From dc37689392abe60433dc4521a835dfa6a031f603 Mon Sep 17 00:00:00 2001 
From: "steven.y.gui" Date: Fri, 11 Aug 2023 10:03:30 +0800 Subject: [PATCH] add 15 rules for openeuler --- .../rule.yml | 21 +++ .../rule.yml | 21 +++ .../oval/shared.xml | 15 ++ .../rule.yml | 17 +++ .../rule.yml | 21 +++ .../rule.yml | 2 +- .../sysctl_net_ipv4_tcp_fin_timeout/rule.yml | 22 +++ .../rule.yml | 23 +++ .../sysctl_net_ipv4_tcp_timestamps/rule.yml | 21 +++ .../files/ensure_minimum_permission/rule.yml | 139 ++++++++++++++++++ .../oval/shared.xml | 1 + .../rule.yml | 2 +- .../oval/shared.xml | 1 + .../rule.yml | 2 +- .../oval/shared.xml | 1 + .../files/opened_files_count_limited/rule.yml | 34 +++++ .../guide/system/software/polkit/group.yml | 6 + .../only_root_can_run_pkexec/oval/shared.xml | 23 +++ .../polkit/only_root_can_run_pkexec/rule.yml | 17 +++ linux_os/guide/system/software/su/group.yml | 6 + .../su/su_always_set_path/oval/shared.xml | 23 +++ .../software/su/su_always_set_path/rule.yml | 20 +++ .../su/su_only_for_wheel/oval/shared.xml | 23 +++ .../software/su/su_only_for_wheel/rule.yml | 19 +++ .../sudo_not_for_all_users/oval/shared.xml | 23 +++ .../sudo/sudo_not_for_all_users/rule.yml | 20 +++ openeuler2203/profiles/standard.profile | 15 ++ 27 files changed, 535 insertions(+), 3 deletions(-) create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml create mode 100644 
linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml create mode 100644 linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml create mode 100644 linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml create mode 100644 linux_os/guide/system/software/polkit/group.yml create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml create mode 100644 linux_os/guide/system/software/su/group.yml create mode 100644 linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml create mode 100644 linux_os/guide/system/software/su/su_always_set_path/rule.yml create mode 100644 linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml create mode 100644 linux_os/guide/system/software/su/su_only_for_wheel/rule.yml create mode 100644 linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml create mode 100644 linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml new file mode 100644 index 0000000..7066bcc --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml 
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Kernel Parameter for ARP Proxy'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.proxy_arp", value="0") }}}'
+
+rationale: |-
+ Restricted execution of programs that depend on the ARP proxy.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.conf.all.proxy_arp
+ sysctlval: '0'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
new file mode 100644
index 0000000..170696b
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Kernel Parameter for ARP Proxy by Default'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.default.proxy_arp", value="0") }}}'
+
+rationale: |-
+ Restricted execution of programs that depend on the ARP proxy.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.conf.default.proxy_arp
+ sysctlval: '0'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml
new file mode 100644
index 0000000..b072446
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml
@@ -0,0 +1,15 @@
+ + + + Disable ARP Proxy + + multi_platform_openeuler + + Disable arp proxy. + + + + + + + 
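Review bot: The `rationale` of the new `sysctl_net_ipv4_conf_all_proxy_arp` rule, `Restricted execution of programs that depend on the ARP proxy.`, describes a side effect of the setting rather than the risk it mitigates, and the `sysctl_net_ipv4_conf_default_proxy_arp` hunk on this same line repeats it verbatim. Something like `Proxy ARP lets this host answer ARP requests on behalf of hosts on other interfaces, which leaks addressing information across network segments and is not needed on a host that does not route.` tells an auditor why the control exists. Both template rules are `severity: low` while the combined `sysctl_net_ipv4_disable_arp_proxy` rule in this patch is `high` and is the only one of the three selected in `standard.profile`; if the combined OVAL is meant to build on these two definitions, the severities should agree and the relationship should be stated in the combined rule.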
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml
new file mode 100644
index 0000000..66a336e
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable ARP Proxy'
+
+description: |-
+ ARP proxy allows the system to send a response to an ARP request on another interface on behalf of a host connected to an interface.
+ Disabling ARP proxy not only prevents authorized information sharing also prevents addressing information leakage between connected network segments.
+ Therefore, the ARP proxy must be disabled to prevent ARP packet attacks on the system.
+
+rationale: |-
+ Restricted execution of programs that depend on the ARP proxy.
+
+severity: high
+
+platform: machine
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
new file mode 100644
index 0000000..31bf313
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Set Kernel Parameter for Ignoring All ICMP'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_all", value="1") }}}'
+
+rationale: |-
+ All ICMP packages are ignored.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.icmp_echo_ignore_all
+ sysctlval: '1'
+ datatype: int
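Review bot: The description sentence `Disabling ARP proxy not only prevents authorized information sharing also prevents addressing information leakage between connected network segments.` says the control blocks authorized sharing, which is presumably not the intent; `not only prevents unauthorized information sharing but also prevents addressing information leakage` reads as meant. The rationale repeats the one-liner from the two per-interface template rules and does not state a risk, while the description's last sentence does; move `the ARP proxy must be disabled to prevent ARP packet attacks on the system` into `rationale`. This rule has no `template` block, so it depends on the OVAL definition in the preceding `shared.xml` hunk, whose XML markup did not survive in this view; a short note in the rule stating which sysctls that definition covers would help the next maintainer.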
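Review bot: The title `Set Kernel Parameter for Ignoring All ICMP` and the rationale `All ICMP packages are ignored.` overstate the effect of `net.ipv4.icmp_echo_ignore_all`, which makes the kernel drop ICMP echo requests only; other ICMP types (destination unreachable, fragmentation needed, time exceeded) are still processed. Suggest `title: 'Ignore All ICMP Echo Requests'` and a rationale such as `Not answering ICMP echo requests makes the host less visible to network reconnaissance, at the cost of breaking ping-based reachability monitoring.` `packages` should be `packets` wherever it appears in this patch; the `sysctl_net_ipv4_tcp_timestamps` hunk has the same typo.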
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
index 12cbdea..74d196a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
 title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
new file mode 100644
index 0000000..ffd435a
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Set Kernel Parameter for TCP TIME_WAIT'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_fin_timeout", value="60") }}}'
+
+rationale: |-
+ Suggested value is 60.
+ If TIME_WAIT is set too long, DoS attacks may occur.
+
+severity: high
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.tcp_fin_timeout
+ sysctlval: '60'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
new file mode 100644
index 0000000..f95f0be
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Set Kernel Parameter for TCP SYN_RECV'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_max_syn_backlog", value="256") }}}'
+
+rationale: |-
+ Suggested value is 256.
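Review bot: The title `Set Kernel Parameter for TCP TIME_WAIT` and the rationale `If TIME_WAIT is set too long, DoS attacks may occur.` name the wrong TCP state: `net.ipv4.tcp_fin_timeout` is how long an orphaned connection stays in FIN_WAIT_2 before the local end aborts it, and the TIME_WAIT duration in Linux is a fixed kernel constant that this sysctl does not change. 60 is also the kernel default, so as written the rule only guards against the value being raised; if the intent is hardening, choose a lower value and say so in the rationale. Suggest `title: 'Set Kernel Parameter for TCP FIN_WAIT_2 Timeout'` and `Orphaned connections left in FIN_WAIT_2 hold kernel memory; bounding the timeout limits the resources a remote peer can tie up by half-closing many connections.` This hunk begins on the previous line.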
+ For security purposes, you are advised to set this parameter to a large value to mitigate TCP SYN flood attacks.
+ However, if this parameter is set to a large value, more system resources are consumed.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.tcp_max_syn_backlog
+ sysctlval: '256'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
new file mode 100644
index 0000000..a2df1d7
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Kernel Parameter for TCP Timestamps'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_timestamps", value="0") }}}'
+
+rationale: |-
+ After this function is enabled, packages with invalid addresses is recorded into kernel logs, which may cause logs overwrite.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.tcp_timestamps
+ sysctlval: '0'
+ datatype: int
diff --git a/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml b/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml
new file mode 100644
index 0000000..9cab819
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml
@@ -0,0 +1,139 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Files Have Minimum Permission'
+
+description: |-
+
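Review bot: The rationale advises to `set this parameter to a large value to mitigate TCP SYN flood attacks`, yet the template pins `sysctlval: '256'`, which is small, and if the `sysctl` template tests for equality (as the fixed literal suggests) a host tuned to a larger backlog fails the check. Either bind the value to a variable with a documented minimum, if the template supports that, or state in the rationale that 256 is a floor and why that number was chosen. `net.ipv4.tcp_syncookies` is the control that actually absorbs a SYN flood once the backlog is full, and the rationale should point there rather than imply the backlog size alone mitigates it. This hunk begins on the previous line.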
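Review bot: The rationale `After this function is enabled, packages with invalid addresses is recorded into kernel logs, which may cause logs overwrite.` describes martian-packet logging, not TCP timestamps, and looks copied from a `log_martians` rule. `net.ipv4.tcp_timestamps` controls RFC 1323 timestamps; the usual hardening argument is that the timestamp value discloses host uptime and aids OS fingerprinting, while turning it off also disables PAWS and round-trip time measurement. Suggest `rationale: |-` followed by `TCP timestamps disclose the host's uptime to remote peers and aid fingerprinting; disable them unless the features they enable (PAWS, RTT measurement) are required.`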

It can not be scanned automatically, please check it manually.

+ +

According to the minimum permission requirements, the minimum access permission must be set for key files in the system, + especially files that contain sensitive information. Users with corresponding permissions can access the directory. + If the file or directory permission is incorrectly configured, the file information may leakage.

+ +

For example, if the access permission is set to 644 or greater, any user can access or even tamper with the data. + If the program's access permission is set to 755, as a result, any user can perform the operation, + which leads to privilege escalation risks.

+ +

Common types of files or directories that require access permission control are as follows: +

+

+ +

The basic principles of permission control are as follows: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
File TypeSuggested Permission
Home Directory750(rwxr-x---)
Programs(Include bash, library)550(r-xr-x---)
Programs Directory550(r-xr-x---)
Configuration Files640(rw-r-----)
Configuration Files Directory750(rwxr-x---)
Log Files(Archived)440(r--r-----)
Log Files(Recording)640(rw-r-----)
Log Files Directory750(rwxr-x---)
Debug Files640(rw-r-----)
Debug Files Directory750(rwxr-x---)
Temporary Files Directory750(rwxr-x---)
Upgrading Files Directory770(rwxrwx---)
Data Files640(rw-r-----)
Data Files Directory750(rwxr-x---)
Directory Of Crypto Component, Private Key, Certificate, Encrypted Data700(rwx------)
Crypto Component, Private Key, Certificate, Encrypted Data600(rw-------)
Interface or Shell Files Of Crypto500(r-x------)
+

+

Generally, a non-root user is used to perform services. This user needs to access necessary directories in the Linux system and files. + Therefore, permission control can be relaxed for system directories, configuration files, executable files, + and certificate files that the system depends on.

+

The system is consistent with the general release in the industry. The suggestions are as follows: + + + + + + + + + + + + + + + + + + + + + +
File TypeSuggested Permission
Directory755(rwxr-xr-x)
Programs(Include bash, library)755(rwxr-xr-x)
Configuration Files644(rw-r--r--)
Certificate Files(No Private Key)444(r--r--r--)
+

+ +rationale: |- + The permission cannot be too high or too low. For example, if the permission of some system configuration files is set to 600 or 640, + common users cannot read the configuration files, the corresponding program may not be executed + because it does not have the permission to read the configuration. + +severity: high + diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml index 83988fe..c1a4f1e 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml @@ -6,6 +6,7 @@ multi_platform_fedora multi_platform_rhel multi_platform_ol + multi_platform_openeuler multi_platform_wrlinux Evaluates to true if all files with SGID set are owned by RPM packages. diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml index 32c176d..ee5eb40 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Ensure All SGID Executables Are Authorized' -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 description: |- The SGID (set group id) bit should be set only on files that were diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml index e83595c..8da5b5b 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml 
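Review bot: The description states `if the access permission is set to 644 or greater, any user can access or even tamper with the data` and `If the program's access permission is set to 755 ... which leads to privilege escalation risks`; 644 grants other users read only and 755 grants read and execute, so tampering and privilege escalation do not follow from those modes alone (a world-writable mode or a setuid bit would). Reword to `644 lets every local user read the data, which is a confidentiality problem for sensitive files` and `755 lets every local user run the program, which matters for tools that should be restricted to administrators`. The rule is declared manual (`It can not be scanned automatically`) yet sets `severity: high` with no `ocil`/`ocil_clause`, so a scanner selecting it from `standard.profile` has nothing to present to the auditor; add an `ocil` block describing what to inspect. The two permission tables lost their cell markup in this view, so their contents could not be reviewed here.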
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml @@ -6,6 +6,7 @@ multi_platform_fedora multi_platform_rhel multi_platform_ol + multi_platform_openeuler multi_platform_wrlinux Evaluates to true if all files with SUID set are owned by RPM packages. diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml index ae5f130..1a9dab0 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Ensure All SUID Executables Are Authorized' -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 description: |- The SUID (set user id) bit should be set only on files that were diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml index 4455469..20d67d6 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml @@ -5,6 +5,7 @@ Red Hat Virtualization 4 multi_platform_ol + multi_platform_openeuler multi_platform_opensuse multi_platform_rhel multi_platform_wrlinux diff --git a/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml b/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml new file mode 100644 index 0000000..6c87050 --- /dev/null +++ b/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml 
@@ -0,0 +1,34 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Opened Files Count Limited' + +description: |- +

It can not be scanned automatically, please check it manually.

+ +

The number of files that can be opened in Linux is limited. If all resources are occupied by a user, other users cannot open the file.

+

openEuler allows a user to open a maximum of 1024 file handles by default. If the number of file handles exceeds 1024, + new file handles cannot be opened. Low-privilege users can modify the value of 1024, but the upper limit 524288 cannot be exceed. + The root can modify the upper limit.

+

This parameter is set to a proper value to prevent all processes of a single user from opening too many file handles and exhausting system resources.

+ +

You can use below cli command to check the limitation:

+ + +rationale: |- + None + +severity: high + diff --git a/linux_os/guide/system/software/polkit/group.yml b/linux_os/guide/system/software/polkit/group.yml new file mode 100644 index 0000000..37662e9 --- /dev/null +++ b/linux_os/guide/system/software/polkit/group.yml @@ -0,0 +1,6 @@ +documentation_complete: true + +title: Polkit + +description: |- + Polkit, which provides privilege escalation capabilities. diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml new file mode 100644 index 0000000..ae03bd4 --- /dev/null +++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml @@ -0,0 +1,23 @@ + + + + Only root user can run pkexec + + multi_platform_openeuler + + Only root user can run pkexec. + + + + + + + + + + + /etc/polkit-1/rules.d/50-default.rules + ^[\s]*polkit.addAdminRule\(function.+\n*[\s]*return[\s]+\[\s*"\s*unix-user\s*:\s*[1-9]*[1-9][0-9]*\s*"\s*\] + 1 + + diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml new file mode 100644 index 0000000..0ae583d --- /dev/null +++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml @@ -0,0 +1,17 @@ +documentation_complete: true + +title: 'Ensure Only Root Can Run The Command of Pkexec' + +prodtype: openeuler2203 + +description: |- + The pkexec command enables a common user to have the rights of the super user or other users. + After the authentication is successful, the command is executed with the rights of the super user. + Pkexec provides a convenient path for users to change their identities, unconstrained use of the pkexec command can bring potential security risks. + The permission to access the root account using pkexec is restricted.
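Review bot: `rationale: |-` followed by `None` leaves the rule without a justification although the description already contains one (`prevent all processes of a single user from opening too many file handles and exhausting system resources`); move that sentence into `rationale`. The description asserts the default `1024`, the ceiling `524288` and that `Low-privilege users can modify the value of 1024` as facts, but these depend on the shipped limits configuration and kernel settings, so cite where they come from or hedge them. The sentence `You can use below cli command to check the limitation:` is followed by nothing in this view, so the command did not survive; if it is missing in the source too, the manual check has no procedure, and `severity: high` for a resource-limit rule with no check is hard to justify.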
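Review bot: The only visible content of this OVAL definition is a regex over `/etc/polkit-1/rules.d/50-default.rules` that matches `polkit.addAdminRule` returning `unix-user:<non-zero uid>`, so it only detects an admin identity written as a numeric uid; `unix-user:<name>`, `unix-group:` and `unix-netgroup:` forms, which are what distributions normally ship, pass unnoticed. Polkit also loads every `*.rules` file in `/etc/polkit-1/rules.d` and `/usr/share/polkit-1/rules.d`, so restricting the object to `50-default.rules` lets a second file override the result without failing the check. Consider matching the whole `return [...]` list against an allow-list of identities (`unix-user:root`, `unix-user:0`) across both directories, and escape the dot in `polkit\.addAdminRule`. The XML markup itself did not survive in this view, so the state comparison and instance count could not be checked.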
+ By default, the password of the root user must be verified when uses pkexec. Only the root user can obtain the system administrator rights. + +rationale: |- + Low-privilege users can not use pkexec. + +severity: high diff --git a/linux_os/guide/system/software/su/group.yml b/linux_os/guide/system/software/su/group.yml new file mode 100644 index 0000000..aa6e29d --- /dev/null +++ b/linux_os/guide/system/software/su/group.yml @@ -0,0 +1,6 @@ +documentation_complete: true + +title: Su + +description: |- + Su, which provides the ability to switch to root or other users. diff --git a/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml new file mode 100644 index 0000000..942df37 --- /dev/null +++ b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml @@ -0,0 +1,23 @@ + + + + Always set env path when user switched + + multi_platform_openeuler + + Alway set env path when user switched by su. + + + + + + + + + + + /etc/login.defs + ^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$ + 1 + + diff --git a/linux_os/guide/system/software/su/su_always_set_path/rule.yml b/linux_os/guide/system/software/su/su_always_set_path/rule.yml new file mode 100644 index 0000000..d461435 --- /dev/null +++ b/linux_os/guide/system/software/su/su_always_set_path/rule.yml @@ -0,0 +1,20 @@ +documentation_complete: true + +title: 'Ensure Always Set Path is Set to YES' + +prodtype: openeuler2203 + +description: |- + The su command enables a common user to have the rights of the super user or other users. + It is often used to switch from a low-privilege user account to the system root account. + The su command provides a convenient way for users to change their identities. + However, using the su command without restrictions brings potential risks to the system. +
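Review bot: The rationale `Low-privilege users can not use pkexec.` does not match the description, which says that with this configuration pkexec requires the root password and only root obtains administrator rights; pkexec remains runnable by any user, what changes is whose credentials are accepted. Suggest `rationale: |-` followed by `Restricting the polkit administrative identity to root ensures that pkexec grants elevated rights only after the root password is verified, so no unprivileged account becomes an implicit administrator.` The title `Ensure Only Root Can Run The Command of Pkexec` should likewise become `Ensure Only Root Is a Polkit Administrative Identity`. This hunk begins on the previous line.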
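Review bot: The regex `^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$` requires an `=` between key and value, but `/etc/login.defs` is conventionally written with whitespace as the separator (`ALWAYS_SET_PATH yes`); if the su implementation on openEuler accepts that form, a compliant file fails this check. It also accepts only lowercase `yes`, while the login.defs parsers may compare the boolean case-insensitively. Suggest `^[\s]*ALWAYS_SET_PATH[\s]*=?[\s]*yes[\s]*$` with a case-insensitive pattern match, and confirm the separator against the file the product ships. The XML markup of the definition did not survive in this view.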
+ The path is not automatically set for the user when the user is changed by using su. + If the system automatically initializes the environment variable PATH after you run the su command to switch users, + you can effectively prevent the privilege escalation which caused by inheriting the environment variable PATH. + +rationale: |- + None + +severity: high diff --git a/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml b/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml new file mode 100644 index 0000000..fe2409a --- /dev/null +++ b/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml @@ -0,0 +1,23 @@ + + + + Only wheel group users can use su + + multi_platform_openeuler + + Only wheel group users can use su command. + + + + + + + + + + + /etc/pam.d/su + ^[\s]*auth[\s]*required[\s]*pam_wheel\.so[\s]*.*$ + 1 + + diff --git a/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml b/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml new file mode 100644 index 0000000..55725ba --- /dev/null +++ b/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml @@ -0,0 +1,19 @@ +documentation_complete: true + +title: 'Ensure Only Users of Wheel Group Can Use SU' + +prodtype: openeuler2203 + +description: |- + The su command enables a common user to have the rights of the super user or other users. + It is often used to switch from a common user account to the system root account. + The su command provides a convenient way for users to change their identities. + However, unconstrained use of the su command brings potential risks to the system. +
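Review bot: In the regex `^[\s]*auth[\s]*required[\s]*pam_wheel\.so[\s]*.*$` the separators between tokens are `[\s]*`, which also matches `authrequiredpam_wheel.so`; use `[\s]+` between tokens. The pattern accepts only `required` although `requisite` enforces the same restriction, and the trailing `.*` accepts any module options, including `deny` (which inverts the check) or `trust` (which lets wheel members switch without a password), so a second test that fails on those options is needed for the rule to mean what its title says. If openEuler ships a separate `/etc/pam.d/su-l` stack for `su -`, it needs the same check. The XML markup of the definition did not survive in this view.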
+ The permission to access the root account using the su command is restricted. + Allows only common users in the wheel group to use the su command, which improves the security of system. + +rationale: |- + Users outside the wheel group cannot run the su command. + +severity: high diff --git a/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml new file mode 100644 index 0000000..16384d0 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml @@ -0,0 +1,23 @@ + + + + Not all users can run all privilege programs + + multi_platform_openeuler + + Not all users can run all privileged programs. + + + + + + + + + + + /etc/sudoers + ^[\s]*ALL[\s]+ALL[\s]*=[\s]*.*[\s]*ALL[\s]*$ + 1 + + diff --git a/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml new file mode 100644 index 0000000..98ac45e --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml @@ -0,0 +1,20 @@ +documentation_complete: true + +title: 'Ensure Not All Users Can Use Sudo In All Commands' + +prodtype: openeuler2203 + +description: |- + The sudo command enables a common user to execute certain programs with the root permission. + Most system management commands need to be executed as root.
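Review bot: The object reads only `/etc/sudoers`, while sudo also processes the drop-in directory `/etc/sudoers.d/` that the stock file includes, so an `ALL ALL=(ALL) ALL` entry placed there is not detected; add a second file object over `/etc/sudoers.d` (recursive) with the same pattern. The regex `^[\s]*ALL[\s]+ALL[\s]*=[\s]*.*[\s]*ALL[\s]*$` covers the `(ALL)`, `(ALL:ALL)` and `NOPASSWD:` forms through `.*`, but a `User_Alias` or `Cmnd_Alias` that expands to `ALL` does not match, which is acceptable only if the rule documents it. The XML markup of the definition did not survive in this view, so the expected instance count could not be checked.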
+ Properly authorizing other users can reduce the burden of the system administrator,
+ but directly granting the root password to the common user will bring security risks.
+ Using sudo can avoid this problem.
+ You can use the sudo mechanism to avoid using the root user for privileged programs that need to be run by the root user.
+ If so, the security is improved.
+ However, ensure that NOT all low-privilege users can run all commands.
+
+rationale: |-
+ Low-privilege users maybe can not run privileged programs.
+
+severity: high
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
index 00405f5..de6890c 100644
--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
@@ -149,3 +149,18 @@ selections:
 - audit_rules_usergroup_modification_shadow
 - audit_rules_kernel_module_install_and_remove
 - rsyslog_cron_logging
+ - ensure_minimum_permission
+ - opened_files_count_limited
+ - sysctl_net_ipv4_tcp_timestamps
+ - sysctl_net_ipv4_tcp_fin_timeout
+ - sysctl_net_ipv4_tcp_max_syn_backlog
+ - sysctl_net_ipv4_disable_arp_proxy
+ - sysctl_net_ipv4_icmp_echo_ignore_all
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - su_only_for_wheel
+ - sudo_not_for_all_users
+ - only_root_can_run_pkexec
+ - su_always_set_path
+ - file_permissions_unauthorized_world_writable
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
-- 2.21.0.windows.1
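Review bot: The rationale `Low-privilege users maybe can not run privileged programs.` is hedged to the point of saying nothing, while the description already makes the point with `ensure that NOT all low-privilege users can run all commands`. Suggest `rationale: |-` followed by `A sudoers entry granting ALL users ALL commands gives every local account full root access and defeats sudo's per-user authorization; privileged commands must be granted to named users or groups only.` The hunk for this rule begins on an earlier line.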
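Review bot: The selection adds `sysctl_net_ipv4_disable_arp_proxy` but not the two template rules `sysctl_net_ipv4_conf_all_proxy_arp` and `sysctl_net_ipv4_conf_default_proxy_arp` introduced in the same patch; if the combined rule's OVAL does not extend those two definitions, the per-interface settings are never evaluated, so either select them too or state in the combined rule which definitions it depends on. `ensure_minimum_permission` and `opened_files_count_limited` are documented as manual checks, so selecting them in an automated profile produces results the scanner cannot compute unless they gain an `ocil` block. The remaining additions reference rules whose `prodtype` is extended elsewhere in this patch, which is consistent.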