From 10617803f98189b619b64f9c716c6aef00610aa9 Mon Sep 17 00:00:00 2001
|
|
From: "steven.y.gui" <steven_ygui@163.com>
|
|
Date: Thu, 27 Jul 2023 11:35:15 +0800
|
|
Subject: [PATCH] enable 54 rules for openEuler
|
|
|
|
---
|
|
.../service_avahi-daemon_disabled/rule.yml | 2 +-
|
|
.../cron_and_at_config/oval/shared.xml | 51 +++++++++++++++
|
|
.../cron_and_at/cron_and_at_config/rule.yml | 15 +++++
|
|
.../file_groupowner_cron_d/rule.yml | 2 +-
|
|
.../file_groupowner_cron_daily/rule.yml | 2 +-
|
|
.../file_groupowner_cron_hourly/rule.yml | 2 +-
|
|
.../file_groupowner_cron_monthly/rule.yml | 2 +-
|
|
.../file_groupowner_cron_weekly/rule.yml | 2 +-
|
|
.../file_groupowner_crontab/rule.yml | 2 +-
|
|
.../cron_and_at/file_owner_cron_d/rule.yml | 2 +-
|
|
.../file_owner_cron_daily/rule.yml | 2 +-
|
|
.../file_owner_cron_hourly/rule.yml | 2 +-
|
|
.../file_owner_cron_monthly/rule.yml | 2 +-
|
|
.../file_owner_cron_weekly/rule.yml | 2 +-
|
|
.../cron_and_at/file_owner_crontab/rule.yml | 2 +-
|
|
.../file_permissions_cron_d/rule.yml | 2 +-
|
|
.../file_permissions_cron_daily/rule.yml | 2 +-
|
|
.../file_permissions_cron_hourly/rule.yml | 2 +-
|
|
.../file_permissions_cron_monthly/rule.yml | 2 +-
|
|
.../file_permissions_cron_weekly/rule.yml | 2 +-
|
|
.../file_permissions_crontab/rule.yml | 2 +-
|
|
.../file_groupowner_cron_allow/rule.yml | 2 +-
|
|
.../file_owner_cron_allow/rule.yml | 2 +-
|
|
.../service_crond_enabled/rule.yml | 2 +-
|
|
.../package_openldap-servers_removed/rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../service_chronyd_or_ntpd_enabled/rule.yml | 2 +-
|
|
.../nis/package_ypbind_removed/rule.yml | 2 +-
|
|
.../nis/package_ypserv_removed/rule.yml | 2 +-
|
|
.../printing/service_cups_disabled/rule.yml | 2 +-
|
|
.../package_openssh-server_installed/rule.yml | 2 +-
|
|
.../package_openssh-server_removed/rule.yml | 2 +-
|
|
.../oval/shared.xml | 1 +
|
|
.../firewalld_sshd_port_enabled/rule.yml | 2 +-
|
|
.../oval/shared.xml | 36 ++++++++++
|
|
.../sshd_disable_user_known_hosts_ex/rule.yml | 19 ++++++
|
|
.../service_debug-shell_disabled/rule.yml | 2 +-
|
|
.../account_temp_expire_date/rule.yml | 2 +-
|
|
.../oval/shared.xml | 65 +++++++++++++++++++
|
|
.../rule.yml | 24 +++++++
|
|
.../oval/shared.xml | 1 +
|
|
.../audit_rules_login_events/oval/shared.xml | 1 +
|
|
.../rule.yml | 2 +-
|
|
.../audit_rules_login_events_lastlog/rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rsyslog_cron_logging/oval/shared.xml | 1 +
|
|
.../rsyslog_cron_logging/rule.yml | 2 +-
|
|
.../service_firewalld_enabled/rule.yml | 2 +-
|
|
.../configure_firewalld_ports/oval/shared.xml | 1 +
|
|
.../configure_firewalld_ports/rule.yml | 2 +-
|
|
.../rule.yml | 35 ++++++++++
|
|
.../oval/shared.xml | 1 +
|
|
.../set_firewalld_default_zone/rule.yml | 2 +-
|
|
.../oval/{rhel6.xml => shared.xml} | 1 +
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../sysctl_net_ipv4_ip_forward/rule.yml | 2 +-
|
|
.../kernel_module_sctp_disabled/rule.yml | 2 +-
|
|
.../rule.yml | 2 +-
|
|
.../selinux/selinux_policytype/rule.yml | 2 +-
|
|
.../system/selinux/selinux_state/rule.yml | 2 +-
|
|
openeuler2203/profiles/standard.profile | 55 ++++++++++++++++
|
|
shared/templates/template_OVAL_sysctl | 2 +-
|
|
80 files changed, 372 insertions(+), 65 deletions(-)
|
|
create mode 100644 linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml
|
|
create mode 100644 linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml
|
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml
|
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml
|
|
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
|
|
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml
|
|
create mode 100644 linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml
|
|
rename linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/{rhel6.xml => shared.xml} (97%)
|
|
|
|
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
|
|
index 76c4a8a..fd7dd6d 100644
|
|
--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
|
|
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol7,ol8,rhel6,rhel7,rhel8
|
|
+prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8
|
|
|
|
title: 'Disable Avahi Server Software'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml b/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml
|
|
new file mode 100644
|
|
index 0000000..c032930
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml
|
|
@@ -0,0 +1,51 @@
|
|
+<def-group>
|
|
+ <definition class="compliance" id="cron_and_at_config" version="1">
|
|
+ <metadata>
|
|
+ <title>Verify Permissions On The cron And at Files</title>
|
|
+ <affected family="unix">
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
+ </affected>
|
|
+ <description>Check permissions on the cron and at files.</description>
|
|
+ </metadata>
|
|
+ <criteria operator="AND">
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_groupowner_cron_d" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_groupowner_cron_daily" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_groupowner_cron_hourly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_groupowner_cron_monthly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_groupowner_cron_weekly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_groupowner_crontab" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_owner_cron_d" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_owner_cron_daily" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_owner_cron_hourly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_owner_cron_monthly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_owner_cron_weekly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_owner_crontab" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_permissions_cron_d" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_permissions_cron_daily" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_permissions_cron_hourly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_permissions_cron_monthly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_permissions_cron_weekly" />
|
|
+ <extend_definition comment="audit augenrules" definition_ref="file_permissions_crontab" />
|
|
+
|
|
+ <criterion comment="no cron.deny" test_ref="test_no_cron_deny" />
|
|
+ <criterion comment="no at.deny" test_ref="test_no_at_deny" />
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <unix:file_test check="all" check_existence="none_exist" comment="look for cron.deny in /etc" id="test_no_cron_deny" version="1">
|
|
+ <unix:object object_ref="object_no_cron_deny" />
|
|
+ </unix:file_test>
|
|
+ <unix:file_test check="all" check_existence="none_exist" comment="look for at.deny in /etc" id="test_no_at_deny" version="1">
|
|
+ <unix:object object_ref="object_no_at_deny" />
|
|
+ </unix:file_test>
|
|
+
|
|
+ <unix:file_object comment="look for cron.deny in /etc" id="object_no_cron_deny" version="1">
|
|
+ <unix:path operation="equals">/etc</unix:path>
|
|
+ <unix:filename operation="pattern match">^cron.deny$</unix:filename>
|
|
+ </unix:file_object>
|
|
+ <unix:file_object comment="look for at.deny in /etc" id="object_no_at_deny" version="1">
|
|
+ <unix:path operation="equals">/etc</unix:path>
|
|
+ <unix:filename operation="pattern match">^at.deny$</unix:filename>
|
|
+ </unix:file_object>
|
|
+
|
|
+</def-group>
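Review bot: Every `extend_definition` in the new criteria block carries the comment `audit augenrules`, which was copied from an audit rule and describes none of the eighteen ownership and permission definitions it annotates; each comment should name what it extends, e.g. `<extend_definition comment="cron.d group owner" definition_ref="file_groupowner_cron_d" />`. The sibling `cron_and_at_config/rule.yml` in this commit says the check covers cron.allow and at.allow, yet no `extend_definition` here references `file_groupowner_cron_allow` or `file_owner_cron_allow` (both enabled for openeuler2203 elsewhere in this patch) and nothing in the patch checks at.allow, so either this definition or that description is incomplete. The filename patterns `^cron.deny$` and `^at.deny$` leave the dot unescaped and so also match names like `cronXdeny`; `^cron\.deny$` and `^at\.deny$` state what is meant.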
|
|
diff --git a/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml b/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml
|
|
new file mode 100644
|
|
index 0000000..630b3d7
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml
|
|
@@ -0,0 +1,15 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: openeuler2203
|
|
+
|
|
+title: 'Verify Permissions On The cron And at Files'
|
|
+
|
|
+description: |-
|
|
+ Check permissions on the cron and at files, include: cron.d, crontab, cron.hourly,
|
|
+ cron.daily, cron.weekly, cron.monthly, cron.allow, at.allow. And there are no files of cron.deny and at.deny.
|
|
+
|
|
+rationale: |-
|
|
+ Strict permission control prevents attacks from low-privileged users.
|
|
+
|
|
+severity: medium
|
|
+
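Review bot: The description's `include:` clause reads as a sentence fragment, and the rationale `Strict permission control prevents attacks from low-privileged users.` does not say what is being prevented. I would write the description as `Verify ownership and permissions of the cron and at configuration files (cron.d, crontab, cron.hourly, cron.daily, cron.weekly, cron.monthly, cron.allow, at.allow) and verify that cron.deny and at.deny do not exist.` and the rationale as `Restricting who can read and modify these files prevents unprivileged users from viewing or inserting scheduled jobs, and removing the deny files keeps job scheduling governed by the allow lists.` The file also ends with an added empty line after `severity: medium`, which the other rule files in this patch do not have.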
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
|
|
index 3add79d..f8d3d62 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Group Who Owns cron.d'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
|
|
index 53e1800..57b7fb2 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Group Who Owns cron.daily'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
|
|
index c3545bc..48d42ad 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Group Who Owns cron.hourly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
|
|
index a664d78..82c0fac 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Group Who Owns cron.monthly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
|
|
index de1ac8c..91e258c 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Group Who Owns cron.weekly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
|
|
index 8df80cb..cc35092 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Group Who Owns Crontab'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
|
|
index 8778109..5cdf85c 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Owner on cron.d'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
|
|
index ed6e76e..32dc30b 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Owner on cron.daily'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
|
|
index 298a03b..12491e8 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Owner on cron.hourly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
|
|
index 35f2bc1..4a8734b 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Owner on cron.monthly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
|
|
index f5bba63..ca82f2d 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Owner on cron.weekly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
|
|
index a10a283..fd5b5e7 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Owner on crontab'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
|
|
index cd0dc61..fdf8daf 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Permissions on cron.d'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
|
|
index 4313ffb..84651fc 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Permissions on cron.daily'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
|
|
index 1d06872..eef3028 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Permissions on cron.hourly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
|
|
index b4d1863..72ffb6c 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Permissions on cron.monthly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
|
|
index 523ea17..4fcbe28 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Permissions on cron.weekly'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
|
|
index 126bffd..31b3152 100644
|
|
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Verify Permissions on crontab'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
|
|
index b32afa5..7c797bf 100644
|
|
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Verify Group Who Owns /etc/cron.allow file'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
|
|
index 80dedca..27694be 100644
|
|
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Verify User Who Owns /etc/cron.allow file'
|
|
|
|
diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
|
|
index a1f82cf..1917061 100644
|
|
--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
|
|
+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Enable cron Service'
|
|
|
|
diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
|
|
index d328872..348f794 100644
|
|
--- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
|
|
+++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8
|
|
|
|
title: 'Uninstall openldap-servers Package'
|
|
|
|
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
|
|
index 437d72a..1381b06 100644
|
|
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
|
|
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4
|
|
|
|
title: 'Specify a Remote NTP Server'
|
|
|
|
diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
|
|
index 6bdf586..f50264c 100644
|
|
--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
|
|
+++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4
|
|
|
|
title: 'Enable the NTP Daemon'
|
|
|
|
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
|
index eb1ad4c..efb6c20 100644
|
|
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
|
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Remove NIS Client'
|
|
|
|
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
|
index d364ef6..f855b1d 100644
|
|
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
|
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Uninstall ypserv Package'
|
|
|
|
diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
|
|
index bd04e58..542a304 100644
|
|
--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml
|
|
+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel6,rhel7,rhel8
|
|
+prodtype: openeuler2203,rhel6,rhel7,rhel8
|
|
|
|
title: 'Disable the CUPS Service'
|
|
|
|
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
|
index 0bb4aad..ab99c61 100644
|
|
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
|
|
+prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
|
|
|
|
title: 'Install the OpenSSH Server Package'
|
|
|
|
diff --git a/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml
|
|
index 1c491d1..13affc3 100644
|
|
--- a/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
|
|
+prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
|
|
|
|
title: 'Remove the OpenSSH Server Package'
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
index 25f1d1e..19c155e 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
|
@@ -7,6 +7,7 @@
|
|
<platform>Red Hat Enterprise Linux 8</platform>
|
|
<platform>Red Hat Virtualization 4</platform>
|
|
<platform>multi_platform_ol</platform>
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
<platform>multi_platform_wrlinux</platform>
|
|
</affected>
|
|
<description>If inbound SSH access is needed, the firewall should allow access to
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
index 37f7e32..ef8970f 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol7,ol8,rhel7,rhel8,rhv4
|
|
+prodtype: ol7,ol8,openeuler2203,rhel7,rhel8,rhv4
|
|
|
|
title: 'Enable SSH Server firewalld Firewall Exception'
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml
|
|
new file mode 100644
|
|
index 0000000..d629e00
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml
|
|
@@ -0,0 +1,36 @@
|
|
+<def-group>
|
|
+ <definition class="compliance" id="sshd_disable_user_known_hosts_ex" version="1">
|
|
+ <metadata>
|
|
+ <title>Disable SSH Support for User Known Hosts</title>
|
|
+ <affected family="unix">
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
+ </affected>
|
|
+ <description>Not support user known hosts on ssh server</description>
|
|
+ </metadata>
|
|
+ <criteria operator="OR">
|
|
+ <extend_definition comment="Remove known_hosts config from sshd_config" definition_ref="sshd_disable_user_known_hosts" />
|
|
+ <criteria operator="AND">
|
|
+ <criterion comment="Check known hosts list in root" test_ref="test_user_known_hosts_file_list_in_root" />
|
|
+ <criterion comment="Check known hosts list in home" test_ref="test_user_known_hosts_file_list_in_home" />
|
|
+ </criteria>
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <unix:file_test check="all" check_existence="none_exist" comment="look for known_hosts in /root" id="test_user_known_hosts_file_list_in_root" version="1">
|
|
+ <unix:object object_ref="object_user_known_hosts_file_list_in_root" />
|
|
+ </unix:file_test>
|
|
+ <unix:file_test check="all" check_existence="none_exist" comment="look for known_hosts in /home" id="test_user_known_hosts_file_list_in_home" version="1">
|
|
+ <unix:object object_ref="object_test_user_known_hosts_file_list_in_home" />
|
|
+ </unix:file_test>
|
|
+
|
|
+ <unix:file_object comment="look for known_hosts in /root" id="object_user_known_hosts_file_list_in_root" version="1">
|
|
+ <unix:path operation="equals">/root/.ssh</unix:path>
|
|
+ <unix:filename operation="pattern match">^known_hosts$</unix:filename>
|
|
+ </unix:file_object>
|
|
+ <unix:file_object comment="look for known_hosts in /home" id="object_test_user_known_hosts_file_list_in_home" version="1">
|
|
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all" />
|
|
+ <unix:path operation="pattern match">\/home\/.+\/\.ssh</unix:path>
|
|
+ <unix:filename operation="pattern match">^known_hosts$</unix:filename>
|
|
+ </unix:file_object>
|
|
+</def-group>
|
|
+
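Review bot: The outer `criteria operator="OR"` makes the rule pass whenever no `known_hosts` file is present under `/root/.ssh` or `/home/*/.ssh`, even when `IgnoreUserKnownHosts` is not set; since the ssh client writes that file on any outbound connection, the second branch reports a point-in-time state rather than a configuration, and a host that passes today fails after a single outbound ssh session. If accepting either condition is intended, the rule documentation should say so explicitly; otherwise I would keep only the `extend_definition` branch. The home object only examines paths matching `\/home\/.+\/\.ssh`, so accounts whose home directory lives elsewhere are not covered. The object ids are also inconsistent: `object_test_user_known_hosts_file_list_in_home` carries a `test_` prefix that its `/root` counterpart `object_user_known_hosts_file_list_in_root` does not.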
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml
|
|
new file mode 100644
|
|
index 0000000..ee76374
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml
|
|
@@ -0,0 +1,19 @@
|
|
+documentation_complete: true
|
|
+
|
|
+title: 'Not Use User Known Hosts'
|
|
+
|
|
+description: |-
|
|
+ SSH can allow system users to connect to systems if a cache of the remote
|
|
+ systems public keys is available. This should be disabled.
|
|
+ <br /><br />
|
|
+ To ensure this behavior is disabled, add or correct the
|
|
+ following line in <tt>/etc/ssh/sshd_config</tt>:
|
|
+ <pre>IgnoreUserKnownHosts yes</pre>
|
|
+ Or remove the files of known_hosts from /root and /home directory.
|
|
+
|
|
+rationale: |-
|
|
+ Configuring this setting for the SSH daemon provides additional
|
|
+ assurance that remove login via SSH will require a password, even
|
|
+ in the event of misconfiguration elsewhere.
|
|
+
|
|
+severity: medium
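Review bot: The new rule has no `prodtype` line, unlike `cron_and_at_config/rule.yml` in this commit which sets `prodtype: openeuler2203`, while its OVAL is scoped to `multi_platform_openeuler` only; I would add `prodtype: openeuler2203` after `documentation_complete: true` so the rule is presumably not selected for products that have no check for it. The rationale says `remove login via SSH` where `remote login via SSH` is meant. The description's last sentence, `Or remove the files of known_hosts from /root and /home directory.`, should say that this is a second, weaker way the check is satisfied, e.g. `Alternatively, the check passes if no known_hosts file exists under /root/.ssh or any /home/*/.ssh directory, although such files reappear after any outbound SSH connection.`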
|
|
diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
|
|
index cfda54d..8efaa28 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4
|
|
|
|
title: 'Disable debug-shell SystemD Service'
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
|
|
index 34ef1e6..1b663a4 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Assign Expiration Date to Temporary Accounts'
|
|
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
|
|
new file mode 100644
|
|
index 0000000..92b2667
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
|
|
@@ -0,0 +1,65 @@
|
|
+<def-group>
|
|
+ <definition class="compliance" id="audit_rules_kernel_module_install_and_remove" version="1">
|
|
+ <metadata>
|
|
+ <title>Audit Kernel Module Installing and Removing</title>
|
|
+ <affected family="unix">
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
+ </affected>
|
|
+ <description>The audit rules should be configured to log information about kernel module installing and removing.</description>
|
|
+ </metadata>
|
|
+ <criteria operator="AND">
|
|
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
+ <criterion comment="audit augenrules 64-bit init_module" test_ref="test_64bit_init_module_augenrules" />
|
|
+ <criterion comment="audit augenrules 64-bit delete_module" test_ref="test_64bit_delete_module_augenrules" />
|
|
+ <criterion comment="audit augenrules inmod" test_ref="test_install_module_augenrules" />
|
|
+ <criterion comment="audit augenrules rmmod" test_ref="test_remove_module_augenrules" />
|
|
+ <criterion comment="audit augenrules modprobe" test_ref="test_probe_module_augenrules" />
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit init_module" id="test_64bit_init_module_augenrules" version="1">
|
|
+ <ind:object object_ref="object_64bit_init_module_augenrules" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object id="object_64bit_init_module_augenrules" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit delete_module" id="test_64bit_delete_module_augenrules" version="1">
|
|
+ <ind:object object_ref="object_64bit_delete_module_augenrules" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object id="object_64bit_delete_module_augenrules" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" comment="audit augenrules insmod" id="test_install_module_augenrules" version="1">
|
|
+ <ind:object object_ref="object_install_module_augenrules" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object id="object_install_module_augenrules" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" comment="audit augenrules rmmod" id="test_remove_module_augenrules" version="1">
|
|
+ <ind:object object_ref="object_remove_module_augenrules" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object id="object_remove_module_augenrules" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^[\s]*-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" comment="audit augenrules modprobe" id="test_probe_module_augenrules" version="1">
|
|
+ <ind:object object_ref="object_probe_module_augenrules" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object id="object_probe_module_augenrules" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+</def-group>
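Review bot: The three watch patterns (object_install_module_augenrules, object_remove_module_augenrules, object_probe_module_augenrules) accept only the `-k` key form, while the two syscall patterns accept `(-k[\s]+|-F[\s]+key=)`, so a rules file written with `-F key=` throughout passes the init_module/delete_module tests and fails the insmod/rmmod/modprobe tests; change the tail of each watch pattern to `-p[\s]+x[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$`. The criterion comment `audit augenrules inmod` should read `insmod` to match the test's own comment. Only `arch=b64` is checked for init_module and delete_module; if 32-bit syscalls are auditable on the target, an `arch=b32` counterpart is presumably wanted as in the neighbouring kernel-module-loading rule — worth confirming against that rule's OVAL. The watch paths are hard-coded to `/sbin/…`; on a usrmerge layout an administrator may write `/usr/sbin/insmod`, which this pattern would not match — confirm which path openEuler ships.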
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml
|
|
new file mode 100644
|
|
index 0000000..03aa0b7
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml
|
|
@@ -0,0 +1,24 @@
|
|
+documentation_complete: true
|
|
+
|
|
+title: 'Ensure auditd Collects Information on Kernel Module Installing and Removing'
|
|
+
|
|
+prodtype: openeuler2203
|
|
+
|
|
+description: |-
|
|
+ To capture kernel module installing and removing events.
|
|
+
|
|
+ The place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
|
|
+ to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
|
|
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
+
|
|
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
|
|
+ add the lines to file <tt>/etc/audit/audit.rules</tt>.
|
|
+
|
|
+ <p>Here, we only use the first method (augenrules) to check. </p>
|
|
+
|
|
+rationale: |-
|
|
+ The addition/removal of kernel modules can be used to alter the behavior of
|
|
+ the kernel and potentially introduce malicious code into kernel space. It is important
|
|
+ to have an audit trail of modules that have been introduced into the kernel.
|
|
+
|
|
+severity: medium
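Review bot: The description tells the reader to "add the lines" but never lists them, so the rule cannot be remediated from its own text; the OVAL in this commit checks five rules, and the description should show them, e.g. `-a always,exit -F arch=b64 -S init_module -k modules`, the matching `delete_module` line, and `-w /sbin/insmod -p x -k modules` plus the same watch for `/sbin/rmmod` and `/sbin/modprobe`. The opening line `To capture kernel module installing and removing events.` is a sentence fragment; something like `Configure auditd to capture kernel module installing and removing events.` reads as a complete instruction. `depends on a way <tt>auditd</tt> daemon is configured` should be `depends on the way the <tt>auditd</tt> daemon is configured`. The final `<p>Here, we only use the first method (augenrules) to check.</p>` is useful information; consider moving it into the warnings or an explicit "only the augenrules location is checked" sentence so readers using auditctl know the rule will fail for them.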
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml
|
|
index e987860..872458d 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml
|
|
@@ -6,6 +6,7 @@
|
|
<platform>Red Hat Virtualization 4</platform>
|
|
<platform>multi_platform_fedora</platform>
|
|
<platform>multi_platform_ol</platform>
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
<platform>multi_platform_rhel</platform>
|
|
</affected>
|
|
<description>The audit rules should be configured to log information about kernel module loading and unloading.</description>
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml
|
|
index 772b34f..c222204 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml
|
|
@@ -6,6 +6,7 @@
|
|
<platform>Red Hat Virtualization 4</platform>
|
|
<platform>multi_platform_fedora</platform>
|
|
<platform>multi_platform_ol</platform>
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
<platform>multi_platform_rhel</platform>
|
|
</affected>
|
|
<description>Audit rules should be configured to log successful and unsuccessful login and logout events.</description>
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
|
|
index 4d2af18..9dc69ef 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Record Attempts to Alter Logon and Logout Events - faillock'
|
|
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
|
index 355004a..58cb1ca 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Record Attempts to Alter Logon and Logout Events - lastlog'
|
|
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
|
index 7c27c22..531cf37 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Record Attempts to Alter Logon and Logout Events - tallylog'
|
|
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
|
|
index 5536a62..071c762 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Record Events that Modify User/Group Information - /etc/group'
|
|
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
|
index 8627ad9..b4dbab4 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Record Events that Modify User/Group Information - /etc/gshadow'
|
|
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
|
|
index 4db8bbe..47e36fa 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Record Events that Modify User/Group Information - /etc/security/opasswd'
|
|
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
|
|
index 0f18997..c21225c 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Record Events that Modify User/Group Information - /etc/passwd'
|
|
|
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
|
|
index 32b6b9e..77f1e71 100644
|
|
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Record Events that Modify User/Group Information - /etc/shadow'
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
|
|
index 97e8d85..ec94870 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
|
|
@@ -7,6 +7,7 @@
|
|
<platform>Red Hat Virtualization 4</platform>
|
|
<platform>multi_platform_fedora</platform>
|
|
<platform>multi_platform_ol</platform>
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
<platform>multi_platform_rhel</platform>
|
|
<platform>multi_platform_wrlinux</platform>
|
|
</affected>
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
|
|
index 31e9a56..cba4e19 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Ensure cron Is Logging To Rsyslog'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
|
|
index 74d3880..bcb4758 100644
|
|
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Verify firewalld Enabled'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
|
|
index c25e31a..cee35b4 100644
|
|
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
|
|
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
|
|
@@ -6,6 +6,7 @@
|
|
<platform>Red Hat Enterprise Linux 7</platform>
|
|
<platform>Red Hat Enterprise Linux 8</platform>
|
|
<platform>Red Hat Virtualization 4</platform>
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
<platform>multi_platform_wrlinux</platform>
|
|
</affected>
|
|
<description>Configure the firewalld ports to allow approved
|
|
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
|
|
index d2b6697..49c390c 100644
|
|
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Configure the Firewalld Ports'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml
|
|
new file mode 100644
|
|
index 0000000..3acd6c4
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml
|
|
@@ -0,0 +1,35 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: openeuler2203
|
|
+
|
|
+title: 'Disable Unnecessary Services and Ports on Firewalld'
|
|
+
|
|
+description: |-
|
|
+ Configure the <tt>firewalld</tt> services and ports to allow approved
|
|
+ services to have the right to access to the system. To configure <tt>firewalld</tt>
|
|
+ to open/remove ports, run the following command:
|
|
+ <pre>$ sudo firewall-cmd --permanent --add-port/--remove-port=<i>port_number</i>/tcp</pre>
|
|
+ or
|
|
+ <pre>$ sudo firewall-cmd --permanent --add-service/--remove-service=<i>service_name</i></pre>
|
|
+ Whether the port configuration is correct depends on the application scenario. Therefore, automatic check is not suitable.
|
|
+
|
|
+rationale: |-
|
|
+ In order to prevent unauthorized connection of devices, unauthorized
|
|
+ transfer of information, or unauthorized tunneling (i.e., embedding of data
|
|
+ types within data types), organizations must disable or restrict unused or
|
|
+ unnecessary physical and logical ports/protocols on information systems.
|
|
+ <br /><br />
|
|
+ Operating systems are capable of providing a wide variety of functions and
|
|
+ services. Some of the functions and services provided by default may not be
|
|
+ necessary to support essential organizational operations.
|
|
+ Additionally, it is sometimes convenient to provide multiple services from
|
|
+ a single component (e.g., VPN and IPS); however, doing so increases risk
|
|
+ over limiting the services provided by any one component.
|
|
+ <br /><br />
|
|
+ To support the requirements and principles of least functionality, the
|
|
+ operating system must support the organizational requirements, providing
|
|
+ only essential capabilities and limiting the use of ports, protocols,
|
|
+ and/or services to only those required, authorized, and approved to conduct
|
|
+ official business or to address authorized quality of life issues.
|
|
+
|
|
+severity: medium
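Review bot: The remediation text runs `firewall-cmd --permanent …` but never mentions that permanent changes do not touch the running ruleset until `$ sudo firewall-cmd --reload`; add that line after the two examples so a reader does not believe the port or service is already closed. The combined forms `--add-port/--remove-port=` and `--add-service/--remove-service=` are pseudo-syntax that can be copied literally; showing one `--remove-port=<i>port_number</i>/tcp` and one `--remove-service=<i>service_name</i>` example is clearer. `allow approved services to have the right to access to the system` should read `allow only approved services to access the system`. The closing sentence says an automatic check is not suitable; since the rule ships without OVAL, stating that it is a manual check would set expectations for scan results.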
|
|
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml
|
|
index cc275f0..39966f4 100644
|
|
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml
|
|
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml
|
|
@@ -8,6 +8,7 @@
|
|
<platform>Red Hat Virtualization 4</platform>
|
|
<platform>multi_platform_fedora</platform>
|
|
<platform>multi_platform_ol</platform>
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
</affected>
|
|
<description>Change the default firewalld zone to drop.</description>
|
|
</metadata>
|
|
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
|
|
index 7cf9cf7..74afe48 100644
|
|
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4
|
|
|
|
title: 'Set Default firewalld Zone for Incoming Packets'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml
|
|
similarity index 97%
|
|
rename from linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml
|
|
rename to linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml
|
|
index 7eddc5c..2e487a8 100644
|
|
--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml
|
|
+++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml
|
|
@@ -4,6 +4,7 @@
|
|
<title>Change the default policy to DROP (from ACCEPT) for
|
|
the INPUT built-in chain</title>
|
|
<affected family="unix">
|
|
+ <platform>multi_platform_openeuler</platform>
|
|
<platform>Red Hat Enterprise Linux 6</platform>
|
|
</affected>
|
|
<description>Change the default policy to DROP (from ACCEPT)
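Review bot: Renaming `oval/rhel6.xml` to `oval/shared.xml` makes this check the default OVAL for every product listed in the rule's prodtype, not just RHEL 6 and openEuler, yet the `<affected>` block still names only those two platforms; if the rule's prodtype (not visible here) includes other products, either add their platforms or keep a product-specific file name. The new `<platform>multi_platform_openeuler</platform>` is placed before `Red Hat Enterprise Linux 6`, whereas every other hunk in this commit appends `multi_platform_*` entries after the named platforms; move it below the RHEL 6 line for consistency.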
|
|
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
|
|
index a8fe3d1..0dfda21 100644
|
|
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
|
index d9b306f..f38d5cb 100644
|
|
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: ocp4,ol7,ol8,rhel6,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
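Review bot: `openeuler2203` is inserted after `rhel6` here, while every other prodtype change in this commit keeps the list alphabetical (e.g. `ol8,openeuler2203,rhel6` in sysctl_net_ipv6_conf_all_forwarding); use `prodtype: ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019` so textual diffs against sibling rules stay minimal.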
|
|
|
|
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
|
|
index 661121c..759e6b0 100644
|
|
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Disable Kernel Parameter for IPv6 Forwarding'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
|
index 6284b03..5073adb 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
|
index fb91b61..9bf1f89 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
|
|
index 3ed5583..49a137b 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
|
index 93d3a6d..4f0cf66 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
|
|
index 7633f29..2f09e5c 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
|
|
index ffca800..e7a63f2 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4
|
|
|
|
title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
|
|
index ed541e7..f843b20 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
|
index a958ce1..d0c8370 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
|
|
index 1f2f188..1612dd7 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
|
index 5fa19c6..32c4521 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
index 1263313..0c016c7 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
|
index 8cb0868..d68c99e 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
|
|
|
|
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
|
|
index b3278b5..ae395f4 100644
|
|
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Disable SCTP Support'
|
|
|
|
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
|
index de971a2..04e1d45 100644
|
|
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
|
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Disable Modprobe Loading of USB Storage Driver'
|
|
|
|
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
|
index b6b719f..d9c6817 100644
|
|
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
|
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Configure SELinux Policy'
|
|
|
|
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
|
|
index fc2d4ae..31afc19 100644
|
|
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
|
|
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
|
title: 'Ensure SELinux State is Enforcing'
|
|
|
|
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
|
|
index 7f6f0e3..00405f5 100644
|
|
--- a/openeuler2203/profiles/standard.profile
|
|
+++ b/openeuler2203/profiles/standard.profile
|
|
@@ -94,3 +94,58 @@ selections:
|
|
- no_empty_symlink_files
|
|
- no_hide_exec_files
|
|
- no_lowprivilege_users_writeable_cmds_in_crontab_file
|
|
+ - service_debug-shell_disabled
|
|
+ - service_avahi-daemon_disabled
|
|
+ - package_openldap-servers_removed
|
|
+ - service_cups_disabled
|
|
+ - package_ypserv_removed
|
|
+ - package_ypbind_removed
|
|
+ - account_temp_expire_date
|
|
+ - no_netrc_files
|
|
+ - service_chronyd_or_ntpd_enabled
|
|
+ - chronyd_or_ntpd_specify_remote_server
|
|
+ - kernel_module_sctp_disabled
|
|
+ - kernel_module_tipc_disabled
|
|
+ - sshd_set_loglevel_verbose
|
|
+ - sshd_set_max_auth_tries
|
|
+ - sshd_max_auth_tries_value=3
|
|
+ - sshd_do_not_permit_user_env
|
|
+ - sshd_disable_user_known_hosts_ex
|
|
+ - sshd_disable_rhosts_rsa
|
|
+ - service_firewalld_enabled
|
|
+ - set_firewalld_default_zone
|
|
+ - disable_unnecessary_service_and_ports
|
|
+ - service_iptables_enabled
|
|
+ - service_ip6tables_enabled
|
|
+ - set_iptables_default_rule
|
|
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
|
+ - sysctl_net_ipv4_conf_all_accept_redirects
|
|
+ - sysctl_net_ipv6_conf_all_accept_redirects
|
|
+ - sysctl_net_ipv4_conf_all_secure_redirects
|
|
+ - sysctl_net_ipv4_conf_default_secure_redirects
|
|
+ - sysctl_net_ipv4_conf_all_send_redirects
|
|
+ - sysctl_net_ipv4_conf_default_send_redirects
|
|
+ - sysctl_net_ipv4_conf_all_rp_filter
|
|
+ - sysctl_net_ipv4_ip_forward
|
|
+ - sysctl_net_ipv6_conf_all_forwarding
|
|
+ - sysctl_net_ipv4_conf_all_accept_source_route
|
|
+ - sysctl_net_ipv6_conf_all_accept_source_route
|
|
+ - sysctl_net_ipv4_tcp_syncookies
|
|
+ - sysctl_net_ipv4_conf_all_log_martians
|
|
+ - sysctl_net_ipv4_conf_default_log_martians
|
|
+ - sysctl_fs_suid_dumpable
|
|
+ - selinux_state
|
|
+ - selinux_policytype
|
|
+ - sysctl_fs_protected_symlinks
|
|
+ - sysctl_fs_protected_hardlinks
|
|
+ - kernel_module_usb-storage_disabled
|
|
+ - service_crond_enabled
|
|
+ - cron_and_at_config
|
|
+ - audit_rules_login_events
|
|
+ - audit_rules_usergroup_modification_group
|
|
+ - audit_rules_usergroup_modification_gshadow
|
|
+ - audit_rules_usergroup_modification_opasswd
|
|
+ - audit_rules_usergroup_modification_passwd
|
|
+ - audit_rules_usergroup_modification_shadow
|
|
+ - audit_rules_kernel_module_install_and_remove
|
|
+ - rsyslog_cron_logging
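Review bot: The new selections enable `service_firewalld_enabled` together with `service_iptables_enabled` and `service_ip6tables_enabled` in the same profile; on most systemd-based distributions firewalld.service declares a conflict with iptables.service/ip6tables.service, so a host can satisfy at most one side and the profile will permanently report the other as failing. If openEuler 22.03 is meant to use firewalld, the iptables selections (including `set_iptables_default_rule`) should be dropped, or the firewalld ones if it is not; at minimum a comment in the profile should state which firewall is expected. The IPv4 sysctl coverage is also asymmetric: `sysctl_net_ipv4_conf_all_accept_redirects`, `sysctl_net_ipv4_conf_all_accept_source_route` and `sysctl_net_ipv4_conf_all_rp_filter` are selected without their `conf_default_*` counterparts, while the secure_redirects, send_redirects and log_martians pairs select both, so interfaces created after boot would not be covered by the first three. If that is intentional it deserves a one-line note; otherwise the default variants should be added alongside.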
|
|
diff --git a/shared/templates/template_OVAL_sysctl b/shared/templates/template_OVAL_sysctl
|
|
index 62ae26d..3c30612 100644
|
|
--- a/shared/templates/template_OVAL_sysctl
|
|
+++ b/shared/templates/template_OVAL_sysctl
|
|
@@ -43,7 +43,7 @@
|
|
<description>The "{{{ SYSCTLVAR }}}" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</description>
|
|
</metadata>
|
|
<criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">
|
|
-{{% if product in ["rhel6", "debian8", "ubuntu1404", "ubuntu1604", "ubuntu1804"] %}}
|
|
+{{% if product in ["openeuler2203", "rhel6", "debian8", "ubuntu1404", "ubuntu1604", "ubuntu1804"] %}}
|
|
<extend_definition comment="is IPv6 enabled?" definition_ref="kernel_module_ipv6_option_disabled" />
|
|
{{% else %}}
|
|
<extend_definition comment="is IPv6 enabled?" definition_ref="sysctl_kernel_ipv6_disable" />
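Review bot: Adding openeuler2203 to this product list routes its IPv6 sysctl checks through `kernel_module_ipv6_option_disabled`, the modprobe-option based "is IPv6 disabled" definition otherwise used only for rhel6 and the old Debian/Ubuntu releases, instead of the `sysctl_kernel_ipv6_disable` definition the newer products use. On a modern kernel where ipv6 is built in and is disabled via the disable_ipv6 sysctl, the modprobe check may report IPv6 as disabled when it is not, and because the enclosing criteria is an OR every IPv6 sysctl rule selected for openEuler would then pass regardless of the parameter's real value. Please confirm that `kernel_module_ipv6_option_disabled` is actually built for the openeuler2203 product (otherwise this extend_definition reference is unresolved at build time) and add a short Jinja comment on the product list explaining why the modprobe-based branch is the right one for openEuler. The `{{% endif %}}` that closes this block lies outside the hunk.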
|
|
--
|
|
2.21.0.windows.1