packages/scap-security-guide
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
scap-security-guide/add-15-rules-for-openeuler.patch
steven.y.gui f3439d17b8 add 15 new rules for openeuler
2023-08-11 10:12:25 +08:00

790 lines
35 KiB
Diff
Raw Blame History

From dc37689392abe60433dc4521a835dfa6a031f603 Mon Sep 17 00:00:00 2001
From: "steven.y.gui" <steven_ygui@163.com>
Date: Fri, 11 Aug 2023 10:03:30 +0800
Subject: [PATCH] add 15 rules for openeuler
---
.../rule.yml | 21 +++
.../rule.yml | 21 +++
.../oval/shared.xml | 15 ++
.../rule.yml | 17 +++
.../rule.yml | 21 +++
.../rule.yml | 2 +-
.../sysctl_net_ipv4_tcp_fin_timeout/rule.yml | 22 +++
.../rule.yml | 23 +++
.../sysctl_net_ipv4_tcp_timestamps/rule.yml | 21 +++
.../files/ensure_minimum_permission/rule.yml | 139 ++++++++++++++++++
.../oval/shared.xml | 1 +
.../rule.yml | 2 +-
.../oval/shared.xml | 1 +
.../rule.yml | 2 +-
.../oval/shared.xml | 1 +
.../files/opened_files_count_limited/rule.yml | 34 +++++
.../guide/system/software/polkit/group.yml | 6 +
.../only_root_can_run_pkexec/oval/shared.xml | 23 +++
.../polkit/only_root_can_run_pkexec/rule.yml | 17 +++
linux_os/guide/system/software/su/group.yml | 6 +
.../su/su_always_set_path/oval/shared.xml | 23 +++
.../software/su/su_always_set_path/rule.yml | 20 +++
.../su/su_only_for_wheel/oval/shared.xml | 23 +++
.../software/su/su_only_for_wheel/rule.yml | 19 +++
.../sudo_not_for_all_users/oval/shared.xml | 23 +++
.../sudo/sudo_not_for_all_users/rule.yml | 20 +++
openeuler2203/profiles/standard.profile | 15 ++
27 files changed, 535 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml
create mode 100644 linux_os/guide/system/software/polkit/group.yml
create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
create mode 100644 linux_os/guide/system/software/su/group.yml
create mode 100644 linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
create mode 100644 linux_os/guide/system/software/su/su_always_set_path/rule.yml
create mode 100644 linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml
create mode 100644 linux_os/guide/system/software/su/su_only_for_wheel/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml
create mode 100644 linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
new file mode 100644
index 0000000..7066bcc
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Kernel Parameter for ARP Proxy'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.proxy_arp", value="0") }}}'
+
+rationale: |-
+ Restricted execution of programs that depend on the ARP proxy.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.conf.all.proxy_arp
+ sysctlval: '0'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
new file mode 100644
index 0000000..170696b
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Kernel Parameter for ARP Proxy by Default'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.default.proxy_arp", value="0") }}}'
+
+rationale: |-
+ Restricted execution of programs that depend on the ARP proxy.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.conf.default.proxy_arp
+ sysctlval: '0'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml
new file mode 100644
index 0000000..b072446
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml
@@ -0,0 +1,15 @@
+<def-group>
+ <definition class="compliance" id="sysctl_net_ipv4_disable_arp_proxy" version="1">
+ <metadata>
+ <title>Disable ARP Proxy</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Disable arp proxy.</description>
+ </metadata>
+ <criteria operator="AND">
+ <extend_definition comment="all arp proxy" definition_ref="sysctl_net_ipv4_conf_all_proxy_arp" />
+ <extend_definition comment="default arp proxy" definition_ref="sysctl_net_ipv4_conf_default_proxy_arp" />
+ </criteria>
+ </definition>
+</def-group>
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml
new file mode 100644
index 0000000..66a336e
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable ARP Proxy'
+
+description: |-
+ ARP proxy allows the system to send a response to an ARP request on another interface on behalf of a host connected to an interface.
+ Disabling ARP proxy not only prevents authorized information sharing also prevents addressing information leakage between connected network segments.
+ Therefore, the ARP proxy must be disabled to prevent ARP packet attacks on the system.
+
+rationale: |-
+ Restricted execution of programs that depend on the ARP proxy.
+
+severity: high
+
+platform: machine
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
new file mode 100644
index 0000000..31bf313
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Set Kernel Parameter for Ignoring All ICMP'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_all", value="1") }}}'
+
+rationale: |-
+ All ICMP packages are ignored.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.icmp_echo_ignore_all
+ sysctlval: '1'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
index 12cbdea..74d196a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
+prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
new file mode 100644
index 0000000..ffd435a
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Set Kernel Parameter for TCP TIME_WAIT'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_fin_timeout", value="60") }}}'
+
+rationale: |-
+ Suggested value is <tt>60</tt>.<br />
+ If TIME_WAIT is set too long, DoS attacks may occur.
+
+severity: high
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.tcp_fin_timeout
+ sysctlval: '60'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
new file mode 100644
index 0000000..f95f0be
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Set Kernel Parameter for TCP SYN_RECV'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_max_syn_backlog", value="256") }}}'
+
+rationale: |-
+ Suggested value is <tt>256</tt>.<br />
+ For security purposes, you are advised to set this parameter to a large value to mitigate TCP SYN flood attacks.
+ However, if this parameter is set to a large value, more system resources are consumed.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.tcp_max_syn_backlog
+ sysctlval: '256'
+ datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
new file mode 100644
index 0000000..a2df1d7
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Disable Kernel Parameter for TCP Timestamps'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_timestamps", value="0") }}}'
+
+rationale: |-
+ After this function is enabled, packages with invalid addresses is recorded into kernel logs, which may cause logs overwrite.
+
+severity: low
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.tcp_timestamps
+ sysctlval: '0'
+ datatype: int
diff --git a/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml b/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml
new file mode 100644
index 0000000..9cab819
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml
@@ -0,0 +1,139 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Ensure All Files Have Minimum Permission'
+
+description: |-
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+ <p>According to the minimum permission requirements, the minimum access permission must be set for key files in the system,
+ especially files that contain sensitive information. Users with corresponding permissions can access the directory.
+ If the file or directory permission is incorrectly configured, the file information may leakage. </p>
+
+ <p>For example, if the access permission is set to 644 or greater, any user can access or even tamper with the data.
+ If the program's access permission is set to 755, as a result, any user can perform the operation,
+ which leads to privilege escalation risks.</p>
+
+ <p>Common types of files or directories that require access permission control are as follows:
+ <ul>
+ <li>Executable files (binary files and scripts): directory for storing executable files.
+ Improper permission configuration may lead to privilege escalation attacks.</li>
+
+ <li>Configuration files, key files, log files, data files that store sensitive information,
+ temporary files generated during system running, and static files.
+ These files may contain sensitive and private data. Improper permission configuration increases the risk of information leakage.</li>
+ </ul>
+ </p>
+
+ <p>The basic principles of permission control are as follows:
+ <table border="1">
+ <tr>
+ <th align="center">File Type</th>
+ <th align="center">Suggested Permission</th>
+ </tr>
+ <tr>
+ <td>Home Directory</td>
+ <td align="right">750(rwxr-x---)</td>
+ </tr>
+ <tr>
+ <td>Programs(Include bash, library)</td>
+ <td align="right">550(r-xr-x---)</td>
+ </tr>
+ <tr>
+ <td>Programs Directory</td>
+ <td align="right">550(r-xr-x---)</td>
+ </tr>
+ <tr>
+ <td>Configuration Files</td>
+ <td align="right">640(rw-r-----)</td>
+ </tr>
+ <tr>
+ <td>Configuration Files Directory</td>
+ <td align="right">750(rwxr-x---)</td>
+ </tr>
+ <tr>
+ <td>Log Files(Archived)</td>
+ <td align="right">440(r--r-----)</td>
+ </tr>
+ <tr>
+ <td>Log Files(Recording)</td>
+ <td align="right">640(rw-r-----)</td>
+ </tr>
+ <tr>
+ <td>Log Files Directory</td>
+ <td align="right">750(rwxr-x---)</td>
+ </tr>
+ <tr>
+ <td>Debug Files</td>
+ <td align="right">640(rw-r-----)</td>
+ </tr>
+ <tr>
+ <td>Debug Files Directory</td>
+ <td align="right">750(rwxr-x---)</td>
+ </tr>
+ <tr>
+ <td>Temporary Files Directory</td>
+ <td align="right">750(rwxr-x---)</td>
+ </tr>
+ <tr>
+ <td>Upgrading Files Directory</td>
+ <td align="right">770(rwxrwx---)</td>
+ </tr>
+ <tr>
+ <td>Data Files</td>
+ <td align="right">640(rw-r-----)</td>
+ </tr>
+ <tr>
+ <td>Data Files Directory</td>
+ <td align="right">750(rwxr-x---)</td>
+ </tr>
+ <tr>
+ <td>Directory Of Crypto Component, Private Key, Certificate, Encrypted Data</td>
+ <td align="right">700(rwx------)</td>
+ </tr>
+ <tr>
+ <td>Crypto Component, Private Key, Certificate, Encrypted Data</td>
+ <td align="right">600(rw-------)</td>
+ </tr>
+ <tr>
+ <td>Interface or Shell Files Of Crypto</td>
+ <td align="right">500(r-x------)</td>
+ </tr>
+ </table>
+ </p>
+ <p>Generally, a non-root user is used to perform services. This user needs to access necessary directories in the Linux system and files.
+ Therefore, permission control can be relaxed for system directories, configuration files, executable files,
+ and certificate files that the system depends on.</p>
+ <p>The system is consistent with the general release in the industry. The suggestions are as follows:
+ <table border="1">
+ <tr>
+ <th align="center">File Type</th>
+ <th align="center">Suggested Permission</th>
+ </tr>
+ <tr>
+ <td>Directory</td>
+ <td align="right">755(rwxr-xr-x)</td>
+ </tr>
+ <tr>
+ <td>Programs(Include bash, library)</td>
+ <td align="right">755(rwxr-xr-x)</td>
+ </tr>
+ <tr>
+ <td>Configuration Files</td>
+ <td align="right">644(rw-r--r--)</td>
+ </tr>
+ <tr>
+ <td>Certificate Files(No Private Key)</td>
+ <td align="right">444(r--r--r--)</td>
+ </tr>
+ </table>
+ </p>
+
+rationale: |-
+ The permission cannot be too high or too low. For example, if the permission of some system configuration files is set to 600 or 640,
+ common users cannot read the configuration files, the corresponding program may not be executed
+ because it does not have the permission to read the configuration.
+
+severity: high
+
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
index 83988fe..c1a4f1e 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
@@ -6,6 +6,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
<platform>multi_platform_wrlinux</platform>
</affected>
<description>Evaluates to true if all files with SGID set are owned by RPM packages.</description>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index 32c176d..ee5eb40 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
title: 'Ensure All SGID Executables Are Authorized'
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8
description: |-
The SGID (set group id) bit should be set only on files that were
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
index e83595c..8da5b5b 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
@@ -6,6 +6,7 @@
<platform>multi_platform_fedora</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
<platform>multi_platform_wrlinux</platform>
</affected>
<description>Evaluates to true if all files with SUID set are owned by RPM packages.</description>
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index ae5f130..1a9dab0 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
title: 'Ensure All SUID Executables Are Authorized'
-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8
+prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8
description: |-
The SUID (set user id) bit should be set only on files that were
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
index 4455469..20d67d6 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
@@ -5,6 +5,7 @@
<affected family="unix">
<platform>Red Hat Virtualization 4</platform>
<platform>multi_platform_ol</platform>
+ <platform>multi_platform_openeuler</platform>
<platform>multi_platform_opensuse</platform>
<platform>multi_platform_rhel</platform>
<platform>multi_platform_wrlinux</platform>
diff --git a/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml b/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml
new file mode 100644
index 0000000..6c87050
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: openeuler2203
+
+title: 'Opened Files Count Limited'
+
+description: |-
+ <p><tt>It can not be scanned automatically, please check it manually.</tt></p>
+
+ <p>The number of files that can be opened in Linux is limited. If all resources are occupied by a user, other users cannot open the file.</p>
+ <p>openEuler allows a user to open a maximum of 1024 file handles by default. If the number of file handles exceeds 1024,
+ new file handles cannot be opened. Low-privilege users can modify the value of 1024, but the upper limit 524288 cannot be exceed.
+ The root can modify the upper limit. </p>
+ <p>This parameter is set to a proper value to prevent all processes of a single user from opening too many file handles and exhausting system resources.</p>
+
+ <p>You can use below cli command to check the limitation:</p>
+ <ul>
+ <li>Check current limitation value:
+ <pre># ulimit -Sn
+ 1024
+ </pre>
+ </li>
+ <li>Check current upper limitation value:
+ <pre># ulimit -Hn
+ 524288
+ </pre>
+ </li>
+ </ul>
+
+rationale: |-
+ None
+
+severity: high
+
diff --git a/linux_os/guide/system/software/polkit/group.yml b/linux_os/guide/system/software/polkit/group.yml
new file mode 100644
index 0000000..37662e9
--- /dev/null
+++ b/linux_os/guide/system/software/polkit/group.yml
@@ -0,0 +1,6 @@
+documentation_complete: true
+
+title: Polkit
+
+description: |-
+ <tt>Polkit</tt>, which provides privilege escalation capabilities.
diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
new file mode 100644
index 0000000..ae03bd4
--- /dev/null
+++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml
@@ -0,0 +1,23 @@
+<def-group>
+ <definition class="compliance" id="only_root_can_run_pkexec" version="1">
+ <metadata>
+ <title>Only root user can run pkexec</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Only root user can run pkexec.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="check polkit setting" test_ref="test_only_root_can_run_pkexec" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check polkit setting" id="test_only_root_can_run_pkexec" version="1">
+ <ind:object object_ref="object_only_root_can_run_pkexec" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_only_root_can_run_pkexec" version="1">
+ <ind:filepath operation="equals">/etc/polkit-1/rules.d/50-default.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*polkit.addAdminRule\(function.+\n*[\s]*return[\s]+\[\s*"\s*unix-user\s*:\s*[1-9]*[1-9][0-9]*\s*"\s*\]</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
new file mode 100644
index 0000000..0ae583d
--- /dev/null
+++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Ensure Only Root Can Run The Command of Pkexec'
+
+prodtype: openeuler2203
+
+description: |-
+ The pkexec command enables a common user to have the rights of the super user or other users.
+ After the authentication is successful, the command is executed with the rights of the super user.
+ Pkexec provides a convenient path for users to change their identities, unconstrained use of the pkexec command can bring potential security risks.
+ The permission to access the root account using pkexec is restricted.<br />
+ By default, the password of the root user must be verified when uses pkexec. Only the root user can obtain the system administrator rights.
+
+rationale: |-
+ Low-privilege users can not use pkexec.
+
+severity: high
diff --git a/linux_os/guide/system/software/su/group.yml b/linux_os/guide/system/software/su/group.yml
new file mode 100644
index 0000000..aa6e29d
--- /dev/null
+++ b/linux_os/guide/system/software/su/group.yml
@@ -0,0 +1,6 @@
+documentation_complete: true
+
+title: Su
+
+description: |-
+ <tt>Su</tt>, which provides the ability to switch to root or other users.
diff --git a/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
new file mode 100644
index 0000000..942df37
--- /dev/null
+++ b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml
@@ -0,0 +1,23 @@
+<def-group>
+ <definition class="compliance" id="su_always_set_path" version="1">
+ <metadata>
+ <title>Always set env path when user switched</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Alway set env path when user switched by su.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="check always-set-path value" test_ref="test_su_always_set_path" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="check value in login.defs" id="test_su_always_set_path" version="1">
+ <ind:object object_ref="object_su_always_set_path" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_su_always_set_path" version="1">
+ <ind:filepath operation="equals">/etc/login.defs</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/software/su/su_always_set_path/rule.yml b/linux_os/guide/system/software/su/su_always_set_path/rule.yml
new file mode 100644
index 0000000..d461435
--- /dev/null
+++ b/linux_os/guide/system/software/su/su_always_set_path/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Ensure Always Set Path is Set to YES'
+
+prodtype: openeuler2203
+
+description: |-
+ The su command enables a common user to have the rights of the super user or other users.
+ It is often used to switch from a low-privilege user account to the system root account.
+ The su command provides a convenient way for users to change their identities.
+ However, using the su command without restrictions brings potential risks to the system.
+ <br />
+ The path is not automatically set for the user when the user is changed by using su.
+ If the system automatically initializes the environment variable PATH after you run the su command to switch users,
+ you can effectively prevent the privilege escalation which caused by inheriting the environment variable PATH.
+
+rationale: |-
+ None
+
+severity: high
diff --git a/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml b/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml
new file mode 100644
index 0000000..fe2409a
--- /dev/null
+++ b/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml
@@ -0,0 +1,23 @@
+<def-group>
+ <definition class="compliance" id="su_only_for_wheel" version="1">
+ <metadata>
+ <title>Only wheel group users can use su</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Only wheel group users can use su command.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="check wheel group in pam" test_ref="test_pam_wheel_so" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="check wheel setting in pam" id="test_pam_wheel_so" version="1">
+ <ind:object object_ref="object_pam_wheel_so" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_pam_wheel_so" version="1">
+ <ind:filepath operation="equals">/etc/pam.d/su</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*auth[\s]*required[\s]*pam_wheel\.so[\s]*.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml b/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml
new file mode 100644
index 0000000..55725ba
--- /dev/null
+++ b/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Ensure Only Users of Wheel Group Can Use SU'
+
+prodtype: openeuler2203
+
+description: |-
+ The su command enables a common user to have the rights of the super user or other users.
+ It is often used to switch from a common user account to the system root account.
+ The su command provides a convenient way for users to change their identities.
+ However, unconstrained use of the su command brings potential risks to the system.
+ <br />
+ The permission to access the root account using the su command is restricted.
+ Allows only common users in the wheel group to use the su command, which improves the security of system.
+
+rationale: |-
+ Users outside the wheel group cannot run the su command.
+
+severity: high
diff --git a/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml
new file mode 100644
index 0000000..16384d0
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml
@@ -0,0 +1,23 @@
+<def-group>
+ <definition class="compliance" id="sudo_not_for_all_users" version="1">
+ <metadata>
+ <title>Not all users can run all privilege programs</title>
+ <affected family="unix">
+ <platform>multi_platform_openeuler</platform>
+ </affected>
+ <description>Not all users can run all privileged programs.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="check sudoers setting" test_ref="test_privilege_setting_in_sudoers" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check privilege setting" id="test_privilege_setting_in_sudoers" version="1">
+ <ind:object object_ref="object_privilege_setting_in_sudoers" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_privilege_setting_in_sudoers" version="1">
+ <ind:filepath operation="equals">/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*ALL[\s]+ALL[\s]*=[\s]*.*[\s]*ALL[\s]*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml
new file mode 100644
index 0000000..98ac45e
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Ensure Not All Users Can Use Sudo In All Commands'
+
+prodtype: openeuler2203
+
+description: |-
+ The sudo command enables a common user to execute certain programs with the root permission.
+ Most system management commands need to be executed as root.<br />
+ Properly authorizing other users can reduce the burden of the system administrator,
+ but directly granting the root password to the common user will bring security risks.
+ Using sudo can avoid this problem.<br />
+ You can use the sudo mechanism to avoid using the root user for privileged programs that need to be run by the root user.
+ If so, the security is improved.
+ However, ensure that NOT all low-privilege users can run all commands.
+
+rationale: |-
+ Low-privilege users maybe can not run privileged programs.
+
+severity: high
diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
index 00405f5..de6890c 100644
--- a/openeuler2203/profiles/standard.profile
+++ b/openeuler2203/profiles/standard.profile
@@ -149,3 +149,18 @@ selections:
- audit_rules_usergroup_modification_shadow
- audit_rules_kernel_module_install_and_remove
- rsyslog_cron_logging
+ - ensure_minimum_permission
+ - opened_files_count_limited
+ - sysctl_net_ipv4_tcp_timestamps
+ - sysctl_net_ipv4_tcp_fin_timeout
+ - sysctl_net_ipv4_tcp_max_syn_backlog
+ - sysctl_net_ipv4_disable_arp_proxy
+ - sysctl_net_ipv4_icmp_echo_ignore_all
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - su_only_for_wheel
+ - sudo_not_for_all_users
+ - only_root_can_run_pkexec
+ - su_always_set_path
+ - file_permissions_unauthorized_world_writable
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
--
2.21.0.windows.1
Reference in New Issue View Git Blame Copy Permalink