From 10617803f98189b619b64f9c716c6aef00610aa9 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Thu, 27 Jul 2023 11:35:15 +0800 Subject: [PATCH] enable 54 rules for openEuler --- .../service_avahi-daemon_disabled/rule.yml | 2 +- .../cron_and_at_config/oval/shared.xml | 51 +++++++++++++++ .../cron_and_at/cron_and_at_config/rule.yml | 15 +++++ .../file_groupowner_cron_d/rule.yml | 2 +- .../file_groupowner_cron_daily/rule.yml | 2 +- .../file_groupowner_cron_hourly/rule.yml | 2 +- .../file_groupowner_cron_monthly/rule.yml | 2 +- .../file_groupowner_cron_weekly/rule.yml | 2 +- .../file_groupowner_crontab/rule.yml | 2 +- .../cron_and_at/file_owner_cron_d/rule.yml | 2 +- .../file_owner_cron_daily/rule.yml | 2 +- .../file_owner_cron_hourly/rule.yml | 2 +- .../file_owner_cron_monthly/rule.yml | 2 +- .../file_owner_cron_weekly/rule.yml | 2 +- .../cron_and_at/file_owner_crontab/rule.yml | 2 +- .../file_permissions_cron_d/rule.yml | 2 +- .../file_permissions_cron_daily/rule.yml | 2 +- .../file_permissions_cron_hourly/rule.yml | 2 +- .../file_permissions_cron_monthly/rule.yml | 2 +- .../file_permissions_cron_weekly/rule.yml | 2 +- .../file_permissions_crontab/rule.yml | 2 +- .../file_groupowner_cron_allow/rule.yml | 2 +- .../file_owner_cron_allow/rule.yml | 2 +- .../service_crond_enabled/rule.yml | 2 +- .../package_openldap-servers_removed/rule.yml | 2 +- .../rule.yml | 2 +- .../service_chronyd_or_ntpd_enabled/rule.yml | 2 +- .../nis/package_ypbind_removed/rule.yml | 2 +- .../nis/package_ypserv_removed/rule.yml | 2 +- .../printing/service_cups_disabled/rule.yml | 2 +- .../package_openssh-server_installed/rule.yml | 2 +- .../package_openssh-server_removed/rule.yml | 2 +- .../oval/shared.xml | 1 + .../firewalld_sshd_port_enabled/rule.yml | 2 +- .../oval/shared.xml | 36 ++++++++++ .../sshd_disable_user_known_hosts_ex/rule.yml | 19 ++++++ .../service_debug-shell_disabled/rule.yml | 2 +- .../account_temp_expire_date/rule.yml | 2 +- .../oval/shared.xml | 65 +++++++++++++++++++ .../rule.yml | 24 +++++++ .../oval/shared.xml | 1 + .../audit_rules_login_events/oval/shared.xml | 1 + .../rule.yml | 2 +- .../audit_rules_login_events_lastlog/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rsyslog_cron_logging/oval/shared.xml | 1 + .../rsyslog_cron_logging/rule.yml | 2 +- .../service_firewalld_enabled/rule.yml | 2 +- .../configure_firewalld_ports/oval/shared.xml | 1 + .../configure_firewalld_ports/rule.yml | 2 +- .../rule.yml | 35 ++++++++++ .../oval/shared.xml | 1 + .../set_firewalld_default_zone/rule.yml | 2 +- .../oval/{rhel6.xml => shared.xml} | 1 + .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../sysctl_net_ipv4_ip_forward/rule.yml | 2 +- .../kernel_module_sctp_disabled/rule.yml | 2 +- .../rule.yml | 2 +- .../selinux/selinux_policytype/rule.yml | 2 +- .../system/selinux/selinux_state/rule.yml | 2 +- openeuler2203/profiles/standard.profile | 55 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 2 +- 80 files changed, 372 insertions(+), 65 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml create mode 100644 linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml create mode 100644 linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml rename linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/{rhel6.xml => shared.xml} (97%) diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml index 76c4a8a..fd7dd6d 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel6,rhel7,rhel8 +prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8 title: 'Disable Avahi Server Software' diff --git a/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml b/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml new file mode 100644 index 0000000..c032930 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml @@ -0,0 +1,51 @@ + + + + Verify Permissions On The cron And at Files + + multi_platform_openeuler + + Check permissions on the cron and at files. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /etc + ^cron.deny$ + + + /etc + ^at.deny$ + + + diff --git a/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml b/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml new file mode 100644 index 0000000..630b3d7 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml @@ -0,0 +1,15 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Verify Permissions On The cron And at Files' + +description: |- + Check permissions on the cron and at files, include: cron.d, crontab, cron.hourly, + cron.daily, cron.weekly, cron.monthly, cron.allow, at.allow. And there are no files of cron.deny and at.deny. + +rationale: |- + Strict permission control prevents attacks from low-privileged users. + +severity: medium + diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml index 3add79d..f8d3d62 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Group Who Owns cron.d' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml index 53e1800..57b7fb2 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Group Who Owns cron.daily' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml index c3545bc..48d42ad 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Group Who Owns cron.hourly' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml index a664d78..82c0fac 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Group Who Owns cron.monthly' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml index de1ac8c..91e258c 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Group Who Owns cron.weekly' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml index 8df80cb..cc35092 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Group Who Owns Crontab' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml index 8778109..5cdf85c 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Owner on cron.d' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml index ed6e76e..32dc30b 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Owner on cron.daily' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml index 298a03b..12491e8 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Owner on cron.hourly' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml index 35f2bc1..4a8734b 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Owner on cron.monthly' diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml index f5bba63..ca82f2d 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Owner on cron.weekly' diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml index a10a283..fd5b5e7 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Owner on crontab' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml index cd0dc61..fdf8daf 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Permissions on cron.d' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml index 4313ffb..84651fc 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Permissions on cron.daily' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml index 1d06872..eef3028 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Permissions on cron.hourly' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml index b4d1863..72ffb6c 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Permissions on cron.monthly' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml index 523ea17..4fcbe28 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Permissions on cron.weekly' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml index 126bffd..31b3152 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,rhv4 +prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Verify Permissions on crontab' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml index b32afa5..7c797bf 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,rhv4,wrlinux1019 +prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Verify Group Who Owns /etc/cron.allow file' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml index 80dedca..27694be 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,rhv4,wrlinux1019 +prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Verify User Who Owns /etc/cron.allow file' diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml index a1f82cf..1917061 100644 --- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Enable cron Service' diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml index d328872..348f794 100644 --- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8 +prodtype: openeuler2203,rhel6,rhel7,rhel8 title: 'Uninstall openldap-servers Package' diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml index 437d72a..1381b06 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 title: 'Specify a Remote NTP Server' diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml index 6bdf586..f50264c 100644 --- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 title: 'Enable the NTP Daemon' diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml index eb1ad4c..efb6c20 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Remove NIS Client' diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml index d364ef6..f855b1d 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Uninstall ypserv Package' diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml index bd04e58..542a304 100644 --- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml +++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8 +prodtype: openeuler2203,rhel6,rhel7,rhel8 title: 'Disable the CUPS Service' diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml index 0bb4aad..ab99c61 100644 --- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8 +prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8 title: 'Install the OpenSSH Server Package' diff --git a/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml index 1c491d1..13affc3 100644 --- a/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml +++ b/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8 +prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8 title: 'Remove the OpenSSH Server Package' diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml index 25f1d1e..19c155e 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml @@ -7,6 +7,7 @@ Red Hat Enterprise Linux 8 Red Hat Virtualization 4 multi_platform_ol + multi_platform_openeuler multi_platform_wrlinux If inbound SSH access is needed, the firewall should allow access to diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml index 37f7e32..ef8970f 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4 +prodtype: ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 title: 'Enable SSH Server firewalld Firewall Exception' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml new file mode 100644 index 0000000..d629e00 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml @@ -0,0 +1,36 @@ + + + + Disable SSH Support for User Known Hosts + + multi_platform_openeuler + + Not support user known hosts on ssh server + + + + + + + + + + + + + + + + + + + /root/.ssh + ^known_hosts$ + + + + \/home\/.+\/\.ssh + ^known_hosts$ + + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml new file mode 100644 index 0000000..ee76374 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml @@ -0,0 +1,19 @@ +documentation_complete: true + +title: 'Not Use User Known Hosts' + +description: |- + SSH can allow system users to connect to systems if a cache of the remote + systems public keys is available. This should be disabled. +

+ To ensure this behavior is disabled, add or correct the + following line in /etc/ssh/sshd_config: + 
IgnoreUserKnownHosts yes
+ Or remove the files of known_hosts from /root and /home directory. + +rationale: |- + Configuring this setting for the SSH daemon provides additional + assurance that remove login via SSH will require a password, even + in the event of misconfiguration elsewhere. + +severity: medium diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml index cfda54d..8efaa28 100644 --- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 title: 'Disable debug-shell SystemD Service' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml index 34ef1e6..1b663a4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Assign Expiration Date to Temporary Accounts' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml new file mode 100644 index 0000000..92b2667 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml @@ -0,0 +1,65 @@ + + + + Audit Kernel Module Installing and Removing + + multi_platform_openeuler + + The audit rules should be configured to log information about kernel module installing and removing. + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$ + 1 + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$ + 1 + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$ + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml new file mode 100644 index 0000000..03aa0b7 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Ensure auditd Collects Information on Kernel Module Installing and Removing' + +prodtype: openeuler2203 + +description: |- + To capture kernel module installing and removing events. + + The place to add the lines depends on a way auditd daemon is configured. If it is configured + to use the augenrules program (the default), add the lines to a file with suffix + .rules in the directory /etc/audit/rules.d. + + If the auditd daemon is configured to use the auditctl utility, + add the lines to file /etc/audit/audit.rules. + +

Here, we only use the first method (augenrules) to check.

+ +rationale: |- + The addition/removal of kernel modules can be used to alter the behavior of + the kernel and potentially introduce malicious code into kernel space. It is important + to have an audit trail of modules that have been introduced into the kernel. + +severity: medium diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml index e987860..872458d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml @@ -6,6 +6,7 @@ Red Hat Virtualization 4 multi_platform_fedora multi_platform_ol + multi_platform_openeuler multi_platform_rhel The audit rules should be configured to log information about kernel module loading and unloading. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml index 772b34f..c222204 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml @@ -6,6 +6,7 @@ Red Hat Virtualization 4 multi_platform_fedora multi_platform_ol + multi_platform_openeuler multi_platform_rhel Audit rules should be configured to log successful and unsuccessful login and logout events. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml index 4d2af18..9dc69ef 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Record Attempts to Alter Logon and Logout Events - faillock' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml index 355004a..58cb1ca 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Record Attempts to Alter Logon and Logout Events - lastlog' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml index 7c27c22..531cf37 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Record Attempts to Alter Logon and Logout Events - tallylog' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml index 5536a62..071c762 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Record Events that Modify User/Group Information - /etc/group' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml index 8627ad9..b4dbab4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Record Events that Modify User/Group Information - /etc/gshadow' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml index 4db8bbe..47e36fa 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Record Events that Modify User/Group Information - /etc/security/opasswd' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml index 0f18997..c21225c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Record Events that Modify User/Group Information - /etc/passwd' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml index 32b6b9e..77f1e71 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Record Events that Modify User/Group Information - /etc/shadow' diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml index 97e8d85..ec94870 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml @@ -7,6 +7,7 @@ Red Hat Virtualization 4 multi_platform_fedora multi_platform_ol + multi_platform_openeuler multi_platform_rhel multi_platform_wrlinux diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml index 31e9a56..cba4e19 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Ensure cron Is Logging To Rsyslog' diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml index 74d3880..bcb4758 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Verify firewalld Enabled' diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml index c25e31a..cee35b4 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml @@ -6,6 +6,7 @@ Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Virtualization 4 + multi_platform_openeuler multi_platform_wrlinux Configure the firewalld ports to allow approved diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml index d2b6697..49c390c 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,rhv4,wrlinux1019 +prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Configure the Firewalld Ports' diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml new file mode 100644 index 0000000..3acd6c4 --- /dev/null +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml @@ -0,0 +1,35 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Disable Unnecessary Services and Ports on Firewalld' + +description: |- + Configure the firewalld services and ports to allow approved + services to have the right to access to the system. To configure firewalld + to open/remove ports, run the following command: + 
$ sudo firewall-cmd --permanent --add-port/--remove-port=port_number/tcp
+ or + 
$ sudo firewall-cmd --permanent --add-service/--remove-service=service_name
+ Whether the port configuration is correct depends on the application scenario. Therefore, automatic check is not suitable. + +rationale: |- + In order to prevent unauthorized connection of devices, unauthorized + transfer of information, or unauthorized tunneling (i.e., embedding of data + types within data types), organizations must disable or restrict unused or + unnecessary physical and logical ports/protocols on information systems. +

+ Operating systems are capable of providing a wide variety of functions and + services. Some of the functions and services provided by default may not be + necessary to support essential organizational operations. + Additionally, it is sometimes convenient to provide multiple services from + a single component (e.g., VPN and IPS); however, doing so increases risk + over limiting the services provided by any one component. +

+ To support the requirements and principles of least functionality, the + operating system must support the organizational requirements, providing + only essential capabilities and limiting the use of ports, protocols, + and/or services to only those required, authorized, and approved to conduct + official business or to address authorized quality of life issues. + +severity: medium diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml index cc275f0..39966f4 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml @@ -8,6 +8,7 @@ Red Hat Virtualization 4 multi_platform_fedora multi_platform_ol + multi_platform_openeuler Change the default firewalld zone to drop. diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml index 7cf9cf7..74afe48 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 title: 'Set Default firewalld Zone for Incoming Packets' diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml similarity index 97% rename from linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml rename to linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml index 7eddc5c..2e487a8 100644 --- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml +++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml @@ -4,6 +4,7 @@ Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain + multi_platform_openeuler Red Hat Enterprise Linux 6 Change the default policy to DROP (from ACCEPT) diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml index a8fe3d1..0dfda21 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml index d9b306f..f38d5cb 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ocp4,ol7,ol8,rhel6,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml index 661121c..759e6b0 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Disable Kernel Parameter for IPv6 Forwarding' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml index 6284b03..5073adb 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml index fb91b61..9bf1f89 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml index 3ed5583..49a137b 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml index 93d3a6d..4f0cf66 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml index 7633f29..2f09e5c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml index ffca800..e7a63f2 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml index ed541e7..f843b20 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml index a958ce1..d0c8370 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml index 1f2f188..1612dd7 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml index 5fa19c6..32c4521 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml index 1263313..0c016c7 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml index 8cb0868..d68c99e 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces' diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml index b3278b5..ae395f4 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Disable SCTP Support' diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml index de971a2..04e1d45 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Disable Modprobe Loading of USB Storage Driver' diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml index b6b719f..d9c6817 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml +++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Configure SELinux Policy' diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml index fc2d4ae..31afc19 100644 --- a/linux_os/guide/system/selinux/selinux_state/rule.yml +++ b/linux_os/guide/system/selinux/selinux_state/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Ensure SELinux State is Enforcing' diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile index 7f6f0e3..00405f5 100644 --- a/openeuler2203/profiles/standard.profile +++ b/openeuler2203/profiles/standard.profile @@ -94,3 +94,58 @@ selections: - no_empty_symlink_files - no_hide_exec_files - no_lowprivilege_users_writeable_cmds_in_crontab_file + - service_debug-shell_disabled + - service_avahi-daemon_disabled + - package_openldap-servers_removed + - service_cups_disabled + - package_ypserv_removed + - package_ypbind_removed + - account_temp_expire_date + - no_netrc_files + - service_chronyd_or_ntpd_enabled + - chronyd_or_ntpd_specify_remote_server + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + - sshd_set_loglevel_verbose + - sshd_set_max_auth_tries + - sshd_max_auth_tries_value=3 + - sshd_do_not_permit_user_env + - sshd_disable_user_known_hosts_ex + - sshd_disable_rhosts_rsa + - service_firewalld_enabled + - set_firewalld_default_zone + - disable_unnecessary_service_and_ports + - service_iptables_enabled + - service_ip6tables_enabled + - set_iptables_default_rule + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_fs_suid_dumpable + - selinux_state + - selinux_policytype + - sysctl_fs_protected_symlinks + - sysctl_fs_protected_hardlinks + - kernel_module_usb-storage_disabled + - service_crond_enabled + - cron_and_at_config + - audit_rules_login_events + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - audit_rules_kernel_module_install_and_remove + - rsyslog_cron_logging diff --git a/shared/templates/template_OVAL_sysctl b/shared/templates/template_OVAL_sysctl index 62ae26d..3c30612 100644 --- a/shared/templates/template_OVAL_sysctl +++ b/shared/templates/template_OVAL_sysctl @@ -43,7 +43,7 @@ The "{{{ SYSCTLVAR }}}" kernel parameter should be set to the appropriate value in both system configuration and system runtime. -{{% if product in ["rhel6", "debian8", "ubuntu1404", "ubuntu1604", "ubuntu1804"] %}} +{{% if product in ["openeuler2203", "rhel6", "debian8", "ubuntu1404", "ubuntu1604", "ubuntu1804"] %}} {{% else %}} -- 2.21.0.windows.1