From f21f424cb74a40748f6887d70e9635e4bcdf8cc9 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Sun, 25 Jun 2023 17:27:01 +0800 Subject: [PATCH 1/4] add some descriptions --- enable-76-rules-for-openEuler.patch | 120 ++++++++++++++++++++++++---- scap-security-guide.spec | 5 +- 2 files changed, 109 insertions(+), 16 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index 1551e35..0955ac5 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,7 +1,7 @@ -From a2fde1d192ec8fa8e1bdaed9daf68156b77e7ca4 Mon Sep 17 00:00:00 2001 +From 808277d4cd1bb001fc2925034f1e770f51b70aa9 Mon Sep 17 00:00:00 2001 From: "steven.y.gui" -Date: Tue, 6 Jun 2023 21:03:36 +0800 -Subject: [PATCH] enable 76 rules for openEuler +Date: Sun, 25 Jun 2023 17:23:33 +0800 +Subject: [PATCH] enable-76-rules-for-openEuler.patch --- .../rule.yml | 30 +++++++ @@ -23,9 +23,9 @@ Subject: [PATCH] enable 76 rules for openEuler .../sshd_use_strong_pubkey/rule.yml | 13 +++ .../guide/services/ssh/sshd_strong_kex.var | 19 +++++ .../oval/shared.xml | 1 + - .../rule.yml | 2 +- + .../rule.yml | 7 +- .../oval/shared.xml | 12 ++- - .../rule.yml | 2 +- + .../rule.yml | 8 +- .../oval/shared.xml | 13 ++- .../rule.yml | 2 +- .../oval/shared.xml | 1 + @@ -35,7 +35,7 @@ Subject: [PATCH] enable 76 rules for openEuler .../no_name_contained_in_password/rule.yml | 12 +++ .../accounts_password_pam_dcredit/rule.yml | 2 +- .../oval/shared.xml | 27 ++++++ - .../accounts_password_pam_dictcheck/rule.yml | 23 +++++ + .../accounts_password_pam_dictcheck/rule.yml | 28 ++++++ .../accounts_password_pam_lcredit/rule.yml | 2 +- .../accounts_password_pam_minclass/rule.yml | 2 +- .../accounts_password_pam_minlen/rule.yml | 2 +- 
@@ -70,13 +70,14 @@ Subject: [PATCH] enable 76 rules for openEuler .../tests/wrong_value.fail.sh | 5 ++ .../oval/shared.xml | 30 +++++++ .../login_accounts_are_necessary/rule.yml | 31 +++++++ + .../accounts_maximum_age_login_defs/rule.yml | 5 ++ .../gid_passwd_group_same/oval/shared.xml | 3 +- .../accounts_tmout/oval/shared.xml | 1 + - .../accounts-session/accounts_tmout/rule.yml | 2 +- + .../accounts-session/accounts_tmout/rule.yml | 7 +- .../oval/shared.xml | 83 ++++++++++++++++++ .../rule.yml | 2 +- .../accounts_umask_etc_bashrc/oval/shared.xml | 1 + - .../accounts_umask_etc_bashrc/rule.yml | 2 +- + .../accounts_umask_etc_bashrc/rule.yml | 9 +- .../accounts_umask_interactive_users/rule.yml | 2 +- .../oval/shared.xml | 20 +++++ .../grub2_nosmap_argument_absent/rule.yml | 25 ++++++ @@ -91,6 +92,7 @@ Subject: [PATCH] enable 76 rules for openEuler .../files/no_files_unowned_by_user/rule.yml | 2 +- .../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++ .../files/no_hide_exec_files/rule.yml | 14 +++ + .../sysctl_kernel_kptr_restrict/rule.yml | 5 ++ .../sysctl_kernel_dmesg_restrict/rule.yml | 2 +- .../oval/shared.xml | 1 + .../configure_ssh_crypto_policy/rule.yml | 2 +- @@ -103,7 +105,7 @@ Subject: [PATCH] enable 76 rules for openEuler shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 99 files changed, 1481 insertions(+), 36 deletions(-) + 101 files changed, 1519 insertions(+), 36 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -612,7 +614,7 @@ index 28eecc8..5165c15 100644 The passwords to remember should be set correctly. 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -index 579ffc0..cb2d878 100644 +index 579ffc0..1d926b7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -1,6 +1,6 @@ @@ -623,6 +625,18 @@ index 579ffc0..cb2d878 100644 title: 'Limit Password Reuse' +@@ -20,6 +20,11 @@ description: |- + + + The DoD STIG requirement is 5 passwords. ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the openEuler release does not disable historical passwords by default. ++ Please configure historical passwords based on the site requirements. ++ {{% endif %}} + + rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.' + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml index db91fa9..0139186 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml @@ -656,7 +670,7 @@ index db91fa9..0139186 100644 1 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml -index 5575bd3..1fe3174 100644 +index 5575bd3..a06d04e 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -1,6 +1,6 @@ @@ -667,6 +681,19 @@ index 5575bd3..1fe3174 100644 title: 'Set Deny For Failed Password Attempts' +@@ -17,6 +17,12 @@ description: |- +
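Review bot: The five-line `{{% if product in ["openeuler2203"] %}} … {{% endif %}}` block appended to the accounts_password_pam_unix_remember description is the same boilerplate pasted, with one sentence varied, into seven more rule descriptions in this series (faillock_deny, dictcheck, maximum_age_login_defs, accounts_tmout, umask_etc_bashrc and kptr_restrict in PATCH 1/4, pam_retry in PATCH 3/4), and PATCH 4/4 then has to touch four of them again just to add a line break. A shared Jinja macro that takes the rule-specific sentence as its argument would keep wording and layout identical across the rules and turn later edits into a one-line change. Separately, `the openEuler release does not disable historical passwords by default` is hard to read for a rule about `remember=`; `the openEuler release does not restrict reuse of previous passwords by default, so a default installation does not pass this rule` says what an auditor needs. The `description: |-` block this text extends begins outside the hunk.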
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: +
    account required pam_faillock.so
  • + ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the openEuler release does not provide this security function by default. ++ Please configure the default number of failures and lockout duration based on ++ the actual application scenario and requirements. ++ {{% endif %}} + + rationale: |- + Locking out user accounts after a number of incorrect attempts diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml index 402feab..da09d06 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml @@ -857,10 +884,10 @@ index 0000000..13bbae4 + diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml new file mode 100644 -index 0000000..b10e340 +index 0000000..1dc59f5 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml -@@ -0,0 +1,23 @@ +@@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: openeuler2203 
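Review bot: `the openEuler release does not provide this security function by default` in the accounts_passwords_pam_faillock_deny description reads as if pam_faillock were absent from the product, yet the next sentence asks the reader to configure the number of failures and the lockout duration, which only makes sense if the module is available. If the intent is that the module ships unconfigured, `the openEuler release does not enable pam_faillock lockout by default` is the accurate wording. Since the rule is presumably enabled for openeuler2203 by this series, the description should also state plainly that a default installation does not pass it, so the scan result is not a surprise. The description block starts outside the hunk.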
@@ -870,6 +897,11 @@ index 0000000..b10e340 +description: |- + The pam_pwquality module's dictcheck check if passwords contains dictionary words. When + dictcheck is set to 1 passwords will be checked for dictionary words. ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the weak password dictionary check is not configured for the openEuler release by default. ++ Please configure the weak password dictionary check based on the site requirements. ++ {{% endif %}} + +rationale: |- + Use of a complex password helps to increase the time and resources required to compromise the password. @@ -1692,6 +1724,22 @@ index 0000000..7fd34bc + +severity: medium + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +index d41a0eb..738fb8b 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +@@ -10,6 +10,11 @@ description: |- + A value of 180 days is sufficient for many environments. + The DoD requirement is 60. + The profile requirement is . ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the password expiration time is not configured in the openEuler release by default. ++ Please set the password expiration time based on the site requirements. ++ {{% endif %}} + + rationale: |- + Any password, no matter how complex, can eventually be cracked. Therefore, passwords 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml index 34d605b..781cd3f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml @@ -1719,7 +1767,7 @@ index c68effb..bcb50bd 100644 Checks interactive shell timeout diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml -index cdfa67d..4ceead4 100644 +index cdfa67d..437abe6 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml @@ -1,6 +1,6 @@ @@ -1730,6 +1778,18 @@ index cdfa67d..4ceead4 100644 title: 'Set Interactive Session Timeout' +@@ -9,6 +9,11 @@ description: |- + all user sessions will terminate based on inactivity. The TMOUT + setting in /etc/profile should read as follows: +
    TMOUT=
    ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the session timeout interval is not configured by default in the openEuler release. ++ Please configure the session timeout interval based on the site requirements. ++ {{% endif %}} + + rationale: |- + Terminating an idle session within a short time period reduces diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml new file mode 100644 index 0000000..56b3396 @@ -1844,7 +1904,7 @@ index 73e457d..9bbd226 100644 The default umask for users of the bash shell diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -index 9b189bc..88acb8b 100644 +index 9b189bc..a6d933c 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -1,6 +1,6 @@ @@ -1855,6 +1915,20 @@ index 9b189bc..88acb8b 100644 title: 'Ensure the Default Bash Umask is Set Correctly' +@@ -9,6 +9,13 @@ description: |- + add or correct the umask setting in /etc/bashrc to read + as follows: +
    umask 
    ++ {{% if product in ["openeuler2203"] %}} ++ After UMASK is set to 077, the default permission on the created file is 600, ++ and the default permission on the directory is 700. ++ Considering the usability of the community release of openEuler in different scenarios, ++ the openEuler release does not configure the UMASK by default. ++ Please configure the UMASK based on the site requirements. ++ {{% endif %}} + + rationale: |- + The umask value influences the permissions assigned to files when they are created. diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml index 7e6b11a..6271928 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml @@ -2151,6 +2225,22 @@ index 0000000..5c8bc4b + +severity: medium + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +index 2408bd0..53cb7f6 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +@@ -3,6 +3,11 @@ documentation_complete: true + title: 'Restrict Exposed Kernel Pointer Addresses Access' + + description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}' ++ {{% if product in ["openeuler2203"] %}} ++ To ensure easy maintenance and location, ++ the kptr_restrict parameter is set to 0 by default in the openEuler release. ++ Please set this parameter based on the site requirements. ++ {{% endif %}} + + rationale: |- + Exposing kernel pointers (through procfs or seq_printf()) exposes 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index bf58274..0ccf428 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 644b43d..0375175 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 5 +Release: 6 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -67,6 +67,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Sun Jun 25 2023 steven - 0.1.49-6 +- add some descriptions + * Tue Jun 6 2023 steven - 0.1.49-5 - fix bug of rule "require_signleuser_auth" -- Gitee From e72f93dfa02499223c7d4ff658d99f18687bb9e2 Mon Sep 17 00:00:00 2001 From: steven_ygui Date: Fri, 19 May 2023 01:39:08 +0800 Subject: [PATCH 2/4] fix --- enable-76-rules-for-openEuler.patch | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index 0955ac5..3b86709 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,6 +1,6 @@ -From 808277d4cd1bb001fc2925034f1e770f51b70aa9 Mon Sep 17 00:00:00 2001 -From: "steven.y.gui" -Date: Sun, 25 Jun 2023 17:23:33 +0800 +From 262435c4b8c511cf8afc5927051cb0948415f593 Mon Sep 17 00:00:00 2001 +From: steven_ygui +Date: Fri, 19 May 2023 01:37:20 +0800 Subject: [PATCH] enable-76-rules-for-openEuler.patch --- 
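Review bot: `To ensure easy maintenance and location` in the sysctl_kernel_kptr_restrict description does not say what is being located; if the meaning is debugging, `To ease maintenance and troubleshooting, kernel.kptr_restrict is left at 0 by default in the openEuler release, so a default installation does not pass this rule` gives both the reason and the consequence an auditor needs. It is also worth adding that a value of 0 leaves kernel pointers exposed, which is exactly the exposure the rationale below the added lines describes, so the reader sees why the rule still asks for 1. The description block continues outside the hunk.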
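Review bot: The embedded patch's `From`, `From:`, `Date:` and `Subject:` lines are rewritten in every revision of this series, here to `steven_ygui` and `Fri, 19 May 2023`, a date that precedes PATCH 1/4's own `Sun, 25 Jun 2023`; PATCH 3/4 flips the author back and PATCH 4/4 renames the subject yet again, and the trailing git-version line changes in the `@@ -2665,5 +2668,5 @@` hunk of this file section and again in PATCH 3/4. None of this relates to the rule descriptions being edited, so each revision carries header noise on top of the real change, and the backwards date suggests the inner patch was regenerated from a stale checkout. Regenerating it from the same local commit each time, or hand-editing only the affected hunks and leaving the header and trailer untouched, would keep each revision to the lines that actually change.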
@@ -92,7 +92,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler.patch .../files/no_files_unowned_by_user/rule.yml | 2 +- .../files/no_hide_exec_files/oval/shared.xml | 40 +++++++++ .../files/no_hide_exec_files/rule.yml | 14 +++ - .../sysctl_kernel_kptr_restrict/rule.yml | 5 ++ + .../sysctl_kernel_kptr_restrict/rule.yml | 8 +- .../sysctl_kernel_dmesg_restrict/rule.yml | 2 +- .../oval/shared.xml | 1 + .../configure_ssh_crypto_policy/rule.yml | 2 +- @@ -105,7 +105,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler.patch shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 101 files changed, 1519 insertions(+), 36 deletions(-) + 101 files changed, 1521 insertions(+), 37 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -2226,13 +2226,16 @@ index 0000000..5c8bc4b +severity: medium + diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -index 2408bd0..53cb7f6 100644 +index 2408bd0..a5bd907 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml 
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -@@ -3,6 +3,11 @@ documentation_complete: true +@@ -2,7 +2,13 @@ documentation_complete: true + title: 'Restrict Exposed Kernel Pointer Addresses Access' - description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}' +-description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}' ++description: |- ++ {{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} + {{% if product in ["openeuler2203"] %}} + To ensure easy maintenance and location, + the kptr_restrict parameter is set to 0 by default in the openEuler release. @@ -2665,5 +2668,5 @@ index 401c60d..aa081d8 100644 "opensuse": [ "cpe:/o:opensuse:leap:42.1", -- -2.21.0.windows.1 +2.33.0 -- Gitee From 696e34728b7075247e8502d201cc8aaea2149b4c Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Mon, 26 Jun 2023 17:10:55 +0800 Subject: [PATCH 3/4] add some descriptions --- enable-76-rules-for-openEuler.patch | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index 3b86709..f5ccc6f 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,7 +1,7 @@ -From 262435c4b8c511cf8afc5927051cb0948415f593 Mon Sep 17 00:00:00 2001 -From: steven_ygui -Date: Fri, 19 May 2023 01:37:20 +0800 -Subject: [PATCH] enable-76-rules-for-openEuler.patch +From 49b0ed553a842d15ed5f942dd9825aa89eb84078 Mon Sep 17 00:00:00 2001 +From: "steven.y.gui" +Date: Mon, 26 Jun 2023 17:09:54 +0800 +Subject: [PATCH] enable-76-rules-for-openEuler --- .../rule.yml | 30 +++++++ 
@@ -41,7 +41,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler.patch .../accounts_password_pam_minlen/rule.yml | 2 +- .../accounts_password_pam_ocredit/rule.yml | 2 +- .../oval/shared.xml | 1 + - .../accounts_password_pam_retry/rule.yml | 2 +- + .../accounts_password_pam_retry/rule.yml | 7 +- .../accounts_password_pam_ucredit/rule.yml | 2 +- .../var_password_pam_dictcheck.var | 16 ++++ .../oval/shared.xml | 1 + @@ -105,7 +105,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler.patch shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 101 files changed, 1521 insertions(+), 37 deletions(-) + 101 files changed, 1526 insertions(+), 37 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -977,7 +977,7 @@ index d888d78..4588489 100644 The password retry should meet minimum requirements diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -index 099cbbf..908ca40 100644 +index 099cbbf..50853ed 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml @@ -1,6 +1,6 @@ 
@@ -988,6 +988,18 @@ index 099cbbf..908ca40 100644 title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' +@@ -10,6 +10,11 @@ description: |- + show retry=, or a lower value if + site policy is more restrictive. + The DoD requirement is a maximum of 3 prompts per session. ++ {{% if product in ["openeuler2203"] %}} ++ Considering the usability of the community release of openEuler in different scenarios, ++ the values of retry are not configured in the openEuler release by default. ++ Please set it based on the site requirements. ++ {{% endif %}} + + rationale: |- + Setting the password retry prompts that are permitted on a per-session basis to a low value diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml index 7b5fe67..203da95 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml @@ -2668,5 +2680,5 @@ index 401c60d..aa081d8 100644 "opensuse": [ "cpe:/o:opensuse:leap:42.1", -- -2.33.0 +2.21.0.windows.1 -- Gitee From 9b9f626e2c66b6326797566fe79d2a4362c2b44e Mon Sep 17 00:00:00 2001 From: "steven.y.gui" Date: Mon, 26 Jun 2023 19:33:30 +0800 Subject: [PATCH 4/4] add br --- enable-76-rules-for-openEuler.patch | 36 ++++++++++++++++------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/enable-76-rules-for-openEuler.patch b/enable-76-rules-for-openEuler.patch index f5ccc6f..2a1f0a1 100644 --- a/enable-76-rules-for-openEuler.patch +++ b/enable-76-rules-for-openEuler.patch @@ -1,7 +1,7 @@ -From 49b0ed553a842d15ed5f942dd9825aa89eb84078 Mon Sep 17 00:00:00 2001 +From 6c007906571ed8e7b931d1b923a54af52b6ec91c Mon Sep 17 00:00:00 2001 
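Review bot: `the values of retry are not configured in the openEuler release by default. Please set it` in the accounts_password_pam_retry description mixes plural and singular; `retry` is one option, so `the retry value is not configured in the openEuler release by default. Please set it based on the site requirements.` reads correctly. As with the other descriptions in this series, saying outright that a default installation does not pass the rule helps the reader more than the softer wording. The description block starts outside the hunk.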
From: "steven.y.gui" -Date: Mon, 26 Jun 2023 17:09:54 +0800 -Subject: [PATCH] enable-76-rules-for-openEuler +Date: Mon, 26 Jun 2023 19:32:25 +0800 +Subject: [PATCH] enable 76 rules for openEuler --- .../rule.yml | 30 +++++++ @@ -23,7 +23,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler .../sshd_use_strong_pubkey/rule.yml | 13 +++ .../guide/services/ssh/sshd_strong_kex.var | 19 +++++ .../oval/shared.xml | 1 + - .../rule.yml | 7 +- + .../rule.yml | 8 +- .../oval/shared.xml | 12 ++- .../rule.yml | 8 +- .../oval/shared.xml | 13 ++- @@ -35,13 +35,13 @@ Subject: [PATCH] enable-76-rules-for-openEuler .../no_name_contained_in_password/rule.yml | 12 +++ .../accounts_password_pam_dcredit/rule.yml | 2 +- .../oval/shared.xml | 27 ++++++ - .../accounts_password_pam_dictcheck/rule.yml | 28 ++++++ + .../accounts_password_pam_dictcheck/rule.yml | 29 +++++++ .../accounts_password_pam_lcredit/rule.yml | 2 +- .../accounts_password_pam_minclass/rule.yml | 2 +- .../accounts_password_pam_minlen/rule.yml | 2 +- .../accounts_password_pam_ocredit/rule.yml | 2 +- .../oval/shared.xml | 1 + - .../accounts_password_pam_retry/rule.yml | 7 +- + .../accounts_password_pam_retry/rule.yml | 8 +- .../accounts_password_pam_ucredit/rule.yml | 2 +- .../var_password_pam_dictcheck.var | 16 ++++ .../oval/shared.xml | 1 + @@ -70,7 +70,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler .../tests/wrong_value.fail.sh | 5 ++ .../oval/shared.xml | 30 +++++++ .../login_accounts_are_necessary/rule.yml | 31 +++++++ - .../accounts_maximum_age_login_defs/rule.yml | 5 ++ + .../accounts_maximum_age_login_defs/rule.yml | 6 ++ .../gid_passwd_group_same/oval/shared.xml | 3 +- .../accounts_tmout/oval/shared.xml | 1 + .../accounts-session/accounts_tmout/rule.yml | 7 +- 
@@ -105,7 +105,7 @@ Subject: [PATCH] enable-76-rules-for-openEuler shared/macros-oval.jinja | 73 ++++++++++++++++ shared/templates/template_OVAL_sysctl | 4 + ssg/constants.py | 4 +- - 101 files changed, 1526 insertions(+), 37 deletions(-) + 101 files changed, 1530 insertions(+), 37 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/no_lowprivilege_users_writeable_cmds_in_crontab_file/rule.yml create mode 100644 linux_os/guide/services/ftp/package_ftp_removed/rule.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/disable_host_auth/oval/shared.xml @@ -614,7 +614,7 @@ index 28eecc8..5165c15 100644 The passwords to remember should be set correctly. diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -index 579ffc0..1d926b7 100644 +index 579ffc0..3bb940f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -1,6 +1,6 @@ @@ -625,11 +625,12 @@ index 579ffc0..1d926b7 100644 title: 'Limit Password Reuse' -@@ -20,6 +20,11 @@ description: |- +@@ -20,6 +20,12 @@ description: |- The DoD STIG requirement is 5 passwords. + {{% if product in ["openeuler2203"] %}} ++
    + Considering the usability of the community release of openEuler in different scenarios, + the openEuler release does not disable historical passwords by default. + Please configure historical passwords based on the site requirements. @@ -884,10 +885,10 @@ index 0000000..13bbae4 + diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml new file mode 100644 -index 0000000..1dc59f5 +index 0000000..46159db --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml -@@ -0,0 +1,28 @@ +@@ -0,0 +1,29 @@ +documentation_complete: true + +prodtype: openeuler2203 @@ -898,6 +899,7 @@ index 0000000..1dc59f5 + The pam_pwquality module's dictcheck check if passwords contains dictionary words. When + dictcheck is set to 1 passwords will be checked for dictionary words. + {{% if product in ["openeuler2203"] %}} ++
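Review bot: The line inserted directly after `{{% if product in ["openeuler2203"] %}}` in the accounts_password_pam_unix_remember description (rendered on this page as a bare `++`, presumably the `<br />` named in the commit subject) is added to only four of the eight descriptions that received the openEuler block: this one, dictcheck, pam_retry and maximum_age_login_defs, as the diffstat changes `7 +-`→`8 +-`, `28 ++++++`→`29 +++++++`, `7 +-`→`8 +-` and `5 ++`→`6 ++` and the total rising by exactly four show, while accounts_tmout keeps `7 +-` and faillock_deny, umask_etc_bashrc and kptr_restrict are not touched. The rendered guide will therefore break the paragraph before the distro note in some rules and run it straight on in others; the same line belongs in the other four, or in none. Keeping the block in one shared Jinja macro would make this kind of layout change a single edit.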
    + Considering the usability of the community release of openEuler in different scenarios, + the weak password dictionary check is not configured for the openEuler release by default. + Please configure the weak password dictionary check based on the site requirements. @@ -977,7 +979,7 @@ index d888d78..4588489 100644 The password retry should meet minimum requirements diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -index 099cbbf..50853ed 100644 +index 099cbbf..4bf912f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml @@ -1,6 +1,6 @@ @@ -988,11 +990,12 @@ index 099cbbf..50853ed 100644 title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' -@@ -10,6 +10,11 @@ description: |- +@@ -10,6 +10,12 @@ description: |- show retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. + {{% if product in ["openeuler2203"] %}} ++
    + Considering the usability of the community release of openEuler in different scenarios, + the values of retry are not configured in the openEuler release by default. + Please set it based on the site requirements. @@ -1737,14 +1740,15 @@ index 0000000..7fd34bc +severity: medium + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml -index d41a0eb..738fb8b 100644 +index d41a0eb..d667d96 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml -@@ -10,6 +10,11 @@ description: |- +@@ -10,6 +10,12 @@ description: |- A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is . + {{% if product in ["openeuler2203"] %}} ++
    + Considering the usability of the community release of openEuler in different scenarios, + the password expiration time is not configured in the openEuler release by default. + Please set the password expiration time based on the site requirements. -- Gitee