From 262435c4b8c511cf8afc5927051cb0948415f593 Mon Sep 17 00:00:00 2001 
From: steven_ygui Date: Fri, 19 May 2023 01:37:20 +0800 Subject: [PATCH] enable-76-rules-for-openEuler.patch --- .../rule.yml | 30 +++++++ .../services/ftp/package_ftp_removed/rule.yml | 22 +++++ .../tftp/package_tftp-server_removed/rule.yml | 2 +- .../tftp/package_tftp_removed/rule.yml | 2 +- .../package_net-snmp_removed/rule.yml | 2 +- .../disable_host_auth/oval/shared.xml | 20 +++++ .../sshd_allow_only_protocol2/oval/shared.xml | 20 +++++ .../oval/shared.xml | 20 +++++ .../sshd_disable_rhosts/oval/shared.xml | 20 +++++ .../sshd_enable_pam/policy/stig/shared.yml | 26 ++++++ .../ssh/ssh_server/sshd_enable_pam/rule.yml | 26 ++++++ .../sshd_use_strong_ciphers/rule.yml | 2 +- .../sshd_use_strong_kex/oval/shared.xml | 73 ++++++++++++++++ .../ssh_server/sshd_use_strong_kex/rule.yml | 17 ++++ .../ssh_server/sshd_use_strong_macs/rule.yml | 2 +- .../sshd_use_strong_pubkey/oval/shared.xml | 1 + .../sshd_use_strong_pubkey/rule.yml | 13 +++ .../guide/services/ssh/sshd_strong_kex.var | 19 +++++ .../oval/shared.xml | 1 + .../rule.yml | 7 +- .../oval/shared.xml | 12 ++- .../rule.yml | 8 +- .../oval/shared.xml | 13 ++- .../rule.yml | 2 +- .../oval/shared.xml | 1 + .../rule.yml | 2 +- ...nts_passwords_pam_faillock_unlock_time.var | 1 + .../oval/shared.xml | 32 +++++++ .../no_name_contained_in_password/rule.yml | 12 +++ .../accounts_password_pam_dcredit/rule.yml | 2 +- .../oval/shared.xml | 27 ++++++ .../accounts_password_pam_dictcheck/rule.yml | 28 ++++++ .../accounts_password_pam_lcredit/rule.yml | 2 +- .../accounts_password_pam_minclass/rule.yml | 2 +- .../accounts_password_pam_minlen/rule.yml | 2 +- .../accounts_password_pam_ocredit/rule.yml | 2 +- .../oval/shared.xml | 1 + .../accounts_password_pam_retry/rule.yml | 2 +- .../accounts_password_pam_ucredit/rule.yml | 2 +- .../var_password_pam_dictcheck.var | 16 ++++ .../oval/shared.xml | 1 + .../rule.yml | 2 +- .../verify_owner_password/oval/shared.xml | 60 +++++++++++++ .../verify_owner_password/rule.yml | 12 +++ 
.../require_singleuser_auth/oval/shared.xml | 21 ++++- .../require_singleuser_auth/rule.yml | 2 +- .../account_unique_group_id/oval/shared.xml | 51 +++++++++++ .../account_unique_group_id/rule.yml | 11 +++ .../account_unique_id/oval/shared.xml | 51 +++++++++++ .../account_unique_id/policy/stig/shared.yml | 15 ++++ .../account_unique_id/rule.yml | 11 +++ .../tests/correct_value.pass.sh | 2 + .../tests/wrong_value.fail.sh | 5 ++ .../accounts_are_necessary/oval/shared.xml | 25 ++++++ .../accounts_are_necessary/rule.yml | 20 +++++ .../group_unique_id/oval/shared.xml | 50 +++++++++++ .../group_unique_id/policy/stig/shared.yml | 15 ++++ .../group_unique_id/rule.yml | 12 +++ .../tests/correct_value.pass.sh | 4 + .../group_unique_id/tests/wrong_value.fail.sh | 5 ++ .../group_unique_name/oval/shared.xml | 50 +++++++++++ .../group_unique_name/rule.yml | 12 +++ .../tests/correct_value.pass.sh | 4 + .../tests/wrong_value.fail.sh | 5 ++ .../oval/shared.xml | 30 +++++++ .../login_accounts_are_necessary/rule.yml | 31 +++++++ .../accounts_maximum_age_login_defs/rule.yml | 5 ++ .../gid_passwd_group_same/oval/shared.xml | 3 +- .../accounts_tmout/oval/shared.xml | 1 + .../accounts-session/accounts_tmout/rule.yml | 7 +- .../oval/shared.xml | 83 ++++++++++++++++++ .../rule.yml | 2 +- .../accounts_umask_etc_bashrc/oval/shared.xml | 1 + .../accounts_umask_etc_bashrc/rule.yml | 9 +- .../accounts_umask_interactive_users/rule.yml | 2 +- .../oval/shared.xml | 20 +++++ .../grub2_nosmap_argument_absent/rule.yml | 25 ++++++ .../oval/shared.xml | 20 +++++ .../grub2_nosmep_argument_absent/rule.yml | 25 ++++++ .../grub2_uefi_password/rule.yml | 2 +- .../oval/shared.xml | 1 + .../oval/shared.xml | 1 + .../file_permissions_ungroupowned/rule.yml | 2 +- .../files/no_empty_symlink_files/rule.yml | 26 ++++++ .../no_files_unowned_by_user/oval/shared.xml | 1 + .../files/no_files_unowned_by_user/rule.yml | 2 +- .../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++ 
.../files/no_hide_exec_files/rule.yml | 14 +++ .../sysctl_kernel_kptr_restrict/rule.yml | 8 +- .../sysctl_kernel_dmesg_restrict/rule.yml | 2 +- .../oval/shared.xml | 1 + .../configure_ssh_crypto_policy/rule.yml | 2 +- .../package_python2_removed/rule.yml | 18 ++++ .../oval/shared.xml | 1 + .../ensure_gpgcheck_never_disabled/rule.yml | 2 +- .../cpe/openeuler2203-cpe-dictionary.xml | 61 +++++++++++++ openeuler2203/profiles/standard.profile | 85 +++++++++++++++++++ .../oval/installed_env_has_login_defs.xml | 4 + shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- 101 files changed, 1521 insertions(+), 37 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml create mode 100644 linux_os/guide/services/ssh/sshd_strong_kex.var create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml create 
mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var create mode 100644 linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml create mode 100644 
linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml create mode 100644 linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml create mode 100644 linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml create mode 100644 linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml create mode 100644 linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml 
diff --git a/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml new file mode 100644 index 0000000..ef1fc32 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml @@ -0,0 +1,30 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure All Commands/Bashes In Crontab File Are Not Writeable By Low-privilege Users' + +description: |- +

It can not be scanned automatically, please check it manually.

+

Use below cli commands to check if there is any low-privilege users writeable commands/bashes in /etc/crontab

+
+ So, the wirteable flag of other users is present(-rwxrwxrwx.) and it is a risk.
+
+rationale: |-
+ If any symlink files have no camonical path, it should be removed.
+
+severity: medium
+
diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
new file mode 100644
index 0000000..ee68c97
--- /dev/null
+++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Remove ftp Client'
+
+description: |-
+ FTP is a simple file transfer protocol,
+ it does not support authentication and can be easily hacked. The package
+ ftp is a client program that allows for connections to a ftp server.
+
+rationale: |-
+ It is recommended that FTP be removed, unless there is a specific need
+ for FTP. In that case, use extreme caution when configuring
+ the services.
+
+severity: low
+
+template:
+ name: package_removed
+ vars:
+ pkgname: ftp
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 37a9b68..700e673 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
 title: 'Uninstall tftp-server Package'
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index 2e7858e..de45e4b 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
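Review bot: The rationale in the new cron rule, `If any symlink files have no camonical path, it should be removed.`, is copied from the symlink rule and does not explain this check at all; replace it with `A cron job runs with the privileges of its owner, usually root, so any command or script referenced from /etc/crontab that a low-privilege user can write to is a direct path to privilege escalation.` The description also has `wirteable` for `writable`. The rule states that it cannot be scanned automatically, yet the hunk shows no `ocil`/`ocil_clause` block, so it may produce no manual check text in the generated guide; confirm against the project's convention for manual-only rules.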
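Review bot: The description of the new package_ftp_removed rule says FTP `does not support authentication`, which is inaccurate and weakens the argument for removing it; FTP does authenticate with a username and password, but sends them, and all file data, in cleartext with no integrity protection. Suggest `FTP transmits credentials and file contents in cleartext and provides no integrity protection, so anyone on the network path can capture or alter them.` The rationale could then point at sftp/scp as the replacement instead of the vague `use extreme caution`.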
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8 +prodtype: openeuler2203,rhel6,rhel7,rhel8 title: 'Remove tftp Daemon' diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml index 817463d..6484570 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: debian10,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: debian10,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Uninstall net-snmp Package' diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml new file mode 100644 index 0000000..8178251 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -0,0 +1,20 @@ + + + + Disable Host-Based Authentication + {{{- oval_affected(products) }}} + To disable host-based authentication. + + + + + + + + + + /etc/ssh/sshd_config + ^HostbasedAuthentication[\s]+no$ + 1 + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml new file mode 100644 index 0000000..9446c3f --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml @@ -0,0 +1,20 @@ + + + + Allow Only SSH Protocol 2 + {{{- oval_affected(products) }}} + Only SSH protocol version 2 connections should be permitted. + + + + + + + + + + /etc/ssh/sshd_config + ^Protocol[\s]+2$ + 1 + + 
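Review bot: The hand-written pattern `^HostbasedAuthentication[\s]+no$` in the new disable_host_auth OVAL is anchored at column 0, case-sensitive and rejects trailing whitespace or comments, while sshd keywords are case-insensitive and may be indented; it also passes when an earlier `HostbasedAuthentication yes` line exists, because sshd honours the first occurrence and the test only needs one match. This same patch already uses the project macro for the pubkey rule, so one line would replace the whole file: `{{{ oval_sshd_config(parameter="HostbasedAuthentication", value="no") }}}`. That macro presumably also covers the `Include /etc/ssh/sshd_config.d/*.conf` drop-ins that OpenSSH 8.x reads; confirm that for the openEuler build.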
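Review bot: The `^Protocol[\s]+2$` check in the new sshd_allow_only_protocol2 OVAL has no security effect on the sshd that openEuler 22.03 ships: SSHv1 server support was removed from OpenSSH long ago and a stock sshd_config carries no `Protocol` line, so every default host fails a rule it cannot meaningfully satisfy. Either leave this rule out of the openeuler2203 profile or, if it is kept for legacy policy mapping, let a missing directive pass (the sshd_lineinfile template's `missing_parameter_pass: 'true'` does exactly that). I am hedging on the exact OpenSSH version in openEuler 22.03, but it is well past the 7.x releases that dropped protocol 1.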
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml new file mode 100644 index 0000000..44c5eab --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml @@ -0,0 +1,20 @@ + + + + Disable SSH Access via Empty Passwords + {{{- oval_affected(products) }}} + Disable SSH Access via Empty Passwords. + + + + + + + + + + /etc/ssh/sshd_config + ^PermitEmptyPasswords[\s]+no$ + 1 + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml new file mode 100644 index 0000000..22a1069 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml @@ -0,0 +1,20 @@ + + + + Disable SSH Support for .rhosts Files + {{{- oval_affected(products) }}} + Disable SSH Support for .rhosts Files. + + + + + + + + + + /etc/ssh/sshd_config + ^IgnoreRhosts[\s]+yes$ + 1 + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml new file mode 100644 index 0000000..5a3d8ee --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml 
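Review bot: `^PermitEmptyPasswords[\s]+no$` in the new sshd_disable_empty_passwords OVAL only proves that some line says `no`; sshd applies the first occurrence of a keyword, and a `Match` block later in the file or a drop-in under sshd_config.d can set a different value, so a file with `PermitEmptyPasswords yes` ahead of the `no` line still passes. The `oval_sshd_config` macro this patch uses for sshd_use_strong_pubkey handles these cases consistently: `{{{ oval_sshd_config(parameter="PermitEmptyPasswords", value="no") }}}`. The IgnoreRhosts check in the next hunk has the same shape and would take the same one-line replacement.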
@@ -0,0 +1,26 @@ +srg_requirement: |- + {{{ full_name }}} must enable the Pluggable Authenitcation Module (PAM) interface for SSHD. + +vuldiscussion: |- + When UsePAM is set to yes, PAM runs through account and session types properly. This is + important if you want to restrict access to services based off of IP, time or other factors of + the account. Additionally, you can make sure users inherit certain environment variables + on login or disallow access to the server. + +checktext: |- + Verify the {{{ full_name }}} SSHD is configured to allow for the UsePAM interface with the following command: + + $ sudo grep -i usepam /etc/ssh/sshd_config + + UsePAM yes + + If the "UsePAM" keyword is set to "no", is missing, or is commented out, this is a finding. + +fixtext: |- + Configure the {{{ full_name }}} SSHD to use the UsePAM interface add or modify the following line in "/etc/ssh/sshd_config". + + UsePAM yes + + Restart the SSH daemon for the settings to take effect: + + $ sudo systemctl restart sshd.service diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml new file mode 100644 index 0000000..e303b2c --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml 
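Review bot: The checktext `$ sudo grep -i usepam /etc/ssh/sshd_config` in the new STIG policy misses `Include`d drop-in files and cannot tell which of several occurrences sshd actually honours, so an auditor can be shown a `UsePAM yes` that is not in effect; the daemon reports the effective value itself: `$ sudo sshd -T | grep -i usepam`. Also `Authenitcation` in srg_requirement should be `Authentication`, and the fixtext sentence reads better as `Configure the {{{ full_name }}} SSHD to use the UsePAM interface by adding or modifying the following line in "/etc/ssh/sshd_config".`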
@@ -0,0 +1,26 @@ +documentation_complete: true + +title: 'Enable PAM' + +description: |- + UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will + enable PAM authentication using ChallengeResponseAuthentication and + PasswordAuthentication in addition to PAM account and session module processing for all + authentication types. + +rationale: |- + When UsePAM is set to yes, PAM runs through account and session types properly. This is + important if you want to restrict access to services based off of IP, time or other factors of + the account. Additionally, you can make sure users inherit certain environment variables + on login or disallow access to the server. + +severity: medium + + +template: + name: sshd_lineinfile + vars: + missing_parameter_pass: 'false' + parameter: UsePAM + rule_id: sshd_enable_pam + value: 'yes' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml index d476fda..59bb6a6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,rhel6,rhel7 +prodtype: ol7,openeuler2203,rhel6,rhel7 title: 'Use Only Strong Ciphers' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml new file mode 100644 index 0000000..d8d13d8 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml 
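Review bot: The new sshd_enable_pam rule.yml carries no `prodtype`, unlike every other rule this patch adds or touches, which pin `openeuler2203`; if the build treats a missing prodtype as "all products", this rule silently lands in other products' content. Either add `prodtype: openeuler2203` or say in the description that the omission is deliberate. `missing_parameter_pass: 'false'` is the right choice here, since upstream OpenSSH defaults UsePAM to no and only distribution configs turn it on.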
@@ -0,0 +1,73 @@ + + + {{{ oval_metadata("Limit the Key Exchange Algorithms to those which are FIPS-approved.") }}} + {{% if product in ['openeuler2203'] %}} + + + + {{% else %}} + + + + {{% if product in ['opensuse', 'sle12', 'sle15'] %}} + + {{% else %}} + + {{% endif %}} + + + + {{% if product in ['opensuse', 'sle12', 'sle15'] %}} + + {{% else %}} + + {{% endif %}} + + + + {{% endif %}} + + + + + + + + + var_sshd_config_kex + + + + + + + + /etc/ssh/sshd_config + ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ + 1 + + + + + + + + + + + + + + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml new file mode 100644 index 0000000..2f94f68 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml @@ -0,0 +1,17 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Use Only Strong Key Exchange algorithms' + +description: |- + Limit the Key Exchange to strong algorithms. + +rationale: |- + Key exchange is any method in cryptography by which cryptographic keys are exchanged + between two parties, allowing use of a cryptographic algorithm. If the sender and receiver + wish to exchange encrypted messages, each must be equipped to encrypt messages to be + sent and decrypt messages received + +severity: medium + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml index e5631ce..66d0402 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,rhel6,rhel7 +prodtype: ol7,openeuler2203,rhel6,rhel7 title: 'Use Only Strong MACs' 
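Review bot: The capture class in `^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$` is a character range from `,` to `@`, not the three literal characters, so it matches the `.` in `curve25519-sha256@libssh.org` only by accident and admits `;`, `<`, `=` and friends that never appear in an algorithm name, and the nested `(...+)+` quantifier can backtrack badly on a malformed line. A clearer equivalent is `^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w@.,-]+)[\s]*(?:#.*)?$`. The object references `var_sshd_config_kex`, while the variable file this patch adds is `sshd_strong_kex.var`; if the project derives the variable id from the file name, the two will not link, so confirm which id is intended.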
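Review bot: The rationale in the new sshd_use_strong_kex rule.yml is a textbook definition of key exchange and never says what the rule protects against, which is what an auditor reading the guide needs. Suggest `Key exchange methods that rely on SHA-1 or on 1024-bit Diffie-Hellman groups (for example diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1) are considered weak by current standards; restricting sshd to the listed methods prevents a client from negotiating one of them.` The description should also state that the accepted list comes from the `sshd_strong_kex` variable, since the rule shows no ocil or template to point a reader there.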
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml new file mode 100644 index 0000000..3c13a96 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml @@ -0,0 +1 @@ +{{{ oval_sshd_config(parameter="PubkeyAcceptedKeyTypes", value="((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml new file mode 100644 index 0000000..cdc3061 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml @@ -0,0 +1,13 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Use Only Strong Algorithms For Public Key' + +description: |- + Limit the algorithm of public key to strong algorithms. + +rationale: |- + Week algorithms will introduce risks. + +severity: medium diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var new file mode 100644 index 0000000..36b03ba --- /dev/null +++ b/linux_os/guide/services/ssh/sshd_strong_kex.var 
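Review bot: The value regex `((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+` for PubkeyAcceptedKeyTypes only matches the full list in that exact order, so a stricter configuration such as `ssh-ed25519,rsa-sha2-512` fails the rule, and the unescaped `.` in `openssh.com` is a wildcard. If the intent is an allow-list, alternate the names instead: `value="((ssh-ed25519|ssh-ed25519-cert-v01@openssh\.com|rsa-sha2-256|rsa-sha2-512),?)+"`. OpenSSH 8.5 renamed this keyword to `PubkeyAcceptedAlgorithms` and keeps the old name as an alias, so a config written with the new name would not match this check; worth a note in the rule.yml, where `Week algorithms` should also read `Weak algorithms`.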
@@ -0,0 +1,19 @@ +documentation_complete: true + +title: 'SSH Strong KEX by FIPS' + +description: "Specify the FIPS approved KEXs (Key Exchange Algorithms) algorithms\n\tthat are used for methods in cryptography by which cryptographic keys are exchanged between two parties" + +type: string + +operator: equals + +interactive: false + +options: + default: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 + cis_rhel7: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + cis_sle12: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 + cis_sle15: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 + cis_ubuntu2004: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 + standard_openeuler2203: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml index 28eecc8..5165c15 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml 
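Review bot: The variable is titled `SSH Strong KEX by FIPS` and its description says FIPS approved, but the `standard_openeuler2203` selection leads with `curve25519-sha256` and `curve25519-sha256@libssh.org`, which are not FIPS-approved key agreement methods (the `default` and `cis_sle*` lists are). Either rename and re-describe the variable as a strong-KEX list, since curve25519 is an excellent choice on a non-FIPS system, or choose a FIPS-only list for openEuler; as written the profile's claim and its value disagree. `diffie-hellman-group-exchange-sha256` is only as strong as `/etc/ssh/moduli`, so the description should mention pruning groups under 2048 bits.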
@@ -8,6 +8,7 @@ multi_platform_fedora multi_platform_rhv multi_platform_ol + multi_platform_openeuler The passwords to remember should be set correctly. diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml index 579ffc0..1d926b7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Limit Password Reuse' @@ -20,6 +20,11 @@ description: |- The DoD STIG requirement is 5 passwords. + {{% if product in ["openeuler2203"] %}} + Considering the usability of the community release of openEuler in different scenarios, + the openEuler release does not disable historical passwords by default. + Please configure historical passwords based on the site requirements. + {{% endif %}} rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml index db91fa9..0139186 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml 
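Review bot: The openEuler note added to accounts_password_pam_unix_remember, `the openEuler release does not disable historical passwords by default`, is hard to parse and can be read as the opposite of what is meant. Suggest `Considering the usability of the community release of openEuler in different scenarios, openEuler does not enforce a password-history limit by default; configure remember= to the value your site policy requires.` It would also help to say which module the check expects, presumably `pam_unix.so remember=` given the rule name, so that sites using `pam_pwhistory.so` know why they fail.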
@@ -129,8 +129,12 @@ /etc/pam.d/system-auth + pam_unix.so module in auth section --> + {{% if product in ["openeuler2203"] %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + {{% else %}} [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + {{% endif %}} 1 @@ -178,8 +182,12 @@ /etc/pam.d/password-auth + pam_unix.so module in auth section --> + {{% if product in ["openeuler2203"] %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + {{% else %}} [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + {{% endif %}} 1 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index 5575bd3..a06d04e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Set Deny For Failed Password Attempts' @@ -17,6 +17,12 @@ description: |-
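Review bot: The openeuler2203 branch of the faillock deny regex requires the literal token `audit` between `preauth` and `deny=` (the other branch requires `silent`), but `audit`, `silent` and `deny=` are independent pam_faillock options; a fully compliant `auth required pam_faillock.so preauth silent deny=3` fails this check, as does the ordering `preauth deny=3 audit`. Drop the token and anchor on what the rule is about: `[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]`, which also lets both branches collapse into one. If `audit` is deliberately mandatory for openEuler, note in the rule that it logs the login name of unknown users, which captures passwords mistyped into the username field.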
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
  • + {{% if product in ["openeuler2203"] %}} + Considering the usability of the community release of openEuler in different scenarios, + the openEuler release does not provide this security function by default. + Please configure the default number of failures and lockout duration based on + the actual application scenario and requirements. + {{% endif %}} rationale: |- Locking out user accounts after a number of incorrect attempts diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml index 402feab..da09d06 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml @@ -9,6 +9,7 @@ multi_platform_fedora multi_platform_rhv multi_platform_ol + multi_platform_openeuler The root account should be configured to deny access after the number of defined failed attempts has been reached. @@ -37,8 +38,12 @@ /etc/pam.d/system-auth + pam_unix.so module in auth section --> + {{% if product in ["openeuler2203"] %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+audit[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] + {{% else %}} [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] + {{% endif %}} 1 
@@ -72,8 +77,12 @@ /etc/pam.d/password-auth + pam_unix.so module in auth section --> + {{% if product in ["openeuler2203"] %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+audit[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] + {{% else %}} [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] + {{% endif %}} 1 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml index 03329a6..6615efa 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Configure the root Account for Failed Password Attempts' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml index ad3e2f1..057aca8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml 
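Review bot: In the openeuler2203 branch of the deny_root regex, `preauth[\s]+audit[\s]+[^\n]*even_deny_root` pins `audit` to the position immediately after `preauth`, so `preauth silent audit even_deny_root` or `preauth even_deny_root audit deny=3` both fail although they enable root lockout. The fixed-position token is not what this rule verifies; `preauth[\s]+[^\n]*even_deny_root` checks the option regardless of its neighbours. The non-openEuler branch pins `silent` the same way, so this copies an existing brittleness rather than introducing a new one, but the new branch is the place to stop propagating it.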
@@ -7,6 +7,7 @@ multi_platform_fedora multi_platform_rhv multi_platform_ol + multi_platform_openeuler The number of allowed failed logins should be set correctly. diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index e4403bb..dccf1b7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Set Lockout Time for Failed Password Attempts' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var index 46c73e4..206b03e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var @@ -17,5 +17,6 @@ options: 604800: 604800 86400: 86400 900: 900 + 300: 300 default: 0 never: 0 diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml new file mode 100644 index 0000000..af4a11e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml 
@@ -0,0 +1,32 @@ + + + + Accounts password should not be contained substring of name + {{{- oval_affected(products) }}} + Accounts password should not be contained substring of name. + + + + + + + + + + + + + + + + /etc/pam.d/password-auth + ^.*usercheck[\s]*=[\s]*0.*$ + 1 + + + + /etc/pam.d/system-auth + ^.*usercheck[\s]*=[\s]*0.*$ + 1 + + diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml new file mode 100644 index 0000000..fa84a3b --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml @@ -0,0 +1,12 @@ +documentation_complete: true + +title: 'Accounts Name Should Not Be Contained In Password' + +description: |- + Accounts name should not be contained in password. + There is no usercheck=0. + +rationale: |- + If the passowrd contains substring of accounts name, it is a risk. + +severity: high diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml index 86ec1e6..629a797 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Ensure PAM Enforces Password Requirements - Minimum Digit Characters' 
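Review bot: Both regexes search only /etc/pam.d/password-auth and /etc/pam.d/system-auth, but pam_pwquality also takes `usercheck` from /etc/security/pwquality.conf (and its .conf.d directory on newer libpwquality), so a `usercheck = 0` placed there is not seen by this rule. The pattern `^.*usercheck[\s]*=[\s]*0.*$` is also not anchored to the module line, so a commented-out `# usercheck=0` counts as a hit; anchoring it, e.g. `^\s*password\s+\S+\s+pam_pwquality\.so.*\busercheck\s*=\s*0\b`, and adding a pwquality.conf object would close both gaps. The XML elements are stripped in this view, so I cannot confirm that the objects are tested for absence as the rule text implies.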
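Review bot: `prodtype` is missing from this new rule, while the other rules added by the patch (`accounts_password_pam_dictcheck`, `account_unique_id`, `group_unique_id`) carry `prodtype: openeuler2203`, so this one is built for every product although its OVAL only knows the two pam.d paths used on openEuler; `verify_owner_password/rule.yml` later in the patch has the same omission. Add `prodtype: openeuler2203` after `documentation_complete: true` in both. The rationale also misspells `passowrd` and would read more precisely as `A password that contains part of the account name is easier to guess.`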
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml new file mode 100644 index 0000000..13bbae4 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml @@ -0,0 +1,27 @@ + + + {{{ oval_metadata("Check dictcheck in pwquality") }}} + + + + + + + + + + + + {{{ filepath_regex }}} + ^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml new file mode 100644 index 0000000..1dc59f5 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml 
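Review bot: The object regex `^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$)` requires an explicit `dictcheck = N` line, so a host that relies on libpwquality's compiled-in default (dictionary checking is enabled when the option is absent) fails the rule although dictionary words are already rejected; the rule description in this same patch says openEuler does not configure the option by default, so that will be the common case. If absence should pass, the definition needs a second criterion OR-ed with the value comparison that asserts the object does not exist; if an explicit setting is the policy, the rule description should say so. The XML elements are stripped in this view, so I cannot see the `check_existence` actually used.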
@@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words' + +description: |- + The pam_pwquality module's dictcheck check if passwords contains dictionary words. When + dictcheck is set to 1 passwords will be checked for dictionary words. + {{% if product in ["openeuler2203"] %}} + Considering the usability of the community release of openEuler in different scenarios, + the weak password dictionary check is not configured for the openEuler release by default. + Please configure the weak password dictionary check based on the site requirements. + {{% endif %}} + +rationale: |- + Use of a complex password helps to increase the time and resources required to compromise the password. + Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at + guessing and brute-force attacks. +

    + Password complexity is one factor of several that determines how long it takes to crack a password. The more + complex the password, the greater the number of possible combinations that need to be tested before the + password is compromised. +

    + Passwords with dictionary words may be more vulnerable to password-guessing attacks.
+
+severity: medium
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
index 159a832..4e63274 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -1,6 +1,6 @@ documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
 title: 'Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index 5c596d0..866fa5f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -1,6 +1,6 @@ documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
 title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index 7db443b..3b65cb6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -1,6 +1,6 @@ documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
 title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index bdef268..0597fe9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -1,6 +1,6 @@ documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
 title: 'Ensure PAM Enforces Password Requirements - Minimum Special Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
index d888d78..4588489 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml @@ -8,6 +8,7 @@ multi_platform_ol multi_platform_rhel multi_platform_wrlinux + multi_platform_openeuler The password retry should meet minimum requirements diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml index 099cbbf..908ca40 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml index 7b5fe67..203da95 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
 title: 'Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
new file mode 100644
index 0000000..26452c3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: dictcheck
+
+description: |-
+ Prevent the use of dictionary words for passwords.
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ 1: 1
+ default: 1
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index 3770a64..4cb9dc0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -8,6 +8,7 @@ multi_platform_fedora multi_platform_rhv multi_platform_ol
+ multi_platform_openeuler
 The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 1c4032c..9bd46d6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: "Set PAM's Password Hashing Algorithm" diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml new file mode 100644 index 0000000..bfd0b01 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml @@ -0,0 +1,60 @@ + + + + Accounts password should be verified during modifying + {{{- oval_affected(products) }}} + Accounts password should be verified during modifying. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /etc/pam.d/password-auth + ^password[\s]+sufficient[\s]+pam_unix\.so.*$ + 1 + + + + /etc/pam.d/password-auth + ^password[\s]+required[\s]+pam_deny\.so.*$ + 1 + + + + /etc/pam.d/system-auth + ^password[\s]+sufficient[\s]+pam_unix\.so.*$ + 1 + + + + /etc/pam.d/system-auth + ^password[\s]+required[\s]+pam_deny\.so.*$ + 1 + + diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml new file mode 100644 index 0000000..b03948a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml @@ -0,0 +1,12 @@ +documentation_complete: true + +title: 'Accounts Password Should Be Verified When Changing' + +description: |- + Accounts password should be verified when it is modifying. + It is done by pam_unix.so. + +rationale: |- + Anyone can change the password if no verifying. + +severity: high 
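Review bot: The patterns `^password[\s]+sufficient[\s]+pam_unix\.so.*$` and `^password[\s]+required[\s]+pam_deny\.so.*$` hard-code the control flags, so a stack that uses `required`, `requisite` or a bracketed control such as `[success=1 default=ignore]` for pam_unix still asks for the current password yet fails this check, while a stack that lists `pam_deny.so` above `pam_unix.so` passes it although no password can then be changed. Accepting `(?:sufficient|required|requisite|\[[^\]]*\])` as the pam_unix control and, if the order matters to the rule, using one multi-line pattern as the faillock OVAL in this patch does would match the intent. The rule text should also state what is verified, namely that pam_unix prompts a non-root user for the current password before accepting a new one.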
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml index 827129d..9dd6b89 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml @@ -11,8 +11,12 @@ + {{%- if product in ["openeuler2203"] -%}} + + {{%- else -%}} + {{%- endif -%}} {{%- else -%}} @@ -24,7 +28,7 @@ {{%- if init_system == "systemd" -%}} /usr/lib/systemd/system/rescue.service - {{%- if product in ["fedora", "rhel8"] -%}} + {{%- if product in ["fedora", "rhel8", "openeuler2203"] -%}} ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue {{%- else -%}} ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" @@ -90,4 +94,17 @@ 1 {{%- endif -%}} + + {{%- if product in ["openeuler2203"] -%}} + + + + + /usr/lib/systemd/system/emergency.service + ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+emergency + 1 + + {{%- endif -%}} diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index c81e8cc..568163e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Require Authentication for Single User Mode' 
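Review bot: The added emergency.service criterion, like the rescue.service one in the preceding hunk, reads the unit only from /usr/lib/systemd/system, but a unit file or an `ExecStart=` drop-in under /etc/systemd/system takes precedence at boot and is invisible to this check, as is an `Environment=SYSTEMD_SULOGIN_FORCE=1` setting, which makes systemd-sulogin-shell fall through to a root shell without a password when the root account is locked. Add the /etc/systemd/system unit path and its `.d` drop-in directory as further objects, or state in the rule description that local overrides are not inspected. The enclosing `{{%- if -%}}` structure of this definition begins before the hunk.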
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml new file mode 100644 index 0000000..8d31f9a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml @@ -0,0 +1,51 @@ + + + {{{ oval_metadata("All accounts on the system should have unique master group IDs for proper accountability.") }}} + + + + + + + + + ^(?!sync|shutdown|halt|operator).* + + + + + + + + + + + + variable_count_of_all_user_group_ids + + + + + + + + + + + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml new file mode 100644 index 0000000..01b1ea9 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml @@ -0,0 +1,11 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure All Accounts on the System Have Unique Master Group IDs' + +description: 'Change user master group IDs, or delete accounts.' + +rationale: 'To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.' + +severity: medium diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml new file mode 100644 index 0000000..491ad45 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml @@ -0,0 +1,51 @@ + + + {{{ oval_metadata("All accounts on the system should have unique IDs for proper accountability.") }}} + + + + + + + + + .* + + + + + + + + + + + + variable_count_of_all_uids + + + + + + + + + + + + + + + + + + + + + + 
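Review bot: `^(?!sync|shutdown|halt|operator).*` excludes every account whose name merely starts with one of the four words (`operator2`, `syncuser`), not only those accounts, because the lookahead is not anchored at the end of the name; `^(?!(?:sync|shutdown|halt|operator)$).*` expresses the intended exemption. Separately, requiring every user's primary GID to be unique is a stronger demand than the UID rule it mirrors, and the rationale in `account_unique_group_id/rule.yml` is copied verbatim from `account_unique_id`, so it never says why a shared primary group is a risk; either explain that in the rationale or narrow the scope to interactive users. With the XML elements stripped from this view I cannot verify the comparison around `variable_count_of_all_user_group_ids`.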
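Review bot: The object pattern `.*` counts every account in /etc/passwd, whereas the STIG text added for this rule in `policy/stig/shared.yml` (next hunk) scopes the requirement to interactive users, so a duplicate UID among system accounts fails the scan while the checktext tells the auditor it is not a finding. Either restrict the object to interactive users, as the home-directory OVAL in this patch does with `create_interactive_users_list_object`, or remove "for interactive users" from the policy text so the two agree. The name `variable_count_of_all_uids` suggests a count-versus-unique-count comparison, but the stripped XML does not let me confirm it.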
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml new file mode 100644 index 0000000..cfe5f91 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml @@ -0,0 +1,15 @@ +srg_requirement: |- + {{{ full_name }}} duplicate User IDs (UIDs) must not exist for interactive users. + +vuldiscussion: |- + To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. + +checktext: |- + Verify that {{{ full_name }}} contains no duplicate User IDs (UIDs) for interactive users with the following command: + + $ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd + + If output is produced and the accounts listed are interactive user accounts, this is a finding. + +fixtext: |- + Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate User ID (UID) with a unique UID. diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml new file mode 100644 index 0000000..687a0c3 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml @@ -0,0 +1,11 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure All Accounts on the System Have Unique User IDs' + +description: 'Change user IDs (UIDs), or delete accounts, so each has a unique id.' + +rationale: 'To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.' + +severity: medium 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh new file mode 100644 index 0000000..645c46e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh @@ -0,0 +1,2 @@ +#!/bin/bash +# remediation = none diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh new file mode 100644 index 0000000..cc7f221 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# remediation = none + +echo "test_user:x:30090:30090:Test User:/home/test_user:/usr/bin/bash" >> /etc/passwd +echo "test_user_2:x:30090:30090:Test User 2:/home/test_user_2:/usr/bin/bash" >> /etc/passwd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml new file mode 100644 index 0000000..e2047d9 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml @@ -0,0 +1,25 @@ + + + + All Accounts are Necessary + + openEuler 22.03LTS + + All Accounts are Necessary + + + + + + + + .* + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml new file mode 100644 index 0000000..143fe8a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml @@ -0,0 +1,20 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'All Accounts Are Necessary' + +description: |- +
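Review bot: This OVAL hard-codes the platform as the literal `openEuler 22.03LTS` instead of going through `oval_metadata`/`oval_affected(products)` like the other new OVALs in the patch, and its only object matches accounts with `.*`, so as far as the stripped elements let me tell it evaluates the same on every host. A rule whose description says it cannot be scanned automatically should not ship an OVAL that reports `pass`, because that hides the manual step from the report; leaving the OVAL out and putting the procedure from `accounts_are_necessary/rule.yml` into `ocil:` with an `ocil_clause:` makes the scanner report the rule as notchecked together with the instructions. The same applies to `login_accounts_are_necessary/oval/shared.xml` further down.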

    It can not be scanned automatically, please check it manually.

    +

    If any account is not necessary, it should be removed from /etc/passwd.

    +
      +
    • Use below cli command to list all accounts in system: +
      # cat /etc/passwd | awk  -F ":" '{print $1}'
      +
    • +
    + +rationale: |- + It is a risk if an account exists in system but it is not necessary. + +severity: medium + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml new file mode 100644 index 0000000..b3425ec --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml @@ -0,0 +1,50 @@ + + + {{{ oval_metadata("All groups on the system should have unique names for proper accountability.") }}} + + + + + + + /etc/group + ^.+:.+:(\d+):.*$ + 1 + + + + + + + + + + + + + + + + + + + + + variable_count_of_all_group_ids + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml new file mode 100644 index 0000000..6944a01 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml @@ -0,0 +1,15 @@ +srg_requirement: |- + {{{ full_name }}} groups must have unique Group ID (GID). + +vuldiscussion: |- + To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. + +checktext: |- + Verify that {{{ full_name }}} contains no duplicate Group IDs (GID) for interactive users with the following command: + + $ cut -d : -f 3 /etc/group | uniq -d + + If the system has duplicate group ids, this is a finding. + +fixtext: |- + Edit the file "/etc/group" and provide each group that has a duplicate Group ID (GID) with a unique GID. diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml new file mode 100644 index 0000000..66925eb --- /dev/null 
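Review bot: The metadata string `All groups on the system should have unique names for proper accountability.` was copied from `group_unique_name`; this OVAL extracts the GID with `^.+:.+:(\d+):.*$`, so it should read "unique Group IDs (GIDs)". The description in `group_unique_id/rule.yml` that follows has the same slip, `Change the group name or delete groups, so each has a unique id.`, where the group ID is meant.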
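Review bot: The checktext command `cut -d : -f 3 /etc/group | uniq -d` reports only adjacent duplicates, so two groups with the same GID that are not on consecutive lines of /etc/group go unreported; the list must be sorted first: `cut -d: -f3 /etc/group | sort | uniq -d`. The phrase "for interactive users" in the same sentence does not apply to groups and should be dropped.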
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml @@ -0,0 +1,12 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure All Groups on the System Have Unique Group ID' + +description: 'Change the group name or delete groups, so each has a unique id.' + +rationale: 'To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.' + +severity: medium + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh new file mode 100644 index 0000000..031b46c --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# remediation = no + +groupadd cac_test$(date +%s) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh new file mode 100644 index 0000000..d8d9f7e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# remediation = no + +echo "testgroup1:x:1004:" >> /etc/group +echo "testgroup:x:1004:" >> /etc/group diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml new file mode 100644 index 0000000..a1d46bb --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml 
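Review bot: The header `# remediation = no` in both test scenarios is not the spelling the test suite uses; the `account_unique_id` tests in this same patch write `# remediation = none`, which is the documented value, so `no` is likely treated as an unknown value by the test runner. Change it to `# remediation = none` here and in the two `group_unique_name` tests that follow.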
@@ -0,0 +1,50 @@ + + + {{{ oval_metadata("All groups on the system should have unique names for proper accountability.") }}} + + + + + + + /etc/group + ^(.+):.+ + 1 + + + + + + + + + + + + + + + + + + + + + variable_count_of_all_group_names + + + + + + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml new file mode 100644 index 0000000..d3bc722 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml @@ -0,0 +1,12 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure All Groups on the System Have Unique Group Names' + +description: 'Change the group name or delete groups, so each has a unique name.' + +rationale: 'To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.' + +severity: medium + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh new file mode 100644 index 0000000..031b46c --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# remediation = no + +groupadd cac_test$(date +%s) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh new file mode 100644 index 0000000..e375c55 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# remediation = no + +echo "testgroup:x:1004:" >> /etc/group +echo "testgroup:x:1005:" >> /etc/group 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml new file mode 100644 index 0000000..ac39f98 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml @@ -0,0 +1,30 @@ + + + + All Login Accounts are Necessary + + openEuler 22.03LTS + + All Login Accounts are Necessary + + + + + + + + .*nologin.* + + + + .* + login_accounts_are_necessary_state + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml new file mode 100644 index 0000000..7fd34bc --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml @@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'All Login Accounts Are Necessary' + +description: |- +
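Review bot: The object `.*nologin.*` treats only nologin shells as non-login accounts, while the rule's own check commands in `login_accounts_are_necessary/rule.yml` below also count `/bin/false` as non-login (`grep "\/sbin\/nologin\|\/bin\/false"`), so the OVAL and the manual procedure disagree on which accounts are in scope; `.*(nologin|/bin/false)$` would align them. This OVAL also carries the literal platform `openEuler 22.03LTS` and backs a rule whose description declares it manual, so the `ocil:` concern raised for `accounts_are_necessary` applies here as well.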

    It can not be scanned automatically, please check it manually.

    + If any account need not login, it should be removed from /etc/passwd + or it should be marked by "nologin". +

    It can be checked as below cli commands:

    +
      +
    • List all nologin accounts, then check it manually: +
      # cat /etc/passwd | grep "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
      +
    • +
    • List all login accounts, then check it manually: +
      # cat /etc/passwd | grep -v "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
      +
    • +
    • List all accounts which the password are locked: +
      # cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2=="L" || $2=="LK") {print $1}'
      +
    • +
    • List all accounts which the password are not locked: +
      # cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}'
      +
    • +
    + +rationale: |- + It is a risk if an account can login system but it is not necessary. + +severity: medium + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml index d41a0eb..738fb8b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml @@ -10,6 +10,11 @@ description: |- A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is . + {{% if product in ["openeuler2203"] %}} + Considering the usability of the community release of openEuler in different scenarios, + the password expiration time is not configured in the openEuler release by default. + Please set the password expiration time based on the site requirements. + {{% endif %}} rationale: |- Any password, no matter how complex, can eventually be cracked. Therefore, passwords diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml index 34d605b..781cd3f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml @@ -7,7 +7,8 @@ multi_platform_fedora multi_platform_ol multi_platform_rhel - multi_platform_wrlinux + multi_platform_wrlinux + multi_platform_openeuler All GIDs referenced in /etc/passwd must be defined in /etc/group. 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml index c68effb..bcb50bd 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml @@ -8,6 +8,7 @@ multi_platform_ol multi_platform_rhel multi_platform_wrlinux + multi_platform_openeuler Checks interactive shell timeout diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml index cdfa67d..437abe6 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Set Interactive Session Timeout' @@ -9,6 +9,11 @@ description: |- all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:
    TMOUT=
    + {{% if product in ["openeuler2203"] %}} + Considering the usability of the community release of openEuler in different scenarios, + the session timeout interval is not configured by default in the openEuler release. + Please configure the session timeout interval based on the site requirements. + {{% endif %}} rationale: |- Terminating an idle session within a short time period reduces diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml new file mode 100644 index 0000000..56b3396 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml @@ -0,0 +1,83 @@ + + + {{{ oval_metadata("All Interactive Users Home Directories Must Exist") }}} + + + + + + + {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}} + {{{ create_interactive_users_list_object(interactive_users_object) }}} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + var_accounts_user_interactive_home_directory_exists_dirs_count_fs + + + + + + + + + + + + + + + + var_accounts_user_interactive_home_directory_exists_dirs_count + + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml index d51679f..6163f3d 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,rhv4,wrlinux1019 +prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'All Interactive Users Home Directories Must Exist' 
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml index 73e457d..9bbd226 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml @@ -6,6 +6,7 @@ multi_platform_rhel multi_platform_wrlinux multi_platform_ol + multi_platform_openeuler The default umask for users of the bash shell diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml index 9b189bc..a6d933c 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel6,rhel7,rhel8 +prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8 title: 'Ensure the Default Bash Umask is Set Correctly' @@ -9,6 +9,13 @@ description: |- add or correct the umask setting in /etc/bashrc to read as follows:
    umask 
    + {{% if product in ["openeuler2203"] %}} + After UMASK is set to 077, the default permission on the created file is 600, + and the default permission on the directory is 700. + Considering the usability of the community release of openEuler in different scenarios, + the openEuler release does not configure the UMASK by default. + Please configure the UMASK based on the site requirements. + {{% endif %}} rationale: |- The umask value influences the permissions assigned to files when they are created. diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml index 7e6b11a..6271928 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Ensure the Default Umask is Set Correctly For Interactive Users' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml new file mode 100644 index 0000000..40d201e --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml @@ -0,0 +1,20 @@ + + + {{{ oval_metadata("SMAP should not be set.") }}} + + + + + + + + + + + /proc/cmdline + ^.*nosmap.*$ + 1 + + + + diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml new file mode 100644 index 0000000..51dab28 --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml 
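Review bot: The `^.*nosmap.*$` pattern applied to `/proc/cmdline` in grub2_nosmap_argument_absent/oval/shared.xml matches the string anywhere on the line, including inside another token, and it reads only the running kernel's command line, so a `nosmap` present in the boot loader configuration but not in the booted entry is missed, and after the `grubby --remove-args` remediation the rule keeps failing until reboot. Anchor the argument on whitespace, `(^|\s)nosmap(\s|$)`, and either also check the boot loader configuration or state in the rule that the result reflects the running kernel only. The grub2_nosmep_argument_absent OVAL further down has the same pattern.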
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Ensure SMAP is not disabled during boot' + +description: |- + The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into + memory pages in the user space, it is enabled by default since Linux kernel 3.7. + But it could be disabled through kernel boot parameters. + + Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by + the nosmap boot paramenter option. + + Check that the line
    GRUB_CMDLINE_LINUX="..."
    within /etc/default/grub + doesn't contain the argument nosmap. + Run the following command to update command line for already installed kernels: +
    # grubby --update-kernel=ALL --remove-args="nosmap"
    + +rationale: |- + Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and + manipulation of data in the user space. + +severity: medium + +platform: machine + diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml new file mode 100644 index 0000000..359bc84 --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml @@ -0,0 +1,20 @@ + + + {{{ oval_metadata("SMEP should not be set.") }}} + + + + + + + + + + + /proc/cmdline + ^.*nosmep.*$ + 1 + + + + diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml new file mode 100644 index 0000000..f39bbb7 --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Ensure SMEP is not disabled during boot' + +description: |- + The SMEP is used to prevent the supervisor mode from executing user space code, + it is enabled by default since Linux kernel 3.0. But it could be disabled through + kernel boot parameters. + + Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by + the nosmep boot paramenter option. + + Check that the line
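Review bot: The description in grub2_nosmap_argument_absent/rule.yml tells the reader to inspect `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, while the accompanying OVAL evaluates `/proc/cmdline`, so a manual check and the automated result can disagree. Say which source the check uses, e.g. add `The automated check inspects the command line of the running kernel (/proc/cmdline); a change to /etc/default/grub takes effect once the boot loader configuration is regenerated and the system is rebooted.` Also `paramenter` should read `parameter`. The grub2_nosmep_argument_absent rule.yml that follows has the same gap.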
    GRUB_CMDLINE_LINUX="..."
    within /etc/default/grub + doesn't contain the argument nosmep. + Run the following command to update command line for already installed kernels: +
    # grubby --update-kernel=ALL --remove-args="nosmep"
    + +rationale: |- + Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows + the kernel to unintentionally execute code in less privileged memory space. + +severity: medium + +platform: machine + diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml index d12c53c..0c629cb 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 title: 'Set the UEFI Boot Loader Password' diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml index 12df194..18a5974 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml @@ -6,6 +6,7 @@ Red Hat Virtualization 4 multi_platform_ol multi_platform_rhel + multi_platform_openeuler The sticky bit should be set for all world-writable directories. diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml index ed85608..d364e2b 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml @@ -7,6 +7,7 @@ multi_platform_fedora multi_platform_rhel multi_platform_wrlinux + multi_platform_openeuler All files should be owned by a group 
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml index e51cd7e..efd5046 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Ensure All Files Are Owned by a Group' diff --git a/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml b/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml new file mode 100644 index 0000000..5db67ea --- /dev/null +++ b/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml @@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure All Symlink Files Have Canonical Path' + +description: |- +

    It can not be scanned automatically, please check it manually.

    +

    If any symlink files have no camonical path, it should be removed.

    +
      +
    • You can use below cli command to find out all symlink files which have no canonical path under current path: +
      # find ./ -type l -follow
      +
    • +
    • Or find it under root path bug exclude some dirs: +
      # find / -path /var -prune -o -path /run -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -follow
      +
    • +
    • Or find it under the whole disk partition: +
      # find / -xdev -type l -follow
      +
    • +
    + +rationale: |- + If any symlink files have no camonical path, it should be removed. + +severity: medium + diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml index 75d95d4..64429cc 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml @@ -6,6 +6,7 @@ Red Hat Virtualization 4 multi_platform_rhel multi_platform_wrlinux + multi_platform_openeuler All files should be owned by a user diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml index f2fb1f2..2903767 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhel6,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 title: 'Ensure All Files Are Owned by a User' diff --git a/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml b/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml new file mode 100644 index 0000000..107fed0 --- /dev/null +++ b/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml @@ -0,0 +1,40 @@ + + + + All hidden executable files + + multi_platform_openeuler + + Find out all hidden executable files + + + + + + + + symbolic link + + + + regular + false + false + false + + + + + / + ^\..* + symlink_file_list_match + exec_file_list_match + + + + + + + diff --git a/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml b/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml new file mode 100644 index 0000000..5c8bc4b --- /dev/null 
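Review bot: The `find` commands in no_empty_symlink_files/rule.yml rely on `-follow`, which find(1) documents as deprecated with position-dependent effect; `find / -xdev -xtype l` (or `find -L / -xdev -type l`) is the documented way to list dangling links and would make the three variants consistent. The rationale only restates the description; state the risk instead, e.g. `A dangling symlink points at a path that does not exist yet; whatever is later created at that path is reached through the link, so stale links should be removed or re-pointed.` `camonical` (twice) should read `canonical` and `bug exclude` should read `but exclude`.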
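Review bot: As far as the stripped rendering shows, the file object in no_hide_exec_files/oval/shared.xml walks from `/` with the name pattern `^\..*` and no filesystem or path restriction, so a scan traverses /proc, /sys and any network mount, and legitimately executable dotfiles in home directories (an executable `.xsession` or `.profile`, for instance) are reported as failures. If the object behaviors allow it, set `recurse_file_system="local"` and exclude pseudo-filesystems, and say in the object `comment` what a finding means and how it is meant to be reviewed.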
+++ b/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml @@ -0,0 +1,14 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Ensure All Executable Files are not hidden' + +description: |- + Find out all hidden executable files from system. + +rationale: |- + If a executable file is hidden, it maybe will introduce risks, since it can not be fould easily + +severity: medium + diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml index 2408bd0..a5bd907 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml @@ -2,7 +2,13 @@ documentation_complete: true title: 'Restrict Exposed Kernel Pointer Addresses Access' -description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}' +description: |- + {{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} + {{% if product in ["openeuler2203"] %}} + To ensure easy maintenance and location, + the kptr_restrict parameter is set to 0 by default in the openEuler release. + Please set this parameter based on the site requirements. + {{% endif %}} rationale: |- Exposing kernel pointers (through procfs or seq_printf()) exposes diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index bf58274..0ccf428 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml 
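Review bot: The description of no_hide_exec_files/rule.yml only says that hidden executables are listed; it does not say what a compliant system looks like or what an administrator should do with a finding, and the rationale (`it maybe will introduce risks, since it can not be fould easily`) needs rewording. Suggested description: `No regular file whose name begins with a dot may carry an execute bit. Review each reported file; remove it or clear the execute bits (chmod a-x) if it is not required.` Suggested rationale: `Executables stored in hidden files are easily missed during routine review and can conceal unwanted code.` The title `Ensure All Executable Files are not hidden` would read better as `Ensure No Executable Files Are Hidden`.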
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Restrict Access to Kernel Message Buffer' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml index 637b76d..cfb23ef 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml @@ -6,6 +6,7 @@ multi_platform_fedora Red Hat Enterprise Linux 8 Oracle Linux 8 + multi_platform_openeuler SSH should be configured to use the system-wide crypto policy setting. diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml index b9d8b06..5442718 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol8,rhel8 +prodtype: fedora,ol8,openeuler2203,rhel8 title: 'Configure SSH to use System Crypto Policy' diff --git a/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml new file mode 100644 index 0000000..1147e9b --- /dev/null +++ b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml 
@@ -0,0 +1,18 @@ +documentation_complete: true + +prodtype: openeuler2203 + +title: 'Uninstall All Python2 Packages' + +description: |- + {{{ describe_package_remove(package="python2") }}} + +rationale: |- + python2 related packages should be removed. + +severity: medium + +template: + name: package_removed + vars: + pkgname: python2 diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml index 600c7c0..26c1de9 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml @@ -8,6 +8,7 @@ multi_platform_rhv multi_platform_rhel multi_platform_ol + multi_platform_openeuler Ensure all yum or dnf repositories utilize signature checking. diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml index fc460dc..e1b4280 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 +prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 title: 'Ensure gpgcheck Enabled for All {{{ pkg_manager }}} Package Repositories' diff --git a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml index 986a804..f0eb8a8 100644 --- a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml +++ b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml 
@@ -7,4 +7,65 @@ installed_OS_is_openeuler2203 + + openEuler 22.03 LTS + + installed_OS_is_openeuler2203 + + + openEuler 22.03 LTS + + installed_OS_is_openeuler2203 + + + + Container + + installed_env_is_a_container + + + Bare-metal or Virtual Machine + + installed_env_is_a_machine + + + Package gdm is installed + + installed_env_has_gdm_package + + + Package libuser is installed + + installed_env_has_libuser_package + + + Package nss-pam-ldapd is installed + + installed_env_has_nss-pam-ldapd_package + + + Package pam is installed + + installed_env_has_pam_package + + + Package providing /etc/login.defs is installed + + installed_env_has_login_defs + + + Package sssd-common is installed + + installed_env_has_sssd-common_package + + + Package systemd is installed + + installed_env_has_systemd_package + + + Package yum is installed + + installed_env_has_yum_package + diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile index 6fd9707..7f6f0e3 100644 --- a/openeuler2203/profiles/standard.profile +++ b/openeuler2203/profiles/standard.profile 
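Review bot: The two new OS entries in openeuler2203-cpe-dictionary.xml carry the identical title `openEuler 22.03 LTS` and the same check `installed_OS_is_openeuler2203`; if they are meant for the `22.03LTS_SP1` and `22.03LTS_SP2` CPE names added to `PRODUCT_TO_CPE_MAPPING` in this patch, the titles should say so (`openEuler 22.03 LTS SP1`, `openEuler 22.03 LTS SP2`) and `installed_OS_is_openeuler2203` must actually match SP releases, which is not shown here. Otherwise the new CPEs never select the platform and every rule evaluates as not applicable on SP systems.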
@@ -9,3 +9,88 @@ description: |- selections: - package_telnet_removed + - package_tftp-server_removed + - package_tftp_removed + - package_net-snmp_removed + - accounts_no_uid_except_zero + - file_owner_etc_passwd + - file_groupowner_etc_passwd + - file_permissions_etc_passwd + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_permissions_etc_shadow + - file_owner_etc_group + - file_groupowner_etc_group + - file_permissions_etc_group + - file_owner_etc_gshadow + - file_groupowner_etc_gshadow + - file_permissions_etc_gshadow + - accounts_user_interactive_home_directory_exists + - gid_passwd_group_same + - var_password_pam_minlen=8 + - accounts_password_pam_minlen + - accounts_password_pam_minclass + - var_password_pam_ucredit=0 + - accounts_password_pam_ucredit + - var_password_pam_lcredit=0 + - accounts_password_pam_lcredit + - var_password_pam_dcredit=0 + - accounts_password_pam_dcredit + - var_password_pam_ocredit=0 + - accounts_password_pam_ocredit + - accounts_password_pam_retry + - accounts_password_pam_unix_remember + - set_password_hashing_algorithm_systemauth + - accounts_maximum_age_login_defs + - var_accounts_minimum_age_login_defs=0 + - accounts_minimum_age_login_defs + - accounts_password_warn_age_login_defs + - sshd_disable_empty_passwords + - grub2_uefi_password + - require_singleuser_auth + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + - var_accounts_passwords_pam_faillock_unlock_time=300 + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_tmout=5_min + - accounts_tmout + - sshd_allow_only_protocol2 + - sshd_disable_rhosts + - disable_host_auth + - configure_ssh_crypto_policy + - sysctl_kernel_randomize_va_space + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_kptr_restrict + - no_files_unowned_by_user + - file_permissions_ungroupowned + - dir_perms_world_writable_sticky_bits + - var_accounts_user_umask=077 + - accounts_umask_etc_bashrc + - service_auditd_enabled + - 
auditd_data_retention_max_log_file_action + - auditd_data_retention_num_logs + - service_rsyslog_enabled + - package_python2_removed + - ensure_gpgcheck_never_disabled + - login_accounts_are_necessary + - accounts_are_necessary + - group_unique_id + - account_unique_id + - account_unique_group_id + - account_unique_name + - group_unique_name + - accounts_password_pam_dictcheck + - verify_owner_password + - no_name_contained_in_password + - sshd_strong_kex=standard_openeuler2203 + - sshd_use_strong_kex + - sshd_use_strong_pubkey + - sshd_enable_pam + - sshd_use_strong_macs + - sshd_use_strong_ciphers + - grub2_nosmap_argument_absent + - grub2_nosmep_argument_absent + - package_ftp_removed + - no_empty_symlink_files + - no_hide_exec_files + - no_lowprivilege_users_writeable_cmds_in_crontab_file diff --git a/shared/checks/oval/installed_env_has_login_defs.xml b/shared/checks/oval/installed_env_has_login_defs.xml index 94ecbda..e304b19 100644 --- a/shared/checks/oval/installed_env_has_login_defs.xml +++ b/shared/checks/oval/installed_env_has_login_defs.xml @@ -21,7 +21,11 @@ +{{% if product == "openeuler2203" %}} + shadow +{{% else %}} shadow-utils +{{% endif %}} {{% elif pkg_system == "dpkg" %}} {{%- endif %}} + {{%- if product != "openeuler2203" %}} {{%- if application == "sshd" %}} {{#- This condition is here to avoid regression in sshd configuration rules. @@ -46,6 +47,7 @@ {{{- application_not_required_or_requirement_unset() }}} {{{- application_required_or_requirement_unset() }}} {{%- endif %}} + {{%- endif %}} {{{- oval_line_in_file_criterion(path, parameter) }}} @@ -53,10 +55,12 @@ {{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass) }}} {{%- endif %}} + {{%- if product != "openeuler2203" %}} {{%- if application == "sshd" %}}
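Review bot: `var_accounts_minimum_age_login_defs=0` in standard.profile sets the minimum password age to zero, which lets a user change the password repeatedly in one sitting and cycle past the history enforced by `accounts_password_pam_unix_remember`, selected a few lines above; a minimum age of at least one day is the usual choice when reuse is restricted. Likewise the four `var_password_pam_*credit=0` values disable the per-class requirements so that `accounts_password_pam_minclass` alone carries complexity; if that is intended it deserves a comment in the profile. The hunk begins on the previous line.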
    {{# close criteria left open in application_required_or_requirement_unset #}} {{%- endif %}} + {{%- endif %}} {{%- if missing_config_file_fail %}} {{{- oval_config_file_exists_criterion(path) }}} @@ -368,7 +372,11 @@ +{{% if package == "python2" %}} + python2-.* +{{% else %}} {{{ package }}} +{{% endif %}} {{% elif pkg_system == "dpkg" %}} {{%- endmacro %}} + + +{{# + Macro which generates the OVAL metadata section + +:param description: The text to place in the description section +:type description: str +:param title: Optional, the associated rule title is used by default +:type title: str +:param affected_platforms: Optional, list of unix platform strings (e.g. "Fedora") to put under the affected element. Uses the oval_affected macro by default under the hood. +:type affected_platforms: str + +#}} +{{%- macro oval_metadata(description, title="", affected_platforms=None) -%}} + +{{%- if title %}} + {{{ title }}} +{{%- else %}} + {{{ rule_title }}} +{{%- endif -%}} +{{%- if affected_platforms %}} + +{{%- for platform in affected_platforms %}} + {{{ platform }}} +{{%- endfor %}} + +{{%- else %}} + {{{ oval_affected(products) | indent -}}} +{{%- endif %}} + {{{ description }}}{{{ caller() if caller else '' }}} + +{{%- endmacro %}} + +{{# + Extract from /etc/passwd a list composed of password objects related to non-system UIDs. + This list is then filtered to exclude some special usernames and users with /sbin/nologin shell. + + The macro receives a string as parameter, which is used as the password_object id in the rule. + + :param object_id: Object id to be created. + :type object_id: str +#}} +{{%- macro create_interactive_users_list_object(object_id) -%}} + {{%- set ignored_users_list="(nobody|nfsnobody)" %}} + + + .* + state_{{{ rule_id }}}_users_uids + state_{{{ rule_id }}}_users_ignored + state_{{{ rule_id }}}_users_nologin_shell + + + + {{{ uid_min }}} + + + + ^{{{ ignored_users_list }}}$ + + + + ^/sbin/nologin$ + +{{%- endmacro %}} + 
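Review bot: The `{{%- if product != "openeuler2203" %}}` guards added around the `application == "sshd"` blocks in the config-file macro (this hunk and the one just above it) drop the sshd-required criteria for openEuler without saying why, while the existing comment explains that those criteria exist to avoid regressions in sshd rules. Add a one-line Jinja comment next to the first guard stating the reason, e.g. `{{#- openEuler: sshd requirement criteria skipped — <reason> -#}}`, and mention the consequence that sshd rules on that product are evaluated on the configuration line alone. The enclosing macro starts outside the hunk.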
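Review bot: The `python2-.*` pattern substituted for the package name when `package == "python2"` does not match a package called exactly `python2`, so the base interpreter package, if it exists under that name on openEuler, is never reported by package_python2_removed; `^python2(-.*)?$` covers both the base package and its sub-packages, and the macro should say in a comment that the name is a pattern match in this branch. Whether the surrounding element sets `operation="pattern match"` is not visible in the stripped rendering.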
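Review bot: In the new `oval_metadata` macro the docstring types `affected_platforms` as `str` while describing it as a list of platform strings and iterating over it; change the line to `:type affected_platforms: list`. In `create_interactive_users_list_object`, only `^/sbin/nologin$` is treated as a non-interactive shell, so accounts whose shell is `/usr/sbin/nologin` or `/bin/false` count as interactive and make the home-directory rule fail on them; `^(/usr)?/sbin/nologin$` (plus `/bin/false` if the product uses it) would be safer, and the macro comment should list which shells are excluded.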
diff --git a/shared/templates/template_OVAL_sysctl b/shared/templates/template_OVAL_sysctl index f84fc3d..62ae26d 100644 --- a/shared/templates/template_OVAL_sysctl +++ b/shared/templates/template_OVAL_sysctl @@ -23,7 +23,9 @@ The "{{{ SYSCTLVAR }}}" kernel parameter should be set to the appropriate value in both system configuration and system runtime. +{{% if product not in ["openeuler2203"] %}} +{{% endif %}} @@ -47,7 +49,9 @@ {{% endif %}} +{{% if product not in ["openeuler2203"] %}} +{{% endif %}} diff --git a/ssg/constants.py b/ssg/constants.py index 401c60d..aa081d8 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -120,7 +120,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = { "Red Hat OpenShift Container Platform 4": "ocp4", "Oracle Linux 7": "ol7", "Oracle Linux 8": "ol8", - "openEuler 22.03 LTS": "openeuler2203", + "multi_platform_openeuler": "openeuler2203", "openSUSE": "opensuse", "Red Hat Enterprise Linux 6": "rhel6", "Red Hat Enterprise Linux 7": "rhel7", @@ -224,6 +224,8 @@ PRODUCT_TO_CPE_MAPPING = { ], "openeuler2203": [ "cpe:/o:openEuler:openEuler:22.03LTS:ga:server", + "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server", + "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server", ], "opensuse": [ "cpe:/o:opensuse:leap:42.1", -- 2.33.0
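Review bot: The two `{{% if product not in ["openeuler2203"] %}}` blocks added to template_OVAL_sysctl exclude part of the sysctl criteria for openEuler, but the stripped rendering does not show which element each wraps; if it is the runtime criterion, the template's own description, `should be set to the appropriate value in both system configuration and system runtime`, becomes untrue for that product and a value changed only in the running kernel, or only in configuration, would pass. Add a Jinja comment on the first guard naming what is skipped and why, and adjust the description text for that product.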
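Review bot: Replacing the key `"openEuler 22.03 LTS"` with `"multi_platform_openeuler"` in `FULL_NAME_TO_PRODUCT_MAPPING` removes the full-name lookup that every other entry in that dict provides, while this same patch still uses the title `openEuler 22.03 LTS` in the CPE dictionary; OVAL `multi_platform_*` platform strings are normally resolved through the multi-platform mapping in the same file rather than this dict. Keep the original line and add the new one only if it is really needed: `"openEuler 22.03 LTS": "openeuler2203",` followed by `"multi_platform_openeuler": "openeuler2203",`. The `22.03LTS_SP1`/`_SP2` CPE additions in the second hunk are fine provided the CPE dictionary defines matching entries.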