scap-security-guide/optimize-8-rules-for-openEuler.patch
2024-06-20 08:23:43 +08:00


From e7f1e45f0b3172b5b5a35a1822865fddbca6d9f0 Mon Sep 17 00:00:00 2001
From: wangqingsan <wangqingsan@huawei.com>
Date: Wed, 19 Jun 2024 13:27:03 +0800
Subject: [PATCH] fix bug for oe
---
.../oval/shared.xml | 2 +-
.../oval/shared.xml | 2 +-
.../sshd_set_max_auth_tries/oval/shared.xml | 14 ++++++++++++
.../accounts_umask_etc_bashrc/oval/shared.xml | 4 ++--
.../oval/shared.xml | 13 ++++++-----
.../rsyslog_files_permissions_oe/rule.yml | 22 +++++++++++++++++++
.../service_ip6tables_enabled/rule.yml | 2 +-
openeuler2203/profiles/standard.profile | 4 ++--
8 files changed, 51 insertions(+), 12 deletions(-)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
index e6c1a0e..494e255 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml
@@ -19,7 +19,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_test_sshd_configure_concurrent_unauthenticated_connections" version="1">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^maxstartups\s+\d+:\d+:\d+$</ind:pattern>
+ <ind:pattern operation="pattern match">^MaxStartups\s*[0-9]*:[0-9]*:[0-9]*[0-9]</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
\ No newline at end of file
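Review bot: The new MaxStartups pattern on the `+` line accepts malformed values, because `\s*` and each `[0-9]*` may match nothing and there is no `$` anchor, so `MaxStartups::1` or `MaxStartups 10:30:100abc` both satisfy the object. Tightening it to `^MaxStartups\s+[0-9]+:[0-9]+:[0-9]+\s*$` keeps the fix (matching the keyword as sshd documents it) while still requiring three numeric fields. The previous lowercase `maxstartups` would never have matched the conventional spelling, which presumably was the bug being fixed; sshd itself treats keywords case-insensitively, so a `(?i)` prefix, if the OVAL regex engine used here honours it, would cover both spellings.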
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
index fb79aff..30bc3c4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml
@@ -19,7 +19,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_test_sshd_configure_correct_LoginGraceTime" version="1">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^LoginGraceTime\s+\d+$</ind:pattern>
+ <ind:pattern operation="pattern match">^LoginGraceTime\s(\d*)[smhdw]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
\ No newline at end of file
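Review bot: The new LoginGraceTime pattern accepts an empty value and malformed suffixes: `\d*` can match nothing, `[smhdw]*` allows `60smh`, and the single `\s` rejects a line with two spaces or a tab between keyword and value. Since sshd accepts concatenated time values such as `1h30m`, a pattern like `^LoginGraceTime\s+(\d+[smhdw]?)+\s*$` would be stricter and still match the wider set of values this change was apparently made for. If the capture group feeds a state comparison defined outside this hunk, an empty match would be compared as an empty string, so the `+` quantifier matters there too.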
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
index a8eaabd..ae811c7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
@@ -8,14 +8,28 @@
<description>The SSH MaxAuthTries should be set to an
appropriate value.</description>
</metadata>
+ {{% if product in ['openeuler2203'] %}}
+ <criteria comment="SSH is not being used or conditions are met" operator="OR">
+ <extend_definition comment="sshd service is disabled"
+ definition_ref="service_sshd_disabled" />
+ <criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config"
+ test_ref="test_sshd_max_auth_tries_oe" />
+ </criteria>
+ {{% else %}}
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled"
definition_ref="service_sshd_disabled" />
<criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config"
test_ref="test_sshd_max_auth_tries" />
</criteria>
+ {{% endif %}}
</definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="maxauthtries is configured" id="test_sshd_max_auth_tries_oe" version="1">
+ <ind:object object_ref="object_sshd_max_auth_tries" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="maxauthtries is configured" id="test_sshd_max_auth_tries" version="1">
<ind:object object_ref="object_sshd_max_auth_tries" />
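Review bot: The added `test_sshd_max_auth_tries_oe` after `</definition>` references the same object as the existing test but carries no state, so for openeuler2203 the rule now passes as soon as any MaxAuthTries line is present, whatever its value. If that is intentional it deserves a comment on the test, e.g. `<!-- openEuler: presence check only; the configured value is not compared -->`; if not, the new test needs the same state reference the original test uses (the original test's body continues past the end of this hunk, so I cannot confirm what it contains). The two criteria branches differ only in `test_ref`, so the conditional could be narrowed to that attribute, e.g. `test_ref="test_sshd_max_auth_tries{{% if product in ['openeuler2203'] %}}_oe{{% endif %}}"`, instead of duplicating the whole criteria block.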
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
index 0bd0ac1..ec4197a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
@@ -95,7 +95,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_umask_in_etc_bash_openeuler" version="1">
<ind:filepath operation="pattern match">/etc/bashrc</ind:filepath>
- <ind:pattern operation="pattern match">[\s]*umask[\s]*0077[\s]*</ind:pattern>
+ <ind:pattern operation="pattern match">^umask[\s]*0*7*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
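Review bot: The new umask pattern `^umask[\s]*0*7*$` accepts `umask 0`, `umask 00` and `umask 7`, because both `0*` and `7*` may be empty, so a fully permissive umask now satisfies a check meant to require 077; the same pattern appears in the second hunk of this file for `object_umask_in_point_bash_openeuler`. It also drops the leading `[\s]*` the old pattern had, so an indented `umask 077` inside a conditional block in /etc/bashrc is no longer matched, while `[\s]*` between keyword and value lets `umask077` through. A pattern such as `^[\s]*umask[\s]+0*77[\s]*$` keeps the apparent intent (accepting `77`, `077` and `0077`) without those holes.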
@@ -104,7 +104,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_umask_in_point_bash_openeuler" version="1">
<ind:filepath>^/home/.*\.bashrc$</ind:filepath>
- <ind:pattern operation="pattern match">[\s]*umask[\s]*0077[\s]*</ind:pattern>
+ <ind:pattern operation="pattern match">^umask[\s]*0*7*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
index 92b2667..372e175 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml
@@ -8,12 +8,15 @@
<description>The audit rules should be configured to log information about kernel module installing and removing.</description>
</metadata>
<criteria operator="AND">
- <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
- <criterion comment="audit augenrules 64-bit init_module" test_ref="test_64bit_init_module_augenrules" />
- <criterion comment="audit augenrules 64-bit delete_module" test_ref="test_64bit_delete_module_augenrules" />
+ <extend_definition comment="32-bit system audit augenrules" definition_ref="audit_rules_augenrules" />
<criterion comment="audit augenrules inmod" test_ref="test_install_module_augenrules" />
<criterion comment="audit augenrules rmmod" test_ref="test_remove_module_augenrules" />
<criterion comment="audit augenrules modprobe" test_ref="test_probe_module_augenrules" />
+ <criteria operator="OR">
+ <extend_definition comment="64-bit systemctl audit augenrules" definition_ref="audit_rules_augenrules" />
+ <criterion comment="audit augenrules 64-bit init_module" test_ref="test_64bit_init_module_augenrules" />
+ <criterion comment="audit augenrules 64-bit delete_module" test_ref="test_64bit_delete_module_augenrules" />
+ </criteria>
</criteria>
</definition>
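Review bot: The inner `<criteria operator="OR">` on the `+` lines can never fail: its first member extends `audit_rules_augenrules`, which the enclosing AND already requires to be true, so whenever the outer criteria is evaluated the OR is satisfied and the 64-bit init_module/delete_module criteria are never decisive. If the intent is to skip the 64-bit rules on 32-bit systems, the OR's first member should be a definition that is true only on 32-bit hosts (an architecture check, with the two 64-bit criteria as the other branch), not a second reference to the augenrules definition. The comment `64-bit systemctl audit augenrules` does not describe what that extend_definition checks either; I would reword it to name whatever definition ends up there.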
@@ -22,7 +25,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_init_module_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
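Review bot: The rewritten pattern for `object_64bit_init_module_augenrules` now requires `arch=b32` and, in its second alternative, the syscall `delete_module`, which contradicts both the object's id and the `64-bit init_module` criterion comment in the definition; it reads like a copy of the delete_module pattern with only the first alternative adjusted. The next hunk has the mirror problem: `object_64bit_delete_module_augenrules` now matches `-S init_module` in its first alternative, so a rule that audits only init_module satisfies the delete_module check. Each object should name one syscall in both alternatives, `(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))` for the first object and `delete_module` in both places for the second, with `arch=b64` in both unless a separate b32 object is intended. The trailing `[\s]*.*$` is redundant, since `.*$` already matches anything up to end of line.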
@@ -31,7 +34,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_delete_module_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
new file mode 100644
index 0000000..93fd68f
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions_oe/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+title: 'Ensure System Log Files Have Correct Permissions'
+
+description: |-
+ <p>Log files record system operations. The log tool <tt>rsyslog</tt> can record logs
+ to specified files. When the specified log file does not exist in the system,
+ <tt>rsyslog</tt> can create a new log file. You can set the permission on new log files
+ in the <tt>rsyslog</tt> configuration file. You can set the default file permission to
+ ensure that new log files have proper and secure permissions.</p>
+ <p>Run the following command to manually check whether the log permission is properly set:</p>
+ <pre>$ ls -l <i>LOGFILE</i></pre>
+ <p>If the permissions are not 600 or more restrictive, run the following
+ command to correct this:</p>
+ <pre>$ sudo chmod 0600 <i>LOGFILE</i></pre>"
+
+rationale: |-
+ Log files can contain valuable information regarding system
+ configuration. If the system log files are not protected unauthorized
+ users could change the logged data, eliminating their forensic value.
+
+severity: low
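Review bot: The description block ends with a stray double quote after `</pre>` on the last `<pre>` line; inside a `|-` block scalar it is literal text and will be rendered in the guide, so the line should end `<pre>$ sudo chmod 0600 <i>LOGFILE</i></pre>`. The rule also carries no `ocil`/`ocil_clause` and no template or check reference in this hunk, so unless an OVAL or template lives alongside it (not visible here), selecting it in the profile yields a rule with no automated check; a one-line `ocil_clause` and the check reference would make the intent explicit. The description says `rsyslog` applies a default mode to files it creates but never names the rsyslog directive that sets that mode, which a reader of the rule will expect.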
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
index d533940..a8ce14a 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
@@ -34,6 +34,6 @@ template:
name: service_enabled
vars:
servicename: ip6tables
- packagename: iptables-ipv6
+ packagename: iptables
platform: machine
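Review bot: Changing `packagename` here alters the check for every product that uses `service_ip6tables_enabled`, not only openEuler, since this rule.yml is shared; any product whose ip6tables unit still comes from a package named `iptables-ipv6` would now test the wrong package. If the `iptables` package name is openEuler-specific, a product conditional around the value, as the sshd_set_max_auth_tries hunk does for its criteria, would confine the change. The `template:` block this variable belongs to starts before the hunk.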
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
index 76fe4dd..4ae7a01 100644
--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
@@ -376,8 +376,8 @@ selections:
- audit_rules_admin_privilege.severity=low
- recorded_authentication_related_event
- recorded_authentication_related_event.severity=high
- - rsyslog_files_permissions
- - rsyslog_files_permissions.severity=low
+ - rsyslog_files_permissions_oe
+ - rsyslog_files_permissions_oe.severity=low
- partitions_manage_hard_drive_data
- partitions_manage_hard_drive_data.severity=low
- uninstall_debugging_tools
--
2.36.1