316 lines
13 KiB
Diff
316 lines
13 KiB
Diff
From be290f3b8fc4a9d91925a43a56cb37c3ae27cc07 Mon Sep 17 00:00:00 2001
|
|
From: "steven.y.gui" <steven_ygui@163.com>
|
|
Date: Tue, 9 May 2023 10:50:52 +0800
|
|
Subject: [PATCH] init openEuler ssg project
|
|
|
|
---
|
|
CMakeLists.txt | 5 ++++
|
|
.../telnet/package_telnet_removed/rule.yml | 4 +--
|
|
openeuler2203/CMakeLists.txt | 6 ++++
|
|
.../cpe/openeuler2203-cpe-dictionary.xml | 10 +++++++
|
|
openeuler2203/product.yml | 11 ++++++++
|
|
openeuler2203/profiles/standard.profile | 11 ++++++++
|
|
openeuler2203/transforms/constants.xslt | 15 ++++++++++
|
|
openeuler2203/transforms/shorthand2xccdf.xslt | 8 ++++++
|
|
.../xccdf2table-profilecisrefs.xslt | 9 ++++++
|
|
.../checks/oval/installed_OS_is_openeuler.xml | 27 ++++++++++++++++++
|
|
.../oval/installed_OS_is_openeuler2203.xml | 28 +++++++++++++++++++
|
|
ssg/constants.py | 9 +++++-
|
|
12 files changed, 140 insertions(+), 3 deletions(-)
|
|
create mode 100644 openeuler2203/CMakeLists.txt
|
|
create mode 100644 openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
|
|
create mode 100644 openeuler2203/product.yml
|
|
create mode 100644 openeuler2203/profiles/standard.profile
|
|
create mode 100644 openeuler2203/transforms/constants.xslt
|
|
create mode 100644 openeuler2203/transforms/shorthand2xccdf.xslt
|
|
create mode 100644 openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
|
|
create mode 100644 shared/checks/oval/installed_OS_is_openeuler.xml
|
|
create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml
|
|
|
|
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
index 82488f7..e594299 100644
|
|
--- a/CMakeLists.txt
|
|
+++ b/CMakeLists.txt
|
|
@@ -74,6 +74,7 @@ option(SSG_PRODUCT_OCP3 "If enabled, the OCP3 SCAP content will be built" ${SSG_
|
|
option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
|
option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
|
option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
|
+option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
|
option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
|
option(SSG_PRODUCT_RHEL6 "If enabled, the RHEL6 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
|
option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
|
|
@@ -242,6 +243,7 @@ message(STATUS "OCP3: ${SSG_PRODUCT_OCP3}")
|
|
message(STATUS "OCP4: ${SSG_PRODUCT_OCP4}")
|
|
message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
|
|
message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
|
|
+message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
|
|
message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
|
|
message(STATUS "RHEL 6: ${SSG_PRODUCT_RHEL6}")
|
|
message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
|
|
@@ -329,6 +331,9 @@ endif()
|
|
if (SSG_PRODUCT_OL8)
|
|
add_subdirectory("ol8")
|
|
endif()
|
|
+if (SSG_PRODUCT_OPENEULER2203)
|
|
+ add_subdirectory("openeuler2203")
|
|
+endif()
|
|
if (SSG_PRODUCT_OPENSUSE)
|
|
add_subdirectory("opensuse")
|
|
endif()
|
|
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
|
index 28cbf10..b3e3f2d 100644
|
|
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
|
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4
|
|
+prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
|
|
|
|
title: 'Remove telnet Clients'
|
|
|
|
@@ -14,7 +14,7 @@ rationale: |-
|
|
to steal credentials. The <tt>ssh</tt> package provides an
|
|
encrypted session and stronger security and is included in {{{ full_name }}}.
|
|
|
|
-severity: low
|
|
+severity: high
|
|
|
|
identifiers:
|
|
cce@rhel6: 27428-2
|
|
diff --git a/openeuler2203/CMakeLists.txt b/openeuler2203/CMakeLists.txt
|
|
new file mode 100644
|
|
index 0000000..da8fe4b
|
|
--- /dev/null
|
|
+++ b/openeuler2203/CMakeLists.txt
|
|
@@ -0,0 +1,6 @@
|
|
+# Sometimes our users will try to do: "cd openeuler2203; cmake ." That needs to error in a nice way.
|
|
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
|
|
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the developer_guide.adoc for more details!")
|
|
+endif()
|
|
+
|
|
+ssg_build_product("openeuler2203")
|
|
diff --git a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
|
|
new file mode 100644
|
|
index 0000000..986a804
|
|
--- /dev/null
|
|
+++ b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
|
|
@@ -0,0 +1,10 @@
|
|
+<?xml version="1.0" encoding="UTF-8"?>
|
|
+<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
|
|
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
+ xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
|
|
+ <cpe-item name="cpe:/o:openEuler:openEuler:22.03LTS:ga:server">
|
|
+ <title xml:lang="en-us">openEuler 22.03 LTS</title>
|
|
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
|
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_openeuler2203</check>
|
|
+ </cpe-item>
|
|
+</cpe-list>
|
|
diff --git a/openeuler2203/product.yml b/openeuler2203/product.yml
|
|
new file mode 100644
|
|
index 0000000..864a057
|
|
--- /dev/null
|
|
+++ b/openeuler2203/product.yml
|
|
@@ -0,0 +1,11 @@
|
|
+product: openeuler2203
|
|
+full_name: openEuler 22.03 LTS
|
|
+type: platform
|
|
+
|
|
+benchmark_root: "../linux_os/guide"
|
|
+
|
|
+profiles_root: "./profiles"
|
|
+
|
|
+pkg_manager: "dnf"
|
|
+
|
|
+init_system: "systemd"
|
|
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
|
|
new file mode 100644
|
|
index 0000000..6fd9707
|
|
--- /dev/null
|
|
+++ b/openeuler2203/profiles/standard.profile
|
|
@@ -0,0 +1,11 @@
|
|
+documentation_complete: true
|
|
+
|
|
+title: 'Standard System Security Profile for openEuler 22.03 LTS'
|
|
+
|
|
+description: |-
|
|
+ This profile contains rules to ensure standard security baseline
|
|
+ of an openEuler system. Regardless of your system's workload
|
|
+ all of these checks should pass.
|
|
+
|
|
+selections:
|
|
+ - package_telnet_removed
|
|
diff --git a/openeuler2203/transforms/constants.xslt b/openeuler2203/transforms/constants.xslt
|
|
new file mode 100644
|
|
index 0000000..a168e75
|
|
--- /dev/null
|
|
+++ b/openeuler2203/transforms/constants.xslt
|
|
@@ -0,0 +1,15 @@
|
|
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
|
+
|
|
+<xsl:include href="../../shared/transforms/shared_constants.xslt"/>
|
|
+
|
|
+<xsl:variable name="product_long_name">openEuler 22.03 LTS</xsl:variable>
|
|
+<xsl:variable name="product_short_name">openEuler 22.03</xsl:variable>
|
|
+<xsl:variable name="product_stig_id_name">empty</xsl:variable>
|
|
+<xsl:variable name="product_guide_id_name">OPENEULER_2203_LTS</xsl:variable>
|
|
+<xsl:variable name="prod_type">openeuler2203</xsl:variable>
|
|
+
|
|
+<xsl:variable name="cisuri">empty</xsl:variable>
|
|
+<xsl:variable name="disa-stigs-uri" select="$disa-stigs-os-unix-linux-uri"/>
|
|
+<xsl:variable name="os-stigid-concat" />
|
|
+
|
|
+</xsl:stylesheet>
|
|
diff --git a/openeuler2203/transforms/shorthand2xccdf.xslt b/openeuler2203/transforms/shorthand2xccdf.xslt
|
|
new file mode 100644
|
|
index 0000000..e017cf6
|
|
--- /dev/null
|
|
+++ b/openeuler2203/transforms/shorthand2xccdf.xslt
|
|
@@ -0,0 +1,8 @@
|
|
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
|
+
|
|
+<xsl:import href="../../shared/transforms/shared_shorthand2xccdf.xslt"/>
|
|
+
|
|
+<xsl:include href="constants.xslt"/>
|
|
+<xsl:param name="ssg_version">unknown</xsl:param>
|
|
+
|
|
+</xsl:stylesheet>
|
|
diff --git a/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt b/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
|
|
new file mode 100644
|
|
index 0000000..92cbdf9
|
|
--- /dev/null
|
|
+++ b/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
|
|
@@ -0,0 +1,9 @@
|
|
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
|
|
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
|
|
+
|
|
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profilecisrefs.xslt"/>
|
|
+
|
|
+<xsl:include href="constants.xslt"/>
|
|
+<xsl:include href="table-style.xslt"/>
|
|
+
|
|
+</xsl:stylesheet>
|
|
diff --git a/shared/checks/oval/installed_OS_is_openeuler.xml b/shared/checks/oval/installed_OS_is_openeuler.xml
|
|
new file mode 100644
|
|
index 0000000..f356806
|
|
--- /dev/null
|
|
+++ b/shared/checks/oval/installed_OS_is_openeuler.xml
|
|
@@ -0,0 +1,27 @@
|
|
+<def-group>
|
|
+ <definition class="inventory" id="installed_OS_is_openeuler" version="1">
|
|
+ <metadata>
|
|
+ <title>openEuler</title>
|
|
+ <affected family="unix">
|
|
+ <platform>multi_platform_all</platform>
|
|
+ </affected>
|
|
+ <description>The operating system installed on the system is openEuler.</description>
|
|
+ </metadata>
|
|
+ <criteria operator="AND">
|
|
+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
|
|
+ <criterion comment="openEuler is installed" test_ref="test_openeuler_installed" />
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openEuler is installed" id="test_openeuler_installed" version="1">
|
|
+ <linux:object object_ref="obj_openeuler_installed" />
|
|
+ <linux:state state_ref="state_openeuler_installed" />
|
|
+ </linux:rpminfo_test>
|
|
+ <linux:rpminfo_state id="state_openeuler_installed" version="1">
|
|
+ <linux:name operation="pattern match">openEuler-release</linux:name>
|
|
+ </linux:rpminfo_state>
|
|
+ <linux:rpminfo_object id="obj_openeuler_installed" version="1">
|
|
+ <linux:name>openEuler-release</linux:name>
|
|
+ </linux:rpminfo_object>
|
|
+
|
|
+</def-group>
|
|
diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml
|
|
new file mode 100644
|
|
index 0000000..d819ab6
|
|
--- /dev/null
|
|
+++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml
|
|
@@ -0,0 +1,28 @@
|
|
+<def-group>
|
|
+ <definition class="inventory" id="installed_OS_is_openeuler2203" version="1">
|
|
+ <metadata>
|
|
+ <title>openEuler 22.03 LTS</title>
|
|
+ <affected family="unix">
|
|
+ <platform>multi_platform_all</platform>
|
|
+ </affected>
|
|
+ <reference ref_id="cpe:/o:openEuler:openEuler:22.03LTS:ga:server" source="CPE" />
|
|
+ <description>The operating system installed on the system is openEuler 22.03 LTS.</description>
|
|
+ </metadata>
|
|
+ <criteria operator="AND">
|
|
+ <extend_definition comment="openEuler is installed" definition_ref="installed_OS_is_openeuler" />
|
|
+ <criterion comment="openEuler 22.03 LTS is installed" test_ref="test_openeuler2203_installed" />
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openEuler 22.03 LTS is installed" id="test_openeuler2203_installed" version="1">
|
|
+ <linux:object object_ref="obj_openeuler2203_installed" />
|
|
+ <linux:state state_ref="state_openeuler2203_installed" />
|
|
+ </linux:rpminfo_test>
|
|
+ <linux:rpminfo_state id="state_openeuler2203_installed" version="1">
|
|
+ <linux:version operation="pattern match">^22\.03.*$</linux:version>
|
|
+ </linux:rpminfo_state>
|
|
+ <linux:rpminfo_object id="obj_openeuler2203_installed" version="1">
|
|
+ <linux:name>openEuler-release</linux:name>
|
|
+ </linux:rpminfo_object>
|
|
+
|
|
+</def-group>
|
|
diff --git a/ssg/constants.py b/ssg/constants.py
|
|
index 813e529..401c60d 100644
|
|
--- a/ssg/constants.py
|
|
+++ b/ssg/constants.py
|
|
@@ -15,6 +15,7 @@ product_directories = [
|
|
'jre',
|
|
'ocp3', 'ocp4',
|
|
'ol7', 'ol8',
|
|
+ 'openeuler2203',
|
|
'opensuse',
|
|
'rhel6', 'rhel7', 'rhel8',
|
|
'rhosp10', 'rhosp13',
|
|
@@ -119,6 +120,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
|
|
"Red Hat OpenShift Container Platform 4": "ocp4",
|
|
"Oracle Linux 7": "ol7",
|
|
"Oracle Linux 8": "ol8",
|
|
+ "openEuler 22.03 LTS": "openeuler2203",
|
|
"openSUSE": "opensuse",
|
|
"Red Hat Enterprise Linux 6": "rhel6",
|
|
"Red Hat Enterprise Linux 7": "rhel7",
|
|
@@ -220,6 +222,9 @@ PRODUCT_TO_CPE_MAPPING = {
|
|
"ol8": [
|
|
"cpe:/o:oracle:linux:8",
|
|
],
|
|
+ "openeuler2203": [
|
|
+ "cpe:/o:openEuler:openEuler:22.03LTS:ga:server",
|
|
+ ],
|
|
"opensuse": [
|
|
"cpe:/o:opensuse:leap:42.1",
|
|
"cpe:/o:opensuse:leap:42.2",
|
|
@@ -290,12 +295,13 @@ REF_PREFIX_MAP = {
|
|
}
|
|
|
|
MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
|
|
- "wrlinux", "opensuse", "sle", "ol", "ocp", "example"]
|
|
+ "wrlinux", "openeuler","opensuse", "sle", "ol", "ocp", "example"]
|
|
|
|
MULTI_PLATFORM_MAPPING = {
|
|
"multi_platform_debian": ["debian8", "debian9", "debian10"],
|
|
"multi_platform_example": ["example"],
|
|
"multi_platform_fedora": ["fedora"],
|
|
+ "multi_platform_openeuler": ["openeuler2203"],
|
|
"multi_platform_opensuse": ["opensuse"],
|
|
"multi_platform_ol": ["ol7", "ol8"],
|
|
"multi_platform_ocp": ["ocp3", "ocp4"],
|
|
@@ -462,6 +468,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
|
|
'ubuntu': 'Ubuntu',
|
|
'eap': 'JBoss Enterprise Application Platform',
|
|
'fuse': 'JBoss Fuse',
|
|
+ 'openeuler': 'openEuler',
|
|
'opensuse': 'openSUSE',
|
|
'sle': 'SUSE Linux Enterprise',
|
|
'wrlinux': 'WRLinux',
|
|
--
|
|
2.21.0.windows.1
|
|
|