scap-security-guide/enable-76-rules-for-openEuler.patch
steven.y.gui 9b9f626e2c add br
2023-06-26 19:53:33 +08:00


From 6c007906571ed8e7b931d1b923a54af52b6ec91c Mon Sep 17 00:00:00 2001
From: "steven.y.gui" <steven_ygui@163.com>
Date: Mon, 26 Jun 2023 19:32:25 +0800
Subject: [PATCH] enable 76 rules for openEuler
---
.../rule.yml | 30 +++++++
.../services/ftp/package_ftp_removed/rule.yml | 22 +++++
.../tftp/package_tftp-server_removed/rule.yml | 2 +-
.../tftp/package_tftp_removed/rule.yml | 2 +-
.../package_net-snmp_removed/rule.yml | 2 +-
.../disable_host_auth/oval/shared.xml | 20 +++++
.../sshd_allow_only_protocol2/oval/shared.xml | 20 +++++
.../oval/shared.xml | 20 +++++
.../sshd_disable_rhosts/oval/shared.xml | 20 +++++
.../sshd_enable_pam/policy/stig/shared.yml | 26 ++++++
.../ssh/ssh_server/sshd_enable_pam/rule.yml | 26 ++++++
.../sshd_use_strong_ciphers/rule.yml | 2 +-
.../sshd_use_strong_kex/oval/shared.xml | 73 ++++++++++++++++
.../ssh_server/sshd_use_strong_kex/rule.yml | 17 ++++
.../ssh_server/sshd_use_strong_macs/rule.yml | 2 +-
.../sshd_use_strong_pubkey/oval/shared.xml | 1 +
.../sshd_use_strong_pubkey/rule.yml | 13 +++
.../guide/services/ssh/sshd_strong_kex.var | 19 +++++
.../oval/shared.xml | 1 +
.../rule.yml | 8 +-
.../oval/shared.xml | 12 ++-
.../rule.yml | 8 +-
.../oval/shared.xml | 13 ++-
.../rule.yml | 2 +-
.../oval/shared.xml | 1 +
.../rule.yml | 2 +-
...nts_passwords_pam_faillock_unlock_time.var | 1 +
.../oval/shared.xml | 32 +++++++
.../no_name_contained_in_password/rule.yml | 12 +++
.../accounts_password_pam_dcredit/rule.yml | 2 +-
.../oval/shared.xml | 27 ++++++
.../accounts_password_pam_dictcheck/rule.yml | 29 +++++++
.../accounts_password_pam_lcredit/rule.yml | 2 +-
.../accounts_password_pam_minclass/rule.yml | 2 +-
.../accounts_password_pam_minlen/rule.yml | 2 +-
.../accounts_password_pam_ocredit/rule.yml | 2 +-
.../oval/shared.xml | 1 +
.../accounts_password_pam_retry/rule.yml | 8 +-
.../accounts_password_pam_ucredit/rule.yml | 2 +-
.../var_password_pam_dictcheck.var | 16 ++++
.../oval/shared.xml | 1 +
.../rule.yml | 2 +-
.../verify_owner_password/oval/shared.xml | 60 +++++++++++++
.../verify_owner_password/rule.yml | 12 +++
.../require_singleuser_auth/oval/shared.xml | 21 ++++-
.../require_singleuser_auth/rule.yml | 2 +-
.../account_unique_group_id/oval/shared.xml | 51 +++++++++++
.../account_unique_group_id/rule.yml | 11 +++
.../account_unique_id/oval/shared.xml | 51 +++++++++++
.../account_unique_id/policy/stig/shared.yml | 15 ++++
.../account_unique_id/rule.yml | 11 +++
.../tests/correct_value.pass.sh | 2 +
.../tests/wrong_value.fail.sh | 5 ++
.../accounts_are_necessary/oval/shared.xml | 25 ++++++
.../accounts_are_necessary/rule.yml | 20 +++++
.../group_unique_id/oval/shared.xml | 50 +++++++++++
.../group_unique_id/policy/stig/shared.yml | 15 ++++
.../group_unique_id/rule.yml | 12 +++
.../tests/correct_value.pass.sh | 4 +
.../group_unique_id/tests/wrong_value.fail.sh | 5 ++
.../group_unique_name/oval/shared.xml | 50 +++++++++++
.../group_unique_name/rule.yml | 12 +++
.../tests/correct_value.pass.sh | 4 +
.../tests/wrong_value.fail.sh | 5 ++
.../oval/shared.xml | 30 +++++++
.../login_accounts_are_necessary/rule.yml | 31 +++++++
.../accounts_maximum_age_login_defs/rule.yml | 6 ++
.../gid_passwd_group_same/oval/shared.xml | 3 +-
.../accounts_tmout/oval/shared.xml | 1 +
.../accounts-session/accounts_tmout/rule.yml | 7 +-
.../oval/shared.xml | 83 ++++++++++++++++++
.../rule.yml | 2 +-
.../accounts_umask_etc_bashrc/oval/shared.xml | 1 +
.../accounts_umask_etc_bashrc/rule.yml | 9 +-
.../accounts_umask_interactive_users/rule.yml | 2 +-
.../oval/shared.xml | 20 +++++
.../grub2_nosmap_argument_absent/rule.yml | 25 ++++++
.../oval/shared.xml | 20 +++++
.../grub2_nosmep_argument_absent/rule.yml | 25 ++++++
.../grub2_uefi_password/rule.yml | 2 +-
.../oval/shared.xml | 1 +
.../oval/shared.xml | 1 +
.../file_permissions_ungroupowned/rule.yml | 2 +-
.../files/no_empty_symlink_files/rule.yml | 26 ++++++
.../no_files_unowned_by_user/oval/shared.xml | 1 +
.../files/no_files_unowned_by_user/rule.yml | 2 +-
.../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++
.../files/no_hide_exec_files/rule.yml | 14 +++
.../sysctl_kernel_kptr_restrict/rule.yml | 8 +-
.../sysctl_kernel_dmesg_restrict/rule.yml | 2 +-
.../oval/shared.xml | 1 +
.../configure_ssh_crypto_policy/rule.yml | 2 +-
.../package_python2_removed/rule.yml | 18 ++++
.../oval/shared.xml | 1 +
.../ensure_gpgcheck_never_disabled/rule.yml | 2 +-
.../cpe/openeuler2203-cpe-dictionary.xml | 61 +++++++++++++
openeuler2203/profiles/standard.profile | 85 +++++++++++++++++++
.../oval/installed_env_has_login_defs.xml | 4 +
shared/macros-oval.jinja | 73 ++++++++++++++++
shared/templates/template_OVAL_sysctl | 4 +
ssg/constants.py | 4 +-
101 files changed, 1530 insertions(+), 37 deletions(-)
create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
create mode 100644 linux_os/guide/services/ssh/sshd_strong_kex.var
create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
create mode 100644 linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml
create mode 100644 linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml
create mode 100644 linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml
diff --git a/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
new file mode 100644
index 0000000..ef1fc32
--- /dev/null
+++ b/linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Commands/Bashes In Crontab File Are Not Writeable By Low-privilege Users'
+
+description: |-
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>Use below cli commands to check if there is any low-privilege users writeable commands/bashes in <tt>/etc/crontab</tt></p>
+ <ul>
+ <li>Step 1: list the commands/bashes from <tt>/etc/crontab</tt>
+ <pre>
+ # cat /etc/crontab
+ /bin/example.sh
+ </pre>
+ </li>
+ <li>Step 2: check the right of the commands/bashes file
+ <pre>
+ # ll /bin/example.sh
+ -rwxrwxrwx. 1 root root 200 Mar 17 18:00 /bin/example.sh
+ </pre>
+ </li>
+ </ul>
+ So, the wirteable flag of other users is present(-rwxr<tt>w</tt>xr<tt>w</tt>x.) and it is a risk.
+
+rationale: |-
+ If any symlink files have no camonical path, it should be removed.
+
+severity: medium
+
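Review bot: The rationale at the end of the hunk is copied from a symlink rule ("If any symlink files have no camonical path, it should be removed.") and does not explain the cron risk; a rationale such as `A command that root's cron runs but that an unprivileged user can modify is a direct privilege-escalation path, so files referenced from crontab must not be writable by other users.` would match the title. The description has typos (`wirteable`) and only covers /etc/crontab, while /etc/cron.d/, the /etc/cron.{hourly,daily,weekly,monthly} directories and user crontabs under /var/spool/cron are run the same way, so the manual check steps should list them too. Given what a world-writable root-run script means, `severity: medium` looks low for this rule.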
diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
new file mode 100644
index 0000000..ee68c97
--- /dev/null
+++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Remove ftp Client'
+
+description: |-
+ FTP is a simple file transfer protocol,
+ it does not support authentication and can be easily hacked. The package
+ <tt>ftp</tt> is a client program that allows for connections to a <tt>ftp</tt> server.
+
+rationale: |-
+ It is recommended that FTP be removed, unless there is a specific need
+ for FTP. In that case, use extreme caution when configuring
+ the services.
+
+severity: low
+
+template:
+ name: package_removed
+ vars:
+ pkgname: ftp
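Review bot: The description's claim that FTP `does not support authentication` is wrong and will be rendered into the guide; FTP does authenticate, the problem is that user names, passwords and file contents cross the network in clear text. Suggested wording: `FTP is a legacy file transfer protocol that sends credentials and data unencrypted, so they can be read or altered in transit.` The phrase `can be easily hacked` should go for the same reason.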
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 37a9b68..700e673 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: 'Uninstall tftp-server Package'
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index 2e7858e..de45e4b 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: openeuler2203,rhel6,rhel7,rhel8
title: 'Remove tftp Daemon'
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
index 817463d..6484570 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: debian10,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: debian10,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: 'Uninstall net-snmp Package'
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml
new file mode 100644
index 0000000..8178251
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml
@@ -0,0 +1,20 @@
+<def-group>
+ <definition class="compliance" id="disable_host_auth" version="1">
+ <metadata>
+ <title>Disable Host-Based Authentication</title>
+ {{{- oval_affected(products) }}}
+ <description>To disable host-based authentication.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="To disable host-based authentication" test_ref="test_disable_host_auth" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test host-based authentication disabled" id="test_disable_host_auth" version="1">
+ <ind:object object_ref="object_disable_host_auth" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_disable_host_auth" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^HostbasedAuthentication[\s]+no$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
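Review bot: The pattern `^HostbasedAuthentication[\s]+no$` is stricter than sshd's own parser: sshd keywords are case-insensitive, trailing whitespace or a `# comment` after the value is legal, `check_existence="all_exist"` fails a host that relies on the compiled-in default of `no`, and a config that uses `Include` drop-ins under /etc/ssh/sshd_config.d is not seen at all. The same hand-written shape is repeated in the `sshd_allow_only_protocol2`, `sshd_disable_empty_passwords` and `sshd_disable_rhosts` OVAL hunks of this patch. Since the `sshd_use_strong_pubkey` OVAL in the same patch already uses the shared macro, each of these four files could collapse to one line such as `{{{ oval_sshd_config(parameter="HostbasedAuthentication", value="no") }}}` and inherit whatever case and comment handling the macro provides.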
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
new file mode 100644
index 0000000..9446c3f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
@@ -0,0 +1,20 @@
+<def-group>
+ <definition class="compliance" id="sshd_allow_only_protocol2" version="1">
+ <metadata>
+ <title>Allow Only SSH Protocol 2</title>
+ {{{- oval_affected(products) }}}
+ <description>Only SSH protocol version 2 connections should be permitted.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="tests that there are only SSH protocol version 2 connections should be permitted" test_ref="test_sshd_allow_only_protocol2" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="test that there are only SSH protocol version 2 connections should be permitted" id="test_sshd_allow_only_protocol2" version="1">
+ <ind:object object_ref="object_sshd_allow_only_protocol2" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^Protocol[\s]+2$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
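Review bot: `^Protocol[\s]+2$` requires a directive that current OpenSSH no longer acts on; protocol 1 support was removed in OpenSSH 7.4 and the `Protocol` keyword is kept only for backward compatibility, so on the OpenSSH 8.x that openEuler 22.03 appears to ship the check can only fail because the line is absent, never for a security-relevant reason. If the rule is kept for policy traceability, its description should say the setting is a no-op on this release; otherwise consider leaving it out of the openEuler profile rather than making administrators add a dead directive.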
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml
new file mode 100644
index 0000000..44c5eab
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/oval/shared.xml
@@ -0,0 +1,20 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_empty_passwords" version="1">
+ <metadata>
+ <title>Disable SSH Access via Empty Passwords</title>
+ {{{- oval_affected(products) }}}
+ <description>Disable SSH Access via Empty Passwords.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="To disable SSH access via empty passwords" test_ref="test_sshd_disable_empty_passwords" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test empty passwords accessing disabled" id="test_sshd_disable_empty_passwords" version="1">
+ <ind:object object_ref="object_sshd_disable_empty_passwords" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sshd_disable_empty_passwords" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^PermitEmptyPasswords[\s]+no$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml
new file mode 100644
index 0000000..22a1069
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/oval/shared.xml
@@ -0,0 +1,20 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_rhosts" version="1">
+ <metadata>
+ <title>Disable SSH Support for .rhosts Files</title>
+ {{{- oval_affected(products) }}}
+ <description>Disable SSH Support for .rhosts Files.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="To disable SSH support for .rhosts files" test_ref="test_sshd_disable_rhosts" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test .rhosts files supporting disabled" id="test_sshd_disable_rhosts" version="1">
+ <ind:object object_ref="object_sshd_disable_rhosts" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sshd_disable_rhosts" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^IgnoreRhosts[\s]+yes$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml
new file mode 100644
index 0000000..5a3d8ee
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml
@@ -0,0 +1,26 @@
+srg_requirement: |-
+ {{{ full_name }}} must enable the Pluggable Authenitcation Module (PAM) interface for SSHD.
+
+vuldiscussion: |-
+ When UsePAM is set to yes, PAM runs through account and session types properly. This is
+ important if you want to restrict access to services based off of IP, time or other factors of
+ the account. Additionally, you can make sure users inherit certain environment variables
+ on login or disallow access to the server.
+
+checktext: |-
+ Verify the {{{ full_name }}} SSHD is configured to allow for the UsePAM interface with the following command:
+
+ $ sudo grep -i usepam /etc/ssh/sshd_config
+
+ UsePAM yes
+
+ If the "UsePAM" keyword is set to "no", is missing, or is commented out, this is a finding.
+
+fixtext: |-
+ Configure the {{{ full_name }}} SSHD to use the UsePAM interface add or modify the following line in "/etc/ssh/sshd_config".
+
+ UsePAM yes
+
+ Restart the SSH daemon for the settings to take effect:
+
+ $ sudo systemctl restart sshd.service
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
new file mode 100644
index 0000000..e303b2c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+title: 'Enable PAM'
+
+description: |-
+ UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
+ enable PAM authentication using ChallengeResponseAuthentication and
+ PasswordAuthentication in addition to PAM account and session module processing for all
+ authentication types.
+
+rationale: |-
+ When UsePAM is set to yes, PAM runs through account and session types properly. This is
+ important if you want to restrict access to services based off of IP, time or other factors of
+ the account. Additionally, you can make sure users inherit certain environment variables
+ on login or disallow access to the server.
+
+severity: medium
+
+
+template:
+ name: sshd_lineinfile
+ vars:
+ missing_parameter_pass: 'false'
+ parameter: UsePAM
+ rule_id: sshd_enable_pam
+ value: 'yes'
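Review bot: This rule has no `prodtype:` line, unlike every other new rule.yml in this patch, so it will be built for every product rather than only openEuler; add `prodtype: openeuler2203` after `documentation_complete: true`. The description also uses typographic quotes (“yes”) where the rest of the guide uses ASCII quotes, and there is a doubled blank line before `template:`. `missing_parameter_pass: 'false'` is the right choice here, since upstream sshd defaults UsePAM to no.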
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
index d476fda..59bb6a6 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel6,rhel7
+prodtype: ol7,openeuler2203,rhel6,rhel7
title: 'Use Only Strong Ciphers'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml
new file mode 100644
index 0000000..d8d13d8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml
@@ -0,0 +1,73 @@
+<def-group>
+ <definition class="compliance" id="sshd_use_strong_kex" version="1">
+ {{{ oval_metadata("Limit the Key Exchange Algorithms to those which are FIPS-approved.") }}}
+ {{% if product in ['openeuler2203'] %}}
+ <criteria comment="SSH is configured correctly or is not installed">
+ <criterion comment="Check KexAlgorithms in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_strong_kex" />
+ </criteria>
+ {{% else %}}
+ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
+ <extend_definition comment="package openssh removed"
+ definition_ref="package_openssh_removed" />
+ {{% else %}}
+ <extend_definition comment="package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ {{% endif %}}
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
+ <extend_definition comment="package openssh installed"
+ definition_ref="package_openssh_installed" />
+ {{% else %}}
+ <extend_definition comment="package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ {{% endif %}}
+ <criterion comment="Check KexAlgorithms in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_strong_kex" />
+ </criteria>
+ </criteria>
+ {{% endif %}}
+ </definition>
+
+ <ind:variable_test check="at least one"
+ comment="tests the value of KexAlgorithms setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_use_strong_kex" version="1">
+ <ind:object object_ref="obj_sshd_use_strong_kex" />
+ <ind:state state_ref="ste_sshd_use_strong_kex" />
+ </ind:variable_test>
+
+ <ind:variable_object id="obj_sshd_use_strong_kex" version="1">
+ <ind:var_ref>var_sshd_config_kex</ind:var_ref>
+ </ind:variable_object>
+
+ <ind:variable_state comment="approved strong kex" id="ste_sshd_use_strong_kex" version="1">
+ <ind:value operation="equals" datatype="string" var_ref="var_sshd_strong_kex" var_check="at least one" />
+ </ind:variable_state>
+
+ <ind:textfilecontent54_object id="obj_sshd_config_kex" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <local_variable id="var_sshd_config_kex" datatype="string" version="1" comment="MACs values splitted on comma">
+ <split delimiter=",">
+ <object_component item_field="subexpression" object_ref="obj_sshd_config_kex" />
+ </split>
+ </local_variable>
+
+ <local_variable id="var_sshd_strong_kex" datatype="string" version="1" comment="approved strong KEX values splitted on comma">
+ <split delimiter=",">
+ <variable_component var_ref="sshd_strong_kex" />
+ </split>
+ </local_variable>
+ <external_variable comment="SSH Approved KEX by FIPS" datatype="string" id="sshd_strong_kex" version="1" />
+</def-group>
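Review bot: `check="at least one"` on the variable_test at the top of the test section means the definition passes as soon as one configured algorithm is in the approved set, so `KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1` would be reported compliant; it should be `check="all"` so every entry the split local variable produces must equal one approved value (`var_check="at least one"` on the state is correct as written). The character class `[\w,-@]` in the textfilecontent54 pattern also contains an unintended range `,-@` (which spans the digits and `.:;<=>?`), and the outer `+` around the capture group is redundant — `([\w,@.-]+)` with the hyphen last is what was meant. The local-variable comment `MACs values splitted on comma` is a leftover from the MACs rule and should say KEX. Because the openeuler2203 branch of the criteria omits the installed/not-installed extend_definitions, a host without /etc/ssh/sshd_config will presumably fail rather than pass; confirm that is intended.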
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
new file mode 100644
index 0000000..2f94f68
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Use Only Strong Key Exchange algorithms'
+
+description: |-
+ Limit the Key Exchange to strong algorithms.
+
+rationale: |-
+ Key exchange is any method in cryptography by which cryptographic keys are exchanged
+ between two parties, allowing use of a cryptographic algorithm. If the sender and receiver
+ wish to exchange encrypted messages, each must be equipped to encrypt messages to be
+ sent and decrypt messages received
+
+severity: medium
+
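Review bot: The rationale is a textbook definition of key exchange and never says why weak algorithms are a problem, which is what a reader of the rendered guide needs to justify the setting; the last sentence is also missing its full stop. Suggested rationale: `Key exchange algorithms based on SHA-1 or small Diffie-Hellman groups no longer provide an adequate security margin, and a peer that can influence the negotiation may force a weaker exchange that undermines the confidentiality of the session. Restricting KexAlgorithms to the approved set in the sshd_strong_kex variable removes those options.` The description could point readers to that variable so they know where the approved list comes from.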
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
index e5631ce..66d0402 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel6,rhel7
+prodtype: ol7,openeuler2203,rhel6,rhel7
title: 'Use Only Strong MACs'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
new file mode 100644
index 0000000..3c13a96
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_sshd_config(parameter="PubkeyAcceptedKeyTypes", value="((ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512),?)+") }}}
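Review bot: The value regex requires all four algorithms in this exact order, so a legitimate `PubkeyAcceptedKeyTypes rsa-sha2-512,ssh-ed25519` or any list that omits one entry fails even though it is at least as strict, and the `,?` inside the group also accepts the four names concatenated without commas. An alternation applied per entry matches any order or subset: `(ssh-ed25519|ssh-ed25519-cert-v01@openssh\.com|rsa-sha2-256|rsa-sha2-512)(,(ssh-ed25519|ssh-ed25519-cert-v01@openssh\.com|rsa-sha2-256|rsa-sha2-512))*`. OpenSSH 8.5 renamed this option to `PubkeyAcceptedAlgorithms` (the old name remains an alias, as far as I know), so the rule text should mention that administrators may find the new spelling in their config; the split-into-variable approach used by the sibling `sshd_use_strong_kex` OVAL would be the more maintainable way to express this list.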
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
new file mode 100644
index 0000000..cdc3061
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_pubkey/rule.yml
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Use Only Strong Algorithms For Public Key'
+
+description: |-
+ Limit the algorithm of public key to strong algorithms.
+
+rationale: |-
+ Week algorithms will introduce risks.
+
+severity: medium
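Review bot: `Week algorithms will introduce risks.` has a typo (`Weak`) and gives the reader nothing to act on, and it is the only rationale the rendered guide will show for this rule. Suggested: `Public key algorithms that rely on SHA-1 signatures (ssh-rsa) or on DSA are no longer considered secure and are being removed from OpenSSH; limiting PubkeyAcceptedKeyTypes to ed25519 and RSA with SHA-2 signatures ensures only current algorithms are accepted for authentication.` The description should also list the accepted algorithms from the OVAL so the two stay in sync.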
diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
new file mode 100644
index 0000000..36b03ba
--- /dev/null
+++ b/linux_os/guide/services/ssh/sshd_strong_kex.var
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'SSH Strong KEX by FIPS'
+
+description: "Specify the FIPS approved KEXs (Key Exchange Algorithms) algorithms\n\tthat are used for methods in cryptography by which cryptographic keys are exchanged between two parties"
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ cis_rhel7: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+ cis_sle12: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ cis_sle15: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ cis_ubuntu2004: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ standard_openeuler2203: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
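Review bot: The `description` string embeds a literal `\n\t`, so the rendered text will contain a newline and a tab in mid-sentence; a block scalar (`description: |-`), as the rule.yml files in this patch use, avoids that. `KEXs (Key Exchange Algorithms) algorithms` also repeats the word — `Specify the FIPS-approved key exchange algorithms (KEX) that sshd may offer.` would do. The `default` list differs from `standard_openeuler2203`, and nothing records why the openEuler profile drops the NIST curves and the large DH groups, so a one-line comment here or in the profile would help the next reviewer.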
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
index 28eecc8..5165c15 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
@@ -8,6 +8,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_rhv</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The passwords to remember should be set correctly.</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index 579ffc0..3bb940f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: 'Limit Password Reuse'
@@ -20,6 +20,12 @@ description: |-
</li>
</ul>
The DoD STIG requirement is 5 passwords.
+ {{% if product in ["openeuler2203"] %}}
+ <br />
+ Considering the usability of the community release of openEuler in different scenarios,
+ the openEuler release does not disable historical passwords by default.
+ Please configure historical passwords based on the site requirements.
+ {{% endif %}}
rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.'
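Review bot: `does not disable historical passwords by default` in the added openEuler paragraph is ambiguous; a reader may take it to mean old passwords stay usable, when it apparently means the default PAM stack sets no `remember=` and so does not enforce password history. Suggested wording: `The openEuler release does not enforce password history by default; configure the remember option according to site requirements.`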
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
index db91fa9..0139186 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
@@ -129,8 +129,12 @@
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_preauth_silent_system-auth" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
- pam_unix.so module in auth section -->
+ pam_unix.so module in auth section -->
+ {{% if product in ["openeuler2203"] %}}
+ <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+ {{% else %}}
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+ {{% endif %}}
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
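Review bot: The openEuler pattern keys on `audit` instead of `silent`, but the comment directly above it (`ensure pam_faillock.so preauth silent in auth section is listed before`) and the object id `object_accounts_passwords_pam_faillock_preauth_silent_system-auth` still describe the silent form, so a reader cannot tell from the file why the two branches differ. Suggest extending the comment with `<!-- openEuler branch: the expected preauth line carries "audit" rather than "silent" -->`, and, if dropping the `silent` requirement on openEuler is intentional (the user is then told that the account is locked), saying so explicitly, since that is a behaviour difference rather than a spelling one. The same comment/pattern mismatch is in the password-auth hunk below and in both hunks of accounts_passwords_pam_faillock_deny_root/oval/shared.xml.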
@@ -178,8 +182,12 @@
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_preauth_silent_password-auth" version="1">
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
- pam_unix.so module in auth section -->
+ pam_unix.so module in auth section -->
+ {{% if product in ["openeuler2203"] %}}
+ <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+ {{% else %}}
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+ {{% endif %}}
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 5575bd3..a06d04e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: 'Set Deny For Failed Password Attempts'
@@ -17,6 +17,12 @@ description: |-
<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
<pre>account required pam_faillock.so</pre></li>
</ul>
+ {{% if product in ["openeuler2203"] %}}
+ Considering the usability of the community release of openEuler in different scenarios,
+ the openEuler release does not provide this security function by default.
+ Please configure the default number of failures and lockout duration based on
+ the actual application scenario and requirements.
+ {{% endif %}}
rationale: |-
Locking out user accounts after a number of incorrect attempts
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
index 402feab..da09d06 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
@@ -9,6 +9,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_rhv</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The root account should be configured to deny access after the number of defined
failed attempts has been reached.</description>
@@ -37,8 +38,12 @@
<ind:behaviors singleline="true" />
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
- pam_unix.so module in auth section -->
+ pam_unix.so module in auth section -->
+ {{% if product in ["openeuler2203"] %}}
+ <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+audit[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+ {{% else %}}
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+ {{% endif %}}
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
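Review bot: The openEuler pattern here requires `audit` to be the token immediately after `preauth` (`preauth[\s]+audit[\s]+`), whereas the openEuler pattern added to accounts_passwords_pam_faillock_deny/oval/shared.xml accepts other options in between (`preauth[\s]+[^\n]*audit[\s]+`). A line such as `auth required pam_faillock.so preauth silent audit deny=3 even_deny_root` therefore passes the deny rule but fails this one. The asymmetry is carried over from the original `silent` patterns, but since both branches are new it would be cheap to use `preauth[\s]+[^\n]*audit[\s]+` here too; the same applies to the password-auth hunk below.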
@@ -72,8 +77,12 @@
<ind:behaviors singleline="true" />
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
- pam_unix.so module in auth section -->
+ pam_unix.so module in auth section -->
+ {{% if product in ["openeuler2203"] %}}
+ <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+audit[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+ {{% else %}}
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+ {{% endif %}}
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index 03329a6..6615efa 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Configure the root Account for Failed Password Attempts'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
index ad3e2f1..057aca8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
@@ -7,6 +7,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_rhv</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The number of allowed failed logins should be set correctly.</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index e4403bb..dccf1b7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
title: 'Set Lockout Time for Failed Password Attempts'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
index 46c73e4..206b03e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_accounts_passwords_pam_faillock_unlock_time.var
@@ -17,5 +17,6 @@ options:
604800: 604800
86400: 86400
900: 900
+ 300: 300
default: 0
never: 0
diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml
new file mode 100644
index 0000000..af4a11e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/oval/shared.xml
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance" id="no_name_contained_in_password" version="1">
+ <metadata>
+ <title>Accounts password should not be contained substring of name</title>
+ {{{- oval_affected(products) }}}
+ <description>Accounts password should not be contained substring of name.</description>
+ </metadata>
+ <criteria operator="AND" comment="Check that there is no usercheck=0 in pam files">
+ <criterion comment="Check /etc/pam.d/password-auth" test_ref="test_password_auth_no_name_in_password" />
+ <criterion comment="Check /etc/pam.d/system-auth" test_ref="test_system_no_name_in_password" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Test that there is no substring in password" id="test_password_auth_no_name_in_password" version="1">
+ <ind:object object_ref="object_test_password_auth_no_name_in_password" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Test that there is no substring in password" id="test_system_no_name_in_password" version="1">
+ <ind:object object_ref="object_test_system_no_name_in_password" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_test_password_auth_no_name_in_password" version="1">
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^.*usercheck[\s]*=[\s]*0.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_test_system_no_name_in_password" version="1">
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^.*usercheck[\s]*=[\s]*0.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
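Review bot: `check_existence="none_exist"` on `usercheck[\s]*=[\s]*0` passes whenever that string is absent, including on a system where `pam_pwquality.so` is not in the password stack at all, so the definition does not establish that the username check is actually enforced. The pattern is also not anchored to a module line, so a commented-out `# ... usercheck=0` would cause a spurious failure. Consider matching only an active pwquality line, e.g. `^[^#\n]*pam_pwquality\.so[^\n]*usercheck[\s]*=[\s]*0(?:[\s]|$)`, and pairing the negative tests with a positive test that `pam_pwquality.so` is present; `usercheck` can also be set in `/etc/security/pwquality.conf`, which this definition does not read. The title `Accounts password should not be contained substring of name` would read better as `Account passwords must not contain the account name`.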
diff --git a/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml
new file mode 100644
index 0000000..fa84a3b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/no_name_contained_in_password/rule.yml
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'Accounts Name Should Not Be Contained In Password'
+
+description: |-
+ Accounts name should not be contained in password.
+ There is no usercheck=0.
+
+rationale: |-
+ If the passowrd contains substring of accounts name, it is a risk.
+
+severity: high
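Review bot: This new rule has no `prodtype:` line, while the sibling accounts_password_pam_dictcheck/rule.yml added in the same patch carries `prodtype: openeuler2203`; if an absent prodtype means "all products" in this tree, the rule would be selected for platforms whose OVAL applicability is not declared here. Suggest adding `prodtype: openeuler2203`. The rationale has a typo (`passowrd`) and the wording is awkward; e.g. `title: 'Ensure Passwords Do Not Contain the Account Name'` and `A password that contains the account name is far easier to guess, since the name is public.` The same missing prodtype applies to verify_owner_password/rule.yml further down.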
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
index 86ec1e6..629a797 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure PAM Enforces Password Requirements - Minimum Digit Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml
new file mode 100644
index 0000000..13bbae4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_pam_dictcheck" version="3">
+ {{{ oval_metadata("Check dictcheck in pwquality") }}}
+ <criteria comment="conditions for dictcheck are satisfied">
+ <criterion comment="pwquality.conf" test_ref="test_password_pam_pwquality_dictcheck" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" state_operator="AND"
+ comment="check the configuration of /etc/security/pwquality.conf"
+ id="test_password_pam_pwquality_dictcheck" version="3">
+ <ind:object object_ref="obj_password_pam_pwquality_dictcheck" />
+ <ind:state state_ref="state_password_pam_dictcheck" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_password_pam_pwquality_dictcheck" version="3">
+ <ind:filepath operation="pattern match">{{{ filepath_regex }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_password_pam_dictcheck" version="3">
+ <ind:subexpression datatype="int" operation="equals" var_ref="var_password_pam_dictcheck" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="External variable for pam_dictcheck" datatype="int" id="var_password_pam_dictcheck" version="3" />
+</def-group>
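Review bot: The object requires an explicit `dictcheck=` line, so a system that has never written `dictcheck` into pwquality.conf is reported as failing even though libpwquality's built-in default for `dictcheck` is 1 (dictionary check enabled). If the intent is "dictionary check must be on" rather than "the key must be written", the definition needs a second path accepting the absent-key case; otherwise the rule.yml description should state that the key must be set explicitly. `{{{ filepath_regex }}}` is not defined in this file; if it is provided by the shared Jinja context used by the other pwquality checks that is fine, otherwise the object will not resolve and `<ind:filepath>/etc/security/pwquality.conf</ind:filepath>` would be the explicit choice.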
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
new file mode 100644
index 0000000..46159db
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words'
+
+description: |-
+ The pam_pwquality module's <tt>dictcheck</tt> check if passwords contains dictionary words. When
+ <tt>dictcheck</tt> is set to <tt>1</tt> passwords will be checked for dictionary words.
+ {{% if product in ["openeuler2203"] %}}
+ <br />
+ Considering the usability of the community release of openEuler in different scenarios,
+ the weak password dictionary check is not configured for the openEuler release by default.
+ Please configure the weak password dictionary check based on the site requirements.
+ {{% endif %}}
+
+rationale: |-
+ Use of a complex password helps to increase the time and resources required to compromise the password.
+ Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
+ guessing and brute-force attacks.
+ <br /><br />
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more
+ complex the password, the greater the number of possible combinations that need to be tested before the
+ password is compromised.
+ <br /><br />
+ Passwords with dictionary words may be more vulnerable to password-guessing attacks.
+
+severity: medium
+
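Review bot: The `{{% if product in ["openeuler2203"] %}}` guard is redundant here because `prodtype: openeuler2203` already limits the rule to that product; keeping it is harmless but misleading. The first description sentence has a grammar slip: `The pam_pwquality module's <tt>dictcheck</tt> option checks whether passwords contain dictionary words.` The file also ends with an extra blank line, which YAML linters commonly flag.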
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
index 159a832..4e63274 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index 5c596d0..866fa5f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index 7db443b..3b65cb6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index bdef268..0597fe9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure PAM Enforces Password Requirements - Minimum Special Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
index d888d78..4588489 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
@@ -8,6 +8,7 @@
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The password retry should meet minimum requirements</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index 099cbbf..4bf912f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session'
@@ -10,6 +10,12 @@ description: |-
show <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value if
site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session.
+ {{% if product in ["openeuler2203"] %}}
+ <br />
+ Considering the usability of the community release of openEuler in different scenarios,
+ the values of retry are not configured in the openEuler release by default.
+ Please set it based on the site requirements.
+ {{% endif %}}
rationale: |-
Setting the password retry prompts that are permitted on a per-session basis to a low value
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
index 7b5fe67..203da95 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
new file mode 100644
index 0000000..26452c3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: dictcheck
+
+description: |-
+ Prevent the use of dictionary words for passwords.
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ 1: 1
+ default: 1
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index 3770a64..4cb9dc0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -8,6 +8,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_rhv</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 1c4032c..9bd46d6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: "Set PAM's Password Hashing Algorithm"
diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml
new file mode 100644
index 0000000..bfd0b01
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/oval/shared.xml
@@ -0,0 +1,60 @@
+<def-group>
+ <definition class="compliance" id="verify_owner_password" version="1">
+ <metadata>
+ <title>Accounts password should be verified during modifying</title>
+ {{{- oval_affected(products) }}}
+ <description>Accounts password should be verified during modifying.</description>
+ </metadata>
+ <criteria operator="AND" comment="Check that there is pam_unix.so in pam files">
+ <criteria operator="AND" comment="Check /etc/pam.d/password-auth">
+ <criterion comment="Check pam_unix.so" test_ref="test_password_auth_unix" />
+ <criterion comment="Check pam_deny.so" test_ref="test_password_auth_deny" />
+ </criteria>
+ <criteria operator="AND" comment="Check /etc/pam.d/system-auth">
+ <criterion comment="Check pam_unix.so" test_ref="test_system_auth_unix" />
+ <criterion comment="Check pam_deny.so" test_ref="test_system_auth_deny" />
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test that there is pam_unix.so in pam files" id="test_password_auth_unix" version="1">
+ <ind:object object_ref="object_test_password_auth_unix" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test that there is pam_unix.so in pam files" id="test_password_auth_deny" version="1">
+ <ind:object object_ref="object_test_password_auth_deny" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test that there is pam_unix.so in pam files" id="test_system_auth_unix" version="1">
+ <ind:object object_ref="object_test_system_auth_unix" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test that there is pam_unix.so in pam files" id="test_system_auth_deny" version="1">
+ <ind:object object_ref="object_test_system_auth_deny" />
+ </ind:textfilecontent54_test>
+
+
+ <ind:textfilecontent54_object id="object_test_password_auth_unix" version="1">
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^password[\s]+sufficient[\s]+pam_unix\.so.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_test_password_auth_deny" version="1">
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^password[\s]+required[\s]+pam_deny\.so.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_test_system_auth_unix" version="1">
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^password[\s]+sufficient[\s]+pam_unix\.so.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_test_system_auth_deny" version="1">
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+ <ind:pattern operation="pattern match">^password[\s]+required[\s]+pam_deny\.so.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
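Review bot: All four test comments read `Test that there is pam_unix.so in pam files`, although two of them check `pam_deny.so`; suggest `Test that pam_deny.so terminates the password stack` for `test_password_auth_deny` and `test_system_auth_deny`. More substantively, `^password[\s]+sufficient[\s]+pam_unix\.so.*$` only confirms the module line exists; it does not constrain its options or its position, and the separate `pam_deny.so` test does not constrain ordering, so a stack with a `sufficient` permit-style module ahead of `pam_deny.so` would still pass. The anchored `^password` also rejects lines using the bracketed control syntax (`password [success=... default=...] pam_unix.so`) or leading whitespace, which are valid PAM configurations; if those are expected on openEuler the pattern should allow them.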
diff --git a/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml
new file mode 100644
index 0000000..b03948a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/verify_owner_password/rule.yml
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'Accounts Password Should Be Verified When Changing'
+
+description: |-
+ Accounts password should be verified when it is modifying.
+ It is done by pam_unix.so.
+
+rationale: |-
+ Anyone can change the password if no verifying.
+
+severity: high
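Review bot: The description and rationale need tightening to say what the OVAL actually checks: `The current password must be verified before it is changed; this is enforced by pam_unix.so in the password stack.` and `Without verification of the current password, a user's password could be changed by anyone with access to an unlocked session.` As written (`when it is modifying`, `if no verifying`) they are hard to parse.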
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
index 827129d..9dd6b89 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
@@ -11,8 +11,12 @@
<criterion comment="Conditions are satisfied"
test_ref="test_require_rescue_service" />
<criterion test_ref="test_require_rescue_service_runlevel1" />
+ {{%- if product in ["openeuler2203"] -%}}
+ <criterion test_ref="test_require_emergency_service" />
+ {{%- else -%}}
<criterion test_ref="test_no_custom_runlevel1_target" negate="true"/>
<criterion test_ref="test_no_custom_rescue_service" negate="true"/>
+ {{%- endif -%}}
</criteria>
{{%- else -%}}
<criteria>
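Review bot: For openEuler the two negated checks `test_no_custom_runlevel1_target` and `test_no_custom_rescue_service` are replaced by the emergency.service criterion rather than kept next to it, so a custom override of `runlevel1.target` or `rescue.service` that bypasses `systemd-sulogin-shell` would no longer be detected on that product while it still is on the others. Unless openEuler genuinely cannot carry such overrides, the safer shape is to close the `{{%- if product in ["openeuler2203"] -%}}` block right after the emergency criterion, drop the `{{%- else -%}}`, and leave the two negated criteria unconditional, assuming those tests remain defined for openEuler in the part of the file outside this hunk.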
@@ -24,7 +28,7 @@
{{%- if init_system == "systemd" -%}}
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="Tests that
- {{% if product in ["fedora", "rhel8"] -%}}
+ {{% if product in ["fedora", "rhel8", "openeuler2203"] -%}}
/usr/lib/systemd/systemd-sulogin-shell
{{%- else -%}}
/sbin/sulogin
@@ -36,7 +40,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_require_rescue_service" version="1">
<ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>
- {{%- if product in ["fedora", "rhel8"] -%}}
+ {{%- if product in ["fedora", "rhel8", "openeuler2203"] -%}}
<ind:pattern operation="pattern match">^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue</ind:pattern>
{{%- else -%}}
<ind:pattern operation="pattern match">^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"</ind:pattern>
@@ -90,4 +94,17 @@
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{%- endif -%}}
+
+ {{%- if product in ["openeuler2203"] -%}}
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests that the systemd-sulogin-shell is in the emergency.service"
+ id="test_require_emergency_service" version="1">
+ <ind:object object_ref="obj_require_emergency_service" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_require_emergency_service" version="1">
+ <ind:filepath>/usr/lib/systemd/system/emergency.service</ind:filepath>
+ <ind:pattern operation="pattern match">^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+emergency</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ {{%- endif -%}}
</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index c81e8cc..568163e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: 'Require Authentication for Single User Mode'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml
new file mode 100644
index 0000000..8d31f9a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/oval/shared.xml
@@ -0,0 +1,51 @@
+<def-group>
+ <definition class="compliance" id="account_unique_group_id" version="1">
+ {{{ oval_metadata("All accounts on the system should have unique master group IDs for proper accountability.") }}}
+ <criteria comment="There should not exist duplicate user master group IDs entries in /etc/passwd">
+ <criterion test_ref="test_etc_passwd_no_duplicate_user_group_ids" />
+ </criteria>
+
+ </definition>
+
+ <!-- collect information about all users -->
+ <unix:password_object id="obj_all_user_group_ids" version="1">
+ <unix:username operation="pattern match">^(?!sync|shutdown|halt|operator).*</unix:username>
+ </unix:password_object>
+
+ <!-- variable storing count of all uids - including duplicates -->
+ <local_variable id="variable_count_of_all_user_group_ids" datatype="int" version="1"
+ comment="Count of all group ids (including duplicates if any)">
+ <count>
+ <object_component item_field="group_id" object_ref="obj_all_user_group_ids" />
+ </count>
+ </local_variable>
+
+ <!-- Turn the OVAL variable representing count of user ids into OVAL object
+ (for use in <variable_test> below)-->
+ <ind:variable_object id="obj_count_of_all_user_group_ids" version="1">
+ <ind:var_ref>variable_count_of_all_user_group_ids</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- OVAL variable to hold the count of unique user ids defined in /etc/passwd -->
+ <local_variable id="variable_count_of_unique_user_group_ids" datatype="int" version="1"
+ comment="Count of unique group ids">
+ <count>
+ <unique>
+ <object_component item_field="group_id" object_ref="obj_all_user_group_ids" />
+ </unique>
+ </count>
+ </local_variable>
+
+ <!-- this state checks that both counts (unique and non-unique) are the same -->
+ <ind:variable_state id="state_no_duplicate_user_group_ids" version="1">
+ <ind:value var_ref="variable_count_of_unique_user_group_ids" datatype="int"
+ operation="equals" var_check="at least one" />
+ </ind:variable_state>
+
+ <ind:variable_test id="test_etc_passwd_no_duplicate_user_group_ids" check="all" check_existence="all_exist"
+ comment="There should not exist duplicate user group ids in /etc/passwd" version="1">
+ <ind:object object_ref="obj_count_of_all_user_group_ids" />
+ <ind:state state_ref="state_no_duplicate_user_group_ids" />
+ </ind:variable_test>
+
+</def-group>
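Review bot: The negative lookahead in `^(?!sync|shutdown|halt|operator).*` at L1178 is not anchored at the end of the name, so any account whose name merely starts with one of those strings (e.g. `operator2`, `halted`) is also silently exempted from the duplicate-GID check; write it as `^(?!(sync|shutdown|halt|operator)$).*` so only the four exact names are skipped. The exemption itself is not explained anywhere in the file — a short comment such as `<!-- sync/shutdown/halt/operator share the root primary group on default installs and are deliberately excluded -->` would tell the next maintainer why these names are special, assuming that is the reason. The comment at L1181 still says "count of all uids" although this variable counts group IDs; mirror L1195 and say "group ids". Note also that many deployments intentionally give several users the same primary group (for instance a shared `users` group), so this rule is likely to flag legitimate configurations; the rule description should make that trade-off explicit.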
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml
new file mode 100644
index 0000000..01b1ea9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_group_id/rule.yml
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Accounts on the System Have Unique Master Group IDs'
+
+description: 'Change user master group IDs, or delete accounts.'
+
+rationale: 'To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.'
+
+severity: medium
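Review bot: The description at L1230 does not tell the reader what the check actually evaluates: that it requires every account's primary GID in /etc/passwd to be unique, and that the OVAL exempts the `sync`, `shutdown`, `halt` and `operator` accounts. Without this, an administrator who sees a failure for two ordinary users sharing a primary group has no way to tell whether that is intended. Suggest expanding the description to state the scope and the exemptions, e.g. `description: 'Ensure each account in /etc/passwd has a distinct primary group ID (the sync, shutdown, halt and operator accounts are exempt). Change the primary group of conflicting accounts, or delete them.'`.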
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml
new file mode 100644
index 0000000..491ad45
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml
@@ -0,0 +1,51 @@
+<def-group>
+ <definition class="compliance" id="account_unique_id" version="1">
+ {{{ oval_metadata("All accounts on the system should have unique IDs for proper accountability.") }}}
+ <criteria comment="There should not exist duplicate user IDs entries in /etc/passwd">
+ <criterion test_ref="test_etc_passwd_no_duplicate_user_ids" />
+ </criteria>
+
+ </definition>
+
+ <!-- collect information about all users -->
+ <unix:password_object id="obj_all_uids" version="1">
+ <unix:username operation="pattern match">.*</unix:username>
+ </unix:password_object>
+
+ <!-- variable storing count of all uids - including duplicates -->
+ <local_variable id="variable_count_of_all_uids" datatype="int" version="1"
+ comment="Count of all uids (including duplicates if any)">
+ <count>
+ <object_component item_field="user_id" object_ref="obj_all_uids" />
+ </count>
+ </local_variable>
+
+ <!-- Turn the OVAL variable representing count of user ids into OVAL object
+ (for use in <variable_test> below)-->
+ <ind:variable_object id="obj_count_of_all_uids" version="1">
+ <ind:var_ref>variable_count_of_all_uids</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- OVAL variable to hold the count of unique user ids defined in /etc/passwd -->
+ <local_variable id="variable_count_of_unique_uids" datatype="int" version="1"
+ comment="Count of unique uids">
+ <count>
+ <unique>
+ <object_component item_field="user_id" object_ref="obj_all_uids" />
+ </unique>
+ </count>
+ </local_variable>
+
+ <!-- this state checks that both counts (unique and non-unique) are the same -->
+ <ind:variable_state id="state_no_duplicate_uids" version="1">
+ <ind:value var_ref="variable_count_of_unique_uids" datatype="int"
+ operation="equals" var_check="at least one" />
+ </ind:variable_state>
+
+ <ind:variable_test id="test_etc_passwd_no_duplicate_user_ids" check="all" check_existence="all_exist"
+ comment="There should not exist duplicate user ids in /etc/passwd" version="1">
+ <ind:object object_ref="obj_count_of_all_uids" />
+ <ind:state state_ref="state_no_duplicate_uids" />
+ </ind:variable_test>
+
+</def-group>
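Review bot: The object at L1251–L1253 matches every account (`.*`), so any duplicate UID is reported as a failure, while the STIG text added for the same rule (hunk at L1298–L1312) scopes the finding to interactive user accounts; the automated check and the manual checktext will disagree on systems where only system accounts share a UID. Either narrow the object to interactive users (the `create_interactive_users_list_object` macro used at L1770 in this patch looks like the project's way to do that) or drop "interactive" from the checktext so both say the same thing. The comments at L1244 and L1286 refer to /etc/passwd, but a `unix:password_object` is presumably resolved through the system account database rather than the file alone — worth confirming and wording the comments accordingly.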
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml
new file mode 100644
index 0000000..cfe5f91
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/policy/stig/shared.yml
@@ -0,0 +1,15 @@
+srg_requirement: |-
+ {{{ full_name }}} duplicate User IDs (UIDs) must not exist for interactive users.
+
+vuldiscussion: |-
+ To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+checktext: |-
+ Verify that {{{ full_name }}} contains no duplicate User IDs (UIDs) for interactive users with the following command:
+
+ $ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
+
+ If output is produced and the accounts listed are interactive user accounts, this is a finding.
+
+fixtext: |-
+ Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate User ID (UID) with a unique UID.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
new file mode 100644
index 0000000..687a0c3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Accounts on the System Have Unique User IDs'
+
+description: 'Change user IDs (UIDs), or delete accounts, so each has a unique id.'
+
+rationale: 'To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.'
+
+severity: medium
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh
new file mode 100644
index 0000000..645c46e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+# remediation = none
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh
new file mode 100644
index 0000000..cc7f221
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# remediation = none
+
+echo "test_user:x:30090:30090:Test User:/home/test_user:/usr/bin/bash" >> /etc/passwd
+echo "test_user_2:x:30090:30090:Test User 2:/home/test_user_2:/usr/bin/bash" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml
new file mode 100644
index 0000000..e2047d9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="accounts_are_necessary" version="1">
+ <metadata>
+ <title>All Accounts are Necessary</title>
+ <affected family="unix">
+ <platform>openEuler 22.03LTS</platform>
+ </affected>
+ <description>All Accounts are Necessary</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Check /etc/passwd all accounts are necessary" test_ref="accounts_are_necessary_test" />
+ </criteria>
+ </definition>
+
+ <unix:password_object id="accounts_are_necessary_object" version="1">
+ <unix:username datatype="string" operation="pattern match">.*</unix:username>
+ </unix:password_object>
+
+ <unix:password_test xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+ check="all" check_existence="none_exist" comment="List all accounts on the system"
+ id="accounts_are_necessary_test" version="1">
+ <unix:object object_ref="accounts_are_necessary_object" />
+ </unix:password_test>
+</def-group>
+
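Review bot: `check_existence="none_exist"` at L1374 on an object that matches every username (`.*` at L1370) makes this definition fail on any system with a root account, so the rule will always report a hard fail rather than a manual or notchecked result; the rule description itself says the item "can not be scanned automatically". If the intent is a manual review, ship the rule without OVAL so the scanner reports it as not checked, or at least document in a comment that the definition is designed to always fail and only serves to surface the account list. The same always-fail construction is used in `login_accounts_are_necessary` (hunk at L1623–L1651). As a style point, the metadata here is written out by hand (L1357–L1363) while the sibling definitions in this patch use `{{{ oval_metadata("...") }}}` (e.g. L1169); using the macro keeps the platform list consistent across products.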
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml
new file mode 100644
index 0000000..143fe8a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_are_necessary/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'All Accounts Are Necessary'
+
+description: |-
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>If any account is not necessary, it should be removed from <tt>/etc/passwd</tt>.</p>
+ <ul>
+ <li>Use below cli command to list all accounts in system:
+ <pre># cat /etc/passwd | awk -F ":" '{print $1}'</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ It is a risk if an account exists in system but it is not necessary.
+
+severity: medium
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml
new file mode 100644
index 0000000..b3425ec
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/oval/shared.xml
@@ -0,0 +1,50 @@
+<def-group>
+ <definition class="compliance" id="{{{rule_id}}}" version="1">
+ {{{ oval_metadata("All groups on the system should have unique names for proper accountability.") }}}
+ <criteria comment="There should not exist duplicate group ids entries in /etc/passwd">
+ <criterion test_ref="test_etc_group_no_duplicate_group_ids"/>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_object id="obj_all_group_ids" version="1" comment="Get all group ids">
+ <ind:filepath>/etc/group</ind:filepath>
+ <ind:pattern operation="pattern match">^.+:.+:(\d+):.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <!-- variable storing count of all group ids - including duplicates -->
+ <local_variable id="variable_count_of_all_group_ids" datatype="int" version="1"
+ comment="Count of all group ids (including duplicates if any)">
+ <count>
+ <object_component item_field="subexpression" object_ref="obj_all_group_ids"/>
+ </count>
+ </local_variable>
+
+ <!-- OVAL variable to hold the count of unique group ids defined in /etc/group -->
+ <local_variable id="variable_count_of_unique_group_ids" datatype="int" version="1"
+ comment="Count of unique group ids">
+ <count>
+ <unique>
+ <object_component item_field="subexpression" object_ref="obj_all_group_ids"/>
+ </unique>
+ </count>
+ </local_variable>
+
+ <!-- Turn the OVAL variable representing count of user ids into OVAL object
+ (for use in <variable_test> below)-->
+ <ind:variable_object id="obj_count_of_all_group_ids" version="1">
+ <ind:var_ref>variable_count_of_all_group_ids</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- this state checks that both counts (unique and non-unique) are the same -->
+ <ind:variable_state id="state_no_duplicate_group_ids" version="1">
+ <ind:value var_ref="variable_count_of_unique_group_ids" datatype="int"
+ operation="equals" var_check="at least one"/>
+ </ind:variable_state>
+
+ <ind:variable_test id="test_etc_group_no_duplicate_group_ids" check="all" check_existence="all_exist"
+ comment="There should not exist duplicate group ids in /etc/passwd" version="1">
+ <ind:object object_ref="obj_count_of_all_group_ids"/>
+ <ind:state state_ref="state_no_duplicate_group_ids"/>
+ </ind:variable_test>
+</def-group>
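Review bot: Several comments in this new file were copied from the user-ID check and describe the wrong thing: the metadata at L1414 says "unique names" although this definition checks group IDs, and the criteria comment at L1415 and the test comment at L1457 say "/etc/passwd" while the object at L1421 reads `/etc/group`. Suggest `{{{ oval_metadata("All groups on the system should have unique group IDs for proper accountability.") }}}` and `comment="There should not exist duplicate group ids in /etc/group"` in both places. The same `/etc/passwd` mix-up appears in `group_unique_name` at L1531 and L1573, and the STIG checktext at L1475 speaks of "interactive users" although groups have no such property; the rule description at L1495 also says "Change the group name" for an ID-uniqueness rule. The pattern `^.+:.+:(\d+):.*$` at L1422 requires a non-empty password field, so a group line with an empty second field would be skipped — if that is possible on the target, `[^:]*` is safer than `.+`.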
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml
new file mode 100644
index 0000000..6944a01
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/policy/stig/shared.yml
@@ -0,0 +1,15 @@
+srg_requirement: |-
+ {{{ full_name }}} groups must have unique Group ID (GID).
+
+vuldiscussion: |-
+ To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.
+
+checktext: |-
+ Verify that {{{ full_name }}} contains no duplicate Group IDs (GID) for interactive users with the following command:
+
+ $ cut -d : -f 3 /etc/group | uniq -d
+
+ If the system has duplicate group ids, this is a finding.
+
+fixtext: |-
+ Edit the file "/etc/group" and provide each group that has a duplicate Group ID (GID) with a unique GID.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
new file mode 100644
index 0000000..66925eb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Groups on the System Have Unique Group ID'
+
+description: 'Change the group name or delete groups, so each has a unique id.'
+
+rationale: 'To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.'
+
+severity: medium
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh
new file mode 100644
index 0000000..031b46c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/correct_value.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# remediation = no
+
+groupadd cac_test$(date +%s)
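Review bot: The scenario header at L1508 reads `# remediation = no`, while the other test scenarios added in this patch use `# remediation = none` (L1337, L1345), which is the value the upstream test suite documents; if the harness only recognizes the documented keywords this scenario will be rejected or treated as remediable. Change it to `# remediation = none` here and in the sibling scenarios at L1518, L1603 and L1613.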
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh
new file mode 100644
index 0000000..d8d9f7e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/tests/wrong_value.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# remediation = no
+
+echo "testgroup1:x:1004:" >> /etc/group
+echo "testgroup:x:1004:" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
new file mode 100644
index 0000000..a1d46bb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
@@ -0,0 +1,50 @@
+<def-group>
+ <definition class="compliance" id="{{{rule_id}}}" version="1">
+ {{{ oval_metadata("All groups on the system should have unique names for proper accountability.") }}}
+ <criteria comment="There should not exist duplicate group names entries in /etc/passwd">
+ <criterion test_ref="test_etc_group_no_duplicate_group_names"/>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_object id="obj_all_group_names" version="1" comment="Get all group names">
+ <ind:filepath>/etc/group</ind:filepath>
+ <ind:pattern operation="pattern match">^(.+):.+</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <!-- variable storing count of all group names - including duplicates -->
+ <local_variable id="variable_count_of_all_group_names" datatype="int" version="1"
+ comment="Count of all group names (including duplicates if any)">
+ <count>
+ <object_component item_field="subexpression" object_ref="obj_all_group_names"/>
+ </count>
+ </local_variable>
+
+ <!-- OVAL variable to hold the count of unique group names defined in /etc/group -->
+ <local_variable id="variable_count_of_unique_group_names" datatype="int" version="1"
+ comment="Count of unique group names">
+ <count>
+ <unique>
+ <object_component item_field="subexpression" object_ref="obj_all_group_names"/>
+ </unique>
+ </count>
+ </local_variable>
+
+ <!-- Turn the OVAL variable representing count of user ids into OVAL object
+ (for use in <variable_test> below)-->
+ <ind:variable_object id="obj_count_of_all_group_names" version="1">
+ <ind:var_ref>variable_count_of_all_group_names</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- this state checks that both counts (unique and non-unique) are the same -->
+ <ind:variable_state id="state_no_duplicate_group_names" version="1">
+ <ind:value var_ref="variable_count_of_unique_group_names" datatype="int"
+ operation="equals" var_check="at least one"/>
+ </ind:variable_state>
+
+ <ind:variable_test id="test_etc_group_no_duplicate_group_names" check="all" check_existence="all_exist"
+ comment="There should not exist duplicate group names in /etc/passwd" version="1">
+ <ind:object object_ref="obj_count_of_all_group_names"/>
+ <ind:state state_ref="state_no_duplicate_group_names"/>
+ </ind:variable_test>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
new file mode 100644
index 0000000..d3bc722
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Groups on the System Have Unique Group Names'
+
+description: 'Change the group name or delete groups, so each has a unique name.'
+
+rationale: 'To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.'
+
+severity: medium
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
new file mode 100644
index 0000000..031b46c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# remediation = no
+
+groupadd cac_test$(date +%s)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
new file mode 100644
index 0000000..e375c55
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# remediation = no
+
+echo "testgroup:x:1004:" >> /etc/group
+echo "testgroup:x:1005:" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml
new file mode 100644
index 0000000..ac39f98
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/oval/shared.xml
@@ -0,0 +1,30 @@
+<def-group>
+ <definition class="compliance" id="login_accounts_are_necessary" version="1">
+ <metadata>
+ <title>All Login Accounts are Necessary</title>
+ <affected family="unix">
+ <platform>openEuler 22.03LTS</platform>
+ </affected>
+ <description>All Login Accounts are Necessary</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Check /etc/passwd all login accounts are necessary" test_ref="login_accounts_are_necessary_test" />
+ </criteria>
+ </definition>
+
+ <unix:password_state id="login_accounts_are_necessary_state" version="1">
+ <unix:login_shell operation="pattern match">.*nologin.*</unix:login_shell>
+ </unix:password_state>
+
+ <unix:password_object id="login_accounts_are_necessary_object" version="1">
+ <unix:username datatype="string" operation="pattern match">.*</unix:username>
+ <filter action="exclude">login_accounts_are_necessary_state</filter>
+ </unix:password_object>
+
+ <unix:password_test xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+ check="all" check_existence="none_exist" comment="List all login accounts on the system"
+ id="login_accounts_are_necessary_test" version="1">
+ <unix:object object_ref="login_accounts_are_necessary_object" />
+ </unix:password_test>
+</def-group>
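Review bot: The state at L1638 treats only shells matching `.*nologin.*` as non-login, but the rule's own description (hunk at L1659–L1689, L1672 and L1675) also treats `/bin/false` as a non-login shell, so accounts using `/bin/false` are counted as login accounts by the OVAL and as non-login by the manual procedure. Align the two, e.g. `<unix:login_shell operation="pattern match">(/sbin/nologin|/bin/false)$</unix:login_shell>`, or narrow the description. As with `accounts_are_necessary`, `check_existence="none_exist"` at L1647 means the test fails whenever root exists; if the rule is meant as a manual review that should be stated in a comment or the OVAL dropped.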
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml
new file mode 100644
index 0000000..7fd34bc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/login_accounts_are_necessary/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'All Login Accounts Are Necessary'
+
+description: |-
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ If any account need not login, it should be removed from <tt>/etc/passwd</tt>
+ or it should be marked by <tt>"nologin"</tt>.
+ <p>It can be checked as below cli commands:</p>
+ <ul>
+ <li>List all nologin accounts, then check it manually:
+ <pre># cat /etc/passwd | grep "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'</pre>
+ </li>
+ <li>List all login accounts, then check it manually:
+ <pre># cat /etc/passwd | grep -v "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'</pre>
+ </li>
+ <li>List all accounts which the password are locked:
+ <pre># cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2=="L" || $2=="LK") {print $1}'</pre>
+ </li>
+ <li>List all accounts which the password are not locked:
+ <pre># cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2!="L" &amp;&amp; $2!="LK") {print $1}'</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ It is a risk if an account can login system but it is not necessary.
+
+severity: medium
+
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index d41a0eb..d667d96 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -10,6 +10,12 @@ description: |-
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is <tt><sub idref="var_accounts_maximum_age_login_defs" /></tt>.
+ {{% if product in ["openeuler2203"] %}}
+ <br />
+ Considering the usability of the community release of openEuler in different scenarios,
+ the password expiration time is not configured in the openEuler release by default.
+ Please set the password expiration time based on the site requirements.
+ {{% endif %}}
rationale: |-
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
index 34d605b..781cd3f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
@@ -7,7 +7,8 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhel</platform>
- <platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>All GIDs referenced in /etc/passwd must be defined in /etc/group.</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
index c68effb..bcb50bd 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
@@ -8,6 +8,7 @@
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>Checks interactive shell timeout</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index cdfa67d..437abe6 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: 'Set Interactive Session Timeout'
@@ -9,6 +9,11 @@ description: |-
all user sessions will terminate based on inactivity. The <tt>TMOUT</tt>
setting in <tt>/etc/profile</tt> should read as follows:
<pre>TMOUT=<sub idref="var_accounts_tmout" /></pre>
+ {{% if product in ["openeuler2203"] %}}
+ Considering the usability of the community release of openEuler in different scenarios,
+ the session timeout interval is not configured by default in the openEuler release.
+ Please configure the session timeout interval based on the site requirements.
+ {{% endif %}}
rationale: |-
Terminating an idle session within a short time period reduces
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
new file mode 100644
index 0000000..56b3396
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
@@ -0,0 +1,83 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("All Interactive Users Home Directories Must Exist") }}}
+ <criteria operator="OR">
+ <criterion test_ref="test_accounts_user_interactive_home_directory_exists"
+ comment="All Interactive Users Home Directories Must Exist"/>
+ <criterion test_ref="test_accounts_user_interactive_home_directory_exists_users"
+ comment="Interactive users don't exist on the system"/>
+ </criteria>
+ </definition>
+
+ {{%- set interactive_users_object = "object_" ~ rule_id ~ "_objects" -%}}
+ {{{ create_interactive_users_list_object(interactive_users_object) }}}
+
+ <!-- #### create a local variable composed by the list of home dirs from /etc/passwd #### -->
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_list"
+ datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="{{{ interactive_users_object }}}"/>
+ </local_variable>
+
+ <!-- #### create a local variable composed by the number of home dirs from /etc/passwd #### -->
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_count"
+ datatype="int" version="1"
+ comment="Variable including expected count of home dirs present on the system">
+ <count>
+ <variable_component var_ref="var_accounts_user_interactive_home_directory_exists_dirs_list"/>
+ </count>
+ </local_variable>
+
+ <!-- #### create a file_object to check existence of home dirs on file system #### -->
+ <unix:file_object id="object_accounts_user_interactive_home_directory_exists_dirs_fs"
+ version="1">
+ <unix:path var_ref="var_accounts_user_interactive_home_directory_exists_dirs_list"
+ var_check="at least one"/>
+ <unix:filename xsi:nil="true"/>
+ </unix:file_object>
+
+ <!-- #### create a local variable with the number of home dirs present on file system #### -->
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_count_fs"
+ datatype="int" version="1"
+ comment="Variable including number of home dirs present on file system">
+ <count>
+ <object_component item_field="path"
+ object_ref="object_accounts_user_interactive_home_directory_exists_dirs_fs"/>
+ </count>
+ </local_variable>
+
+ <!-- #### create a variable object with count of home dirs from file system #### -->
+ <ind:variable_object id="object_accounts_user_interactive_home_directory_exists_dirs_count_fs"
+ version="1">
+ <ind:var_ref>var_accounts_user_interactive_home_directory_exists_dirs_count_fs</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- #### create a variable state with count of home dirs from /etc/passwd #### -->
+ <ind:variable_state id="state_accounts_user_interactive_home_directory_exists_dirs_count_pw"
+ version="1">
+ <ind:value datatype="int" operation="equals" var_check="at least one"
+ var_ref="var_accounts_user_interactive_home_directory_exists_dirs_count"/>
+ </ind:variable_state>
+
+ <!-- #### test_accounts_user_interactive_home_directory_exists #### -->
+ <ind:variable_test id="test_accounts_user_interactive_home_directory_exists" check="all"
+ check_existence="at_least_one_exists" version="1"
+ comment="Check the existence of interactive users.">
+ <ind:object object_ref="object_accounts_user_interactive_home_directory_exists_dirs_count_fs"/>
+ <ind:state state_ref="state_accounts_user_interactive_home_directory_exists_dirs_count_pw"/>
+ </ind:variable_test>
+
+ <!-- #### create of variable object with count of home dirs from /etc/passwd #### -->
+ <ind:variable_object id="object_accounts_user_interactive_home_directory_exists_dirs_count_pw"
+ version="1">
+ <ind:var_ref>var_accounts_user_interactive_home_directory_exists_dirs_count</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- #### test_accounts_user_interactive_home_directory_exists_users #### -->
+ <ind:variable_test id="test_accounts_user_interactive_home_directory_exists_users" check="all"
+ check_existence="none_exist" version="1"
+ comment="Check the existence of interactive users.">
+ <ind:object object_ref="object_accounts_user_interactive_home_directory_exists_dirs_count_pw"/>
+ </ind:variable_test>
+</def-group>
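Review bot: Both tests carry the same comment "Check the existence of interactive users." (L1823 and L1837), but only the second test does that; the first compares the number of home directories found on the file system with the number listed for interactive users. Suggest `comment="Check that every interactive user's home directory exists on the file system."` at L1823 so a scan report distinguishes the two results. It would also help to note in the header comment that the definition passes when no interactive users exist, which is what the `operator="OR"` at L1761 together with the `none_exist` test achieves.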
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index d51679f..6163f3d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,rhel8,rhv4,wrlinux1019
+prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'All Interactive Users Home Directories Must Exist'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
index 73e457d..9bbd226 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
@@ -6,6 +6,7 @@
<platform>multi_platform_rhel</platform>
<platform>multi_platform_wrlinux</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The default umask for users of the bash shell</description>
</metadata>
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 9b189bc..a6d933c 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel6,rhel7,rhel8
+prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8
title: 'Ensure the Default Bash Umask is Set Correctly'
@@ -9,6 +9,13 @@ description: |-
add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read
as follows:
<pre>umask <sub idref="var_accounts_user_umask" /></pre>
+ {{% if product in ["openeuler2203"] %}}
+ After UMASK is set to 077, the default permission on the created file is 600,
+ and the default permission on the directory is 700.
+ Considering the usability of the community release of openEuler in different scenarios,
+ the openEuler release does not configure the UMASK by default.
+ Please configure the UMASK based on the site requirements.
+ {{% endif %}}
rationale: |-
The umask value influences the permissions assigned to files when they are created.
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
index 7e6b11a..6271928 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure the Default Umask is Set Correctly For Interactive Users'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml
new file mode 100644
index 0000000..40d201e
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/oval/shared.xml
@@ -0,0 +1,20 @@
+<def-group>
+ <definition class="compliance" id="grub2_nosmap_argument_absent" version="1">
+ {{{ oval_metadata("SMAP should not be set.") }}}
+ <criteria comment="SMAP not set">
+ <criterion test_ref="test_grub2_nosmap_argument_absent" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="No SMAP" id="test_grub2_nosmap_argument_absent" version="1">
+ <ind:object object_ref="obj_grub2_nosmap_argument_absent" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_grub2_nosmap_argument_absent" version="1">
+ <ind:filepath>/proc/cmdline</ind:filepath>
+ <ind:pattern operation="pattern match">^.*nosmap.*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+
+</def-group>
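Review bot: The test only reads `/proc/cmdline` (the object's `<ind:filepath>` line), so it reflects the kernel that is currently running rather than the boot configuration the title and the rule description refer to: a `nosmap` still present in `/etc/default/grub` or the generated grub config passes until the next reboot, and a `grubby --remove-args` fix keeps failing until then. The substring pattern `^.*nosmap.*$` also fires on the token embedded inside any longer value; `(^|\s)nosmap(\s|$)` is the tighter form. Consider ANDing a second `textfilecontent54_test` on the bootloader configuration with this runtime one, if the project's `grub2_bootloader_argument_absent` template cannot be used for this product. The metadata text `SMAP should not be set.` states the opposite of what the rule enforces; `The nosmap kernel argument must not be present.` reads correctly.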
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
new file mode 100644
index 0000000..51dab28
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Ensure SMAP is not disabled during boot'
+
+description: |-
+ The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
+ memory pages in the user space, it is enabled by default since Linux kernel 3.7.
+ But it could be disabled through kernel boot parameters.
+
+ Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by
+ the <tt>nosmap</tt> boot paramenter option.
+
+ Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+ doesn't contain the argument <tt>nosmap</tt>.
+ Run the following command to update command line for already installed kernels:
+ <pre># grubby --update-kernel=ALL --remove-args="nosmap"</pre>
+
+rationale: |-
+ Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and
+ manipulation of data in the user space.
+
+severity: medium
+
+platform: machine
+
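Review bot: This rule has no `prodtype` line, unlike the other rules added in this patch (`no_empty_symlink_files`, `no_hide_exec_files`, `package_python2_removed` all carry `prodtype: openeuler2203`), so if the build treats a missing `prodtype` as "all products" it will land in every product's content. The description tells the admin to check `/etc/default/grub` and run grubby, while the OVAL for this rule inspects `/proc/cmdline`, so check and instructions disagree about which artefact is authoritative; state in the description that the automated check verifies the running kernel and that the `/etc/default/grub` edit is what keeps future kernel installs from re-adding the argument. Typo: `boot paramenter option` → `boot parameter option`.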
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml
new file mode 100644
index 0000000..359bc84
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/oval/shared.xml
@@ -0,0 +1,20 @@
+<def-group>
+ <definition class="compliance" id="grub2_nosmep_argument_absent" version="1">
+ {{{ oval_metadata("SMEP should not be set.") }}}
+ <criteria comment="SMEP not set">
+ <criterion test_ref="test_grub2_nosmep_argument_absent" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="No SMEP" id="test_grub2_nosmep_argument_absent" version="1">
+ <ind:object object_ref="obj_grub2_nosmep_argument_absent" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_grub2_nosmep_argument_absent" version="1">
+ <ind:filepath>/proc/cmdline</ind:filepath>
+ <ind:pattern operation="pattern match">^.*nosmep.*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+
+</def-group>
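Review bot: Reading `/proc/cmdline` verifies only the running kernel, so a `nosmep` that is persisted in the bootloader configuration but not yet booted passes, and the substring pattern `^.*nosmep.*$` matches the token inside any longer parameter value. Use `(^|\s)nosmep(\s|$)` and pair the runtime test with one on the bootloader configuration. The metadata text `SMEP should not be set.` inverts the intent; `The nosmep kernel argument must not be present.` is what the rule actually checks.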
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
new file mode 100644
index 0000000..f39bbb7
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Ensure SMEP is not disabled during boot'
+
+description: |-
+ The SMEP is used to prevent the supervisor mode from executing user space code,
+ it is enabled by default since Linux kernel 3.0. But it could be disabled through
+ kernel boot parameters.
+
+ Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+ the <tt>nosmep</tt> boot paramenter option.
+
+ Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+ doesn't contain the argument <tt>nosmep</tt>.
+ Run the following command to update command line for already installed kernels:
+ <pre># grubby --update-kernel=ALL --remove-args="nosmep"</pre>
+
+rationale: |-
+ Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+ the kernel to unintentionally execute code in less privileged memory space.
+
+severity: medium
+
+platform: machine
+
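Review bot: As with the nosmap rule, there is no `prodtype` line here although the other new openEuler rules in this patch pin `prodtype: openeuler2203`, so the rule may be built for every product if a missing `prodtype` means "all". The description points the admin at `/etc/default/grub` and grubby while the check reads `/proc/cmdline`; say which one the automated check verifies so a reader is not surprised by a failing result after editing the file. Typo: `boot paramenter option` → `boot parameter option`.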
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
index d12c53c..0c629cb 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
title: 'Set the UEFI Boot Loader Password'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml
index 12df194..18a5974 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml
@@ -6,6 +6,7 @@
<platform>Red Hat Virtualization 4</platform>
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhel</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>The sticky bit should be set for all world-writable directories.</description>
</metadata>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
index ed85608..d364e2b 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
@@ -7,6 +7,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>All files should be owned by a group</description>
</metadata>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index e51cd7e..efd5046 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure All Files Are Owned by a Group'
diff --git a/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml b/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml
new file mode 100644
index 0000000..5db67ea
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/no_empty_symlink_files/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Symlink Files Have Canonical Path'
+
+description: |-
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+ <p>If any symlink files have no camonical path, it should be removed.</p>
+ <ul>
+ <li>You can use below cli command to find out all symlink files which have no canonical path under current path:
+ <pre># find ./ -type l -follow</pre>
+ </li>
+ <li>Or find it under root path bug exclude some dirs:
+ <pre># find / -path /var -prune -o -path /run -prune -o -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -type l -follow</pre>
+ </li>
+ <li>Or find it under the whole disk partition:
+ <pre># find / -xdev -type l -follow</pre>
+ </li>
+ </ul>
+
+rationale: |-
+ If any symlink files have no camonical path, it should be removed.
+
+severity: medium
+
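Review bot: The rationale restates the description instead of naming the risk, and the title speaks of a "canonical path" while the `find … -type l -follow` commands actually list dangling symlinks (links whose target does not exist). A rationale a reviewer can act on: `A dangling symlink can be silently re-targeted by anyone allowed to create the missing path; a privileged process that later follows the link then operates on attacker-controlled content.` `-follow` is the deprecated spelling of `-L`, which belongs before the start path: `find -L / -xdev -type l`. Typos: `camonical` (twice) → `canonical`, `root path bug exclude` → `root path but exclude`. Since the text says the rule cannot be scanned automatically, it should also carry the `ocil_clause`/`ocil` entries this repository uses for manual checks, if that is the convention, so the procedure appears in the generated guide.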
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml
index 75d95d4..64429cc 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml
@@ -6,6 +6,7 @@
<platform>Red Hat Virtualization 4</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>All files should be owned by a user</description>
</metadata>
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index f2fb1f2..2903767 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
title: 'Ensure All Files Are Owned by a User'
diff --git a/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml b/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml
new file mode 100644
index 0000000..107fed0
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/no_hide_exec_files/oval/shared.xml
@@ -0,0 +1,40 @@
+<def-group>
+ <definition class="compliance" id="no_hide_exec_files" version="1">
+ <metadata>
+ <title>All hidden executable files</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Find out all hidden executable files</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Check all hidden exec files" test_ref="test_no_hide_exec_files" />
+ </criteria>
+ </definition>
+
+ <unix:file_state id="symlink_file_list_match" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
+
+ <unix:file_state id="exec_file_list_match" version="1">
+ <unix:type operation="equals">regular</unix:type>
+ <unix:uexec datatype="boolean">false</unix:uexec>
+ <unix:gexec datatype="boolean">false</unix:gexec>
+ <unix:oexec datatype="boolean">false</unix:oexec>
+ </unix:file_state>
+
+ <unix:file_object comment="all local files" id="object_no_hide_exec_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="local" />
+ <unix:path>/</unix:path>
+ <unix:filename operation="pattern match">^\..*</unix:filename>
+ <filter action="exclude">symlink_file_list_match</filter>
+ <filter action="exclude">exec_file_list_match</filter>
+ </unix:file_object>
+
+ <unix:file_test xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+ check="all" check_existence="none_exist" comment="Check all exec files"
+ id="test_no_hide_exec_files" version="1">
+ <unix:object object_ref="object_no_hide_exec_files" />
+ </unix:file_test>
+</def-group>
+
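Review bot: The two `exclude` filters only discard symlinks and non-executable regular files, so every other hidden entry under `/` — hidden directories such as `.ssh`, `.config` or a `/usr/lib/.build-id` tree if present, plus sockets and FIFOs — stays in the collected set and makes `test_no_hide_exec_files` (`check_existence="none_exist"`) fail even when no hidden executable exists, assuming the file probe returns directory items for a name match as OpenSCAP's does. Replacing the symlink exclude with an `include` filter on `type = regular` and dropping `type` from the exec state leaves exactly the executable regular files. Walking from `/` with `recurse_file_system="local"` still visits every local filesystem including home directories, which is slow on large hosts; consider pruning `/home` and `/var` if evaluation time matters.
```xml
<unix:file_state id="regular_file_list_match" version="1">
  <unix:type operation="equals">regular</unix:type>
</unix:file_state>

<unix:file_state id="exec_file_list_match" version="1">
  <unix:uexec datatype="boolean">false</unix:uexec>
  <unix:gexec datatype="boolean">false</unix:gexec>
  <unix:oexec datatype="boolean">false</unix:oexec>
</unix:file_state>

<unix:file_object comment="all local files" id="object_no_hide_exec_files" version="1">
  <!-- … unchanged: behaviors, path, filename … -->
  <filter action="include">regular_file_list_match</filter>
  <filter action="exclude">exec_file_list_match</filter>
</unix:file_object>
```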
diff --git a/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml b/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml
new file mode 100644
index 0000000..5c8bc4b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/no_hide_exec_files/rule.yml
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Executable Files are not hidden'
+
+description: |-
+ Find out all hidden executable files from system.
+
+rationale: |-
+ If a executable file is hidden, it maybe will introduce risks, since it can not be fould easily
+
+severity: medium
+
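Review bot: The description says only "Find out all hidden executable files" and gives the admin nothing to do with a hit, and the rationale has typos (`fould` → `found`, `it maybe will introduce risks` → `it may introduce risk`). A description that states the expectation and the action: `Files whose names begin with a dot are normally configuration data, not programs. Review every hidden file that carries an execute bit and remove it (or clear the execute bit) unless its origin is known, since hidden executables are a common way to stash persistence scripts.` The rule id `no_hide_exec_files` would read better as `no_hidden_exec_files`, but renaming after the profile references it is a choice for the author.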
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 2408bd0..a5bd907 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -2,7 +2,13 @@ documentation_complete: true
title: 'Restrict Exposed Kernel Pointer Addresses Access'
-description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}'
+description: |-
+ {{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
+ {{% if product in ["openeuler2203"] %}}
+ To ensure easy maintenance and location,
+ the kptr_restrict parameter is set to 0 by default in the openEuler release.
+ Please set this parameter based on the site requirements.
+ {{% endif %}}
rationale: |-
Exposing kernel pointers (through procfs or <tt>seq_printf()</tt>) exposes
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index bf58274..0ccf428 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
title: 'Restrict Access to Kernel Message Buffer'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml
index 637b76d..cfb23ef 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml
@@ -6,6 +6,7 @@
<platform>multi_platform_fedora</platform>
<platform>Red Hat Enterprise Linux 8</platform>
<platform>Oracle Linux 8</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>SSH should be configured to use the system-wide crypto policy setting.</description>
</metadata>
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index b9d8b06..5442718 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol8,rhel8
+prodtype: fedora,ol8,openeuler2203,rhel8
title: 'Configure SSH to use System Crypto Policy'
diff --git a/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml
new file mode 100644
index 0000000..1147e9b
--- /dev/null
+++ b/linux_os/guide/system/software/system-tools/package_python2_removed/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Uninstall All Python2 Packages'
+
+description: |-
+ {{{ describe_package_remove(package="python2") }}}
+
+rationale: |-
+ python2 related packages should be removed.
+
+severity: medium
+
+template:
+ name: package_removed
+ vars:
+ pkgname: python2
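Review bot: The rationale `python2 related packages should be removed.` only repeats the title; the reason a reviewer needs is that Python 2 reached end of life on 2020-01-01 and receives no security fixes — `Python 2 reached end of life on 2020-01-01 and no longer receives security updates; any python2-* package keeps an unsupported interpreter and standard library on the system.` Note also that `describe_package_remove(package="python2")` and the `package_removed` template remediation target the single package name `python2`, while the OVAL special case this patch adds to `macros-oval.jinja` matches every `python2-*` package, so a host can still fail the check after the generated remediation has run.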
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml
index 600c7c0..26c1de9 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml
@@ -8,6 +8,7 @@
<platform>multi_platform_rhv</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
</affected>
<description>Ensure all yum or dnf repositories utilize signature checking.</description>
</metadata>
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
index fc460dc..e1b4280 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
title: 'Ensure gpgcheck Enabled for All {{{ pkg_manager }}} Package Repositories'
diff --git a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
index 986a804..f0eb8a8 100644
--- a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
+++ b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
@@ -7,4 +7,65 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_openeuler2203</check>
</cpe-item>
+ <cpe-item name="cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server">
+ <title xml:lang="en-us">openEuler 22.03 LTS</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_openeuler2203</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server">
+ <title xml:lang="en-us">openEuler 22.03 LTS</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_openeuler2203</check>
+ </cpe-item>
+
+ <cpe-item name="cpe:/a:container">
+ <title xml:lang="en-us">Container</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_container</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:machine">
+ <title xml:lang="en-us">Bare-metal or Virtual Machine</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_machine</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:gdm">
+ <title xml:lang="en-us">Package gdm is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:libuser">
+ <title xml:lang="en-us">Package libuser is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_libuser_package</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:nss-pam-ldapd">
+ <title xml:lang="en-us">Package nss-pam-ldapd is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_nss-pam-ldapd_package</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:pam">
+ <title xml:lang="en-us">Package pam is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_pam_package</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:login_defs">
+ <title xml:lang="en-us">Package providing /etc/login.defs is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_login_defs</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:sssd">
+ <title xml:lang="en-us">Package sssd-common is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_sssd-common_package</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:systemd">
+ <title xml:lang="en-us">Package systemd is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_systemd_package</check>
+ </cpe-item>
+ <cpe-item name="cpe:/a:yum">
+ <title xml:lang="en-us">Package yum is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
+ </cpe-item>
</cpe-list>
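Review bot: The three `cpe:/o:openEuler:openEuler:22.03LTS*` items all point at the one inventory definition `installed_OS_is_openeuler2203`, which this patch does not touch; unless that definition already matches the SP1 and SP2 release strings, hosts running a service pack will be evaluated as not applicable rather than checked (the definition is not visible here, so please confirm). The SP1 and SP2 entries also carry the GA title `openEuler 22.03 LTS`; `openEuler 22.03 LTS SP1` / `openEuler 22.03 LTS SP2` keeps the generated platform list distinguishable.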
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
index 6fd9707..7f6f0e3 100644
--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
@@ -9,3 +9,88 @@ description: |-
selections:
- package_telnet_removed
+ - package_tftp-server_removed
+ - package_tftp_removed
+ - package_net-snmp_removed
+ - accounts_no_uid_except_zero
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_owner_etc_gshadow
+ - file_groupowner_etc_gshadow
+ - file_permissions_etc_gshadow
+ - accounts_user_interactive_home_directory_exists
+ - gid_passwd_group_same
+ - var_password_pam_minlen=8
+ - accounts_password_pam_minlen
+ - accounts_password_pam_minclass
+ - var_password_pam_ucredit=0
+ - accounts_password_pam_ucredit
+ - var_password_pam_lcredit=0
+ - accounts_password_pam_lcredit
+ - var_password_pam_dcredit=0
+ - accounts_password_pam_dcredit
+ - var_password_pam_ocredit=0
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_retry
+ - accounts_password_pam_unix_remember
+ - set_password_hashing_algorithm_systemauth
+ - accounts_maximum_age_login_defs
+ - var_accounts_minimum_age_login_defs=0
+ - accounts_minimum_age_login_defs
+ - accounts_password_warn_age_login_defs
+ - sshd_disable_empty_passwords
+ - grub2_uefi_password
+ - require_singleuser_auth
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny_root
+ - var_accounts_passwords_pam_faillock_unlock_time=300
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_tmout=5_min
+ - accounts_tmout
+ - sshd_allow_only_protocol2
+ - sshd_disable_rhosts
+ - disable_host_auth
+ - configure_ssh_crypto_policy
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_kptr_restrict
+ - no_files_unowned_by_user
+ - file_permissions_ungroupowned
+ - dir_perms_world_writable_sticky_bits
+ - var_accounts_user_umask=077
+ - accounts_umask_etc_bashrc
+ - service_auditd_enabled
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_num_logs
+ - service_rsyslog_enabled
+ - package_python2_removed
+ - ensure_gpgcheck_never_disabled
+ - login_accounts_are_necessary
+ - accounts_are_necessary
+ - group_unique_id
+ - account_unique_id
+ - account_unique_group_id
+ - account_unique_name
+ - group_unique_name
+ - accounts_password_pam_dictcheck
+ - verify_owner_password
+ - no_name_contained_in_password
+ - sshd_strong_kex=standard_openeuler2203
+ - sshd_use_strong_kex
+ - sshd_use_strong_pubkey
+ - sshd_enable_pam
+ - sshd_use_strong_macs
+ - sshd_use_strong_ciphers
+ - grub2_nosmap_argument_absent
+ - grub2_nosmep_argument_absent
+ - package_ftp_removed
+ - no_empty_symlink_files
+ - no_hide_exec_files
+ - no_lowprivilege_users_writeable_cmds_in_crontab_file
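Review bot: `var_accounts_minimum_age_login_defs=0` together with `accounts_password_pam_unix_remember` and `accounts_minimum_age_login_defs` makes the password-history control ineffective: with `PASS_MIN_DAYS 0` a user can change the password as many times as the `remember` depth in one sitting and return to the original, which is exactly what the history is meant to prevent. Pick a non-zero value (`var_accounts_minimum_age_login_defs=1` is the usual floor) or drop the `remember` rule from the profile rather than reporting it as enforced. With all four `var_password_pam_*credit=0`, the `*credit` rules enforce no character-class composition, so composition rests entirely on `accounts_password_pam_minclass`, whose variable is not pinned here; pin it alongside the others (`var_password_pam_minclass=…`, if the project exposes it under that name) so the profile does not depend on the variable's default.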
diff --git a/shared/checks/oval/installed_env_has_login_defs.xml b/shared/checks/oval/installed_env_has_login_defs.xml
index 94ecbda..e304b19 100644
--- a/shared/checks/oval/installed_env_has_login_defs.xml
+++ b/shared/checks/oval/installed_env_has_login_defs.xml
@@ -21,7 +21,11 @@
<linux:object object_ref="obj_env_has_login_defs_installed" />
</linux:rpminfo_test>
<linux:rpminfo_object id="obj_env_has_login_defs_installed" version="1">
+{{% if product == "openeuler2203" %}}
+ <linux:name>shadow</linux:name>
+{{% else %}}
<linux:name>shadow-utils</linux:name>
+{{% endif %}}
</linux:rpminfo_object>
{{% elif pkg_system == "dpkg" %}}
<linux:dpkginfo_test check="all" check_existence="all_exist"
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 867e083..111ba3c 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -34,6 +34,7 @@
<criteria comment="{{{ application }}} is configured correctly and configuration file exists"
operator="AND">
{{%- endif %}}
+ {{%- if product != "openeuler2203" %}}
{{%- if application == "sshd" %}}
{{#-
This condition is here to avoid regression in sshd configuration rules.
@@ -46,6 +47,7 @@
{{{- application_not_required_or_requirement_unset() }}}
{{{- application_required_or_requirement_unset() }}}
{{%- endif %}}
+ {{%- endif %}}
<criteria comment="{{{ application }}} is configured correctly"
operator="OR">
{{{- oval_line_in_file_criterion(path, parameter) }}}
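Review bot: The `{{%- if product != "openeuler2203" %}}` guard opened in the previous hunk and closed here skips, for this product only, the two `application_*required*` criteria that the retained comment says exist "to avoid regression in sshd configuration rules" — by their names, the gate that lets an sshd rule pass when sshd is not required or not installed. Every openEuler sshd rule generated from this macro will then fail outright on a host where `/etc/ssh/sshd_config` is absent, and whatever "required" variable those macros consult stops having any effect for that product. If the exemption is needed because openEuler lacks a CPE or variable those macros depend on, a one-line comment on the `if` (`{{# openEuler has no sshd-required gate; evaluate the config line unconditionally #}}`) would save the next maintainer a hunt; otherwise the guard should stay.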
@@ -53,10 +55,12 @@
{{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass) }}}
{{%- endif %}}
</criteria>
+ {{%- if product != "openeuler2203" %}}
{{%- if application == "sshd" %}}
</criteria> {{# close criteria left open in application_required_or_requirement_unset #}}
</criteria>
{{%- endif %}}
+ {{%- endif %}}
{{%- if missing_config_file_fail %}}
{{{- oval_config_file_exists_criterion(path) }}}
</criteria>
@@ -368,7 +372,11 @@
<linux:object object_ref="obj_{{{ test_id }}}" />
</linux:rpminfo_test>
<linux:rpminfo_object id="obj_{{{ test_id }}}" version="1">
+{{% if package == "python2" %}}
+ <linux:name operation="pattern match">python2-.*</linux:name>
+{{% else %}}
<linux:name>{{{ package }}}</linux:name>
+{{% endif %}}
</linux:rpminfo_object>
{{% elif pkg_system == "dpkg" %}}
<linux:dpkginfo_test check="all" check_existence="none_exist"
@@ -490,3 +498,68 @@
</def-group>
{{%- endmacro %}}
+
+
+{{#
+ Macro which generates the OVAL metadata section
+
+:param description: The text to place in the description section
+:type description: str
+:param title: Optional, the associated rule title is used by default
+:type title: str
+:param affected_platforms: Optional, list of unix platform strings (e.g. "Fedora") to put under the affected element. Uses the oval_affected macro by default under the hood.
+:type affected_platforms: str
+
+#}}
+{{%- macro oval_metadata(description, title="", affected_platforms=None) -%}}
+ <metadata>
+{{%- if title %}}
+ <title>{{{ title }}}</title>
+{{%- else %}}
+ <title>{{{ rule_title }}}</title>
+{{%- endif -%}}
+{{%- if affected_platforms %}}
+ <affected family="unix">
+{{%- for platform in affected_platforms %}}
+ <platform>{{{ platform }}}</platform>
+{{%- endfor %}}
+ </affected>
+{{%- else %}}
+ {{{ oval_affected(products) | indent -}}}
+{{%- endif %}}
+ <description>{{{ description }}}{{{ caller() if caller else '' }}}</description>
+ </metadata>
+{{%- endmacro %}}
+
+{{#
+ Extract from /etc/passwd a list composed of password objects related to non-system UIDs.
+ This list is then filtered to exclude some special usernames and users with /sbin/nologin shell.
+
+ The macro receives a string as parameter, which is used as the password_object id in the rule.
+
+ :param object_id: Object id to be created.
+ :type object_id: str
+#}}
+{{%- macro create_interactive_users_list_object(object_id) -%}}
+ {{%- set ignored_users_list="(nobody|nfsnobody)" %}}
+
+ <unix:password_object id="{{{ object_id }}}" version="1">
+ <unix:username datatype="string" operation="pattern match">.*</unix:username>
+ <filter action="include">state_{{{ rule_id }}}_users_uids</filter>
+ <filter action="exclude">state_{{{ rule_id }}}_users_ignored</filter>
+ <filter action="exclude">state_{{{ rule_id }}}_users_nologin_shell</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_{{{ rule_id }}}_users_uids" version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <unix:password_state id="state_{{{ rule_id }}}_users_ignored" version="1">
+ <unix:username datatype="string" operation="pattern match">^{{{ ignored_users_list }}}$</unix:username>
+ </unix:password_state>
+
+ <unix:password_state id="state_{{{ rule_id }}}_users_nologin_shell" version="1">
+ <unix:login_shell datatype="string" operation="pattern match">^/sbin/nologin$</unix:login_shell>
+ </unix:password_state>
+{{%- endmacro %}}
+
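Review bot: `state_…_users_nologin_shell` matches only the literal `/sbin/nologin`, so accounts whose shell is `/usr/sbin/nologin`, `/bin/false` or `/usr/bin/false` are treated as interactive by every rule that uses `create_interactive_users_list_object`; on a merged-`/usr` system the `/usr/sbin` spelling is common. `^(/usr)?/s?bin/(nologin|false)$` covers the usual variants. `ignored_users_list` is likewise limited to `nobody|nfsnobody`, which is fine as long as callers know that any other non-login account at or above `uid_min` with a real shell will be reported. The macro reads `rule_id` and `uid_min` from the rendering context without saying so; a line in the docstring, `Requires rule_id and uid_min in the rendering context.`, would document the dependency.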
diff --git a/shared/templates/template_OVAL_sysctl b/shared/templates/template_OVAL_sysctl
index f84fc3d..62ae26d 100644
--- a/shared/templates/template_OVAL_sysctl
+++ b/shared/templates/template_OVAL_sysctl
@@ -23,7 +23,9 @@
<description>The "{{{ SYSCTLVAR }}}" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</description>
</metadata>
<criteria operator="AND">
+{{% if product not in ["openeuler2203"] %}}
<extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check" definition_ref="sysctl_static_{{{ SYSCTLID }}}" />
+{{% endif %}}
<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check" definition_ref="sysctl_runtime_{{{ SYSCTLID }}}" />
</criteria>
</definition>
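Review bot: Skipping the `sysctl_static_…` extend_definition for openEuler makes every sysctl rule pass on the runtime value alone, so a value applied with `sysctl -w` — or one that merely happens to be the kernel default — is reported compliant even though nothing in `/etc/sysctl.conf` or `/etc/sysctl.d` carries it across a reboot. Compliance scans normally require both halves; if the static check is dropped because openEuler's sysctl file layout differs from what the static definition expects, adjusting that definition's paths is the safer fix. At minimum add a comment on the `if` line recording why openEuler is exempted.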
@@ -47,7 +49,9 @@
<extend_definition comment="is IPv6 enabled?" definition_ref="sysctl_kernel_ipv6_disable" />
{{% endif %}}
<criteria operator="AND">
+{{% if product not in ["openeuler2203"] %}}
<extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check" definition_ref="sysctl_static_{{{ SYSCTLID }}}" />
+{{% endif %}}
<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check" definition_ref="sysctl_runtime_{{{ SYSCTLID }}}" />
</criteria>
</criteria>
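Review bot: The same exemption is applied to the IPv6-conditioned branch here, so for openEuler the IPv6 sysctl rules also pass on the runtime value without any check that the setting is persisted. Whatever resolution is chosen for the first branch should be mirrored here, and a comment on the `if` line should state the reason for the product-specific skip.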
diff --git a/ssg/constants.py b/ssg/constants.py
index 401c60d..aa081d8 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -120,7 +120,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
"Red Hat OpenShift Container Platform 4": "ocp4",
"Oracle Linux 7": "ol7",
"Oracle Linux 8": "ol8",
- "openEuler 22.03 LTS": "openeuler2203",
+ "multi_platform_openeuler": "openeuler2203",
"openSUSE": "opensuse",
"Red Hat Enterprise Linux 6": "rhel6",
"Red Hat Enterprise Linux 7": "rhel7",
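Review bot: Replacing the key `"openEuler 22.03 LTS"` with `"multi_platform_openeuler"` in `FULL_NAME_TO_PRODUCT_MAPPING` mixes a `multi_platform_*` token into a dictionary whose other keys are human-readable platform names, and it drops the only mapping for the full name — any OVAL that still declares `<platform>openEuler 22.03 LTS</platform>` (the title this patch uses in the CPE dictionary) no longer resolves to `openeuler2203`. The `multi_platform_*` names used elsewhere in this patch are presumably expanded by the module's separate multi-platform mapping (not visible here); the conventional fix is to keep `"openEuler 22.03 LTS": "openeuler2203",` and register openEuler in that mapping. If overloading this dictionary is deliberate, keep both keys so existing content keeps working.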
@@ -224,6 +224,8 @@ PRODUCT_TO_CPE_MAPPING = {
],
"openeuler2203": [
"cpe:/o:openEuler:openEuler:22.03LTS:ga:server",
+ "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server",
+ "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server",
],
"opensuse": [
"cpe:/o:opensuse:leap:42.1",
--
2.21.0.windows.1