diff --git a/enable-54-rules-for-openEuler.patch b/enable-54-rules-for-openEuler.patch new file mode 100644 index 0000000000000000000000000000000000000000..4fd930c4390e107053262e9585fcd06476e93ebf --- /dev/null +++ b/enable-54-rules-for-openEuler.patch 
@@ -0,0 +1,1317 @@ +From 10617803f98189b619b64f9c716c6aef00610aa9 Mon Sep 17 00:00:00 2001 +From: "steven.y.gui" +Date: Thu, 27 Jul 2023 11:35:15 +0800 +Subject: [PATCH] enable 54 rules for openEuler + +--- + .../service_avahi-daemon_disabled/rule.yml | 2 +- + .../cron_and_at_config/oval/shared.xml | 51 +++++++++++++++ + .../cron_and_at/cron_and_at_config/rule.yml | 15 +++++ + .../file_groupowner_cron_d/rule.yml | 2 +- + .../file_groupowner_cron_daily/rule.yml | 2 +- + .../file_groupowner_cron_hourly/rule.yml | 2 +- + .../file_groupowner_cron_monthly/rule.yml | 2 +- + .../file_groupowner_cron_weekly/rule.yml | 2 +- + .../file_groupowner_crontab/rule.yml | 2 +- + .../cron_and_at/file_owner_cron_d/rule.yml | 2 +- + .../file_owner_cron_daily/rule.yml | 2 +- + .../file_owner_cron_hourly/rule.yml | 2 +- + .../file_owner_cron_monthly/rule.yml | 2 +- + .../file_owner_cron_weekly/rule.yml | 2 +- + .../cron_and_at/file_owner_crontab/rule.yml | 2 +- + .../file_permissions_cron_d/rule.yml | 2 +- + .../file_permissions_cron_daily/rule.yml | 2 +- + .../file_permissions_cron_hourly/rule.yml | 2 +- + .../file_permissions_cron_monthly/rule.yml | 2 +- + .../file_permissions_cron_weekly/rule.yml | 2 +- + .../file_permissions_crontab/rule.yml | 2 +- + .../file_groupowner_cron_allow/rule.yml | 2 +- + .../file_owner_cron_allow/rule.yml | 2 +- + .../service_crond_enabled/rule.yml | 2 +- + .../package_openldap-servers_removed/rule.yml | 2 +- + .../rule.yml | 2 +- + .../service_chronyd_or_ntpd_enabled/rule.yml | 2 +- + .../nis/package_ypbind_removed/rule.yml | 2 +- + .../nis/package_ypserv_removed/rule.yml | 2 +- + .../printing/service_cups_disabled/rule.yml | 2 +- + .../package_openssh-server_installed/rule.yml | 2 +- + .../package_openssh-server_removed/rule.yml | 2 +- + .../oval/shared.xml | 1 + + .../firewalld_sshd_port_enabled/rule.yml | 2 +- + .../oval/shared.xml | 36 ++++++++++ + .../sshd_disable_user_known_hosts_ex/rule.yml | 19 ++++++ + .../service_debug-shell_disabled/rule.yml | 
2 +- + .../account_temp_expire_date/rule.yml | 2 +- + .../oval/shared.xml | 65 +++++++++++++++++++ + .../rule.yml | 24 +++++++ + .../oval/shared.xml | 1 + + .../audit_rules_login_events/oval/shared.xml | 1 + + .../rule.yml | 2 +- + .../audit_rules_login_events_lastlog/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rsyslog_cron_logging/oval/shared.xml | 1 + + .../rsyslog_cron_logging/rule.yml | 2 +- + .../service_firewalld_enabled/rule.yml | 2 +- + .../configure_firewalld_ports/oval/shared.xml | 1 + + .../configure_firewalld_ports/rule.yml | 2 +- + .../rule.yml | 35 ++++++++++ + .../oval/shared.xml | 1 + + .../set_firewalld_default_zone/rule.yml | 2 +- + .../oval/{rhel6.xml => shared.xml} | 1 + + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../sysctl_net_ipv4_ip_forward/rule.yml | 2 +- + .../kernel_module_sctp_disabled/rule.yml | 2 +- + .../rule.yml | 2 +- + .../selinux/selinux_policytype/rule.yml | 2 +- + .../system/selinux/selinux_state/rule.yml | 2 +- + openeuler2203/profiles/standard.profile | 55 ++++++++++++++++ + shared/templates/template_OVAL_sysctl | 2 +- + 80 files changed, 372 insertions(+), 65 deletions(-) + create mode 100644 linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml + create mode 100644 linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml + create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml + create mode 100644 linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml + rename linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/{rhel6.xml => shared.xml} (97%) + +diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +index 76c4a8a..fd7dd6d 100644 +--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml ++++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel6,rhel7,rhel8 ++prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8 + + title: 'Disable Avahi Server Software' + +diff --git a/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml b/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml +new file mode 100644 +index 0000000..c032930 +--- /dev/null ++++ b/linux_os/guide/services/cron_and_at/cron_and_at_config/oval/shared.xml +@@ -0,0 +1,51 @@ ++ ++ ++ ++ Verify Permissions On The cron And at Files ++ ++ multi_platform_openeuler ++ ++ Check permissions on the cron and at files. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc ++ ^cron.deny$ ++ ++ ++ /etc ++ ^at.deny$ ++ ++ ++ +diff --git a/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml b/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml +new file mode 100644 +index 0000000..630b3d7 +--- /dev/null ++++ b/linux_os/guide/services/cron_and_at/cron_and_at_config/rule.yml +@@ -0,0 +1,15 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Verify Permissions On The cron And at Files' ++ ++description: |- ++ Check permissions on the cron and at files, include: cron.d, crontab, cron.hourly, ++ cron.daily, cron.weekly, cron.monthly, cron.allow, at.allow. And there are no files of cron.deny and at.deny. ++ ++rationale: |- ++ Strict permission control prevents attacks from low-privileged users. ++ ++severity: medium ++ +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +index 3add79d..f8d3d62 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Group Who Owns cron.d' + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +index 53e1800..57b7fb2 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Group Who Owns cron.daily' + +diff --git 
a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +index c3545bc..48d42ad 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Group Who Owns cron.hourly' + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +index a664d78..82c0fac 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Group Who Owns cron.monthly' + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +index de1ac8c..91e258c 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Group Who Owns cron.weekly' + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +index 8df80cb..cc35092 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: 
rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Group Who Owns Crontab' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +index 8778109..5cdf85c 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Owner on cron.d' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +index ed6e76e..32dc30b 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Owner on cron.daily' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +index 298a03b..12491e8 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Owner on cron.hourly' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +index 35f2bc1..4a8734b 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: 
true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Owner on cron.monthly' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +index f5bba63..ca82f2d 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Owner on cron.weekly' + +diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +index a10a283..fd5b5e7 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Owner on crontab' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +index cd0dc61..fdf8daf 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Permissions on cron.d' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +index 4313ffb..84651fc 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml ++++ 
b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Permissions on cron.daily' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +index 1d06872..eef3028 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Permissions on cron.hourly' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +index b4d1863..72ffb6c 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Permissions on cron.monthly' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +index 523ea17..4fcbe28 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Permissions on cron.weekly' + +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml 
b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +index 126bffd..31b3152 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,rhv4 ++prodtype: openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Verify Permissions on crontab' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml +index b32afa5..7c797bf 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Verify Group Who Owns /etc/cron.allow file' + +diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml +index 80dedca..27694be 100644 +--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml ++++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Verify User Who Owns /etc/cron.allow file' + +diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +index a1f82cf..1917061 100644 +--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml ++++ 
b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Enable cron Service' + +diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +index d328872..348f794 100644 +--- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml ++++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: openeuler2203,rhel6,rhel7,rhel8 + + title: 'Uninstall openldap-servers Package' + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +index 437d72a..1381b06 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 + + title: 'Specify a Remote NTP Server' + +diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +index 6bdf586..f50264c 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 + + title: 'Enable the NTP Daemon' + +diff --git 
a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +index eb1ad4c..efb6c20 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Remove NIS Client' + +diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +index d364ef6..f855b1d 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Uninstall ypserv Package' + +diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml +index bd04e58..542a304 100644 +--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml ++++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: openeuler2203,rhel6,rhel7,rhel8 + + title: 'Disable the CUPS Service' + +diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +index 0bb4aad..ab99c61 100644 +--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: 
debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8 ++prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8 + + title: 'Install the OpenSSH Server Package' + +diff --git a/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml +index 1c491d1..13affc3 100644 +--- a/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8 ++prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8 + + title: 'Remove the OpenSSH Server Package' + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +index 25f1d1e..19c155e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +@@ -7,6 +7,7 @@ + Red Hat Enterprise Linux 8 + Red Hat Virtualization 4 + multi_platform_ol ++ multi_platform_openeuler + multi_platform_wrlinux + + If inbound SSH access is needed, the firewall should allow access to +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +index 37f7e32..ef8970f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml ++++ 
b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 + + title: 'Enable SSH Server firewalld Firewall Exception' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml +new file mode 100644 +index 0000000..d629e00 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/oval/shared.xml +@@ -0,0 +1,36 @@ ++ ++ ++ ++ Disable SSH Support for User Known Hosts ++ ++ multi_platform_openeuler ++ ++ Not support user known hosts on ssh server ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /root/.ssh ++ ^known_hosts$ ++ ++ ++ ++ \/home\/.+\/\.ssh ++ ^known_hosts$ ++ ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml +new file mode 100644 +index 0000000..ee76374 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts_ex/rule.yml +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++title: 'Not Use User Known Hosts' ++ ++description: |- ++ SSH can allow system users to connect to systems if a cache of the remote ++ systems public keys is available. This should be disabled. ++

++ To ensure this behavior is disabled, add or correct the ++ following line in /etc/ssh/sshd_config: ++
IgnoreUserKnownHosts yes
++ Or remove the files of known_hosts from /root and /home directory. ++ ++rationale: |- ++ Configuring this setting for the SSH daemon provides additional ++ assurance that remove login via SSH will require a password, even ++ in the event of misconfiguration elsewhere. ++ ++severity: medium +diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml +index cfda54d..8efaa28 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 + + title: 'Disable debug-shell SystemD Service' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml +index 34ef1e6..1b663a4 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Assign Expiration Date to Temporary Accounts' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml +new file mode 100644 +index 0000000..92b2667 +--- /dev/null ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/oval/shared.xml +@@ -0,0 +1,65 @@ ++ ++ ++ ++ Audit Kernel Module Installing and Removing ++ ++ multi_platform_openeuler ++ ++ The audit rules should be configured to log information about kernel module installing and removing. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-w[\s]+\/sbin\/insmod[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-w[\s]+\/sbin\/rmmod[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-w[\s]+\/sbin\/modprobe[\s]+-p[\s]+x[\s]+-k[\s]+.*[\s]*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml +new file mode 100644 +index 0000000..03aa0b7 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_install_and_remove/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++title: 'Ensure auditd Collects Information on Kernel Module Installing and Removing' ++ ++prodtype: openeuler2203 ++ ++description: |- ++ To capture kernel module installing and removing events. 
++ ++ The place to add the lines depends on a way auditd daemon is configured. If it is configured ++ to use the augenrules program (the default), add the lines to a file with suffix ++ .rules in the directory /etc/audit/rules.d. ++ ++ If the auditd daemon is configured to use the auditctl utility, ++ add the lines to file /etc/audit/audit.rules. ++ ++

Here, we only use the first method (augenrules) to check.

++ ++rationale: |- ++ The addition/removal of kernel modules can be used to alter the behavior of ++ the kernel and potentially introduce malicious code into kernel space. It is important ++ to have an audit trail of modules that have been introduced into the kernel. ++ ++severity: medium +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml +index e987860..872458d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml +@@ -6,6 +6,7 @@ + Red Hat Virtualization 4 + multi_platform_fedora + multi_platform_ol ++ multi_platform_openeuler + multi_platform_rhel + + The audit rules should be configured to log information about kernel module loading and unloading. +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml +index 772b34f..c222204 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml +@@ -6,6 +6,7 @@ + Red Hat Virtualization 4 + multi_platform_fedora + multi_platform_ol ++ multi_platform_openeuler + multi_platform_rhel + + Audit rules should be configured to log successful and unsuccessful login and logout events. 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +index 4d2af18..9dc69ef 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Record Attempts to Alter Logon and Logout Events - faillock' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +index 355004a..58cb1ca 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + + title: 'Record Attempts to Alter Logon and Logout Events - lastlog' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml +index 7c27c22..531cf37 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Record Attempts to Alter Logon and Logout Events - tallylog'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+index 5536a62..071c762 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Record Events that Modify User/Group Information - /etc/group'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+index 8627ad9..b4dbab4 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Record Events that Modify User/Group Information - /etc/gshadow'
+ 
+diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+index 4db8bbe..47e36fa 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Record Events that Modify User/Group Information - /etc/security/opasswd'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+index 0f18997..c21225c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Record Events that Modify User/Group Information - /etc/passwd'
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+index 32b6b9e..77f1e71 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+@@ -1,6 +1,6 
@@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Record Events that Modify User/Group Information - /etc/shadow'
+ 
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
+index 97e8d85..ec94870 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
+@@ -7,6 +7,7 @@
+ Red Hat Virtualization 4
+ multi_platform_fedora
+ multi_platform_ol
++ multi_platform_openeuler
+ multi_platform_rhel
+ multi_platform_wrlinux
+ 
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+index 31e9a56..cba4e19 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Ensure cron Is Logging To Rsyslog'
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+index 74d3880..bcb4758 100644
+--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
++++ 
b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Verify firewalld Enabled'
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
+index c25e31a..cee35b4 100644
+--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
+@@ -6,6 +6,7 @@
+ Red Hat Enterprise Linux 7
+ Red Hat Enterprise Linux 8
+ Red Hat Virtualization 4
++ multi_platform_openeuler
+ multi_platform_wrlinux
+ 
+ Configure the firewalld ports to allow approved
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
+index d2b6697..49c390c 100644
+--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: rhel7,rhel8,rhv4,wrlinux1019
++prodtype: openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Configure the Firewalld Ports'
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml
+new file mode 100644
+index 
0000000..3acd6c4 +--- /dev/null ++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/disable_unnecessary_service_and_ports/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disable Unnecessary Services and Ports on Firewalld' ++ ++description: |- ++ Configure the firewalld services and ports to allow approved ++ services to have the right to access to the system. To configure firewalld ++ to open/remove ports, run the following command: ++
$ sudo firewall-cmd --permanent --add-port/--remove-port=port_number/tcp
++ or ++
$ sudo firewall-cmd --permanent --add-service/--remove-service=service_name
++ Whether the port configuration is correct depends on the application scenario. Therefore, automatic check is not suitable. ++ ++rationale: |- ++ In order to prevent unauthorized connection of devices, unauthorized ++ transfer of information, or unauthorized tunneling (i.e., embedding of data ++ types within data types), organizations must disable or restrict unused or ++ unnecessary physical and logical ports/protocols on information systems. ++

++ Operating systems are capable of providing a wide variety of functions and ++ services. Some of the functions and services provided by default may not be ++ necessary to support essential organizational operations. ++ Additionally, it is sometimes convenient to provide multiple services from ++ a single component (e.g., VPN and IPS); however, doing so increases risk ++ over limiting the services provided by any one component. ++

++ To support the requirements and principles of least functionality, the ++ operating system must support the organizational requirements, providing ++ only essential capabilities and limiting the use of ports, protocols, ++ and/or services to only those required, authorized, and approved to conduct ++ official business or to address authorized quality of life issues. ++ ++severity: medium +diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml +index cc275f0..39966f4 100644 +--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml ++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml +@@ -8,6 +8,7 @@ + Red Hat Virtualization 4 + multi_platform_fedora + multi_platform_ol ++ multi_platform_openeuler + + Change the default firewalld zone to drop. 
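Review bot: The new rule `disable_unnecessary_service_and_ports` ships neither check content nor an `ocil`/`ocil_clause` section, so a scan will report it as notchecked instead of surfacing a manual check the assessor can answer and record; the description itself says an automatic check is not suitable, which is exactly the case OCIL covers. Suggest adding `ocil_clause: 'services or ports not on the approved list are open in the active firewalld zone'` together with an `ocil` block that asks the assessor to compare `firewall-cmd --list-all` output against the approved list. The description's `--add-port/--remove-port=port_number/tcp` and `--add-service/--remove-service=service_name` examples are not runnable as written; splitting each into its add and remove form, and stating that `--permanent` changes only take effect after `firewall-cmd --reload`, would make them safe to copy. Note also that `configure_firewalld_ports`, whose prodtype and OVAL platform list are extended to openEuler earlier in this patch, already covers the port half of this requirement with an automated check and is not selected in the profile; it may be worth stating why the manual rule is preferred.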
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+index 7cf9cf7..74afe48 100644
+--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4
+ 
+ title: 'Set Default firewalld Zone for Incoming Packets'
+ 
+diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml
+similarity index 97%
+rename from linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml
+rename to linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml
+index 7eddc5c..2e487a8 100644
+--- a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/rhel6.xml
++++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_default_rule/oval/shared.xml
+@@ -4,6 +4,7 @@
+ Change the default policy to DROP (from ACCEPT) for
+ the INPUT built-in chain
+ 
++ multi_platform_openeuler
+ Red Hat Enterprise Linux 6
+ 
+ Change the default policy to DROP (from ACCEPT)
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+index a8fe3d1..0dfda21 
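Review bot: Renaming `set_iptables_default_rule/oval/rhel6.xml` to `oval/shared.xml` turns a RHEL 6-only OVAL into the fallback definition for every product, while the affected-platform list still names only `multi_platform_openeuler` and `Red Hat Enterprise Linux 6`; any product that later adds this rule will pick up the check implicitly, which seems to be a side effect rather than the intent. A product-scoped copy (presumably `oval/openeuler2203.xml`, following the existing `rhel6.xml` naming) next to the untouched rhel6.xml would keep the scope explicit; otherwise the commit message should say that the check is meant to be shared. Style: every other OVAL hunk in this patch appends `multi_platform_openeuler` after the existing `multi_platform_*` entries, whereas here it is inserted ahead of the named Red Hat Enterprise Linux 6 entry. The rest of the definition, including the object and state it evaluates, is outside the hunk.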
100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+index d9b306f..f38d5cb 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ocp4,ol7,ol8,rhel6,openeuler2203,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+index 661121c..759e6b0 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Disable Kernel Parameter for IPv6 Forwarding'
+ 
+diff --git 
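Review bot: In `sysctl_net_ipv6_conf_all_accept_source_route/rule.yml` the new product is inserted after `rhel6` (`ol8,rhel6,openeuler2203,rhel7`), breaking the alphabetical order that every other prodtype hunk in this patch keeps (`ol8,openeuler2203,rhel6`). The build does not care about the order, but the inconsistency makes grep-based reviews of product coverage harder and reads as a slip; suggest `prodtype: ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019`.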
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+index 6284b03..5073adb 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+index fb91b61..9bf1f89 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+index 3ed5583..49a137b 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+index 93d3a6d..4f0cf66 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+index 7633f29..2f09e5c 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+index ffca800..e7a63f2 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4
+ 
+ title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+index ed541e7..f843b20 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: 
fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+index a958ce1..d0c8370 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+index 1f2f188..1612dd7 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml 
b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+index 5fa19c6..32c4521 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+index 1263313..0c016c7 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+index 8cb0868..d68c99e 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
++++ 
b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
+ 
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+index b3278b5..ae395f4 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Disable SCTP Support'
+ 
+diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+index de971a2..04e1d45 100644
+--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Disable Modprobe Loading of USB Storage Driver'
+ 
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+index b6b719f..d9c6817 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: 
fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Configure SELinux Policy'
+ 
+diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
+index fc2d4ae..31afc19 100644
+--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+ 
+ title: 'Ensure SELinux State is Enforcing'
+ 
+diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
+index 7f6f0e3..00405f5 100644
+--- a/openeuler2203/profiles/standard.profile
++++ b/openeuler2203/profiles/standard.profile
+@@ -94,3 +94,58 @@ selections:
+ - no_empty_symlink_files
+ - no_hide_exec_files
+ - no_lowprivilege_users_writeable_cmds_in_crontab_file
++ - service_debug-shell_disabled
++ - service_avahi-daemon_disabled
++ - package_openldap-servers_removed
++ - service_cups_disabled
++ - package_ypserv_removed
++ - package_ypbind_removed
++ - account_temp_expire_date
++ - no_netrc_files
++ - service_chronyd_or_ntpd_enabled
++ - chronyd_or_ntpd_specify_remote_server
++ - kernel_module_sctp_disabled
++ - kernel_module_tipc_disabled
++ - sshd_set_loglevel_verbose
++ - sshd_set_max_auth_tries
++ - sshd_max_auth_tries_value=3
++ - sshd_do_not_permit_user_env
++ - sshd_disable_user_known_hosts_ex
++ - sshd_disable_rhosts_rsa
++ - service_firewalld_enabled
++ - set_firewalld_default_zone
++ - disable_unnecessary_service_and_ports
++ - service_iptables_enabled
++ - service_ip6tables_enabled
++ - set_iptables_default_rule
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects
++ - 
sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_default_secure_redirects ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_default_send_redirects ++ - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv6_conf_all_forwarding ++ - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv4_tcp_syncookies ++ - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians ++ - sysctl_fs_suid_dumpable ++ - selinux_state ++ - selinux_policytype ++ - sysctl_fs_protected_symlinks ++ - sysctl_fs_protected_hardlinks ++ - kernel_module_usb-storage_disabled ++ - service_crond_enabled ++ - cron_and_at_config ++ - audit_rules_login_events ++ - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_opasswd ++ - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_shadow ++ - audit_rules_kernel_module_install_and_remove ++ - rsyslog_cron_logging +diff --git a/shared/templates/template_OVAL_sysctl b/shared/templates/template_OVAL_sysctl +index 62ae26d..3c30612 100644 +--- a/shared/templates/template_OVAL_sysctl ++++ b/shared/templates/template_OVAL_sysctl +@@ -43,7 +43,7 @@ + The "{{{ SYSCTLVAR }}}" kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + +-{{% if product in ["rhel6", "debian8", "ubuntu1404", "ubuntu1604", "ubuntu1804"] %}} ++{{% if product in ["openeuler2203", "rhel6", "debian8", "ubuntu1404", "ubuntu1604", "ubuntu1804"] %}} + + {{% else %}} + +-- +2.21.0.windows.1 + diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 037517521ae0bf28e883d3d814d46439d6ddf74a..5ae7f7c4bdd7bd82baf30b85f32485b38f9c5fae 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec 
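Review bot: The profile now selects `service_firewalld_enabled` alongside `service_iptables_enabled` and `service_ip6tables_enabled`; the upstream firewalld unit declares `Conflicts=` on iptables.service and ip6tables.service, so a systemd host cannot have both stacks active and one of these selections will fail on every compliant system. Pick one firewall stack for the openEuler baseline (firewalld with `set_firewalld_default_zone`, or iptables with `set_iptables_default_rule`) and drop the other pair, or document the expected split if openEuler images differ. `disable_unnecessary_service_and_ports` is also selected although it carries no check content, so it will appear as notchecked in every result, while its automated counterpart `configure_firewalld_ports`, enabled for openeuler2203 in this same patch, is not selected. The selections list begins before this hunk.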
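Review bot: Adding `openeuler2203` to the `rhel6`/`debian8`/`ubuntu` branch of `template_OVAL_sysctl` puts a systemd-based product on the legacy code path with no explanation; the branch body is outside the hunk, but if, as the product list suggests, it is the variant whose static check reads only `/etc/sysctl.conf`, a value delivered through `/etc/sysctl.d/*.conf` on openEuler 22.03 would be missed and every `sysctl_*` rule selected in this patch would fail on hosts that configure sysctl the systemd way. Please confirm which branch matches how openEuler applies sysctl settings at boot, and record the reason on the condition, e.g. `{{# openeuler2203: static sysctl config is expected in /etc/sysctl.conf only #}}`, so the next product port does not copy the choice blindly.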
@@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 6 +Release: 7 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -13,6 +13,7 @@ Patch0004:backport-fix-remaining-getchildren-and-getiterator-functions.patch Patch0005:backport-fix-for-older-python-versions-lacking-.iter-method.patch Patch0006:init-openEuler-ssg-project.patch Patch0007:enable-76-rules-for-openEuler.patch +Patch0008:enable-54-rules-for-openEuler.patch BuildArch: noarch BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML @@ -67,6 +68,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Thu Jul 27 2023 steven - 0.1.49-7 +- enable 54 rules for openEuler + * Sun Jun 25 2023 steven - 0.1.49-6 - add some descriptions