diff --git a/add-15-rules-for-openeuler.patch b/add-15-rules-for-openeuler.patch
new file mode 100644
index 0000000000000000000000000000000000000000..60af5a8c80e3a24577a8ce8370001b78c953f0da
--- /dev/null
+++ b/add-15-rules-for-openeuler.patch
@@ -0,0 +1,789 @@ +From dc37689392abe60433dc4521a835dfa6a031f603 Mon Sep 17 00:00:00 2001 +From: "steven.y.gui" +Date: Fri, 11 Aug 2023 10:03:30 +0800 +Subject: [PATCH] add 15 rules for openeuler + +--- + .../rule.yml | 21 +++ + .../rule.yml | 21 +++ + .../oval/shared.xml | 15 ++ + .../rule.yml | 17 +++ + .../rule.yml | 21 +++ + .../rule.yml | 2 +- + .../sysctl_net_ipv4_tcp_fin_timeout/rule.yml | 22 +++ + .../rule.yml | 23 +++ + .../sysctl_net_ipv4_tcp_timestamps/rule.yml | 21 +++ + .../files/ensure_minimum_permission/rule.yml | 139 ++++++++++++++++++ + .../oval/shared.xml | 1 + + .../rule.yml | 2 +- + .../oval/shared.xml | 1 + + .../rule.yml | 2 +- + .../oval/shared.xml | 1 + + .../files/opened_files_count_limited/rule.yml | 34 +++++ + .../guide/system/software/polkit/group.yml | 6 + + .../only_root_can_run_pkexec/oval/shared.xml | 23 +++ + .../polkit/only_root_can_run_pkexec/rule.yml | 17 +++ + linux_os/guide/system/software/su/group.yml | 6 + + .../su/su_always_set_path/oval/shared.xml | 23 +++ + .../software/su/su_always_set_path/rule.yml | 20 +++ + .../su/su_only_for_wheel/oval/shared.xml | 23 +++ + .../software/su/su_only_for_wheel/rule.yml | 19 +++ + .../sudo_not_for_all_users/oval/shared.xml | 23 +++ + .../sudo/sudo_not_for_all_users/rule.yml | 20 +++ + openeuler2203/profiles/standard.profile | 15 ++ + 27 files changed, 535 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml + create mode 100644 
linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml + create mode 100644 linux_os/guide/system/software/polkit/group.yml + create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml + create mode 100644 linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml + create mode 100644 linux_os/guide/system/software/su/group.yml + create mode 100644 linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml + create mode 100644 linux_os/guide/system/software/su/su_always_set_path/rule.yml + create mode 100644 linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml + create mode 100644 linux_os/guide/system/software/su/su_only_for_wheel/rule.yml + create mode 100644 linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml + create mode 100644 linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml +new file mode 100644 +index 0000000..7066bcc +--- /dev/null ++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_proxy_arp/rule.yml +@@ -0,0 +1,21 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disable Kernel Parameter for ARP Proxy' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.proxy_arp", value="0") }}}' ++ ++rationale: |- ++ Restricted execution of programs that depend on the ARP proxy. ++ ++severity: low ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: net.ipv4.conf.all.proxy_arp ++ sysctlval: '0' ++ datatype: int +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml +new file mode 100644 +index 0000000..170696b +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_proxy_arp/rule.yml +@@ -0,0 +1,21 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disable Kernel Parameter for ARP Proxy by Default' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.default.proxy_arp", value="0") }}}' ++ ++rationale: |- ++ Restricted execution of programs that depend on the ARP proxy. 
++ ++severity: low ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: net.ipv4.conf.default.proxy_arp ++ sysctlval: '0' ++ datatype: int +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml +new file mode 100644 +index 0000000..b072446 +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/oval/shared.xml +@@ -0,0 +1,15 @@ ++ ++ ++ ++ Disable ARP Proxy ++ ++ multi_platform_openeuler ++ ++ Disable arp proxy. ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml +new file mode 100644 +index 0000000..66a336e +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_disable_arp_proxy/rule.yml +@@ -0,0 +1,17 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disable ARP Proxy' ++ ++description: |- ++ ARP proxy allows the system to send a response to an ARP request on another interface on behalf of a host connected to an interface. ++ Disabling ARP proxy not only prevents authorized information sharing also prevents addressing information leakage between connected network segments. ++ Therefore, the ARP proxy must be disabled to prevent ARP packet attacks on the system. ++ ++rationale: |- ++ Restricted execution of programs that depend on the ARP proxy. 
++ ++severity: high ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml +new file mode 100644 +index 0000000..31bf313 +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_all/rule.yml +@@ -0,0 +1,21 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Set Kernel Parameter for Ignoring All ICMP' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_all", value="1") }}}' ++ ++rationale: |- ++ All ICMP packages are ignored. ++ ++severity: low ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: net.ipv4.icmp_echo_ignore_all ++ sysctlval: '1' ++ datatype: int +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml +index 12cbdea..74d196a 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4 + + title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces' + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml 
b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml +new file mode 100644 +index 0000000..ffd435a +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_fin_timeout/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Set Kernel Parameter for TCP TIME_WAIT' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_fin_timeout", value="60") }}}' ++ ++rationale: |- ++ Suggested value is 60.
++ If TIME_WAIT is set too long, DoS attacks may occur. ++ ++severity: high ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: net.ipv4.tcp_fin_timeout ++ sysctlval: '60' ++ datatype: int +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml +new file mode 100644 +index 0000000..f95f0be +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_max_syn_backlog/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Set Kernel Parameter for TCP SYN_RECV' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_max_syn_backlog", value="256") }}}' ++ ++rationale: |- ++ Suggested value is 256.
++ For security purposes, you are advised to set this parameter to a large value to mitigate TCP SYN flood attacks. ++ However, if this parameter is set to a large value, more system resources are consumed. ++ ++severity: low ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: net.ipv4.tcp_max_syn_backlog ++ sysctlval: '256' ++ datatype: int +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml +new file mode 100644 +index 0000000..a2df1d7 +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_tcp_timestamps/rule.yml +@@ -0,0 +1,21 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disable Kernel Parameter for TCP Timestamps' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_timestamps", value="0") }}}' ++ ++rationale: |- ++ After this function is enabled, packages with invalid addresses is recorded into kernel logs, which may cause logs overwrite. ++ ++severity: low ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: net.ipv4.tcp_timestamps ++ sysctlval: '0' ++ datatype: int +diff --git a/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml b/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml +new file mode 100644 +index 0000000..9cab819 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/ensure_minimum_permission/rule.yml +@@ -0,0 +1,139 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure All Files Have Minimum Permission' ++ ++description: |- ++

It can not be scanned automatically, please check it manually.

++ ++

According to the minimum permission requirements, the minimum access permission must be set for key files in the system, ++ especially files that contain sensitive information. Users with corresponding permissions can access the directory. ++ If the file or directory permission is incorrectly configured, the file information may leakage.

++ ++

For example, if the access permission is set to 644 or greater, any user can access or even tamper with the data. ++ If the program's access permission is set to 755, as a result, any user can perform the operation, ++ which leads to privilege escalation risks.

++ ++

Common types of files or directories that require access permission control are as follows: ++

++

++ ++

The basic principles of permission control are as follows: ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++
File TypeSuggested Permission
Home Directory750(rwxr-x---)
Programs(Include bash, library)550(r-xr-x---)
Programs Directory550(r-xr-x---)
Configuration Files640(rw-r-----)
Configuration Files Directory750(rwxr-x---)
Log Files(Archived)440(r--r-----)
Log Files(Recording)640(rw-r-----)
Log Files Directory750(rwxr-x---)
Debug Files640(rw-r-----)
Debug Files Directory750(rwxr-x---)
Temporary Files Directory750(rwxr-x---)
Upgrading Files Directory770(rwxrwx---)
Data Files640(rw-r-----)
Data Files Directory750(rwxr-x---)
Directory Of Crypto Component, Private Key, Certificate, Encrypted Data700(rwx------)
Crypto Component, Private Key, Certificate, Encrypted Data600(rw-------)
Interface or Shell Files Of Crypto500(r-x------)
++

++

Generally, a non-root user is used to perform services. This user needs to access necessary directories in the Linux system and files. ++ Therefore, permission control can be relaxed for system directories, configuration files, executable files, ++ and certificate files that the system depends on.

++

The system is consistent with the general release in the industry. The suggestions are as follows: ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++
File TypeSuggested Permission
Directory755(rwxr-xr-x)
Programs(Include bash, library)755(rwxr-xr-x)
Configuration Files644(rw-r--r--)
Certificate Files(No Private Key)444(r--r--r--)
++

++ ++rationale: |- ++ The permission cannot be too high or too low. For example, if the permission of some system configuration files is set to 600 or 640, ++ common users cannot read the configuration files, the corresponding program may not be executed ++ because it does not have the permission to read the configuration. ++ ++severity: high ++ +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml +index 83988fe..c1a4f1e 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml +@@ -6,6 +6,7 @@ + multi_platform_fedora + multi_platform_rhel + multi_platform_ol ++ multi_platform_openeuler + multi_platform_wrlinux + + Evaluates to true if all files with SGID set are owned by RPM packages. +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +index 32c176d..ee5eb40 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'Ensure All SGID Executables Are Authorized' + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 + + description: |- + The SGID (set group id) bit should be set only on files that were +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml +index e83595c..8da5b5b 100644 +--- 
a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml +@@ -6,6 +6,7 @@ + multi_platform_fedora + multi_platform_rhel + multi_platform_ol ++ multi_platform_openeuler + multi_platform_wrlinux + + Evaluates to true if all files with SUID set are owned by RPM packages. +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +index ae5f130..1a9dab0 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'Ensure All SUID Executables Are Authorized' + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 ++prodtype: fedora,ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 + + description: |- + The SUID (set user id) bit should be set only on files that were +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml +index 4455469..20d67d6 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml +@@ -5,6 +5,7 @@ + + Red Hat Virtualization 4 + multi_platform_ol ++ multi_platform_openeuler + multi_platform_opensuse + multi_platform_rhel + multi_platform_wrlinux +diff --git a/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml b/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml +new file mode 100644 +index 0000000..6c87050 +--- /dev/null 
++++ b/linux_os/guide/system/permissions/files/opened_files_count_limited/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Opened Files Count Limited' ++ ++description: |- ++

It can not be scanned automatically, please check it manually.

++ ++

The number of files that can be opened in Linux is limited. If all resources are occupied by a user, other users cannot open the file.

++

openEuler allows a user to open a maximum of 1024 file handles by default. If the number of file handles exceeds 1024, ++ new file handles cannot be opened. Low-privilege users can modify the value of 1024, but the upper limit 524288 cannot be exceed. ++ The root can modify the upper limit.

++

This parameter is set to a proper value to prevent all processes of a single user from opening too many file handles and exhausting system resources.

++ ++

You can use below cli command to check the limitation:

++ ++ ++rationale: |- ++ None ++ ++severity: high ++ +diff --git a/linux_os/guide/system/software/polkit/group.yml b/linux_os/guide/system/software/polkit/group.yml +new file mode 100644 +index 0000000..37662e9 +--- /dev/null ++++ b/linux_os/guide/system/software/polkit/group.yml +@@ -0,0 +1,6 @@ ++documentation_complete: true ++ ++title: Polkit ++ ++description: |- ++ Polkit, which provides privilege escalation capabilities. +diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml +new file mode 100644 +index 0000000..ae03bd4 +--- /dev/null ++++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/oval/shared.xml +@@ -0,0 +1,23 @@ ++ ++ ++ ++ Only root user can run pkexec ++ ++ multi_platform_openeuler ++ ++ Only root user can run pkexec. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/polkit-1/rules.d/50-default.rules ++ ^[\s]*polkit.addAdminRule\(function.+\n*[\s]*return[\s]+\[\s*"\s*unix-user\s*:\s*[1-9]*[1-9][0-9]*\s*"\s*\] ++ 1 ++ ++ +diff --git a/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml +new file mode 100644 +index 0000000..0ae583d +--- /dev/null ++++ b/linux_os/guide/system/software/polkit/only_root_can_run_pkexec/rule.yml +@@ -0,0 +1,17 @@ ++documentation_complete: true ++ ++title: 'Ensure Only Root Can Run The Command of Pkexec' ++ ++prodtype: openeuler2203 ++ ++description: |- ++ The pkexec command enables a common user to have the rights of the super user or other users. ++ After the authentication is successful, the command is executed with the rights of the super user. ++ Pkexec provides a convenient path for users to change their identities, unconstrained use of the pkexec command can bring potential security risks. ++ The permission to access the root account using pkexec is restricted.
++ By default, the password of the root user must be verified when uses pkexec. Only the root user can obtain the system administrator rights. ++ ++rationale: |- ++ Low-privilege users can not use pkexec. ++ ++severity: high +diff --git a/linux_os/guide/system/software/su/group.yml b/linux_os/guide/system/software/su/group.yml +new file mode 100644 +index 0000000..aa6e29d +--- /dev/null ++++ b/linux_os/guide/system/software/su/group.yml +@@ -0,0 +1,6 @@ ++documentation_complete: true ++ ++title: Su ++ ++description: |- ++ Su, which provides the ability to switch to root or other users. +diff --git a/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml +new file mode 100644 +index 0000000..942df37 +--- /dev/null ++++ b/linux_os/guide/system/software/su/su_always_set_path/oval/shared.xml +@@ -0,0 +1,23 @@ ++ ++ ++ ++ Always set env path when user switched ++ ++ multi_platform_openeuler ++ ++ Alway set env path when user switched by su. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/login.defs ++ ^[\s]*ALWAYS_SET_PATH[\s]*=[\s]*yes[\s]*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/software/su/su_always_set_path/rule.yml b/linux_os/guide/system/software/su/su_always_set_path/rule.yml +new file mode 100644 +index 0000000..d461435 +--- /dev/null ++++ b/linux_os/guide/system/software/su/su_always_set_path/rule.yml +@@ -0,0 +1,20 @@ ++documentation_complete: true ++ ++title: 'Ensure Always Set Path is Set to YES' ++ ++prodtype: openeuler2203 ++ ++description: |- ++ The su command enables a common user to have the rights of the super user or other users. ++ It is often used to switch from a low-privilege user account to the system root account. ++ The su command provides a convenient way for users to change their identities. ++ However, using the su command without restrictions brings potential risks to the system. ++
++ The path is not automatically set for the user when the user is changed by using su. ++ If the system automatically initializes the environment variable PATH after you run the su command to switch users, ++ you can effectively prevent the privilege escalation which caused by inheriting the environment variable PATH. ++ ++rationale: |- ++ None ++ ++severity: high +diff --git a/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml b/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml +new file mode 100644 +index 0000000..fe2409a +--- /dev/null ++++ b/linux_os/guide/system/software/su/su_only_for_wheel/oval/shared.xml +@@ -0,0 +1,23 @@ ++ ++ ++ ++ Only wheel group users can use su ++ ++ multi_platform_openeuler ++ ++ Only wheel group users can use su command. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/su ++ ^[\s]*auth[\s]*required[\s]*pam_wheel\.so[\s]*.*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml b/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml +new file mode 100644 +index 0000000..55725ba +--- /dev/null ++++ b/linux_os/guide/system/software/su/su_only_for_wheel/rule.yml +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++title: 'Ensure Only Users of Wheel Group Can Use SU' ++ ++prodtype: openeuler2203 ++ ++description: |- ++ The su command enables a common user to have the rights of the super user or other users. ++ It is often used to switch from a common user account to the system root account. ++ The su command provides a convenient way for users to change their identities. ++ However, unconstrained use of the su command brings potential risks to the system. ++
++ The permission to access the root account using the su command is restricted. ++ Allows only common users in the wheel group to use the su command, which improves the security of system. ++ ++rationale: |- ++ Users outside the wheel group cannot run the su command. ++ ++severity: high +diff --git a/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml +new file mode 100644 +index 0000000..16384d0 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/oval/shared.xml +@@ -0,0 +1,23 @@ ++ ++ ++ ++ Not all users can run all privilege programs ++ ++ multi_platform_openeuler ++ ++ Not all users can run all privileged programs. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/sudoers ++ ^[\s]*ALL[\s]+ALL[\s]*=[\s]*.*[\s]*ALL[\s]*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml +new file mode 100644 +index 0000000..98ac45e +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_not_for_all_users/rule.yml +@@ -0,0 +1,20 @@ ++documentation_complete: true ++ ++title: 'Ensure Not All Users Can Use Sudo In All Commands' ++ ++prodtype: openeuler2203 ++ ++description: |- ++ The sudo command enables a common user to execute certain programs with the root permission. ++ Most system management commands need to be executed as root.
++ Properly authorizing other users can reduce the burden of the system administrator, ++ but directly granting the root password to the common user will bring security risks. ++ Using sudo can avoid this problem.
++ You can use the sudo mechanism to avoid using the root user for privileged programs that need to be run by the root user. ++ If so, the security is improved. ++ However, ensure that NOT all low-privilege users can run all commands. ++ ++rationale: |- ++ Low-privilege users maybe can not run privileged programs. ++ ++severity: high +diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile +index 00405f5..de6890c 100644 +--- a/openeuler2203/profiles/standard.profile ++++ b/openeuler2203/profiles/standard.profile +@@ -149,3 +149,18 @@ selections: + - audit_rules_usergroup_modification_shadow + - audit_rules_kernel_module_install_and_remove + - rsyslog_cron_logging ++ - ensure_minimum_permission ++ - opened_files_count_limited ++ - sysctl_net_ipv4_tcp_timestamps ++ - sysctl_net_ipv4_tcp_fin_timeout ++ - sysctl_net_ipv4_tcp_max_syn_backlog ++ - sysctl_net_ipv4_disable_arp_proxy ++ - sysctl_net_ipv4_icmp_echo_ignore_all ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ - su_only_for_wheel ++ - sudo_not_for_all_users ++ - only_root_can_run_pkexec ++ - su_always_set_path ++ - file_permissions_unauthorized_world_writable ++ - file_permissions_unauthorized_suid ++ - file_permissions_unauthorized_sgid +-- +2.21.0.windows.1 + diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 5ae7f7c4bdd7bd82baf30b85f32485b38f9c5fae..9f05ae5c56de6a4604bf769b9b8d74149d48c509 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 7 +Release: 8 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ 
@@ -14,6 +14,7 @@ Patch0005:backport-fix-for-older-python-versions-lacking-.iter-method.patch Patch0006:init-openEuler-ssg-project.patch Patch0007:enable-76-rules-for-openEuler.patch Patch0008:enable-54-rules-for-openEuler.patch +Patch0009:add-15-rules-for-openeuler.patch BuildArch: noarch BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML @@ -68,6 +69,9 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Fri Aug 11 2023 steven - 0.1.49-8 +- enable 15 rules for openEuler + * Thu Jul 27 2023 steven - 0.1.49-7 - enable 54 rules for openEuler