s]*.*[\s]*ALL[\s]*$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
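Review bot: The `ind:filepath` line reads only /etc/sudoers, so an `ALL ALL=(ALL) ALL` entry dropped into /etc/sudoers.d/ (pulled in by the `#includedir`/`@includedir` line most distributions ship; confirm for openEuler) is never seen and the system passes. Suggest `<ind:filepath operation="pattern match">^/etc/sudoers(\.d/[^/]+)?$</ind:filepath>` so the drop-in directory is covered. Note also that the pattern requires the command list to be `ALL`; `ALL ALL=(ALL) /bin/bash` or `ALL ALL=(ALL) NOPASSWD: /bin/su` give every user root just the same and are not caught — if that is out of scope, say so in the rule.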
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..98ac45e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml
|
||||
@@ -0,0 +1,20 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure Not All Users Can Use Sudo In All Commands'
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
+
|
||||
+description: |-
|
||||
+ The sudo command enables a common user to execute certain programs with the root permission.
|
||||
+ Most system management commands need to be executed as root.<br />
|
||||
+ Properly authorizing other users can reduce the burden of the system administrator,
|
||||
+ but directly granting the root password to the common user will bring security risks.
|
||||
+ Using sudo can avoid this problem.<br />
|
||||
+ You can use the sudo mechanism to avoid using the root user for privileged programs that need to be run by the root user.
|
||||
+ If so, the security is improved.
|
||||
+ However, ensure that NOT all low-privilege users can run all commands.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Low-privilege users maybe can not run privileged programs.
|
||||
+
|
||||
+severity: high
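Review bot: The rationale on the `rationale:` line ("Low-privilege users maybe can not run privileged programs.") is garbled and does not state the risk the rule addresses. Suggest: `A sudoers entry granting ALL users ALL commands makes every local account equivalent to root, so the compromise of any one account or weak password is a full system compromise; sudo grants should name specific users or groups and, where possible, specific commands.` In the description, "You can use the sudo mechanism to avoid using the root user for privileged programs ... If so, the security is improved." would read more clearly as "Using sudo instead of sharing the root password improves security, provided the grants are scoped."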
|
||||
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
|
||||
index 00405f5..de6890c 100644
|
||||
--- a/openeuler2203/profiles/standard.profile
|
||||
+++ b/openeuler2203/profiles/standard.profile
|
||||
@@ -149,3 +149,18 @@ selections:
|
||||
- audit_rules_usergroup_modification_shadow
|
||||
- audit_rules_kernel_module_install_and_remove
|
||||
- rsyslog_cron_logging
|
||||
+ - ensure_minimum_permission
|
||||
+ - opened_files_count_limited
|
||||
+ - sysctl_net_ipv4_tcp_timestamps
|
||||
+ - sysctl_net_ipv4_tcp_fin_timeout
|
||||
+ - sysctl_net_ipv4_tcp_max_syn_backlog
|
||||
+ - sysctl_net_ipv4_disable_arp_proxy
|
||||
+ - sysctl_net_ipv4_icmp_echo_ignore_all
|
||||
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
|
||||
+ - su_only_for_wheel
|
||||
+ - sudo_not_for_all_users
|
||||
+ - only_root_can_run_pkexec
|
||||
+ - su_always_set_path
|
||||
+ - file_permissions_unauthorized_world_writable
|
||||
+ - file_permissions_unauthorized_suid
|
||||
+ - file_permissions_unauthorized_sgid
|
||||
--
|
||||
2.21.0.windows.1
|
||||
|
||||
1317
enable-54-rules-for-openEuler.patch
Normal file
1317
enable-54-rules-for-openEuler.patch
Normal file
@ -1,6 +1,6 @@
|
||||
From a2fde1d192ec8fa8e1bdaed9daf68156b77e7ca4 Mon Sep 17 00:00:00 2001
|
||||
From 6c007906571ed8e7b931d1b923a54af52b6ec91c Mon Sep 17 00:00:00 2001
|
||||
From: "steven.y.gui" <steven_ygui@163.com>
|
||||
Date: Tue, 6 Jun 2023 21:03:36 +0800
|
||||
Date: Mon, 26 Jun 2023 19:32:25 +0800
|
||||
Subject: [PATCH] enable 76 rules for openEuler
|
||||
|
||||
---
|
||||
@ -23,9 +23,9 @@ Subject: [PATCH] enable 76 rules for openEuler
|
||||
.../sshd_use_strong_pubkey/rule.yml | 13 +++
|
||||
.../guide/services/ssh/sshd_strong_kex.var | 19 +++++
|
||||
.../oval/shared.xml | 1 +
|
||||
.../rule.yml | 2 +-
|
||||
.../rule.yml | 8 +-
|
||||
.../oval/shared.xml | 12 ++-
|
||||
.../rule.yml | 2 +-
|
||||
.../rule.yml | 8 +-
|
||||
.../oval/shared.xml | 13 ++-
|
||||
.../rule.yml | 2 +-
|
||||
.../oval/shared.xml | 1 +
|
||||
@ -35,13 +35,13 @@ Subject: [PATCH] enable 76 rules for openEuler
|
||||
.../no_name_contained_in_password/rule.yml | 12 +++
|
||||
.../accounts_password_pam_dcredit/rule.yml | 2 +-
|
||||
.../oval/shared.xml | 27 ++++++
|
||||
.../accounts_password_pam_dictcheck/rule.yml | 23 +++++
|
||||
.../accounts_password_pam_dictcheck/rule.yml | 29 +++++++
|
||||
.../accounts_password_pam_lcredit/rule.yml | 2 +-
|
||||
.../accounts_password_pam_minclass/rule.yml | 2 +-
|
||||
.../accounts_password_pam_minlen/rule.yml | 2 +-
|
||||
.../accounts_password_pam_ocredit/rule.yml | 2 +-
|
||||
.../oval/shared.xml | 1 +
|
||||
.../accounts_password_pam_retry/rule.yml | 2 +-
|
||||
.../accounts_password_pam_retry/rule.yml | 8 +-
|
||||
.../accounts_password_pam_ucredit/rule.yml | 2 +-
|
||||
.../var_password_pam_dictcheck.var | 16 ++++
|
||||
.../oval/shared.xml | 1 +
|
||||
@ -70,13 +70,14 @@ Subject: [PATCH] enable 76 rules for openEuler
|
||||
.../tests/wrong_value.fail.sh | 5 ++
|
||||
.../oval/shared.xml | 30 +++++++
|
||||
.../login_accounts_are_necessary/rule.yml | 31 +++++++
|
||||
.../accounts_maximum_age_login_defs/rule.yml | 6 ++
|
||||
.../gid_passwd_group_same/oval/shared.xml | 3 +-
|
||||
.../accounts_tmout/oval/shared.xml | 1 +
|
||||
.../accounts-session/accounts_tmout/rule.yml | 2 +-
|
||||
.../accounts-session/accounts_tmout/rule.yml | 7 +-
|
||||
.../oval/shared.xml | 83 ++++++++++++++++++
|
||||
.../rule.yml | 2 +-
|
||||
.../accounts_umask_etc_bashrc/oval/shared.xml | 1 +
|
||||
.../accounts_umask_etc_bashrc/rule.yml | 2 +-
|
||||
.../accounts_umask_etc_bashrc/rule.yml | 9 +-
|
||||
.../accounts_umask_interactive_users/rule.yml | 2 +-
|
||||
.../oval/shared.xml | 20 +++++
|
||||
.../grub2_nosmap_argument_absent/rule.yml | 25 ++++++
|
||||
@ -91,6 +92,7 @@ Subject: [PATCH] enable 76 rules for openEuler
|
||||
.../files/no_files_unowned_by_user/rule.yml | 2 +-
|
||||
.../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++
|
||||
.../files/no_hide_exec_files/rule.yml | 14 +++
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 8 +-
|
||||
.../sysctl_kernel_dmesg_restrict/rule.yml | 2 +-
|
||||
.../oval/shared.xml | 1 +
|
||||
.../configure_ssh_crypto_policy/rule.yml | 2 +-
|
||||
@ -103,7 +105,7 @@ Subject: [PATCH] enable 76 rules for openEuler
|
||||
shared/macros-oval.jinja | 73 ++++++++++++++++
|
||||
shared/templates/template_OVAL_sysctl | 4 +
|
||||
ssg/constants.py | 4 +-
|
||||
99 files changed, 1481 insertions(+), 36 deletions(-)
|
||||
101 files changed, 1530 insertions(+), 37 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
|
||||
create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml
|
||||
@ -612,7 +614,7 @@ index 28eecc8..5165c15 100644
|
||||
<description>The passwords to remember should be set correctly.</description>
|
||||
</metadata>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
|
||||
index 579ffc0..cb2d878 100644
|
||||
index 579ffc0..3bb940f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
@ -623,6 +625,19 @@ index 579ffc0..cb2d878 100644
|
||||
|
||||
title: 'Limit Password Reuse'
|
||||
|
||||
@@ -20,6 +20,12 @@ description: |-
|
||||
</li>
|
||||
</ul>
|
||||
The DoD STIG requirement is 5 passwords.
|
||||
+ {{% if product in ["openeuler2203"] %}}
|
||||
+ <br />
|
||||
+ Considering the usability of the community release of openEuler in different scenarios,
|
||||
+ the openEuler release does not disable historical passwords by default.
|
||||
+ Please configure historical passwords based on the site requirements.
|
||||
+ {{% endif %}}
|
||||
|
||||
rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.'
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
|
||||
index db91fa9..0139186 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
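Review bot: The added openEuler note says the release "does not disable historical passwords by default", which misdescribes what pam_unix `remember` does — it prevents re-use of previous passwords, it does not disable them. Suggest the two added lines read `the openEuler release does not restrict re-use of previous passwords by default (pam_unix remember is unset).` and `Please configure the number of remembered passwords based on the site requirements.` Since the rule is still selected, it would help readers to state that a default installation fails this check until the value is set.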
|
||||
@ -656,7 +671,7 @@ index db91fa9..0139186 100644
|
||||
<ind:instance datatype="int" operation="equals">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
|
||||
index 5575bd3..1fe3174 100644
|
||||
index 5575bd3..a06d04e 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
@ -667,6 +682,19 @@ index 5575bd3..1fe3174 100644
|
||||
|
||||
title: 'Set Deny For Failed Password Attempts'
|
||||
|
||||
@@ -17,6 +17,12 @@ description: |-
|
||||
<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
|
||||
<pre>account required pam_faillock.so</pre></li>
|
||||
</ul>
|
||||
+ {{% if product in ["openeuler2203"] %}}
|
||||
+ Considering the usability of the community release of openEuler in different scenarios,
|
||||
+ the openEuler release does not provide this security function by default.
|
||||
+ Please configure the default number of failures and lockout duration based on
|
||||
+ the actual application scenario and requirements.
|
||||
+ {{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
Locking out user accounts after a number of incorrect attempts
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
|
||||
index 402feab..da09d06 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
|
||||
@ -857,10 +885,10 @@ index 0000000..13bbae4
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..b10e340
|
||||
index 0000000..46159db
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
|
||||
@@ -0,0 +1,23 @@
|
||||
@@ -0,0 +1,29 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: openeuler2203
|
||||
@ -870,6 +898,12 @@ index 0000000..b10e340
|
||||
+description: |-
|
||||
+ The pam_pwquality module's <tt>dictcheck</tt> check if passwords contains dictionary words. When
|
||||
+ <tt>dictcheck</tt> is set to <tt>1</tt> passwords will be checked for dictionary words.
|
||||
+ {{% if product in ["openeuler2203"] %}}
|
||||
+ <br />
|
||||
+ Considering the usability of the community release of openEuler in different scenarios,
|
||||
+ the weak password dictionary check is not configured for the openEuler release by default.
|
||||
+ Please configure the weak password dictionary check based on the site requirements.
|
||||
+ {{% endif %}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ Use of a complex password helps to increase the time and resources required to compromise the password.
|
||||
@ -945,7 +979,7 @@ index d888d78..4588489 100644
|
||||
<description>The password retry should meet minimum requirements</description>
|
||||
</metadata>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||||
index 099cbbf..908ca40 100644
|
||||
index 099cbbf..4bf912f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
@ -956,6 +990,19 @@ index 099cbbf..908ca40 100644
|
||||
|
||||
title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
|
||||
|
||||
@@ -10,6 +10,12 @@ description: |-
|
||||
show <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value if
|
||||
site policy is more restrictive.
|
||||
The DoD requirement is a maximum of 3 prompts per session.
|
||||
+ {{% if product in ["openeuler2203"] %}}
|
||||
+ <br />
|
||||
+ Considering the usability of the community release of openEuler in different scenarios,
|
||||
+ the values of retry are not configured in the openEuler release by default.
|
||||
+ Please set it based on the site requirements.
|
||||
+ {{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
Setting the password retry prompts that are permitted on a per-session basis to a low value
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
|
||||
index 7b5fe67..203da95 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
|
||||
@ -1692,6 +1739,23 @@ index 0000000..7fd34bc
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
|
||||
index d41a0eb..d667d96 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
|
||||
@@ -10,6 +10,12 @@ description: |-
|
||||
A value of 180 days is sufficient for many environments.
|
||||
The DoD requirement is 60.
|
||||
The profile requirement is <tt><sub idref="var_accounts_maximum_age_login_defs" /></tt>.
|
||||
+ {{% if product in ["openeuler2203"] %}}
|
||||
+ <br />
|
||||
+ Considering the usability of the community release of openEuler in different scenarios,
|
||||
+ the password expiration time is not configured in the openEuler release by default.
|
||||
+ Please set the password expiration time based on the site requirements.
|
||||
+ {{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
|
||||
index 34d605b..781cd3f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
|
||||
@ -1719,7 +1783,7 @@ index c68effb..bcb50bd 100644
|
||||
<description>Checks interactive shell timeout</description>
|
||||
</metadata>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
|
||||
index cdfa67d..4ceead4 100644
|
||||
index cdfa67d..437abe6 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
@ -1730,6 +1794,18 @@ index cdfa67d..4ceead4 100644
|
||||
|
||||
title: 'Set Interactive Session Timeout'
|
||||
|
||||
@@ -9,6 +9,11 @@ description: |-
|
||||
all user sessions will terminate based on inactivity. The <tt>TMOUT</tt>
|
||||
setting in <tt>/etc/profile</tt> should read as follows:
|
||||
<pre>TMOUT=<sub idref="var_accounts_tmout" /></pre>
|
||||
+ {{% if product in ["openeuler2203"] %}}
|
||||
+ Considering the usability of the community release of openEuler in different scenarios,
|
||||
+ the session timeout interval is not configured by default in the openEuler release.
|
||||
+ Please configure the session timeout interval based on the site requirements.
|
||||
+ {{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
Terminating an idle session within a short time period reduces
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..56b3396
|
||||
@ -1844,7 +1920,7 @@ index 73e457d..9bbd226 100644
|
||||
<description>The default umask for users of the bash shell</description>
|
||||
</metadata>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
|
||||
index 9b189bc..88acb8b 100644
|
||||
index 9b189bc..a6d933c 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
@ -1855,6 +1931,20 @@ index 9b189bc..88acb8b 100644
|
||||
|
||||
title: 'Ensure the Default Bash Umask is Set Correctly'
|
||||
|
||||
@@ -9,6 +9,13 @@ description: |-
|
||||
add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read
|
||||
as follows:
|
||||
<pre>umask <sub idref="var_accounts_user_umask" /></pre>
|
||||
+ {{% if product in ["openeuler2203"] %}}
|
||||
+ After UMASK is set to 077, the default permission on the created file is 600,
|
||||
+ and the default permission on the directory is 700.
|
||||
+ Considering the usability of the community release of openEuler in different scenarios,
|
||||
+ the openEuler release does not configure the UMASK by default.
|
||||
+ Please configure the UMASK based on the site requirements.
|
||||
+ {{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
The umask value influences the permissions assigned to files when they are created.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
|
||||
index 7e6b11a..6271928 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
|
||||
@ -2151,6 +2241,25 @@ index 0000000..5c8bc4b
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index 2408bd0..a5bd907 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -2,7 +2,13 @@ documentation_complete: true
|
||||
|
||||
title: 'Restrict Exposed Kernel Pointer Addresses Access'
|
||||
|
||||
-description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}'
|
||||
+description: |-
|
||||
+ {{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
|
||||
+ {{% if product in ["openeuler2203"] %}}
|
||||
+ To ensure easy maintenance and location,
|
||||
+ the kptr_restrict parameter is set to 0 by default in the openEuler release.
|
||||
+ Please set this parameter based on the site requirements.
|
||||
+ {{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
Exposing kernel pointers (through procfs or <tt>seq_printf()</tt>) exposes
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
|
||||
index bf58274..0ccf428 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
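Review bot: The added openEuler paragraph explains why kptr_restrict defaults to 0 but not what that costs, and the rule still requires 1, so a default install fails it without the text saying so. With kptr_restrict=0 any local user can read kernel symbol addresses (for example from /proc/kallsyms), which weakens KASLR against a local attacker. Suggest the three added lines read `To ease maintenance and fault location, openEuler ships with kptr_restrict set to 0; this lets unprivileged users read kernel addresses and weakens KASLR.` and `Systems applying this profile must set it to 1 (or 2) as described above.`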
|
||||
|
||||
199
optimize-8-rules-for-openEuler.patch
Normal file
199
optimize-8-rules-for-openEuler.patch
Normal file
@ -0,0 +1,199 @@
|
||||
From e7f1e45f0b3172b5b5a35a1822865fddbca6d9f0 Mon Sep 17 00:00:00 2001
|
||||
From: wangqingsan <wangqingsan@huawei.com>
|
||||
Date: Wed, 19 Jun 2024 13:27:03 +0800
|
||||
Subject: [PATCH] fix bug for oe
|
||||
|
||||
---
|
||||
.../oval/shared.xml | 2 +-
|
||||
.../oval/shared.xml | 2 +-
|
||||
.../sshd_set_max_auth_tries/oval/shared.xml | 14 ++++++++++++
|
||||
.../accounts_umask_etc_bashrc/oval/shared.xml | 4 ++--
|
||||
.../oval/shared.xml | 13 ++++++-----
|
||||
.../rsyslog_files_permissions_oe/rule.yml | 22 +++++++++++++++++++
|
||||
.../service_ip6tables_enabled/rule.yml | 2 +-
|
||||
openeuler2203/profiles/standard.profile | 4 ++--
|
||||
8 files changed, 51 insertions(+), 12 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
|
||||
index e6c1a0e..494e255 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
|
||||
@@ -19,7 +19,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="obj_test_sshd_configure_concurrent_unauthenticated_connections" version="1">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^maxstartups\s+\d+:\d+:\d+$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^MaxStartups\s*[0-9]*:[0-9]*:[0-9]*[0-9]</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
</def-group>
|
||||
\ No newline at end of file
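Review bot: The new `ind:pattern` loosens the check in ways that let malformed or absent values pass: `\s*` accepts `MaxStartups10:30:60`, `[0-9]*` accepts empty fields such as `MaxStartups ::1`, and the missing `$` accepts trailing junk. It also swaps one case problem for another — the old pattern matched only lowercase `maxstartups`, the new one only `MaxStartups`, while sshd treats keywords case-insensitively. Suggest `^(?i)MaxStartups\s+\d+:\d+:\d+\s*$`. Independently of the regex, the test only proves the directive is present; if the intent is to bound the start/rate/full values, that needs an `ind:state` against a variable, which this hunk does not add.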
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
|
||||
index fb79aff..30bc3c4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
|
||||
@@ -19,7 +19,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="obj_test_sshd_configure_correct_LoginGraceTime" version="1">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^LoginGraceTime\s+\d+$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^LoginGraceTime\s(\d*)[smhdw]*$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
</def-group>
|
||||
\ No newline at end of file
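Review bot: The new `ind:pattern` accepts `LoginGraceTime 0`, which disables the unauthenticated-connection timeout entirely — the opposite of what the rule is meant to enforce — and `\d*` plus `[smhdw]*` also accept an empty number (`LoginGraceTime s`) and repeated unit letters. sshd time values may also be compound (`1h30m`), which neither the old nor the new pattern covers. Suggest `^(?i)LoginGraceTime\s+([1-9]\d*[smhdw]?)+\s*$`, and if a maximum is intended, compare the captured value against a variable via an `ind:state` rather than relying on the regex alone.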
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
|
||||
index a8eaabd..ae811c7 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
|
||||
@@ -8,14 +8,28 @@
|
||||
<description>The SSH MaxAuthTries should be set to an
|
||||
appropriate value.</description>
|
||||
</metadata>
|
||||
+ {{% if product in ['openeuler2203'] %}}
|
||||
+ <criteria comment="SSH is not being used or conditions are met" operator="OR">
|
||||
+ <extend_definition comment="sshd service is disabled"
|
||||
+ definition_ref="service_sshd_disabled" />
|
||||
+ <criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config"
|
||||
+ test_ref="test_sshd_max_auth_tries_oe" />
|
||||
+ </criteria>
|
||||
+ {{% else %}}
|
||||
<criteria comment="SSH is not being used or conditions are met" operator="OR">
|
||||
<extend_definition comment="sshd service is disabled"
|
||||
definition_ref="service_sshd_disabled" />
|
||||
<criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config"
|
||||
test_ref="test_sshd_max_auth_tries" />
|
||||
</criteria>
|
||||
+ {{% endif %}}
|
||||
</definition>
|
||||
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="maxauthtries is configured" id="test_sshd_max_auth_tries_oe" version="1">
|
||||
+ <ind:object object_ref="object_sshd_max_auth_tries" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
<ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
comment="maxauthtries is configured" id="test_sshd_max_auth_tries" version="1">
|
||||
<ind:object object_ref="object_sshd_max_auth_tries" />
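Review bot: The new `test_sshd_max_auth_tries_oe` test references only the object and closes immediately, with no `ind:state`, so on openEuler the rule passes whenever a `MaxAuthTries` line exists at all — `MaxAuthTries 1000` is compliant. The upstream test it is copied from continues past the end of the hunk; if, as in ComplianceAsCode, it carries a state comparing the value to `var_sshd_max_auth_tries`, the `_oe` copy needs the same `<ind:state state_ref="..." />` line. Since the two `criteria` branches are otherwise identical, the `{{% if product in ['openeuler2203'] %}}` block adds nothing and could be dropped entirely instead. The enclosing `definition` element starts before this hunk.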
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
|
||||
index 0bd0ac1..ec4197a 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
|
||||
@@ -95,7 +95,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="object_umask_in_etc_bash_openeuler" version="1">
|
||||
<ind:filepath operation="pattern match">/etc/bashrc</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">[\s]*umask[\s]*0077[\s]*</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^umask[\s]*0*7*$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
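Review bot: The new pattern `^umask[\s]*0*7*$` accepts `umask 0`, `umask 00` and even `umask ` with no value at all, because both `0*` and `7*` may match zero characters, so a fully permissive umask passes the check; the same pattern is introduced in the `@@ -104,7 +104,7 @@` hunk for `object_umask_in_point_bash_openeuler`. At the same time the `^` anchor now rejects an indented `    umask 077`, which the previous `[\s]*` prefix allowed, and `[\s]*` between `umask` and the digits accepts `umask077`, which the shell does not execute as a umask assignment. A pattern that requires the group and other bits to be masked, for example `^[\s]*umask[\s]+0?[0-7]77[\s]*$`, accepts 077, 0077 and stricter values such as 0177 while rejecting `0`, `7` and an empty value.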
||||
@@ -104,7 +104,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="object_umask_in_point_bash_openeuler" version="1">
|
||||
<ind:filepath>^/home/.*\.bashrc$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">[\s]*umask[\s]*0077[\s]*</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^umask[\s]*0*7*$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
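Review bot: The `<ind:filepath>^/home/.*\.bashrc$</ind:filepath>` line that the new pattern is attached to has no `operation` attribute, and the OVAL default for an entity is `equals`, so the anchored regex is compared literally against file paths and matches nothing; `object_umask_in_point_bash_openeuler` then never collects an item and the outcome of the test rests entirely on its `check_existence` setting rather than on the umask value. This line is context rather than part of the change, but the change is only effective if it is fixed: `<ind:filepath operation="pattern match">^/home/.*\.bashrc$</ind:filepath>`, as the `/etc/bashrc` object in the previous hunk already does.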
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
|
||||
index 92b2667..372e175 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
|
||||
@@ -8,12 +8,15 @@
|
||||
<description>The audit rules should be configured to log information about kernel module installing and removing.</description>
|
||||
</metadata>
|
||||
<criteria operator="AND">
|
||||
- <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
||||
- <criterion comment="audit augenrules 64-bit init_module" test_ref="test_64bit_init_module_augenrules" />
|
||||
- <criterion comment="audit augenrules 64-bit delete_module" test_ref="test_64bit_delete_module_augenrules" />
|
||||
+ <extend_definition comment="32-bit system audit augenrules" definition_ref="audit_rules_augenrules" />
|
||||
<criterion comment="audit augenrules inmod" test_ref="test_install_module_augenrules" />
|
||||
<criterion comment="audit augenrules rmmod" test_ref="test_remove_module_augenrules" />
|
||||
<criterion comment="audit augenrules modprobe" test_ref="test_probe_module_augenrules" />
|
||||
+ <criteria operator="OR">
|
||||
+ <extend_definition comment="64-bit systemctl audit augenrules" definition_ref="audit_rules_augenrules" />
|
||||
+ <criterion comment="audit augenrules 64-bit init_module" test_ref="test_64bit_init_module_augenrules" />
|
||||
+ <criterion comment="audit augenrules 64-bit delete_module" test_ref="test_64bit_delete_module_augenrules" />
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
</definition>
|
||||
|
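Review bot: The inner `<criteria operator="OR">` combines a second `extend_definition` of `audit_rules_augenrules` with the two 64-bit syscall tests, so whenever augenrules is in use — which the outer AND already requires — the OR is satisfied and neither `test_64bit_init_module_augenrules` nor `test_64bit_delete_module_augenrules` has to pass; the 64-bit `init_module`/`delete_module` rules are effectively no longer checked, and even without the duplicated definition an OR lets one of the two syscalls go unaudited. If the intent is to skip the b64 rules on 32-bit systems, the branch needs an architecture criterion, not another reference to the augenrules definition; otherwise the inner block should be `<criteria operator="AND">` with the `extend_definition` line removed. The comments `32-bit system audit augenrules` and `64-bit systemctl audit augenrules` both label the same `definition_ref` and should describe what each line actually tests.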
||||
@@ -22,7 +25,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="object_64bit_init_module_augenrules" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*.*$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
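Review bot: The `object_64bit_init_module_augenrules` pattern now alternates `-S[\s]+init_module` with `([\s]+|[,])delete_module([\s]+|[,])`, so an audit rule that covers only `delete_module` satisfies the init_module object; the `@@ -31,7 +34,7 @@` hunk does the mirror image for `object_64bit_delete_module_augenrules`, where a lone `-S init_module` rule satisfies the delete_module check. Each branch of the alternation should name the syscall the object is for — `init_module` in both alternatives of the first pattern, `delete_module` in both alternatives of the second — as the removed lines did. The first pattern also switched from `arch=b64` to `arch=b32` while the object id, the test it feeds and the `-F arch=b64` requirement of the sibling delete_module object all still say 64-bit, so a host with only b64 rules can no longer pass the init_module half; either restore `arch=b64` here or rename and document the object as a 32-bit check.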
||||
@@ -31,7 +34,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="object_64bit_delete_module_augenrules" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*.*$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..93fd68f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
|
||||
@@ -0,0 +1,22 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure System Log Files Have Correct Permissions'
|
||||
+
|
||||
+description: |-
|
||||
+ <p>Log files record system operations. The log tool <tt>rsyslog</tt> can record logs
|
||||
+ to specified files. When the specified log file does not exist in the system,
|
||||
+ <tt>rsyslog</tt> can create a new log file. You can set the permission on new log files
|
||||
+ in the <tt>rsyslog</tt> configuration file. You can set the default file permission to
|
||||
+ ensure that new log files have proper and secure permissions.</p>
|
||||
+ <p>Run the following command to manually check whether the log permission is properly set:</p>
|
||||
+ <pre>$ ls -l <i>LOGFILE</i></pre>
|
||||
+ <p>If the permissions are not 600 or more restrictive, run the following
|
||||
+ command to correct this:</p>
|
||||
+ <pre>$ sudo chmod 0600 <i>LOGFILE</i></pre>"
|
||||
+
|
||||
+rationale: |-
|
||||
+ Log files can contain valuable information regarding system
|
||||
+ configuration. If the system log files are not protected unauthorized
|
||||
+ users could change the logged data, eliminating their forensic value.
|
||||
+
|
||||
+severity: low
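Review bot: The `description` ends with a stray `"` after `</pre>` on the `chmod 0600` line, which will be rendered into the guide text; it should be `<pre>$ sudo chmod 0600 <i>LOGFILE</i></pre>`. The rule defines no `ocil`/`ocil_clause` and, judging by the diffstat, ships no oval or template, so once `openeuler2203/profiles/standard.profile` swaps `rsyslog_files_permissions` for `rsyslog_files_permissions_oe` (the last hunk of this patch) the scanner apparently has nothing to evaluate for log-file permissions on openEuler — worth confirming that a check exists somewhere, or adding an `ocil` block with the `ls -l` procedure so the rule is at least manually checkable. The text explains that the permission of new log files is set in the rsyslog configuration but names no directive and the remediation only fixes existing files; naming `$FileCreateMode 0600` would make the description actionable. The rationale also reads better with a comma: `If the system log files are not protected, unauthorized users could change the logged data`.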
|
||||
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
|
||||
index d533940..a8ce14a 100644
|
||||
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
|
||||
@@ -34,6 +34,6 @@ template:
|
||||
name: service_enabled
|
||||
vars:
|
||||
servicename: ip6tables
|
||||
- packagename: iptables-ipv6
|
||||
+ packagename: iptables
|
||||
|
||||
platform: machine
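Review bot: `packagename: iptables-ipv6` is changed to `iptables` in a rule.yml that is not product-conditioned, so the package dependency of `service_ip6tables_enabled` changes for every product that selects this rule, not only openeuler2203; if any other product in the tree still ships the ip6tables unit in `iptables-ipv6`, its check is affected too, which I cannot confirm from this patch. The sshd oval earlier in this patch gates its openEuler variant with `{{% if product in ['openeuler2203'] %}}`; wrapping the `packagename` line the same way would keep the change scoped to the product it was tested on.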
|
||||
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
|
||||
index 76fe4dd..4ae7a01 100644
|
||||
--- a/openeuler2203/profiles/standard.profile
|
||||
+++ b/openeuler2203/profiles/standard.profile
|
||||
@@ -376,8 +376,8 @@ selections:
|
||||
- audit_rules_admin_privilege.severity=low
|
||||
- recorded_authentication_related_event
|
||||
- recorded_authentication_related_event.severity=high
|
||||
- - rsyslog_files_permissions
|
||||
- - rsyslog_files_permissions.severity=low
|
||||
+ - rsyslog_files_permissions_oe
|
||||
+ - rsyslog_files_permissions_oe.severity=low
|
||||
- partitions_manage_hard_drive_data
|
||||
- partitions_manage_hard_drive_data.severity=low
|
||||
- uninstall_debugging_tools
|
||||
--
|
||||
2.36.1
|
||||
|
||||
5127
optimize-80-rules-for-openEuler.patch
Normal file
5127
optimize-80-rules-for-openEuler.patch
Normal file
@ -1,6 +1,6 @@
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.49
|
||||
Release: 5
|
||||
Release: 12
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
@ -13,6 +13,10 @@ Patch0004:backport-fix-remaining-getchildren-and-getiterator-functions.patch
|
||||
Patch0005:backport-fix-for-older-python-versions-lacking-.iter-method.patch
|
||||
Patch0006:init-openEuler-ssg-project.patch
|
||||
Patch0007:enable-76-rules-for-openEuler.patch
|
||||
Patch0008:enable-54-rules-for-openEuler.patch
|
||||
Patch0009:add-15-rules-for-openeuler.patch
|
||||
Patch0010:optimize-80-rules-for-openEuler.patch
|
||||
Patch0011:optimize-8-rules-for-openEuler.patch
|
||||
|
||||
BuildArch: noarch
|
||||
BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
|
||||
@ -67,6 +71,27 @@ cd build
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%changelog
|
||||
* Thu Jun 20 2024 wangqingsan <wangqingsan@huawei.com> - 0.1.49-12
|
||||
- optimized 8 rules for openEuler
|
||||
|
||||
* Fri Dec 22 2023 wangqingsan <wangqingsan@huawei.com> - 0.1.49-11
|
||||
- elevate 80 rules for openEuler
|
||||
|
||||
* Fri Dec 8 2023 wangqingsan <wangqingsan@huawei.com> - 0.1.49-10
|
||||
- enable 80 rules for openEuler
|
||||
|
||||
* Fri Nov 17 2023 wangqingsan <wangqingsan@huawei.com> - 0.1.49-9
|
||||
- enable 80 rules for openEuler
|
||||
|
||||
* Fri Aug 11 2023 steven <steven_ygui@163.com> - 0.1.49-8
|
||||
- enable 15 rules for openEuler
|
||||
|
||||
* Thu Jul 27 2023 steven <steven_ygui@163.com> - 0.1.49-7
|
||||
- enable 54 rules for openEuler
|
||||
|
||||
* Sun Jun 25 2023 steven <steven_ygui@163.com> - 0.1.49-6
|
||||
- add some descriptions
|
||||
|
||||
* Tue Jun 6 2023 steven <steven_ygui@163.com> - 0.1.49-5
|
||||
- fix bug of rule "require_signleuser_auth"
|
||||
|
||||
|
||||